service worker: Don't control a subframe of an insecure context

content/child/service_worker/service_worker_network_provider.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/service_worker/service_worker_network_provider.h"
 
 #include "base/atomic_sequence_num.h"
 #include "content/child/child_thread_impl.h"
 #include "content/child/service_worker/service_worker_provider_context.h"
 #include "content/common/navigation_params.h"
 #include "content/common/service_worker/service_worker_messages.h"
 #include "content/common/service_worker/service_worker_utils.h"
 #include "content/public/common/browser_side_navigation_policy.h"
+#include "third_party/WebKit/public/platform/WebString.h"
+#include "third_party/WebKit/public/web/WebDocument.h"
+#include "third_party/WebKit/public/web/WebLocalFrame.h"
+#include "third_party/WebKit/public/web/WebSandboxFlags.h"
 
 namespace content {
 
 namespace {
 
 const char kUserDataKey[] = "SWProviderKey";
 
 // Must be unique in the child process.
 int GetNextProviderId() {
   static base::StaticAtomicSequenceNumber sequence;
@@ skipping 21 matching lines @@
     base::SupportsUserData* datasource_userdata) {
   return static_cast<ServiceWorkerNetworkProvider*>(
       datasource_userdata->GetUserData(&kUserDataKey));
 }
 
 // static
 std::unique_ptr<ServiceWorkerNetworkProvider>
 ServiceWorkerNetworkProvider::CreateForNavigation(
     int route_id,
     const RequestNavigationParams& request_params,
-    blink::WebSandboxFlags sandbox_flags,
+    blink::WebLocalFrame* frame,
     bool content_initiated) {
   bool browser_side_navigation = IsBrowserSideNavigationEnabled();
   bool should_create_provider_for_window = false;
   int service_worker_provider_id = kInvalidServiceWorkerProviderId;
   std::unique_ptr<ServiceWorkerNetworkProvider> network_provider;
 
   // Determine if a ServiceWorkerNetworkProvider should be created and properly
   // initialized for the navigation. A default ServiceWorkerNetworkProvider
   // will always be created since it is expected in a certain number of places,
   // however it will have an invalid id.
   // PlzNavigate: |service_worker_provider_id| can be sent by the browser, if
   // it already created the SeviceWorkerProviderHost.
   if (browser_side_navigation && !content_initiated) {
     should_create_provider_for_window =
         request_params.should_create_service_worker;
     service_worker_provider_id = request_params.service_worker_provider_id;
     DCHECK(ServiceWorkerUtils::IsBrowserAssignedProviderId(
                service_worker_provider_id) ||
            service_worker_provider_id == kInvalidServiceWorkerProviderId);
   } else {
     should_create_provider_for_window =
-        (sandbox_flags & blink::WebSandboxFlags::Origin) !=
+        (frame->effectiveSandboxFlags() & blink::WebSandboxFlags::Origin) !=
         blink::WebSandboxFlags::Origin;
+    // Check if |frame| is a subframe of an insecure context.
+    // |frame|'s document is not yet created, so check the parent
+    // document directly.
+    if (should_create_provider_for_window) {
+      blink::WebFrame* parent = frame->parent();
+      blink::WebString errorMessage;
+      if (parent && !parent->document().isSecureContext(errorMessage))

[falken, 2016/05/24 11:29:58]

Some tests fail. It looks like this can't be done because parent can be "remote"
(out of process iframe), in which case parent->document() fails.

Is there a way to check security context of a WebFrame including remote frames?

[falken, 2016/05/24 13:16:37]

I see now, there is WebSecurityOrigin. Updated the patch.

[Charlie Reis, 2016/05/24 17:22:00]

Yep, that's the right way.  +alexmos to verify it's used correctly here.  (See
also mek@'s comment.)

[alexmos, 2016/05/24 18:51:55]

Yes, remote frames should have correct SecurityOrigins (which we replicate from
the corresponding local frame).  We've also recently refactored
SecurityOrigin::isPotentiallyTrustworthy and Document::isSecureContext to work
correctly with remote frames (see issue 571079).  Ideally you'd just call
WebDocument::isSecureContext on the |frame|'s document, so it's too bad that it
isn't created yet.

+1 to jww@'s suggestion to unify this walk with the one in
Document::isSecureContext if possible.

+        should_create_provider_for_window = false;
+    }
   }
 
   // Now create the ServiceWorkerNetworkProvider (with invalid id if needed).
   if (should_create_provider_for_window) {
     if (service_worker_provider_id == kInvalidServiceWorkerProviderId) {
       network_provider = std::unique_ptr<ServiceWorkerNetworkProvider>(
           new ServiceWorkerNetworkProvider(route_id,
                                            SERVICE_WORKER_PROVIDER_FOR_WINDOW));
     } else {
       CHECK(browser_side_navigation);
@@ skipping 53 matching lines @@
     return;  // May be null in some tests.
   ChildThreadImpl::current()->Send(
       new ServiceWorkerHostMsg_SetVersionId(provider_id_, version_id));
 }
 
 bool ServiceWorkerNetworkProvider::IsControlledByServiceWorker() const {
   return context() && context()->controller();
 }
 
 }  // namespace content