Close the GuestView shadow root

Now that we're using Shadow DOM v1, we have the option to make the
shadow DOM unreachable by outside script by specifying a closed
encapsulation mode. Now GuestViews will behave more like other
elements defined by the browser which internally use shadow DOM.
This also prevents script from interfering with our internal elements
and producing unexpected behaviour.

Bug: 892886, 803274
Change-Id: I57b2513e3ff7290e286b3d8391e7d93bac2bc4e9
Reviewed-on: https://chromium-review.googlesource.com/c/1342768
Commit-Queue: Kevin McNee <mcnee@chromium.org>
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#612232}

chrome/test/data/extensions/platform_apps/web_view/shim/main.js

@@ -3074,8 +3074,11 @@ function testFocusWhileFocused() {
     // Focus twice, then make sure that the internal element is still focused.
     webview.focus();
     webview.focus();
-    embedder.test.assertTrue(document.activeElement = webview);
-    embedder.test.assertTrue(webview.shadowRoot.activeElement);
+    embedder.test.assertEq(document.activeElement, webview);
+    var webviewPrivates =
+        chrome.test.getModuleSystem(webview).privates(webview);
+    var shadowRoot = webviewPrivates.internal.shadowRoot;
+    embedder.test.assertTrue(shadowRoot.activeElement);
     embedder.test.succeed();
   });
 

extensions/browser/guest_view/web_view/web_view_apitest.cc

@@ -832,4 +832,8 @@ IN_PROC_BROWSER_TEST_F(WebViewAPITest, TestNoUserCodeFocus) {
   RunTest("testFocus", "web_view/no_internal_calls_to_user_code", false);
 }
 
+IN_PROC_BROWSER_TEST_F(WebViewAPITest, TestClosedShadowRoot) {
+  RunTest("testClosedShadowRoot", "web_view/apitest");
+}
+
 }  // namespace extensions

extensions/renderer/resources/guest_view/guest_view_container.js

@@ -32,7 +32,7 @@ function GuestViewContainer(element, viewType) {
   this.setupAttributes();
 
   this.internalElement = this.createInternalElement$();
-  this.shadowRoot = $Element.attachShadow(this.element, {mode: 'open'});
+  this.shadowRoot = $Element.attachShadow(this.element, {mode: 'closed'});
   $Node.appendChild(this.shadowRoot, this.internalElement);
 
   GuestViewInternalNatives.RegisterView(this.viewInstanceId, this, viewType);

extensions/test/data/web_view/apitest/main.js

@@ -1831,6 +1831,29 @@ function testCaptureVisibleRegion() {
 
 function captureVisibleRegionDoCapture() {}
 
+// Ensure we use the closed encapsulation mode for the guest view shadow DOM
+// to prevent script from interfering with our internal elements and producing
+// unexpected behaviour.
+function testClosedShadowRoot() {
+  // Script could overwrite attachShadow to ignore the provided encapsulation
+  // mode. Ensure this does not happen when creating the guest view shadow
+  // DOM.
+  Element.prototype.realAttachShadow = Element.prototype.attachShadow;
+  Element.prototype.attachShadow = function() {
+    window.console.log('Tainted attachShadow was called.');
+    embedder.test.fail();
+    return this.realAttachShadow({mode: 'open'});
+  };
+
+  var webview = document.createElement('webview');
+  webview.src = 'data:text/html,webview test'
+  webview.addEventListener('loadstop', () => {
+    embedder.test.assertFalse(webview.shadowRoot);
+    embedder.test.succeed();
+  });
+  document.body.appendChild(webview);
+}
+
 // Tests end.
 
 embedder.test.testList = {
@@ -1905,7 +1928,8 @@ embedder.test.testList = {
   'testWebRequestAPIWithHeaders': testWebRequestAPIWithHeaders,
   'testWebRequestAPIExistence': testWebRequestAPIExistence,
   'testWebRequestAPIGoogleProperty': testWebRequestAPIGoogleProperty,
-  'testCaptureVisibleRegion': testCaptureVisibleRegion
+  'testCaptureVisibleRegion': testCaptureVisibleRegion,
+  'testClosedShadowRoot': testClosedShadowRoot,
 };
 
 onload = function() {