

Issue 2530343006: CSP: "local schemes" should inherit policy when window.opened. (Closed)
Patch Set: Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 8a394b442085bdb71681852e61ec9f615ff941ec..844c2365322efaf4edce4827ccdb268edeba2706 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -5506,26 +5506,31 @@ void Document::initSecurityContext(const DocumentInit& initializer) {
void Document::initContentSecurityPolicy(ContentSecurityPolicy* csp) {
setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());
- if (m_frame && m_frame->tree().parent() &&
- m_frame->tree().parent()->isLocalFrame()) {
- ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())
- ->document()
- ->contentSecurityPolicy();
-
- // We inherit the parent frame's CSP for documents with "local" schemes:
- // 'about', 'blob', 'data', and 'filesystem'. We also inherit the parent
- // frame's CSP for documents with empty/invalid URLs because we treat
- // those URLs as 'about:blank' in Blink.
- //
- // https://w3c.github.io/webappsec-csp/#initialize-document-csp
+
+ // We inherit the parent/opener's CSP for documents with "local" schemes:
+ // 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for
+ // documents with empty/invalid URLs because we treat those URLs as
+ // 'about:blank' in Blink.
+ //
+ // https://w3c.github.io/webappsec-csp/#initialize-document-csp
+ Frame* inheritFrom = nullptr;
+ if (m_frame && m_frame->tree().parent())
dcheng 2016/11/29 22:37:23 Random musing: this feels kind of similar to https
+ inheritFrom = m_frame->tree().parent();
+ else if (m_frame && m_frame->client())
dcheng 2016/11/29 22:37:23 Nit: I think we should be able to assume client()
+ inheritFrom = m_frame->client()->opener();
+ if (inheritFrom) {
+ DCHECK(inheritFrom->securityContext() &&
+ inheritFrom->securityContext()->contentSecurityPolicy());
+ ContentSecurityPolicy* policyToInherit =
+ inheritFrom->securityContext()->contentSecurityPolicy();
if (m_url.isEmpty() || m_url.protocolIsAbout() || m_url.protocolIsData() ||
m_url.protocolIs("blob") || m_url.protocolIs("filesystem")) {
- contentSecurityPolicy()->copyStateFrom(parentCSP);
- } else if (isPluginDocument()) {
- // Per CSP2, plugin-types for plugin documents in nested browsing
- // contexts gets inherited from the parent.
- contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
+ contentSecurityPolicy()->copyStateFrom(policyToInherit);
}
+ // Plugin documents inherit their parent/opener's 'plugin-types' directive
+ // regardless of URL.
+ if (isPluginDocument())
+ contentSecurityPolicy()->copyPluginTypesFrom(policyToInherit);
}
contentSecurityPolicy()->bindToExecutionContext(this);
}
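Review bot: The `DCHECK(inheritFrom->securityContext() && ...)` that replaces the old `isLocalFrame()` guard is compiled out in release builds, so the new path dereferences `inheritFrom->securityContext()` and its CSP unconditionally for parents and openers that may now be remote frames; whether a remote frame's replicated security context can lack a CSP at this point is not visible from the hunk, but the old code never reached a CSP through anything but a local frame's `document()`. If that state is reachable, skipping inheritance silently would be a policy bypass and crashing is the lesser evil, so either keep the DCHECK and add a runtime guard, e.g. change the entry to `if (inheritFrom && inheritFrom->securityContext() && inheritFrom->securityContext()->contentSecurityPolicy()) {`, or document why the invariant is guaranteed for RemoteFrames in a comment above the DCHECK. Separately, the removed comment scoped `plugin-types` inheritance to nested browsing contexts per CSP2, while the new `if (isPluginDocument())` also copies it from an opener for top-level plugin documents; if that widening is intended, the comment on the `// Plugin documents inherit ...` line should say so explicitly, e.g. `// Note: this deliberately extends CSP2's nested-browsing-context rule to window.open()ed plugin documents.`, otherwise the plugin-types copy should stay parent-only. The enclosing function is complete within the hunk.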
