Enforce pose protection in XRFrame methods

Currently there are two ways to get XRFrame's via the spec.  The first
is in a rAF callback, and the second is as a result of an XRInputSource
event.  Currently, if poses are not to be handed out, neither of these
methods should fire.  However, to be fully spec compliant in the event
of future changes (especially from AR) allowing frames to be handed out
in other circumstances, the getPose and getViewerPose methods need to
throw SecurityError if they should not hand out poses.  This adds the
second layer of pose protection in that XRFrame's methods will throw if
poses cannot or should not be handed out.

Due to the fact that frames can only be achieved in the two ways
mentioned above, both of which should be blocked when these methods
would throw, no test is added for this behavior.

Bug: 1008573
Change-Id: If9940b290ad1c352c24d0660100ccbade3f1af59
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1832486
Commit-Queue: Alexander Cooper <alcooper@chromium.org>
Commit-Queue: Jacob DeWitt <jacde@chromium.org>
Auto-Submit: Alexander Cooper <alcooper@chromium.org>
Reviewed-by: Jacob DeWitt <jacde@chromium.org>
Cr-Commit-Position: refs/heads/master@{#701395}

third_party/blink/renderer/modules/xr/xr_frame.cc

@@ -26,6 +26,9 @@ const char kNonAnimationFrame[] =
 
 const char kSessionMismatch[] = "XRSpace and XRFrame sessions do not match.";
 
+const char kCannotReportPoses[] =
+    "Poses cannot be given out for the current state.";
+
 }  // namespace
 
 XRFrame::XRFrame(XRSession* session, XRWorldInformation* world_information)
@@ -56,6 +59,11 @@ XRViewerPose* XRFrame::getViewerPose(XRReferenceSpace* reference_space,
     return nullptr;
   }
 
+  if (!session_->CanReportPoses()) {
+    exception_state.ThrowSecurityError(kCannotReportPoses);
+    return nullptr;
+  }
+
   session_->LogGetPose();
 
   std::unique_ptr<TransformationMatrix> pose =
@@ -103,6 +111,11 @@ XRPose* XRFrame::getPose(XRSpace* space_A,
     return nullptr;
   }
 
+  if (!session_->CanReportPoses()) {
+    exception_state.ThrowSecurityError(kCannotReportPoses);
+    return nullptr;
+  }
+
   return space_A->getPose(space_B, mojo_from_viewer_.get());
 }
 

third_party/blink/renderer/modules/xr/xr_session.cc

@@ -1033,6 +1033,14 @@ void XRSession::LogGetPose() const {
   }
 }
 
+bool XRSession::CanReportPoses() {
+  // The spec has a few requirements for if poses can be reported.
+  // If we have a session, then user intent is understood. Therefore, (due to
+  // the way visibility state is updatd), the rest of the steps really just
+  // boil down to whether or not the XRVisibilityState is Visible.
+  return visibility_state_ == XRVisibilityState::VISIBLE;
+}
+
 XRFrame* XRSession::CreatePresentationFrame() {
   DVLOG(2) << __func__;
 

third_party/blink/renderer/modules/xr/xr_session.h

@@ -222,6 +222,8 @@ class XRSession final
   // ScriptWrappable
   bool HasPendingActivity() const override;
 
+  bool CanReportPoses();
+
   // Creates presentation frame based on current state of the session.
   // State currently used in XRFrame creation is mojo_from_viewer_ and
   // world_information_. The created XRFrame also stores a reference to this