Don't allow sandboxed iframe to navigate top frame

This prevents sandboxed iframes that allow popups but not top navigation from navigating the top frame. The test fast/dom/Window/window-open-no-multiple-windows-from-sandbox tests that a sandboxed iframe cannot navigate the top frame when WebKitSupportsMultipleWindows is false. Bug: 845983 Change-Id: Ibe49275428bca1ceb3b5ca367d9309c2e087ea8a Reviewed-on: https://chromium-review.googlesource.com/1098460Reviewed-by: Richard Coles <torne@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Commit-Queue: James Wallace-Lee <jamwalla@chromium.org> Cr-Commit-Position: refs/heads/master@{#568262}

Don't allow sandboxed iframe to navigate top frame
This prevents sandboxed iframes that allow popups but not top navigation from navigating the top frame. The test fast/dom/Window/window-open-no-multiple-windows-from-sandbox tests that a sandboxed iframe cannot navigate the top frame when WebKitSupportsMultipleWindows is false. Bug: 845983 Change-Id: Ibe49275428bca1ceb3b5ca367d9309c2e087ea8a Reviewed-on: https://chromium-review.googlesource.com/1098460Reviewed-by: Richard Coles <torne@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Commit-Queue: James Wallace-Lee <jamwalla@chromium.org> Cr-Commit-Position: refs/heads/master@{#568262}
0446dd0f · James Wallace-Lee · Commit Bot · b387bc47 · 0446dd0f · 0446dd0f
Commit 0446dd0f authored Jun 19, 2018 by James Wallace-Lee Committed by Commit Bot Jun 19, 2018
3 changed files
--- a/third_party/WebKit/LayoutTests/fast/dom/Window/window-open-no-multiple-windows-from-sandbox-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/dom/Window/window-open-no-multiple-windows-from-sandbox-expected.txt
+CONSOLE ERROR: line 4: Unsafe JavaScript attempt to initiate navigation for frame with URL 'child-opens-window.html'. The frame attempting navigation of the top-level window is sandboxed, but the flag of 'allow-top-navigation' or 'allow-top-navigation-by-user-activation' is not set.
+
+ PASS
--- a/third_party/WebKit/LayoutTests/fast/dom/Window/window-open-no-multiple-windows-from-sandbox.html
+++ b/third_party/WebKit/LayoutTests/fast/dom/Window/window-open-no-multiple-windows-from-sandbox.html
+<!DOCTYPE html>
+<html>
+  <head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows(true);
+    testRunner.setPopupBlockingEnabled(false);
+    testRunner.overridePreference('WebKitSupportsMultipleWindows', false);
+    testRunner.waitUntilDone();
+}
+
+function opened(result) {
+    // Called by the embedded iframe.
+    if (result == window) {
+        document.writeln("FAIL");
+        document.close();
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+</script>
+  </head>
+  <body>
+    <iframe src="resources/child-opens-window.html" sandbox="allow-scripts allow-popups allow-same-origin"></iframe>
+    PASS
+  </body>
+</html>
--- a/third_party/blink/renderer/core/page/create_window.cc
+++ b/third_party/blink/renderer/core/page/create_window.cc
@@ -221,6 +221,8 @@ static Frame* CreateNewWindow(LocalFrame& opener_frame,

  if (page == old_page) {
    Frame* frame = &opener_frame.Tree().Top();
+    if (!opener_frame.CanNavigate(*frame))
+      return nullptr;
    if (request.GetShouldSetOpener() == kMaybeSetOpener)
      frame->Client()->SetOpener(&opener_frame);
    return frame;