third_party/WebKit/Source/core/frame/Frame.cpp - Issue 2399713002: window.close() should work from a sandboxed iframe if iframe is opener

Unified Diff: third_party/WebKit/Source/core/frame/Frame.cpp

Issue 2399713002: window.close() should work from a sandboxed iframe if iframe is opener (Closed)

Patch Set: +test Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-can-navigate-expected.txt ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/frame/Frame.cpp

diff --git a/third_party/WebKit/Source/core/frame/Frame.cpp b/third_party/WebKit/Source/core/frame/Frame.cpp

index aa7ce85b880f4ad16e4293355fa7a168b22f5cb3..3433a493c81f3d7725ea2df809c727d5e758a8e2 100644

--- a/third_party/WebKit/Source/core/frame/Frame.cpp

+++ b/third_party/WebKit/Source/core/frame/Frame.cpp

@@ -206,35 +206,44 @@ bool Frame::canNavigate(const Frame& targetFrame) {

bool Frame::canNavigateWithoutFramebusting(const Frame& targetFrame,

String& reason) {

- if (securityContext()->isSandboxed(SandboxNavigation)) {

- // Sandboxed frames can navigate their own children.

- if (targetFrame.tree().isDescendantOf(this))

- return true;

- // They can also navigate popups, if the 'allow-sandbox-escape-via-popup'

- // flag is specified.

- if (targetFrame == targetFrame.tree().top() &&

- targetFrame.tree().top() != tree().top() &&

- !securityContext()->isSandboxed(

- SandboxPropagatesToAuxiliaryBrowsingContexts))

- return true;

- // Top navigation can be opted-in.

- if (!securityContext()->isSandboxed(SandboxTopNavigation) &&

- targetFrame == tree().top())

- return true;

+ if (&targetFrame == this)

+ return true;

- // Otherwise, block the navigation.

- if (securityContext()->isSandboxed(SandboxTopNavigation) &&

- targetFrame == tree().top())

- reason =

- "The frame attempting navigation of the top-level window is "

- "sandboxed, but the 'allow-top-navigation' flag is not set.";

- else

+ if (securityContext()->isSandboxed(SandboxNavigation)) {

+ if (!targetFrame.tree().isDescendantOf(this) &&

+ !targetFrame.isMainFrame()) {

Nate Chapin 2016/11/01 23:47:52 I inverted this block so that it more closely matc

reason =

"The frame attempting navigation is sandboxed, and is therefore "

"disallowed from navigating its ancestors.";

- return false;

+ return false;

+ }

+ // Sandboxed frames can also navigate popups, if the

+ // 'allow-sandbox-escape-via-popup' flag is specified, or if

+ // 'allow-popups' flag is specified, or if the

+ if (targetFrame.isMainFrame() && targetFrame != tree().top() &&

+ securityContext()->isSandboxed(

+ SandboxPropagatesToAuxiliaryBrowsingContexts) &&

+ (securityContext()->isSandboxed(SandboxPopups) ||

+ targetFrame.client()->opener() != this)) {

+ reason =

+ "The frame attempting navigation is sandboxed and is trying "

+ "to navigate a popup, but is not the popup's opener and is not "

+ "set to propagate sandboxing to popups.";

+ return false;

+ }

+ // Top navigation is forbidden unless opted-in. allow-top-navigation

+ // will also skips origin checks.

+ if (targetFrame == tree().top()) {

+ if (securityContext()->isSandboxed(SandboxTopNavigation)) {

+ reason =

+ "The frame attempting navigation of the top-level window is "

+ "sandboxed, but the 'allow-top-navigation' flag is not set.";

+ return false;

+ }

+ return true;

Nate Chapin 2016/11/01 23:47:52 We seem to depend on skipping origin checks for al

+ }

}

ASSERT(securityContext()->getSecurityOrigin());

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-can-navigate-expected.txt ('k') | no next file » | no next file with comments »