Extension: remove USER_GESTURE_ENABLED state from tab-change events.

A past fix for activation propagation from an extension button to extension script seems to have added additional user activation propagation path from tab-strip to all installed extensions: https://chromiumcodereview.appspot.com/10821120/ This crack caused every tab-switching to activate /all/ installed extensions, which seems bad. Because of this, we encountered a security issue with unintended top frame navigation from an iframe. (Luckily only tab switching was affected, not tab clicking.) A user interaction with the tab-strip is different from an interaction with extension buttons. Tab-strip interactions are similar to those on any browser-provided UI element like top menu: they don't at all indicate the user's intention to interact with any extension or website. Therefore, like clicks on top-menu and unlike clicks on extension buttons, tab-switching should suppress activating any background script thus prevent access to use user-activation gated APIs like popup, fullscreen, navigation, etc. Bug: 957633, 1035315 Change-Id: I8d56e02a3a2966521b7bbc4f4efadf67e1acc371 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2072654Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Commit-Queue: Mustaq Ahmed <mustaq@chromium.org> Cr-Commit-Position: refs/heads/master@{#744802}

Extension: remove USER_GESTURE_ENABLED state from tab-change events.
A past fix for activation propagation from an extension button to extension script seems to have added additional user activation propagation path from tab-strip to all installed extensions: https://chromiumcodereview.appspot.com/10821120/ This crack caused every tab-switching to activate /all/ installed extensions, which seems bad. Because of this, we encountered a security issue with unintended top frame navigation from an iframe. (Luckily only tab switching was affected, not tab clicking.) A user interaction with the tab-strip is different from an interaction with extension buttons. Tab-strip interactions are similar to those on any browser-provided UI element like top menu: they don't at all indicate the user's intention to interact with any extension or website. Therefore, like clicks on top-menu and unlike clicks on extension buttons, tab-switching should suppress activating any background script thus prevent access to use user-activation gated APIs like popup, fullscreen, navigation, etc. Bug: 957633, 1035315 Change-Id: I8d56e02a3a2966521b7bbc4f4efadf67e1acc371 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2072654Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Commit-Queue: Mustaq Ahmed <mustaq@chromium.org> Cr-Commit-Position: refs/heads/master@{#744802}
6f9f33b6 · Mustaq Ahmed · Commit Bot · f01cecd1 · 6f9f33b6 · 6f9f33b6
Commit 6f9f33b6 authored Feb 26, 2020 by Mustaq Ahmed Committed by Commit Bot Feb 26, 2020
2 changed files
--- a/chrome/browser/extensions/api/tabs/tabs_event_router.cc
+++ b/chrome/browser/extensions/api/tabs/tabs_event_router.cc
@@ -233,7 +233,7 @@ void TabsEventRouter::OnTabStripModelChanged(
  if (selection.active_tab_changed()) {
    DispatchActiveTabChanged(selection.old_contents, selection.new_contents,
-                             selection.new_model.active(), selection.reason);
+                             selection.new_model.active());
  }
  if (selection.selection_changed()) {
@@ -398,8 +398,7 @@ void TabsEventRouter::DispatchTabDetachedAt(WebContents* contents,
 void TabsEventRouter::DispatchActiveTabChanged(WebContents* old_contents,
                                               WebContents* new_contents,
-                                               int index,
+                                               int index) {
-                                               int reason) {
  auto args = std::make_unique<base::ListValue>();
  int tab_id = ExtensionTabUtil::GetTabId(new_contents);
  args->AppendInteger(tab_id);
@@ -414,24 +413,21 @@ void TabsEventRouter::DispatchActiveTabChanged(WebContents* old_contents,
  // deprecated events take two arguments: tabId, {windowId}.
  Profile* profile =
      Profile::FromBrowserContext(new_contents->GetBrowserContext());
-  EventRouter::UserGestureState gesture =
-      reason & CHANGE_REASON_USER_GESTURE
-      ? EventRouter::USER_GESTURE_ENABLED
-      : EventRouter::USER_GESTURE_NOT_ENABLED;
  DispatchEvent(profile, events::TABS_ON_SELECTION_CHANGED,
                api::tabs::OnSelectionChanged::kEventName,
-                args->CreateDeepCopy(), gesture);
+                args->CreateDeepCopy(), EventRouter::USER_GESTURE_UNKNOWN);
  DispatchEvent(profile, events::TABS_ON_ACTIVE_CHANGED,
                api::tabs::OnActiveChanged::kEventName, std::move(args),
-                gesture);
+                EventRouter::USER_GESTURE_UNKNOWN);
  // The onActivated event takes one argument: {windowId, tabId}.
  auto on_activated_args = std::make_unique<base::ListValue>();
  object_args->Set(tabs_constants::kTabIdKey, std::make_unique<Value>(tab_id));
  on_activated_args->Append(std::move(object_args));
-  DispatchEvent(profile, events::TABS_ON_ACTIVATED,
+  DispatchEvent(
-                api::tabs::OnActivated::kEventName,
+      profile, events::TABS_ON_ACTIVATED, api::tabs::OnActivated::kEventName,
-                std::move(on_activated_args), gesture);
+      std::move(on_activated_args), EventRouter::USER_GESTURE_UNKNOWN);
 }
 void TabsEventRouter::DispatchTabSelectionChanged(

--- a/chrome/browser/extensions/api/tabs/tabs_event_router.h
+++ b/chrome/browser/extensions/api/tabs/tabs_event_router.h
@@ -95,8 +95,7 @@ class TabsEventRouter : public TabStripModelObserver,
                             bool was_active);
  void DispatchActiveTabChanged(content::WebContents* old_contents,
                                content::WebContents* new_contents,
-                                int index,
+                                int index);
-                                int reason);
  void DispatchTabSelectionChanged(TabStripModel* tab_strip_model,
                                   const ui::ListSelectionModel& old_model);
  void DispatchTabMoved(content::WebContents* contents,