[Mac] Stop performing direct NSColor lookups in the renderer process.

In blink::LayoutThemeMac, various system color properties are retrieved
from NSColor. These system colors are part of the "dynamic system color
store", and trying to access them may cause issues with the sandbox.

This augments the blink::WebSandboxSuport interface on Mac to look up
system colors via a shared memory segment that is populated by the
browser. In addition, this centralizes the various Mac implementations
of that interface into a single one.

      System Prefs>General and change the Highlight Color. Upon going
      back to Chrome, the new highlight color should be visible.

Bug: 641509, 36032
Test: Highlight some text on a web page. Then go to
Change-Id: I3bc05c08ecab62b1fc68442d3edd93ec7edb8590
Reviewed-on: https://chromium-review.googlesource.com/c/1331133Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609719}

content/browser/BUILD.gn

@@ -1940,6 +1940,8 @@ jumbo_source_set("browser") {
     sources += [
       "gpu/ca_transaction_gpu_coordinator.cc",
       "gpu/ca_transaction_gpu_coordinator.h",
+      "sandbox_support_mac_impl.h",
+      "sandbox_support_mac_impl.mm",
       "web_contents/web_contents_ns_view_bridge.h",
       "web_contents/web_contents_ns_view_bridge.mm",
     ]

content/browser/sandbox_support_mac_impl.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_BROWSER_SANDBOX_SUPPORT_MAC_IMPL_H_
+#define CONTENT_BROWSER_SANDBOX_SUPPORT_MAC_IMPL_H_
+
+#include "base/macros.h"
+#include "content/common/sandbox_support_mac.mojom.h"
+#include "mojo/public/cpp/bindings/binding_set.h"
+
+namespace service_manager {
+struct BindSourceInfo;
+}
+
+namespace content {
+
+// Performs privileged operations on behalf of sandboxed child processes.
+// This is used to implement the blink::WebSandboxSupport interface in the
+// renderer. However all child process types have access to this interface.
+// This class lives on the IO thread and is owned by the Mojo interface
+// registry.
+class SandboxSupportMacImpl : public mojom::SandboxSupportMac {
+ public:
+  SandboxSupportMacImpl();
+  ~SandboxSupportMacImpl() override;
+
+  void BindRequest(mojom::SandboxSupportMacRequest request,
+                   const service_manager::BindSourceInfo& source_info);
+
+  // content::mojom::SandboxSupportMac:
+  void GetSystemColors(GetSystemColorsCallback callback) override;
+
+ private:
+  mojo::BindingSet<mojom::SandboxSupportMac> bindings_;
+
+  DISALLOW_COPY_AND_ASSIGN(SandboxSupportMacImpl);
+};
+
+}  // namespace content
+
+#endif  // CONTENT_BROWSER_SANDBOX_SUPPORT_MAC_IMPL_H_

content/browser/sandbox_support_mac_impl.mm

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#import "content/browser/sandbox_support_mac_impl.h"
+
+#include "base/bind.h"
+#include "base/task/post_task.h"
+#include "base/task_runner_util.h"
+#import "content/browser/theme_helper_mac.h"
+#include "content/public/browser/browser_task_traits.h"
+
+namespace content {
+
+SandboxSupportMacImpl::SandboxSupportMacImpl() = default;
+
+SandboxSupportMacImpl::~SandboxSupportMacImpl() = default;
+
+void SandboxSupportMacImpl::BindRequest(
+    mojom::SandboxSupportMacRequest request,
+    const service_manager::BindSourceInfo& source_info) {
+  bindings_.AddBinding(this, std::move(request));
+}
+
+void SandboxSupportMacImpl::GetSystemColors(GetSystemColorsCallback callback) {
+  auto task_runner =
+      base::CreateSingleThreadTaskRunnerWithTraits({BrowserThread::UI});
+  base::PostTaskAndReplyWithResult(
+      task_runner.get(), FROM_HERE,
+      base::BindOnce(&ThemeHelperMac::DuplicateReadOnlyColorMapRegion,
+                     base::Unretained(ThemeHelperMac::GetInstance())),
+      std::move(callback));
+}
+
+}  // namespace content

content/browser/service_manager/common_browser_interfaces.cc

@@ -33,6 +33,7 @@
 #include "content/browser/renderer_host/dwrite_font_proxy_message_filter_win.h"
 #include "content/public/common/font_cache_dispatcher_win.h"
 #elif defined(OS_MACOSX)
+#include "content/browser/sandbox_support_mac_impl.h"
 #include "content/common/font_loader_dispatcher_mac.h"
 #endif
 
