Plumb the correct owner document through DocumentInit::m_owner.

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 2785 matching lines @@
                 m_frame->localDOMWindow()->dispatchEvent(unloadEvent, m_frame->document());
             }
         }
         m_loadEventProgress = UnloadEventHandled;
     }
 
     if (!m_frame)
         return;
 
     // Don't remove event listeners from a transitional empty document (see https://bugs.webkit.org/show_bug.cgi?id=28716 for more information).
-    bool keepEventListeners = m_frame->loader().stateMachine()->isDisplayingInitialEmptyDocument() && m_frame->loader().provisionalDocumentLoader()
-        && isSecureTransitionTo(m_frame->loader().provisionalDocumentLoader()->url());
+    bool keepEventListeners = m_frame->loader().provisionalDocumentLoader()
+        && m_frame->shouldReuseDefaultView(m_frame->loader().provisionalDocumentLoader()->url());
     if (!keepEventListeners)
         removeAllEventListenersRecursively();
 }
 
 Document::PageDismissalType Document::pageDismissalEventBeingDispatched() const
 {
     if (m_loadEventProgress == BeforeUnloadEventInProgress)
         return BeforeUnloadDismissal;
     if (m_loadEventProgress == PageHideInProgress)
         return PageHideDismissal;
@@ skipping 2090 matching lines @@
 
     m_useSecureKeyboardEntryWhenActive = usesSecureKeyboard;
     m_frame->selection().updateSecureKeyboardEntryIfActive();
 }
 
 bool Document::useSecureKeyboardEntryWhenActive() const
 {
     return m_useSecureKeyboardEntryWhenActive;
 }
 
-void Document::initSecurityContext()
-{
-    initSecurityContext(DocumentInit(m_url, m_frame, contextDocument(), m_importsController));
-}
-
 void Document::initSecurityContext(const DocumentInit& initializer)
 {
-    if (haveInitializedSecurityOrigin()) {
-        ASSERT(securityOrigin());
-        return;
-    }
+    ASSERT(!securityOrigin());

[sof, 2016/03/02 07:26:19]

Does this merit being a release assert?

[dcheng, 2016/03/02 07:36:05]

In the current form, I think it's fine being an ASSERT. It's no longer public,
and it's only called in the constructor.

 
     if (initializer.isHostedInReservedIPRange())
         setHostedInReservedIPRange();
 
     if (!initializer.hasSecurityContext()) {
         // No source for a security context.
         // This can occur via document.implementation.createDocument().
         m_cookieURL = KURL(ParsedURLString, emptyString());
         setSecurityOrigin(SecurityOrigin::createUnique());
         initContentSecurityPolicy();
         return;
     }
 
     // In the common case, create the security context from the currently
     // loading URL with a fresh content security policy.
-    m_cookieURL = m_url;
     enforceSandboxFlags(initializer.getSandboxFlags());
     if (initializer.shouldEnforceStrictMixedContentChecking())
         enforceStrictMixedContentChecking();
     setInsecureRequestsPolicy(initializer.getInsecureRequestsPolicy());
     if (initializer.insecureNavigationsToUpgrade()) {
         for (auto toUpgrade : *initializer.insecureNavigationsToUpgrade())
             addInsecureNavigationUpgrade(toUpgrade);
     }
-    setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url));
+
+    if (isSandboxed(SandboxOrigin)) {
+        m_cookieURL = m_url;
+        setSecurityOrigin(SecurityOrigin::createUnique());
+        // If we're supposed to inherit our security origin from our owner,
+        // but we're also sandboxed, the only thing we inherit is the ability
+        // to load local resources. This lets about:blank iframes in file://
+        // URL documents load images and other resources from the file system.
+        if (initializer.owner() && initializer.owner()->securityOrigin()->canLoadLocalResources())
+            securityOrigin()->grantLoadLocalResources();
+    } else if (initializer.owner()) {
+        m_cookieURL = initializer.owner()->cookieURL();
+        // We alias the SecurityOrigins to match Firefox, see Bug 15313
+        // https://bugs.webkit.org/show_bug.cgi?id=15313
+        setSecurityOrigin(initializer.owner()->securityOrigin());
+    } else {
+        m_cookieURL = m_url;
+        setSecurityOrigin(SecurityOrigin::create(m_url));
+    }
 
