From 7c22fc00cffb348e82627ee4bccd99203cd6dea8 Mon Sep 17 00:00:00 2001 From: jww Date: Fri, 1 Apr 2016 12:44:02 -0700 Subject: [PATCH] Disable local storage from Suborigins Per the draft suborigin spec (https://w3c.github.io/webappsec-suborigins/), stateful storage mechanisms, including localStorage and sessionStorage, should not be accessible from a Suborigin. This CL disables DOM access to localStorage and sessionStorage on the window object. BUG=336894 R=mkwst@chromium.org Review URL: https://codereview.chromium.org/1844713002 Cr-Commit-Position: refs/heads/master@{#384663} --- .../suborigin-storage-dom-access.php | 28 +++++++++++++++++++ .../platform/weborigin/SecurityOrigin.h | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-storage-dom-access.php diff --git a/third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-storage-dom-access.php b/third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-storage-dom-access.php new file mode 100644 index 0000000000000..a373506f177da --- /dev/null +++ b/third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-storage-dom-access.php @@ -0,0 +1,28 @@ + + + + +Verifies that localStorage and sessionStorage are not accessible from within a suborigin + + + + + + + diff --git a/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.h b/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.h index fb08499b150b1..6b068837ec647 100644 --- a/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.h +++ b/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.h 
@@ -170,7 +170,7 @@ class PLATFORM_EXPORT SecurityOrigin : public RefCounted {
 bool isGrantedUniversalAccess() const { return m_universalAccess; }
 bool canAccessDatabase() const { return !isUnique(); }
- bool canAccessLocalStorage() const { return !isUnique(); }
+ bool canAccessLocalStorage() const { return !isUnique() && !hasSuborigin(); }
 bool canAccessSharedWorkers() const { return !isUnique(); }
 bool canAccessServiceWorkers() const { return !isUnique() && !hasSuborigin(); }
 bool canAccessCookies() const { return !isUnique(); }
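Review bot: `canAccessDatabase()` and `canAccessCookies()`, visible as context in this hunk, still return `!isUnique()` alone. As far as these predicates show, a suborigin loses localStorage but keeps the other stateful stores that the description says the draft spec excludes. If those are restricted elsewhere or deferred to a later CL, record that next to the predicates so the gap is not read as intentional policy. The changed line also carries no explanation, and judging by the description it appears to gate sessionStorage as well, which the name does not suggest. I would add above it `// Suborigins get no stateful DOM storage: denies localStorage and (per the CL description) sessionStorage; database and cookie access are not restricted here.` The class body continues outside the hunk, so any gating done by callers is not visible from here.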