author | Mustaq Ahmed <mustaq@google.com> | 2021-10-06 22:38:01 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-12-06 21:34:31 +0000 |
commit | 9745175d352bec242eb06318e8d97aa7176f1716 (patch) | |
tree | 715560a7ca26273ca7ce1ce902eaba17bcc1920b /chromium/third_party/blink/renderer/core/frame | |
parent | 4ff4a9359f110e27028911f0d3f67d1582e4f26c (diff) | |
download | qtwebengine-chromium-9745175d352bec242eb06318e8d97aa7176f1716.tar.gz |
[Backport] CVE-2021-38015: Inappropriate implementation in input
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3154195:
Add a restricted user activation state for synthetic triggers.
Also suppress synthetic activation triggering at an extension messaging
recipient when the message sender has a restricted activation.
Bug: 957553, 957633
Change-Id: I0b363fe907d18ef55d132b98a533c1cdf5e0d485
Commit-Queue: Mustaq Ahmed <mustaq@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#928908}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/core/frame')
3 files changed, 11 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/frame.h b/chromium/third_party/blink/renderer/core/frame/frame.h
index ecc1409edb9..1167129b143 100644
--- a/chromium/third_party/blink/renderer/core/frame/frame.h
+++ b/chromium/third_party/blink/renderer/core/frame/frame.h
@@ -213,6 +213,12 @@ class CORE_EXPORT Frame : public GarbageCollected<Frame> {
     return user_activation_state_.HasBeenActive();
   }
 
+  // Returns if the last user activation for this frame was restricted in
+  // nature.
+  bool LastActivationWasRestricted() const {
+    return user_activation_state_.LastActivationWasRestricted();
+  }
+
   // Resets the user activation state of this frame.
   void ClearUserActivation() { user_activation_state_.Clear(); }
 
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
index 3d718e04a50..c5f779e1965 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
@@ -653,6 +653,10 @@ bool WebLocalFrameImpl::ConsumeTransientUserActivation(
   return LocalFrame::ConsumeTransientUserActivation(GetFrame(), update_source);
 }
 
+bool WebLocalFrameImpl::LastActivationWasRestricted() const {
+  return GetFrame()->LastActivationWasRestricted();
+}
+
 WebLocalFrame* WebLocalFrame::FrameForContext(v8::Local<v8::Context> context) {
   return WebLocalFrameImpl::FromFrame(ToLocalFrameIfNotDetached(context));
 }
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
index ebd7f45cadf..08531405db4 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
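Review bot: The comment on the new `LastActivationWasRestricted()` accessor in frame.h says only that the activation was "restricted in nature", which does not tell a reader of the header what the flag means or why a caller should consult it; the commit description is clearer — a restricted activation is one produced by a synthetic trigger rather than a real user gesture, and activation-gated code should not treat it as equivalent to a full activation. Suggest rewording the two comment lines to `// Returns true if this frame's most recent user activation was a restricted` / `// one (set by a synthetic trigger rather than a real user gesture).` The accessor lives on Frame, so it is reachable for remote frames as well; whether the restricted bit is part of the activation state replicated across processes is not visible in this diff, and if it is not, a check against a cross-process sender frame would report its activation as unrestricted, which is worth confirming. What `ClearUserActivation()` leaves the flag at depends on `UserActivationState::Clear()`, which is also outside this diff.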
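Review bot: `GetFrame()` is dereferenced unconditionally on the single line of the new `WebLocalFrameImpl::LastActivationWasRestricted()`, while the neighbouring `ConsumeTransientUserActivation` hands `GetFrame()` to a static `LocalFrame` helper and `FrameForContext` goes through `ToLocalFrameIfNotDetached`, so a detached `WebLocalFrameImpl` whose frame pointer is null would crash here instead of returning a defined value. Whether any caller can reach this after detach is not visible in the diff; if it can, guard the pointer and pick the conservative answer, e.g. `if (!GetFrame())` / `  return true;  // detached: report restricted so nothing activation-gated is granted` / `return GetFrame()->LastActivationWasRestricted();`. Returning true on the missing-frame path fails closed for the extension-messaging use described in the commit message (a restricted sender suppresses synthetic activation at the recipient); if the file's convention is to assert instead, `DCHECK(GetFrame());` before the return is the minimum.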
@@ -329,6 +329,7 @@ class CORE_EXPORT WebLocalFrameImpl final
   bool HasStickyUserActivation() override;
   bool HasTransientUserActivation() override;
   bool ConsumeTransientUserActivation(UserActivationUpdateSource) override;
+  bool LastActivationWasRestricted() const override;
   void SetTargetToCurrentHistoryItem(const WebString& target) override;
   void UpdateCurrentHistoryItem() override;
   PageState CurrentHistoryItemToPageState() override;
|