Use the portal-host-including parent for console logging in AncestorThrottle.

This is already used for determining whether ancestors are permitted. It needs to be used also for figuring out which ancestor's console to log in. A web test that reaches this code using X-Frame-Options: DENY is included. Without the change to content/, this test fails with the same stack trace as in the linked bug. Bug: 1038256 Change-Id: Iad3623d82e0b2192eab626a2184d09d9d3e7be62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2002967Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#732421}

Use the portal-host-including parent for console logging in AncestorThrottle.
This is already used for determining whether ancestors are permitted. It needs to be used also for figuring out which ancestor's console to log in. A web test that reaches this code using X-Frame-Options: DENY is included. Without the change to content/, this test fails with the same stack trace as in the linked bug. Bug: 1038256 Change-Id: Iad3623d82e0b2192eab626a2184d09d9d3e7be62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2002967Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#732421}
42f4df7a · Jeremy Roman · Commit Bot · 23c140df · 42f4df7a · 42f4df7a
Commit 42f4df7a authored Jan 16, 2020 by Jeremy Roman Committed by Commit Bot Jan 16, 2020
3 changed files
--- a/content/browser/frame_host/ancestor_throttle.cc
+++ b/content/browser/frame_host/ancestor_throttle.cc
@@ -132,6 +132,12 @@ class FrameAncestorCSPContext : public CSPContext {
  RenderFrameHostImpl* navigated_frame_;
 };

+// Returns the parent, including outer delegates in the case of portals.
+RenderFrameHostImpl* ParentForAncestorThrottle(RenderFrameHostImpl* frame) {
+  return frame->InsidePortal() ? frame->ParentOrOuterDelegateFrame()
+                               : frame->GetParent();
+}
+
 }  // namespace

 // static
@@ -214,9 +220,7 @@ NavigationThrottle::ThrottleCheckResult AncestorThrottle::ProcessResponseImpl(
      // We enforce frame-ancestors in the outer delegate for portals, but not
      // for other uses of inner/outer WebContents (GuestViews).
      RenderFrameHostImpl* parent =
-          is_portal
-              ? request->GetRenderFrameHost()->ParentOrOuterDelegateFrame()
-              : request->GetRenderFrameHost()->GetParent();
+          ParentForAncestorThrottle(request->GetRenderFrameHost());
      while (parent) {
        if (!csp_context.IsAllowedByCsp(
                network::mojom::CSPDirectiveName::FrameAncestors,
@@ -227,11 +231,7 @@ NavigationThrottle::ThrottleCheckResult AncestorThrottle::ProcessResponseImpl(
                navigation_handle()->IsFormSubmission())) {
          return NavigationThrottle::BLOCK_RESPONSE;
        }
-        if (parent->InsidePortal()) {
-          parent = parent->ParentOrOuterDelegateFrame();
-        } else {
-          parent = parent->GetParent();
-        }
+        parent = ParentForAncestorThrottle(parent);
      }
      return NavigationThrottle::PROCEED;
    }
@@ -334,7 +334,9 @@ void AncestorThrottle::ParseError(const std::string& value,

  // Log a console error in the parent of the current RenderFrameHost (as
  // the current RenderFrameHost itself doesn't yet have a document).
-  navigation_handle()->GetRenderFrameHost()->GetParent()->AddMessageToConsole(
+  auto* frame = static_cast<RenderFrameHostImpl*>(
+      navigation_handle()->GetRenderFrameHost());
+  ParentForAncestorThrottle(frame)->AddMessageToConsole(
      blink::mojom::ConsoleMessageLevel::kError, message);
 }

@@ -352,7 +354,9 @@ void AncestorThrottle::ConsoleError(HeaderDisposition disposition) {

  // Log a console error in the parent of the current RenderFrameHost (as
  // the current RenderFrameHost itself doesn't yet have a document).
-  navigation_handle()->GetRenderFrameHost()->GetParent()->AddMessageToConsole(
+  auto* frame = static_cast<RenderFrameHostImpl*>(
+      navigation_handle()->GetRenderFrameHost());
+  ParentForAncestorThrottle(frame)->AddMessageToConsole(
      blink::mojom::ConsoleMessageLevel::kError, message);
 }


--- a/third_party/blink/web_tests/external/wpt/portals/xfo/portals-xfo-deny.sub.html
+++ b/third_party/blink/web_tests/external/wpt/portals/xfo/portals-xfo-deny.sub.html
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+// TODO(jbroman): Ideally these would also check that the portal element gets a
+// completion event.
+
+async_test(t => {
+  var portal = document.createElement('portal');
+  portal.src = "/portals/xfo/resources/xfo-deny.asis";
+  portal.onmessage = t.unreached_func("should not have received a message");
+  document.body.appendChild(portal);
+  t.add_cleanup(() => portal.remove());
+  t.step_timeout(() => t.done(), 2000);
+}, "`XFO: DENY` blocks same-origin portals.");
+
+async_test(t => {
+  var portal = document.createElement('portal');
+  portal.src = "http://{{domains[www]}}:{{ports[http][0]}}/portals/xfo/resources/xfo-deny.asis";
+  portal.onmessage = t.unreached_func("should not have received a message");
+  document.body.appendChild(portal);
+  t.add_cleanup(() => portal.remove());
+  t.step_timeout(() => t.done(), 2000);
+}, "`XFO: DENY` blocks cross-origin portals.");
+</script>
+</body>
--- a/third_party/blink/web_tests/external/wpt/portals/xfo/resources/xfo-deny.asis
+++ b/third_party/blink/web_tests/external/wpt/portals/xfo/resources/xfo-deny.asis
+HTTP/1.1 200 OK
+Content-Type: text/html
+X-Frame-Options: DENY
+
+<!DOCTYPE html>
+<script>
+window.portalHost.postMessage('loaded');
+</script>