Index: third_party/WebKit/Source/core/frame/Frame.cpp |
diff --git a/third_party/WebKit/Source/core/frame/Frame.cpp b/third_party/WebKit/Source/core/frame/Frame.cpp |
index 3d12f88fbeeb7f62458c99fac27c458131a1afc6..95a0e4190b5745f3b6fdb81b52b2b1538f49d54c 100644 |
--- a/third_party/WebKit/Source/core/frame/Frame.cpp |
+++ b/third_party/WebKit/Source/core/frame/Frame.cpp |
@@ -204,9 +204,15 @@ bool Frame::canNavigate(const Frame& targetFrame) |
return true; |
if (securityContext()->isSandboxed(SandboxNavigation)) { |
+ // Sandboxed frames can navigate their own children. |
if (targetFrame.tree().isDescendantOf(this)) |
return true; |
+ // They can also navigate popups, if the 'allow-sandbox-escape-via-popup' flag is specified. |
+ if (targetFrame == targetFrame.tree().top() && targetFrame.tree().top() != tree().top() && !securityContext()->isSandboxed(SandboxPropagatesToAuxiliaryBrowsingContexts)) |
+ return true; |
+ |
+ // Otherwise, block the navigation. |
const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors."; |
if (securityContext()->isSandboxed(SandboxTopNavigation) && targetFrame == tree().top()) |
reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set."; |