[webnfc] Allow access to WebNFC API only from main frame

third_party/WebKit/Source/modules/nfc/NFC.cpp

Index: third_party/WebKit/Source/modules/nfc/NFC.cpp
diff --git a/third_party/WebKit/Source/modules/nfc/NFC.cpp b/third_party/WebKit/Source/modules/nfc/NFC.cpp
index 7125180b26c85090bdb24a68f8c1174190e87e7b..f8e710fc419e012f2e5a4c59104909b64fb0ee2e 100644
--- a/third_party/WebKit/Source/modules/nfc/NFC.cpp
+++ b/third_party/WebKit/Source/modules/nfc/NFC.cpp
@@ -780,11 +780,22 @@ void NFC::OnWatch(const WTF::Vector<uint32_t>& ids,
 
 ScriptPromise NFC::rejectIfNotSupported(ScriptState* scriptState) {
   String errorMessage;
-  if (!scriptState->getExecutionContext()->isSecureContext(errorMessage)) {
+  ExecutionContext* context = scriptState->getExecutionContext();
+  if (!context->isSecureContext(errorMessage)) {
     return ScriptPromise::rejectWithDOMException(
         scriptState, DOMException::create(SecurityError, errorMessage));
   }
 
+  // https://w3c.github.io/web-nfc/#security-policies
+  // WebNFC API must be only accessible from top level browsing context.
+  if (!toDocument(context)->domWindow()->frame() ||
+      !toDocument(context)->frame()->isMainFrame()) {
+    return ScriptPromise::rejectWithDOMException(
+        scriptState,
+        DOMException::create(SecurityError,
+                             "Must be in a top-level browsing context."));
+  }
+
   if (!m_nfc) {
     return ScriptPromise::rejectWithDOMException(
         scriptState, DOMException::create(NotSupportedError));