     if (importsController()) {
         // If this document is an HTML import, grab a reference to it's master document's Content
         // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't
         // rebind the master document's policy object: its ExecutionContext needs to remain tied
         // to the master document.
         setContentSecurityPolicy(importsController()->master()->contentSecurityPolicy());
     } else {
         initContentSecurityPolicy();
     }
@@ skipping 11 matching lines @@
                 // Some clients do not want local URLs to have access to other local URLs.
                 securityOrigin()->blockLocalAccessFromLocalOrigin();
             }
         }
     }
 
     if (initializer.shouldTreatURLAsSrcdocDocument()) {
         m_isSrcdocDocument = true;
         setBaseURLOverride(initializer.parentBaseURL());
     }
-
-    if (!shouldInheritSecurityOriginFromOwner(m_url))
-        return;
-
-    // If we do not obtain a meaningful origin from the URL, then we try to
-    // find one via the frame hierarchy.
-
-    if (!initializer.owner()) {
-        didFailToInitializeSecurityOrigin();
-        return;
-    }
-
-    if (isSandboxed(SandboxOrigin)) {
-        // If we're supposed to inherit our security origin from our owner,
-        // but we're also sandboxed, the only thing we inherit is the ability
-        // to load local resources. This lets about:blank iframes in file://
-        // URL documents load images and other resources from the file system.
-        if (initializer.owner()->securityOrigin()->canLoadLocalResources())
-            securityOrigin()->grantLoadLocalResources();
-        return;
-    }
-
-    m_cookieURL = initializer.owner()->cookieURL();
-    // We alias the SecurityOrigins to match Firefox, see Bug 15313
-    // https://bugs.webkit.org/show_bug.cgi?id=15313
-    setSecurityOrigin(initializer.owner()->securityOrigin());
 }
 
 void Document::initContentSecurityPolicy(PassRefPtrWillBeRawPtr<ContentSecurityPolicy> csp)
 {
     setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());
     if (m_frame && m_frame->tree().parent() && m_frame->tree().parent()->isLocalFrame()) {
         ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())->document()->contentSecurityPolicy();
         if (shouldInheritSecurityOriginFromOwner(m_url)) {
             contentSecurityPolicy()->copyStateFrom(parentCSP);
         } else if (isPluginDocument()) {
             // Per CSP2, plugin-types for plugin documents in nested browsing
             // contexts gets inherited from the parent.
             contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
         }
     }
     contentSecurityPolicy()->bindToExecutionContext(this);
 }
 
+bool Document::isSecureTransitionTo(const KURL& url) const
+{
+    RefPtr<SecurityOrigin> other = SecurityOrigin::create(url);
+    return securityOrigin()->canAccess(other.get());
+}
+
 bool Document::allowInlineEventHandlers(Node* node, EventListener* listener, const String& contextURL, const WTF::OrdinalNumber& contextLine)
 {
     bool allowedByHash = contentSecurityPolicy()->experimentalFeaturesEnabled() && contentSecurityPolicy()->allowScriptWithHash(listener->code());
     if (!ContentSecurityPolicy::shouldBypassMainWorld(this) && !allowedByHash && !contentSecurityPolicy()->allowInlineEventHandlers(contextURL, contextLine))
         return false;
 
     // HTML says that inline script needs browsing context to create its execution environment.
     // http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#event-handler-attributes
     // Also, if the listening node came from other document, which happens on context-less event dispatching,
     // we also need to ask the owner document of the node.
@@ skipping 956 matching lines @@
 #ifndef NDEBUG
 using namespace blink;
 void showLiveDocumentInstances()
 {
     Document::WeakDocumentSet& set = Document::liveDocumentSet();
     fprintf(stderr, "There are %u documents currently alive:\n", set.size());
     for (Document* document : set)
         fprintf(stderr, "- Document %p URL: %s\n", document, document->url().string().utf8().data());
 }
 #endif