| commit | 646fec0ac2231d2818a0269c1be604f541861848 | |
| author | alexmos <alexmos@chromium.org> | |
| Sat, 25 Jul 2015 00:11:49 +0000 (24 17:11 -0700) | ||
| committer | Commit bot <commit-bot@chromium.org> | |
| Sat, 25 Jul 2015 00:12:16 +0000 (25 00:12 +0000) | ||
| tree | 9a404ddd7fe5f527b38bf13c66208b4fd036a7ad | treesnapshot (tar.gz zip) |
| parent | 618afa5ddf9d40d48278a1afbd9bcb3413b3c326 | commitdiff |
Ensure frames have the necessary proxies to be discoverable by name.
With OOPIF, when a frame navigates another frame via window.open(url,
name), we must ensure that a proxy for the target named frame exists
in the caller frame's process. This doesn't actually involve creating
this proxy in all SiteInstances in the current BrowsingInstance.
Although Blink uses a global namespace for frame names, it only
returns the target named frame if the caller is allowed to navigate
it, as decided by Frame::canNavigate (corresponding spec: [1]).
Currently, canNavigate may return true in these cases (some also
involve sandboxing checks):
1. Target is the top frame in caller's frame tree.
2. Target is a descendant of the caller.
3. Caller is same-origin with the target or one of its ancestors.
4. The target is a top-level frame and is the caller's opener.
5. The target is a top-level frame and caller has same origin as
an ancestor of the target's opener.
If caller and target frames are in different processes, the right
proxy for the target frame is already created in cases 1-4 by a
combination of CreateProxiesForNewRenderFrameHost,
CreateProxiesForChildFrame, and SwapOutOldFrame. This CL adds support
to handle case 5 (corresponding to [2] in Frame::canNavigate). Note
that we only have to do this for new frames that have a name, or if a
frame without a name acquires a name later.
[1] Case 4 in https://html.spec.whatwg.org/#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name,
and https://html.spec.whatwg.org/#familiar-with that it references
[2] https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/frame/Frame.cpp&sq=package:chromium&l=247
if (!targetFrame.tree().parent()) {
...
if (canAccessAncestor(origin, targetFrame.client()->opener()))
return true;
BUG=511474
Review URL: https://codereview.chromium.org/1250473008
Cr-Commit-Position: refs/heads/master@{#340381}
With OOPIF, when a frame navigates another frame via window.open(url,
name), we must ensure that a proxy for the target named frame exists
in the caller frame's process. This doesn't actually involve creating
this proxy in all SiteInstances in the current BrowsingInstance.
Although Blink uses a global namespace for frame names, it only
returns the target named frame if the caller is allowed to navigate
it, as decided by Frame::canNavigate (corresponding spec: [1]).
Currently, canNavigate may return true in these cases (some also
involve sandboxing checks):
1. Target is the top frame in caller's frame tree.
2. Target is a descendant of the caller.
3. Caller is same-origin with the target or one of its ancestors.
4. The target is a top-level frame and is the caller's opener.
5. The target is a top-level frame and caller has same origin as
an ancestor of the target's opener.
If caller and target frames are in different processes, the right
proxy for the target frame is already created in cases 1-4 by a
combination of CreateProxiesForNewRenderFrameHost,
CreateProxiesForChildFrame, and SwapOutOldFrame. This CL adds support
to handle case 5 (corresponding to [2] in Frame::canNavigate). Note
that we only have to do this for new frames that have a name, or if a
frame without a name acquires a name later.
[1] Case 4 in https://html.spec.whatwg.org/#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name,
and https://html.spec.whatwg.org/#familiar-with that it references
[2] https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/frame/Frame.cpp&sq=package:chromium&l=247
if (!targetFrame.tree().parent()) {
...
if (canAccessAncestor(origin, targetFrame.client()->opener()))
return true;
BUG=511474
Review URL: https://codereview.chromium.org/1250473008
Cr-Commit-Position: refs/heads/master@{#340381}