Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: cherry-pick 6b66a45021 from chromium #34075

merged 1 commit into from May 4, 2022


Copy link

@ppontes ppontes commented May 4, 2022

Reland "Fix noopener case for user activation consumption"

This is a reland of e9828a82b5c182dc9a7fb0ae7226c35ba1726e7d

The MSAN error is from checking status before err in
content/renderer/ .

The fix is to split the check for err and kIgnore into two checks,
and put the err check before kBlocked.

It is probably possible for the browser to consume user activation
but then eventually mojo returns an error and the renderer doesn't
consume activation, but that seems pretty marginal.

Original change's description:

Fix noopener case for user activation consumption

The flow for user activation consumption in was as follows:

Renderer: ask the browser to create a new window
Browser: consume transient user activation (in the browser, and via RPC
to remote frames only)
Browser: return success for opener, return ignore for noopener
Renderer: consume transient user activation upon success

So in the noopener case, the renderer with the local frame where the originated didn't have its transient user activation

The new behavior is to consume user activation in the calling renderer
whenever it is consumed in the browser. We accomplish this by returning
a distinct value kBlocked to represent failure before the browser
consumes user activation.

Bug: 1264543, 1291210
Change-Id: Iffb6e3fd772bef625d3d28e600e6fb73d70ab29f
Reviewed-by: Dominic Farolino
Reviewed-by: Ken Buchanan
Reviewed-by: Mustaq Ahmed
Reviewed-by: Charles Reis
Reviewed-by: Jonathan Ross
Reviewed-by: Daniel Cheng
Commit-Queue: Garrett Tanzer
Cr-Commit-Position: refs/heads/main@{#973876}

Bug: 1264543, 1291210
Change-Id: Ie27c4d68db34dfd98adee7cc5c743953dad59834
Reviewed-by: Jonathan Ross
Reviewed-by: Daniel Cheng
Reviewed-by: Mustaq Ahmed
Reviewed-by: Ken Buchanan
Reviewed-by: Charles Reis
Commit-Queue: Garrett Tanzer
Cr-Commit-Position: refs/heads/main@{#976745}

Notes: Backported fix for CVE-2022-1497.

@ppontes ppontes added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 15-x-y labels May 4, 2022
@ppontes ppontes requested review from a team as code owners May 4, 2022 20:14
@nornagon nornagon merged commit 6aa0609 into 15-x-y May 4, 2022
@nornagon nornagon deleted the cherry-pick/15-x-y/chromium/6b66a45021 branch May 4, 2022 23:30
Copy link

release-clerk bot commented May 4, 2022

Release Notes Persisted

Backported fix for CVE-2022-1497.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
15-x-y backport-check-skip Skip trop's backport validity checking security 🔒 semver/patch backwards-compatible bug fixes
None yet

Successfully merging this pull request may close these issues.

None yet

2 participants