
Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 1723753002: Make Document::isSecureContext() work for OOPIFs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix WebRemoteFrameImpl assert Created 4 years, 9 months ago
Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 81263fb20b605db13a5843c513e00835b5d3c863..7dbc83a946e06d2d63430a6431953f5a9e065691 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -3386,35 +3386,19 @@ bool Document::isSecureContextImpl(String* errorMessage, const SecureContextChec
//
// In all cases, a frame must be potentially trustworthy in addition to
// having an exception listed in order for the exception to be granted.
- if (SecurityContext::isSandboxed(SandboxOrigin)) {
- RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url());
- if (!isOriginPotentiallyTrustworthy(origin.get(), errorMessage))
- return false;
- if (SchemeRegistry::schemeShouldBypassSecureContextCheck(origin->protocol()))
- return true;
- } else {
- if (!isOriginPotentiallyTrustworthy(securityOrigin(), errorMessage))
- return false;
- if (SchemeRegistry::schemeShouldBypassSecureContextCheck(securityOrigin()->protocol()))
- return true;
- }
+ if (!isOriginPotentiallyTrustworthy(securityOrigin(), errorMessage))
+ return false;
+ if (SchemeRegistry::schemeShouldBypassSecureContextCheck(securityOrigin()->protocol()))
+ return true;
if (privilegeContextCheck == StandardSecureContextCheck) {
- Document* context = parentDocument();
- while (context) {
- // Skip to the next ancestor if it's a srcdoc.
- if (!context->isSrcdocDocument()) {
- if (context->securityContext().isSandboxed(SandboxOrigin)) {
- // For a sandboxed origin, use the document's URL.
- RefPtr<SecurityOrigin> origin = SecurityOrigin::create(context->url());
- if (!isOriginPotentiallyTrustworthy(origin.get(), errorMessage))
- return false;
- } else {
- if (!isOriginPotentiallyTrustworthy(context->securityOrigin(), errorMessage))
- return false;
- }
- }
- context = context->parentDocument();
+ if (!m_frame)
+ return true;
+ Frame* parent = m_frame->tree().parent();
+ while (parent) {
+ if (!isOriginPotentiallyTrustworthy(parent->securityContext()->securityOrigin(), errorMessage))
+ return false;
+ parent = parent->tree().parent();
}
}
return true;
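Review bot: The new `while (parent)` walk in the StandardSecureContextCheck branch silently drops the old special cases for srcdoc and sandboxed ancestors, so its correctness now rests on every sandboxed ancestor's unique origin already carrying the potentially-trustworthy bit that initSecurityContext() and enforceSandboxFlags() set elsewhere in this patch; nothing in the hunk records that dependency. A comment above the loop would make it explicit, e.g. `// Walk the frame tree instead of parentDocument() so remote (OOPIF) ancestors are included; a sandboxed ancestor's unique origin is expected to carry its trustworthiness bit (see setUniqueOriginIsPotentiallyTrustworthy()).` Whether `parent->securityContext()->securityOrigin()` can be null for a remote frame whose origin has not been replicated yet is not visible here; if isOriginPotentiallyTrustworthy() does not accept a null origin, the loop needs a guard before the call. The `if (!m_frame) return true;` early-out also deserves a one-line comment, since a frameless document now passes the ancestor check outright. The function's closing brace lies outside the hunk.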
@@ -4942,10 +4926,14 @@ void Document::initSecurityContext(const DocumentInit& initializer)
if (isSandboxed(SandboxOrigin)) {
m_cookieURL = m_url;
setSecurityOrigin(SecurityOrigin::createUnique());
- // If we're supposed to inherit our security origin from our owner,
- // but we're also sandboxed, the only thing we inherit is the ability
- // to load local resources. This lets about:blank iframes in file://
- // URL documents load images and other resources from the file system.
+ // If we're supposed to inherit our security origin from our
+ // owner, but we're also sandboxed, the only things we inherit are
+ // the origin's potential trustworthiness and the ability to
+ // load local resources. The latter lets about:blank iframes in
+ // file:// URL documents load images and other resources from
+ // the file system.
+ if (initializer.owner() && initializer.owner()->securityOrigin()->isPotentiallyTrustworthy())
+ setUniqueOriginIsPotentiallyTrustworthy();
if (initializer.owner() && initializer.owner()->securityOrigin()->canLoadLocalResources())
securityOrigin()->grantLoadLocalResources();
} else if (initializer.owner()) {
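Review bot: The added trustworthiness check and the existing canLoadLocalResources check in the sandboxed branch each re-evaluate `initializer.owner() && initializer.owner()->securityOrigin()`, so they read as two unrelated guards even though the comment right above describes them as the two things a sandboxed document inherits from its owner. Hoisting the owner into one scoped block keeps the inherited properties together and removes the duplicated null check. Whether owner()->securityOrigin() can itself be null here is not visible in the hunk; the `else if` arm that follows is cut off at the hunk boundary.
```cpp
        setSecurityOrigin(SecurityOrigin::createUnique());
        // … unchanged: comment on what a sandboxed document inherits from its owner …
        if (auto* owner = initializer.owner()) {
            if (owner->securityOrigin()->isPotentiallyTrustworthy())
                setUniqueOriginIsPotentiallyTrustworthy();
            if (owner->securityOrigin()->canLoadLocalResources())
                securityOrigin()->grantLoadLocalResources();
        }
```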
@@ -5001,8 +4989,8 @@ void Document::initSecurityContext(const DocumentInit& initializer)
setBaseURLOverride(initializer.parentBaseURL());
}
- if (securityOrigin()->hasSuborigin())
alexmos 2016/03/09 18:45:06 Weird that there were two identical enforceSuborig
estark 2016/03/10 00:53:44 Huh, I actually didn't notice that I deleted this;
- enforceSuborigin(securityOrigin()->suboriginName());
+ if (securityOrigin()->isUnique() && SecurityOrigin::create(m_url)->isPotentiallyTrustworthy())
+ setUniqueOriginIsPotentiallyTrustworthy();
}
void Document::initContentSecurityPolicy(PassRefPtrWillBeRawPtr<ContentSecurityPolicy> csp)
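Review bot: The new `if (securityOrigin()->isUnique() && SecurityOrigin::create(m_url)->isPotentiallyTrustworthy())` at the tail of initSecurityContext() has no comment saying why the document URL rather than the origin decides trustworthiness here, which is the kind of security decision a later reader will want justified in place; suggest `// The origin is unique (e.g. sandboxed), so use the document URL, not the origin, to decide whether this document is potentially trustworthy.` above it. Note that when the sandboxed branch earlier in this same function has already called setUniqueOriginIsPotentiallyTrustworthy() via the owner, this line calls it a second time for a trustworthy URL, so the client notification fires twice; that is harmless only if didSetUniqueOriginPotentiallyTrustworthy() is idempotent, which is not visible here. The temporary SecurityOrigin built from m_url on every initialization could also be avoided by checking the URL's trustworthiness directly if such a helper exists.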
@@ -5063,6 +5051,14 @@ bool Document::allowExecutingScripts(Node* node)
return true;
}
+void Document::enforceSandboxFlags(SandboxFlags mask)
+{
+ RefPtr<SecurityOrigin> standInOrigin = securityOrigin();
+ applySandboxFlags(mask);
+ if (standInOrigin && !standInOrigin->isUnique() && securityOrigin()->isUnique() && standInOrigin->isPotentiallyTrustworthy())
+ setUniqueOriginIsPotentiallyTrustworthy();
+}
+
void Document::updateSecurityOrigin(PassRefPtr<SecurityOrigin> origin)
{
setSecurityOrigin(origin);
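Review bot: The name `standInOrigin` in enforceSandboxFlags() does not say what the variable is for; it holds the origin as it was before applySandboxFlags() ran, and the whole function exists to carry the trustworthiness bit across that switch, so `RefPtr<SecurityOrigin> originBeforeSandboxing = securityOrigin();` with the comment `// applySandboxFlags() may replace a non-unique origin with a unique one; preserve the old origin's potential trustworthiness across that switch.` would document the intent. The `!standInOrigin->isUnique()` term means an origin that was already unique and trustworthy does not propagate its bit: if applySandboxFlags() can replace an already-unique origin with a fresh one, that drops a previously set bit; if it cannot, a comment stating so would explain why the term is safe. Whether applySandboxFlags() actually replaces the origin is not visible in this hunk.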
@@ -5922,6 +5918,13 @@ PassOwnPtrWillBeRawPtr<OriginTrialContext> Document::createOriginTrialContext()
return adoptPtrWillBeNoop(new DocumentOriginTrialContext(this));
}
+void Document::setUniqueOriginIsPotentiallyTrustworthy()
+{
+ securityOrigin()->setUniqueOriginIsPotentiallyTrustworthy(true);
+ if (frame())
+ frame()->loader().client()->didSetUniqueOriginPotentiallyTrustworthy();
+}
+
DEFINE_TRACE(Document)
{
#if ENABLE(OILPAN)
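Review bot: setUniqueOriginIsPotentiallyTrustworthy() is named for a unique origin and every caller in this patch checks isUnique() (or has just called SecurityOrigin::createUnique()) before calling it, but the method itself does not state that precondition; adding `ASSERT(securityOrigin()->isUnique());` as its first line would catch a future caller that marks a real origin trustworthy by mistake. A short header comment would also help, e.g. `// Marks this document's unique origin as potentially trustworthy and tells the embedder so the flag can be replicated to other frames/processes.` — the replication part is inferred from the issue title and should be confirmed. Whether `frame()->loader().client()` can be null (for instance during detach) is not visible here; if it can, the notification needs a null check.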
