diff options
| author | Guido Urdaneta <guidou@chromium.org> | 2022-11-13 18:50:26 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-02-17 08:36:49 +0000 |
| commit | b476794afcf282bd66819a8920bad7007d1da516 (patch) | |
| tree | 9be12e6216b839ba35bd7b4c114cf9b943e1e584 | |
| parent | 2c846dfbcce5d4cae21eba596a59e8b537e1cea8 (diff) | |
| download | qtwebengine-chromium-b476794afcf282bd66819a8920bad7007d1da516.tar.gz | |
[Backport] Security bug 829317 (1/2)
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4020095:
Make browser start recording indicator
Prior to this CL, the recording indicator was turned on by a call sent
by the renderer process.
This CL makes the browser process turn on the indicator directly, which protects against a potential malicious renderer that intentionally does
not make the call.
The difference in behavior is that, originally, the indicator was turned on after the tracks were started and now it is turned on before they start. The same approach is already in use for pepper media capture.
In both cases, the indicator was turned off by the browser when the sources backing the tracks stopped.
Bug: 829317
Change-Id: I1af1f481cbc0e8eb0fb96919313b667ac1fa0a0a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4020095
Reviewed-by: Tomas Gunnarsson <tommi@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1070795}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460501
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
5 files changed, 41 insertions, 13 deletions
diff --git a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc index 2f359be49d3..ba730b67353 100644 --- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc +++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc @@ -26,6 +26,7 @@ #include "mojo/public/cpp/bindings/pending_receiver.h" #include "mojo/public/cpp/bindings/self_owned_receiver.h" #include "services/service_manager/public/cpp/interface_provider.h" +#include "third_party/blink/public/common/features.h" #include "third_party/blink/public/mojom/mediastream/media_stream.mojom.h" #include "url/origin.h" @@ -528,6 +529,8 @@ void MediaStreamDispatcherHost::SetCapturingLinkSecured( void MediaStreamDispatcherHost::OnStreamStarted(const std::string& label) { DCHECK_CURRENTLY_ON(BrowserThread::IO); + DCHECK(!base::FeatureList::IsEnabled( + blink::features::kStartMediaStreamCaptureIndicatorInBrowser)); media_stream_manager_->OnStreamStarted(label); } diff --git a/chromium/content/browser/renderer_host/media/media_stream_manager.cc b/chromium/content/browser/renderer_host/media/media_stream_manager.cc index afb3978a94b..c0473e4fca4 100644 --- a/chromium/content/browser/renderer_host/media/media_stream_manager.cc +++ b/chromium/content/browser/renderer_host/media/media_stream_manager.cc @@ -810,8 +810,8 @@ class MediaStreamManager::DeviceRequest { } void RunMojoCallbacks() { - if (generate_stream_cb) { - std::move(generate_stream_cb) + if (generate_streams_cb_) { + std::move(generate_streams_cb_) .Run(MediaStreamRequestResult::FAILED_DUE_TO_SHUTDOWN, std::string(), MediaStreamDevices(), MediaStreamDevices(), /*pan_tilt_zoom_allowed=*/false); @@ -823,6 +823,18 @@ class MediaStreamManager::DeviceRequest { } } + void SetGenerateStreamsCallback(GenerateStreamCallback callback) { + generate_streams_cb_ = std::move(callback); + } + + GenerateStreamCallback&& MoveGenerateStreamsCallback() { + return std::move(generate_streams_cb_); + } + + bool HasGenerateStreamsCallback() const { + return !generate_streams_cb_.is_null(); + } + // The render process id that requested this stream to be generated and that // will receive a handle to the MediaStream. This may be different from // MediaStreamRequest::render_process_id which in the tab capture case @@ -863,8 +875,6 @@ class MediaStreamManager::DeviceRequest { // Currently it is only used by |DEVICE_ACCESS| type. MediaAccessRequestCallback media_access_request_cb; - GenerateStreamCallback generate_stream_cb; - // This callback is used by transferred MediaStreamTracks to access and clone // an existing open MediaStreamDevice (identified by its session_id). If the // device is found, it is returned to this callback along with a @@ -902,6 +912,7 @@ class MediaStreamManager::DeviceRequest { MediaStreamType video_type_; int target_process_id_; int target_frame_id_; + GenerateStreamCallback generate_streams_cb_; }; // static @@ -1113,7 +1124,7 @@ void MediaStreamManager::GenerateStream( MediaDeviceSaltAndOrigin salt_and_origin, bool user_gesture, StreamSelectionInfoPtr audio_stream_selection_info_ptr, - GenerateStreamCallback generate_stream_cb, + GenerateStreamCallback generate_streams_cb, DeviceStoppedCallback device_stopped_cb, DeviceChangedCallback device_changed_cb, DeviceRequestStateChangeCallback device_request_state_change_cb, @@ -1128,7 +1139,7 @@ void MediaStreamManager::GenerateStream( std::move(device_stopped_cb), std::move(device_changed_cb), std::move(device_request_state_change_cb), std::move(device_capture_handle_change_cb)); - request->generate_stream_cb = std::move(generate_stream_cb); + request->SetGenerateStreamsCallback(std::move(generate_streams_cb)); DeviceRequest* const request_ptr = request.get(); const std::string label = AddRequest(std::move(request)); @@ -2165,7 +2176,7 @@ void MediaStreamManager::FinalizeGenerateStream(const std::string& label, DeviceRequest* request) { DCHECK_CURRENTLY_ON(BrowserThread::IO); DCHECK(request); - DCHECK(request->generate_stream_cb); + DCHECK(request->HasGenerateStreamsCallback()); SendLogMessage( base::StringPrintf("FinalizeGenerateStream({label=%s}, {requester_id=" "%d}, {request_type=%s})", @@ -2199,7 +2210,7 @@ void MediaStreamManager::FinalizeGenerateStream(const std::string& label, request->requesting_frame_id), base::BindOnce(&MediaStreamManager::PanTiltZoomPermissionChecked, base::Unretained(this), label, video_devices, - base::BindOnce(std::move(request->generate_stream_cb), + base::BindOnce(request->MoveGenerateStreamsCallback(), MediaStreamRequestResult::OK, label, audio_devices, video_devices))); } @@ -2315,10 +2326,10 @@ void MediaStreamManager::FinalizeRequestFailed( switch (request->request_type()) { case blink::MEDIA_GENERATE_STREAM: { - DCHECK(request->generate_stream_cb); - std::move(request->generate_stream_cb) - .Run(result, std::string(), MediaStreamDevices(), - MediaStreamDevices(), /*pan_tilt_zoom_allowed=*/false); + DCHECK(request->HasGenerateStreamsCallback()); + request->MoveGenerateStreamsCallback().Run( + result, std::string(), MediaStreamDevices(), + MediaStreamDevices(), /*pan_tilt_zoom_allowed=*/false); break; } case blink::MEDIA_GET_OPEN_DEVICE: { @@ -2540,6 +2551,10 @@ void MediaStreamManager::HandleRequestDone(const std::string& label, break; case blink::MEDIA_GENERATE_STREAM: { FinalizeGenerateStream(label, request); + if (base::FeatureList::IsEnabled( + blink::features::kStartMediaStreamCaptureIndicatorInBrowser)) { + OnStreamStarted(label); + } break; } case blink::MEDIA_GET_OPEN_DEVICE: { diff --git a/chromium/third_party/blink/common/features.cc b/chromium/third_party/blink/common/features.cc index dfb2b8044e5..c9face230dc 100644 --- a/chromium/third_party/blink/common/features.cc +++ b/chromium/third_party/blink/common/features.cc @@ -1437,5 +1437,8 @@ const base::FeatureParam<base::TimeDelta> kRecentBeginMainFrameCutoff = { &kDeferBeginMainFrameDuringLoading, "recent_begin_main_frame_cutoff", base::Milliseconds(150)}; +const base::Feature kStartMediaStreamCaptureIndicatorInBrowser("StartMediaStreamCaptureIndicatorInBrowser", + base::FEATURE_ENABLED_BY_DEFAULT); + } // namespace features } // namespace blink diff --git a/chromium/third_party/blink/public/common/features.h b/chromium/third_party/blink/public/common/features.h index e36e6b3bdbb..33707e02866 100644 --- a/chromium/third_party/blink/public/common/features.h +++ b/chromium/third_party/blink/public/common/features.h @@ -723,6 +723,9 @@ BLINK_COMMON_EXPORT extern const base::Feature BLINK_COMMON_EXPORT extern const base::FeatureParam<base::TimeDelta> kRecentBeginMainFrameCutoff; +// Make the browser decide when to turn on the capture indicator (red button) +BLINK_COMMON_EXPORT extern const base::Feature + kStartMediaStreamCaptureIndicatorInBrowser; } // namespace features } // namespace blink diff --git a/chromium/third_party/blink/renderer/modules/mediastream/user_media_processor.cc b/chromium/third_party/blink/renderer/modules/mediastream/user_media_processor.cc index 03d0d8e2cf8..ad5e7764f0e 100644 --- a/chromium/third_party/blink/renderer/modules/mediastream/user_media_processor.cc +++ b/chromium/third_party/blink/renderer/modules/mediastream/user_media_processor.cc @@ -22,6 +22,7 @@ #include "media/capture/video_capture_types.h" #include "media/webrtc/constants.h" #include "third_party/blink/public/common/browser_interface_broker_proxy.h" +#include "third_party/blink/public/common/features.h" #include "third_party/blink/public/common/mediastream/media_stream_controls.h" #include "third_party/blink/public/common/mediastream/media_stream_request.h" #include "third_party/blink/public/platform/modules/mediastream/web_media_stream_source.h" @@ -1582,7 +1583,10 @@ void UserMediaProcessor::OnCreateNativeTracksCompleted( if (result == MediaStreamRequestResult::OK) { GetUserMediaRequestSucceeded(request_info->descriptor(), request_info->request()); - GetMediaStreamDispatcherHost()->OnStreamStarted(label); + if (!base::FeatureList::IsEnabled( + blink::features::kStartMediaStreamCaptureIndicatorInBrowser)) { + GetMediaStreamDispatcherHost()->OnStreamStarted(label); + } } else { GetUserMediaRequestFailed(result, constraint_name); |