Commit f327f170 authored by Liam Brady, committed by Chromium LUCI CQ

Fenced frame: fix parseFromString() crash in sandboxed iframes.

If parseFromString() is called inside a sandboxed iframe's DOMParser on
an HTML string that contains a <fencedframe> element, a fenced frame
will be created behind, including running the sandbox flags check. That
will fail, and upon logging, it will attempt to check if a frame is the
main frame, which requires getting the document's frame. Since the
fenced frame isn't attached to any DOMWindow at this point, the frame
will be null.

The existing code dereferences the frame without checking its nullness,
causing a crash. The fix switches that call to
`Document::IsInMainFrame()`, which includes a nullness check on the
frame. This CL also adds a minimal reproduction case as a test.

Bug: 40277893
Bug: 344029039
Change-Id: I53ca200b405a3f60ba4f64962ddc1b19950824a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5601581


Commit-Queue: Liam Brady <lbrady@google.com>
Reviewed-by: Garrett Tanzer <gtanzer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1310781}
parent ece5fb9d