
Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 1611523002: Require the entry document to have the same origin as the open()d document (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: updates Created 4 years, 11 months ago
Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 281497ca4858358e3a6b229b6f1806410ff59386..a6b6e88a8201965ef2a31ddbfce1dfbc4db2136a 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -2416,7 +2416,7 @@ ScriptableDocumentParser* Document::scriptableDocumentParser() const
return parser() ? parser()->asScriptableDocumentParser() : 0;
}
-void Document::open(Document* ownerDocument, ExceptionState& exceptionState)
+void Document::open(Document* enteredDocument, ExceptionState& exceptionState)
{
if (importLoader()) {
exceptionState.throwDOMException(InvalidStateError, "Imported document doesn't support open().");
@@ -2428,10 +2428,14 @@ void Document::open(Document* ownerDocument, ExceptionState& exceptionState)
return;
}
- if (ownerDocument) {
- setURL(ownerDocument->url());
- m_cookieURL = ownerDocument->cookieURL();
- setSecurityOrigin(ownerDocument->securityOrigin());
+ if (enteredDocument) {
+ if (!securityOrigin()->canAccess(enteredDocument->securityOrigin())) {
+ exceptionState.throwSecurityError("Can only call open() on same-origin documents.");
+ return;
+ }
+ setSecurityOrigin(enteredDocument->securityOrigin());
+ setURL(enteredDocument->url());
+ m_cookieURL = enteredDocument->cookieURL();
}
open();
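Review bot: The new guard in open() uses `securityOrigin()->canAccess(...)`, which as far as I recall also succeeds when both documents have relaxed their origin through document.domain, so it is looser than the "same origin" the issue title asks for. Right after the check passes, the opened document adopts the entered document's security origin, URL and cookie URL, so the strictness of this comparison matters. Consider a strict scheme/host/port comparison here and in the matching guard added to write(const SegmentedString&, ...), for example `if (!securityOrigin()->isSameSchemeHostPort(enteredDocument->securityOrigin())) {`, or add a comment stating that document.domain relaxation is accepted on purpose. The check is skipped when enteredDocument is null, and the callers that could pass null are not visible here; open()'s body starts before this hunk and continues past it.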
@@ -2843,7 +2847,7 @@ int Document::elapsedTime() const
return static_cast<int>((currentTime() - m_startTime) * 1000);
}
-void Document::write(const SegmentedString& text, Document* ownerDocument, ExceptionState& exceptionState)
+void Document::write(const SegmentedString& text, Document* enteredDocument, ExceptionState& exceptionState)
{
if (importLoader()) {
exceptionState.throwDOMException(InvalidStateError, "Imported document doesn't support write().");
@@ -2855,6 +2859,11 @@ void Document::write(const SegmentedString& text, Document* ownerDocument, Excep
return;
}
+ if (enteredDocument && !securityOrigin()->canAccess(enteredDocument->securityOrigin())) {
jochen (gone - plz use gerrit) 2016/01/29 08:01:37 without this, the ASSERT(m_parser) below will fail
+ exceptionState.throwSecurityError("Can only call write() on same-origin documents.");
+ return;
+ }
+
NestingLevelIncrementer nestingLevelIncrementer(m_writeRecursionDepth);
m_writeRecursionIsTooDeep = (m_writeRecursionDepth > 1) && m_writeRecursionIsTooDeep;
@@ -2871,23 +2880,23 @@ void Document::write(const SegmentedString& text, Document* ownerDocument, Excep
}
if (!hasInsertionPoint)
- open(ownerDocument, ASSERT_NO_EXCEPTION);
+ open(enteredDocument, ASSERT_NO_EXCEPTION);
ASSERT(m_parser);
m_parser->insert(text);
}
-void Document::write(const String& text, Document* ownerDocument, ExceptionState& exceptionState)
+void Document::write(const String& text, Document* enteredDocument, ExceptionState& exceptionState)
{
- write(SegmentedString(text), ownerDocument, exceptionState);
+ write(SegmentedString(text), enteredDocument, exceptionState);
}
-void Document::writeln(const String& text, Document* ownerDocument, ExceptionState& exceptionState)
+void Document::writeln(const String& text, Document* enteredDocument, ExceptionState& exceptionState)
{
- write(text, ownerDocument, exceptionState);
+ write(text, enteredDocument, exceptionState);
if (exceptionState.hadException())
return;
- write("\n", ownerDocument);
+ write("\n", enteredDocument);
}
void Document::write(LocalDOMWindow* callingWindow, const Vector<String>& text, ExceptionState& exceptionState)
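Review bot: `open(enteredDocument, ASSERT_NO_EXCEPTION)` now calls a function that can throw a SecurityError, so the assertion holds only because write() repeats the identical origin test before reaching it, and nothing at the call site says so. If the two conditions ever drift apart, open() would return early and, presumably in builds where ASSERT compiles out, `m_parser->insert(text)` would run without a freshly opened parser. I would add a comment above the call, `// Cross-origin callers were rejected above, so open() cannot throw here.`, or move the origin test into one helper that both open() and write() call. The lines between the guard and this call are outside the hunk, so I cannot tell whether anything there can change either origin.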
