Added UseCounter for clearing browsing context name on cross-origin name

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 651 matching lines @@
     setHistoryItemStateForCommit(frameLoader().documentLoader()->historyItem(),
                                  m_loadType,
                                  HistoryNavigationType::kDifferentDocument);
   }
 
   DCHECK_EQ(m_state, Provisional);
   frameLoader().commitProvisionalLoad();
   if (!m_frame)
     return;
 
+  SecurityOrigin* frameSecurityOrigin = nullptr;
+  if (m_frame->document())
+    frameSecurityOrigin = m_frame->document()->getSecurityOrigin();
+
   const AtomicString& encoding = response().textEncodingName();
 
   // Prepare a DocumentInit before clearing the frame, because it may need to
   // inherit an aliased security context.
   Document* owner = nullptr;
   // TODO(dcheng): This differs from the behavior of both IE and Firefox: the
   // origin is inherited from the document that loaded the URL.
   if (shouldInheritSecurityOriginFromOwner(url())) {
     Frame* ownerFrame = m_frame->tree().parent();
     if (!ownerFrame)
       ownerFrame = m_frame->loader().opener();
     if (ownerFrame && ownerFrame->isLocalFrame())
       owner = toLocalFrame(ownerFrame)->document();
   }
   DocumentInit init(owner, url(), m_frame);
   init.withNewRegistrationContext();
   m_frame->loader().clear();
   DCHECK(m_frame->page());
 
   ParserSynchronizationPolicy parsingPolicy = AllowAsynchronousParsing;
   if ((m_substituteData.isValid() && m_substituteData.forceSynchronousLoad()) ||
       !Document::threadedParsingEnabledForTesting())
     parsingPolicy = ForceSynchronousParsing;
 
   installNewDocument(init, mimeType, encoding,
                      InstallNewDocumentReason::kNavigation, parsingPolicy,
-                     overridingURL);
+                     overridingURL, frameSecurityOrigin);
   m_writer->setDocumentWasLoadedAsPartOfNavigation();
   m_frame->document()->maybeHandleHttpRefresh(
       m_response.httpHeaderField(HTTPNames::Refresh),
       Document::HttpRefreshFromHeader);
 }
 
 void DocumentLoader::commitData(const char* bytes, size_t length) {
   ensureWriter(m_response.mimeType());
   DCHECK_GE(m_state, Committed);
 
@@ skipping 314 matching lines @@
 
   for (auto& message : messages) {
     document->addConsoleMessage(
         ConsoleMessage::create(OtherMessageSource, ErrorMessageLevel,
                                "Error with Feature-Policy header: " + message));
   }
   if (!parsedHeader.isEmpty())
     frame->client()->didSetFeaturePolicyHeader(parsedHeader);
 }
 
+// static
+bool DocumentLoader::shouldClearWindowName(
+    const LocalFrame& frame,
+    SecurityOrigin* frameSecurityOrigin,
+    const Document& newDocument)
+{
+  if (!frameSecurityOrigin)
+    return false;
+  if (!frame.isMainFrame())
+    return false;
+  if (frame.loader().opener())
+    return false;
+
+  return !newDocument.getSecurityOrigin()->isSameSchemeHostPort(frameSecurityOrigin);
+}
+
 void DocumentLoader::installNewDocument(
     const DocumentInit& init,
     const AtomicString& mimeType,
     const AtomicString& encoding,
     InstallNewDocumentReason reason,
     ParserSynchronizationPolicy parsingPolicy,
-    const KURL& overridingURL) {
+    const KURL& overridingURL,
+    SecurityOrigin* frameSecurityOrigin) {
   DCHECK_EQ(init.frame(), m_frame);
   DCHECK(!m_frame->document() || !m_frame->document()->isActive());
   DCHECK_EQ(m_frame->tree().childCount(), 0u);
 
   if (!init.shouldReuseDefaultView())
     m_frame->setDOMWindow(LocalDOMWindow::create(*m_frame));
 
   Document* document = m_frame->domWindow()->installNewDocument(mimeType, init);
+
+  if (shouldClearWindowName(*m_frame, frameSecurityOrigin, *document)) {

[dcheng, 2017/04/04 07:53:21]

Can we just check this in LocalDOMWindow::installNewDocument()? We can capture
both the previous SecurityOrigin and the new SecurityOrigin there, to avoid this
plumbing.

[dcheng, 2017/04/04 07:57:59]

Ah never mind, that doesn't work because we may have changed the DOMWindow.

But I would still try to name frameSecurityOrigin a bit more descriptively:
maybe "previousSecurityOrigin"

[dcheng, 2017/04/04 07:59:39]

Actually we can avoid plumbing around frameSecurityOrigin: just capture it at
the beginning of this function, before we install a new DOM window on line 1066.

+    // TODO(andypaicu): decide  if we can do this without breaking functionality

[Mike West, 2017/04/04 12:12:01]

Nit: double-space after "decide"
Nit: Capital "D" for "decide".
Nit: "Decide _whether_" sounds better than "if".
Nit: Actually, I'd just remove the whole first sentence, and change the last
sentence to "If we decide to move forward with this change, we'd actually clean
the name here."

+    // after we get user data. experimentalSetNullName will just record the fact
+    // that the name would be nulled and if the name is accessed after we will fire a UseCounter
+    // This is what would be here if we decided to move forward with this:
+    // m_frame->tree().setName(nullAtom);
+    m_frame->tree().experimentalSetNulledName();
+  }
+
   m_frame->page()->chromeClient().installSupplements(*m_frame);
   if (!overridingURL.isEmpty())
     document->setBaseURLOverride(overridingURL);
   didInstallNewDocument(document);
 
   // This must be called before DocumentWriter is created, otherwise HTML parser
   // will use stale values from HTMLParserOption.
   if (reason == InstallNewDocumentReason::kNavigation)
     didCommitNavigation();
 
   m_writer =
       DocumentWriter::create(document, parsingPolicy, mimeType, encoding);
 
   // FeaturePolicy is reset in the browser process on commit, so this needs to
   // be initialized and replicated to the browser process after commit messages
   // are sent in didCommitNavigation().
   setFeaturePolicy(document,
                    m_response.httpHeaderField(HTTPNames::Feature_Policy));
+
   frameLoader().dispatchDidClearDocumentOfWindowObject();
 }
 
 const AtomicString& DocumentLoader::mimeType() const {
   if (m_writer)
     return m_writer->mimeType();
   return m_response.mimeType();
 }
 
 // This is only called by
 // FrameLoader::replaceDocumentWhileExecutingJavaScriptURL()
 void DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL(
     const DocumentInit& init,
-    const String& source) {
+    const String& source,
+    SecurityOrigin* frameSecurityOrigin) {
   installNewDocument(init, mimeType(),
                      m_writer ? m_writer->encoding() : emptyAtom,
                      InstallNewDocumentReason::kJavascriptURL,
-                     ForceSynchronousParsing, KURL());
+                     ForceSynchronousParsing, KURL(), frameSecurityOrigin);
   if (!source.isNull())
     m_writer->appendReplacingData(source);
   endWriting();
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 }  // namespace blink