authorCharlie Hu <chenleihu@google.com>2020-05-11 17:05:21 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-07-22 15:18:15 +0000
commit5748e38c2f2085cb07663e3d2102ee101d206a46 (patch)
treeaecf5d2a42d40f49460f3fdad94fd18314e09a4f
parent1c142fada62e576b89a2630e166943fb212a945f (diff)
downloadqtwebengine-chromium-5748e38c2f2085cb07663e3d2102ee101d206a46.tar.gz
[Backport] CVE-2020-6526: Inappropriate implementation in iframe sandbox
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2181318: Fix uninitialized frame policy issue in javascript url This CL follows up the previous CL that fixed the timing bug on frame policy (https://chromium-review.googlesource.com/c/chromium/src/+/1852905). There was an uncovered code path for subframe navigation where the frame policy was not initialized. Bug: 1074340 Change-Id: I3840cd5a4f8b18f0976b164e5c768ad56eb6e492 Reviewed-by: Philip Jägenstedt <foolip@chromium.org> Commit-Queue: Charlie Hu <chenleihu@google.com> Cr-Commit-Position: refs/heads/master@{#767358} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc2
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc b/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc
index 363375fe315..6311d5262d9 100644
--- a/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc
+++ b/chromium/third_party/blink/renderer/bindings/core/v8/script_controller.cc
@@ -297,6 +297,8 @@ void ScriptController::ExecuteJavaScriptURL(
WebFeature::kReplaceDocumentViaJavaScriptURL);
auto params = std::make_unique<WebNavigationParams>();
params->url = GetFrame()->GetDocument()->Url();
+ if (auto* owner = GetFrame()->Owner())
+ params->frame_policy = owner->GetFramePolicy();
String result = ToCoreString(v8::Local<v8::String>::Cast(v8_result));
WebNavigationParams::FillStaticResponse(params.get(), "text/html", "UTF-8",