extensions/renderer/resources/guest_view/guest_view_container.js · 2f5059a4ae7baafde36136cfa59af8ae80d4298c · eriksson monteiro / tangled

Further hardening of GuestView against tainted methods and properties · 2f5059a4

Kevin McNee authored Nov 28, 2018

In the GuestView implementation, we inadvertently call methods and
invoke property getters and setters that user code can control.

To avoid method calls to user code, we introduce safe_methods.js
which provides references to the untainted methods.

To avoid invoking user controlled getters and setters, we prevent our
internal objects from inheriting from Object.prototype or we explicitly
access own properties.

Bug: 701034, 803668, 892886
Change-Id: Ie615d6f796793313ed2db6089e259573ad25a90d
Reviewed-on: https://chromium-review.googlesource.com/c/1302698
Commit-Queue: Kevin McNee <mcnee@chromium.org>
Reviewed-by: Istiaque Ahmed <lazyboy@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Cr-Commit-Position: refs/heads/master@{#611832}

2f5059a4

guest_view_container.js 6.66 KB

Replace guest_view_container.js