[Backport] CVE-2018-16077

Prevent sandboxed documents from reusing the default window

Bug: 377995
Change-Id: I5350c62072b46544331e40361b9d606d9e533ce3
Reviewed-on: https://chromium-review.googlesource.com/983558
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

3 files changed, 20 insertions, 2 deletions

diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
index 198244acb3e..5c0824f0e11 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
@@ -746,12 +746,24 @@ EphemeralRange LocalFrame::RangeForPoint(const IntPoint& frame_point) {
   return EphemeralRange();
 }
 
-bool LocalFrame::ShouldReuseDefaultView(const KURL& url) const {
+bool LocalFrame::ShouldReuseDefaultView(
+    const KURL& url,
+    const ContentSecurityPolicy* csp) const {
   // Secure transitions can only happen when navigating from the initial empty
   // document.
   if (!Loader().StateMachine()->IsDisplayingInitialEmptyDocument())
     return false;
 
+  // The Window object should only be re-used if it is same-origin.
+  // Since sandboxing turns the origin into an opaque origin it needs to also
+  // be considered when deciding whether to reuse it.
+  // Spec:
+  // https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object
+  if (csp &&
+      SecurityContext::IsSandboxed(kSandboxOrigin, csp->GetSandboxMask())) {
+    return false;
+  }
+
   return GetDocument()->IsSecureTransitionTo(url);
 }
 
diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
index d36b81dff58..72018c71f8a 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
@@ -214,7 +214,7 @@ class CORE_EXPORT LocalFrame final : public Frame,
   EphemeralRangeTemplate<EditingAlgorithm<NodeTraversal>> RangeForPoint(
       const IntPoint& frame_point);
 
-  bool ShouldReuseDefaultView(const KURL&) const;
+  bool ShouldReuseDefaultView(const KURL&, const ContentSecurityPolicy*) const;
   void RemoveSpellingMarkersUnderWords(const Vector<String>& words);
 
   bool ShouldThrottleRendering() const;
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
index c562bdfbc79..4da2f742a1e 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -446,6 +446,12 @@ class CORE_EXPORT ContentSecurityPolicy
   // Returns the 'wasm-eval' source is supported.
   bool SupportsWasmEval() const { return supports_wasm_eval_; }
 
+  // Retrieves the parsed sandbox flags. A lot of the time the execution
+  // context will be used for all sandbox checks but there are situations
+  // (before installing the document that this CSP will bind to) when
+  // there is no execution context to enforce the sandbox flags.
+  SandboxFlags GetSandboxMask() const { return sandbox_mask_; }
+
  private:
   FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline);
   FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy);