Prevent drag-and-drop events from firing over cross-site, same-page frames. (Mac)

content/browser/web_contents/web_drag_dest_mac.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "content/browser/web_contents/web_drag_dest_mac.h"
 
 #import <Carbon/Carbon.h>
 
 #include "base/strings/sys_string_conversions.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/renderer_host/render_widget_host_impl.h"
 #include "content/browser/renderer_host/render_widget_host_input_event_router.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/public/browser/web_contents_delegate.h"
 #include "content/public/browser/web_drag_dest_delegate.h"
+#include "content/public/common/child_process_host.h"
 #include "content/public/common/drop_data.h"
 #include "third_party/WebKit/public/platform/WebInputEvent.h"
 #import "third_party/mozilla/NSPasteboard+Utils.h"
 #include "ui/base/clipboard/custom_data_helper.h"
 #include "ui/base/cocoa/cocoa_base_utils.h"
 #import "ui/base/dragdrop/cocoa_dnd_util.h"
 #include "ui/base/window_open_disposition.h"
 #include "ui/gfx/geometry/point.h"
 
 using blink::WebDragOperationsMask;
@@ skipping 24 matching lines @@
   if (pressedButtons & (1 << 0))
       modifier_state |= blink::WebInputEvent::LeftButtonDown;
   if (pressedButtons & (1 << 1))
       modifier_state |= blink::WebInputEvent::RightButtonDown;
   if (pressedButtons & (1 << 2))
       modifier_state |= blink::WebInputEvent::MiddleButtonDown;
 
   return modifier_state;
 }
 
+content::GlobalRoutingID GetRenderViewHostID(content::RenderViewHost* rvh) {
+  return content::GlobalRoutingID(rvh->GetProcess()->GetID(),
+                                  rvh->GetRoutingID());
+}
+
 }  // namespace
 
 @implementation WebDragDest
 
 // |contents| is the WebContentsImpl representing this tab, used to communicate
 // drag&drop messages to WebCore and handle navigation on a successful drop
 // (if necessary).
 - (id)initWithWebContentsImpl:(WebContentsImpl*)contents {
   if ((self = [super init])) {
     webContents_ = contents;
     canceled_ = false;
+    dragStartProcessID_ = content::ChildProcessHost::kInvalidUniqueID;
+    dragStartViewID_ = content::GlobalRoutingID(
+        content::ChildProcessHost::kInvalidUniqueID, MSG_ROUTING_NONE);
   }
   return self;
 }
 
 - (DropData*)currentDropData {
   return dropData_.get();
 }
 
 - (void)setDragDelegate:(content::WebDragDestDelegate*)delegate {
   delegate_ = delegate;
@@ skipping 53 matching lines @@
   NSPoint viewPoint = [self flipWindowPointToView:windowPoint view:view];
   NSPoint screenPoint = [self flipWindowPointToScreen:windowPoint view:view];
   gfx::Point transformedPt;
   if (!webContents_->GetRenderWidgetHostView()) {
     // TODO(ekaramad, paulmeyer): Find a better way than toggling |canceled_|.
     // This could happen when the renderer process for the top-level RWH crashes
     // (see https://crbug.com/670645).
     canceled_ = true;
     return NSDragOperationNone;
   }
-  currentRWHForDrag_ =
-      [self GetRenderWidgetHostAtPoint:viewPoint transformedPt:&transformedPt]
-          ->GetWeakPtr();
+
+  content::RenderWidgetHostImpl* targetRWH =
+      [self GetRenderWidgetHostAtPoint:viewPoint transformedPt:&transformedPt];
+  if (![self isValidDragTarget:targetRWH])
+    return NSDragOperationNone;
+
+  currentRWHForDrag_ = targetRWH->GetWeakPtr();
 
   // Fill out a DropData from pasteboard.
   std::unique_ptr<DropData> dropData;
   dropData.reset(new DropData());
   [self populateDropData:dropData.get()
              fromPasteboard:[info draggingPasteboard]];
   // TODO(paulmeyer): Data may be pulled from the pasteboard multiple times per
   // drag. Ideally, this should only be done once, and filtered as needed.
   currentRWHForDrag_->FilterDropData(dropData.get());
 
