Diffstat (limited to 'chromium/third_party/WebKit/Source/core/frame')
3 files changed, 20 insertions, 2 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
index 198244acb3e..5c0824f0e11 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.cpp
@@ -746,12 +746,24 @@ EphemeralRange LocalFrame::RangeForPoint(const IntPoint& frame_point) {
   return EphemeralRange();
 }
 
-bool LocalFrame::ShouldReuseDefaultView(const KURL& url) const {
+bool LocalFrame::ShouldReuseDefaultView(
+    const KURL& url,
+    const ContentSecurityPolicy* csp) const {
   // Secure transitions can only happen when navigating from the initial empty
   // document.
   if (!Loader().StateMachine()->IsDisplayingInitialEmptyDocument())
     return false;
 
+  // The Window object should only be re-used if it is same-origin.
+  // Since sandboxing turns the origin into an opaque origin it needs to also
+  // be considered when deciding whether to reuse it.
+  // Spec:
+  // https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object
+  if (csp &&
+      SecurityContext::IsSandboxed(kSandboxOrigin, csp->GetSandboxMask())) {
+    return false;
+  }
+
   return GetDocument()->IsSecureTransitionTo(url);
 }
 
diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
index d36b81dff58..72018c71f8a 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
@@ -214,7 +214,7 @@ class CORE_EXPORT LocalFrame final : public Frame,
   EphemeralRangeTemplate<EditingAlgorithm<NodeTraversal>> RangeForPoint(
       const IntPoint& frame_point);
 
-  bool ShouldReuseDefaultView(const KURL&) const;
+  bool ShouldReuseDefaultView(const KURL&, const ContentSecurityPolicy*) const;
   void RemoveSpellingMarkersUnderWords(const Vector<String>& words);
 
   bool ShouldThrottleRendering() const;
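Review bot: In the new guard `if (csp && SecurityContext::IsSandboxed(kSandboxOrigin, csp->GetSandboxMask()))`, a null `csp` silently means "not sandboxed", so the same-origin reasoning in the comment above it only holds if every caller passes the policy parsed for the incoming response; the callers are outside this hunk, so that cannot be confirmed here. The check also consults only the sandbox flags carried by that one policy object, which the comment does not say, and the declaration added in LocalFrame.h carries no description of the new parameter at all. I would state the contract on the parameter rather than leave it implicit, e.g. `// |csp| is the policy parsed for the navigation response, or null when none was delivered; only the sandbox flags it carries are consulted here.` and mirror that on the declaration in LocalFrame.h. The function body is fully inside the hunk.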
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
index c562bdfbc79..4da2f742a1e 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -446,6 +446,12 @@ class CORE_EXPORT ContentSecurityPolicy
   // Returns the 'wasm-eval' source is supported.
   bool SupportsWasmEval() const { return supports_wasm_eval_; }
 
+  // Retrieves the parsed sandbox flags. A lot of the time the execution
+  // context will be used for all sandbox checks but there are situations
+  // (before installing the document that this CSP will bind to) when
+  // there is no execution context to enforce the sandbox flags.
+  SandboxFlags GetSandboxMask() const { return sandbox_mask_; }
+
  private:
   FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline);
   FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy); |
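Review bot: The comment on `GetSandboxMask()` says the flags are "parsed" but not what they are parsed from or when the value is complete; since the new caller in LocalFrame.cpp reads it before a document is installed, a reader cannot tell whether the mask is final at that point or could still change as further policies are applied to the same object. I would make the comment name the source that feeds `sandbox_mask_` and the point after which it is safe to read, e.g. `// Valid only once every policy delivered for the response has been applied; an earlier read may miss flags.` — presumably the mask is built from this policy's own sandbox directive, which should be confirmed against where `sandbox_mask_` is written. The enclosing class continues outside the hunk.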