Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: cherry-pick 6b66a45021 from chromium #34075

Merged
merged 1 commit into from May 4, 2022

Conversation

ppontes
Copy link
Member

@ppontes ppontes commented May 4, 2022

Reland "Fix noopener case for user activation consumption"

This is a reland of e9828a82b5c182dc9a7fb0ae7226c35ba1726e7d

The MSAN error is from checking status before err in
content/renderer/render_view_impl.cc .
https://ci.chromium.org/ui/p/chromium/builders/ci/Linux%20ChromiumOS%20MSan%20Tests/b8821495655905086193/overview

The fix is to split the check for err and kIgnore into two checks,
and put the err check before kBlocked.

It is probably possible for the browser to consume user activation
but then eventually mojo returns an error and the renderer doesn't
consume activation, but that seems pretty marginal.

Original change's description:

Fix noopener case for user activation consumption

The flow for user activation consumption in window.open was as follows:

Renderer: ask the browser to create a new window
Browser: consume transient user activation (in the browser, and via RPC
to remote frames only)
Browser: return success for opener, return ignore for noopener
Renderer: consume transient user activation upon success

So in the noopener case, the renderer with the local frame where the
window.open originated didn't have its transient user activation
consumed.

The new behavior is to consume user activation in the calling renderer
whenever it is consumed in the browser. We accomplish this by returning
a distinct value kBlocked to represent failure before the browser
consumes user activation.

Bug: 1264543, 1291210
Change-Id: Iffb6e3fd772bef625d3d28e600e6fb73d70ab29f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3468171
Reviewed-by: Dominic Farolino dom@chromium.org
Reviewed-by: Ken Buchanan kenrb@chromium.org
Reviewed-by: Mustaq Ahmed mustaq@chromium.org
Reviewed-by: Charles Reis creis@chromium.org
Reviewed-by: Jonathan Ross jonross@chromium.org
Reviewed-by: Daniel Cheng dcheng@chromium.org
Commit-Queue: Garrett Tanzer gtanzer@chromium.org
Cr-Commit-Position: refs/heads/main@{#973876}

Bug: 1264543, 1291210
Change-Id: Ie27c4d68db34dfd98adee7cc5c743953dad59834
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3481666
Reviewed-by: Jonathan Ross jonross@chromium.org
Reviewed-by: Daniel Cheng dcheng@chromium.org
Reviewed-by: Mustaq Ahmed mustaq@chromium.org
Reviewed-by: Ken Buchanan kenrb@chromium.org
Reviewed-by: Charles Reis creis@chromium.org
Commit-Queue: Garrett Tanzer gtanzer@chromium.org
Cr-Commit-Position: refs/heads/main@{#976745}

Notes: Backported fix for CVE-2022-1497.

@ppontes ppontes added security 🔒 semver/patch backport-check-skip 15-x-y labels May 4, 2022
@ppontes ppontes requested review from a team as code owners May 4, 2022
@nornagon nornagon merged commit 6aa0609 into 15-x-y May 4, 2022
16 checks passed
@nornagon nornagon deleted the cherry-pick/15-x-y/chromium/6b66a45021 branch May 4, 2022
@release-clerk
Copy link

release-clerk bot commented May 4, 2022

Release Notes Persisted

Backported fix for CVE-2022-1497.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
15-x-y backport-check-skip security 🔒 semver/patch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants