
Issue 760451 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Aug 2017
OS: All
Pri: 2
Type: Bug

Blocking: issue 756790




Sandbox flags lost on remote-to-local transitions in main frames

Project Member Reported by alex...@chromium.org, Aug 30 2017

Issue description

What steps will reproduce the problem?
(1) With --site-per-process, go to http://csreis.github.io/tests/cross-site-iframe.html
(2) From DevTools:
  document.querySelector("iframe").sandbox="allow-scripts allow-popups"
(3) Click "Go same-site" so the sandbox flags take effect.
(4) In DevTools, switch to subframe context and execute
  var w = window.open("https://csreis.github.io")
(5) Check that document.origin in the new window is "null", as it should be, since it inherited the iframe's sandbox flags and preserved them across the cross-process navigation.
(6) Back in first tab, again from subframe context, execute
  w.location="http://csreis.github.io"
(7) Recheck the document.origin in the new window.  It's now "http://csreis.github.io", because we've lost the sandbox flags during the remote-to-local navigation.

This is because for remote-to-local transitions, WebLocalFrameImpl::CreateProvisional sets the sandbox flags only for subframes, when there's an owner present.  I think it also should force the sandbox flags for main frames, just like CreateMainFrame does via ForceSandboxFlags for cases where the main frame is created along with the RenderView.  I've got a fix in progress.
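
As an added example (not Chromium code and not the reporter's), the following model walks the reproduction steps above: the popup's sandbox flags are derived from the opener iframe's sandbox attribute, then either re-applied or dropped when the popup's main frame is re-created on the remote-to-local navigation. The functions parseSandboxAttr, inheritedPopupFlags, createMainFrame, createProvisionalMainFrame and reproduce are this model's own names, and the `fixed` argument selects the behaviour after the CL.

```javascript
const KNOWN_TOKENS = new Set([
  "allow-scripts", "allow-popups", "allow-same-origin", "allow-forms",
  "allow-popups-to-escape-sandbox", "allow-top-navigation",
]);

// Parse an iframe sandbox attribute value into the set of allowed tokens.
function parseSandboxAttr(value) {
  const allowed = new Set();
  for (const tok of value.toLowerCase().split(/\s+/)) {
    if (KNOWN_TOKENS.has(tok)) allowed.add(tok);
  }
  return { sandboxed: true, allowed };
}

// document.origin for a frame with these flags at this URL: an opaque
// origin, serialized as "null", unless allow-same-origin is present.
function documentOrigin(flags, url) {
  if (flags.sandboxed && !flags.allowed.has("allow-same-origin")) return "null";
  return new URL(url).origin;
}

// window.open() from a sandboxed frame: the popup inherits the opener's
// flags unless allow-popups-to-escape-sandbox was granted.
function inheritedPopupFlags(opener) {
  if (!opener.sandboxed || opener.allowed.has("allow-popups-to-escape-sandbox")) {
    return { sandboxed: false, allowed: new Set() };
  }
  return { sandboxed: true, allowed: new Set(opener.allowed) };
}

// Main frame created together with a new RenderView: inherited flags are forced.
function createMainFrame(inherited) {
  return { sandboxed: inherited.sandboxed, allowed: new Set(inherited.allowed) };
}

// Main frame created for a remote-to-local transition. Before the fix only
// frames with an owner (subframes) got their flags, so a main frame came up unsandboxed.
function createProvisionalMainFrame(inherited, fixed) {
  return fixed ? createMainFrame(inherited) : { sandboxed: false, allowed: new Set() };
}

// Walk the repro: open the popup cross-site (step 4), then navigate it
// remote-to-local (step 6). Returns the document.origin seen in steps 5 and 7.
function reproduce(fixed) {
  const inherited = inheritedPopupFlags(parseSandboxAttr("allow-scripts allow-popups"));
  const first = createMainFrame(inherited);                    // window.open(https://...)
  const second = createProvisionalMainFrame(inherited, fixed); // w.location = http://...
  return [documentOrigin(first, "https://csreis.github.io/"),
          documentOrigin(second, "http://csreis.github.io/")];
}
```

Running `reproduce(false)` yields the origins the reporter saw before the fix, and `reproduce(true)` keeps the popup's origin opaque across both navigations.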

Blocking: 756790
I encountered this when working on issue 756790, where the test SitePerProcessBrowserTest.NewPopupInheritsSandboxFlagsFromOpener starts failing if the popup navigation in the test is switched to a remote-to-local path from a CreateMainFrame path.

Project Member Comment 2 by bugdroid1@chromium.org, Aug 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1ef8e9e0b90d73d8cf899d47d060073e4268b270

commit 1ef8e9e0b90d73d8cf899d47d060073e4268b270
Author: Alex Moshchuk <alexmos@chromium.org>
Date: Wed Aug 30 18:26:52 2017

Preserve sandbox flags on remote-to-local navigations in main frames.

Cross-process remote-to-local navigations used to only set the sandbox
flags on the FrameOwner, if one was present.  This CL ensures that
they are also preserved for main frames via
FrameLoader::ForceSandboxFlags, which mirrors how CreateMainFrame
propagates inherited sandbox flags for main frames created along with
a new RenderView.

Bug: 760451
Change-Id: Icae705b4e5c35699e9056640512e2db66e94ed6c
Reviewed-on: https://chromium-review.googlesource.com/642637
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498540}
[modify] https://crrev.com/1ef8e9e0b90d73d8cf899d47d060073e4268b270/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/1ef8e9e0b90d73d8cf899d47d060073e4268b270/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp

Status: Fixed (was: Started)
