[OutOfBlinkSandbox] Add the MHTML case.
Replicate the logic about MHTML documents from:
DocumentLoader::CalculateSandboxFlags()
into:
NavigationRequest::ComputeSandboxFlags()
This allows the removal of an exception in
RenderFrameHostImpl::CheckSandboxFlags.
Bug: 1082118
Change-Id: I1c7492c56c7c9f01f86aaf39d860ada4c2f9b4cb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2452475
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Ćukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#820207}
diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc
index 5e664e9a..6bf9a49 100644
--- a/content/browser/renderer_host/navigation_request.cc
+++ b/content/browser/renderer_host/navigation_request.cc
@@ -5044,8 +5044,16 @@
}
}
- // TODO(arthursonzogni): Add the MHTML sandbox flags here. This should
- // replicate DocumentLoader::CalculateSandboxFlags.
+ // The URL of a document loaded from a MHTML archive is controlled by the
+ // Content-Location header. This can be set to an arbitrary URL. This is
+ // potentially dangerous. For this reason we force the document to be
+ // sandboxed, providing exceptions only for creating new windows. This
+ // includes disallowing javascript and using an opaque origin.
+ if (IsLoadedFromMhtmlArchive()) {
+ *sandbox_flags_to_commit_ |= ~network::mojom::WebSandboxFlags::kPopups &
+ ~network::mojom::WebSandboxFlags::
+ kPropagatesToAuxiliaryBrowsingContexts;
+ }
}
void NavigationRequest::CheckStateTransition(NavigationState state) const {
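Review bot: The new block at the end of ComputeSandboxFlags now has to stay bit-for-bit identical to the renderer-side DocumentLoader::CalculateSandboxFlags, because the second hunk removes the `is_mhtml_document_` early return from RenderFrameHostImpl::CheckSandboxFlags and that check will presumably fail closed on any divergence; nothing in the added comment records that coupling. I would add a line such as `// Keep in sync with DocumentLoader::CalculateSandboxFlags(); RenderFrameHostImpl::CheckSandboxFlags() compares the two without an MHTML exemption.` and, if not already present, a browser test asserting the committed flags for an MHTML-loaded frame so a future edit to either side is caught. The comment's "potentially dangerous" could also say what the risk is: Content-Location is archive-controlled, so without the forced opaque origin and script restriction an archive could have its document treated as another site's origin. The expression `~kPopups & ~kPropagatesToAuxiliaryBrowsingContexts` depends on the enum's `operator~` producing "every other flag"; spelling it `kAll & ~kPopups & ~kPropagatesToAuxiliaryBrowsingContexts` (if `kAll` exists for this enum) would make the intent explicit, and it is worth noting in the comment that `|=` only adds flags, so a kPopups bit already imposed by the frame or CSP sandbox is deliberately left set. The enclosing ComputeSandboxFlags body starts before this hunk.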
diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
index 9744644..fb8313f 100644
--- a/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/content/browser/renderer_host/render_frame_host_impl.cc
@@ -9657,9 +9657,6 @@
}
void RenderFrameHostImpl::CheckSandboxFlags() {
- if (is_mhtml_document_)
- return;
-
if (!active_sandbox_flags_control_)
return;