Commit message | Author | Age | Files | Lines
* [Backport] Fix for CVE-2019-13720 [73-based] | Allan Sandfeld Jensen | 2019-11-01 | 1 file | -0/+2

  Obtain graph/process lock when nullifying the buffer in Reverb

  When the buffer is set to `null` while there is an active buffer within a reverb object, the SetBuffer() function can prematurely nullify `reverb_` and `shared_buffer_` while they are still being accessed by the rendering thread. This CL adds two locks (graph lock and process lock) when the buffer gets nullified to ensure the synchronization between the two threads.

  (cherry picked from commit 6a2e670a243b815cf043f8da4d26ecb9a64d307b)

  Change-Id: I8f501b6a16b3c7e16db767e0b279a1a53d6eb290
  Bug: 1019226
  Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1888103
  Commit-Queue: Hongchan Choi <hongchan@chromium.org>
  Reviewed-by: Robert Sesek <rsesek@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#710627}
  Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1889510
  Reviewed-by: Krishna Govind <govind@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3953@{#8}
  Cr-Branched-From: b5ceb94d4b9a2f629c84df1be72f9e3d0a79fd2d-refs/heads/master@{#710313}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13662 | Allan Sandfeld Jensen | 2019-10-28 | 2 files | -14/+19

  Prevent redirection to `javascript:...` during downloads.

  Bug: 967780
  Change-Id: I2703998615fea0f0a99cb7963f8440842ba3d92a
  Reviewed-by: Jochen Eisinger <jochen@chromium.org>
  Commit-Queue: Mike West <mkwst@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#678183}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] Security issue 971904 [v5.13.2] | Allan Sandfeld Jensen | 2019-10-21 | 1 file | -7/+12

  Don't try to exit already exiting GPU process.

  The exit_on_context_loss GPU driver bug workaround shouldn't be applied when the GPU process is already exiting since it can trigger a use-after-free.

  Bug: 971904
  Change-Id: I775c9fd29b1f9bdb71c28f0cb428951718001973
  Commit-Queue: kylechar <kylechar@chromium.org>
  Reviewed-by: Antoine Labour <piman@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#668454}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 981597 | Allan Sandfeld Jensen | 2019-10-21 | 13 files | -41/+102

  Add requester frame param to mouse-lock calls.

  Without a specific frame, we were using the local root of the caller's widget, which was showing the wrong activation state in certain cases.

  (cherry picked from commit 32a0b159fdace8433876da922b04bba4063f1533)

  Bug: 981597
  Change-Id: I45a5dd88ea4c487ff4bf3a722e72bb6923fb8319
  TBR: dcheng@chromium.org
  Commit-Queue: Navid Zolghadr <nzolghadr@chromium.org>
  Reviewed-by: Daniel Cheng <dcheng@chromium.org>
  Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
  Reviewed-by: Navid Zolghadr <nzolghadr@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#684359}
  Cr-Commit-Position: refs/branch-heads/3865@{#283}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 981459 | Allan Sandfeld Jensen | 2019-10-21 | 1 file | -4/+2

  Don't assume HTMLFrameOwnerElement::GetLayoutObject is LayoutEmbeddedContent

  The comment above HTMLFrameOwnerElement::GetLayoutEmbeddedContent() says:

      // Most subclasses use LayoutEmbeddedContent (either LayoutEmbeddedObject or
      // LayoutIFrame) except for HTMLObjectElement and HTMLEmbedElement which may
      // return any LayoutObject when using fallback content.
      LayoutEmbeddedContent* GetLayoutEmbeddedContent() const;

  No new test because I couldn't reproduce the bug locally, but I believe this will fix the clusterfuzz bug.

  Bug: 981459
  Change-Id: I3ecf8022111dc25a2e862c0311ffa56467d18c2e
  Reviewed-by: Philip Rogers <pdr@chromium.org>
  Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#675712}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] Security issue 979373 | Allan Sandfeld Jensen | 2019-10-21 | 1 file | -11/+10

  Refactor computing the last box in CreateLineBoxes

  This patch refactors so that:
  a. Clarify which of the or-ed DCHECKs fails.
  b. If |line_layout_item| is a |LayoutBlockFlow| that is not |this|, degrade SECURITY_DCHECK to DCHECK. We have the wrong object, but it's not a bad cast.
  c. If |line_layout_item| is neither |LayoutInline| nor |LayoutBlockFlow|, the |LineLayoutBlockFlow| constructor has a SECURITY_DCHECK.

  This is a speculative fix as I was unable to reproduce.