@@ -51,6 +52,9 @@ class ConnectionFilterImpl : public ConnectionFilter {
             {base::TaskPriority::USER_BLOCKING, base::MayBlock()}));
 #elif defined(OS_MACOSX)
     registry_.AddInterface(base::BindRepeating(&FontLoaderDispatcher::Create));
+    registry_.AddInterface(
+        base::BindRepeating(&SandboxSupportMacImpl::BindRequest,
+                            base::Owned(new SandboxSupportMacImpl)));
 #endif
     if (!features::IsMultiProcessMash()) {
       // For mus, the mojom::discardable_memory::DiscardableSharedMemoryManager

content/browser/theme_helper_mac.h

@@ -6,13 +6,24 @@
 #define CONTENT_BROWSER_THEME_HELPER_MAC_H_
 
 #include "base/macros.h"
-#include "base/memory/singleton.h"
+#include "base/memory/read_only_shared_memory_region.h"
+#include "base/memory/writable_shared_memory_region.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_registrar.h"
+#include "third_party/blink/public/common/sandbox_support/sandbox_support_mac.h"
 #include "third_party/blink/public/platform/mac/web_scrollbar_theme.h"
 
+#if __OBJC__
+@class SystemThemeObserver;
+#else
+class SystemThemeObserver;
+#endif
+
 namespace content {
 
+// This class is used to monitor macOS system appearance changes and to notify
+// sandboxed child processes when they change. This class lives on the UI
+// thread.
 class ThemeHelperMac : public NotificationObserver {
  public:
   // Return pointer to the singleton instance for the current process, or NULL
@@ -23,17 +34,33 @@ class ThemeHelperMac : public NotificationObserver {
   // as the blink enum value.
   static blink::ScrollerStyle GetPreferredScrollerStyle();
 
- private:
-  friend struct base::DefaultSingletonTraits<ThemeHelperMac>;
+  // Duplicates a handle to the read-only copy of the system color table,
+  // which can be shared to sandboxed child processes.
+  base::ReadOnlySharedMemoryRegion DuplicateReadOnlyColorMapRegion();
 
+ private:
   ThemeHelperMac();
   ~ThemeHelperMac() override;
 
+  // Looks up the blink::MacSystemColorID corresponding to the NSColor
+  // selector and stores them in the |writable_color_map_| table.
+  void LoadSystemColors();
+
   // Overridden from NotificationObserver:
   void Observe(int type,
                const NotificationSource& source,
                const NotificationDetails& details) override;
 
+  // ObjC object that observes notifications from the system.
+  SystemThemeObserver* theme_observer_;  // strong
+
+  // Writable and mapped array of SkColor values, indexed by MacSystemColorID.
+  base::WritableSharedMemoryMapping writable_color_map_;
+
+  // Read-only handle to the |writable_color_map_| that can be duplicated for
+  // sharing to child processes.
+  base::ReadOnlySharedMemoryRegion read_only_color_map_;
+
   NotificationRegistrar registrar_;
 
