diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-06 14:06:53 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-14 15:24:27 +0000 |
commit | af4500d25e07e0931edcf0f497f9b0c7791a3318 (patch) | |
tree | 5152d3df5e6946e06b85c803491fb049f46b8bdb /chromium/third_party/WebKit/Source/core/frame | |
parent | 9ffeaf4caa98ede92afe9de3750a82acc70c42ac (diff) |
[Backport] CVE-2018-16077
Prevent sandboxed documents from reusing the default window
Bug: 377995
Change-Id: I5350c62072b46544331e40361b9d606d9e533ce3
Reviewed-on: https://chromium-review.googlesource.com/983558
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/third_party/WebKit/Source/core/frame')
3 files changed, 20 insertions, 2 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp index 198244acb3e..5c0824f0e11 100644 --- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp +++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp @@ -746,12 +746,24 @@ EphemeralRange LocalFrame::RangeForPoint(const IntPoint& frame_point) { return EphemeralRange(); } -bool LocalFrame::ShouldReuseDefaultView(const KURL& url) const { +bool LocalFrame::ShouldReuseDefaultView( + const KURL& url, + const ContentSecurityPolicy* csp) const { // Secure transitions can only happen when navigating from the initial empty // document. if (!Loader().StateMachine()->IsDisplayingInitialEmptyDocument()) return false; + // The Window object should only be re-used if it is same-origin. + // Since sandboxing turns the origin into an opaque origin it needs to also + // be considered when deciding whether to reuse it. + // Spec: + // https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object + if (csp && + SecurityContext::IsSandboxed(kSandboxOrigin, csp->GetSandboxMask())) { + return false; + } + return GetDocument()->IsSecureTransitionTo(url); } diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h index d36b81dff58..72018c71f8a 100644 --- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h +++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h @@ -214,7 +214,7 @@ class CORE_EXPORT LocalFrame final : public Frame, EphemeralRangeTemplate<EditingAlgorithm<NodeTraversal>> RangeForPoint( const IntPoint& frame_point); - bool ShouldReuseDefaultView(const KURL&) const; + bool ShouldReuseDefaultView(const KURL&, const ContentSecurityPolicy*) const; void RemoveSpellingMarkersUnderWords(const Vector<String>& words); bool ShouldThrottleRendering() const; diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h index c562bdfbc79..4da2f742a1e 100644 --- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h +++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h @@ -446,6 +446,12 @@ class CORE_EXPORT ContentSecurityPolicy // Returns the 'wasm-eval' source is supported. bool SupportsWasmEval() const { return supports_wasm_eval_; } + // Retrieves the parsed sandbox flags. A lot of the time the execution + // context will be used for all sandbox checks but there are situations + // (before installing the document that this CSP will bind to) when + // there is no execution context to enforce the sandbox flags. + SandboxFlags GetSandboxMask() const { return sandbox_mask_; } + private: FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline); FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy); |