  Bug: 979373
  Change-Id: Ib148009f8bdea7b599be160af72a48c86bc73d7c
  Commit-Queue: Emil A Eklund <eae@chromium.org>
  Reviewed-by: Emil A Eklund <eae@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#676079}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 973628 | Allan Sandfeld Jensen | 2019-10-21 | 7 files | -17/+72

  Avoid rewriting about:srcdoc into chrome://srcdoc

  Rewriting about:srcdoc into chrome://srcdoc is undesirable because
  1. about:srcdoc has a special meaning and, just like about:blank, has been reserved by specs like https://html.spec.whatwg.org/multipage/urls-and-fetching.html
  2. chrome:-scheme URLs are special and might have extra privileges. Therefore chrome: URLs should not be reachable by an unprivileged webpage (OTOH, the rewriting fixed here only applies to the URL *shown* to the user, not the URL that gets committed - compare WebContents's GetVisibleURL vs GetLastCommittedURL).

  Bug: 973628
  Change-Id: I021e623caf0d7e5c02a2546291bb4913412b3125
  Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
  Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
  Commit-Queue: Avi Drissman <avi@chromium.org>
  Reviewed-by: Avi Drissman <avi@chromium.org>
  Reviewed-by: Charlie Harrison <csharrison@chromium.org>
  Reviewed-by: Peter Kasting <pkasting@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#669328}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 960354 | Allan Sandfeld Jensen | 2019-10-21 | 1 file | -1/+1

  Roll src/third_party/sfntly/src/ e24c73130..48312c983 (2 commits)

  https://chromium.googlesource.com/external/github.com/googlefonts/sfntly.git/+log/e24c73130c66..48312c98332a

  Created with: roll-dep src/third_party/sfntly/src

  TBR=drott@chromium.org
  BUG=960354
  Change-Id: I7c7d982ba9648d04b05c6fe1407bf31920b08329
  Commit-Queue: Lei Zhang <thestig@chromium.org>
  Reviewed-by: Lei Zhang <thestig@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#678929}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13678/CVE-2019-13681 | Allan Sandfeld Jensen | 2019-10-21 | 3 files | -1/+9

  Pass request initiator to check whether a download can proceed

  Currently downloads use webcontents::GetURL() to check content settings. But the download can actually be triggered by javascript from another origin. This CL fixes the issue by passing the request initiator to check the content settings.

  Here is what is included in this CL:
  1. Removed the originating_web_contents param from the TabDownloadState ctor; this param is never used.
  2. Added an origin param to the DownloadRequestLimiter::CanDownload() call, which will be used to check the content settings.
  3. In DownloadRequestLimiter::CanDownloadImpl(), always do the content setting check first. This fixes a bug where any site could always trigger a download first even if its automatic download setting is blocked.
  4. For restricted origins, record their download status, so that we can differentiate origins that are blocked from origins that require a prompt.

  BUG=970378
  Change-Id: I6f7efc8b5c6b27ff3eaec1bb436c5ffbb8c8b26d
  Reviewed-by: Xing Liu <xingliu@chromium.org>
  Reviewed-by: Scott Violet <sky@chromium.org>
  Reviewed-by: Min Qin <qinmin@chromium.org>
  Commit-Queue: Min Qin <qinmin@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#672091}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] Plumb initiating origin info to download stack. | Allan Sandfeld Jensen | 2019-10-21 | 17 files | -30/+87

  This CL passes along the initiating origin of a request down into DownloadInfo and related objects. The current download objects store substantial context related to where a download comes from, but not enough to reliably determine the requesting origin. This functionality will be used in a subsequent CL to block some forms of downloads as mixed content.

  Bug: 960819
  Change-Id: Ifa2537141bb71c37665608e992ee91cd665c41ea
  Reviewed-by: Min Qin <qinmin@chromium.org>
  Reviewed-by: Joshua Bell <jsbell@chromium.org>
  Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
  Reviewed-by: Xi Han <hanxi@chromium.org>
  Reviewed-by: Christopher Thompson <cthomp@chromium.org>
  Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#658571}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-13675 | Allan Sandfeld Jensen | 2019-10-21 | 3 files | -2/+36

  Fixing extension corruption when navigating to extension resource with slash at end

  Because of how Content Verifier currently normalizes relative paths of an extension resource, it (incorrectly) drops any separators at the end of the relative path. This makes Content Verifier incorrectly think that a resource exists (if the separators came after a valid extension resource path) and this results in content verification failure.

  Fix this by ensuring content verifier path normalization does not drop the trailing separator, if present.

  Bug: 929578
  Test: Navigating to chrome-extension://<extensionId>/bar.html/ when bar.html is present must not corrupt or disable the extension.
  Change-Id: I3972643d9f9566e011070e4b01f0b1a50e3fa659
  Commit-Queue: Utkarsh Patankar <utkpat@microsoft.com>
  Auto-Submit: Utkarsh Patankar <utkpat@microsoft.com>
  Reviewed-by: Istiaque Ahmed <lazyboy@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#667431}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13674 | Allan Sandfeld Jensen | 2019-10-21 | 4 files | -5/+18

  Added Georgian d to confusables mapping

  Added Georgian d to the mapping of frequently confused symbols based on the IDN spoofing possibility of d4000.com

  Bug: 896533
  Change-Id: I2c308379ffa9d4b67923dee3d40700c0c733a696
  Reviewed-by: Tommy Li <tommycli@chromium.org>
  Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
  Commit-Queue: Cynthia Liang <liangcyn@google.com>
  Cr-Commit-Position: refs/heads/master@{#677585}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 946978 [2/2] | Allan Sandfeld Jensen | 2019-10-17 | 23 files | -200/+179

  Make GL lost context sticky.

