[Backport] CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox

ParisMeuleman · Allan Sandfeld Jensen · commit e11e1e26681b · 2021-06-22T09:16:30.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2917013: Prevent Cross-Origin iframe from navigating top to a different scheme Cross-origin iframes were prevented to navigate top with [1]. Those iframes were allowed to navigate top only to same domain (eTLD+1) following reports of adverse impact. This severely restrains the ability of said iframe to cause nuisance. It does not seem necessary however to loosen the constraint to allow different schemes, especially from https to http. As a result this CL prevents a cross-origin iframe from navigating top to the same eTLD + 1 with a different schemes if there's no user gesture. [1] WICG/interventions#16 Bug: 1151507 Fixed: 1151507 (cherry picked from commit 1baf9eba07b806f86a6e60851428c7ab318da093) Change-Id: Ia1568175c044831594154ceea3e3aacb4e2efb2c Commit-Queue: Nate Chapin <japhet@chromium.org> Auto-Submit: Pâris Meuleman <pmeuleman@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#863936} Reviewed-by: Victor-Gabriel Savu <vsavu@google.com> Commit-Queue: Jana Grill <janagrill@google.com> Owners-Override: Jana Grill <janagrill@google.com> Cr-Commit-Position: refs/branch-heads/4240@{#1649} Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/core/frame/local_frame.cc b/chromium/third_party/blink/renderer/core/frame/local_frame.cc
@@ -1612,7 +1612,9 @@ bool LocalFrame::CanNavigate(const Frame& target_frame,
     String destination_domain = network_utils::GetDomainAndRegistry(
         destination_url.Host(), network_utils::kIncludePrivateRegistries);
     if (!target_domain.IsEmpty() && !destination_domain.IsEmpty() &&
-        target_domain == destination_domain) {
+        target_domain == destination_domain &&
+        target_frame.GetSecurityContext()->GetSecurityOrigin()->Protocol() ==
+            destination_url.Protocol()) {
       return true;
     }
     if (auto* settings_client = Client()->GetContentSettingsClient()) {
