Security: Fixing URL spoof via cross-site iframe top navigation.
Currently, it is possible to spoof the URL of a site by starting a
navigation in the main frame and having a cross-site iframe initiating
another navigation in its parent frame (with extra steps for it to be
user visible).
This can also be used to cancel any browser initiated navigation in the
main frame.
The CL adresses the issue by adding checks similar to what exists in
BeginNavigation on the FrameProxy::OpenURL path.
Bug: 966914
Change-Id: If547c2ef4b30b2e0323141005583412c12bfef8e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643191
Reviewed-by: Camille Lamy <[email protected]>
Commit-Queue: Arthur Hemery <[email protected]>
Cr-Commit-Position: refs/heads/master@{#668435}
diff --git a/content/browser/frame_host/navigator_impl.h b/content/browser/frame_host/navigator_impl.h
index 7c0db61..714ee4bc 100644
--- a/content/browser/frame_host/navigator_impl.h
+++ b/content/browser/frame_host/navigator_impl.h
@@ -87,8 +87,8 @@
const std::string& method,
scoped_refptr<network::ResourceRequestBody> post_body,
const std::string& extra_headers,
- scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory)
- override;
+ scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory,
+ bool has_user_gesture) override;
void OnBeforeUnloadACK(FrameTreeNode* frame_tree_node,
bool proceed,
const base::TimeTicks& proceed_time) override;
