Propagate scrolling/marginwidth/marginheight property values to child frame.

content/browser/frame_host/render_frame_host_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_impl.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/lazy_instance.h"
 #include "base/metrics/histogram.h"
 #include "base/process/kill.h"
 #include "base/time/time.h"
 #include "content/browser/accessibility/accessibility_mode_helper.h"
 #include "content/browser/accessibility/ax_tree_id_registry.h"
 #include "content/browser/accessibility/browser_accessibility_manager.h"
 #include "content/browser/accessibility/browser_accessibility_state_impl.h"
-#include "content/browser/bad_message.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
 #include "content/browser/frame_host/cross_process_frame_connector.h"
 #include "content/browser/frame_host/cross_site_transferring_request.h"
 #include "content/browser/frame_host/frame_mojo_shell.h"
 #include "content/browser/frame_host/frame_tree.h"
 #include "content/browser/frame_host/frame_tree_node.h"
 #include "content/browser/frame_host/navigation_handle_impl.h"
 #include "content/browser/frame_host/navigation_request.h"
 #include "content/browser/frame_host/navigator.h"
@@ skipping 431 matching lines @@
                                     OnRunJavaScriptMessage)
     IPC_MESSAGE_HANDLER_DELAY_REPLY(FrameHostMsg_RunBeforeUnloadConfirm,
                                     OnRunBeforeUnloadConfirm)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidAccessInitialDocument,
                         OnDidAccessInitialDocument)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeOpener, OnDidChangeOpener)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeName, OnDidChangeName)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidAssignPageId, OnDidAssignPageId)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeSandboxFlags,
                         OnDidChangeSandboxFlags)
+    IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeFrameOwnerProperties,
+                        OnDidChangeFrameOwnerProperties)
     IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateTitle, OnUpdateTitle)
     IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateEncoding, OnUpdateEncoding)
     IPC_MESSAGE_HANDLER(FrameHostMsg_BeginNavigation,
                         OnBeginNavigation)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DispatchLoad, OnDispatchLoad)
     IPC_MESSAGE_HANDLER(FrameHostMsg_TextSurroundingSelectionResponse,
                         OnTextSurroundingSelectionResponse)
     IPC_MESSAGE_HANDLER(AccessibilityHostMsg_Events, OnAccessibilityEvents)
     IPC_MESSAGE_HANDLER(AccessibilityHostMsg_LocationChanges,
                         OnAccessibilityLocationChanges)
@@ skipping 150 matching lines @@
 
   DCHECK(GetProcess()->HasConnection());
 
   FrameMsg_NewFrame_Params params;
   params.routing_id = routing_id_;
   params.proxy_routing_id = proxy_routing_id;
   params.opener_routing_id = opener_routing_id;
   params.parent_routing_id = parent_routing_id;
   params.previous_sibling_routing_id = previous_sibling_routing_id;
   params.replication_state = frame_tree_node()->current_replication_state();
+  params.frame_owner_properties = frame_tree_node()->frame_owner_properties();
 
   if (render_widget_host_) {
     params.widget_params.routing_id = render_widget_host_->GetRoutingID();
     params.widget_params.hidden = render_widget_host_->is_hidden();
   } else {
     // MSG_ROUTING_NONE will prevent a new RenderWidget from being created in
     // the renderer process.
     params.widget_params.routing_id = MSG_ROUTING_NONE;
     params.widget_params.hidden = true;
   }
@@ skipping 69 matching lines @@
     logging::LogMessage("CONSOLE", line_no, resolved_level).stream()
         << "\"" << message << "\", source: " << source_id << " (" << line_no
         << ")";
   }
 }
 
 void RenderFrameHostImpl::OnCreateChildFrame(
     int new_routing_id,
     blink::WebTreeScopeType scope,
     const std::string& frame_name,
-    blink::WebSandboxFlags sandbox_flags) {
+    blink::WebSandboxFlags sandbox_flags,
+    const blink::WebFrameOwnerProperties& frame_owner_properties) {
   // It is possible that while a new RenderFrameHost was committed, the
   // RenderFrame corresponding to this host sent an IPC message to create a
   // frame and it is delivered after this host is swapped out.
   // Ignore such messages, as we know this RenderFrameHost is going away.
   if (rfh_state_ != RenderFrameHostImpl::STATE_DEFAULT)
     return;
 
-  RenderFrameHostImpl* new_frame =
-      frame_tree_->AddFrame(frame_tree_node_, GetProcess()->GetID(),
-                            new_routing_id, scope, frame_name, sandbox_flags);
+  RenderFrameHostImpl* new_frame = frame_tree_->AddFrame(
+      frame_tree_node_, GetProcess()->GetID(), new_routing_id, scope,
+      frame_name, sandbox_flags, frame_owner_properties);
   if (!new_frame)
     return;
 
