[CORS-RFC1918] Test inheritance for sandboxed iframes.

We test 6 out of the 7 possible URLs: - about:blank - the initial empty doc - about:srcodc - data: - blob: - filesystem: We do not test javascript:, since we cannot load in a sandboxed iframe (even with `sandbox = "allow-scripts"`). Fixed: chromium:1167697 Change-Id: I8c4c634bd7c0cc7d1ed9a6c1148f63fa79f7dfcb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2637616 Auto-Submit: Titouan Rigoudy <titouan@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Titouan Rigoudy <titouan@chromium.org> Cr-Commit-Position: refs/heads/master@{#844765}

[CORS-RFC1918] Test inheritance for sandboxed iframes.
We test 6 out of the 7 possible URLs: - about:blank - the initial empty doc - about:srcodc - data: - blob: - filesystem: We do not test javascript:, since we cannot load in a sandboxed iframe (even with `sandbox = "allow-scripts"`). Fixed: chromium:1167697 Change-Id: I8c4c634bd7c0cc7d1ed9a6c1148f63fa79f7dfcb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2637616 Auto-Submit: Titouan Rigoudy <titouan@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Titouan Rigoudy <titouan@chromium.org> Cr-Commit-Position: refs/heads/master@{#844765}
ee51fc4c · Titouan Rigoudy · Chromium LUCI CQ · de328abd · ee51fc4c · ee51fc4c
Commit ee51fc4c authored Jan 19, 2021 by Titouan Rigoudy Committed by Chromium LUCI CQ Jan 19, 2021
2 changed files
--- a/content/browser/renderer_host/cors_rfc1918_browsertest.cc
+++ b/content/browser/renderer_host/cors_rfc1918_browsertest.cc
@@ -684,6 +684,63 @@ RenderFrameHostImpl* AddChildFromFilesystem(RenderFrameHostImpl* parent) {
  return AddChildFromURL(parent, fs_url);
 }

