Form submission should abort before constraint validation if sandboxed forms flag is set.

third_party/WebKit/Source/core/html/HTMLFormElement.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 278 matching lines @@
     }
     return false;
 }
 
 void HTMLFormElement::prepareForSubmission(Event* event)
 {
     LocalFrame* frame = document().frame();
     if (!frame || m_isSubmittingOrInUserJSSubmitEvent)
         return;
 
+    if (document().isSandboxed(SandboxForms)) {
+        // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.

[Mike West, 2016/07/28 09:26:47]

Drop this comment; at this point, I don't think we're going to move these
anywhere. Maybe someone will incorporate them into the security panel at some
point, but no one's actively working on a design for that, and the linked bug is
4 years old.

[ramya.v, 2016/07/28 09:37:15]

Done.

+        document().addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Blocked form submission to '" + m_attributes.action() + "' because the form's frame is sandboxed and the 'allow-forms' permission is not set."));
+        return;
+    }
+
     bool skipValidation = !document().page() || noValidate();
     ASSERT(event);
     HTMLFormControlElement* submitElement = submitElementFromEvent(event);
     if (submitElement && submitElement->formNoValidate())
         skipValidation = true;
 
     UseCounter::count(document(), UseCounter::FormSubmissionStarted);
     // Interactive validation must be done before dispatching the submit event.
     if (!skipValidation && !validateInteractively())
         return;
@@ skipping 78 matching lines @@
     m_isSubmittingOrInUserJSSubmitEvent = false;
 }
 
 void HTMLFormElement::scheduleFormSubmission(FormSubmission* submission)
 {
     ASSERT(submission->method() == FormSubmission::PostMethod || submission->method() == FormSubmission::GetMethod);
     ASSERT(submission->data());
     ASSERT(submission->form());
     if (submission->action().isEmpty())
         return;
     if (document().isSandboxed(SandboxForms)) {

[Mike West, 2016/07/28 09:26:47]

Can we change this to a DCHECK? I think `prepareForSubmission` is always called
before `submit()` (which calls this method).

[ramya.v, 2016/07/28 09:37:15]

I tried removing this code from here in patchset1. Its giving below failures.
https://storage.googleapis.com/chromium-layout-test-archives/linux_chromium_r...

         // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
         document().addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Blocked form submission to '" + submission->action().elidedString() + "' because the form's frame is sandboxed and the 'allow-forms' permission is not set."));
         return;
     }
 
     if (protocolIsJavaScript(submission->action())) {
         if (!document().contentSecurityPolicy()->allowFormAction(submission->action()))
             return;
         document().frame()->script().executeScriptIfJavaScriptURL(submission->action());
         return;
@@ skipping 376 matching lines @@
 {
     for (const auto& control : associatedElements()) {
         if (!control->isFormControlElement())
             continue;
         if (toHTMLFormControlElement(control)->canBeSuccessfulSubmitButton())
             toHTMLFormControlElement(control)->pseudoStateChanged(CSSSelector::PseudoDefault);
     }
 }
 
 } // namespace blink