[bfcache] Blocklist pages capturing audio from subframe.

If a subframe does audio capture, it should be handled the same as if
audo capture was done from the top level frame.

Bug: 989379
Change-Id: I31f751c7c96aa202ced4d78d8f396f3e36bd3425
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1760295
Commit-Queue: Lowell Manners <lowell@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#689426}

content/browser/back_forward_cache_browsertest.cc

@@ -769,6 +769,34 @@ IN_PROC_BROWSER_TEST_F(BackForwardCacheBrowserTest,
   deleted.WaitUntilDeleted();
 }
 
+IN_PROC_BROWSER_TEST_F(BackForwardCacheBrowserTest,
+                       DoesNotCacheIfSubframeRecordingAudio) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+
+  // Navigate to a page with an iframe.
+  GURL url(embedded_test_server()->GetURL("/page_with_iframe.html"));
+  EXPECT_TRUE(NavigateToURL(shell(), url));
+  RenderFrameHostImpl* rfh = current_frame_host();
+
+  // Request for audio recording from the subframe.
+  EXPECT_EQ("success", EvalJs(rfh->child_at(0)->current_frame_host(), R"(
+    new Promise(resolve => {
+      navigator.mediaDevices.getUserMedia({audio: true})
+        .then(m => { resolve("success"); })
+        .catch(() => { resolve("error"); });
+    });
+  )"));
+
+  RenderFrameDeletedObserver deleted(current_frame_host());
+
+  // 2) Navigate away.
+  shell()->LoadURL(embedded_test_server()->GetURL("b.com", "/title1.html"));
+
+  // The page was still recording audio when we navigated away, so it shouldn't
+  // have been cached.
+  deleted.WaitUntilDeleted();
+}
+
 IN_PROC_BROWSER_TEST_F(BackForwardCacheBrowserTest,
                        DoesNotCacheIfMainFrameStillLoading) {
   net::test_server::ControllableHttpResponse response(embedded_test_server(),

content/browser/frame_host/back_forward_cache.cc

@@ -97,6 +97,12 @@ bool CanStoreRenderFrameHost(RenderFrameHostImpl* rfh) {
   if (is_loading)
     return false;
 
+  // If the rfh has ever granted media access, prevent it from entering cache.
+  // TODO(crbug.com/989379): Consider only blocking when there's an active
+  //                         media stream.
+  if (rfh->was_granted_media_access())
+    return false;
+
   // Don't cache the page if it uses any disallowed features.
   // TODO(lowell): Handle races involving scheduler_tracked_features.
   // One solution could be to listen for changes to scheduler_tracked_features
@@ -127,14 +133,6 @@ bool BackForwardCache::CanStoreDocument(RenderFrameHostImpl* rfh) {
   if (!IsBackForwardCacheEnabled() || is_disabled_for_testing_)
     return false;
 
-  // If the rfh has ever granted media access, prevent it from entering cache.
-  // TODO(crbug.com/989379): Consider only blocking when there's an active
-  //                         media stream.
-  // TODO(crbug.com/989379): Consider also checking whether any subframes
-  //                         have requested an media stream.
-  if (rfh->was_granted_media_access())
-    return false;
-
   // Two pages in the same BrowsingInstance can script each other. When a page
   // can be scripted from outside, it can't enter the BackForwardCache.
   //