Prevent Cross-Origin iframe from navigating top to a different scheme

Cross-origin iframes were prevented to navigate top with [1]. Those
iframes were allowed to navigate top only to same domain (eTLD+1)
following reports of adverse impact. This severely restrains the ability
of said iframe to cause nuisance.
It does not seem necessary however to loosen the constraint to allow
different schemes, especially from https to http. As a result this CL
prevents a cross-origin iframe from navigating top to the same eTLD + 1
with a different schemes if there's no user gesture.

[1] WICG/interventions#16

Bug: 1151507
Fixed: 1151507

Change-Id: Ia1568175c044831594154ceea3e3aacb4e2efb2c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2756509
Commit-Queue: Nate Chapin <[email protected]>
Auto-Submit: Pâris Meuleman <[email protected]>
Reviewed-by: Nate Chapin <[email protected]>
Cr-Commit-Position: refs/heads/master@{#863936}

Author: ParisMeuleman

third_party/blink/renderer/core/frame/local_frame.cc

@@ -1829,7 +1829,9 @@ static bool CanNavigateHelper(LocalFrame& initiating_frame,
     String destination_domain = network_utils::GetDomainAndRegistry(
         destination_url.Host(), network_utils::kIncludePrivateRegistries);
     if (!target_domain.IsEmpty() && !destination_domain.IsEmpty() &&
-        target_domain == destination_domain) {
+        target_domain == destination_domain &&
+        target_frame.GetSecurityContext()->GetSecurityOrigin()->Protocol() ==
+            destination_url.Protocol()) {
       return true;
     }
 

third_party/blink/web_tests/http/tests/security/frameNavigation/resources/iframe-that-performs-different-scheme-same-etld-plus-one-top-navigation-without-user-gesture.html

@@ -0,0 +1,16 @@
+<html>
+<body>
+The navigation should fail. This text should be visible.
+<script>
+window.onload = function()
+{
+    try {
+        top.location = "https://127.0.0.1:8443/security/frameNavigation/resources/navigation-changed-iframe.html";
+        top.postMessage("FAIL", "*");
+    } catch(e) {
+        top.postMessage("PASS", "*");
+    }
+}
+</script>
+</body>
+</html>

third_party/blink/web_tests/http/tests/security/frameNavigation/xss-DENIED-different-scheme-same-etld-plus-1-top-navigation-without-user-gesture-expected.txt

@@ -0,0 +1,6 @@
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+The navigation should fail. This text should be visible.

third_party/blink/web_tests/http/tests/security/frameNavigation/xss-DENIED-different-scheme-same-etld-plus-1-top-navigation-without-user-gesture.html

@@ -0,0 +1,22 @@
+<html>
+<head>
+    <script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.dumpChildFrames();
+        testRunner.setDumpConsoleMessages(false);
+        testRunner.waitUntilDone();
+    }
+
+    window.addEventListener("message", e => {
+      if (e.data == "PASS")
+        testRunner.notifyDone();
+      else
+        testRunner.testFailed("'top.location' didn't throw.");
+    });
+    </script>
+</head>
+<body>
+    <iframe src="http://sub1.example.test:8000/security/frameNavigation/resources/iframe-that-performs-different-scheme-same-etld-plus-one-top-navigation-without-user-gesture.html"></iframe>
+</body>
+</html>