   DISALLOW_COPY_AND_ASSIGN(ThemeHelperMac);

content/child/child_process_sandbox_support_impl_mac.cc

@@ -12,11 +12,27 @@
 #include "base/strings/sys_string_conversions.h"
 #include "content/common/mac/font_loader.h"
 #include "content/public/child/child_thread.h"
+#include "content/public/common/service_names.mojom.h"
 #include "mojo/public/cpp/system/buffer.h"
+#include "services/service_manager/public/cpp/connector.h"
 
 namespace content {
 
-bool LoadFont(CTFontRef font, CGFontRef* out, uint32_t* font_id) {
+WebSandboxSupportMac::WebSandboxSupportMac(
+    service_manager::Connector* connector) {
+  connector->BindInterface(content::mojom::kBrowserServiceName,
+                           mojo::MakeRequest(&sandbox_support_));
+  sandbox_support_->GetSystemColors(base::BindOnce(
+      &WebSandboxSupportMac::OnGotSystemColors, base::Unretained(this)));
+}
+
+WebSandboxSupportMac::~WebSandboxSupportMac() = default;
+
+// TODO(rsesek): Move font loading off the content.mojom.FontLoaderMac
+// interface and onto the SandboxSupportMac interface.
+bool WebSandboxSupportMac::LoadFont(CTFontRef font,
+                                    CGFontRef* out,
+                                    uint32_t* font_id) {
   base::ScopedCFTypeRef<CFStringRef> name_ref(CTFontCopyPostScriptName(font));
   base::string16 font_name = SysCFStringRefToUTF16(name_ref);
   float font_point_size = CTFontGetSize(font);
@@ -42,4 +58,19 @@ bool LoadFont(CTFontRef font, CGFontRef* out, uint32_t* font_id) {
       std::move(font_data), static_cast<uint32_t>(font_data_size), out);
 }
 
+SkColor WebSandboxSupportMac::GetSystemColor(blink::MacSystemColorID color_id) {
+  if (!color_map_.IsValid()) {
+    DLOG(ERROR) << "GetSystemColor does not have a valid color_map_";
+    return SK_ColorMAGENTA;
+  }
+  base::span<const SkColor> color_map =
+      color_map_.GetMemoryAsSpan<SkColor>(blink::kMacSystemColorIDCount);
+  return color_map[static_cast<size_t>(color_id)];
+}
+
+void WebSandboxSupportMac::OnGotSystemColors(
+    base::ReadOnlySharedMemoryRegion region) {
+  color_map_ = region.Map();
+}
+
 }  // namespace content

content/child/child_process_sandbox_support_impl_mac.h

@@ -7,11 +7,37 @@
 
 #include <CoreText/CoreText.h>
 
+#include "base/memory/read_only_shared_memory_region.h"
+#include "base/memory/shared_memory_mapping.h"
+#include "content/common/sandbox_support_mac.mojom.h"
+#include "third_party/blink/public/platform/mac/web_sandbox_support.h"
+
+namespace service_manager {
+class Connector;
+}
+
 namespace content {
 
-// Load a font specified by |font| into |out| through communicating
-// with browser.
-bool LoadFont(CTFontRef font, CGFontRef* out, uint32_t* font_id);
+// Implementation of the interface used by Blink to upcall to the privileged
+// process (browser) for handling requests for data that are not allowed within
+// the sandbox.
+class WebSandboxSupportMac : public blink::WebSandboxSupport {
+ public:
+  explicit WebSandboxSupportMac(service_manager::Connector* connector);
+  ~WebSandboxSupportMac() override;
+
+  // blink::WebSandboxSupport:
+  bool LoadFont(CTFontRef font, CGFontRef* out, uint32_t* font_id) override;
+  SkColor GetSystemColor(blink::MacSystemColorID color_id) override;
+
+ private:
+  void OnGotSystemColors(base::ReadOnlySharedMemoryRegion region);
+
+  mojom::SandboxSupportMacPtr sandbox_support_;
+  base::ReadOnlySharedMemoryMapping color_map_;
+
+  DISALLOW_COPY_AND_ASSIGN(WebSandboxSupportMac);
+};
 
