Prevent drag-and-drop events from firing over cross-site, same-page frames.

content/browser/web_contents/web_contents_view_aura.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/web_contents_view_aura.h"
 
 #include <stddef.h>
 #include <stdint.h>
+#include <utility>

[Charlie Reis, 2016/12/14 18:06:50]

Might not need this if we use GlobalRoutingID.

 
 #include "base/auto_reset.h"
 #include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/macros.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
 #include "content/browser/browser_plugin/browser_plugin_guest.h"
 #include "content/browser/download/drag_download_util.h"
 #include "content/browser/frame_host/interstitial_page_impl.h"
@@ skipping 374 matching lines @@
     web_input_event_modifiers |= blink::WebInputEvent::MetaKey;
   if (aura_event_flags & ui::EF_LEFT_MOUSE_BUTTON)
     web_input_event_modifiers |= blink::WebInputEvent::LeftButtonDown;
   if (aura_event_flags & ui::EF_MIDDLE_MOUSE_BUTTON)
     web_input_event_modifiers |= blink::WebInputEvent::MiddleButtonDown;
   if (aura_event_flags & ui::EF_RIGHT_MOUSE_BUTTON)
     web_input_event_modifiers |= blink::WebInputEvent::RightButtonDown;
   return web_input_event_modifiers;
 }
 
+std::pair<int, int> GetRenderViewHostID(RenderViewHost* rvh) {
+  return std::make_pair(rvh->GetProcess()->GetID(), rvh->GetRoutingID());
+}
+
 }  // namespace
 
 class WebContentsViewAura::WindowObserver
     : public aura::WindowObserver, public aura::WindowTreeHostObserver {
  public:
   explicit WindowObserver(WebContentsViewAura* view)
       : view_(view),
         host_window_(NULL) {
     view_->window_->AddObserver(this);
   }
@@ skipping 95 matching lines @@
 
 ////////////////////////////////////////////////////////////////////////////////
 // WebContentsViewAura, public:
 
 WebContentsViewAura::WebContentsViewAura(WebContentsImpl* web_contents,
                                          WebContentsViewDelegate* delegate)
     : web_contents_(web_contents),
       delegate_(delegate),
       current_drag_op_(blink::WebDragOperationNone),
       drag_dest_delegate_(nullptr),
-      current_rvh_for_drag_(nullptr),
+      current_rvh_for_drag_(-1, -1),

[lfg, 2016/12/14 16:10:09]

You should use kInvalidUniqueID for invalid process ids, and MSG_ROUTING_NONE
for invalid routing IDs.

+      drag_source_rph_(-1),
+      drag_source_rvh_(-1, -1),
       current_overscroll_gesture_(OVERSCROLL_NONE),
       completed_overscroll_gesture_(OVERSCROLL_NONE),
       navigation_overlay_(nullptr),
       init_rwhv_with_null_parent_for_testing_(false) {}
 
 void WebContentsViewAura::SetDelegateForTesting(
     WebContentsViewDelegate* delegate) {
   delegate_.reset(delegate);
 }
 
@@ skipping 16 matching lines @@
   if (web_contents_->GetInterstitialPage())
     web_contents_->GetInterstitialPage()->SetSize(size);
   RenderWidgetHostView* rwhv =
       web_contents_->GetRenderWidgetHostView();
   if (rwhv)
     rwhv->SetSize(size);
 }
 
 void WebContentsViewAura::EndDrag(RenderWidgetHost* source_rwh,
                                   blink::WebDragOperationsMask ops) {
+  drag_source_rph_ = -1;

[lfg, 2016/12/14 16:10:09]

kInvalidUniqueID

+  drag_source_rvh_ = std::make_pair(-1, -1);

[lfg, 2016/12/14 16:10:09]

kInvalidUniqueID, MSG_ROUTING_NONE.

