Make mixed content checking and CSP aware of RemoteFrames

Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 293 matching lines @@
     return toRenderWidget(renderer)->widget();
 }
 
 static bool acceptsEditingFocus(const Element& element)
 {
     ASSERT(element.rendererIsEditable());
 
     return element.document().frame() && element.rootEditableElement();
 }
 
-static bool canAccessAncestor(const SecurityOrigin& activeSecurityOrigin, LocalFrame* targetFrame)
+static bool canAccessAncestor(const SecurityOrigin& activeSecurityOrigin, Frame* targetFrame)
 {
     // targetFrame can be 0 when we're trying to navigate a top-level frame
     // that has a 0 opener.
     if (!targetFrame)
         return false;
 
     const bool isLocalActiveOrigin = activeSecurityOrigin.isLocal();
-    for (LocalFrame* ancestorFrame = targetFrame; ancestorFrame; ancestorFrame = ancestorFrame->tree().parent()) {
-        Document* ancestorDocument = ancestorFrame->document();
+    for (Frame* ancestorFrame = targetFrame; ancestorFrame; ancestorFrame = ancestorFrame->tree().parent()) {
+        // FIXME: SecurityOrigins need to be refactored to work with out-of-process iframes.
+        // For now we prevent navigation between cross-process frames.
+        if (!ancestorFrame->isLocalFrame())
+            return false;
+
+        Document* ancestorDocument = toLocalFrame(ancestorFrame)->document();
         // FIXME: Should be an ASSERT? Frames should alway have documents.
         if (!ancestorDocument)
             return true;
 
         const SecurityOrigin* ancestorSecurityOrigin = ancestorDocument->securityOrigin();
         if (activeSecurityOrigin.canAccess(ancestorSecurityOrigin))
             return true;
 
         // Allow file URL descendant navigation even when allowFileAccessFromFileURLs is false.
         // FIXME: It's a bit strange to special-case local origins here. Should we be doing
@@ skipping 2582 matching lines @@
 }
 
 void Document::disableEval(const String& errorMessage)
 {
     if (!frame())
         return;
 
     frame()->script().disableEval(errorMessage);
 }
 
-bool Document::canNavigate(LocalFrame* targetFrame)
+bool Document::canNavigate(Frame* targetFrame)
 {
     if (!m_frame)
         return false;
 
     // FIXME: We shouldn't call this function without a target frame, but
     // fast/forms/submit-to-blank-multiple-times.html depends on this function
     // returning true when supplied with a 0 targetFrame.
     if (!targetFrame)
         return true;
 
-    // LocalFrame-busting is generally allowed, but blocked for sandboxed frames lacking the 'allow-top-navigation' flag.
+    // Frame-busting is generally allowed, but blocked for sandboxed frames lacking the 'allow-top-navigation' flag.
     if (!isSandboxed(SandboxTopNavigation) && targetFrame == m_frame->tree().top())

[Mike West, 2014/05/29 09:47:41]

Sandboxing flags will be moving up to Frame as well, correct?

[kenrb, 2014/05/29 13:38:41]

Those come off of the HTMLFrameOwnerElement. dcheng@ has a CL that is
refactoring that a little bit to make it easier to 'export' the parts of it that
will be needed by child frames in another process. That includes sandbox flags.

         return true;
 
     if (isSandboxed(SandboxNavigation)) {
         if (targetFrame->tree().isDescendantOf(m_frame))
             return true;
 
         const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
         if (isSandboxed(SandboxTopNavigation) && targetFrame == m_frame->tree().top())
             reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
 
-        printNavigationErrorMessage(*targetFrame, url(), reason);
+        printNavigationErrorMessage(*toLocalFrameTemporary(targetFrame), url(), reason);
         return false;
     }
 
     ASSERT(securityOrigin());
     SecurityOrigin& origin = *securityOrigin();
 
     // This is the normal case. A document can navigate its decendant frames,
     // or, more generally, a document can navigate a frame if the document is
     // in the same origin as any of that frame's ancestors (in the frame
     // hierarchy).
@@ skipping 11 matching lines @@
     // the top-level frame's opener's ancestors (in the frame hierarchy).
     //
     // In both of these cases, the document performing the navigation is in
     // some way related to the frame being navigate (e.g., by the "opener"
     // and/or "parent" relation). Requiring some sort of relation prevents a
     // document from navigating arbitrary, unrelated top-level frames.
     if (!targetFrame->tree().parent()) {
         if (targetFrame == m_frame->loader().opener())
             return true;
 
-        if (canAccessAncestor(origin, targetFrame->loader().opener()))
+        // If targetFrame is a RemoteFrame then it is a different origin.

[Mike West, 2014/05/29 09:47:41]

True, but that doesn't mean that canAccessAncestor would return false today.
SecurityOrigins can be flagged with "universal access", for example, which would
make the 'canAccess' fall in 'canAccessAncestor' true.

[kenrb, 2014/05/29 13:38:41]

Good point. I have added a TODO to reflect that.