 };  // namespace content
 

content/common/BUILD.gn

@@ -548,6 +548,7 @@ mojom("mojo_bindings") {
     sources += [
       "font_loader_mac.mojom",
       "render_widget_host_ns_view.mojom",
+      "sandbox_support_mac.mojom",
     ]
   }
 

content/common/sandbox_support_mac.mojom

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+module content.mojom;
+
+import "mojo/public/mojom/base/shared_memory.mojom";
+
+// Interface for a sandboxed child process to request services of
+// the browser.
+interface SandboxSupportMac {
+  // Returns the shared memory region containing system theme color
+  // information.
+  GetSystemColors() => (mojo_base.mojom.ReadOnlySharedMemoryRegion region);
+};

content/ppapi_plugin/ppapi_blink_platform_impl.cc

@@ -19,7 +19,7 @@
 #include "third_party/blink/public/platform/web_string.h"
 
 #if defined(OS_MACOSX)
-#include "third_party/blink/public/platform/mac/web_sandbox_support.h"
+#include "content/child/child_process_sandbox_support_impl_mac.h"
 #elif defined(OS_POSIX) && !defined(OS_ANDROID)
 #include "content/child/child_process_sandbox_support_impl_linux.h"
 #include "third_party/blink/public/platform/linux/out_of_process_font.h"
@@ -36,19 +36,14 @@ typedef struct CGFont* CGFontRef;
 
 namespace content {
 
-#if !defined(OS_ANDROID) && !defined(OS_WIN)
+#if defined(OS_LINUX)
 
 class PpapiBlinkPlatformImpl::SandboxSupport : public WebSandboxSupport {
  public:
-#if defined(OS_LINUX)
   explicit SandboxSupport(sk_sp<font_service::FontLoader> font_loader)
       : font_loader_(std::move(font_loader)) {}
-#endif
   ~SandboxSupport() override {}
 
-#if defined(OS_MACOSX)
-  bool LoadFont(CTFontRef srcFont, CGFontRef* out, uint32_t* fontID) override;
-#elif defined(OS_LINUX)
   SandboxSupport();
   void GetFallbackFontForCharacter(
       WebUChar32 character,
@@ -72,23 +67,8 @@ class PpapiBlinkPlatformImpl::SandboxSupport : public WebSandboxSupport {
   sk_sp<font_service::FontLoader> font_loader_;
   // For debugging https://crbug.com/312965
   base::SequenceCheckerImpl creation_thread_sequence_checker_;
-#endif
 };
 
-#if defined(OS_MACOSX)
-
-bool PpapiBlinkPlatformImpl::SandboxSupport::LoadFont(CTFontRef src_font,
-                                                      CGFontRef* out,
-                                                      uint32_t* font_id) {
-  // TODO(brettw) this should do the something similar to what
-  // RendererBlinkPlatformImpl does and request that the browser load the font.
-  // Note: need to unlock the proxy lock like ensureFontLoaded does.
-  NOTIMPLEMENTED();
-  return false;
-}
-
-#elif defined(OS_POSIX)
-
 PpapiBlinkPlatformImpl::SandboxSupport::SandboxSupport() {}
 
 void PpapiBlinkPlatformImpl::SandboxSupport::GetFallbackFontForCharacter(
@@ -137,8 +117,6 @@ void PpapiBlinkPlatformImpl::SandboxSupport::
 
 #endif
 
-#endif  // !defined(OS_ANDROID) && !defined(OS_WIN)
-
 PpapiBlinkPlatformImpl::PpapiBlinkPlatformImpl() {
 #if defined(OS_LINUX)
   font_loader_ =
@@ -147,7 +125,8 @@ PpapiBlinkPlatformImpl::PpapiBlinkPlatformImpl() {
   sandbox_support_.reset(
       new PpapiBlinkPlatformImpl::SandboxSupport(font_loader_));
 #elif defined(OS_MACOSX)
-  sandbox_support_.reset(new PpapiBlinkPlatformImpl::SandboxSupport());
+  sandbox_support_.reset(
+      new WebSandboxSupportMac(ChildThread::Get()->GetConnector()));
 #endif
 }
 
