Make sure binding security checks don't pass if the frame is remote.

content/browser/frame_host/render_frame_host_manager_browsertest.cc

Index: content/browser/frame_host/render_frame_host_manager_browsertest.cc
diff --git a/content/browser/frame_host/render_frame_host_manager_browsertest.cc b/content/browser/frame_host/render_frame_host_manager_browsertest.cc
index 0d50ef6e024a39a3ed0240ba85d10aa427dbf248..2cc5b0cd605b0494534ba8ced778bfe5ddee2798 100644
--- a/content/browser/frame_host/render_frame_host_manager_browsertest.cc
+++ b/content/browser/frame_host/render_frame_host_manager_browsertest.cc
@@ -52,6 +52,7 @@
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/request_handler_util.h"
+#include "testing/gmock/include/gmock/gmock-matchers.h"
 
 using base::ASCIIToUTF16;
 
@@ -2617,4 +2618,68 @@ IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest,
   click_link_and_verify_popup("clickNoRefTargetBlankLink()");
 }
 
+
+// When two frames are same-origin but cross-process; they should behave as if

[Charlie Reis, 2016/04/13 06:18:32]

nit: Comma rather than semicolon.

[dcheng, 2016/04/13 06:33:30]

Done.

+// they are not same-origin, and should not crash.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest,
+                       SameOriginFramesInDifferentProcesses) {
+  StartEmbeddedServer();
+
+  // Load a page with links that open in a new window.
+  NavigateToURL(shell(), embedded_test_server()->GetURL(
+                             "a.com", "/click-noreferrer-links.html"));
+
+  // Get the original SiteInstance for later comparison.
+  scoped_refptr<SiteInstance> orig_site_instance(
+      shell()->web_contents()->GetSiteInstance());
+  EXPECT_TRUE(orig_site_instance.get() != NULL);

[Charlie Reis, 2016/04/13 06:18:33]

nit: nullptr

[dcheng, 2016/04/13 06:33:30]

Changed this EXPECT_NE as well.

+
+  // Test clicking a target=foo link.
+  ShellAddedObserver new_shell_observer;
+  bool success = false;
+  EXPECT_TRUE(ExecuteScriptAndExtractBool(
+      shell()->web_contents(),
+      "window.domAutomationController.send(clickSameSiteTargetedLink());"
+      "saveWindowReference();",
+      &success));
+  EXPECT_TRUE(success);
+  Shell* new_shell = new_shell_observer.GetShell();
+
+  // Wait for the navigation in the new tab to finish, if it hasn't.
+  WaitForLoadStop(new_shell->web_contents());
+  EXPECT_EQ("/navigate_opener.html",
+            new_shell->web_contents()->GetLastCommittedURL().path());
+
+  // Clear the opener.

[Charlie Reis, 2016/04/13 06:18:33]

This block is unnecessary, given how the test works.

It only matters when doing a window.open() (to about:blank) and then doing a
renderer-initiated cross-site navigation.  Instead, this test is doing a
browser-initiated cross-site navigation on line 2662, which will go cross
process whether the opener is null or not.

[dcheng, 2016/04/13 06:33:48]

Done.

+  EXPECT_TRUE(ExecuteScriptAndExtractBool(
+      new_shell->web_contents(),
+      "window.opener = null;"
+      "window.domAutomationController.send(window.opener == null)",
+      &success));
+  EXPECT_TRUE(success);
+
+  // Do a cross-site navigation that winds up same-site

[Charlie Reis, 2016/04/13 06:18:33]

nit: End with period, and mention that it ends up in a different process.

[dcheng, 2016/04/13 06:33:30]

Done.

+  NavigateToURL(new_shell, embedded_test_server()->GetURL(
+                               "b.com", "/cross-site/a.com/title1.html"));
+  EXPECT_NE(shell()->web_contents()->GetSiteInstance(),
+            new_shell->web_contents()->GetSiteInstance());
+
+  // Now navigate the new tab to a different site.

[Charlie Reis, 2016/04/13 06:18:33]

Looks like a stale comment?

[dcheng, 2016/04/13 06:33:30]

Done.

+  std::string result;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      shell()->web_contents(),
+      "window.domAutomationController.send((function() {\n"
+      "  try {\n"
+      "    getLastOpenedWindowLocation();\n"
+      "  } catch (e) {\n"
+      "    return e.toString();\n"
+      "  }\n"
+      "})())",
+      &result));
+  EXPECT_THAT(result,
+              ::testing::MatchesRegex("SecurityError: Blocked a frame with "
+                                      "origin \"http://a.com:\\d+\" from "
+                                      "accessing a cross-origin frame."));
+}
+
 }  // namespace content