Make Document::isSecureContext() work for OOPIFs

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 3374 matching lines @@
     // Additionally, with
     //   <iframe src="scheme-has-exception://host">
     //     <iframe src="http://host"></iframe>
     //     <iframe sandbox src="http://host"></iframe>
     //   </iframe>
     // both inner iframes would fail the check, even though the outermost iframe
     // passes.
     //
     // In all cases, a frame must be potentially trustworthy in addition to
     // having an exception listed in order for the exception to be granted.
-    if (SecurityContext::isSandboxed(SandboxOrigin)) {
-        RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url());
-        if (!isOriginPotentiallyTrustworthy(origin.get(), errorMessage))
-            return false;
-        if (SchemeRegistry::schemeShouldBypassSecureContextCheck(origin->protocol()))
-            return true;
-    } else {
-        if (!isOriginPotentiallyTrustworthy(securityOrigin(), errorMessage))
-            return false;
-        if (SchemeRegistry::schemeShouldBypassSecureContextCheck(securityOrigin()->protocol()))
-            return true;
-    }
+    if (!isOriginPotentiallyTrustworthy(securityOrigin(), errorMessage))
+        return false;
+    if (securityOrigin()->bypassSecureContextCheck())
+        return true;
 
     if (privilegeContextCheck == StandardSecureContextCheck) {
-        Document* context = parentDocument();
-        while (context) {
-            // Skip to the next ancestor if it's a srcdoc.
-            if (!context->isSrcdocDocument()) {
-                if (context->securityContext().isSandboxed(SandboxOrigin)) {
-                    // For a sandboxed origin, use the document's URL.
-                    RefPtr<SecurityOrigin> origin = SecurityOrigin::create(context->url());
-                    if (!isOriginPotentiallyTrustworthy(origin.get(), errorMessage))
-                        return false;
-                } else {
-                    if (!isOriginPotentiallyTrustworthy(context->securityOrigin(), errorMessage))
-                        return false;
-                }
-            }
-            context = context->parentDocument();
+        if (!m_frame)
+            return true;
+        Frame* parent = m_frame->tree().parent();
+        while (parent) {
+            if (!isOriginPotentiallyTrustworthy(parent->securityContext()->securityOrigin(), errorMessage))
+                return false;
+            parent = parent->tree().parent();
         }
     }
     return true;
 }
 
 StyleSheetList* Document::styleSheets()
 {
     if (!m_styleSheetList)
         m_styleSheetList = StyleSheetList::create(this);
     return m_styleSheetList.get();
@@ skipping 1500 matching lines @@
         // This can occur via document.implementation.createDocument().
         m_cookieURL = KURL(ParsedURLString, emptyString());
         setSecurityOrigin(SecurityOrigin::createUnique());
         initContentSecurityPolicy();
         return;
     }
 
     // In the common case, create the security context from the currently
     // loading URL with a fresh content security policy.
     m_cookieURL = m_url;
+    // Set the origin initially based on the URL. enforceSandboxFlags()
+    // will adjust it to be a unique origin if necessary.

[dcheng, 2016/02/24 22:11:30]

"if necessary": does that mean there are combinations of sandbox flags that
could result in the origin being shared?

[estark, 2016/02/24 22:14:51]

I might be misunderstanding the question, but the origin could be non-unique any
time SandboxOrigin is not set, right? i.e. sandbox="allow-same-origin"?

+    setSecurityOrigin(SecurityOrigin::create(m_url));
     enforceSandboxFlags(initializer.sandboxFlags());
     if (initializer.shouldEnforceStrictMixedContentChecking())
         enforceStrictMixedContentChecking();
     setInsecureRequestsPolicy(initializer.insecureRequestsPolicy());
     if (initializer.insecureNavigationsToUpgrade()) {
         for (auto toUpgrade : *initializer.insecureNavigationsToUpgrade())
             addInsecureNavigationUpgrade(toUpgrade);
     }
-    setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url));
 
     if (importsController()) {
         // If this document is an HTML import, grab a reference to it's master document's Content
         // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't
         // rebind the master document's policy object: its ExecutionContext needs to remain tied
         // to the master document.
         setContentSecurityPolicy(importsController()->master()->contentSecurityPolicy());
     } else {
         initContentSecurityPolicy();
     }
@@ skipping 25 matching lines @@
     // If we do not obtain a meaningful origin from the URL, then we try to
     // find one via the frame hierarchy.
 
     if (!initializer.owner()) {
         didFailToInitializeSecurityOrigin();
         return;
     }
 
     if (isSandboxed(SandboxOrigin)) {
         // If we're supposed to inherit our security origin from our owner,
-        // but we're also sandboxed, the only thing we inherit is the ability
-        // to load local resources. This lets about:blank iframes in file://
+        // but we're also sandboxed, the only things we inherit are the
+        // potential trustworthiness of the origin and the ability to
+        // load local resources. This lets about:blank iframes in file://

[alexmos, 2016/02/26 19:21:57]

nit: perhaps s/This/The latter/ or something similar to clarify that the second
sentence pertains only to ability to load local resources, not to origin
trustworthiness.

[estark, 2016/03/01 02:59:26]

Done.

         // URL documents load images and other resources from the file system.
+        if (initializer.owner()->securityOrigin()->isPotentiallyTrustworthy())
+            securityOrigin()->setIsPotentiallyTrustworthySandboxedOrigin();
         if (initializer.owner()->securityOrigin()->canLoadLocalResources())
             securityOrigin()->grantLoadLocalResources();
         return;
     }
 
     m_cookieURL = initializer.owner()->cookieURL();
     // We alias the SecurityOrigins to match Firefox, see Bug 15313
     // https://bugs.webkit.org/show_bug.cgi?id=15313
     setSecurityOrigin(initializer.owner()->securityOrigin());
 }
@@ skipping 983 matching lines @@
 #ifndef NDEBUG
 using namespace blink;
 void showLiveDocumentInstances()
 {
     Document::WeakDocumentSet& set = Document::liveDocumentSet();
     fprintf(stderr, "There are %u documents currently alive:\n", set.size());
     for (Document* document : set)
         fprintf(stderr, "- Document %p URL: %s\n", document, document->url().string().utf8().data());
 }
 #endif