@@ -155,7 +134,7 @@ PpapiBlinkPlatformImpl::~PpapiBlinkPlatformImpl() {
 }
 
 void PpapiBlinkPlatformImpl::Shutdown() {
-#if !defined(OS_ANDROID) && !defined(OS_WIN)
+#if defined(OS_LINUX) || defined(OS_MACOSX)
   // SandboxSupport contains a map of OutOfProcessFont objects, which hold
   // WebStrings and WebVectors, which become invalidated when blink is shut
   // down. Hence, we need to clear that map now, just before blink::shutdown()
@@ -165,7 +144,7 @@ void PpapiBlinkPlatformImpl::Shutdown() {
 }
 
 blink::WebSandboxSupport* PpapiBlinkPlatformImpl::GetSandboxSupport() {
-#if !defined(OS_ANDROID) && !defined(OS_WIN)
+#if defined(OS_LINUX) || defined(OS_MACOSX)
   return sandbox_support_.get();
 #else
   return nullptr;

content/ppapi_plugin/ppapi_blink_platform_impl.h

@@ -42,12 +42,12 @@ class PpapiBlinkPlatformImpl : public BlinkPlatformImpl {
                          bool sync_dir) override;
 
  private:
-#if !defined(OS_ANDROID) && !defined(OS_WIN)
-  class SandboxSupport;
-  std::unique_ptr<SandboxSupport> sandbox_support_;
+#if defined(OS_LINUX) || defined(OS_MACOSX)
+  std::unique_ptr<blink::WebSandboxSupport> sandbox_support_;
 #endif
 
 #if defined(OS_LINUX)
+  class SandboxSupport;
   sk_sp<font_service::FontLoader> font_loader_;
 #endif
 

content/public/app/mojo/content_browser_manifest.json

@@ -82,6 +82,9 @@
           "viz.mojom.CompositingModeReporter",
           "ws.mojom.Gpu"
         ],
+        "sandbox_support": [
+          "content.mojom.SandboxSupportMac"
+        ],
         "service_manager:service_factory": [
           "service_manager.mojom.ServiceFactory"
         ]

content/public/app/mojo/content_plugin_manifest.json

@@ -22,7 +22,8 @@
           "dwrite_font_proxy",
           "field_trials",
           "font_cache",
-          "plugin"
+          "plugin",
+          "sandbox_support"
         ],
         "device": [ "device:power_monitor" ],
         "font_service": [ "font_service" ],

content/public/app/mojo/content_renderer_manifest.json

@@ -33,7 +33,8 @@
           "dwrite_font_proxy",
           "field_trials",
           "font_loader",
-          "renderer"
+          "renderer",
+          "sandbox_support"
         ],
         "font_service": [ "font_service" ],
         "metrics": [ "url_keyed_metrics" ],

content/public/app/mojo/content_utility_manifest.json

@@ -24,7 +24,8 @@
         "content_browser": [
           "dwrite_font_proxy",
           "field_trials",
-          "font_cache"
+          "font_cache",
+          "sandbox_support"
         ],
         "device": [
           "device:power_monitor",

content/renderer/renderer_blink_platform_impl.cc

@@ -112,7 +112,6 @@
 #if defined(OS_MACOSX)
 #include "content/child/child_process_sandbox_support_impl_mac.h"
 #include "content/common/mac/font_loader.h"
-#include "third_party/blink/public/platform/mac/web_sandbox_support.h"
 #endif
 
 #if defined(OS_POSIX)
@@ -194,21 +193,14 @@ gpu::ContextType ToGpuContextType(blink::Platform::ContextType type) {
 
 //------------------------------------------------------------------------------
 
-#if !defined(OS_ANDROID) && !defined(OS_WIN) && !defined(OS_FUCHSIA)
+#if defined(OS_LINUX)
 class RendererBlinkPlatformImpl::SandboxSupport
     : public blink::WebSandboxSupport {
  public:
-#if defined(OS_LINUX)
   explicit SandboxSupport(sk_sp<font_service::FontLoader> font_loader)
       : font_loader_(std::move(font_loader)) {}
-#endif
   ~SandboxSupport() override {}
 
