Don't skip security checks for javascript: URLs when the JS stack is empty.

Don't skip security checks for javascript: URLs when the JS stack is empty.

Before this patch, HTMLFrameElementBase::isURLAllowed would skip the security
check if there were no JavaScript frames on the stack. This could lead to UXSS
bugs if an attacker managed to trick the parser into attaching a frame element
with a cross-origin document and the src attribute set to a javascript: URL.

After this patch, the security context of the frame's containing document
is used to verify if the URL is allowed. Nothing else (expect for some other
same-origin context) could've set the src attribute, so we assume it's the most
logical choice in the absence of the current JavaScript context.

BUG=117226
Review-Url: https://codereview.chromium.org/2502783004
Cr-Commit-Position: refs/heads/master@{#436449}
(cherry picked from commit 783e19486cab2b7485b4a19c02a2eb0369f3b350)

R=esprehn@chromium.org, haraken@chromium.org, jochen@chromium.org

Committed: https://chromium.googlesource.com/chromium/src/+/6a2bb4e40356e5a96ff3395ee5ba8c1b48736f9d

[dcheng, 2016-12-16 01:33:11]

dcheng@chromium.org changed reviewers:
+ esprehn@chromium.org, haraken@chromium.org, jochen@chromium.org

[dcheng, 2016-12-16 01:33:12]

This is a merge to M56. I believe this should be safe, but if anyone believes
otherwise, please let me know. If no one comments, I'll be pushing this to M56
at 5pm PST on 2016-12-16.

[haraken, 2016-12-16 01:36:36]

LGTM on my side

[esprehn, 2016-12-16 01:54:02]

lgtm

[jochen (gone - plz use gerrit), 2016-12-16 09:27:41]

lgtm

[dcheng, 2016-12-16 09:34:45]

Description was changed from

==========
Don't skip security checks for javascript: URLs when the JS stack is empty.

Before this patch, HTMLFrameElementBase::isURLAllowed would skip the security
check if there were no JavaScript frames on the stack. This could lead to UXSS
bugs if an attacker managed to trick the parser into attaching a frame element
with a cross-origin document and the src attribute set to a javascript: URL.

After this patch, the security context of the frame's containing document
is used to verify if the URL is allowed. Nothing else (expect for some other
same-origin context) could've set the src attribute, so we assume it's the most
logical choice in the absence of the current JavaScript context.

BUG=117226

Review-Url: https://codereview.chromium.org/2502783004
Cr-Commit-Position: refs/heads/master@{#436449}
(cherry picked from commit 783e19486cab2b7485b4a19c02a2eb0369f3b350)
==========

to

==========
Don't skip security checks for javascript: URLs when the JS stack is empty.

Before this patch, HTMLFrameElementBase::isURLAllowed would skip the security
check if there were no JavaScript frames on the stack. This could lead to UXSS
bugs if an attacker managed to trick the parser into attaching a frame element
with a cross-origin document and the src attribute set to a javascript: URL.

After this patch, the security context of the frame's containing document
is used to verify if the URL is allowed. Nothing else (expect for some other
same-origin context) could've set the src attribute, so we assume it's the most
logical choice in the absence of the current JavaScript context.

BUG=117226

Review-Url: https://codereview.chromium.org/2502783004
Cr-Commit-Position: refs/heads/master@{#436449}
(cherry picked from commit 783e19486cab2b7485b4a19c02a2eb0369f3b350)

R=esprehn@chromium.org, haraken@chromium.org, jochen@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/6a2bb4e40356e5a96ff3395ee5ba...
==========

[dcheng, 2016-12-16 09:34:46]

Committed patchset #1 (id:1) manually as
6a2bb4e40356e5a96ff3395ee5ba8c1b48736f9d.