<third_party/WebKit> Cherry-pick fix for CVE-2015-6768

Block javascript: document navigations during page dismissal events.

This basically reflects the logic from FrameLoader::startLoad. Before this patch, javascript: document navigations could be performed during page dismissal events. This could be problematic, especially that dismissal events prevent loaders from being stopped or detached.

This patch adds a bail-out condition to FrameLoader::replaceDocumentWhileExecutingJavaScriptURL.

BUG=556724

Review URL: https://codereview.chromium.org/1451123002

Change-Id: Ifcb3dfd1d962c3338a3703def3b84432b58cfa5b
Reviewed-by: Michael Brüning <[email protected]>

Author: carewolf

chromium/AUTHORS

@@ -288,6 +288,7 @@ Mao Yujie <[email protected]>
 Mao Yujie <[email protected]>
 Marco Rodrigues <[email protected]>
 Mario Sanchez Prada <[email protected]>
+Mariusz Mlynski <[email protected]>
 Mark Hahnenberg <[email protected]>
 Mark Seaborn <[email protected]>
 Martin Bednorz <[email protected]>

chromium/third_party/WebKit/Source/core/loader/FrameLoader.cpp

@@ -286,7 +286,7 @@ void FrameLoader::clear()
 // This is the <iframe src="javascript:'html'"> case.
 void FrameLoader::replaceDocumentWhileExecutingJavaScriptURL(const String& source, Document* ownerDocument)
 {
-    if (!m_frame->document()->loader())
+    if (!m_frame->document()->loader() || m_frame->document()->pageDismissalEventBeingDispatched() != Document::NoDismissal)
         return;
 
     // DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL can cause the DocumentLoader to get deref'ed and possible destroyed,