+        if (targetFrame->isLocalFrame() && canAccessAncestor(origin, toLocalFrame(targetFrame)->loader().opener()))
             return true;
     }
 
-    printNavigationErrorMessage(*targetFrame, url(), "The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.");
+    printNavigationErrorMessage(*toLocalFrameTemporary(targetFrame), url(), "The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.");
     return false;
 }
 
 LocalFrame* Document::findUnsafeParentScrollPropagationBoundary()
 {
     LocalFrame* currentFrame = m_frame;
-    LocalFrame* ancestorFrame = currentFrame->tree().parent();
+    Frame* ancestorFrame = currentFrame->tree().parent();
 
     while (ancestorFrame) {
-        if (!ancestorFrame->document()->securityOrigin()->canAccess(securityOrigin()))
+        // RemoteFrames always have different origins.

[Mike West, 2014/05/29 09:47:41]

Same comment regarding canAccess as above; different origins doesn't always mean
no access.

[kenrb, 2014/05/29 13:38:41]

Comment changed.

+        if (!ancestorFrame->isLocalFrame())
             return currentFrame;
-        currentFrame = ancestorFrame;
+        if (!toLocalFrame(ancestorFrame)->document()->securityOrigin()->canAccess(securityOrigin()))
+            return currentFrame;
+        currentFrame = toLocalFrame(ancestorFrame);
         ancestorFrame = ancestorFrame->tree().parent();
     }
     return 0;
 }
 
 void Document::didLoadAllImports()
 {
     if (!haveStylesheetsLoaded())
         return;
     if (!importLoader())
@@ skipping 219 matching lines @@
     m_referrerPolicy = referrerPolicy;
 }
 
 String Document::outgoingReferrer()
 {
     // See http://www.whatwg.org/specs/web-apps/current-work/#fetching-resources
     // for why we walk the parent chain for srcdoc documents.
     Document* referrerDocument = this;
     if (LocalFrame* frame = m_frame) {
         while (frame->document()->isSrcdocDocument()) {
+            // Srcdoc documents must be local within the containing frame.

[Mike West, 2014/05/29 09:47:41]

Perhaps you could add `ASSERT(frame->isLocal())` to document this precondition?

[kenrb, 2014/05/29 13:38:41]

That will implicitly happen in the last stage of this change. Right now
frame->tree().parent() still returns a LocalFrame pointer, because too many call
sites still assume that. The cast macros don't allow casting a LocalFrame
pointer to a LocalFrame pointer (i.e. toLocalFrame(localFrame)), so I can't add
casts to lines like this yet. The cast macros does contain an ASSERT for type
correctness.

             frame = frame->tree().parent();
             // Srcdoc documents cannot be top-level documents, by definition,
             // because they need to be contained in iframes with the srcdoc.
             ASSERT(frame);
         }
         referrerDocument = frame->document();
     }
     return referrerDocument->m_url.strippedForUseAsReferrer();
 }
 
@@ skipping 1583 matching lines @@
     }
 
     m_cookieURL = initializer.owner()->cookieURL();
     // We alias the SecurityOrigins to match Firefox, see Bug 15313
     // https://bugs.webkit.org/show_bug.cgi?id=15313
     setSecurityOrigin(initializer.owner()->securityOrigin());
 }
 
 void Document::initContentSecurityPolicy(const ContentSecurityPolicyResponseHeaders& headers)
 {
-    if (m_frame && m_frame->tree().parent() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))
+    if (m_frame && m_frame->tree().parent() && m_frame->tree().parent()->isLocalFrame() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))

[Mike West, 2014/05/29 09:47:41]

Why does my parent need to be a local frame for this inheritance to work?

[kenrb, 2014/05/29 13:38:41]

I probably should have mentioned this when I put the CL up, but the same
explanation as above. The check is there because m_frame->tree().parent() will
soon need to have a toLocalFrame() cast, because RemoteFrames don't have
documents. I don't know how we are going to do CSP inheritance across processes
yet.

         contentSecurityPolicy()->copyStateFrom(m_frame->tree().parent()->document()->contentSecurityPolicy());
     contentSecurityPolicy()->didReceiveHeaders(headers);
 }
 
 bool Document::allowInlineEventHandlers(Node* node, EventListener* listener, const String& contextURL, const WTF::OrdinalNumber& contextLine)
 {
     if (!contentSecurityPolicy()->allowInlineEventHandlers(contextURL, contextLine))
         return false;
 
     // HTML says that inline script needs browsing context to create its execution environment.
@@ skipping 943 matching lines @@
     visitor->trace(m_timeline);
     visitor->trace(m_compositorPendingAnimations);
     visitor->registerWeakMembers<Document, &Document::clearWeakMembers>(this);
     DocumentSupplementable::trace(visitor);
     TreeScope::trace(visitor);
     ContainerNode::trace(visitor);
     ExecutionContext::trace(visitor);
 }
 
 } // namespace WebCore