  Move the GraphicsResetStatus logic from decoders to GLContext and make it sticky. This is to ensure that once the GL context is lost once, we never try to use the context again, as some drivers wrongly claim they recovered from it.

  Bug: 946978
  Change-Id: I1527fe6ac997ddb766c7c3fec30270c3ae84a5cd
  Commit-Queue: Antoine Labour <piman@chromium.org>
  Auto-Submit: Antoine Labour <piman@chromium.org>
  Reviewed-by: Zhenyao Mo <zmo@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#671503}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security issue 946978 [1/2] | Allan Sandfeld Jensen | 2019-10-17 | 7 files | -30/+87

  Fail decoder / SharedContextState creation if context is lost

  When the context is lost during creation, on some drivers we may have had bogus values during initialization for the static queries, which means we might have constructed a ContextState that's inconsistent with other ContextStates for the same real context, which causes problems when doing virtualized context switches. So check reset state after initialization and fail if the context is lost.

  Bug: 946978
  Change-Id: I38fb73d819dfcedf0565e6b4345c3700c49fbb07
  Commit-Queue: Antoine Labour <piman@chromium.org>
  Reviewed-by: Zhenyao Mo <zmo@chromium.org>
  Auto-Submit: Antoine Labour <piman@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#670301}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* Revert "[Backport] CVE-2019-13668" | Allan Sandfeld Jensen | 2019-10-17 | 1 file | -16/+0

  This reverts commit 8635cf233cdf15409fcce7a66f0bc4670d07cd5f.

  Reason for revert: Missing dependency

  Change-Id: If4221d3738851f48e0176b6ab6b3ed9ea6562a9f
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Apply workarounds to build extensions with gcc 5.3.1 | Michael Bruning | 2019-10-16 | 31 files | -9/+172

  Add workaround to generators and manifest handlers to make the extensions code build with GCC 5.3.1, which is missing a couple of C++14 features and has bugs with some C++11 features.

  Reverts some of the previous workarounds.

  Task-number: QTBUG-76329
  Change-Id: I2e6a268babbbb64ccdf8f703abf1afd1ee5e8857
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Convert asserts to logs and returns in the PpapiHost | Michael Brüning | 2019-10-16 | 1 file | -3/+11

  Since we previously did so for the creation of the resource, we were still receiving notifications about the destruction of the resource. Convert the NOTREACHED() to a LOG for this case. This will allow us to still play Widevine video on macOS even though resource creation failed. We still need to investigate what is actually going wrong with the resource creation, though.

  Also, format the LOG command for resource creation to be more readable.

  Task-number: QTBUG-64832
  Change-Id: I42a11b8f795626b43f05d692491b81a179c0da9e
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Security issue 974354 [2/2] | Allan Sandfeld Jensen | 2019-10-16 | 3 files | -51/+96

  Fix GpuMemoryBufferImplSharedMemory to validate received handles.

  GpuMemoryBufferImplSharedMemory wasn't verifying the size of the buffer it was receiving from another process.

  Bug: 974354
  Change-Id: I59be4278e3ac57953955153697109c7438d2c428
  Commit-Queue: Sergey Ulanov <sergeyu@chromium.org>
  Reviewed-by: Michael Spang <spang@chromium.org>
  Reviewed-by: Dominick Ng <dominickn@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#675463}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 974354 [1/2] | Allan Sandfeld Jensen | 2019-10-16 | 1 file | -0/+6

  Ensure that IOSurface is not smaller than GMB size

  Sending an IOSurface of a smaller size could induce writing out of bounds.

  Bug: 974354
  Change-Id: I8c0228e715102a96385faf5f58aacd210ee59919
  Reviewed-by: ccameron <ccameron@chromium.org>
  Reviewed-by: Greg Kerr <kerrnel@chromium.org>
  Reviewed-by: Sunny Sachanandani <sunnyps@chromium.org>
  Commit-Queue: ccameron <ccameron@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#674614}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 964938 | Allan Sandfeld Jensen | 2019-10-16 | 1 file | -1/+1

  Attempt to resolve the msan bug reported.

  The bug is not reproducible locally. So just trying this to see whether it has any effect on clusterfuzz.

