Ensure every LocalFrame has a fully functional PolicyContainer

A LocalFrame's PolicyContainer is the counterpart of the
RenderFrameHost's PolicyContainerHost. There are LocalFrames without a
corresponding RenderFrameHost, and there are RenderFrameHost (the
speculative ones) without a PolicyContainerHost. Previously, in those
cases, we were setting a LocalFrame's PolicyContainer to be
nullptr.

We were trying to handle accesses to a non-defined LocalFrame's
PolicyContainer with single nullptr checks. However, a LocalFrame's
PolicyContainer is needed every time a LocalFrame needs to handle
security policies. It turn out this can happen in a myriad of
cases. For example, SVG images included via the img tag (which are
rendered using a fake LocalFrame) allow meta tags delivering security
policies (although those policies effectively do nothing). Using
nullptr checks to handle those cases everywhere is tedious and error
prone.

With this CL we adopt a similar approach as for the
EmptyFrameClients. We always define a PolicyContainer for a
LocalFrame, even if it has no RenderFrameHost. In this case, the
PolicyContainer is an "empty" client: it is fully functional for
Blink's purposes, but it treats all mojo messaging to its
(non-existent) Browser counterpart as no-ops.

Bug: 1158034,1130587
Change-Id: I18347b9a16c6c7d71931c1f34abda793e66a9324
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2594768Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Pâris Meuleman <pmeuleman@chromium.org>
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843501}

third_party/blink/renderer/core/frame/local_frame.cc

@@ -1481,7 +1481,8 @@ LocalFrame::LocalFrame(LocalFrameClient* client,
                               : InterfaceRegistry::GetEmptyInterfaceRegistry()),
       is_save_data_enabled_(GetNetworkStateNotifier().SaveDataEnabled()),
       lifecycle_state_(mojom::FrameLifecycleState::kRunning),
-      policy_container_(std::move(policy_container)) {
+      policy_container_(policy_container ? std::move(policy_container)
+                                         : PolicyContainer::CreateEmpty()) {
   auto frame_tracking_result = GetLocalFramesMap().insert(
       base::UnguessableTokenHash()(frame_token), this);
   CHECK(frame_tracking_result.stored_value) << "Inserting a duplicate item.";

third_party/blink/renderer/core/frame/policy_container.cc

@@ -12,6 +12,18 @@ PolicyContainer::PolicyContainer(
     : policies_(std::move(policies)),
       policy_container_host_remote_(std::move(remote)) {}
 
+// static
+std::unique_ptr<PolicyContainer> PolicyContainer::CreateEmpty() {
+  // Create a dummy PolicyContainerHost remote. All the messages will be
+  // ignored.
+  mojo::AssociatedRemote<mojom::blink::PolicyContainerHost> dummy_host;
+  ignore_result(dummy_host.BindNewEndpointAndPassDedicatedReceiver());
+
+  return std::make_unique<PolicyContainer>(
+      dummy_host.Unbind(),
+      mojom::blink::PolicyContainerDocumentPolicies::New());
+}
+
 // static
 std::unique_ptr<PolicyContainer> PolicyContainer::CreateFromWebPolicyContainer(
     std::unique_ptr<WebPolicyContainer> container) {

third_party/blink/renderer/core/frame/policy_container.h

@@ -32,6 +32,7 @@ class CORE_EXPORT PolicyContainer {
   PolicyContainer& operator=(const PolicyContainer&) = delete;
   ~PolicyContainer() = default;
 
+  static std::unique_ptr<PolicyContainer> CreateEmpty();
   static std::unique_ptr<PolicyContainer> CreateFromWebPolicyContainer(
       std::unique_ptr<WebPolicyContainer> container);
 

third_party/blink/renderer/core/html/html_meta_element.cc

@@ -599,11 +599,7 @@ void HTMLMetaElement::ProcessContent() {
       // has no PolicyContainer, so we ignore the next step. This function will
       // run again anyway, should this document or this element be attached to a
       // frame.
-      //
-      // SVG images (loaded via the img tag) create a fake LocalFrame which has
-      // no PolicyContainer. Ignore policy updates from meta tags inside SVG
-      // images.
-      if (frame && frame->GetPolicyContainer()) {
+      if (frame) {
         frame->GetPolicyContainer()->UpdateReferrerPolicy(
             GetExecutionContext()->GetReferrerPolicy());
       }

third_party/blink/renderer/core/loader/document_loader.cc

@@ -1835,12 +1835,8 @@ void DocumentLoader::InitializeWindow(Document* owner_document) {
   frame_->DomWindow()->SetAddressSpace(ip_address_space_);
 
   if (base::FeatureList::IsEnabled(blink::features::kPolicyContainer)) {
-    // SVG image documents go throught this but don't have a PolicyContainer, so
-    // ignore them.
-    if (frame_->GetPolicyContainer()) {
-      frame_->DomWindow()->SetReferrerPolicy(
-          frame_->GetPolicyContainer()->GetReferrerPolicy());
-    }
+    frame_->DomWindow()->SetReferrerPolicy(
+        frame_->GetPolicyContainer()->GetReferrerPolicy());
   }
   String referrer_policy_header =
       response_.HttpHeaderField(http_names::kReferrerPolicy);

third_party/blink/renderer/core/testing/dummy_page_holder.cc

@@ -84,11 +84,6 @@ DummyPageHolder::DummyPageHolder(
   if (!local_frame_client_)
     local_frame_client_ = MakeGarbageCollected<DummyLocalFrameClient>();
 
-  mojo::PendingAssociatedRemote<mojom::blink::PolicyContainerHost>
-      stub_policy_container_remote;
-  ignore_result(
-      stub_policy_container_remote.InitWithNewEndpointAndPassReceiver());
-
   // Create new WindowAgentFactory as this page will be isolated from others.
   frame_ = MakeGarbageCollected<LocalFrame>(
       local_frame_client_.Get(), *page_,
@@ -96,11 +91,7 @@ DummyPageHolder::DummyPageHolder(
       /* Frame* previous_sibling */ nullptr,
       FrameInsertType::kInsertInConstructor, base::UnguessableToken::Create(),
       /* WindowAgentFactory* */ nullptr,
-      /* InterfaceRegistry* */ nullptr,
-      std::make_unique<PolicyContainer>(
-          std::move(stub_policy_container_remote),
-          mojom::blink::PolicyContainerDocumentPolicies::New()),
-      clock);
+      /* InterfaceRegistry* */ nullptr, /* policy_container */ nullptr, clock);
   frame_->SetView(
       MakeGarbageCollected<LocalFrameView>(*frame_, initial_view_size));
   frame_->View()->GetPage()->GetVisualViewport().SetSize(initial_view_size);