diff options
author | asargent@chromium.org <asargent@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-16 22:45:46 +0000 |
---|---|---|
committer | asargent@chromium.org <asargent@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-16 22:45:46 +0000 |
commit | 5be476f95d26c775356b1a991a9238b884aafc57 (patch) | |
tree | b4ddf187ff3ce9ef79c3be72979a77fc13a96593 /o3d | |
parent | 036fb21029f58eac6a473847b30d068579286e39 (diff) | |
download | chromium_src-5be476f95d26c775356b1a991a9238b884aafc57.zip chromium_src-5be476f95d26c775356b1a991a9238b884aafc57.tar.gz chromium_src-5be476f95d26c775356b1a991a9238b884aafc57.tar.bz2 |
Merge 34263 - Prevent 2 types of extension crashes.
If javascript code puts custom toJSON functions on Array.prototype, our
extension API code detects malformed requests and kills the offending renderer.
Also, the browser can crash if a browser action popup process dies (for various
reasons, including this json serialization problem).
BUG=29283
TEST=Create an extension with a browser action popup that loads prototype.js, and then calls chrome.tabs.update().
Before this change, the popup bubble will crash, and when you click away, crash the browser too.
Review URL: http://codereview.chromium.org/466065
TBR=asargent@chromium.org
Review URL: http://codereview.chromium.org/506044
git-svn-id: svn://svn.chromium.org/chrome/branches/249/src@34769 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'o3d')
0 files changed, 0 insertions, 0 deletions