+RenderFrameHostImpl* AddSandboxedChildFromURL(RenderFrameHostImpl* parent,
+                                              const GURL& url) {
+  std::string script_template = R"(
+    new Promise((resolve) => {
+      const iframe = document.createElement("iframe");
+      iframe.src = $1;
+      iframe.sandbox = "";
+      iframe.onload = _ => { resolve(true); };
+      document.body.appendChild(iframe);
+    })
+  )";
+  return AddChildWithScript(parent, JsReplace(script_template, url));
+}
+
+RenderFrameHostImpl* AddSandboxedChildFromAboutBlank(
+    RenderFrameHostImpl* parent) {
+  return AddSandboxedChildFromURL(parent, GURL("about:blank"));
+}
+
+RenderFrameHostImpl* AddSandboxedChildInitialEmptyDoc(
+    RenderFrameHostImpl* parent) {
+  return AddChildWithScript(parent, R"(
+    const iframe = document.createElement("iframe");
+    iframe.src = "/nocontent";  // Returns 204 NO CONTENT, thus no doc commits.
+    iframe.sandbox = "";
+    document.body.appendChild(iframe);
+    true  // Do not wait for iframe.onload, which never fires.
+  )");
+}
+
+RenderFrameHostImpl* AddSandboxedChildFromSrcdoc(RenderFrameHostImpl* parent) {
+  return AddChildWithScript(parent, R"(
+    new Promise((resolve) => {
+      const iframe = document.createElement("iframe");
+      iframe.srcdoc = "foo";
+      iframe.sandbox = "";
+      iframe.onload = _ => { resolve(true); };
+      document.body.appendChild(iframe);
+    })
+  )");
+}
+
+RenderFrameHostImpl* AddSandboxedChildFromDataURL(RenderFrameHostImpl* parent) {
+  return AddSandboxedChildFromURL(parent, GURL("data:text/html,foo"));
+}
+
+RenderFrameHostImpl* AddSandboxedChildFromBlob(RenderFrameHostImpl* parent) {
+  GURL blob_url = CreateBlobURL(parent);
+  return AddSandboxedChildFromURL(parent, blob_url);
+}
+
+RenderFrameHostImpl* AddSandboxedChildFromFilesystem(
+    RenderFrameHostImpl* parent) {
+  GURL fs_url = CreateFilesystemURL(parent);
+  return AddSandboxedChildFromURL(parent, fs_url);
+}
+
 // Returns the main frame RenderFrameHostImpl in the given |shell|.
 //
 // |shell| must not be nullptr.
@@ -774,6 +831,42 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
            security_state->ip_address_space);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForAboutBlankFromPublic) {
+  EXPECT_TRUE(NavigateToURL(
+      shell(), SecureTreatAsPublicAddressURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromAboutBlank(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
+            security_state->ip_address_space);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForAboutBlankFromLocal) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromAboutBlank(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kLocal,
+            security_state->ip_address_space);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       OpeneeInheritsAddressSpaceForAboutBlankFromPublic) {
  EXPECT_TRUE(NavigateToURL(
@@ -838,6 +931,42 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
            security_state->ip_address_space);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForInitialEmptyDocFromPublic) {
+  EXPECT_TRUE(NavigateToURL(
+      shell(), SecureTreatAsPublicAddressURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildInitialEmptyDoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
+            security_state->ip_address_space);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForInitialEmptyDocFromLocal) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildInitialEmptyDoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kLocal,
+            security_state->ip_address_space);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       OpeneeInheritsAddressSpaceForInitialEmptyDocFromPublic) {
  EXPECT_TRUE(NavigateToURL(
@@ -902,6 +1031,42 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
            security_state->ip_address_space);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForAboutSrcdocFromPublic) {
+  EXPECT_TRUE(NavigateToURL(
+      shell(), SecureTreatAsPublicAddressURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromSrcdoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
+            security_state->ip_address_space);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForAboutSrcdocFromLocal) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromSrcdoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kLocal,
+            security_state->ip_address_space);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       IframeInheritsAddressSpaceForDataURLFromPublic) {
  EXPECT_TRUE(NavigateToURL(
@@ -934,6 +1099,41 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
            security_state->ip_address_space);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForDataURLFromPublic) {
+  EXPECT_TRUE(NavigateToURL(
+      shell(), SecureTreatAsPublicAddressURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromDataURL(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
+            security_state->ip_address_space);
+}
+
+IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
+                       SandboxedIframeInheritsAddressSpaceForDataURLFromLocal) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromDataURL(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kLocal,
+            security_state->ip_address_space);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       IframeInheritsAddressSpaceForJavascriptURLFromPublic) {
  EXPECT_TRUE(NavigateToURL(
@@ -1032,6 +1232,41 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
            security_state->ip_address_space);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForBlobURLFromPublic) {
+  EXPECT_TRUE(NavigateToURL(
+      shell(), SecureTreatAsPublicAddressURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromBlob(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
+            security_state->ip_address_space);
+}
+
+IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
+                       SandboxedIframeInheritsAddressSpaceForBlobURLFromLocal) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromBlob(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kLocal,
+            security_state->ip_address_space);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       OpeneeInheritsAddressSpaceForBlobURLFromPublic) {
  EXPECT_TRUE(NavigateToURL(
@@ -1096,6 +1331,42 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
            security_state->ip_address_space);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForFilesystemURLFromPublic) {
+  EXPECT_TRUE(NavigateToURL(
+      shell(), SecureTreatAsPublicAddressURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromFilesystem(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
+            security_state->ip_address_space);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsAddressSpaceForFilesystemURLFromLocal) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromFilesystem(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_EQ(network::mojom::IPAddressSpace::kLocal,
+            security_state->ip_address_space);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       IframeInheritsSecureContextForAboutBlankFromSecure) {
  EXPECT_TRUE(
@@ -1130,6 +1401,44 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  EXPECT_FALSE(security_state->is_web_secure_context);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForAboutBlankFromSecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromAboutBlank(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_TRUE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_TRUE(security_state->is_web_secure_context);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForAboutBlankFromInsecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromAboutBlank(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       OpeneeInheritsSecureContextForAboutBlankFromSecure) {
  EXPECT_TRUE(
@@ -1200,6 +1509,44 @@ IN_PROC_BROWSER_TEST_F(
  EXPECT_FALSE(security_state->is_web_secure_context);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForInitialEmptyDocFromSecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildInitialEmptyDoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_TRUE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_TRUE(security_state->is_web_secure_context);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForInitialEmptyDocFromInsecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildInitialEmptyDoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
 IN_PROC_BROWSER_TEST_F(
    CorsRfc1918BrowserTest,
    OpeneeInheritsSecureContextForInitialEmptyDocFromSecure) {
@@ -1270,6 +1617,44 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  EXPECT_FALSE(security_state->is_web_secure_context);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForAboutSrcdocFromSecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromSrcdoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_TRUE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_TRUE(security_state->is_web_secure_context);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForAboutSrcdocFromInsecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromSrcdoc(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       IframeInheritsSecureContextForDataURLFromSecure) {
  EXPECT_TRUE(
@@ -1278,17 +1663,7 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  RenderFrameHostImpl* child_frame = AddChildFromDataURL(root_frame_host());
  ASSERT_NE(nullptr, child_frame);

