fix: check parent-child relationship in canAccessWindow (#19077)

lib/browser/guest-window-manager.js

@@ -156,20 +156,27 @@ const getGuestWindow = function (guestContents) {
   return guestWindow
 }
 
+const isChildWindow = function (sender, target) {
+  return target.getLastWebPreferences().openerId === sender.id
+}
+
+const isRelatedWindow = function (sender, target) {
+  return isChildWindow(sender, target) || isChildWindow(target, sender)
+}
+
+const isScriptableWindow = function (sender, target) {
+  return isRelatedWindow(sender, target) && isSameOrigin(sender.getURL(), target.getURL())
+}
+
+const isNodeIntegrationEnabled = function (sender) {
+  return sender.getLastWebPreferences().nodeIntegration === true
+}
+
 // Checks whether |sender| can access the |target|:
-// 1. Check whether |sender| is the parent of |target|.
-// 2. Check whether |sender| has node integration, if so it is allowed to
-//    do anything it wants.
-// 3. Check whether the origins match.
-//
-// However it allows a child window without node integration but with same
-// origin to do anything it wants, when its opener window has node integration.
-// The W3C does not have anything on this, but from my understanding of the
-// security model of |window.opener|, this should be fine.
 const canAccessWindow = function (sender, target) {
-  return (target.getLastWebPreferences().openerId === sender.id) ||
-         (sender.getLastWebPreferences().nodeIntegration === true) ||
-         isSameOrigin(sender.getURL(), target.getURL())
+  return isChildWindow(sender, target) ||
+         isScriptableWindow(sender, target) ||
+         isNodeIntegrationEnabled(sender)
 }
 
 // Routed window.open messages with raw options