From 0a3ec23967683d402e8c3737ceb78381b1db6e9e Mon Sep 17 00:00:00 2001
From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com>
Date: Thu, 11 Jul 2019 17:57:14 +0900
Subject: [PATCH] fix: check parent-child relationship in canAccessWindow
 (#19117)

---
 lib/browser/guest-window-manager.js | 31 ++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/lib/browser/guest-window-manager.js b/lib/browser/guest-window-manager.js
index 12b6e8c0e1b49..d4e4e42a868f3 100644
--- a/lib/browser/guest-window-manager.js
+++ b/lib/browser/guest-window-manager.js
@@ -156,20 +156,27 @@ const getGuestWindow = function (guestContents) {
   return guestWindow
 }
 
+const isChildWindow = function (sender, target) {
+  return target.getLastWebPreferences().openerId === sender.id
+}
+
+const isRelatedWindow = function (sender, target) {
+  return isChildWindow(sender, target) || isChildWindow(target, sender)
+}
+
+const isScriptableWindow = function (sender, target) {
+  return isRelatedWindow(sender, target) && isSameOrigin(sender.getURL(), target.getURL())
+}
+
+const isNodeIntegrationEnabled = function (sender) {
+  return sender.getLastWebPreferences().nodeIntegration === true
+}
+
 // Checks whether |sender| can access the |target|:
-// 1. Check whether |sender| is the parent of |target|.
-// 2. Check whether |sender| has node integration, if so it is allowed to
-//    do anything it wants.
-// 3. Check whether the origins match.
-//
-// However it allows a child window without node integration but with same
-// origin to do anything it wants, when its opener window has node integration.
-// The W3C does not have anything on this, but from my understanding of the
-// security model of |window.opener|, this should be fine.
 const canAccessWindow = function (sender, target) {
-  return (target.getLastWebPreferences().openerId === sender.id) ||
-         (sender.getLastWebPreferences().nodeIntegration === true) ||
-         isSameOrigin(sender.getURL(), target.getURL())
+  return isChildWindow(sender, target) ||
+         isScriptableWindow(sender, target) ||
+         isNodeIntegrationEnabled(sender)
 }
 
 // Routed window.open messages with raw options