Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
index c0329ed50f6170b690c1381ef045511b71bd8a1f..d7ba41c24132cdaa211c341f26ef04d69ac5a41b 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
@@ -798,8 +798,14 @@ bool DocumentLoader::MaybeCreateArchive() { |
if (!frame_) |
return false; |
- // The Document has now been created. |
- frame_->GetDocument()->EnforceSandboxFlags(kSandboxAll); |
+ // The MHTML page is loaded in full sandboxing mode with the only |
+ // exception to open new top-level windows. Since the MHTML page stays in a |
+ // unquie origin with script execution disabled, the risk to navigate to |
+ // 'blob:'' and 'filesystem:'' URLs that allow code execution in the page's |
+ // "real" origin is mitigated. |
+ frame_->GetDocument()->EnforceSandboxFlags( |
+ kSandboxAll & |
+ ~(kSandboxPopups | kSandboxPropagatesToAuxiliaryBrowsingContexts)); |
CommitData(main_resource->Data()->Data(), main_resource->Data()->size()); |
return true; |