  Bug: 964938
  Change-Id: I1ac7bee442facf2f4764b16e80caa766e0000e75
  Reviewed-by: Timothy Dresser <tdresser@chromium.org>
  Commit-Queue: Navid Zolghadr <nzolghadr@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#670492}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] Security issue 946351 | Allan Sandfeld Jensen | 2019-10-16 | 2 files | -12/+21

  [Opus] Avoid processing LPC coeffs beyond the given order in NEON optimizations

  Apply patch from https://git.xiph.org/?p=opus.git;a=commit;h=812ae3fb5c589aaafe761b8ebf86bcbbb8f0ed76

  Bug: 946351
  Change-Id: I55f2abb3950ff86780a68ef7ee8d28e142c0fd23
  Reviewed-by: James Zern <jzern@google.com>
  Commit-Queue: Felicia Lim <flim@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#680520}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13673 | Allan Sandfeld Jensen | 2019-10-16 | 3 files | -5/+5

  [inspector] Generate custom previews in the objects creation context.

  Generating custom previews can invoke user specified JavaScript (via the `window.devtoolsFormatters` custom formatters feature). These custom formatters were previously invoked in the main page context, even for objects coming from other `<iframe>`s. Instead of using the main renderer context, we should instead generate the custom preview in the creation context of the object.

  Bug: chromium:997925
  Change-Id: Ia07915cff6680153b6727e68117ed565e60bc1c2
  Reviewed-by: Yang Guo <yangguo@chromium.org>
  Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#63476}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13668 | Allan Sandfeld Jensen | 2019-10-16 | 1 file | -0/+16

  Calls to {console} require an access check for the provided arguments

  This CL adds an access check for the arguments to all calls to {console} like {console.log}. This is needed since the DevTools protocol notification event does not contain the context in which the {console.log} call occurred. Only the context of the argument. When DevTools then reads properties for the preview of the argument, it uses the argument's context instead of the calling context, potentially leaking objects/exceptions into the calling context.

  Bug: chromium:987502, chromium:986393
  Change-Id: I6f7682f7bee94a28ac61994bad259bd003511c39
  Commit-Queue: Simon Zünd <szuend@chromium.org>
  Reviewed-by: Yang Guo <yangguo@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#63122}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13665 | Allan Sandfeld Jensen | 2019-10-16 | 9 files | -1/+37

  Fix multiple download protection for <a download> x-origin redirect

  The bug: multiple downloads protection is bypassed when there are multiple <a download> download attempts and they end up triggering a x-origin redirect to another download.

  The cause: Each x-origin redirect following the <a download> is being treated as a navigation. (See DownloadManagerImpl::InterceptDownload() (NetworkService enabled), DownloadResourceHandler::OnRequestRedirected() (NetworkService disabled)). The navigation will hit DownloadRequestLimiter::TabDownloadState::DidStartNavigation that resets some state of the limiter, and future downloads won't be prevented.

  The solution: plumb |from_download_cross_origin_redirect| to NavigationRequest, and skip resetting the limiter state when the flag is true.

  Bug: 959640
  Change-Id: I7d8aca09670be5258e149e34e3e6f2f3107442ff
  Reviewed-by: Jochen Eisinger <jochen@chromium.org>
  Reviewed-by: Min Qin <qinmin@chromium.org>
  Commit-Queue: Yao Xiao <yaoxia@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#665973}
  Reviewed-by: Michael Brüning <michael.bruning@qt.io>
* [Backport] CVE-2019-13663 [2/2] | Allan Sandfeld Jensen | 2019-10-16 | 2 files | -5/+21

  Block CJK ideographs looking like slashes in domain names

  This CL blocks the following characters from appearing in unicode domain names when they're surrounded by non-Japanese scripts:
  "丶" (CJK unified ideograph, U+4E36)
  "乀" (CJK unified ideograph, U+4E40)
  "乁" (CJK unified ideograph, U+4E41)
  "丿" (CJK unified ideograph, U+4E3F)

  None of these characters are currently used in domain names so the real world impact is nil.

  Bug: 863661
  Change-Id: Ifc3a40d46d957bc99383445a71577a0cba744aec
  Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
  Reviewed-by: Tommy Li <tommycli@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#679205}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security issue 990234 | Allan Sandfeld Jensen | 2019-10-16 | 3 files | -15/+41

  sqlite: Backport bugfix (M77 Cherry-Pick)

  (cherry picked from commit 8dddf1d5d3f8525e028aee71be6a5bc2e1fe1098)

  Bug: 990234
  Change-Id: I6c8754c21ef2a1f5b712790cd43145e4853fea55
  Reviewed-by: Chris Mumford <cmumford@google.com>
  Commit-Queue: Darwin Huang <huangdarwin@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#700044}
  Cr-Commit-Position: refs/branch-heads/3865@{#873}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-13664 | Allan Sandfeld Jensen | 2019-10-16 | 5 files | -32/+68

  [m77-attempt#2] Use navigation initiator for calculating the `Origin` header's value.

