authorVidhan <vidhanj@google.com>2022-11-23 18:53:56 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-12-07 11:09:56 +0000
commitee7d12c5b4c4107fea7cdc1367d6a7faadf3f337 (patch)
tree0b78008c5c50c209da550d719a6bde46d6629302
parent8dc71a1364d998f9d93ff995e2dd32a0ba4ed371 (diff)
[Backport] CVE-2022-4184: Insufficient policy enforcement in Autofill
Partial manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4028799: Add GetWindowBounds for PictureInPicture The window bounds would be used to check for any overlaps with the Autofill popup in the next CLs. (cherry picked from commit 87cf1589bb30dde902d74657840c8486b605a9b1) Bug: 1358647 Change-Id: Ie564d1cdf26532a30b796eff15c402c5879332d0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3921456 Reviewed-by: Fr <beaufort.francois@gmail.com> Commit-Queue: Vidhan Jain <vidhanj@google.com> Reviewed-by: Kazuki Takise <takise@chromium.org> Reviewed-by: Eliot Courtney <edcourtney@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1059914} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4028799 Owners-Override: Srinivas Sista <srinivassista@chromium.org> Commit-Queue: Srinivas Sista <srinivassista@chromium.org> Reviewed-by: Srinivas Sista <srinivassista@chromium.org> Auto-Submit: Christoph Schwering <schwering@google.com> Cr-Commit-Position: refs/branch-heads/5359@{#934} Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/447105 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.cc7
-rw-r--r--chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.h1
-rw-r--r--chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.cc7
-rw-r--r--chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.h1
-rw-r--r--chromium/content/public/browser/picture_in_picture_window_controller.h5
5 files changed, 21 insertions, 0 deletions
diff --git a/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.cc b/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.cc
index bc33049775b..5cf491a4b42 100644
--- a/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.cc
+++ b/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.cc
@@ -120,6 +120,13 @@ void DocumentPictureInPictureWindowControllerImpl::WebContentsDestroyed() {
ForceClosePictureInPicture();
}
+absl::optional<gfx::Rect>
+DocumentPictureInPictureWindowControllerImpl::GetWindowBounds() {
+ if (!child_contents_)
+ return absl::nullopt;
+ return child_contents_->GetContainerBounds();
+}
+
void DocumentPictureInPictureWindowControllerImpl::PrimaryPageChanged(Page&) {
ForceClosePictureInPicture();
}
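Review bot: The two new GetWindowBounds() definitions take their rectangle from different sources, and nothing in the change states that the results are comparable. This one returns `child_contents_->GetContainerBounds()`, while the hunk in video_picture_in_picture_window_controller_impl.cc returns `window_->GetBounds()`. If the container bounds cover only the content area and not the window frame (not confirmable from these lines), the Autofill overlap check the commit message announces could miss the frame region of a document Picture-in-Picture window. I would add a comment above this definition such as `// Bounds of the child WebContents' container; must use the same rect and coordinate space as the video controller's window bounds.` or return the window's own bounds if one is reachable here. No test for the null `child_contents_` path is visible in this partial cherry-pick.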
diff --git a/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.h b/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.h
index 74829482b75..b57bf327b04 100644
--- a/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.h
+++ b/chromium/content/browser/picture_in_picture/document_picture_in_picture_window_controller_impl.h
@@ -54,6 +54,7 @@ class CONTENT_EXPORT DocumentPictureInPictureWindowControllerImpl
void CloseAndFocusInitiator() override;
void OnWindowDestroyed(bool should_pause_video) override;
WebContents* GetWebContents() override;
+ absl::optional<gfx::Rect> GetWindowBounds() override;
// DocumentPictureInPictureWindowController:
void SetChildWebContents(
diff --git a/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.cc b/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.cc
index db2caea6254..d58c787694e 100644
--- a/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.cc
+++ b/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.cc
@@ -425,6 +425,13 @@ void VideoPictureInPictureWindowControllerImpl::EnsureWindow() {
GetContentClient()->browser()->CreateWindowForVideoPictureInPicture(this);
}
+absl::optional<gfx::Rect>
+VideoPictureInPictureWindowControllerImpl::GetWindowBounds() {
+ if (!window_)
+ return absl::nullopt;
+ return window_->GetBounds();
+}
+
void VideoPictureInPictureWindowControllerImpl::
UpdatePlayPauseButtonVisibility() {
if (!window_)
diff --git a/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.h b/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.h
index c52ef4184a3..31b48f855c1 100644
--- a/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.h
+++ b/chromium/content/browser/picture_in_picture/video_picture_in_picture_window_controller_impl.h
@@ -78,6 +78,7 @@ class CONTENT_EXPORT VideoPictureInPictureWindowControllerImpl
void ToggleMicrophone() override;
void ToggleCamera() override;
void HangUp() override;
+ absl::optional<gfx::Rect> GetWindowBounds() override;
// Called by the MediaSessionImpl when the MediaSessionInfo changes.
void MediaSessionInfoChanged(
diff --git a/chromium/content/public/browser/picture_in_picture_window_controller.h b/chromium/content/public/browser/picture_in_picture_window_controller.h
index 03a3a1bbda9..8bbe5fc0b57 100644
--- a/chromium/content/public/browser/picture_in_picture_window_controller.h
+++ b/chromium/content/public/browser/picture_in_picture_window_controller.h
@@ -6,6 +6,8 @@
#define CONTENT_PUBLIC_BROWSER_PICTURE_IN_PICTURE_WINDOW_CONTROLLER_H_
#include "content/common/content_export.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+#include "ui/gfx/geometry/rect.h"
namespace content {
class WebContents;
@@ -50,6 +52,9 @@ class PictureInPictureWindowController {
virtual WebContents* GetWebContents() = 0;
+ // Called to get the Picture-in-Picture window bounds.
+ virtual absl::optional<gfx::Rect> GetWindowBounds() = 0;
+
protected:
// Use PictureInPictureWindowController::GetOrCreateForWebContents() to
// create an instance.
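Review bot: The comment on the new pure virtual `GetWindowBounds()` does not say when the result is empty or which coordinate space the rectangle uses, and a caller doing the planned Autofill overlap check needs both to fail safely. I would write `// Returns the bounds of the Picture-in-Picture window, or absl::nullopt when no window exists.` and add the coordinate space once it is confirmed against both implementations. Both overrides shown only read state through a pointer member, so the method could probably be declared `const`. Because it is pure virtual on a public interface, any subclass outside this diff (test mocks, embedder implementations) needs an override to keep building; the class body continues outside the hunk, so I cannot see whether others exist.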