Turn off requirement that cross-origin top navigation be accompanied by a user gesture.

Replace with a console warning that this policy will be reinstated evenutally. BUG=678328 Review-Url: https://codereview.chromium.org/2617773002 Cr-Commit-Position: refs/heads/master@{#442069}

Turn off requirement that cross-origin top navigation be accompanied by a user gesture.
Replace with a console warning that this policy will be reinstated evenutally. BUG=678328 Review-Url: https://codereview.chromium.org/2617773002 Cr-Commit-Position: refs/heads/master@{#442069}
4ff362d2 · japhet · Commit bot · 0f17a6c2 · 4ff362d2 · 4ff362d2
Commit 4ff362d2 authored Jan 06, 2017 by japhet Committed by Commit bot Jan 06, 2017
10 changed files
--- a/content/public/common/content_features.cc
+++ b/content/public/common/content_features.cc
@@ -85,7 +85,7 @@ const base::Feature kFontCacheScaling{"FontCacheScaling",
 // same-origin to the top frame, or if a user gesture is being processed.
 const base::Feature kFramebustingNeedsSameOriginOrUserGesture{
    "FramebustingNeedsSameOriginOrUserGesture",
-    base::FEATURE_ENABLED_BY_DEFAULT};
+    base::FEATURE_DISABLED_BY_DEFAULT};

 // Enables extended Gamepad API features like motion tracking and haptics.
 const base::Feature kGamepadExtensions{"GamepadExtensions",

--- a/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/resources/iframe-that-performs-top-navigation-without-user-gesture.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/resources/iframe-that-performs-top-navigation-without-user-gesture.html
 <html>
 <body>
-The navigation should fail and this iframe should be blocked. This text shouldn't appear.
+The navigation should succeed. This text shouldn't appear.
 <script>
 window.onload = function()
 {
    try {
        top.location = "http://localhost:8000/security/frameNavigation/resources/navigation-changed-iframe.html";
-        top.postMessage("FAIL", "*");
-    } catch(e) {
        top.postMessage("PASS", "*");
+    } catch(e) {
+        top.postMessage("FAIL", "*");
    }
 }
 </script>

--- a/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-user-gesture-in-parent-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-user-gesture-in-parent-expected.txt
+localhost

-
--------
-Frame: '<!--framePath //<!--frame0-->-->'
--------
-
+PASSED: Navigation succeeded.
--- a/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture-expected.txt
-CONSOLE ERROR: line 8: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture.html' from frame with URL 'http://localhost:8000/security/frameNavigation/resources/iframe-that-performs-top-navigation-without-user-gesture.html'. The frame attempting navigation is targeting its top-level window, but is neither same-origin with its target nor is it processing a user gesture. See https://www.chromestatus.com/features/5851021045661696.
-
-
-
--------
-Frame: '<!--framePath //<!--frame0-->-->'
--------
+CONSOLE WARNING: line 8: Frame with URL 'http://localhost:8000/security/frameNavigation/resources/iframe-that-performs-top-navigation-without-user-gesture.html' attempted to navigate its top-level window with URL 'http://127.0.0.1:8000/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture.html'. Navigating the top-level window from a cross-origin iframe will soon require that the iframe has received a user gesture. See https://www.chromestatus.com/features/5851021045661696.
+localhost

+PASSED: Navigation succeeded.
--- a/third_party/WebKit/Source/core/frame/Frame.cpp
+++ b/third_party/WebKit/Source/core/frame/Frame.cpp
@@ -184,16 +184,38 @@ bool Frame::canNavigate(const Frame& targetFrame) {
    if (isAllowedNavigation)
      framebustParams |= allowedBit;
    framebustHistogram.count(framebustParams);
+    if (hasUserGesture || isAllowedNavigation)
+      return true;
    // Frame-busting used to be generally allowed in most situations, but may
-    // now blocked if there is no user gesture.
+    // now blocked if the document initiating the navigation has never received
+    // a user gesture.
    if (!RuntimeEnabledFeatures::
-            framebustingNeedsSameOriginOrUserGestureEnabled())
-      return true;
-    if (hasUserGesture || isAllowedNavigation)
+            framebustingNeedsSameOriginOrUserGestureEnabled()) {
+      String targetFrameDescription =
+          targetFrame.isLocalFrame()
+              ? "with URL '" +
+                    toLocalFrame(targetFrame).document()->url().getString() +
+                    "'"
+              : "with origin '" +
+                    targetFrame.securityContext()
+                        ->getSecurityOrigin()
+                        ->toString() +
+                    "'";
+      String message = "Frame with URL '" +
+                       toLocalFrame(this)->document()->url().getString() +
+                       "' attempted to navigate its top-level window " +
+                       targetFrameDescription +
+                       ". Navigating the top-level window from a cross-origin "
+                       "iframe will soon require that the iframe has received "
+                       "a user gesture. See "
+                       "https://www.chromestatus.com/features/"
+                       "5851021045661696.";
+      printNavigationWarning(message);
      return true;
+    }
    errorReason =
        "The frame attempting navigation is targeting its top-level window, "
-        "but is neither same-origin with its target nor is it processing a "
+        "but is neither same-origin with its target nor has it received a "
        "user gesture. See "
        "https://www.chromestatus.com/features/5851021045661696.";
    printNavigationErrorMessage(targetFrame, errorReason.latin1().data());

