[Backport] CVE-2018-16077

Prevent sandboxed documents from reusing the default window

Bug: 377995
Change-Id: I5350c62072b46544331e40361b9d606d9e533ce3
Reviewed-on: https://chromium-review.googlesource.com/983558
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

1 files changed, 6 insertions, 0 deletions

diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
index c562bdfbc79..4da2f742a1e 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -446,6 +446,12 @@ class CORE_EXPORT ContentSecurityPolicy
   // Returns the 'wasm-eval' source is supported.
   bool SupportsWasmEval() const { return supports_wasm_eval_; }
 
+  // Retrieves the parsed sandbox flags. A lot of the time the execution
+  // context will be used for all sandbox checks but there are situations
+  // (before installing the document that this CSP will bind to) when
+  // there is no execution context to enforce the sandbox flags.
+  SandboxFlags GetSandboxMask() const { return sandbox_mask_; }
+
  private:
   FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline);
   FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy);