Don't skip security checks for javascript: URLs when the JS stack is empty.
Before this patch, HTMLFrameElementBase::isURLAllowed would skip the security
check if there were no JavaScript frames on the stack. This could lead to UXSS
bugs if an attacker managed to trick the parser into attaching a frame element
with a cross-origin document and the src attribute set to a javascript: URL.
After this patch, the security context of the frame's containing document
is used to verify if the URL is allowed. Nothing else (expect for some other
same-origin context) could've set the src attribute, so we assume it's the most
logical choice in the absence of the current JavaScript context.
BUG=117226
Review-Url: https://codereview.chromium.org/2502783004
Cr-Commit-Position: refs/heads/master@{#436449}
3 files changed
