| Index: content/browser/renderer_host/render_widget_host_impl.cc
|
| diff --git a/content/browser/renderer_host/render_widget_host_impl.cc b/content/browser/renderer_host/render_widget_host_impl.cc
|
| index 2335a60fa9e27504129300f8935b3a8e6eef7961..fb3e2e9aafef5fec74378af68104422349175979 100644
|
| --- a/content/browser/renderer_host/render_widget_host_impl.cc
|
| +++ b/content/browser/renderer_host/render_widget_host_impl.cc
|
| @@ -33,6 +33,7 @@
|
| #include "content/browser/accessibility/browser_accessibility_state_impl.h"
|
| #include "content/browser/bad_message.h"
|
| #include "content/browser/browser_plugin/browser_plugin_guest.h"
|
| +#include "content/browser/child_process_security_policy_impl.h"
|
| #include "content/browser/gpu/compositor_util.h"
|
| #include "content/browser/renderer_host/dip_util.h"
|
| #include "content/browser/renderer_host/frame_metadata_util.h"
|
| @@ -44,6 +45,8 @@
|
| #include "content/browser/renderer_host/input/timeout_monitor.h"
|
| #include "content/browser/renderer_host/input/touch_emulator.h"
|
| #include "content/browser/renderer_host/render_process_host_impl.h"
|
| +#include "content/browser/renderer_host/render_view_host_delegate.h"
|
| +#include "content/browser/renderer_host/render_view_host_delegate_view.h"
|
| #include "content/browser/renderer_host/render_view_host_impl.h"
|
| #include "content/browser/renderer_host/render_widget_helper.h"
|
| #include "content/browser/renderer_host/render_widget_host_input_event_router.h"
|
| @@ -53,12 +56,14 @@
|
| #include "content/common/content_constants_internal.h"
|
| #include "content/common/content_switches_internal.h"
|
| #include "content/common/cursors/webcursor.h"
|
| +#include "content/common/drag_messages.h"
|
| #include "content/common/frame_messages.h"
|
| #include "content/common/host_shared_bitmap_manager.h"
|
| #include "content/common/input_messages.h"
|
| #include "content/common/resize_params.h"
|
| #include "content/common/text_input_state.h"
|
| #include "content/common/view_messages.h"
|
| +#include "content/public/browser/browser_context.h"
|
| #include "content/public/browser/native_web_keyboard_event.h"
|
| #include "content/public/browser/notification_service.h"
|
| #include "content/public/browser/notification_types.h"
|
| @@ -80,6 +85,7 @@
|
| #include "ui/gfx/color_space.h"
|
| #include "ui/gfx/geometry/size_conversions.h"
|
| #include "ui/gfx/geometry/vector2d_conversions.h"
|
| +#include "ui/gfx/image/image_skia.h"
|
| #include "ui/gfx/skbitmap_operations.h"
|
| #include "ui/snapshot/snapshot.h"
|
|
|
| @@ -496,6 +502,7 @@ bool RenderWidgetHostImpl::OnMessageReceived(const IPC::Message &msg) {
|
| IPC_MESSAGE_HANDLER(ViewHostMsg_ForwardCompositorProto,
|
| OnForwardCompositorProto)
|
| IPC_MESSAGE_HANDLER(ViewHostMsg_SetNeedsBeginFrames, OnSetNeedsBeginFrames)
|
| + IPC_MESSAGE_HANDLER(DragHostMsg_StartDragging, OnStartDragging)
|
| IPC_MESSAGE_UNHANDLED(handled = false)
|
| IPC_END_MESSAGE_MAP()
|
|
|
| @@ -1350,6 +1357,64 @@ void RenderWidgetHostImpl::OnSetNeedsBeginFrames(bool needs_begin_frames) {
|
| view_->SetNeedsBeginFrames(needs_begin_frames);
|
| }
|
|
|
| +void RenderWidgetHostImpl::OnStartDragging(
|
| + const DropData& drop_data,
|
| + blink::WebDragOperationsMask drag_operations_mask,
|
| + const SkBitmap& bitmap,
|
| + const gfx::Vector2d& bitmap_offset_in_dip,
|
| + const DragEventSourceInfo& event_info) {
|
| + RenderViewHost* rvh = RenderViewHost::From(this);
|
| + if (!rvh)
|
| + return;
|
| +
|
| + RenderViewHostDelegateView* view = delegate_->GetDelegateView();
|
| + if (!view) {
|
| + // Need to clear drag and drop state in blink.
|
| + rvh->DragSourceSystemDragEnded();
|
| + return;
|
| + }
|
| +
|
| + DropData filtered_data(drop_data);
|
| + RenderProcessHost* process = GetProcess();
|
| + ChildProcessSecurityPolicyImpl* policy =
|
| + ChildProcessSecurityPolicyImpl::GetInstance();
|
| +
|
| + // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.
|
| + if (!filtered_data.url.SchemeIs(url::kJavaScriptScheme))
|
| + process->FilterURL(true, &filtered_data.url);
|
| + process->FilterURL(false, &filtered_data.html_base_url);
|
| + // Filter out any paths that the renderer didn't have access to. This prevents
|
| + // the following attack on a malicious renderer:
|
| + // 1. StartDragging IPC sent with renderer-specified filesystem paths that it
|
| + // doesn't have read permissions for.
|
| + // 2. We initiate a native DnD operation.
|
| + // 3. DnD operation immediately ends since mouse is not held down. DnD events
|
| + // still fire though, which causes read permissions to be granted to the
|
| + // renderer for any file paths in the drop.
|
| + filtered_data.filenames.clear();
|
| + for (const auto& file_info : drop_data.filenames) {
|
| + if (policy->CanReadFile(GetProcess()->GetID(), file_info.path))
|
| + filtered_data.filenames.push_back(file_info);
|
| + }
|
| +
|
| + storage::FileSystemContext* file_system_context =
|
| + BrowserContext::GetStoragePartition(GetProcess()->GetBrowserContext(),
|
| + rvh->GetSiteInstance())
|
| + ->GetFileSystemContext();
|
| + filtered_data.file_system_files.clear();
|
| + for (size_t i = 0; i < drop_data.file_system_files.size(); ++i) {
|
| + storage::FileSystemURL file_system_url =
|
| + file_system_context->CrackURL(drop_data.file_system_files[i].url);
|
| + if (policy->CanReadFileSystemFile(GetProcess()->GetID(), file_system_url))
|
| + filtered_data.file_system_files.push_back(drop_data.file_system_files[i]);
|
| + }
|
| +
|
| + float scale = GetScaleFactorForView(GetView());
|
| + gfx::ImageSkia image(gfx::ImageSkiaRep(bitmap, scale));
|
| + view->StartDragging(filtered_data, drag_operations_mask, image,
|
| + bitmap_offset_in_dip, event_info);
|
| +}
|
| +
|
| void RenderWidgetHostImpl::RendererExited(base::TerminationStatus status,
|
| int exit_code) {
|
| if (!renderer_initialized_)
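Review bot: `DropData filtered_data(drop_data);` starts from a full copy of the renderer-supplied struct and then scrubs only `url`, `html_base_url`, `filenames` and `file_system_files`. Every other field reaches `view->StartDragging()` exactly as the renderer sent it, and any path- or URL-bearing field added to DropData later would pass through by default. Prefer building `filtered_data` from an empty DropData and copying over only vetted fields, or at minimum put a comment above the copy such as `// Every DropData field that can name a file or URL must be filtered below; re-audit when DropData changes.` Separately, `delegate_` is dereferenced and `GetView()` is passed to `GetScaleFactorForView()` without a null check; if either can be null while this IPC is in flight (not visible in this hunk), check `delegate_` before use and widen the existing guard to `if (!view || !GetView()) {`. The `!rvh` early return also skips the drag-ended notification that the `!view` path sends, so a comment there should say why leaving the renderer's drag state untouched is acceptable.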
|
|
|