window.close() should work from a sandboxed iframe if iframe is opener

third_party/WebKit/Source/core/frame/Frame.cpp

 /*
  * Copyright (C) 1998, 1999 Torben Weis <weis@kde.org>
  *                     1999 Lars Knoll <knoll@kde.org>
  *                     1999 Antti Koivisto <koivisto@kde.org>
  *                     2000 Simon Hausmann <hausmann@kde.org>
  *                     2000 Stefan Schimanski <1Stein@gmx.de>
  *                     2001 George Staikos <staikos@kde.org>
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All
  * rights reserved.
  * Copyright (C) 2005 Alexey Proskuryakov <ap@nypop.com>
@@ skipping 188 matching lines @@
           toLocalFrame(this)->document());
     return false;
   }
   if (!isAllowedNavigation && !errorReason.isNull())
     printNavigationErrorMessage(targetFrame, errorReason.latin1().data());
   return isAllowedNavigation;
 }
 
 bool Frame::canNavigateWithoutFramebusting(const Frame& targetFrame,
                                            String& reason) {
+  if (&targetFrame == this)
+    return true;
+
   if (securityContext()->isSandboxed(SandboxNavigation)) {
-    // Sandboxed frames can navigate their own children.
-    if (targetFrame.tree().isDescendantOf(this))
-      return true;
-
-    // They can also navigate popups, if the 'allow-sandbox-escape-via-popup'
-    // flag is specified.
-    if (targetFrame == targetFrame.tree().top() &&
-        targetFrame.tree().top() != tree().top() &&
-        !securityContext()->isSandboxed(
-            SandboxPropagatesToAuxiliaryBrowsingContexts))
-      return true;
-
-    // Top navigation can be opted-in.
-    if (!securityContext()->isSandboxed(SandboxTopNavigation) &&
-        targetFrame == tree().top())
-      return true;
-
-    // Otherwise, block the navigation.
-    if (securityContext()->isSandboxed(SandboxTopNavigation) &&
-        targetFrame == tree().top())
-      reason =
-          "The frame attempting navigation of the top-level window is "
-          "sandboxed, but the 'allow-top-navigation' flag is not set.";
-    else
+    if (!targetFrame.tree().isDescendantOf(this) &&
+        !targetFrame.isMainFrame()) {

[Nate Chapin, 2016/11/01 23:47:52]

I inverted this block so that it more closely matches
https://html.spec.whatwg.org/multipage/browsers.html#allowed-to-navigate (albeit
with clauses 2 and 3 reversed).

       reason =
           "The frame attempting navigation is sandboxed, and is therefore "
           "disallowed from navigating its ancestors.";
-    return false;
+      return false;
+    }
+
+    // Sandboxed frames can also navigate popups, if the
+    // 'allow-sandbox-escape-via-popup' flag is specified, or if
+    // 'allow-popups' flag is specified, or if the
+    if (targetFrame.isMainFrame() && targetFrame != tree().top() &&
+        securityContext()->isSandboxed(
+            SandboxPropagatesToAuxiliaryBrowsingContexts) &&
+        (securityContext()->isSandboxed(SandboxPopups) ||
+         targetFrame.client()->opener() != this)) {
+      reason =
+          "The frame attempting navigation is sandboxed and is trying "
+          "to navigate a popup, but is not the popup's opener and is not "
+          "set to propagate sandboxing to popups.";
+      return false;
+    }
+
+    // Top navigation is forbidden unless opted-in. allow-top-navigation
+    // will also skips origin checks.
+    if (targetFrame == tree().top()) {
+      if (securityContext()->isSandboxed(SandboxTopNavigation)) {
+        reason =
+            "The frame attempting navigation of the top-level window is "
+            "sandboxed, but the 'allow-top-navigation' flag is not set.";
+        return false;
+      }
+      return true;

[Nate Chapin, 2016/11/01 23:47:52]

We seem to depend on skipping origin checks for allow-top-navigation.

This is complicated by the fact that the spec splits navigation permissions into
an "is familiar with" step and an "is allowed to navigate" step. We combine them
in this function: the "if (securityContext()->isSandboxed(SandboxNavigation))"
block corresponds to "is allowed to navigate", and the rest to "is familiar
with". 

"is familiar with" is used far less frequently, according to the spec, and it's
not clear to me that what the spec defines is actually what browsers do in
practice. The spec implies that an Location object you can reach without looking
up by name/target (that is, top, opener, and any of their descendants) can be
navigated without any familiarity requirements. That's not what we do, and it's
not what firefox does AFAICT.

+    }
   }
 
   ASSERT(securityContext()->getSecurityOrigin());
   SecurityOrigin& origin = *securityContext()->getSecurityOrigin();
 
   // This is the normal case. A document can navigate its decendant frames,
   // or, more generally, a document can navigate a frame if the document is
   // in the same origin as any of that frame's ancestors (in the frame
   // hierarchy).
   //
@@ skipping 84 matching lines @@
 
   ASSERT(page());
 
   if (m_owner)
     m_owner->setContentFrame(*this);
   else
     page()->setMainFrame(this);
 }
 
 }  // namespace blink