-#if defined(OS_MACOSX)
-  bool LoadFont(CTFontRef src_font,
-                CGFontRef* container,
-                uint32_t* font_id) override;
-#elif defined(OS_LINUX)
   void GetFallbackFontForCharacter(
       blink::WebUChar32 character,
       const char* preferred_locale,
@@ -230,9 +222,8 @@ class RendererBlinkPlatformImpl::SandboxSupport
   base::Lock unicode_font_families_mutex_;
   std::map<int32_t, blink::OutOfProcessFont> unicode_font_families_;
   sk_sp<font_service::FontLoader> font_loader_;
-#endif
 };
-#endif  // !defined(OS_ANDROID) && !defined(OS_WIN)
+#endif  // defined(OS_LINUX)
 
 //------------------------------------------------------------------------------
 
@@ -265,10 +256,10 @@ RendererBlinkPlatformImpl::RendererBlinkPlatformImpl(
     connector_ = service_manager::Connector::Create(&request);
   }
 
-#if !defined(OS_ANDROID) && !defined(OS_WIN) && !defined(OS_FUCHSIA)
+#if defined(OS_LINUX) || defined(OS_MACOSX)
   if (g_sandbox_enabled && sandboxEnabled()) {
 #if defined(OS_MACOSX)
-    sandbox_support_.reset(new RendererBlinkPlatformImpl::SandboxSupport());
+    sandbox_support_.reset(new WebSandboxSupportMac(connector_.get()));
 #else
     sandbox_support_.reset(
         new RendererBlinkPlatformImpl::SandboxSupport(font_loader_));
@@ -294,7 +285,7 @@ RendererBlinkPlatformImpl::~RendererBlinkPlatformImpl() {
 }
 
 void RendererBlinkPlatformImpl::Shutdown() {
-#if !defined(OS_ANDROID) && !defined(OS_WIN) && !defined(OS_FUCHSIA)
+#if defined(OS_LINUX) || defined(OS_MACOSX)
   // SandboxSupport contains a map of OutOfProcessFont objects, which hold
   // WebStrings and WebVectors, which become invalidated when blink is shut
   // down. Hence, we need to clear that map now, just before blink::shutdown()
@@ -388,11 +379,11 @@ blink::BlameContext* RendererBlinkPlatformImpl::GetTopLevelBlameContext() {
 }
 
 blink::WebSandboxSupport* RendererBlinkPlatformImpl::GetSandboxSupport() {
-#if defined(OS_ANDROID) || defined(OS_WIN) || defined(OS_FUCHSIA)
-  // These platforms do not require sandbox support.
-  return NULL;
-#else
+#if defined(OS_LINUX) || defined(OS_MACOSX)
   return sandbox_support_.get();
+#else
+  // These platforms do not require sandbox support.
+  return nullptr;
 #endif
 }
 
@@ -569,15 +560,7 @@ WebString RendererBlinkPlatformImpl::FileSystemCreateOriginIdentifier(
 
 //------------------------------------------------------------------------------
 
-#if defined(OS_MACOSX)
-
-bool RendererBlinkPlatformImpl::SandboxSupport::LoadFont(CTFontRef src_font,
-                                                         CGFontRef* out,
-                                                         uint32_t* font_id) {
-  return content::LoadFont(src_font, out, font_id);
-}
-
-#elif defined(OS_POSIX) && !defined(OS_ANDROID)
+#if defined(OS_LINUX)
 
 void RendererBlinkPlatformImpl::SandboxSupport::GetFallbackFontForCharacter(
     blink::WebUChar32 character,

content/renderer/renderer_blink_platform_impl.h

@@ -264,9 +264,8 @@ class CONTENT_EXPORT RendererBlinkPlatformImpl : public BlinkPlatformImpl {
   std::unique_ptr<service_manager::Connector> connector_;
   scoped_refptr<base::SingleThreadTaskRunner> io_runner_;
 
-#if !defined(OS_ANDROID) && !defined(OS_WIN) && !defined(OS_FUCHSIA)
-  class SandboxSupport;
-  std::unique_ptr<SandboxSupport> sandbox_support_;
+#if defined(OS_LINUX) || defined(OS_MACOSX)
+  std::unique_ptr<blink::WebSandboxSupport> sandbox_support_;
 #endif
 