  Before this CL, AddAdditionalRequestHeaders would set the Origin header to either the destination origin (for main frame navigations) or to the main frame's origin (for subframe navigations). Both of these are wrong and don't match Blink behavior (which correctly uses the initiator of the navigation to calculate the Origin header's value).

  Tbr: avi@chromium.org, nasko@chromium.org, lukasza@chromium.org, zhongyi@chromium.org
  Bug: 915538
  Change-Id: I3e15b218b159ec86d47d1e5d8628d32653f4b483
  Cr-Original-Original-Commit-Position: refs/heads/master@{#689562}
  Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#632}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-13633 [1/2] | Allan Sandfeld Jensen | 2019-10-16 | 2 files | -27/+63

  Block U+4E00 and U+3127 from IDN when used next to non-CJK characters

  This CL blocks CJK unified ideograph 一 and Bopomofo letter I (ㄧ) from domain names if they are next to non-CJK characters. As a result, the domain will be shown as punycode.

  U+2F00 (Kangxi Radical One) is a similar character but it's normalized to U+4E00 and implicitly blocked.

  This change doesn't affect any popular domains. It also doesn't prevent attacks with pure CJK characters, unfortunately. Such attacks are more likely to be prevented by the lookalike domain warnings launched in M75.

  Bug: 863661
  Change-Id: I600fef90a0a1ebb12b3c707fa529e4a5711b2c0c
  Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
  Reviewed-by: Tommy Li <tommycli@chromium.org>
  Reviewed-by: Daniel Cheng <dcheng@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#670711}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-13660 | Allan Sandfeld Jensen | 2019-10-16 | 2 files | -2/+53

  Improve dropping fullscreen for security.

  If dropping fullscreen for security, drop all pages in the opener chain that are in fullscreen.

  BUG=882363
  TEST=as in bug
  Change-Id: Ia730989dd77ff05fd724b1ead97dfa836e5b19e2
  Commit-Queue: Avi Drissman <avi@chromium.org>
  Reviewed-by: Robert Sesek <rsesek@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#671076}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] Security issue 986727 [2/2] | Allan Sandfeld Jensen | 2019-10-14 | 2 files | -5/+9

  Fix NEON optimizations buffer read overrun

  - Patch https://git.xiph.org/?p=opus.git;a=commit;h=cd529ed
  - Undo change from https://chromium-review.googlesource.com/c/chromium/src/+/1746617, which truncated the buffer too early

  (cherry picked from commit afc68cb76979eaa1cfe9666aac2b0822f30c641e)

  Bug: 986727
  Change-Id: Iefb890ff828d8703a24bd61ec1411c8476b03a29
  Reviewed-by: James Zern <jzern@google.com>
  Commit-Queue: Felicia Lim <flim@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#693783}
  Reviewed-by: Felicia Lim <flim@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#862}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] Security issue 986727 [1/2] | Allan Sandfeld Jensen | 2019-10-14 | 2 files | -1/+3

  Fix NEON optimizations overrun buffer due to improper termination condition

  (cherry picked from commit 2152a810537c819e0ecb4375aeeb53319489565f)

  Bug: 986727
  Change-Id: Ic5dac9ca94c4ab6bb66586ed512c74f6abfa049e
  Commit-Queue: Felicia Lim <flim@chromium.org>
  Reviewed-by: James Zern <jzern@google.com>
  Cr-Original-Commit-Position: refs/heads/master@{#685675}
  Reviewed-by: Felicia Lim <flim@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#861}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-13694 | Allan Sandfeld Jensen | 2019-10-14 | 1 file | -4/+12

  Fix heap-use-after-free in setLocalDescription/setRemoteDescription.

  This is another case where the pc handler invokes JavaScript callbacks which could cause the PC+handler to be deleted. The fix is to invoke the callback as the last step before returning.

  (cherry picked from commit 0cd560eea3e00305765c2a9da7ec959ccb757460)

  Bug: 1005251
  Change-Id: I9a06ed0a6885b2f6d46e6646c2df0a9d07e79a2d
  Reviewed-by: Guido Urdaneta <guidou@chromium.org>
  Commit-Queue: Henrik Boström <hbos@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#701778}
  Cr-Commit-Position: refs/branch-heads/3865@{#869}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Kirill Burtsev <kirill.burtsev@qt.io>
* [Backport] CVE-2019-13659 | Allan Sandfeld Jensen | 2019-10-14 | 1 file | -0/+2

  Disallow combining Kana voiced sound marks (U+3099 and U+309A) in IDN

  This CL disallows U+3099 and U+309A characters from domain names. Any IDN containing these characters will be displayed as punycode. As of July 2019, these characters are not used in any popular domains.

