
Side by Side Diff: third_party/WebKit/Source/core/frame/Frame.cpp

Issue 2092293002: Block framebusts without a user gesture (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: better flag description Created 4 years, 3 months ago
1 /* 1 /*
2 * Copyright (C) 1998, 1999 Torben Weis <weis@kde.org> 2 * Copyright (C) 1998, 1999 Torben Weis <weis@kde.org>
3 * 1999 Lars Knoll <knoll@kde.org> 3 * 1999 Lars Knoll <knoll@kde.org>
4 * 1999 Antti Koivisto <koivisto@kde.org> 4 * 1999 Antti Koivisto <koivisto@kde.org>
5 * 2000 Simon Hausmann <hausmann@kde.org> 5 * 2000 Simon Hausmann <hausmann@kde.org>
6 * 2000 Stefan Schimanski <1Stein@gmx.de> 6 * 2000 Stefan Schimanski <1Stein@gmx.de>
7 * 2001 George Staikos <staikos@kde.org> 7 * 2001 George Staikos <staikos@kde.org>
8 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All r ights reserved. 8 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All r ights reserved.
9 * Copyright (C) 2005 Alexey Proskuryakov <ap@nypop.com> 9 * Copyright (C) 2005 Alexey Proskuryakov <ap@nypop.com>
10 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 10 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
(...skipping 24 matching lines...) Expand all
35 #include "core/frame/LocalDOMWindow.h" 35 #include "core/frame/LocalDOMWindow.h"
36 #include "core/frame/Settings.h" 36 #include "core/frame/Settings.h"
37 #include "core/frame/UseCounter.h" 37 #include "core/frame/UseCounter.h"
38 #include "core/html/HTMLFrameElementBase.h" 38 #include "core/html/HTMLFrameElementBase.h"
39 #include "core/input/EventHandler.h" 39 #include "core/input/EventHandler.h"
40 #include "core/inspector/InspectorInstrumentation.h" 40 #include "core/inspector/InspectorInstrumentation.h"
41 #include "core/inspector/InstanceCounters.h" 41 #include "core/inspector/InstanceCounters.h"
42 #include "core/layout/LayoutPart.h" 42 #include "core/layout/LayoutPart.h"
43 #include "core/loader/EmptyClients.h" 43 #include "core/loader/EmptyClients.h"
44 #include "core/loader/FrameLoaderClient.h" 44 #include "core/loader/FrameLoaderClient.h"
45 #include "core/loader/NavigationScheduler.h"
45 #include "core/page/FocusController.h" 46 #include "core/page/FocusController.h"
46 #include "core/page/Page.h" 47 #include "core/page/Page.h"
47 #include "platform/Histogram.h" 48 #include "platform/Histogram.h"
48 #include "platform/UserGestureIndicator.h" 49 #include "platform/UserGestureIndicator.h"
49 50
50 namespace blink { 51 namespace blink {
51 52
52 using namespace HTMLNames; 53 using namespace HTMLNames;
53 54
54 Frame::~Frame() 55 Frame::~Frame()
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after
161 } 162 }
162 163
163 return false; 164 return false;
164 } 165 }
165 166
166 bool Frame::canNavigate(const Frame& targetFrame) 167 bool Frame::canNavigate(const Frame& targetFrame)
167 { 168 {
168 String errorReason; 169 String errorReason;
169 bool isAllowedNavigation = canNavigateWithoutFramebusting(targetFrame, error Reason); 170 bool isAllowedNavigation = canNavigateWithoutFramebusting(targetFrame, error Reason);
170 171
171 // Frame-busting is generally allowed, but blocked for sandboxed frames lack ing the 'allow-top-navigation' flag.
172 if (targetFrame != this && !securityContext()->isSandboxed(SandboxTopNavigat ion) && targetFrame == tree().top()) { 172 if (targetFrame != this && !securityContext()->isSandboxed(SandboxTopNavigat ion) && targetFrame == tree().top()) {
173 DEFINE_STATIC_LOCAL(EnumerationHistogram, framebustHistogram, ("WebCore. Framebust", 4)); 173 DEFINE_STATIC_LOCAL(EnumerationHistogram, framebustHistogram, ("WebCore. Framebust", 4));
174 const unsigned userGestureBit = 0x1; 174 const unsigned userGestureBit = 0x1;
175 const unsigned allowedBit = 0x2; 175 const unsigned allowedBit = 0x2;
176 unsigned framebustParams = 0; 176 unsigned framebustParams = 0;
177 UseCounter::count(&targetFrame, UseCounter::TopNavigationFromSubFrame); 177 UseCounter::count(&targetFrame, UseCounter::TopNavigationFromSubFrame);
178 if (UserGestureIndicator::processingUserGesture()) 178 bool hasUserGesture = UserGestureIndicator::processingUserGesture();
179 if (hasUserGesture)
179 framebustParams |= userGestureBit; 180 framebustParams |= userGestureBit;
180 if (isAllowedNavigation) 181 if (isAllowedNavigation)
181 framebustParams |= allowedBit; 182 framebustParams |= allowedBit;
182 framebustHistogram.count(framebustParams); 183 framebustHistogram.count(framebustParams);
183 return true; 184 // Frame-busting used to be generally allowed in most situations, but ma y now blocked if there is no user gesture.
185 if (!RuntimeEnabledFeatures::framebustingNeedsSameOriginOrUserGestureEna bled())
186 return true;
187 if (hasUserGesture || isAllowedNavigation)
188 return true;
189 errorReason = "The frame attempting navigation is targeting its top-leve l window, but is neither same-origin with its target nor is it processing a user gesture. See https://www.chromestatus.com/features/5851021045661696.";
190 printNavigationErrorMessage(targetFrame, errorReason.latin1().data());
191 if (isLocalFrame())
192 toLocalFrame(this)->navigationScheduler().schedulePageBlock(toLocalF rame(this)->document());
193 return false;
184 } 194 }
185 if (!isAllowedNavigation && !errorReason.isNull()) 195 if (!isAllowedNavigation && !errorReason.isNull())
186 printNavigationErrorMessage(targetFrame, errorReason.latin1().data()); 196 printNavigationErrorMessage(targetFrame, errorReason.latin1().data());
187 return isAllowedNavigation; 197 return isAllowedNavigation;
188 } 198 }
189 199
190 bool Frame::canNavigateWithoutFramebusting(const Frame& targetFrame, String& rea son) 200 bool Frame::canNavigateWithoutFramebusting(const Frame& targetFrame, String& rea son)
191 { 201 {
192 if (securityContext()->isSandboxed(SandboxNavigation)) { 202 if (securityContext()->isSandboxed(SandboxNavigation)) {
193 // Sandboxed frames can navigate their own children. 203 // Sandboxed frames can navigate their own children.
194 if (targetFrame.tree().isDescendantOf(this)) 204 if (targetFrame.tree().isDescendantOf(this))
195 return true; 205 return true;
196 206
197 // They can also navigate popups, if the 'allow-sandbox-escape-via-popup ' flag is specified. 207 // They can also navigate popups, if the 'allow-sandbox-escape-via-popup ' flag is specified.
198 if (targetFrame == targetFrame.tree().top() && targetFrame.tree().top() != tree().top() && !securityContext()->isSandboxed(SandboxPropagatesToAuxiliaryB rowsingContexts)) 208 if (targetFrame == targetFrame.tree().top() && targetFrame.tree().top() != tree().top() && !securityContext()->isSandboxed(SandboxPropagatesToAuxiliaryB rowsingContexts))
199 return true; 209 return true;
200 210
211 // Top navigation can be opted-in.
212 if (!securityContext()->isSandboxed(SandboxTopNavigation) && targetFrame == tree().top())
213 return true;
214
201 // Otherwise, block the navigation. 215 // Otherwise, block the navigation.
202 if (securityContext()->isSandboxed(SandboxTopNavigation) && targetFrame == tree().top()) 216 if (securityContext()->isSandboxed(SandboxTopNavigation) && targetFrame == tree().top())
203 reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set."; 217 reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
204 else 218 else
205 reason = "The frame attempting navigation is sandboxed, and is there fore disallowed from navigating its ancestors."; 219 reason = "The frame attempting navigation is sandboxed, and is there fore disallowed from navigating its ancestors.";
206 return false; 220 return false;
207 } 221 }
208 222
209 ASSERT(securityContext()->getSecurityOrigin()); 223 ASSERT(securityContext()->getSecurityOrigin());
210 SecurityOrigin& origin = *securityContext()->getSecurityOrigin(); 224 SecurityOrigin& origin = *securityContext()->getSecurityOrigin();
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after
298 312
299 ASSERT(page()); 313 ASSERT(page());
300 314
301 if (m_owner) 315 if (m_owner)
302 m_owner->setContentFrame(*this); 316 m_owner->setContentFrame(*this);
303 else 317 else
304 page()->setMainFrame(this); 318 page()->setMainFrame(this);
305 } 319 }
306 320
307 } // namespace blink 321 } // namespace blink
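Review bot: The new opt-in check in canNavigateWithoutFramebusting (new lines 211-213) returns true for a frame sandboxed with 'allow-top-navigation', which makes `isAllowedNavigation` true in canNavigate and so exempts that frame from the user-gesture requirement entirely, while a non-sandboxed cross-origin frame still needs a gesture; if that exemption is intended, the one-line comment should say so, e.g. `// Top navigation can be opted-in via 'allow-top-navigation'; canNavigate() then treats the navigation as allowed, so no user gesture is required.`. The same return also changes what the `allowedBit` of the WebCore.Framebust histogram measures, since sandboxed opt-ins are now counted alongside same-origin navigations. Once that early return is in place, the `securityContext()->isSandboxed(SandboxTopNavigation)` test on new line 216 is always true when `targetFrame == tree().top()`, so it could be reduced to `if (targetFrame == tree().top())`. Minor: the comment on new line 184 reads "may now blocked" and should be "may now be blocked". canNavigateWithoutFramebusting continues past the end of the shown lines.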
