Reland: service worker: Don't control a subframe of an insecure context

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 341 matching lines @@
     return toLayoutPart(layoutObject)->widget();
 }
 
 static bool acceptsEditingFocus(const Element& element)
 {
     DCHECK(element.hasEditableStyle());
 
     return element.document().frame() && element.rootEditableElement();
 }
 
-static bool isOriginPotentiallyTrustworthy(SecurityOrigin* origin, String* errorMessage)
-{
-    if (origin->isPotentiallyTrustworthy())
-        return true;
-    if (errorMessage)
-        *errorMessage = origin->isPotentiallyTrustworthyErrorMessage();
-    return false;
-}
-
 uint64_t Document::s_globalTreeVersion = 0;
 
 static bool s_threadedParsingEnabledForTesting = true;
 
 // This class doesn't work with non-Document ExecutionContext.
 class AutofocusTask final : public ExecutionContextTask {
 public:
     static std::unique_ptr<AutofocusTask> create()
     {
         return wrapUnique(new AutofocusTask());
@@ skipping 2938 matching lines @@
 
 void Document::cloneDataFromDocument(const Document& other)
 {
     setCompatibilityMode(other.getCompatibilityMode());
     setEncodingData(other.m_encodingData);
     setContextFeatures(other.contextFeatures());
     setSecurityOrigin(other.getSecurityOrigin()->isolatedCopy());
     setMimeType(other.contentType());
 }
 
-bool Document::isSecureContextImpl(String* errorMessage, const SecureContextCheck privilegeContextCheck) const
+bool Document::isSecureContextImpl(const SecureContextCheck privilegeContextCheck) const
 {
     // There may be exceptions for the secure context check defined for certain
     // schemes. The exceptions are applied only to the special scheme and to
     // sandboxed URLs from those origins, but *not* to any children.
     //
     // For example:
     //   <iframe src="http://host">
     //     <iframe src="scheme-has-exception://host"></iframe>
     //     <iframe sandbox src="scheme-has-exception://host"></iframe>
     //   </iframe>
     // both inner iframes pass this check, assuming that the scheme
     // "scheme-has-exception:" is granted an exception.
     //
     // However,
     //   <iframe src="http://host">
     //     <iframe sandbox src="http://host"></iframe>
     //   </iframe>
     // would fail the check (that is, sandbox does not grant an exception itself).
     //
     // Additionally, with
     //   <iframe src="scheme-has-exception://host">
     //     <iframe src="http://host"></iframe>
     //     <iframe sandbox src="http://host"></iframe>
     //   </iframe>
     // both inner iframes would fail the check, even though the outermost iframe
     // passes.
     //
     // In all cases, a frame must be potentially trustworthy in addition to
     // having an exception listed in order for the exception to be granted.
-    if (!isOriginPotentiallyTrustworthy(getSecurityOrigin(), errorMessage))
+    if (!getSecurityOrigin()->isPotentiallyTrustworthy())
         return false;
 
     if (SchemeRegistry::schemeShouldBypassSecureContextCheck(getSecurityOrigin()->protocol()))
         return true;
 
     if (privilegeContextCheck == StandardSecureContextCheck) {
-        if (!m_frame)
-            return true;
-        Frame* parent = m_frame->tree().parent();
-        while (parent) {
-            if (!isOriginPotentiallyTrustworthy(parent->securityContext()->getSecurityOrigin(), errorMessage))
-                return false;
-            parent = parent->tree().parent();
-        }
+        Frame* parent = m_frame ? m_frame->tree().parent() : nullptr;
+        if (parent && !parent->canHaveSecureChild())
+            return false;
     }
     return true;
 }
 
 StyleSheetList& Document::styleSheets()
 {
     if (!m_styleSheetList)
         m_styleSheetList = StyleSheetList::create(this);
     return *m_styleSheetList;
 }
@@ skipping 2457 matching lines @@
 {
     wrapper = V8DOMWrapper::associateObjectWithWrapper(isolate, this, wrapperType, wrapper);
     DOMWrapperWorld& world = DOMWrapperWorld::current(isolate);
     if (world.isMainWorld() && frame())
         frame()->script().windowProxy(world)->updateDocumentWrapper(wrapper);
     return wrapper;
 }
 
 bool Document::isSecureContext(String& errorMessage, const SecureContextCheck privilegeContextCheck) const
 {
-    return isSecureContextImpl(&errorMessage, privilegeContextCheck);
+    if (isSecureContextImpl(privilegeContextCheck))
+        return true;
+    errorMessage = SecurityOrigin::isPotentiallyTrustworthyErrorMessage();
+    return false;
 }
 
 bool Document::isSecureContext(const SecureContextCheck privilegeContextCheck) const
 {
-    return isSecureContextImpl(nullptr, privilegeContextCheck);
+    return isSecureContextImpl(privilegeContextCheck);
 }
 
 WebTaskRunner* Document::loadingTaskRunner() const
 {
     if (frame())
         return frame()->frameScheduler()->loadingTaskRunner();
     if (m_importsController)
         return m_importsController->master()->loadingTaskRunner();
     if (m_contextDocument)
         return m_contextDocument->loadingTaskRunner();
@@ skipping 146 matching lines @@
 }
 
 void showLiveDocumentInstances()
 {
     WeakDocumentSet& set = liveDocumentSet();
     fprintf(stderr, "There are %u documents currently alive:\n", set.size());
     for (Document* document : set)
         fprintf(stderr, "- Document %p URL: %s\n", document, document->url().getString().utf8().data());
 }
 #endif