Fix sandbox flags inheritance with javascript-url.

From the browser process point of view:
- javascript-url document.
- XSLT document.
- document.open document.

Are all a no-op. (e.g. no IPC sent to the browser process). The security
properties of the document shouldn't change.

There was a bug about sandbox_flags inheritance and javascript-url. We
weren't inheriting from the right flags.

Bug: 1151954
Change-Id: I7dc3cdfff4eaa8d0db02a2aaab6963a6aa3c8ef3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2577211Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835212}

third_party/blink/renderer/bindings/core/v8/script_controller.cc

@@ -255,10 +255,19 @@ void ScriptController::ExecuteJavaScriptURL(
 
   UseCounter::Count(window_.Get(),
                     WebFeature::kReplaceDocumentViaJavaScriptURL);
+
+  // From the browser process point of view, committing a javascript-URL, an
+  // XSLT document or a document.open are all a no-op. All the security
+  // properties of the document must be preserved.
   auto params = std::make_unique<WebNavigationParams>();
   params->url = window_->Url();
+  // TODO(https://crbug.com/1151954): Consider inheriting the feature-policy
+  // from the previous document. Here we might miss the one defined from the
+  // original network request.
+  params->frame_policy = FramePolicy();
   if (auto* owner = window_->GetFrame()->Owner())
     params->frame_policy = owner->GetFramePolicy();
+  params->frame_policy->sandbox_flags = window_->GetSandboxFlags();
   params->origin_to_commit = window_->GetSecurityOrigin();
 
   String result = ToCoreString(v8::Local<v8::String>::Cast(v8_result));

third_party/blink/web_tests/external/wpt/html/browsers/sandboxing/resources/sandbox-javascript-window-open.html

+<script>
+  // Forward message from the openee toward the parent.
+  window.addEventListener("message", event => top.postMessage(event.data, "*"));
+
+  let check_sandboxed = `"
+    <script>
+      try {
+        document.domain = document.domain;
+        opener.postMessage('allow-document-domain', '*');
+      } catch (error) {
+        opener.postMessage('disallow-document-domain', '*');
+      }
+    </scr`+`ipt>
+  "`;
+
+  window.open('about:blank', "window_name");
+  window.open("javascript:" + check_sandboxed, "window_name");
+</script>

third_party/blink/web_tests/external/wpt/html/browsers/sandboxing/sandbox-javascript-window-open.html

+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>window.open in sandbox iframe</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<body>
+<script>
+promise_test(async test => {
+  let message = new Promise(resolve => {
+    window.addEventListener("message", event => resolve(event.data));
+  });
+  let iframe = document.createElement("iframe");
+  iframe.sandbox = "allow-scripts allow-popups allow-same-origin";
+  iframe.src = "./resources/sandbox-javascript-window-open.html";
+  document.body.appendChild(iframe);
+  assert_equals(await message, "disallow-document-domain");
+});
+</script>