Refactor postMessage for out-of-process iframes.

content/renderer/render_frame_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 
 #include "base/auto_reset.h"
@@ skipping 106 matching lines @@
 #include "third_party/WebKit/public/platform/WebStorageQuotaCallbacks.h"
 #include "third_party/WebKit/public/platform/WebString.h"
 #include "third_party/WebKit/public/platform/WebURL.h"
 #include "third_party/WebKit/public/platform/WebURLError.h"
 #include "third_party/WebKit/public/platform/WebURLResponse.h"
 #include "third_party/WebKit/public/platform/WebVector.h"
 #include "third_party/WebKit/public/web/WebColorSuggestion.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
 #include "third_party/WebKit/public/web/WebFrameWidget.h"
 #include "third_party/WebKit/public/web/WebGlyphCache.h"
+#include "third_party/WebKit/public/web/WebKit.h"
 #include "third_party/WebKit/public/web/WebLocalFrame.h"
 #include "third_party/WebKit/public/web/WebMediaStreamRegistry.h"
 #include "third_party/WebKit/public/web/WebNavigationPolicy.h"
 #include "third_party/WebKit/public/web/WebPlugin.h"
 #include "third_party/WebKit/public/web/WebPluginParams.h"
 #include "third_party/WebKit/public/web/WebPluginPlaceholder.h"
 #include "third_party/WebKit/public/web/WebRange.h"
 #include "third_party/WebKit/public/web/WebScopedUserGesture.h"
 #include "third_party/WebKit/public/web/WebScriptSource.h"
 #include "third_party/WebKit/public/web/WebSearchableFormData.h"
 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"
 #include "third_party/WebKit/public/web/WebSecurityPolicy.h"
+#include "third_party/WebKit/public/web/WebSerializedScriptValue.h"
 #include "third_party/WebKit/public/web/WebSurroundingText.h"
 #include "third_party/WebKit/public/web/WebUserGestureIndicator.h"
 #include "third_party/WebKit/public/web/WebView.h"
 #include "third_party/mojo/src/mojo/edk/js/core.h"
 #include "third_party/mojo/src/mojo/edk/js/support.h"
 
 #if defined(ENABLE_PLUGINS)
 #include "content/renderer/npapi/webplugin_impl.h"
 #include "content/renderer/pepper/pepper_browser_connection.h"
 #include "content/renderer/pepper/pepper_plugin_instance_impl.h"
@@ skipping 28 matching lines @@
 #include "content/renderer/media/media_renderer_service_provider.h"
 #include "media/mojo/services/mojo_renderer_factory.h"
 #else
 #include "media/renderers/default_renderer_factory.h"
 #endif
 
 using blink::WebContextMenuData;
 using blink::WebData;
 using blink::WebDataSource;
 using blink::WebDocument;
+using blink::WebDOMEvent;
+using blink::WebDOMMessageEvent;
 using blink::WebElement;
 using blink::WebExternalPopupMenu;
 using blink::WebExternalPopupMenuClient;
 using blink::WebFrame;
 using blink::WebHistoryItem;
 using blink::WebHTTPBody;
 using blink::WebLocalFrame;
 using blink::WebMediaPlayer;
 using blink::WebMediaPlayerClient;
 using blink::WebNavigationPolicy;
 using blink::WebNavigationType;
 using blink::WebNode;
 using blink::WebPluginParams;
 using blink::WebPopupMenuInfo;
 using blink::WebRange;
 using blink::WebReferrerPolicy;
 using blink::WebScriptSource;
 using blink::WebSearchableFormData;
 using blink::WebSecurityOrigin;
 using blink::WebSecurityPolicy;
+using blink::WebSerializedScriptValue;
 using blink::WebServiceWorkerProvider;
 using blink::WebStorageQuotaCallbacks;
 using blink::WebString;
 using blink::WebURL;
 using blink::WebURLError;
 using blink::WebURLRequest;
 using blink::WebURLResponse;
 using blink::WebUserGestureIndicator;
 using blink::WebVector;
 using blink::WebView;
@@ skipping 804 matching lines @@
     IPC_MESSAGE_HANDLER(FrameMsg_Reload, OnReload)
     IPC_MESSAGE_HANDLER(FrameMsg_TextSurroundingSelectionRequest,
                         OnTextSurroundingSelectionRequest)
     IPC_MESSAGE_HANDLER(FrameMsg_AddStyleSheetByURL,
                         OnAddStyleSheetByURL)
     IPC_MESSAGE_HANDLER(FrameMsg_SetAccessibilityMode,
                         OnSetAccessibilityMode)
     IPC_MESSAGE_HANDLER(FrameMsg_DisownOpener, OnDisownOpener)
     IPC_MESSAGE_HANDLER(FrameMsg_CommitNavigation, OnCommitNavigation)
     IPC_MESSAGE_HANDLER(FrameMsg_DidUpdateSandboxFlags, OnDidUpdateSandboxFlags)
+    IPC_MESSAGE_HANDLER(FrameMsg_PostMessageEvent, OnPostMessageEvent)
 #if defined(OS_ANDROID)
     IPC_MESSAGE_HANDLER(FrameMsg_SelectPopupMenuItems, OnSelectPopupMenuItems)
 #elif defined(OS_MACOSX)
     IPC_MESSAGE_HANDLER(FrameMsg_SelectPopupMenuItem, OnSelectPopupMenuItem)
     IPC_MESSAGE_HANDLER(InputMsg_CopyToFindPboard, OnCopyToFindPboard)
 #endif
   IPC_END_MESSAGE_MAP()
 
