
chore: cherry-pick 6b66a45021 from chromium#34074

Merged
MarshallOfSound merged 1 commit into 16-x-y from cherry-pick/16-x-y/chromium/6b66a45021
May 5, 2022

Conversation


@ppontes ppontes commented May 4, 2022

Reland "Fix noopener case for user activation consumption"

This is a reland of e9828a82b5c182dc9a7fb0ae7226c35ba1726e7d

The MSAN error is from checking status before err in
content/renderer/render_view_impl.cc.
https://ci.chromium.org/ui/p/chromium/builders/ci/Linux%20ChromiumOS%20MSan%20Tests/b8821495655905086193/overview

The fix is to split the check for err and kIgnore into two checks,
and put the err check before kBlocked.

It is probably possible for the browser to consume user activation
but then eventually mojo returns an error and the renderer doesn't
consume activation, but that seems pretty marginal.

Original change's description:

Fix noopener case for user activation consumption

The flow for user activation consumption in window.open was as follows:

Renderer: ask the browser to create a new window
Browser: consume transient user activation (in the browser, and via RPC
to remote frames only)
Browser: return success for opener, return ignore for noopener
Renderer: consume transient user activation upon success

So in the noopener case, the renderer with the local frame where the
window.open originated didn't have its transient user activation
consumed.

The new behavior is to consume user activation in the calling renderer
whenever it is consumed in the browser. We accomplish this by returning
a distinct value kBlocked to represent failure before the browser
consumes user activation.

Bug: 1264543, 1291210
Change-Id: Iffb6e3fd772bef625d3d28e600e6fb73d70ab29f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3468171
Reviewed-by: Dominic Farolino [email protected]
Reviewed-by: Ken Buchanan [email protected]
Reviewed-by: Mustaq Ahmed [email protected]
Reviewed-by: Charles Reis [email protected]
Reviewed-by: Jonathan Ross [email protected]
Reviewed-by: Daniel Cheng [email protected]
Commit-Queue: Garrett Tanzer [email protected]
Cr-Commit-Position: refs/heads/main@{#973876}

Bug: 1264543, 1291210
Change-Id: Ie27c4d68db34dfd98adee7cc5c743953dad59834
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3481666
Reviewed-by: Jonathan Ross [email protected]
Reviewed-by: Daniel Cheng [email protected]
Reviewed-by: Mustaq Ahmed [email protected]
Reviewed-by: Ken Buchanan [email protected]
Reviewed-by: Charles Reis [email protected]
Commit-Queue: Garrett Tanzer [email protected]
Cr-Commit-Position: refs/heads/main@{#976745}

Notes: Backported fix for CVE-2022-1497.
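A compact model of the window.open activation handshake described in the commit message above, added here as an illustration; it is not Chromium's or Electron's code. Only kIgnore and kBlocked are names taken from the change, every other identifier (kSuccess, Side, Reply, the handler functions) is assumed for this example.

```cpp
// Model of the renderer <-> browser user-activation handshake for
// window.open, as described in the reland message. Illustration only.
#include <optional>

enum class OpenStatus { kSuccess, kIgnore, kBlocked };

struct Side { bool has_activation = true; };  // transient user activation

// Reply carried back over mojo: status is meaningless when err is set.
struct Reply { bool err = false; std::optional<OpenStatus> status; };

// Browser: kBlocked means the request failed BEFORE activation was consumed;
// kSuccess (opener) and kIgnore (noopener) are returned after consuming it.
Reply BrowserCreateWindow(Side& browser, bool noopener, bool blocked) {
  if (blocked) return {false, OpenStatus::kBlocked};
  browser.has_activation = false;
  return {false, noopener ? OpenStatus::kIgnore : OpenStatus::kSuccess};
}

// Old renderer: consumed only on success, so the noopener (kIgnore) path
// left the calling frame's activation unconsumed.
void RendererHandleOld(Side& renderer, const Reply& reply) {
  if (reply.err) return;
  if (*reply.status == OpenStatus::kSuccess) renderer.has_activation = false;
}

// New renderer: err is checked first so status is never read when unset
// (the MSAN finding), then activation is consumed whenever the browser
// consumed it, i.e. unless the browser reported kBlocked.
void RendererHandleNew(Side& renderer, const Reply& reply) {
  if (reply.err) return;
  if (*reply.status == OpenStatus::kBlocked) return;
  renderer.has_activation = false;
}

// Runs one window.open and reports whether browser and renderer agree on
// the activation state afterwards. mojo_err simulates the marginal case the
// reland notes: the browser consumed, but the reply is lost to a mojo error.
bool ActivationConsistent(bool noopener, bool blocked, bool mojo_err,
                          bool use_fix) {
  Side browser, renderer;
  Reply reply = BrowserCreateWindow(browser, noopener, blocked);
  if (mojo_err) reply = {true, std::nullopt};
  if (use_fix) RendererHandleNew(renderer, reply);
  else RendererHandleOld(renderer, reply);
  return browser.has_activation == renderer.has_activation;
}
```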

@ppontes ppontes added labels security 🔒, semver/patch (backwards-compatible bug fixes), backport-check-skip (Skip trop's backport validity checking), 16-x-y on May 4, 2022
@ppontes ppontes requested review from a team as code owners May 4, 2022 20:13
@MarshallOfSound MarshallOfSound merged commit 0bdca55 into 16-x-y May 5, 2022
@MarshallOfSound MarshallOfSound deleted the cherry-pick/16-x-y/chromium/6b66a45021 branch May 5, 2022 19:06
release-clerk bot commented May 5, 2022

Release Notes Persisted

Backported fix for CVE-2022-1497.
