github web-platform-tests/wpt merge_pr_46638

15 months ago

Fenced frame: fix parseFromString() crash in sandboxed iframes.

If parseFromString() is called inside a sandboxed iframe's DOMParser on
an HTML string that contains a element, a fenced frame
will be created behind, including running the sandbox flags check. That
will fail, and upon logging, it will attempt to check if a frame is the
main frame, which requires getting the document's frame. Since the
fenced frame isn't attached to any DOMWindow at this point, the frame
will be null.

The existing code dereferences the frame without checking its nullness,
causing a crash. The fix switches that call to
Document::IsInMainFrame(), which includes a nullness check on the
frame. This CL also adds a minimal reproduction case as a test.

Bug: 40277893
Bug: 344029039
Change-Id: I53ca200b405a3f60ba4f64962ddc1b19950824a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5601581
Commit-Queue: Liam Brady <lbrady@google.com>
Reviewed-by: Garrett Tanzer <gtanzer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1310781}
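The crash path in the commit message is reachable from plain web content, so a minimal reproduction in the style of a WPT testharness.js test is the check a practitioner wants. The block below is an added example, not the test this CL adds and not any other project code. It assumes that the element name stripped from the commit text above is `<fencedframe>`, that `sandbox="allow-scripts"` lets the probe script run while still failing the fenced frame's sandbox flags check (which is what drives the logging path that dereferenced the null frame), and that a renderer crash shows up as the sandboxed frame never posting its result. Helper names are invented here.

```javascript
// Added example (not the project's own test): minimal reproduction of the
// DOMParser crash described in the commit. Assumptions: the element is
// <fencedframe>; sandbox="allow-scripts" runs the probe but still fails the
// fenced frame sandbox flags check; a crash manifests as a missing result.

// Markup handed to DOMParser inside the sandboxed document (assumed element name).
const FENCED_FRAME_MARKUP = '<fencedframe></fencedframe>';

// Build the srcdoc for the sandboxed iframe. The inline script creates a
// DOMParser in the sandboxed document, parses `markup`, and reports back to
// the parent via postMessage. Pre-fix, the parse crashed the renderer, so the
// message never arrived; post-fix, the parent receives { ok: true, count: 1 }.
function buildSandboxedSrcdoc(markup) {
  // JSON.stringify yields a valid JS string literal; escaping "</" keeps a
  // markup string such as "</script>" from terminating the inline script.
  const literal = JSON.stringify(markup).replace(/<\//g, '<\\/');
  return [
    '<!DOCTYPE html>',
    '<script>',
    '  let result;',
    '  try {',
    '    const doc = new DOMParser().parseFromString(' + literal + ', "text/html");',
    '    result = { ok: true, count: doc.body.childElementCount };',
    '  } catch (e) {',
    '    result = { ok: false, error: String(e) };',
    '  }',
    '  parent.postMessage(result, "*");',
    '</script>',
  ].join('\n');
}

// Attach a sandboxed iframe, run the probe inside it, and resolve with the
// posted result. Rejects if nothing comes back within `timeoutMs`, which is
// how a renderer crash in the sandboxed frame surfaces to the test.
function runReproduction(markup, timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    const iframe = document.createElement('iframe');
    iframe.setAttribute('sandbox', 'allow-scripts');
    iframe.srcdoc = buildSandboxedSrcdoc(markup);
    const timer = setTimeout(() => {
      reject(new Error('no result from sandboxed frame (renderer crash?)'));
    }, timeoutMs);
    window.addEventListener('message', function onMessage(e) {
      if (e.source !== iframe.contentWindow) return;
      window.removeEventListener('message', onMessage);
      clearTimeout(timer);
      resolve(e.data);
    });
    document.body.appendChild(iframe);
  });
}

// WPT glue: only runs when loaded under testharness.js in a browser.
if (typeof promise_test === 'function') {
  promise_test(async () => {
    const result = await runReproduction(FENCED_FRAME_MARKUP);
    assert_true(result.ok, result.error);
    assert_equals(result.count, 1, 'one parsed element under <body>');
  }, 'parseFromString() of a fenced frame element inside a sandboxed iframe does not crash');
}
```

Load this as the body of an HTML test page after testharness.js and testharnessreport.js. The probe runs in the sandboxed frame rather than the top-level page because the commit's null-frame dereference depends on the DOMParser belonging to a sandboxed document; a crash on the old code base shows up as the promise timing out rather than as a thrown exception.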
