summaryrefslogtreecommitdiffstats
path: root/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp')
-rw-r--r--chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp14
1 files changed, 13 insertions, 1 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
index 198244acb3e..5c0824f0e11 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
@@ -746,12 +746,24 @@ EphemeralRange LocalFrame::RangeForPoint(const IntPoint& frame_point) {
return EphemeralRange();
}
-bool LocalFrame::ShouldReuseDefaultView(const KURL& url) const {
+bool LocalFrame::ShouldReuseDefaultView(
+ const KURL& url,
+ const ContentSecurityPolicy* csp) const {
// Secure transitions can only happen when navigating from the initial empty
// document.
if (!Loader().StateMachine()->IsDisplayingInitialEmptyDocument())
return false;
+ // The Window object should only be re-used if it is same-origin.
+ // Since sandboxing turns the origin into an opaque origin it needs to also
+ // be considered when deciding whether to reuse it.
+ // Spec:
+ // https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object
+ if (csp &&
+ SecurityContext::IsSandboxed(kSandboxOrigin, csp->GetSandboxMask())) {
+ return false;
+ }
+
return GetDocument()->IsSecureTransitionTo(url);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-09 10:55:41 +0000