   // We know that the RenderFrame has been created in this case, immediately
   // after the CreateChildFrame IPC was sent.
   new_frame->SetRenderFrameCreated(true);
 }
 
 void RenderFrameHostImpl::OnDetach() {
   frame_tree_->RemoveFrame(frame_tree_node_);
@@ skipping 551 matching lines @@
     frame_tree_node_->render_manager()->CreateProxiesForNewNamedFrame();
   delegate_->DidChangeName(this, name);
 }
 
 void RenderFrameHostImpl::OnDidAssignPageId(int32 page_id) {
   // Update the RVH's current page ID so that future IPCs from the renderer
   // correspond to the new page.
   render_view_host_->page_id_ = page_id;
 }
 
+FrameTreeNode* RenderFrameHostImpl::FindAndVerifyChild(
+    int32 child_frame_routing_id,
+    bad_message::BadMessageReason reason) {
+  FrameTreeNode* child = frame_tree_node()->frame_tree()->FindByRoutingID(
+      GetProcess()->GetID(), child_frame_routing_id);
+  if (child && child->parent() != frame_tree_node()) {
+    bad_message::ReceivedBadMessage(GetProcess(), reason);
+    return nullptr;
+  }
+  return child;

[dcheng, 2015/10/21 21:04:01]

I assume we explicitly allow not finding a child, to prevent a race from killing
the renderer. Would be nice to comment if that's the case.

[lazyboy, 2015/10/23 21:19:35]

Yes, I believe so (this pattern already existed in this file).
Would be nice to comment if that's the case.

Done.

+}
+
 void RenderFrameHostImpl::OnDidChangeSandboxFlags(
     int32 frame_routing_id,
     blink::WebSandboxFlags flags) {
-  FrameTree* frame_tree = frame_tree_node()->frame_tree();
-  FrameTreeNode* child =
-      frame_tree->FindByRoutingID(GetProcess()->GetID(), frame_routing_id);
+  // Ensure that a frame can only update sandbox flags for its immediate
+  // children.  If this is not the case, the renderer is considered malicious
+  // and is killed.
+  FrameTreeNode* child = FindAndVerifyChild(
+      frame_routing_id, bad_message::RFH_SANDBOX_FLAGS);
   if (!child)
     return;
 
-  // Ensure that a frame can only update sandbox flags for its immediate
-  // children.  If this is not the case, the renderer is considered malicious
-  // and is killed.
-  if (child->parent() != frame_tree_node()) {
-    bad_message::ReceivedBadMessage(GetProcess(),
-                                    bad_message::RFH_SANDBOX_FLAGS);
-    return;
-  }
-
   child->set_sandbox_flags(flags);
 
   // Notify the RenderFrame if it lives in a different process from its
   // parent. The frame's proxies in other processes also need to learn about
   // the updated sandbox flags, but these notifications are sent later in
   // RenderFrameHostManager::CommitPendingSandboxFlags(), when the frame
   // navigates and the new sandbox flags take effect.
   RenderFrameHost* child_rfh = child->current_frame_host();
   if (child_rfh->GetSiteInstance() != GetSiteInstance()) {
     child_rfh->Send(
         new FrameMsg_DidUpdateSandboxFlags(child_rfh->GetRoutingID(), flags));
   }
 }
 
+void RenderFrameHostImpl::OnDidChangeFrameOwnerProperties(
+    int32 frame_routing_id,
+    const blink::WebFrameOwnerProperties& frame_owner_properties) {
+  FrameTreeNode* child = FindAndVerifyChild(
+      frame_routing_id, bad_message::RFH_OWNER_PROPERTY);
+  if (!child)
+    return;
+
+  child->set_frame_owner_properties(frame_owner_properties);
+
+  // Notify the RenderFrame if it lives in a different process from its parent.
+  // These properties only affect the RenderFrame and live in its parent
+  // (HTMLFrameOwnerElement). Therefore, we do not need to notify this frame's
+  // proxies.
+  RenderFrameHost* child_rfh = child->current_frame_host();
+  if (child_rfh->GetSiteInstance() != GetSiteInstance()) {
+    child_rfh->Send(new FrameMsg_SetFrameOwnerProperties(
+        child_rfh->GetRoutingID(), frame_owner_properties));
+  }
+}
+
 void RenderFrameHostImpl::OnUpdateTitle(
     const base::string16& title,
     blink::WebTextDirection title_direction) {
   // This message is only sent for top-level frames. TODO(avi): when frame tree
   // mirroring works correctly, add a check here to enforce it.
   if (title.length() > kMaxTitleChars) {
     NOTREACHED() << "Renderer sent too many characters in title.";
     return;
   }
 
@@ skipping 917 matching lines @@
             BrowserPluginInstanceIDToAXTreeID(value)));
         break;
       case AX_CONTENT_INT_ATTRIBUTE_LAST:
         NOTREACHED();
         break;
     }
   }
 }
 
 }  // namespace content