    chromeos: Adds two phase embedding to window server · a8140751
    Scott Violet authored
    For OOPIF we want the parent renderer to embed the child. This is
    mediated by the browser. That is, we want something like the
    following:
    
    1. Browser obtains WindowTreeClient from child renderer (cWTC).
    2. Browser passes cWTC to parent renderer.
    3. Parent renderer creates Window in mus and calls Embed() with cWTC.
    
    Unfortunately in step 2 if the parent renderer were compromised then
    it could directly call functions on cWTC, such as spoofing
    events. This is a security problem.
    
    To avoid this scenario I'm adding the option of a two phase
    embed. This results in the following:
    
    1. Browser obtains WindowTreeClient from child renderer (cWTC).
    2. Browser calls ScheduleEmbed() on its WindowTree
       connection. ScheduleEmbed is a new function that takes a
       WindowTreeClient and returns a token.
    3. Browser waits for token.
    4. Browser passes token to parent renderer.
    5. Parent renderer creates Window in mus and calls Embed() passing
       token.
    
    With this flow renderers don't end up with a WindowTreeClient from a
    different client.
    
    BUG=758387
    TEST=covered by tests
    
    Change-Id: I819a57cd811d4939cbeecec8aeb8273eefca64f5
    Reviewed-on: https://chromium-review.googlesource.com/699519
    Reviewed-by: Ken Buchanan <kenrb@chromium.org>
    Reviewed-by: Michael Wasserman <msw@chromium.org>
    Commit-Queue: Scott Violet <sky@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#506476}
window_tree_client.cc 86.7 KB
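
The token flow described in the commit message, modeled as an added example (not Chromium's code and not part of the commit): the server keeps the child's WindowTreeClient and the parent renderer only ever receives a token. Apart from ScheduleEmbed, Embed and WindowTreeClient, all names and signatures are hypothetical, and single-use tokens are an assumption.

```cpp
// Simplified model of the two-phase embed; added example, not Chromium code.
// Only ScheduleEmbed/Embed/WindowTreeClient are names from the commit message;
// every type, field and signature below is hypothetical.
#include <cstdint>
#include <map>
#include <random>
#include <string>
#include <utility>

struct WindowTreeClient { std::string owner; };  // stand-in for the interface
using Token = std::pair<uint64_t, uint64_t>;     // opaque 128-bit handle

class WindowServer {
 public:
  // Phase 1 (browser): park the child's client in the server, get a token.
  Token ScheduleEmbed(WindowTreeClient client) {
    Token t{Rand64(), Rand64()};
    pending_[t] = std::move(client);
    return t;
  }
  // Phase 2 (parent renderer): redeem the token for a window it created.
  // The renderer names the client only by token and never holds cWTC.
  bool Embed(int window_id, const Token& t) {
    auto it = pending_.find(t);
    if (it == pending_.end()) return false;  // unknown or already redeemed
    embedded_[window_id] = std::move(it->second);
    pending_.erase(it);  // assumption: a token is valid for one embed
    return true;
  }
  // Owner of the client embedded in window_id, or "" if none.
  std::string EmbeddedOwner(int window_id) const {
    auto it = embedded_.find(window_id);
    return it == embedded_.end() ? std::string() : it->second.owner;
  }

 private:
  // std::random_device stands in for a cryptographically secure generator.
  uint64_t Rand64() { return (static_cast<uint64_t>(rng_()) << 32) | rng_(); }
  std::random_device rng_;
  std::map<Token, WindowTreeClient> pending_;
  std::map<int, WindowTreeClient> embedded_;
};

int main() {
  WindowServer mus;
  Token token = mus.ScheduleEmbed(WindowTreeClient{"child renderer"});  // browser
  bool first = mus.Embed(1, token);   // parent renderer redeems the token
  bool replay = mus.Embed(2, token);  // second use is refused
  return (first && !replay) ? 0 : 1;
}
```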