@@ skipping 60 matching lines @@
 
   // Create the appropriate mouse locations for WebCore. The draggingLocation
   // is in window coordinates. Both need to be flipped.
   NSPoint windowPoint = [info draggingLocation];
   NSPoint viewPoint = [self flipWindowPointToView:windowPoint view:view];
   NSPoint screenPoint = [self flipWindowPointToScreen:windowPoint view:view];
   gfx::Point transformedPt;
   content::RenderWidgetHostImpl* targetRWH =
       [self GetRenderWidgetHostAtPoint:viewPoint transformedPt:&transformedPt];
 
+  if (![self isValidDragTarget:targetRWH])
+    return NSDragOperationNone;
+
   // TODO(paulmeyer): The dragging delegates may now by invoked multiple times
   // per drag, even without the drag ever leaving the window.
   if (targetRWH != currentRWHForDrag_.get()) {
     if (currentRWHForDrag_)
       currentRWHForDrag_->DragTargetDragLeave();
     [self draggingEntered:info view:view];
   }
 
   if (canceled_)
     return NSDragOperationNone;
@@ skipping 19 matching lines @@
                               view:(NSView*)view {
   // Create the appropriate mouse locations for WebCore. The draggingLocation
   // is in window coordinates. Both need to be flipped.
   NSPoint windowPoint = [info draggingLocation];
   NSPoint viewPoint = [self flipWindowPointToView:windowPoint view:view];
   NSPoint screenPoint = [self flipWindowPointToScreen:windowPoint view:view];
   gfx::Point transformedPt;
   content::RenderWidgetHostImpl* targetRWH =
       [self GetRenderWidgetHostAtPoint:viewPoint transformedPt:&transformedPt];
 
+  if (![self isValidDragTarget:targetRWH])
+    return NO;
+
   if (targetRWH != currentRWHForDrag_.get()) {
     if (currentRWHForDrag_)
       currentRWHForDrag_->DragTargetDragLeave();
     [self draggingEntered:info view:view];
   }
 
   // Check if we only allow navigation and navigate to a url on the pasteboard.
   if ([self onlyAllowsNavigation]) {
     NSPasteboard* pboard = [info draggingPasteboard];
     if ([pboard containsURLDataConvertingTextToURL:YES]) {
@@ skipping 23 matching lines @@
 }
 
 - (content::RenderWidgetHostImpl*)
 GetRenderWidgetHostAtPoint:(const NSPoint&)viewPoint
              transformedPt:(gfx::Point*)transformedPt {
   return webContents_->GetInputEventRouter()->GetRenderWidgetHostAtPoint(
       webContents_->GetRenderViewHost()->GetWidget()->GetView(),
       gfx::Point(viewPoint.x, viewPoint.y), transformedPt);
 }
 
+- (void)setDragStartTrackersForProcess:(int)processID {
+  dragStartProcessID_ = processID;
+  dragStartViewID_ = GetRenderViewHostID(webContents_->GetRenderViewHost());
+}
+
+- (bool)isValidDragTarget:(content::RenderWidgetHostImpl*)targetRWH {
+  return targetRWH->GetProcess()->GetID() == dragStartProcessID_ ||
+         GetRenderViewHostID(webContents_->GetRenderViewHost()) !=
+             dragStartViewID_;
+}
+
 // Given |data|, which should not be nil, fill it in using the contents of the
 // given pasteboard. The types handled by this method should be kept in sync
 // with [WebContentsViewCocoa registerDragTypes].
 - (void)populateDropData:(DropData*)data
           fromPasteboard:(NSPasteboard*)pboard {
   DCHECK(data);
   DCHECK(pboard);
   NSArray* types = [pboard types];
 
   data->did_originate_from_renderer =
@@ skipping 47 matching lines @@
   // Get custom MIME data.
   if ([types containsObject:ui::kWebCustomDataPboardType]) {
     NSData* customData = [pboard dataForType:ui::kWebCustomDataPboardType];
     ui::ReadCustomDataIntoMap([customData bytes],
                               [customData length],
                               &data->custom_data);
   }
 }
 
 @end