[ MimeHandlerView ] Fix cross-origin postMessage

When a.com embeds a PDF in b.com, {embed, object}.postMessages sends the messages from a.com to the WebRemoteFrame corresponding to the GuestView. On the browser side, the target RenderFrameHost is determined to be the outer WebContents's frame that is used to attach MimeHandlerViewGuest. This means at the end of routing, the IPC ends up going to a dead RenderFrameHost (dropped on the way since there is no RenderFrame to handle it). This CL fixes this issue by a) checking if target RenderFrameHost is live, and b) if not try to find an inner delegate or drop the message. Note that this CL fixes several tests which currently fail (or timeout) with --enable-features=MimeHandlerViewInCrossProcessFrame (the list of such tests is included in the linked bug). This CL fixes some of those tests and together with https://crrev.com/c/1607425 should make most tests including all of the PDFExtensionTest* pass (with the flag). Bug: 961786 Change-Id: I876b971f40d54f3386e23b9750420bbfc1bbbe01 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1606769 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#659259}

[ MimeHandlerView ] Fix cross-origin postMessage
When a.com embeds a PDF in b.com, {embed, object}.postMessages sends the messages from a.com to the WebRemoteFrame corresponding to the GuestView. On the browser side, the target RenderFrameHost is determined to be the outer WebContents's frame that is used to attach MimeHandlerViewGuest. This means at the end of routing, the IPC ends up going to a dead RenderFrameHost (dropped on the way since there is no RenderFrame to handle it). This CL fixes this issue by a) checking if target RenderFrameHost is live, and b) if not try to find an inner delegate or drop the message. Note that this CL fixes several tests which currently fail (or timeout) with --enable-features=MimeHandlerViewInCrossProcessFrame (the list of such tests is included in the linked bug). This CL fixes some of those tests and together with https://crrev.com/c/1607425 should make most tests including all of the PDFExtensionTest* pass (with the flag). Bug: 961786 Change-Id: I876b971f40d54f3386e23b9750420bbfc1bbbe01 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1606769 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#659259}
1c63176f · Ehsan Karamad · Commit Bot · da7d41dc · 1c63176f · 1c63176f
Commit 1c63176f authored May 13, 2019 by Ehsan Karamad Committed by Commit Bot May 13, 2019
5 changed files
--- a/content/browser/frame_host/render_frame_host_delegate.cc
+++ b/content/browser/frame_host/render_frame_host_delegate.cc
@@ -143,4 +143,9 @@ ukm::SourceId RenderFrameHostDelegate::GetUkmSourceIdForLastCommittedSource()
  return ukm::kInvalidSourceId;
 }
+RenderFrameHostImpl* RenderFrameHostDelegate::GetMainFrameForInnerDelegate(
+    FrameTreeNode* frame_tree_node) {
+  return nullptr;
+}
 }  // namespace content
--- a/content/browser/frame_host/render_frame_host_delegate.h
+++ b/content/browser/frame_host/render_frame_host_delegate.h
@@ -436,6 +436,12 @@ class CONTENT_EXPORT RenderFrameHostDelegate {
  virtual void AudioContextPlaybackStopped(RenderFrameHost* host,
                                           int context_id) {}
+  // Returns the main frame of the inner delegate that is attached to this
+  // delegate using |frame_tree_node|. Returns nullptr if no such inner delegate
+  // exists.
+  virtual RenderFrameHostImpl* GetMainFrameForInnerDelegate(
+      FrameTreeNode* frame_tree_node);
 protected:
  virtual ~RenderFrameHostDelegate() {}
 };

--- a/content/browser/frame_host/render_frame_proxy_host.cc
+++ b/content/browser/frame_host/render_frame_proxy_host.cc
@@ -354,6 +354,15 @@ void RenderFrameProxyHost::OnCheckCompleted() {
 void RenderFrameProxyHost::OnRouteMessageEvent(
    const FrameMsg_PostMessage_Params& params) {
  RenderFrameHostImpl* target_rfh = frame_tree_node()->current_frame_host();
+  if (!target_rfh->IsRenderFrameLive()) {
+    // Check if there is an inner delegate involved; if so target its main
+    // frame or otherwise return since there is no point in forwarding the
+    // message.
+    target_rfh = target_rfh->delegate()->GetMainFrameForInnerDelegate(
+        target_rfh->frame_tree_node());
+    if (!target_rfh || !target_rfh->IsRenderFrameLive())
+      return;
+  }
  // |targetOrigin| argument of postMessage is already checked by
  // blink::LocalDOMWindow::DispatchMessageEventWithOriginCheck (needed for

--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
@@ -6868,6 +6868,13 @@ void WebContentsImpl::AudioContextPlaybackStopped(RenderFrameHost* host,
    observer.AudioContextPlaybackStopped(audio_context_id);
 }
+RenderFrameHostImpl* WebContentsImpl::GetMainFrameForInnerDelegate(
+    FrameTreeNode* frame_tree_node) {
+  if (auto* web_contents = node_.GetInnerWebContentsInFrame(frame_tree_node))
+    return web_contents->GetMainFrame();
+  return nullptr;
+}
 void WebContentsImpl::UpdateWebContentsVisibility(Visibility visibility) {
  // Occlusion is disabled when |features::kWebContentsOcclusion| is disabled
  // (for power and speed impact assessment) or when

--- a/content/browser/web_contents/web_contents_impl.h
+++ b/content/browser/web_contents/web_contents_impl.h
@@ -604,6 +604,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
                                   int context_id) override;
  void AudioContextPlaybackStopped(RenderFrameHost* host,
                                   int context_id) override;
+  RenderFrameHostImpl* GetMainFrameForInnerDelegate(
+      FrameTreeNode* frame_tree_node) override;
  // RenderViewHostDelegate ----------------------------------------------------
  RenderViewHostDelegateView* GetDelegateView() override;