+
   if (!web_contents_)
     return;
 
   aura::Window* window = GetContentNativeView();
   gfx::Point screen_loc = display::Screen::GetScreen()->GetCursorScreenPoint();
   gfx::Point client_loc = screen_loc;
   aura::client::ScreenPositionClient* screen_position_client =
       aura::client::GetScreenPositionClient(window->GetRootWindow());
   if (screen_position_client)
     screen_position_client->ConvertPointFromScreen(window, &client_loc);
 
-  // TODO(paulmeyer): In the OOPIF case, should |client_loc| be converted to
-  // the coordinates local to |drag_start_rwh_|? See crbug.com/647249.
+  // TODO(paulmeyer): In the OOPIF case, should |client_loc| be converted to the
+  // coordinates local to |source_rwh|? See crbug.com/647249.
   web_contents_->DragSourceEndedAt(client_loc.x(), client_loc.y(),
                                    screen_loc.x(), screen_loc.y(), ops,
                                    source_rwh);
 
   web_contents_->SystemDragEnded(source_rwh);
 }
 
 void WebContentsViewAura::InstallOverscrollControllerDelegate(
     RenderWidgetHostViewAura* view) {
   const std::string value = base::CommandLine::ForCurrentProcess()->
@@ skipping 44 matching lines @@
       ToRenderWidgetHostViewAura(web_contents_->GetRenderWidgetHostView());
   return view ? view->selection_controller_client() : nullptr;
 }
 
 gfx::NativeView WebContentsViewAura::GetRenderWidgetHostViewParent() const {
   if (init_rwhv_with_null_parent_for_testing_)
     return nullptr;
   return window_.get();
 }
 
+bool WebContentsViewAura::ValidDragTarget(
+    RenderWidgetHostImpl* target_rwh) const {
+  return target_rwh->GetProcess()->GetID() == drag_source_rph_ ||

[Charlie Reis, 2016/12/14 18:06:50]

Please put a comment explaining what this is trying to check, since it's a bit
subtle.  Something like:

Allow the drag if it's within the same process (in which case Blink will
validate it), or if it's between different pages.  Do not allow cross-process
drags within the same page.

[Charlie Reis, 2016/12/14 18:36:36]

I think you missed this comment, which I think is worthwhile because of the
Blink validation part.

[paulmeyer, 2016/12/14 18:53:18]

Oh sorry, I meant to reply that the comment is already on this function in the
header.

+      GetRenderViewHostID(web_contents_->GetRenderViewHost()) !=
+      drag_source_rvh_;
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 // WebContentsViewAura, WebContentsView implementation:
 
 gfx::NativeView WebContentsViewAura::GetNativeView() const {
   return window_.get();
 }
 
 gfx::NativeView WebContentsViewAura::GetContentNativeView() const {
   RenderWidgetHostView* rwhv = web_contents_->GetRenderWidgetHostView();
   return rwhv ? rwhv->GetNativeView() : NULL;
@@ skipping 258 matching lines @@
   }
 
   // Grab a weak pointer to the RenderWidgetHost, since it can be destroyed
   // during the drag and drop nested message loop in StartDragAndDrop.
   // For example, the RenderWidgetHost can be deleted if a cross-process
   // transfer happens while dragging, since the RenderWidgetHost is deleted in
   // that case.
   base::WeakPtr<RenderWidgetHostImpl> source_rwh_weak_ptr =
       source_rwh->GetWeakPtr();
 
+  drag_source_rph_ = source_rwh->GetProcess()->GetID();
+  drag_source_rvh_ = GetRenderViewHostID(web_contents_->GetRenderViewHost());
+
   ui::TouchSelectionController* selection_controller = GetSelectionController();
   if (selection_controller)
     selection_controller->HideAndDisallowShowingAutomatically();
   std::unique_ptr<ui::OSExchangeData::Provider> provider =
       ui::OSExchangeDataProviderFactory::CreateProvider();
   PrepareDragData(drop_data, provider.get(), web_contents_);
 
   ui::OSExchangeData data(
       std::move(provider));  // takes ownership of |provider|.
 
