CSP: "local schemes" should inherit policy when window.opened.

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All
  * rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
@@ skipping 5488 matching lines @@
   if (getSecurityOrigin()->isUnique() &&
       SecurityOrigin::create(m_url)->isPotentiallyTrustworthy())
     getSecurityOrigin()->setUniqueOriginIsPotentiallyTrustworthy(true);
 
   if (getSecurityOrigin()->hasSuborigin())
     enforceSuborigin(*getSecurityOrigin()->suborigin());
 }
 
 void Document::initContentSecurityPolicy(ContentSecurityPolicy* csp) {
   setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());
-  if (m_frame && m_frame->tree().parent() &&
-      m_frame->tree().parent()->isLocalFrame()) {
-    ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())
-                                           ->document()
-                                           ->contentSecurityPolicy();
 
-    // We inherit the parent frame's CSP for documents with "local" schemes:
-    // 'about', 'blob', 'data', and 'filesystem'. We also inherit the parent
-    // frame's CSP for documents with empty/invalid URLs because we treat
-    // those URLs as 'about:blank' in Blink.
-    //
-    // https://w3c.github.io/webappsec-csp/#initialize-document-csp
-    if (m_url.isEmpty() || m_url.protocolIsAbout() || m_url.protocolIsData() ||
-        m_url.protocolIs("blob") || m_url.protocolIs("filesystem")) {
-      contentSecurityPolicy()->copyStateFrom(parentCSP);
-    } else if (isPluginDocument()) {
-      // Per CSP2, plugin-types for plugin documents in nested browsing
-      // contexts gets inherited from the parent.
-      contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
+  // We inherit the parent/opener's CSP for documents with "local" schemes:
+  // 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for
+  // documents with empty/invalid URLs because we treat those URLs as
+  // 'about:blank' in Blink.
+  //
+  // https://w3c.github.io/webappsec-csp/#initialize-document-csp
+  //
+  // TODO(dcheng): This is similar enough to work we're doing in
+  // 'DocumentLoader::ensureWriter' that it might make sense to combine them.
+  if (m_frame) {
+    Frame* inheritFrom = m_frame->tree().parent() ? m_frame->tree().parent()
+                                                  : m_frame->client()->opener();
+    if (inheritFrom && m_frame != inheritFrom) {
+      DCHECK(inheritFrom->securityContext() &&
+             inheritFrom->securityContext()->contentSecurityPolicy());
+      ContentSecurityPolicy* policyToInherit =
+          inheritFrom->securityContext()->contentSecurityPolicy();
+      if (m_url.isEmpty() || m_url.protocolIsAbout() ||
+          m_url.protocolIsData() || m_url.protocolIs("blob") ||
+          m_url.protocolIs("filesystem")) {
+        contentSecurityPolicy()->copyStateFrom(policyToInherit);
+      }
+      // Plugin documents inherit their parent/opener's 'plugin-types' directive
+      // regardless of URL.
+      if (isPluginDocument())
+        contentSecurityPolicy()->copyPluginTypesFrom(policyToInherit);
     }
   }
   contentSecurityPolicy()->bindToExecutionContext(this);
 }
 
 bool Document::isSecureTransitionTo(const KURL& url) const {
   RefPtr<SecurityOrigin> other = SecurityOrigin::create(url);
   return getSecurityOrigin()->canAccess(other.get());
 }
 
@@ skipping 1042 matching lines @@
 }
 
 void showLiveDocumentInstances() {
   WeakDocumentSet& set = liveDocumentSet();
   fprintf(stderr, "There are %u documents currently alive:\n", set.size());
   for (Document* document : set)
     fprintf(stderr, "- Document %p URL: %s\n", document,
             document->url().getString().utf8().data());
 }
 #endif