Prevent drag-and-drop events from firing over cross-site, same-page frames.

content/browser/web_contents/web_contents_view_aura.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/web_contents_view_aura.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include "base/auto_reset.h"
@@ skipping 498 matching lines @@
 ////////////////////////////////////////////////////////////////////////////////
 // WebContentsViewAura, public:
 
 WebContentsViewAura::WebContentsViewAura(WebContentsImpl* web_contents,
                                          WebContentsViewDelegate* delegate)
     : web_contents_(web_contents),
       delegate_(delegate),
       current_drag_op_(blink::WebDragOperationNone),
       drag_dest_delegate_(nullptr),
       current_rvh_for_drag_(nullptr),
+      drag_source_rph_(nullptr),
+      drag_source_rvh_(nullptr),
       current_overscroll_gesture_(OVERSCROLL_NONE),
       completed_overscroll_gesture_(OVERSCROLL_NONE),
       navigation_overlay_(nullptr),
       init_rwhv_with_null_parent_for_testing_(false) {}
 
 void WebContentsViewAura::SetDelegateForTesting(
     WebContentsViewDelegate* delegate) {
   delegate_.reset(delegate);
 }
 
@@ skipping 27 matching lines @@
     return;
 
   aura::Window* window = GetContentNativeView();
   gfx::Point screen_loc = display::Screen::GetScreen()->GetCursorScreenPoint();
   gfx::Point client_loc = screen_loc;
   aura::client::ScreenPositionClient* screen_position_client =
       aura::client::GetScreenPositionClient(window->GetRootWindow());
   if (screen_position_client)
     screen_position_client->ConvertPointFromScreen(window, &client_loc);
 
-  // TODO(paulmeyer): In the OOPIF case, should |client_loc| be converted to
-  // the coordinates local to |drag_start_rwh_|? See crbug.com/647249.
+  // TODO(paulmeyer): In the OOPIF case, should |client_loc| be converted to the
+  // coordinates local to |source_rwh|? See crbug.com/647249.
   web_contents_->DragSourceEndedAt(client_loc.x(), client_loc.y(),
                                    screen_loc.x(), screen_loc.y(), ops,
                                    source_rwh);
 
   web_contents_->SystemDragEnded(source_rwh);
 }
 
 void WebContentsViewAura::InstallOverscrollControllerDelegate(
     RenderWidgetHostViewAura* view) {
   const std::string value = base::CommandLine::ForCurrentProcess()->
@@ skipping 322 matching lines @@
   }
 
   // Grab a weak pointer to the RenderWidgetHost, since it can be destroyed
   // during the drag and drop nested message loop in StartDragAndDrop.
   // For example, the RenderWidgetHost can be deleted if a cross-process
   // transfer happens while dragging, since the RenderWidgetHost is deleted in
   // that case.
   base::WeakPtr<RenderWidgetHostImpl> source_rwh_weak_ptr =
       source_rwh->GetWeakPtr();
 
+  drag_source_rph_ = source_rwh->GetProcess();

[lfg, 2016/12/12 20:34:21]

Would it be possible that a RenderProcessHost is destroyed and a new
RenderProcessHost is recreated at the same memory address as the previous one?
Shouldn't we be storing the RenderProcessHost IDs instead?

[Charlie Reis, 2016/12/12 20:57:02]

Yes, I'm concerned about the void* pointers as well, here and the one added long
ago in https://chromiumcodereview.appspot.com/10388105/ (just above this in the
.h file).  Storing the process ID and RVH routing ID would seem safer to me.

[paulmeyer, 2016/12/13 20:57:30]

Done.

[paulmeyer, 2016/12/13 20:57:30]

Done.

+  drag_source_rvh_ = web_contents_->GetRenderViewHost();
+
   ui::TouchSelectionController* selection_controller = GetSelectionController();
   if (selection_controller)
     selection_controller->HideAndDisallowShowingAutomatically();
   std::unique_ptr<ui::OSExchangeData::Provider> provider =
       ui::OSExchangeDataProviderFactory::CreateProvider();
   PrepareDragData(drop_data, provider.get(), web_contents_);
 
   ui::OSExchangeData data(
       std::move(provider));  // takes ownership of |provider|.
 