@@ skipping 203 matching lines @@
   web_contents_->GetDelegate()->ContentsMouseEvent(
       web_contents_, display::Screen::GetScreen()->GetCursorScreenPoint(),
       type == ui::ET_MOUSE_MOVED, type == ui::ET_MOUSE_EXITED);
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 // WebContentsViewAura, aura::client::DragDropDelegate implementation:
 
 void WebContentsViewAura::OnDragEntered(const ui::DropTargetEvent& event) {
   gfx::Point transformed_pt;
-  current_rwh_for_drag_ =
+  RenderWidgetHostImpl* target_rwh =
       web_contents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
           web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
-          event.location(), &transformed_pt)->GetWeakPtr();
-  current_rvh_for_drag_ = web_contents_->GetRenderViewHost();
+          event.location(), &transformed_pt);
 
+  if (!ValidDragTarget(target_rwh))
+    return;
+
+  current_rwh_for_drag_ = target_rwh->GetWeakPtr();
+  current_rvh_for_drag_ =
+      GetRenderViewHostID(web_contents_->GetRenderViewHost());
   current_drop_data_.reset(new DropData());
   PrepareDropData(current_drop_data_.get(), event.data());
   current_rwh_for_drag_->FilterDropData(current_drop_data_.get());
 
   blink::WebDragOperationsMask op = ConvertToWeb(event.source_operations());
 
   // Give the delegate an opportunity to cancel the drag.
   if (web_contents_->GetDelegate() &&
       !web_contents_->GetDelegate()->CanDragEnter(
           web_contents_, *current_drop_data_.get(), op)) {
@@ skipping 15 matching lines @@
   }
 }
 
 int WebContentsViewAura::OnDragUpdated(const ui::DropTargetEvent& event) {
   gfx::Point transformed_pt;
   RenderWidgetHostImpl* target_rwh =
       web_contents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
           web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
           event.location(), &transformed_pt);
 
+  if (!ValidDragTarget(target_rwh))
+    return ui::DragDropTypes::DRAG_NONE;
+
   if (target_rwh != current_rwh_for_drag_.get()) {
     if (current_rwh_for_drag_)
       current_rwh_for_drag_->DragTargetDragLeave();
     OnDragEntered(event);
   }
 
   if (!current_drop_data_)
     return ui::DragDropTypes::DRAG_NONE;
 
   blink::WebDragOperationsMask op = ConvertToWeb(event.source_operations());
   gfx::Point screen_pt = event.root_location();
   target_rwh->DragTargetDragOver(
       transformed_pt, screen_pt, op,
       ConvertAuraEventFlagsToWebInputEventModifiers(event.flags()));
 
   if (drag_dest_delegate_)
     drag_dest_delegate_->OnDragOver();
 
   return ConvertFromWeb(current_drag_op_);
 }
 
 void WebContentsViewAura::OnDragExited() {
-  if (current_rvh_for_drag_ != web_contents_->GetRenderViewHost() ||
+  if (current_rvh_for_drag_ !=
+      GetRenderViewHostID(web_contents_->GetRenderViewHost()) ||
       !current_drop_data_) {
     return;
   }
 
   if (current_rwh_for_drag_) {
     current_rwh_for_drag_->DragTargetDragLeave();
     current_rwh_for_drag_.reset();
   }
 
   if (drag_dest_delegate_)
     drag_dest_delegate_->OnDragLeave();
 
   current_drop_data_.reset();
 }
 
 int WebContentsViewAura::OnPerformDrop(const ui::DropTargetEvent& event) {
   gfx::Point transformed_pt;
   RenderWidgetHostImpl* target_rwh =
       web_contents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
           web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
           event.location(), &transformed_pt);
 
+  if (!ValidDragTarget(target_rwh))
+    return ui::DragDropTypes::DRAG_NONE;
+
   if (target_rwh != current_rwh_for_drag_.get()) {
     if (current_rwh_for_drag_)
       current_rwh_for_drag_->DragTargetDragLeave();
     OnDragEntered(event);
   }
 
   if (!current_drop_data_)
     return ui::DragDropTypes::DRAG_NONE;
 
   target_rwh->DragTargetDrop(
@@ skipping 26 matching lines @@
                                         bool allow_multiple_selection) {
   NOTIMPLEMENTED() << " show " << items.size() << " menu items";
 }
 
 void WebContentsViewAura::HidePopupMenu() {
   NOTIMPLEMENTED();
 }
 #endif
 
 }  // namespace content