Sandbox detached iframes a bit more

third_party/WebKit/Source/bindings/core/v8/V8DOMWrapper.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 19 matching lines @@
 
 #include "bindings/core/v8/V8DOMWrapper.h"
 
 #include "bindings/core/v8/V8Binding.h"
 #include "bindings/core/v8/V8Location.h"
 #include "bindings/core/v8/V8ObjectConstructor.h"
 #include "bindings/core/v8/V8PerContextData.h"
 #include "bindings/core/v8/V8PerIsolateData.h"
 #include "bindings/core/v8/V8ScriptRunner.h"
 #include "bindings/core/v8/V8Window.h"
+#include "core/dom/Document.h"
+#include "core/frame/LocalDOMWindow.h"
 
 namespace blink {
 
 v8::Local<v8::Object> V8DOMWrapper::createWrapper(v8::Isolate* isolate, v8::Local<v8::Object> creationContext, const WrapperTypeInfo* type)
 {
     ASSERT(!type->equals(&V8Window::wrapperTypeInfo));
     // According to https://html.spec.whatwg.org/multipage/browsers.html#security-location,
     // cross-origin script access to a few properties of Location is allowed.
     // Location already implements the necessary security checks.
     bool withSecurityCheck = !type->equals(&V8Location::wrapperTypeInfo);
@@ skipping 50 matching lines @@
         && untrustedWrapperTypeInfo->ginEmbedder == gin::kEmbedderBlink;
 }
 
 void V8WrapperInstantiationScope::securityCheck(v8::Isolate* isolate, v8::Local<v8::Context> contextForWrapper)
 {
     if (m_context.IsEmpty())
         return;
     // If the context is different, we need to make sure that the current
     // context has access to the creation context.
     Frame* frame = toFrameIfNotDetached(contextForWrapper);
-    if (!frame)
+    if (!frame) {
+        // Sandbox detached frames - they can't create cross origin objects.
+        LocalDOMWindow* callingWindow = currentDOMWindow(isolate);
+        DOMWindow* targetWindow = toDOMWindow(contextForWrapper);
+        if (callingWindow->document()->getSecurityOrigin()->canAccessCheckSuborigins(targetWindow->document()->getSecurityOrigin()))

[jochen (gone - plz use gerrit), 2016/06/07 08:47:39]

here ^^^

+            return;
+
+        // TODO(jochen): Currently, Location is the only object for which we can reach this code path. Should be generalized.
+        ExceptionState exceptionState(ExceptionState::ConstructionContext, "Location", contextForWrapper->Global(), isolate);
+        // We can't create a better message for a detached frame.
+        exceptionState.throwSecurityError(String(), String());
+        exceptionState.throwIfNeeded();
         return;
+    }
     const DOMWrapperWorld& currentWorld = DOMWrapperWorld::world(m_context);
     RELEASE_ASSERT(currentWorld.worldId() == DOMWrapperWorld::world(contextForWrapper).worldId());
     if (currentWorld.isMainWorld()) {
         RELEASE_ASSERT(BindingSecurity::shouldAllowAccessToFrame(isolate, currentDOMWindow(isolate), frame, DoNotReportSecurityError));
     }
 }
 
 void V8WrapperInstantiationScope::convertException()
 {
     v8::Isolate* isolate = m_context->GetIsolate();
     // TODO(jochen): Currently, Location is the only object for which we can reach this code path. Should be generalized.
     ExceptionState exceptionState(ExceptionState::ConstructionContext, "Location", isolate->GetCurrentContext()->Global(), isolate);
     LocalDOMWindow* callingWindow = currentDOMWindow(isolate);
     DOMWindow* targetWindow = toDOMWindow(m_context);
     exceptionState.throwSecurityError(targetWindow->sanitizedCrossDomainAccessErrorMessage(callingWindow), targetWindow->crossDomainAccessErrorMessage(callingWindow));
     exceptionState.throwIfNeeded();
 }
 
 } // namespace blink