Add scheme exceptions for isSecureContext

third_party/WebKit/Source/core/dom/Document.cpp

Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index f0573887629fc669ea47dfd44cdb3d1389c40f38..4dd6e6b710bbd5e33052e0869f6280e68611bfe6 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -5656,12 +5656,45 @@ v8::Local<v8::Object> Document::associateWithWrapper(v8::Isolate* isolate, const
 
 bool Document::isSecureContext(String& errorMessage, const SecureContextCheck privilegeContextCheck) const
 {
+    // There may be exceptions for the secure context check defined for certain
+    // origins. The exceptions are applied only to the origin themselves and to
+    // sandboxed URLs from those origins, but *not* to any children.
+    //
+    // For example:
+    //   <iframe src="http://host">
+    //     <iframe src="scheme-has-exception://host"></iframe>
+    //     <iframe sandbox src="scheme-has-exception://host"></iframe>
+    //   </iframe>
+    // both inner iframes pass this check, assuming that the scheme
+    // "scheme-has-exception:" is granted an exception.
+    //
+    // However,
+    //   <iframe src="http://host">
+    //     <iframe sandbox src="http://host"></iframe>
+    //   </iframe>
+    // would fail the check (that is, sandbox does not grant an exception itself).
+    //
+    // Additionally, with
+    //   <iframe src="scheme-has-exception://host">
+    //     <iframe src="http://host"></iframe>
+    //     <iframe sandbox src="http://host"></iframe>
+    //   </iframe>
+    // both inner iframes would fail the check, even though the outermost iframe
+    // passes.
+    //
+    // In all cases, a frame must be potentially trustworthy in addition to
+    // having an exception listed in order for the exception to be granted.
     if (SecurityContext::isSandboxed(SandboxOrigin)) {

[Devlin, 2015/10/08 16:48:32]

I don't like that we duplicate the logic, just passing in a different security
origin, now that it's a little more complicated.  Unfortunately, the RefPtr vs
raw ptr makes it a bit of a pain to clean up, so I'm not sure this is any
better...

RefPtr<SecurityOrigin> originWrapper;
SecurityOrigin* origin = nullptr;
if (SecurityContext::isSandboxed(SandboxOrigin)) {
  originWrapper = SecurityOrigin::create(url());
  origin = originWrapper.get();
} else {
  origin = securityOrigin();
}
if (origin->IsPotentiallyTrustworthy(errorMessage))
  return false;
if (SecurityOrigin::shouldOriginBypassSecureContextCheck(*origin)
  return true;

(Depending on how performance-sensitive this code is, you could also just say
you don't care about the added ref, and the top part becomes simply:
RefPtr<SecurityOrigin> originWrapper =
SecurityContext::isSandboxed(SandboxOrigin) ? SecurityOrigin::create(url()) :
securityOrigin();
)

I'll let you decide whichever you prefer (including yours).

[jww, 2015/10/09 21:39:26]

I actually considered these approaches before, and went with this one, because I
thought it was less confusing that mixing up the raw pointers and ref pointers.
Agreed that it's ugly though.

-        if (!SecurityOrigin::create(url())->isPotentiallyTrustworthy(errorMessage))
+        RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url());
+        if (!origin->isPotentiallyTrustworthy(errorMessage))
             return false;
+        if (SchemeRegistry::schemeShouldBypassSecureContextCheck(origin->protocol()))
+            return true;
     } else {
         if (!securityOrigin()->isPotentiallyTrustworthy(errorMessage))
             return false;
+        if (SchemeRegistry::schemeShouldBypassSecureContextCheck(securityOrigin()->protocol()))
+            return true;
     }
 
     if (privilegeContextCheck == StandardSecureContextCheck) {