b20beeee90777c7a7cf3ed05fd1946938175a8a1 - chromium/src

commit	b20beeee90777c7a7cf3ed05fd1946938175a8a1	[log] [tgz]
author	mkwst <mkwst@chromium.org>	Tue Jul 19 12:47:32 2016
committer	Commit bot <commit-bot@chromium.org>	Tue Jul 19 12:50:13 2016
tree	92a4561dcd7f504b21f44ddf8658f93457c75b6c
parent	804a6ba854e3c7cbe182177ad45988b02f832a9c [diff]

Prevent 'javascript:' URL execution in sandboxed frame.

[1] notes that Chrome is violating step 1 of [2] by allowing
`<iframe sandbox=allow-scripts src="javascript:alert(1)">` to execute
JavaScript in an origin distinct from its parent (due to sandboxing).
This patch closes that gap with Firefox.

[1]: https://github.com/w3c/webappsec-secure-contexts/issues/26#issuecomment-214801969
[2]: https://html.spec.whatwg.org/multipage/browsers.html#javascript-protocol

BUG=629083
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2154213003
Cr-Commit-Position: refs/heads/master@{#406255}

third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html[Added - diff]
third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp[diff]

2 files changed