Plumb the correct owner document through DocumentInit::m_owner.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 64 matching lines @@
 #include "wtf/TemporaryChange.h"
 #include "wtf/text/WTFString.h"
 
 namespace blink {
 
 static bool isArchiveMIMEType(const String& mimeType)
 {
     return equalIgnoringCase("multipart/related", mimeType);
 }
 
+static bool shouldInheritSecurityOriginFromOwner(const KURL& url)
+{
+    // https://html.spec.whatwg.org/multipage/browsers.html#origin
+    //
+    // If a Document is the initial "about:blank" document
+    //     The origin and effective script origin of the Document are those it
+    //     was assigned when its browsing context was created.
+    //
+    // Note: We generalize this to all "blank" URLs and invalid URLs because we
+    // treat all of these URLs as about:blank.
+    return url.isEmpty() || url.protocolIsAbout();
+}
+
 DocumentLoader::DocumentLoader(LocalFrame* frame, const ResourceRequest& req, const SubstituteData& substituteData)
     : m_frame(frame)
     , m_fetcher(FrameFetchContext::createContextAndFetcher(this))
     , m_originalRequest(req)
     , m_substituteData(substituteData)
     , m_request(req)
     , m_isClientRedirect(false)
     , m_replacesCurrentHistoryItem(false)
     , m_navigationType(NavigationTypeOther)
     , m_documentLoadTiming(*this)
@@ skipping 356 matching lines @@
 
 void DocumentLoader::ensureWriter(const AtomicString& mimeType, const KURL& overridingURL)
 {
     if (m_writer)
         return;
 
     const AtomicString& encoding = m_frame->host()->overrideEncoding().isNull() ? response().textEncodingName() : m_frame->host()->overrideEncoding();
 
     // Prepare a DocumentInit before clearing the frame, because it may need to
     // inherit an aliased security context.
-    DocumentInit init(url(), m_frame);
+    Document* owner = nullptr;
+    // TODO(dcheng): This differs from the behavior of both IE and Firefox: the
+    // origin is inherited from the document that loaded the URL.
+    if (shouldInheritSecurityOriginFromOwner(url())) {
+        Frame* ownerFrame = m_frame->tree().parent();
+        if (!ownerFrame)
+            ownerFrame = m_frame->loader().opener();
+        if (ownerFrame && ownerFrame->isLocalFrame())
+            owner = toLocalFrame(ownerFrame)->document();
+    }
+    DocumentInit init(owner, url(), m_frame);
     init.withNewRegistrationContext();
     m_frame->loader().clear();
     ASSERT(m_frame->page());
 
     ParserSynchronizationPolicy parsingPolicy = AllowAsynchronousParsing;
     if ((m_substituteData.isValid() && m_substituteData.forceSynchronousLoad()) || !Document::threadedParsingEnabledForTesting())
         parsingPolicy = ForceSynchronousParsing;
 
-    m_writer = createWriterFor(0, init, mimeType, encoding, false, parsingPolicy);
+    m_writer = createWriterFor(init, mimeType, encoding, false, parsingPolicy);
     m_writer->setDocumentWasLoadedAsPartOfNavigation();
 
     // This should be set before receivedFirstData().
     if (!overridingURL.isEmpty())
         m_frame->document()->setBaseURLOverride(overridingURL);
 
     // Call receivedFirstData() exactly once per load.
     frameLoader()->receivedFirstData();
     m_frame->document()->maybeHandleHttpRefresh(m_response.httpHeaderField(HTTPNames::Refresh), Document::HttpRefreshFromHeader);
 }
@@ skipping 244 matching lines @@
     m_fetcher->acceptDataFromThreadedReceiver(mainResourceIdentifier(), data, dataLength, encodedDataLength);
 }
 
 void DocumentLoader::endWriting(DocumentWriter* writer)
 {
     ASSERT_UNUSED(writer, m_writer == writer);
     m_writer->end();
     m_writer.clear();
 }
 
-PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document* ownerDocument, const DocumentInit& init, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch, ParserSynchronizationPolicy parsingPolicy)
+PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const DocumentInit& init, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch, ParserSynchronizationPolicy parsingPolicy)
 {
     LocalFrame* frame = init.frame();
 
     ASSERT(!frame->document() || !frame->document()->isActive());
     ASSERT(frame->tree().childCount() == 0);
 
     if (!init.shouldReuseDefaultView())
         frame->setDOMWindow(LocalDOMWindow::create(*frame));
 
     RefPtrWillBeRawPtr<Document> document = frame->localDOMWindow()->installNewDocument(mimeType, init);

[jochen (gone - plz use gerrit), 2016/02/29 16:37:23]

I wonder whether we should RELEASE_ASSERT that we don't change the security
origin here?

[dcheng, 2016/02/29 17:49:23]

It's kind of expected that this will normally change though: this is used for
both JS navigations and regular navigations. I'm not sure what a meaningful
assert here would be.

-    if (ownerDocument) {
-        document->setCookieURL(ownerDocument->cookieURL());
-        document->updateSecurityOrigin(ownerDocument->securityOrigin());
-    }
 
     frame->loader().didBeginDocument(dispatch);
 
     return DocumentWriter::create(document.get(), parsingPolicy, mimeType, encoding);
 }
 
 const AtomicString& DocumentLoader::mimeType() const
 {
     if (m_writer)
         return m_writer->mimeType();
     return m_response.mimeType();
 }
 
 // This is only called by FrameLoader::replaceDocumentWhileExecutingJavaScriptURL()
-void DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL(const DocumentInit& init, const String& source, Document* ownerDocument)
+void DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL(const DocumentInit& init, const String& source)
 {
-    m_writer = createWriterFor(ownerDocument, init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true, ForceSynchronousParsing);
+    m_writer = createWriterFor(init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true, ForceSynchronousParsing);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 } // namespace blink