Add an 'allow-top-navigation-with-user-interaction' sandbox flag.

third_party/WebKit/Source/core/frame/Frame.cpp

 /*
  * Copyright (C) 1998, 1999 Torben Weis <weis@kde.org>
  *                     1999 Lars Knoll <knoll@kde.org>
  *                     1999 Antti Koivisto <koivisto@kde.org>
  *                     2000 Simon Hausmann <hausmann@kde.org>
  *                     2000 Stefan Schimanski <1Stein@gmx.de>
  *                     2001 George Staikos <staikos@kde.org>
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All
  * rights reserved.
  * Copyright (C) 2005 Alexey Proskuryakov <ap@nypop.com>
@@ skipping 30 matching lines @@
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/layout/LayoutPart.h"
 #include "core/layout/api/LayoutPartItem.h"
 #include "core/loader/EmptyClients.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "core/loader/NavigationScheduler.h"
 #include "core/page/FocusController.h"
 #include "core/page/Page.h"
 #include "platform/Histogram.h"
 #include "platform/InstanceCounters.h"
+#include "platform/UserGestureIndicator.h"
 #include "platform/feature_policy/FeaturePolicy.h"
 #include "platform/network/ResourceError.h"
 
 namespace blink {
 
 using namespace HTMLNames;
 
 Frame::~Frame() {
   InstanceCounters::decrementCounter(InstanceCounters::FrameCounter);
   ASSERT(!m_owner);
@@ skipping 216 matching lines @@
             SandboxPropagatesToAuxiliaryBrowsingContexts) &&
         (securityContext()->isSandboxed(SandboxPopups) ||
          targetFrame.client()->opener() != this)) {
       reason =
           "The frame attempting navigation is sandboxed and is trying "
           "to navigate a popup, but is not the popup's opener and is not "
           "set to propagate sandboxing to popups.";
       return false;
     }
 
-    // Top navigation is forbidden unless opted-in. allow-top-navigation
-    // will also skips origin checks.
+    // Top navigation is forbidden unless opted-in. allow-top-navigation or
+    // allow-top-navigation-with-user-activation will also skips origin checks.
     if (targetFrame == tree().top()) {
-      if (securityContext()->isSandboxed(SandboxTopNavigation)) {
+      if (securityContext()->isSandboxed(SandboxTopNavigation) &&
+          securityContext()->isSandboxed(
+              SandboxTopNavigationWithUserActivation)) {
+        // TODO(binlu): To add "or 'allow-top-navigation-with-user-activation'"
+        // to the reason below, once the new flag is shipped.
         reason =
             "The frame attempting navigation of the top-level window is "
             "sandboxed, but the 'allow-top-navigation' flag is not set.";
         return false;
       }
+      if (securityContext()->isSandboxed(SandboxTopNavigation) &&
+          !securityContext()->isSandboxed(
+              SandboxTopNavigationWithUserActivation) &&
+          !UserGestureIndicator::processingUserGesture()) {
+        // With only 'allow-top-navigation-with-user-activation' (but not
+        // 'allow-top-navigation'), top navigation requires a user gesture.
+        reason =
+            "The frame attempting navigation of the top-level window is "
+            "sandboxed with the 'allow-top-navigation-with-user-activation' "
+            "flag, but has no user activation (aka gesture). See "
+            "https://www.chromestatus.com/feature/5629582019395584.";
+        return false;
+      }
       return true;
     }
   }
 
   ASSERT(securityContext()->getSecurityOrigin());
   SecurityOrigin& origin = *securityContext()->getSecurityOrigin();
 
   // This is the normal case. A document can navigate its decendant frames,
   // or, more generally, a document can navigate a frame if the document is
   // in the same origin as any of that frame's ancestors (in the frame
@@ skipping 86 matching lines @@
 
   ASSERT(page());
 
   if (m_owner)
     m_owner->setContentFrame(*this);
   else
     page()->setMainFrame(this);
 }
 
 }  // namespace blink