   // This counter keeps track of the number of times sudden termination is
@@ -301,6 +300,7 @@ class CONTENT_EXPORT RendererBlinkPlatformImpl : public BlinkPlatformImpl {
   scoped_refptr<blink::mojom::ThreadSafeCodeCacheHostPtr> code_cache_host_;
 
 #if defined(OS_LINUX)
+  class SandboxSupport;
   sk_sp<font_service::FontLoader> font_loader_;
 #endif
 

content/utility/utility_blink_platform_with_sandbox_support_impl.cc

@@ -9,8 +9,7 @@
 #if defined(OS_MACOSX)
 #include "base/mac/foundation_util.h"
 #include "content/child/child_process_sandbox_support_impl_mac.h"
-#include "third_party/blink/public/platform/mac/web_sandbox_support.h"
-#elif defined(OS_POSIX) && !defined(OS_ANDROID)
+#elif defined(OS_LINUX)
 #include "base/synchronization/lock.h"
 #include "content/child/child_process_sandbox_support_impl_linux.h"
 #include "content/child/child_thread_impl.h"
@@ -27,20 +26,15 @@ struct WebFontRenderStyle;
 
 namespace content {
 
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
+#if defined(OS_LINUX)
 
 class UtilityBlinkPlatformWithSandboxSupportImpl::SandboxSupport
     : public blink::WebSandboxSupport {
  public:
-#if defined(OS_LINUX)
   explicit SandboxSupport(sk_sp<font_service::FontLoader> font_loader)
       : font_loader_(std::move(font_loader)) {}
-#endif
   ~SandboxSupport() override {}
 
-#if defined(OS_MACOSX)
-  bool LoadFont(CTFontRef srcFont, CGFontRef* out, uint32_t* fontID) override;
-#else
   void GetFallbackFontForCharacter(
       blink::WebUChar32 character,
       const char* preferred_locale,
@@ -63,10 +57,9 @@ class UtilityBlinkPlatformWithSandboxSupportImpl::SandboxSupport
   // Maps unicode chars to their fallback fonts.
   std::map<int32_t, blink::OutOfProcessFont> unicode_font_families_;
   sk_sp<font_service::FontLoader> font_loader_;
-#endif  // defined(OS_MACOSX)
 };
 
-#endif  // defined(OS_POSIX) && !defined(OS_ANDROID)
+#endif  // defined(OS_LINUX)
 
 UtilityBlinkPlatformWithSandboxSupportImpl::
     UtilityBlinkPlatformWithSandboxSupportImpl(
@@ -76,7 +69,7 @@ UtilityBlinkPlatformWithSandboxSupportImpl::
   SkFontConfigInterface::SetGlobal(font_loader_);
   sandbox_support_ = std::make_unique<SandboxSupport>(font_loader_);
 #elif defined(OS_MACOSX)
-  sandbox_support_ = std::make_unique<SandboxSupport>();
+  sandbox_support_ = std::make_unique<WebSandboxSupportMac>(connector);
 #endif
 }
 
@@ -85,23 +78,14 @@ UtilityBlinkPlatformWithSandboxSupportImpl::
 
 blink::WebSandboxSupport*
 UtilityBlinkPlatformWithSandboxSupportImpl::GetSandboxSupport() {
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
+#if defined(OS_LINUX) || defined(OS_MACOSX)
   return sandbox_support_.get();
 #else
   return nullptr;
 #endif
 }
 
-#if defined(OS_MACOSX)
-
-bool UtilityBlinkPlatformWithSandboxSupportImpl::SandboxSupport::LoadFont(
-    CTFontRef src_font,
-    CGFontRef* out,
-    uint32_t* font_id) {
-  return content::LoadFont(src_font, out, font_id);
-}
-
-#elif defined(OS_POSIX) && !defined(OS_ANDROID)
+#if defined(OS_LINUX)
 
 void UtilityBlinkPlatformWithSandboxSupportImpl::SandboxSupport::
     GetFallbackFontForCharacter(blink::WebUChar32 character,

content/utility/utility_blink_platform_with_sandbox_support_impl.h

@@ -11,7 +11,7 @@
 #include "build/build_config.h"
 #include "third_party/blink/public/platform/platform.h"
 
