Allows MHTM page to open a popup

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
index c0329ed50f6170b690c1381ef045511b71bd8a1f..d7ba41c24132cdaa211c341f26ef04d69ac5a41b 100644
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -798,8 +798,14 @@ bool DocumentLoader::MaybeCreateArchive() {
   if (!frame_)
     return false;
 
-  // The Document has now been created.
-  frame_->GetDocument()->EnforceSandboxFlags(kSandboxAll);
+  // The MHTML page is loaded in full sandboxing mode with the only
+  // exception to open new top-level windows. Since the MHTML page stays in a
+  // unquie origin with script execution disabled, the risk to navigate to
+  // 'blob:'' and 'filesystem:'' URLs that allow code execution in the page's
+  // "real" origin is mitigated.
+  frame_->GetDocument()->EnforceSandboxFlags(
+      kSandboxAll &
+      ~(kSandboxPopups | kSandboxPropagatesToAuxiliaryBrowsingContexts));
 
   CommitData(main_resource->Data()->Data(), main_resource->Data()->size());
   return true;