  Bug: 868846
  Change-Id: I7e36b30d7dcaf167fb3a6eb23b96f0aa4bd393ee
  Reviewed-by: Christopher Thompson <cthomp@chromium.org>
  Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#681043}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-13697 | Allan Sandfeld Jensen | 2019-10-14 | 1 file | -2/+1

  [M77] [resource-timing] Report performance entries with failing status codes

  Currently we don't report performance entries with failing status codes. From the spec's perspective, reporting aborts is a MAY, but failing status code responses should not be considered aborts. [1] Chromium is the only engine which doesn't report those entries. This CL fixes that to report them similarly to successful status codes.

  Bug: 883400, 990849
  Change-Id: Ic5e99e3df77f3869aa0dd70f0141d88016fdb972

  [1] https://github.com/w3c/resource-timing/issues/165#issuecomment-441413636

  (cherry picked from commit 5e556dd80e03b7a217e10990d71be25d07e1ece7)

  Change-Id: Ic5e99e3df77f3869aa0dd70f0141d88016fdb972
  Commit-Queue: Yoav Weiss <yoavweiss@chromium.org>
  Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
  Reviewed-by: Mike West <mkwst@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#695596}
  Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#857}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-13695 | Allan Sandfeld Jensen | 2019-10-14 | 3 files | -6/+15

  [merge m77] media: Keep |cdm_context_ref_| in mojo media services on failure

  When unexpected failure happens, we expect the service to stay in a valid state.

  (cherry picked from commit d496219fd9061eaba1be73be05f8fac1dda86a27)

  Bug: 1004730
  Test: Manually tested
  Change-Id: Ib35035705e4604b9aa8cf5212de07bc1069e73d4
  Commit-Queue: Xiaohan Wang <xhwang@chromium.org>
  Reviewed-by: John Rummell <jrummell@chromium.org>
  Reviewed-by: Daniel Cheng <dcheng@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#697907}
  Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#843}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-13693 | Allan Sandfeld Jensen | 2019-10-14 | 2 files | -4/+8

  IndexedDB: Unregister cursors from transactions more consistently.

  IndexedDBCursor now calls IndexedDBTransaction::UnregisterOpenCursor() in Close(), which is called by the destructor. The previous setup missed an edge case where calling IndexedDBCursor::Close() directly would not unregister the cursor. This behavior was relied upon in IndexedDBTransaction::CloseOpenCursors(), but was not intended at other callsites.

  (cherry picked from commit 23303e6f178ca2993bfde7114e6bdf48dd0eff9d)

  Bug: 1005753
  Change-Id: I91944138d05faa2d91ecc03b1040ec16ca1a7e5f
  Reviewed-by: Joshua Bell <jsbell@chromium.org>
  Commit-Queue: Victor Costan <pwnall@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#699937}
  Reviewed-by: Victor Costan <pwnall@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#872}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-13687 | Allan Sandfeld Jensen | 2019-10-14 | 1 file | -5/+4

  [Video Capture Manager] Convert pointers from Unretained to WeakPtr.

  This CL replaces the usage of unretained pointers with weak pointers in VideoCaptureManager. This conversion is safe because all places where the pointers are saved are on the IO thread, as well as the place where the callbacks are then executed (see line 326 and 348).

  BUG=998548

  (cherry picked from commit b740a6052b00ebeec4bdc3044a130aab0c64ab05)

  Change-Id: I47bda798fa7bcbd66bf23682ee6c6dd26b5642c1
  Reviewed-by: Guido Urdaneta <guidou@chromium.org>
  Commit-Queue: Armando Miraglia <armax@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#694214}
  Reviewed-by: Armando Miraglia <armax@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#801}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-13688 | Allan Sandfeld Jensen | 2019-10-14 | 1 file | -10/+8

  [Video Capture Manager] Delete all occurrences of device start requests queued.

  The vulnerability indicated in crbug.com/995964 suggests that the core issue relates to the assumption that device_start_request_queue_ can only contain one occurrence of a controller while this might not be the case. This change makes sure that all occurrences of a controller are removed from the list, instead of removing only the first one found.

  BUG=995964

  (cherry picked from commit f33b0b8907693ef8401f631ab4c3fe7424c84aae)

  Change-Id: Ice2a1da37d13339128d3d52d25daa252c5d61155
  Reviewed-by: Guido Urdaneta <guidou@chromium.org>
  Commit-Queue: Armando Miraglia <armax@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#694255}
  Reviewed-by: Armando Miraglia <armax@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#802}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-13692 | Allan Sandfeld Jensen | 2019-10-14 | 2 files | -4/+75

  Require dedicated process for all WebUI schemes.

  This changes SiteInstanceImpl::DoesSiteURLRequireDedicatedProcess() to return true for all WebUI schemes instead of just singling out the chrome: scheme. This ensures that these URLs get placed in dedicated processes even if site isolation is disabled.

