Revision 4c8580c189ce4501997af80b599bea070b1a7299 authored by Ian Clelland on 13 April 2018, 01:59:02 UTC, committed by Philip Jägenstedt on 13 April 2018, 12:05:15 UTC
Currently, policy-controlled features do not work as expected in
frames with opaque origins, such as isolated sandboxes and data: URLs,
because the eventual opaque origin of the frame is not known when the
HTMLFrameOwnerElement builds the container policy, and so has no way
to tell the browser that a particular origin should be allowed.
This CL adds a new member to the ParsedFeaturePolicyDeclaration, which
indicates that the iframe policy is expected to apply to the origin of
the frame, and is used when that frame has an opaque origin. This can
be triggered with an iframe of the form
<iframe sandbox allow="feature">
or
<iframe sandbox allow="feature src">
This flag is checked when building the feature policy in the new frame,
and ensures that the new feature policy will allow the feature in that
origin.
This is the first part of the eventual solution -- currently this has
the effect of allowing the feature even if a sandboxed frame navigates
to a new page (causing a new opaque origin to be created for it).
Subsequent CLs will add a unique identified to each such origin, and
ensure that the generated policies are properly tied to the specific
origin of the frame.
Bug: 690520
Change-Id: Ie18b9bc3c36be6550baf5a03e355871b9589fd40
Reviewed-on: https://chromium-review.googlesource.com/963382
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550463}
1 parent 1dd03e7
Computing file changes ...
