[Backport] Don't allow deferred frames to create new windows.

New pages never defer loads, which makes it difficult for ScopedPageLoadDeferrer to protect against synchronous loads. This patch adds a check in ChromeClientImpl::createWindow. BUG=616907 Review-Url: https://codereview.chromium.org/2035973002 (CVE-2016-1710) Change-Id: Ia787c8abfc1a7de20cf951d1e94db9633bcdee68 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2016-07-26 13:38:22 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2016-08-10 12:22:28 +0000
commit: f6e6743a20dd7e53b8f51787f661ae8a319b4b18 (patch)
tree: a6ac7267c332f8d90556d0aacee847927b05152f
parent: a2dde8d5ac635fbea89ab17ff40c81f53ea952a6 (diff)
download: qtwebengine-chromium-f6e6743a20dd7e53b8f51787f661ae8a319b4b18.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/web/ChromeClientImpl.cpp b/chromium/third_party/WebKit/Source/web/ChromeClientImpl.cpp
index 8217b6d80cb..8b88e849f94 100644
--- a/chromium/third_party/WebKit/Source/web/ChromeClientImpl.cpp
+++ b/chromium/third_party/WebKit/Source/web/ChromeClientImpl.cpp
@@ -293,6 +293,9 @@ Page* ChromeClientImpl::createWindow(LocalFrame* frame, const FrameLoadRequest&
     if (!m_webView->client())
         return nullptr;
 
+    if (!frame->page() || frame->page()->defersLoading())
+        return nullptr;
+
     WebNavigationPolicy policy = effectiveNavigationPolicy(navigationPolicy, features);
     ASSERT(frame->document());
     Fullscreen::fullyExitFullscreen(*frame->document());
author	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2016-07-26 13:38:22 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2016-08-10 12:22:28 +0000
commit	f6e6743a20dd7e53b8f51787f661ae8a319b4b18 (patch)
tree	a6ac7267c332f8d90556d0aacee847927b05152f
parent	a2dde8d5ac635fbea89ab17ff40c81f53ea952a6 (diff)
download	qtwebengine-chromium-f6e6743a20dd7e53b8f51787f661ae8a319b4b18.tar.gz