author | Mustaq Ahmed <mustaq@google.com> | 2021-10-06 22:38:01 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-12-01 13:51:21 +0000 |
commit | 3fce22f9ce99131965a1bb2129e4f4ad4cf21da8 (patch) | |
tree | dae3c19500a9255ab8b10f57208d9f6442f19c26 /chromium/third_party/blink/renderer | |
parent | 814d594ab396d2a5e6c2b3133a8f44c37ab8148a (diff) | |
[Backport] CVE-2021-38015: Inappropriate implementation in input
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3154195:
Add a restricted user activation state for synthetic triggers.
Also suppress synthetic activation triggering at an extension messaging
recipient when the message sender has a restricted activation.
Bug: 957553, 957633
Change-Id: I0b363fe907d18ef55d132b98a533c1cdf5e0d485
Commit-Queue: Mustaq Ahmed <mustaq@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#928908}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer')
3 files changed, 11 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/frame.h b/chromium/third_party/blink/renderer/core/frame/frame.h
index 8ecf406cc97..f63c1b70a7d 100644
--- a/chromium/third_party/blink/renderer/core/frame/frame.h
+++ b/chromium/third_party/blink/renderer/core/frame/frame.h
@@ -205,6 +205,12 @@ class CORE_EXPORT Frame : public GarbageCollected<Frame> {
 return user_activation_state_.HasBeenActive();
 }
+ // Returns if the last user activation for this frame was restricted in
+ // nature.
+ bool LastActivationWasRestricted() const {
+ return user_activation_state_.LastActivationWasRestricted();
+ }
+
 // Resets the user activation state of this frame.
 void ClearUserActivation() { user_activation_state_.Clear(); }
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
index 6644c9bdfed..2846b854229 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
@@ -627,6 +627,10 @@ bool WebLocalFrameImpl::ConsumeTransientUserActivation(
 return LocalFrame::ConsumeTransientUserActivation(GetFrame(), update_source);
 }
+bool WebLocalFrameImpl::LastActivationWasRestricted() const {
+ return GetFrame()->LastActivationWasRestricted();
+}
+
 void WebLocalFrameImpl::SetOptimizationGuideHints(
 const WebOptimizationGuideHints& web_hints) {
 if (!GetFrame())
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
index e7dbee7813a..f52fb84b36f 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
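Review bot: The comment on the new Frame::LastActivationWasRestricted() never says what "restricted in nature" means, and the definition it forwards to, UserActivationState::LastActivationWasRestricted(), lives outside the renderer/ diffstat shown here, so a reader of this header has nothing to go on. The commit message says a restricted activation is one produced by a synthetic trigger rather than a real input event, and that recipients should not let it propagate as a normal activation; the comment should state that here, e.g. `// Returns whether the last user activation of this frame was "restricted",` / `// i.e. came from a synthetic trigger rather than a real input event. Callers` / `// should not treat a restricted activation as a full user gesture.`. The same missing explanation applies to the declaration added in web_local_frame_impl.h. The enclosing Frame class begins and ends outside this hunk.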
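Review bot: The new WebLocalFrameImpl::LastActivationWasRestricted() dereferences GetFrame() unconditionally, while SetOptimizationGuideHints() immediately below guards with `if (!GetFrame())`, so a call on a detached WebLocalFrameImpl would crash here rather than return a defined answer. Since the commit message describes this value being consulted for a message sender to decide whether to suppress activation at the recipient, the missing-frame case should fall closed rather than crash or silently report "not restricted": `if (!GetFrame()) return true;` before the existing return, with a short comment saying that a frame that no longer exists is treated as having no usable activation. Whether the neighbouring HasStickyUserActivation()/HasTransientUserActivation() bodies (not in this hunk) already guard the same way I cannot tell from the diff; if they do not, the guard should be added consistently across all four.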
@@ -319,6 +319,7 @@ class CORE_EXPORT WebLocalFrameImpl final
 bool HasStickyUserActivation() override;
 bool HasTransientUserActivation() override;
 bool ConsumeTransientUserActivation(UserActivationUpdateSource) override;
+ bool LastActivationWasRestricted() const override;
 void SetOptimizationGuideHints(const WebOptimizationGuideHints&) override;
 // WebNavigationControl overrides:
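Review bot: The added `bool LastActivationWasRestricted() const override;` depends on a matching virtual in the WebLocalFrame base interface, which lives under blink/public and is not part of the renderer/-limited diffstat shown; for a manual cherry-pick it is worth confirming that the rest of the backport carries that declaration and the extension-messaging consumer, otherwise this override and the new accessor have no caller. The three sibling activation accessors above it are declared non-const while this one is const; that is the better signature, but it means the base declaration must be const as well or `override` will not match. The enclosing WebLocalFrameImpl class begins and ends outside this hunk.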