  (cherry picked from commit 7be7426134cc4978a253f3be6dcdbf77ee25702f)

  Bug: 991153,991888
  Change-Id: I1af3b87ac39d93f6e45587a5b3845a176f98b7bd
  Commit-Queue: Aaron Colwell <acolwell@chromium.org>
  Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#689561}
  Reviewed-by: Aaron Colwell <acolwell@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#595}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-13691 | Allan Sandfeld Jensen | 2019-10-14 | 5 files | -19/+105
  Security: Fixing URL spoof via cross-site iframe top navigation.

  Currently, it is possible to spoof the URL of a site by starting a navigation in the main frame and having a cross-site iframe initiating another navigation in its parent frame (with extra steps for it to be user visible). This can also be used to cancel any browser initiated navigation in the main frame.

  The CL addresses the issue by adding checks similar to what exists in BeginNavigation on the FrameProxy::OpenURL path.

  Bug: 966914
  Change-Id: If547c2ef4b30b2e0323141005583412c12bfef8e
  Reviewed-by: Camille Lamy <clamy@chromium.org>
  Commit-Queue: Arthur Hemery <ahemery@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#668435}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-5876 | Allan Sandfeld Jensen | 2019-10-14 | 6 files | -11/+61
  [Media Session] Fix issues in media session

  For more context, please see the bug.

  This CL is in two parts:
  1) Unconditionally remove the player from the media session
  2) Do not add a pepper player if focus fails

  BUG=997190
  (cherry picked from commit e30383d507bb7f94a42a32c42d98ff2dd4811166)
  Change-Id: I2f20d94762a2908c7531ce35cc2df110e5ba13aa
  Commit-Queue: Becca Hughes <beccahughes@chromium.org>
  Reviewed-by: Tommy Steimel <steimel@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#690096}
  Reviewed-by: Becca Hughes <beccahughes@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#600}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-5875 | Allan Sandfeld Jensen | 2019-10-14 | 6 files | -1/+90
  Pass renderer initiated flag for navigations triggered by cross-origin download

  If a navigation is triggered by a cross-origin download initiated by the renderer, the navigation should carry the renderer initiated flag.

  BUG=979443
  (cherry picked from commit 6d7c9ec2923a71d3f9acb7fdd019a5e56f44c09b)
  Change-Id: I0716193768a5473f70e909b7efbb5fc74933d89e
  Reviewed-by: Xing Liu <xingliu@chromium.org>
  Commit-Queue: Min Qin <qinmin@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#690869}
  Reviewed-by: Min Qin <qinmin@chromium.org>
  Cr-Commit-Position: refs/branch-heads/3865@{#714}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
* [Backport] CVE-2019-5872 | Allan Sandfeld Jensen | 2019-10-14 | 2 files | -0/+8
  Close FileSystemOperationListener bindings on PreFinalizer

  This is a speculative CL to the UAP observed on crbug.com/c/981492. It basically early-closes FileSystemDispatcher's mojo bindings manually, a common pattern for Blink's GC objects that own mojo bindings.

  BUG=981492
  R=haraken@chromium.org, mek@chromium.org
  TBR=tonikitoo@igalia.com
  (cherry picked from commit cfd44efa92afda3eb1944ae2f862bd444553a78c)
  Change-Id: I0ffff4798532df5dda1ee74e4bbe8a887b5c68ee
  Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
  Reviewed-by: Kentaro Hara <haraken@chromium.org>
  Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
  Auto-Submit: Antonio Gomes <tonikitoo@igalia.com>
  Cr-Original-Commit-Position: refs/heads/master@{#685700}
  Reviewed-by: Antonio Gomes <tonikitoo@igalia.com>
  Cr-Commit-Position: refs/branch-heads/3865@{#606}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* [Backport] CVE-2019-5870 | Allan Sandfeld Jensen | 2019-10-14 | 2 files | -1/+6
  Merge "Add more checks in MojoCdmService"

  This is to prevent abnormal cases from happening.

  (cherry picked from commit b7b305f3389017cc42e2cfac6e7a319f42d5bde3)
  Bug: 999311
  Test: Tested w/ shaka player demo and existing unit tests pass
  Change-Id: Icef06d979351f16386cf3cbb177971a57a1e264c
  Auto-Submit: Xiaohan Wang <xhwang@chromium.org>
  Reviewed-by: Daniel Cheng <dcheng@chromium.org>
  Reviewed-by: John Rummell <jrummell@chromium.org>
  Commit-Queue: Daniel Cheng <dcheng@chromium.org>
  Commit-Queue: Xiaohan Wang <xhwang@chromium.org>
  Cr-Original-Commit-Position: refs/heads/master@{#691911}
  Cr-Commit-Position: refs/branch-heads/3865@{#688}
  Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
  Reviewed-by: Michal Klocek <michal.klocek@qt.io>
* Reintroduce glib event loop 3/3 | Michal Klocek | 2019-10-11 | 3 files | -1/+8
  Do not compile libevent when using glib, add missing glib io message loop pump.

