Commit dd6d018b authored by Nate Chapin Committed by Commit Bot

Toggling sandbox flags on an <iframe> in an inactive document should not crash

Bug: 1103089
Test: html/semantics/embedded-content/the-iframe-element/sandbox-toggle-in-inactive-document-crash.html
Change-Id: I7d5e7e9e53f7cfd4b94baf02ae58f1cda2d55009
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2288096
Commit-Queue: Kentaro Hara <haraken@chromium.org>
Auto-Submit: Nate Chapin <japhet@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#786585}
parent 69f3f69d
......@@ -333,6 +333,9 @@ DocumentPolicy::FeatureState HTMLIFrameElement::ConstructRequiredPolicy()
}
ParsedFeaturePolicy HTMLIFrameElement::ConstructContainerPolicy() const {
if (!GetExecutionContext())
return ParsedFeaturePolicy();
scoped_refptr<const SecurityOrigin> src_origin = GetOriginForFeaturePolicy();
scoped_refptr<const SecurityOrigin> self_origin =
GetExecutionContext()->GetSecurityOrigin();
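Review bot: The early return on `!GetExecutionContext()` at the top of `ConstructContainerPolicy()` has no comment, and what it returns looks security-relevant: the container policy is presumably what carries the iframe's feature restrictions to the child frame, so a reader needs to know why an empty `ParsedFeaturePolicy()` is acceptable here. I would add `// No ExecutionContext: the element is in an inactive document (e.g. after adoptNode() into a detached contentDocument), so there is no self origin to build a policy against.` above the check. The hunk does not show whether the policy is recomputed if the element is later moved back into an active document, so that is worth confirming; otherwise the empty value could persist for a live frame. The function body continues past the end of the hunk.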
......
<body>
<iframe id="i"></iframe>
<script>
var saved_i = i;
var saved_i_doc = i.contentDocument;
i.remove();
saved_i_doc.adoptNode(saved_i);
saved_i.sandbox.toggle("1");
</script>