   return handled;
 }
@@ skipping 505 matching lines @@
   CHECK(!frame_->parent());
 
   if (frame_->opener())
     frame_->setOpener(NULL);
 }
 
 void RenderFrameImpl::OnDidUpdateSandboxFlags(SandboxFlags flags) {
   frame_->setFrameOwnerSandboxFlags(ContentToWebSandboxFlags(flags));
 }
 
+void RenderFrameImpl::OnPostMessageEvent(
+    const FrameMsg_PostMessage_Params& params) {
+  // Find the source frame if it exists.
+  WebFrame* source_frame = NULL;
+  if (params.source_view_routing_id != MSG_ROUTING_NONE) {
+    // Support a legacy postMessage path for specifying a source RenderView;
+    // this is currently used when sending messages to Android WebView.
+    // TODO(alexmos): This path can be removed once crbug.com/473258 is fixed.
+    RenderViewImpl* source_view =
+        RenderViewImpl::FromRoutingID(params.source_view_routing_id);
+    if (source_view)
+      source_frame = source_view->webview()->mainFrame();
+  } else if (params.source_routing_id != MSG_ROUTING_NONE) {
+    RenderFrameProxy* source_proxy =
+        RenderFrameProxy::FromRoutingID(params.source_routing_id);
+    if (source_proxy) {
+      // Currently, navigating a top-level frame cross-process does not swap
+      // the WebLocalFrame for a WebRemoteFrame in the frame tree, and the
+      // WebRemoteFrame will not have an associated blink::Frame. If this is
+      // the case for |source_proxy|, use the corresponding (swapped-out)
+      // WebLocalFrame instead, so that event.source for this message can be
+      // set and used properly.
+      if (source_proxy->IsMainFrameDetachedFromTree())
+        source_frame = source_proxy->render_view()->webview()->mainFrame();
+      else
+        source_frame = source_proxy->web_frame();
+    }
+  }
+
+  // If the message contained MessagePorts, create the corresponding endpoints.
+  blink::WebMessagePortChannelArray channels =
+      WebMessagePortChannelImpl::CreatePorts(
+          params.message_ports, params.new_routing_ids,
+          base::MessageLoopProxy::current().get());
+
+  WebSerializedScriptValue serialized_script_value;
+  if (params.is_data_raw_string) {
+    v8::HandleScope handle_scope(blink::mainThreadIsolate());
+    v8::Local<v8::Context> context = frame_->mainWorldScriptContext();
+    v8::Context::Scope context_scope(context);
+    V8ValueConverterImpl converter;
+    converter.SetDateAllowed(true);
+    converter.SetRegExpAllowed(true);
+    scoped_ptr<base::Value> value(new base::StringValue(params.data));
+    v8::Handle<v8::Value> result_value = converter.ToV8Value(value.get(),
+                                                             context);
+    serialized_script_value = WebSerializedScriptValue::serialize(result_value);
+  } else {
+    serialized_script_value = WebSerializedScriptValue::fromString(params.data);
+  }
+
+  // Create an event with the message.  The next-to-last parameter to
+  // initMessageEvent is the last event ID, which is not used with postMessage.
+  WebDOMEvent event = frame_->document().createEvent("MessageEvent");
+  WebDOMMessageEvent msg_event = event.to<WebDOMMessageEvent>();
+  msg_event.initMessageEvent("message",
+                             // |canBubble| and |cancellable| are always false
+                             false, false,
+                             serialized_script_value,
+                             params.source_origin, source_frame, "", channels);
+
+  // We must pass in the target_origin to do the security check on this side,
+  // since it may have changed since the original postMessage call was made.
+  WebSecurityOrigin target_origin;
+  if (!params.target_origin.empty()) {
+    target_origin =
+        WebSecurityOrigin::createFromString(WebString(params.target_origin));
+  }
+  frame_->dispatchMessageEventWithOriginCheck(target_origin, msg_event);
+}
+
 #if defined(OS_ANDROID)
 void RenderFrameImpl::OnSelectPopupMenuItems(
     bool canceled,
     const std::vector<int>& selected_indices) {
   // It is possible to receive more than one of these calls if the user presses
   // a select faster than it takes for the show-select-popup IPC message to make
   // it to the browser UI thread. Ignore the extra-messages.
   // TODO(jcivelli): http:/b/5793321 Implement a better fix, as detailed in bug.
   if (!external_popup_menu_)
     return;
@@ skipping 1886 matching lines @@
   return midi_dispatcher_;
 }
 
 bool RenderFrameImpl::willCheckAndDispatchMessageEvent(
     blink::WebLocalFrame* source_frame,
     blink::WebFrame* target_frame,
     blink::WebSecurityOrigin target_origin,
     blink::WebDOMMessageEvent event) {
   DCHECK(!frame_ || frame_ == target_frame);
 