@@ skipping 203 matching lines @@
   web_contents_->GetDelegate()->ContentsMouseEvent(
       web_contents_, display::Screen::GetScreen()->GetCursorScreenPoint(),
       type == ui::ET_MOUSE_MOVED, type == ui::ET_MOUSE_EXITED);
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 // WebContentsViewAura, aura::client::DragDropDelegate implementation:
 
 void WebContentsViewAura::OnDragEntered(const ui::DropTargetEvent& event) {
   gfx::Point transformed_pt;
-  current_rwh_for_drag_ =
+  RenderWidgetHostImpl* target_rwh =
       web_contents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
           web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
-          event.location(), &transformed_pt)->GetWeakPtr();
+          event.location(), &transformed_pt);
+
+  if (drag_source_rvh_ == web_contents_->GetRenderViewHost() &&

[lfg, 2016/12/12 20:34:21]

I don't understand this check. This would only be false if the
WebContentsViewAura that we called OnDragEntered is different than the
WebContentsViewAura that we called StartDragging. In that case, won't
drag_source_rvh_ be null?

Is it possible to fail this check while drag_source_rvh_ != null?

[paulmeyer, 2016/12/13 20:57:30]

Per offline discussion, I will continue checking the RVH, but will store it as
(process ID, routing ID) pair instead of a pointer.

+      drag_source_rph_ != target_rwh->GetProcess()) {
+    return;
+  }
+
+  current_rwh_for_drag_ = target_rwh->GetWeakPtr();
   current_rvh_for_drag_ = web_contents_->GetRenderViewHost();
-
   current_drop_data_.reset(new DropData());
   PrepareDropData(current_drop_data_.get(), event.data());
   current_rwh_for_drag_->FilterDropData(current_drop_data_.get());
 
   blink::WebDragOperationsMask op = ConvertToWeb(event.source_operations());
 
   // Give the delegate an opportunity to cancel the drag.
   if (web_contents_->GetDelegate() &&
       !web_contents_->GetDelegate()->CanDragEnter(
           web_contents_, *current_drop_data_.get(), op)) {
@@ skipping 15 matching lines @@
   }
 }
 
 int WebContentsViewAura::OnDragUpdated(const ui::DropTargetEvent& event) {
   gfx::Point transformed_pt;
   RenderWidgetHostImpl* target_rwh =
       web_contents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
           web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
           event.location(), &transformed_pt);
 
+  if (drag_source_rvh_ == web_contents_->GetRenderViewHost() &&
+      drag_source_rph_ != target_rwh->GetProcess()) {
+    return ui::DragDropTypes::DRAG_NONE;
+  }
+
   if (target_rwh != current_rwh_for_drag_.get()) {
     if (current_rwh_for_drag_)
       current_rwh_for_drag_->DragTargetDragLeave();
     OnDragEntered(event);
   }
 
   if (!current_drop_data_)
     return ui::DragDropTypes::DRAG_NONE;
 
   blink::WebDragOperationsMask op = ConvertToWeb(event.source_operations());
@@ skipping 25 matching lines @@
   current_drop_data_.reset();
 }
 
 int WebContentsViewAura::OnPerformDrop(const ui::DropTargetEvent& event) {
   gfx::Point transformed_pt;
   RenderWidgetHostImpl* target_rwh =
       web_contents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
           web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
           event.location(), &transformed_pt);
 
+  if (drag_source_rvh_ == web_contents_->GetRenderViewHost() &&
+      drag_source_rph_ != target_rwh->GetProcess()) {
+    return ui::DragDropTypes::DRAG_NONE;
+  }
+
   if (target_rwh != current_rwh_for_drag_.get()) {
     if (current_rwh_for_drag_)
       current_rwh_for_drag_->DragTargetDragLeave();
     OnDragEntered(event);
   }
 
   if (!current_drop_data_)
     return ui::DragDropTypes::DRAG_NONE;
 
   target_rwh->DragTargetDrop(
@@ skipping 26 matching lines @@
                                         bool allow_multiple_selection) {
   NOTIMPLEMENTED() << " show " << items.size() << " menu items";
 }
 
 void WebContentsViewAura::HidePopupMenu() {
   NOTIMPLEMENTED();
 }
 #endif
 
 }  // namespace content