Prevent drag-and-drop events from firing over cross-site, same-page frames.

content/browser/web_contents/web_contents_view_aura.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_WEB_CONTENTS_WEB_CONTENTS_VIEW_AURA_H_
 #define CONTENT_BROWSER_WEB_CONTENTS_WEB_CONTENTS_VIEW_AURA_H_
 
 #include <memory>
 #include <vector>
 
 #include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
+#include "content/browser/loader/global_routing_id.h"
 #include "content/browser/renderer_host/overscroll_controller_delegate.h"
 #include "content/browser/renderer_host/render_view_host_delegate_view.h"
 #include "content/browser/web_contents/web_contents_view.h"
 #include "content/common/content_export.h"
 #include "ui/aura/client/drag_drop_delegate.h"
 #include "ui/aura/window_delegate.h"
 #include "ui/aura/window_observer.h"
 
 namespace aura {
 class Window;
@@ skipping 55 matching lines @@
   void CompleteOverscrollNavigation(OverscrollMode mode);
 
   void OverscrollUpdateForWebContentsDelegate(float delta_y);
 
   ui::TouchSelectionController* GetSelectionController() const;
   TouchSelectionControllerClientAura* GetSelectionControllerClient() const;
 
   // Returns GetNativeView unless overridden for testing.
   gfx::NativeView GetRenderWidgetHostViewParent() const;
 
+  // Returns whether |target_rwh| is a valid RenderWidgetHost to be dragging
+  // over. This enforces that same-page, cross-site drags are not allowed. See
+  // crbug.com/666858.
+  bool IsValidDragTarget(RenderWidgetHostImpl* target_rwh) const;
+
   // Overridden from WebContentsView:
   gfx::NativeView GetNativeView() const override;
   gfx::NativeView GetContentNativeView() const override;
   gfx::NativeWindow GetTopLevelNativeWindow() const override;
   void GetScreenInfo(ScreenInfo* screen_info) const override;
   void GetContainerBounds(gfx::Rect* out) const override;
   void SizeContents(const gfx::Size& size) override;
   void Focus() override;
   void SetInitialFocus() override;
   void StoreFocus() override;
@@ skipping 91 matching lines @@
   blink::WebDragOperationsMask current_drag_op_;
 
   std::unique_ptr<DropData> current_drop_data_;
 
   WebDragDestDelegate* drag_dest_delegate_;
 
   // We keep track of the RenderWidgetHost we're dragging over. If it changes
   // during a drag, we need to re-send the DragEnter message.
   base::WeakPtr<RenderWidgetHostImpl> current_rwh_for_drag_;
 
-  // We also keep track of the RenderViewHost we're dragging over to avoid
-  // sending the drag exited message after leaving the current
-  // view. |current_rvh_for_drag_| should not be dereferenced.
-  void* current_rvh_for_drag_;
+  // We also keep track of the ID of the RenderViewHost we're dragging over to
+  // avoid sending the drag exited message after leaving the current view.
+  GlobalRoutingID current_rvh_for_drag_;
+
+  // We track the IDs of the source RenderProcessHost and RenderViewHost from
+  // which the current drag originated. These are used to ensure that drag
+  // events do not fire over a cross-site frame (with respect to the source
+  // frame) in the same page (see crbug.com/666858). Specifically, the
+  // RenderViewHost is used to check the "same page" property, while the
+  // RenderProcessHost is used to check the "cross-site" property. Note that the
+  // reason the RenderProcessHost is tracked instead of the RenderWidgetHost is
+  // so that we still allow drags between non-contiguous same-site frames (such
+  // frames will have the same process, but different widgets). Note also that
+  // The RenderViewHost may not be in the same process as the RenderProcessHost,

[Charlie Reis, 2016/12/14 18:36:36]

nit: s/The/the/

[paulmeyer, 2016/12/14 18:53:18]

Done.

+  // since the view corresponds to the page, while the process is specific to
+  // the frame from which the drag started.
+  int drag_start_process_id_;
+  GlobalRoutingID drag_start_view_id_;
 
   // The overscroll gesture currently in progress.
   OverscrollMode current_overscroll_gesture_;
 
   // This is the completed overscroll gesture. This is used for the animation
   // callback that happens in response to a completed overscroll gesture.
   OverscrollMode completed_overscroll_gesture_;
 
   // This manages the overlay window that shows the screenshot during a history
   // navigation triggered by the overscroll gesture.
   std::unique_ptr<OverscrollNavigationOverlay> navigation_overlay_;
 
   std::unique_ptr<GestureNavSimple> gesture_nav_simple_;
 
   bool init_rwhv_with_null_parent_for_testing_;
 
   DISALLOW_COPY_AND_ASSIGN(WebContentsViewAura);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_WEB_CONTENTS_WEB_CONTENTS_VIEW_AURA_H_