[security] COOP setting popup noopener

This sets a popup to noopener when: - COOP is same-origin, - a cross-origin iframe opens the popup. As specified in the draft: https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e#changes-to-choosing-a-browsing-context Bug: 922191 Change-Id: Ie3aade8087b487998e7144375640f2e9a838a23f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1980173Reviewed-by: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Auto-Submit: Pâris Meuleman <pmeuleman@chromium.org> Commit-Queue: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#728164}

[security] COOP setting popup noopener
This sets a popup to noopener when: - COOP is same-origin, - a cross-origin iframe opens the popup. As specified in the draft: https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e#changes-to-choosing-a-browsing-context Bug: 922191 Change-Id: Ie3aade8087b487998e7144375640f2e9a838a23f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1980173Reviewed-by: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Auto-Submit: Pâris Meuleman <pmeuleman@chromium.org> Commit-Queue: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#728164}
bb9c4049 · Pâris MEULEMAN · Commit Bot · e6f69f0e · bb9c4049 · bb9c4049
Commit bb9c4049 authored Jan 03, 2020 by Pâris MEULEMAN Committed by Commit Bot Jan 03, 2020
2 changed files
--- a/content/browser/cross_origin_opener_policy_browsertest.cc
+++ b/content/browser/cross_origin_opener_policy_browsertest.cc
@@ -117,4 +117,47 @@ IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
            network::mojom::CrossOriginOpenerPolicy::kUnsafeNone);
 }
+IN_PROC_BROWSER_TEST_F(
+    CrossOriginOpenerPolicyBrowserTest,
+    NewPopupCOOP_SameOriginPolicyAndCrossOriginIframeSetsNoopener) {
+  GURL starting_page(embedded_test_server()->GetURL(
+      "a.com", "/cross_site_iframe_factory.html?a(b)"));
+  EXPECT_TRUE(NavigateToURL(shell(), starting_page));
+  RenderFrameHostImpl* main_frame = current_frame_host();
+  main_frame->SetCrossOriginOriginOpenerPolicyForTesting(
+      network::mojom::CrossOriginOpenerPolicy::kSameOrigin);
+  ShellAddedObserver new_shell_observer;
+  RenderFrameHostImpl* iframe = main_frame->child_at(0)->current_frame_host();
+  EXPECT_TRUE(ExecJs(iframe, "window.open('about:blank')"));
+  Shell* new_shell = new_shell_observer.GetShell();
+  RenderFrameHostImpl* popup_frame =
+      static_cast<WebContentsImpl*>(new_shell->web_contents())
+          ->GetFrameTree()
+          ->root()
+          ->current_frame_host();
+  scoped_refptr<SiteInstance> main_frame_site_instance(
+      main_frame->GetSiteInstance());
+  scoped_refptr<SiteInstance> iframe_site_instance(iframe->GetSiteInstance());
+  scoped_refptr<SiteInstance> popup_site_instance(
+      popup_frame->GetSiteInstance());
+  ASSERT_TRUE(main_frame_site_instance);
+  ASSERT_TRUE(iframe_site_instance);
+  ASSERT_TRUE(popup_site_instance);
+  EXPECT_FALSE(main_frame_site_instance->IsRelatedSiteInstance(
+      popup_site_instance.get()));
+  EXPECT_FALSE(
+      iframe_site_instance->IsRelatedSiteInstance(popup_site_instance.get()));
+  // Check that `window.opener` is not set.
+  bool success = false;
+  EXPECT_TRUE(ExecuteScriptAndExtractBool(
+      new_shell, "window.domAutomationController.send(window.opener == null);",
+      &success));
+  EXPECT_TRUE(success) << "window.opener is set";
+}
 }  // namespace content
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -4431,11 +4431,18 @@ void RenderFrameHostImpl::CreateNewWindow(
    while (top_level_opener->GetParent()) {
      top_level_opener = top_level_opener->GetParent();
    }
-    // Verify that they are same origin. Otherwise leave it to default
+    // Verify that they are same origin.
-    // unsafe-none.
    if (top_level_opener->GetLastCommittedOrigin().IsSameOriginWith(
            GetLastCommittedOrigin())) {
      popup_coop = top_level_opener->cross_origin_opener_policy();
+    } else {
+      // The documents are cross origin, leave COOP of the popup to the default
+      // unsafe-none.
+      // Then set the popup to noopener if the top level COOP is same origin.
+      if (top_level_opener->cross_origin_opener_policy() ==
+          network::mojom::CrossOriginOpenerPolicy::kSameOrigin) {
+        params->opener_suppressed = true;
+      }
    }
  }
@@ -4444,8 +4451,6 @@ void RenderFrameHostImpl::CreateNewWindow(
  // means the current renderer process will not be able to route messages to
  // it. Because of this, we will immediately show and navigate the window
  // in OnCreateNewWindowOnUI, using the params provided here.
-  // TODO(pmeuleman): Switch BrowsingInstance when Cross-Origin-Opener-Policy of
-  // the main document and the opened document are incompatible.
  bool is_new_browsing_instance =
      params->opener_suppressed || no_javascript_access;