Only open windows with js URLs if the entered window has access

It's not enough to check that the current window has access, if other security checks failed and the entered window shouldn't have access to the current window. BUG=788453 R=haraken@chromium.org,mkwst@chromium.org Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01 Reviewed-on: https://chromium-review.googlesource.com/792934 Commit-Queue: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#519683}

Only open windows with js URLs if the entered window has access
It's not enough to check that the current window has access, if other security checks failed and the entered window shouldn't have access to the current window. BUG=788453 R=haraken@chromium.org,mkwst@chromium.org Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01 Reviewed-on: https://chromium-review.googlesource.com/792934 Commit-Queue: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#519683}
c1cc6f94 · Jochen Eisinger · Commit Bot · 793d1ce5 · c1cc6f94 · c1cc6f94
Commit c1cc6f94 authored Nov 28, 2017 by Jochen Eisinger Committed by Commit Bot Nov 28, 2017
3 changed files
--- a/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
@@ -282,6 +282,17 @@ void V8Window::openMethodCustom(
    return;
  }

+  // If the bindings implementation is 100% correct, the current realm and the
+  // entered realm should be same origin-domain. However, to be on the safe
+  // side and add some defense in depth, we'll check against the entered realm
+  // as well here.
+  if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
+                                            impl, exception_state)) {
+    UseCounter::Count(CurrentExecutionContext(info.GetIsolate()),
+                      WebFeature::kWindowOpenRealmMismatch);
+    return;
+  }
+
  TOSTRING_VOID(V8StringResource<kTreatNullAndUndefinedAsNullString>,
                url_string, info[0]);
  AtomicString frame_name;

--- a/third_party/WebKit/public/platform/web_feature.mojom
+++ b/third_party/WebKit/public/platform/web_feature.mojom
@@ -1765,6 +1765,7 @@ enum WebFeature {
  kWindowEventInV0ShadowTree = 2244,
  kHTMLAnchorElementDownloadInSandboxWithUserGesture = 2245,
  kHTMLAnchorElementDownloadInSandboxWithoutUserGesture = 2246,
+  kWindowOpenRealmMismatch = 2247,

  // Add new features immediately above this line. Don't change assigned
  // numbers of any item, and don't reuse removed slots.

--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -17036,6 +17036,7 @@ Called by update_net_error_codes.py.-->
  <int value="2245" label="HTMLAnchorElementDownloadInSandboxWithUserGesture"/>
  <int value="2246"
      label="HTMLAnchorElementDownloadInSandboxWithoutUserGesture"/>
+  <int value="2247" label="WindowOpenRealmMismatch"/>
 </enum>

 <enum name="FeedbackSource">