--- a/third_party/WebKit/Source/core/frame/Frame.h
+++ b/third_party/WebKit/Source/core/frame/Frame.h
@@ -122,9 +122,11 @@ class CORE_EXPORT Frame : public GarbageCollectedFinalized<Frame> {
  // otherwise.
  virtual bool prepareForCommit() = 0;

+  // TODO(japhet): These should all move to LocalFrame.
  bool canNavigate(const Frame&);
  virtual void printNavigationErrorMessage(const Frame&,
                                           const char* reason) = 0;
+  virtual void printNavigationWarning(const String&) = 0;

  // TODO(pilgrim): Replace all instances of ownerLayoutObject() with
  // ownerLayoutItem(), https://crbug.com/499321

--- a/third_party/WebKit/Source/core/frame/LocalFrame.cpp
+++ b/third_party/WebKit/Source/core/frame/LocalFrame.cpp
@@ -55,6 +55,7 @@
 #include "core/html/HTMLFrameElementBase.h"
 #include "core/html/HTMLPlugInElement.h"
 #include "core/input/EventHandler.h"
+#include "core/inspector/ConsoleMessage.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/layout/HitTestResult.h"
 #include "core/layout/LayoutView.h"
@@ -484,6 +485,11 @@ void LocalFrame::printNavigationErrorMessage(const Frame& targetFrame,
  domWindow()->printErrorMessage(message);
 }

+void LocalFrame::printNavigationWarning(const String& message) {
+  m_console->addMessage(
+      ConsoleMessage::create(JSMessageSource, WarningMessageLevel, message));
+}
+
 WindowProxyManager* LocalFrame::getWindowProxyManager() const {
  return m_script->getWindowProxyManager();
 }

--- a/third_party/WebKit/Source/core/frame/LocalFrame.h
+++ b/third_party/WebKit/Source/core/frame/LocalFrame.h
@@ -118,6 +118,7 @@ class CORE_EXPORT LocalFrame final : public Frame,
  bool shouldClose() override;
  SecurityContext* securityContext() const override;
  void printNavigationErrorMessage(const Frame&, const char* reason) override;
+  void printNavigationWarning(const String&) override;
  bool prepareForCommit() override;
  void didChangeVisibilityState() override;
  void setDocumentHasReceivedUserGesture() override;

--- a/third_party/WebKit/Source/core/frame/RemoteFrame.h
+++ b/third_party/WebKit/Source/core/frame/RemoteFrame.h
@@ -39,6 +39,7 @@ class CORE_EXPORT RemoteFrame final : public Frame {
  void detach(FrameDetachType) override;
  RemoteSecurityContext* securityContext() const override;
  void printNavigationErrorMessage(const Frame&, const char* reason) override {}
+  void printNavigationWarning(const String&) override {}
  bool prepareForCommit() override;
  bool shouldClose() override;
  void setDocumentHasReceivedUserGesture() override;

--- a/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
+++ b/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
@@ -111,7 +111,7 @@ FeaturePolicy status=experimental
 FileAPIBlobClose status=experimental
 FileSystem status=stable
 ForeignFetch status=experimental, origin_trial_feature_name=ForeignFetch
-FramebustingNeedsSameOriginOrUserGesture status=stable, settable_from_internals=True
+FramebustingNeedsSameOriginOrUserGesture status=experimental, settable_from_internals=True
 FullscreenUnprefixed status=test, settable_from_internals=True
 FrameTimingSupport status=experimental
 GamepadExtensions status=test, origin_trial_feature_name=WebVR