Throw a SecurityError when navigator.serviceWorker is accessed in a sandboxed iframe.

Source/modules/serviceworkers/NavigatorServiceWorker.cpp

Index: Source/modules/serviceworkers/NavigatorServiceWorker.cpp
diff --git a/Source/modules/serviceworkers/NavigatorServiceWorker.cpp b/Source/modules/serviceworkers/NavigatorServiceWorker.cpp
index 89d9647a012d09a0abfca5d3dadf3f32b283966d..d2552311f9a3ba290dd69584d2e2b505c29e230f 100644
--- a/Source/modules/serviceworkers/NavigatorServiceWorker.cpp
+++ b/Source/modules/serviceworkers/NavigatorServiceWorker.cpp
@@ -36,8 +36,10 @@ NavigatorServiceWorker& NavigatorServiceWorker::from(Navigator& navigator)
     if (!supplement) {
         supplement = new NavigatorServiceWorker(navigator);
         provideTo(navigator, supplementName(), supplement);
-        // Initialize ServiceWorkerContainer too.
-        supplement->serviceWorker();
+        if (navigator.frame() && navigator.frame()->securityContext()->securityOrigin()->canAccessServiceWorkers()) {
+            // Initialize ServiceWorkerContainer too.
+            supplement->serviceWorker(ASSERT_NO_EXCEPTION);
+        }
     }
     return *supplement;
 }
@@ -52,13 +54,20 @@ const char* NavigatorServiceWorker::supplementName()
     return "NavigatorServiceWorker";
 }
 
-ServiceWorkerContainer* NavigatorServiceWorker::serviceWorker(Navigator& navigator)
+ServiceWorkerContainer* NavigatorServiceWorker::serviceWorker(Navigator& navigator, ExceptionState& exceptionState)
 {
-    return NavigatorServiceWorker::from(navigator).serviceWorker();
+    return NavigatorServiceWorker::from(navigator).serviceWorker(exceptionState);
 }
 
-ServiceWorkerContainer* NavigatorServiceWorker::serviceWorker()
+ServiceWorkerContainer* NavigatorServiceWorker::serviceWorker(ExceptionState& exceptionState)
 {
+    if (frame() && !frame()->securityContext()->securityOrigin()->canAccessServiceWorkers()) {
+        if (frame()->securityContext()->isSandboxed(SandboxOrigin))
+            exceptionState.throwSecurityError("Service worker is disabled because the context is sandboxed and lacks the 'allow-same-origin' flag.");
+        else
+            exceptionState.throwSecurityError("Access to service workers is denied in this document origin.");
+        return nullptr;
+    }
     if (!m_serviceWorker && frame()) {
         ASSERT(frame()->domWindow());
         m_serviceWorker = ServiceWorkerContainer::create(frame()->domWindow()->executionContext());