  Change-Id: I0979659298889045475576cf5176433e9c587e9e
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Reintroduce glib event loop 2/3 | Nick Diego Yamane | 2019-10-11 | 19 files | -50/+187
  Make it possible to use glib message pump in Ozone

  Ozone implementation assumes libevent MessagePump is used (more specifically, MessagePumpLibevent and X11EventSourceLibevent are directly referenced), which makes it impossible to build/run ozone-based builds with use_glib=true. This CL changes it, making use mainly of Message{Pump,Loop}CurrentFor{UI,IO} APIs.

  The main motivation for this is to bring up glib MessagePump/EventSource in ozone/x11 UI thread, which is part of the effort to migrate away from Aura/X11 to Ozone in Linux desktop. So, with this change, use_glib can be set to true when configuring ozone/linux builds. Additionally, X11EventSourceLibevent is renamed (as it is not libevent-specific anymore).

  Also, from now on it will be possible to start XEvent => ui::Event migration in Aura/X11, reducing even more the delta between ozone and non-ozone X11. A preliminary step towards that is done in this CL, which consists of moving XEventDispatcher API out of X11EventSourceDelegate into X11EventSource, so that its consumers should not use delegate implementation to register/unregister |XEventDispatcher|s anymore, thus making delegate implementation more like an internal detail. At some point it might make sense to merge delegate impl into X11EventSource and even move it into ozone/x11 layer.

  Bug: 988094, 789065
  Change-Id: I46c38aa26475ae8f3f89ef0c632d4c8ffb76fd7c
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport] Reintroduce glib message event loop 1/3 | Nick Diego Yamane | 2019-10-11 | 4 files | -14/+456
  Implement file descriptor watching API in MessagePumpGlib

  The main user of GLib MessagePump implementation is Aura/X11, while Ozone-based ports use mainly libevent version, which exposes WatchFileDescriptor API that is used by higher level components through MessageLoop[Current]For{UI,IO} interfaces. Currently, there's no such API in MessagePumpGlib.

  The motivation here is to make MessageLoopCurrent API usage transparent, regardless of which message pump is used in UI thread. This benefits X11 migration to Ozone on Linux desktop, which (just like Aura/X11) must integrate with Gtk, so a GLib-based loop in the browser's main thread is a natural path.

  So, this CL implements the aforementioned API in GLib MessageLoop following the same design, assumptions and overall structure as its original libevent-based version. As a follow-up, https://crrev.com/c/1730972 refactors code using MessagePumpLibevent::{FdWatchController,FdWatcher} directly, replacing them by MessageLoopCurrent*ForUI counterparts as well as refactoring X11EventSourceLibevent (whose implementation has been used as a reference for this CL) in the same direction, so in the end it has no libevent specific code and the build-time glib/libevent switch (use_glib gn var) is possible.

  Bug: 988094, 789065
  Change-Id: Ifee758b6893cea54892b88f16951d9d3d4827d41
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Workaround presumably wrong macOS SDK detection | Peter Varga | 2019-10-09 | 1 file | -1/+4
  Task-number: QTBUG-78997
  Change-Id: If2915cadda10bc29e9a5596dda0b39fa57623167
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
  Reviewed-by: Dmitriy Kuminov <coding@dmik.org>
* Fix use of deprecated method for scanning wifi networks | Michael Brüning | 2019-10-09 | 1 file | -8/+3
  scanForNetworksWithParameters has been removed in the SDK that ships with Xcode 11. Replace its use with scanForNetworksWithName. The results should be the same.

  Task-number: QTBUG-78997
  Change-Id: Ifaeb6b380d02364133280b44644ae8ca1e51119a
  Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
  Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
  (cherry picked from commit 1f1bd0af331476d46fe69ceb6df14b82f98cd54d)
  Reviewed-by: Dmitriy Kuminov <coding@dmik.org>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* [Backport][ios] Get things compiling on Xcode 11. | Peter Varga | 2019-10-09 | 2 files | -7/+19
  Updates various files to conform to iOS 13 SDK header changes:
    Nullability and availability changes
    Updates security types
    Updated default values (modalPresentationStyle)
    Updates objc_zombie with IMP changes (as well as adding the accidentally-omitted tests)

  Task-number: QTBUG-78997
  Change-Id: I949717fbe3823a7d867b2b854f05d52f20478ea6
  Commit-Queue: Justin Cohen <justincohen@chromium.org>
  Reviewed-by: Mark Mentovai <mark@chromium.org>
  Reviewed-by: Mark Cogan <marq@chromium.org>
  Reviewed-by: edchin <edchin@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#666142}
  Reviewed-by: Dmitriy Kuminov <coding@dmik.org>
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>