Inherit policy container from parent for about:srcdoc

Since the content of a srcdoc iframe is always created by its parent,
a srcdoc iframe should always inherit its policies (via the policy
container) from the parent, even if the navigation was initiated by
some other document.

Cf. also https://crbug.com/1001283

Bug: 1130587
Change-Id: If77237b663d74eaa739b2c9b8e4bbaa3b3b61360
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2586345
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#837004}

content/browser/renderer_host/navigation_request.cc

@@ -1079,22 +1079,29 @@ NavigationRequest::NavigationRequest(
 
   policy_container_host_ = std::make_unique<PolicyContainerHost>();
 
+  if (frame_entry && frame_entry->document_policies()) {
     // If there is a history entry with some document policies, initialize the
     // PolicyContainerHost with them, so that they will get applied to the
     // document created by the navigation.
-  if (frame_entry && frame_entry->document_policies()) {
     policy_container_host_ = std::make_unique<PolicyContainerHost>(
         *frame_entry->document_policies());
+  } else if (common_params_->url.IsAboutSrcdoc()) {
+    // Srcdoc iframes inherit their policies from their parent.
+    // If there is no parent, the navigation will be blocked in BeginNavigation.
+    if (frame_tree_node_->parent()) {
+      policy_container_host_ =
+          frame_tree_node_->parent()->policy_container_host()->Clone();
+    }
+  } else if (common_params_->url.SchemeIs(url::kAboutScheme) ||
+             common_params_->url.SchemeIs(url::kDataScheme) ||
+             common_params_->url.SchemeIs(url::kBlobScheme) ||
+             common_params_->url.SchemeIs(url::kFileSystemScheme)) {
     // Local schemes inherit the policy container  from the initiator.
     //
     // TODO(antoniosartori): Fill up the PolicyContainerHost and/or replace it
     // with a new one whenever needed (e.g. blob: or filesystem: URLs should get
     // the policy container from the document which created them and not from
     // the initiator of the navigation).
-  } else if (common_params_->url.SchemeIs(url::kAboutScheme) ||
-             common_params_->url.SchemeIs(url::kDataScheme) ||
-             common_params_->url.SchemeIs(url::kBlobScheme) ||
-             common_params_->url.SchemeIs(url::kFileSystemScheme)) {
     if (initiator_frame_token_) {
       RenderFrameHostImpl* initiator_rfh = RenderFrameHostImpl::FromFrameToken(
           initiator_process_id_, initiator_frame_token_.value());

third_party/blink/web_tests/external/wpt/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc.html

@@ -9,19 +9,38 @@
     <script src="resources/make-html-script.js"></script>
     <meta name="referrer" content="origin">
   </head>
-  <body onload="runTest()">
+  <body>
     <h1>Referrer Policy: iframes srcdoc correctly inherit the ancestor's referrer policy</h1>
     <script>
-      var test = async_test("iframes srcdoc correctly inherit the ancestor's referrer policy");
-      window.addEventListener("message", test.step_func_done(msg => {
-        assert_equals(msg.data.referrer, self.origin + "/");
-      }));
+      let reportedReferrer = () => {
+        return new Promise(resolve => {
+          window.addEventListener("message", msg => resolve(msg.data.referrer));
+        });
+      };
 
-      function runTest() {
-        var iframe = document.createElement("iframe");
-        iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN);
+      const iframe = document.createElement("iframe");
+
+      promise_test(async t => {
+        let referrer = reportedReferrer();
+        iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN,
+                                           location.origin + "/custom");
         document.body.appendChild(iframe);
-      }
+        assert_equals(await referrer, self.origin + "/");
+      }, "Srcdoc iframe inherits referrer policy from parent on creation.");
+
+      promise_test(async t => {
+        let referrer = reportedReferrer();
+
+        // We navigate the iframe to a page that will set referrer
+        // policy to 'unsafe-url' and then navigate to about:srcdoc.
+        iframe.contentWindow.location = 'resources/referrer-policy-unsafe-url-navigate-to-srcdoc.html';
+
+        // Despite the navigation was initiated by a document with
+        // referrer policy 'unsafe-url', the srcdoc iframe should
+        // still inherit the referrer policy from its parent, and
+        // not the navigation's initiator.
+        assert_equals(await referrer, self.origin + "/");
+      }, "Even after a navigation from another initiator, srcdoc iframe still inherits referrer policy from the parent.");
     </script>
     <div id="log"></div>
   </body>

third_party/blink/web_tests/external/wpt/referrer-policy/generic/inheritance/resources/referrer-policy-unsafe-url-navigate-to-srcdoc.html

+<!DOCTYPE html>
+<html>
+  <head>
+    <meta name="referrer" content="unsafe-url">
+  </head>
+  <body>
+    <script>
+      window.location = "about:srcdoc";
+    </script>
+  </body>
+</html>