Make cc::SurfaceId unguessable

components/mus/public/interfaces/surface_id.mojom

Index: components/mus/public/interfaces/surface_id.mojom
diff --git a/components/mus/public/interfaces/surface_id.mojom b/components/mus/public/interfaces/surface_id.mojom
index 7d6f657fb0fab8306b06e9a3914d3b5b35d08411..6142365c0bfad4512e25f7b65bf900cad604984d 100644
--- a/components/mus/public/interfaces/surface_id.mojom
+++ b/components/mus/public/interfaces/surface_id.mojom
@@ -4,10 +4,10 @@
 
 module mus.mojom;
 
-// A surface ID is composed of two parts, a local part and a namespace. The
-// local part is allocated by the client using any scheme that avoids
-// duplicates. The namespace is allocated by the service and will be different
-// for each client (aka each connection to mojo.Surface).
+// A surface ID is composed of three parts: a namespace, a local ID, and a
+// nonce. The local part and nonce are allocated by the client using any scheme
+// that avoids duplicates and makes IDs unguessable respectively. The namespace
+// is allocated by the service and will be different for each client.
 //
 // The special id_namespace value 0 is equivalent to the namespace of the
 // client. This can be used to create, destroy and submit frames to
@@ -15,6 +15,14 @@ module mus.mojom;
 // owned by the same client. The actual id namespace must be used to pass
 // surface ids to other clients for them to reference.
 struct SurfaceId {
-  uint32 local;
+  // A service allocated ID identifying a client.
   uint32 id_namespace;
+
+  // An identifier allocated by the client uniquely identifying a surface within
+  // a client process.
+  uint32 local_id;
+
+  // A cryptographically secure random int chosen to make the SurfaceId
+  // unguessable by other clients.
+  uint64 nonce;
 };