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
+#if defined(OS_LINUX)
 #include "components/services/font/public/cpp/font_loader.h"  // nogncheck
 #include "third_party/skia/include/core/SkRefCnt.h"           // nogncheck
 #endif
@@ -39,11 +39,11 @@ class UtilityBlinkPlatformWithSandboxSupportImpl : public blink::Platform {
   blink::WebSandboxSupport* GetSandboxSupport() override;
 
  private:
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
-  class SandboxSupport;
-  std::unique_ptr<SandboxSupport> sandbox_support_;
+#if defined(OS_LINUX) || defined(OS_MACOSX)
+  std::unique_ptr<blink::WebSandboxSupport> sandbox_support_;
 #endif
 #if defined(OS_LINUX)
+  class SandboxSupport;
   sk_sp<font_service::FontLoader> font_loader_;
 #endif
 

third_party/blink/public/common/BUILD.gn

@@ -112,6 +112,10 @@ source_set("headers") {
     deps += [ ":font_unique_name_table_proto" ]
   }
 
+  if (is_mac) {
+    sources += [ "sandbox_support/sandbox_support_mac.h" ]
+  }
+
   if (is_win) {
     sources += [ "dwrite_rasterizer_support/dwrite_rasterizer_support.h" ]
   }

third_party/blink/public/common/sandbox_support/sandbox_support_mac.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_BLINK_PUBLIC_COMMON_SANDBOX_SUPPORT_SANDBOX_SUPPORT_MAC_H_
+#define THIRD_PARTY_BLINK_PUBLIC_COMMON_SANDBOX_SUPPORT_SANDBOX_SUPPORT_MAC_H_
+
+namespace blink {
+
+// Named Mac system colors. Each of these corresponds to a selector on
+// NSColor.
+enum class MacSystemColorID {
+  kAlternateSelectedControl,
+  kControlBackground,
+  kControlDarkShadow,
+  kControlHighlight,
+  kControlLightHighlight,
+  kControlShadow,
+  kControlText,
+  kDisabledControlText,
+  kHeader,
+  kHighlight,
+  kKeyboardFocusIndicator,
+  kMenuBackground,
+  kScrollBar,
+  kSecondarySelectedControl,
+  kSelectedMenuItemText,
+  kSelectedText,
+  kSelectedTextBackground,
+  kShadow,
+  kText,
+  kWindowBackground,
+  kWindowFrame,
+  kWindowFrameText,
+  kCount,
+};
+
+constexpr size_t kMacSystemColorIDCount =
+    static_cast<size_t>(MacSystemColorID::kCount);
+
+}  // namespace blink
+
+#endif  // THIRD_PARTY_BLINK_PUBLIC_COMMON_SANDBOX_SUPPORT_SANDBOX_SUPPORT_MAC_H_

third_party/blink/public/platform/mac/web_sandbox_support.h

@@ -31,6 +31,9 @@
 #ifndef THIRD_PARTY_BLINK_PUBLIC_PLATFORM_MAC_WEB_SANDBOX_SUPPORT_H_
 #define THIRD_PARTY_BLINK_PUBLIC_PLATFORM_MAC_WEB_SANDBOX_SUPPORT_H_
 
+#include "third_party/blink/public/common/sandbox_support/sandbox_support_mac.h"
+#include "third_party/skia/include/core/SkColor.h"
+
 typedef struct CGFont* CGFontRef;
 
 namespace blink {
@@ -52,6 +55,9 @@ class WebSandboxSupport {
   virtual bool LoadFont(CTFontRef src_font,
                         CGFontRef* out,
                         uint32_t* font_id) = 0;
+
+  // Returns the system's preferred value for a named color.
+  virtual SkColor GetSystemColor(MacSystemColorID) = 0;
 };
 
 }  // namespace blink