-
Ionel Popescu authored
This is a reland of c64eed06 The difference from the original change is that this CL updates the color-picker-show-eye-dropper.html test to provide user activation. Original change's description: > Add security mitigations for eye dropper IPC. > > As discussed on the security review this CL adds the following mitigations: > - require a transient user activation on the browser side, and consume > it when showing the eye dropper for the renderer (this will prevent a > compromised renderer to repeatedly ask for a color) > - require the eye dropper UI to be visible for a minimum amount of time > before color selection is allowed in order to ensure the user has a > chance to see the UI. > > There is also a fix for the popup not correctly updating the user > activation state. This happens because it is using a > EmptyLocalFrameClient and its frame is not related to the > owner element's frame. > > Bug: 992297 > Change-Id: Ia5d2aead0be153ce4b49048552062de3a6c72e63 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2442132 > Reviewed-by: Kent Tamura <tkent@chromium.org> > Reviewed-by: Mason Freed <masonfreed@chromium.org> > Reviewed-by: Avi Drissman <avi@chromium.org> > Commit-Queue: Mason Freed <masonfreed@chromium.org> > Cr-Commit-Position: refs/heads/master@{#812847} TBR=avi@chromium.org,tkent@chromium.org,masonfreed@chromium.org Bug: 992297 Change-Id: Icecebf941b277790e12a12d06bca5b20da404ff1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2450731Reviewed-by:
Ionel Popescu <iopopesc@microsoft.com> Reviewed-by:
Kent Tamura <tkent@chromium.org> Reviewed-by:
Avi Drissman <avi@chromium.org> Reviewed-by:
Mason Freed <masonfreed@chromium.org> Commit-Queue: Ionel Popescu <iopopesc@microsoft.com> Cr-Commit-Position: refs/heads/master@{#814008}
d60c7e15