-  // A document loaded from a `data:` URL is never a secure context according to
-  // the spec [1] unless it is origin-sandboxed and its parent is a secure
-  // context itself.
-  // That being said, there exists a web platform test [2] that asserts the
-  // contrary. Then again, it is failing on all major browsers as of
-  // 2021-01-08...
-  //
-  // [1]
-  // https://w3c.github.io/webappsec-secure-contexts/#is-settings-object-contextually-secure
-  // [2]
-  // https://wpt.fyi/results/secure-contexts/basic-popup-and-iframe-tests.https.html
+  // TODO(https://crbug.com/1168024): Expect true instead.
  EXPECT_FALSE(child_frame->is_web_secure_context());

  const network::mojom::ClientSecurityStatePtr security_state =
@@ -1315,6 +1690,45 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  EXPECT_FALSE(security_state->is_web_secure_context);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForDataURLFromSecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromDataURL(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  // TODO(https://crbug.com/1168024): Expect true instead.
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForDataURLFromInsecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromDataURL(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
 IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
                       IframeInheritsSecureContextForJavascriptURLFromSecure) {
  EXPECT_TRUE(
@@ -1333,6 +1747,25 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  EXPECT_TRUE(security_state->is_web_secure_context);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    IframeInheritsSecureContextForJavascriptURLFromInsecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddChildFromJavascriptURL(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
 IN_PROC_BROWSER_TEST_F(
    CorsRfc1918BrowserTest,
    OpeneeInheritsSecureContextForJavascriptURLFromInsecure) {
@@ -1368,14 +1801,29 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  EXPECT_TRUE(security_state->is_web_secure_context);
 }

-IN_PROC_BROWSER_TEST_F(
-    CorsRfc1918BrowserTest,
-    IframeInheritsSecureContextForJavascriptURLFromInsecure) {
+IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
+                       IframeInheritsSecureContextForBlobURLFromSecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame = AddChildFromBlob(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_TRUE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_TRUE(security_state->is_web_secure_context);
+}
+
+IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
+                       IframeInheritsSecureContextForBlobURLFromInsecure) {
  EXPECT_TRUE(
      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));

-  RenderFrameHostImpl* child_frame =
-      AddChildFromJavascriptURL(root_frame_host());
+  RenderFrameHostImpl* child_frame = AddChildFromBlob(root_frame_host());
  ASSERT_NE(nullptr, child_frame);

  EXPECT_FALSE(child_frame->is_web_secure_context());
@@ -1387,12 +1835,14 @@ IN_PROC_BROWSER_TEST_F(
  EXPECT_FALSE(security_state->is_web_secure_context);
 }

-IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
-                       IframeInheritsSecureContextForBlobURLFromSecure) {
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForBlobURLFromSecure) {
  EXPECT_TRUE(
      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));

-  RenderFrameHostImpl* child_frame = AddChildFromBlob(root_frame_host());
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromBlob(root_frame_host());
  ASSERT_NE(nullptr, child_frame);

  EXPECT_TRUE(child_frame->is_web_secure_context());
@@ -1404,12 +1854,14 @@ IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
  EXPECT_TRUE(security_state->is_web_secure_context);
 }

-IN_PROC_BROWSER_TEST_F(CorsRfc1918BrowserTest,
-                       IframeInheritsSecureContextForBlobURLFromInsecure) {
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForBlobURLFromInsecure) {
  EXPECT_TRUE(
      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));

-  RenderFrameHostImpl* child_frame = AddChildFromBlob(root_frame_host());
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromBlob(root_frame_host());
  ASSERT_NE(nullptr, child_frame);

  EXPECT_FALSE(child_frame->is_web_secure_context());
@@ -1490,6 +1942,44 @@ IN_PROC_BROWSER_TEST_F(
  EXPECT_FALSE(security_state->is_web_secure_context);
 }

+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForFilesystemURLFromSecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), SecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromFilesystem(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_TRUE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_TRUE(security_state->is_web_secure_context);
+}
+
+IN_PROC_BROWSER_TEST_F(
+    CorsRfc1918BrowserTest,
+    SandboxedIframeInheritsSecureContextForFilesystemURLFromInsecure) {
+  EXPECT_TRUE(
+      NavigateToURL(shell(), InsecureDefaultURL(*embedded_test_server())));
+
+  RenderFrameHostImpl* child_frame =
+      AddSandboxedChildFromFilesystem(root_frame_host());
+  ASSERT_NE(nullptr, child_frame);
+
+  EXPECT_FALSE(child_frame->is_web_secure_context());
+
+  const network::mojom::ClientSecurityStatePtr security_state =
+      child_frame->BuildClientSecurityState();
+  ASSERT_FALSE(security_state.is_null());
+
+  EXPECT_FALSE(security_state->is_web_secure_context);
+}
+
 // This test verifies that even with the blocking feature disabled, an insecure
 // page in the `local` address space cannot fetch a `file:` URL.
 //

--- a/content/browser/renderer_host/render_frame_host_impl.h
+++ b/content/browser/renderer_host/render_frame_host_impl.h
@@ -2725,6 +2725,8 @@ class CONTENT_EXPORT RenderFrameHostImpl
  // WARNING: This does not behave exactly as specified in HTML. Instead it more
  // closely follows the Blink implementation, which predates it, for
  // consistency.
+  //
+  // TODO(https://crbug.com/1168024): Fix this to behave as specified in HTML.
  bool is_web_secure_context_ = false;

  network::CrossOriginEmbedderPolicy cross_origin_embedder_policy_;