Feature Policy: Create container policy correctly during cross-origin frame navigation.

This change ensures that the pending container policy is used (along with the
pending sandbox flags) when constructing a new renderframe to support a cross-
origin navigation.

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Bug: 716478
Change-Id: Ib6b46ea639e660527e4e144845dcaea4b8e2695f
Reviewed-on: https://chromium-review.googlesource.com/490466Reviewed-by: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#468369}

content/browser/frame_host/frame_tree_node.h

@@ -201,6 +201,10 @@ class CONTENT_EXPORT FrameTreeNode {
     return pending_sandbox_flags_;
   }
 
+  const ParsedFeaturePolicyHeader& pending_container_policy() const {
+    return pending_container_policy_;
+  }
+
   // Update this frame's sandbox flags.  This is used when a parent frame
   // updates sandbox flags in the <iframe> element for this frame.  These flags
   // won't take effect until next navigation.  If this frame's parent is itself

content/browser/frame_host/render_frame_host_impl.cc

@@ -974,14 +974,16 @@ bool RenderFrameHostImpl::CreateRenderFrame(int proxy_routing_id,
   params->previous_sibling_routing_id = previous_sibling_routing_id;
   params->replication_state = frame_tree_node()->current_replication_state();
 
-  // Normally, the replication state contains effective sandbox flags,
-  // excluding flags that were updated but have not taken effect.  However, a
-  // new RenderFrame should use the pending sandbox flags, since it is being
-  // created as part of the navigation that will commit these flags. (I.e., the
-  // RenderFrame needs to know the flags to use when initializing the new
-  // document once it commits).
+  // Normally, the replication state contains effective frame policy, excluding
+  // sandbox flags and feature policy attributes that were updated but have not
+  // taken effect. However, a new RenderFrame should use the pending frame
+  // policy, since it is being created as part of the navigation that will
+  // commit it. (I.e., the RenderFrame needs to know the policy to use when
+  // initializing the new document once it commits).
   params->replication_state.sandbox_flags =
       frame_tree_node()->pending_sandbox_flags();
+  params->replication_state.container_policy =
+      frame_tree_node()->pending_container_policy();
 
   params->frame_owner_properties =
       FrameOwnerProperties(frame_tree_node()->frame_owner_properties());

content/browser/site_per_process_browsertest.cc

@@ -9724,6 +9724,54 @@ IN_PROC_BROWSER_TEST_F(SitePerProcessFeaturePolicyBrowserTest,
   EXPECT_EQ(0UL, root->child_at(2)->effective_container_policy().size());
 }
 
+// Check that out-of-process frames correctly calculate the container policy in
+// the renderer when navigating cross-origin. The policy should be unchanged
+// when modified dynamically in the parent frame. When the frame is navigated,
+// the new renderer should have the correct container policy.
+//
+// TODO(iclelland): Once there is a proper JS inspection API from the renderer,
+// use that to check the policy. Until then, we test webkitFullscreenEnabled,
+// which conveniently just returns the result of calling isFeatureEnabled on
+// the fullscreen feature. Since there are no HTTP header policies involved,
+// this verifies the presence of the container policy in the iframe.
+// https://crbug.com/703703
+IN_PROC_BROWSER_TEST_F(SitePerProcessFeaturePolicyBrowserTest,
+                       ContainerPolicyCrossOriginNavigation) {
+  WebContentsImpl* contents = web_contents();
+  FrameTreeNode* root = contents->GetFrameTree()->root();
+
+  // Helper to check if a frame is allowed to go fullscreen on the renderer
+  // side.
+  auto is_fullscreen_allowed = [](FrameTreeNode* ftn) {
+    bool fullscreen_allowed = false;
+    EXPECT_TRUE(ExecuteScriptAndExtractBool(
+        ftn,
+        "window.domAutomationController.send(document.webkitFullscreenEnabled)",
+        &fullscreen_allowed));
+    return fullscreen_allowed;
+  };
+
+  // Load a page with an <iframe> without allowFullscreen.
+  EXPECT_TRUE(NavigateToURL(
+      shell(), embedded_test_server()->GetURL(
+                   "a.com", "/cross_site_iframe_factory.html?a(b)")));
+
+  // Dynamically enable fullscreen for the subframe and check that the
+  // fullscreen property was updated on the FrameTreeNode.
+  EXPECT_TRUE(ExecuteScript(
+      root, "document.getElementById('child-0').allowFullscreen='true'"));
+
+  // No change is expected to the container policy for dynamic modification of
+  // a loaded frame.
+  EXPECT_FALSE(is_fullscreen_allowed(root->child_at(0)));
+
+  // Cross-site navigation should update the container policy in the new render
+  // frame.
+  NavigateFrameToURL(root->child_at(0),
+                     embedded_test_server()->GetURL("c.com", "/title1.html"));
+  EXPECT_TRUE(is_fullscreen_allowed(root->child_at(0)));
+}
+
 // Test that dynamic updates to iframe sandbox attribute correctly set the
 // replicated container policy.
 IN_PROC_BROWSER_TEST_F(SitePerProcessFeaturePolicyBrowserTest,