Chromium Code Reviews

Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 1383483007: Add scheme exceptions for isSecureContext (Closed) Base URL: https://chromium.googlesource.com/chromium/src@master
Patch Set: Update check for sandbox Created 5 years, 2 months ago
Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index f0573887629fc669ea47dfd44cdb3d1389c40f38..48c837abca91befde9ae6e56923446364c560190 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -5656,12 +5656,34 @@ v8::Local<v8::Object> Document::associateWithWrapper(v8::Isolate* isolate, const
bool Document::isSecureContext(String& errorMessage, const SecureContextCheck privilegeContextCheck) const
{
+ // There may be exceptions for the secure context check defined for
+ // certain origins. The exceptions are applied only to the origin
+ // themselves and to immediate sanbox frame descendants, but *not* to
robwu 2015/10/03 19:28:51 sanbox -> sandbox
jww 2015/10/06 21:53:55 Done.
+ // any other children. For example:
+ // <iframe src="scheme://this-origin-has-exception">
+ // <iframe sandbox srcdoc="..."></iframe>
robwu 2015/10/03 19:28:51 This does not pass the check because the URL of th
jww 2015/10/06 21:53:56 Hm, no, I don't want that to pass; I'm not sure wh
+ // </iframe>
+ // would pass this check, both for the outer frame and the inner frame,
+ // assuming that the origin "scheme://this-origin-has-exception" is granted
+ // an exception. However,
+ // <iframe src="scheme://this-origin-has-exception">
+ // <iframe src="http://a.b/"></iframe>
+ // </iframe>
+ // the inner frame "http://a.b/" would *not* pass the check, even though
+ // the parent frame has an exception.
+ // In all cases, a frame must be potentially trustworthy in addition to
+ // having an exception listed in order for the exception to be granted.
if (SecurityContext::isSandboxed(SandboxOrigin)) {
- if (!SecurityOrigin::create(url())->isPotentiallyTrustworthy(errorMessage))
+ RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url());
+ if (!origin->isPotentiallyTrustworthy(errorMessage))
return false;
+ if (SecurityPolicy::shouldOriginBypassSecureContextCheck(*origin))
+ return true;
} else {
if (!securityOrigin()->isPotentiallyTrustworthy(errorMessage))
return false;
+ if (SecurityPolicy::shouldOriginBypassSecureContextCheck(*securityOrigin()))
+ return true;
}
if (privilegeContextCheck == StandardSecureContextCheck) {
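Review bot: The new explanatory comment does not match the behaviour the thread below it settles on: the first example claims the inner `<iframe sandbox srcdoc="...">` "would pass this check, both for the outer frame and the inner frame", but robwu's inline comment says it does not pass and jww confirms that it is not meant to. Rewrite that example so the comment states what the code actually does: a frame in the `isSandboxed(SandboxOrigin)` branch passes only when the origin built from its own `url()` is both potentially trustworthy and accepted by `SecurityPolicy::shouldOriginBypassSecureContextCheck`. Separately, both added `return true` statements exit before the `privilegeContextCheck == StandardSecureContextCheck` branch that follows, so an excepted origin is reported as a secure context without that branch ever running; if that is intended, say so explicitly in the comment ("In all cases ..." currently only mentions trustworthiness plus the exception), otherwise record the bypass in a local and fall through. The `sanbox` typo is already flagged above and marked Done.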