+  // Currently, a postMessage that targets a cross-process frame can be plumbed
+  // either through this function or RenderFrameProxy::postMessageEvent. This
+  // function is used when the target cross-process frame is a top-level frame
+  // which has been swapped out.  In that case, the corresponding WebLocalFrame
+  // currently remains in the frame tree even in site-per-process mode (see
+  // OnSwapOut). RenderFrameProxy::postMessageEvent is used in
+  // --site-per-process mode for all other cases.
+  //
+  // TODO(alexmos, nasko): When swapped-out:// disappears, this should be
+  // cleaned up so that RenderFrameProxy::postMessageEvent is the only path for
+  // cross-process postMessages.
   if (!is_swapped_out_)
     return false;
 
-  ViewMsg_PostMessage_Params params;
-  params.is_data_raw_string = false;
-  params.data = event.data().toString();
-  params.source_origin = event.origin();
-  if (!target_origin.isNull())
-    params.target_origin = target_origin.toString();
-
-  params.message_ports =
-      WebMessagePortChannelImpl::ExtractMessagePortIDs(event.releaseChannels());
-
-  // Include the routing ID for the source frame (if one exists), which the
-  // browser process will translate into the routing ID for the equivalent
-  // frame in the target process.
-  params.source_routing_id = MSG_ROUTING_NONE;
-  if (source_frame) {
-    RenderViewImpl* source_view =
-        RenderViewImpl::FromWebView(source_frame->view());
-    if (source_view)
-      params.source_routing_id = source_view->routing_id();
-  }
-
-  Send(new ViewHostMsg_RouteMessageEvent(render_view_->routing_id_, params));
+  CHECK(render_frame_proxy_);

[alexmos, 2015/04/02 23:17:00]

Am I correct in assuming the proxy_ will always exist if the frame is swapped
out?  There is a window in OnSwapOut between setting is_swapped_out and calling
set_render_frame_proxy, but I’m not sure whether it’s possible for postMessage
to somehow happen in that window.  I could also route through the swapped-out RF
if that’s safer.

[Charlie Reis, 2015/04/06 16:18:55]

I think the only way it could happen is in a beforeunload handler.  (There's a
comment in OnSwapOut that says that the unload handler won't be run a second
time, but beforeunload will.)

I admit that it's nice not to have to process this message in
RenderFrameHostImpl, so sending it via render_frame_proxy_ would be a good
thing.  That said, it's probably worth testing the case of sending a postMessage
in beforeUnload while swapping out.

[alexmos, 2015/04/07 18:44:39]

Just to summarize what we discussed offline.  beforeunload should not be a
problem, because earlier in OnSwapOut, dispatchUnloadEvent() will clear all the
event handlers (as part of blink::Document::dispatchUnloadEvents), so while
NavigateToSwappedOutURL indeed dispatches beforeunload a second time, the event
handlers won't actually run.

However, I discovered a different problem, which is that calling OnStop() in
OnSwapOut can actually trigger onload event handlers to run.  An example is a
parent page which embeds a cross-site subframe, and the parent page has an
onload handler to send a postMessage to the subframe.  That onload handler gets
triggered deep inside OnStop (see stack at http://pastebin.com/gvqFGNRu), so it
needs the render_frame_proxy_ to already be set.  To fix this, I moved
OnSwapOut's call to set_render_frame_proxy() up to be done immediately after
is_swapped_out_ is set to true, and before OnStop.  This should be safe given
render_frame_proxy_'s current usage.  It also seemed safe to set the proxy
unconditionally, rather than for main frames only.

+  render_frame_proxy_->postMessageEvent(
+      source_frame, render_frame_proxy_->web_frame(), target_origin, event);
   return true;
 }
 
 blink::WebString RenderFrameImpl::userAgentOverride(blink::WebLocalFrame* frame,
                                                     const blink::WebURL& url) {
   DCHECK(!frame_ || frame_ == frame);
   std::string user_agent_override_for_url =
       GetContentClient()->renderer()->GetUserAgentOverrideForURL(GURL(url));
   if (!user_agent_override_for_url.empty())
     return WebString::fromUTF8(user_agent_override_for_url);
@@ skipping 1044 matching lines @@
 
 #if defined(ENABLE_BROWSER_CDMS)
 RendererCdmManager* RenderFrameImpl::GetCdmManager() {
   if (!cdm_manager_)
     cdm_manager_ = new RendererCdmManager(this);
   return cdm_manager_;
 }
 #endif  // defined(ENABLE_BROWSER_CDMS)
 
 }  // namespace content