Robustly handle WebContents without PermissionBubbleManagers |
|||||
Issue descriptionSome WebContents may not be created with associated PermissionBubbleManagers*. At the moment if this happens, and the associated web code makes a permission request, there won't be a crash, but only because of a null check here: https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/permissions/permission_context_base.cc&l=171. Note, this is a follow on from issue 457091, which fixed one of these crashes. This is a bit of a hack, and feels like it could be flaky. E.g. refactoring the code could easily cause new crashes to appear if the authors don't know about this. It would be better if we could capture the fact that some WebContents can't make permission requests more explicitly somewhere, and checked early on in the process. Strawman proposal: - Add a static function somewhere (maybe PermissionManager): bool CanGetPermissions(const WebContents& web_contents); - Check this early on in any permission type request, and bail out if false - Update PermissionContextBase::DecidePermission to be something like if (!bubble_manager) { NOTREACHED(); return; } Thoughts anyone? * In fact, only normal browser tabs get PermissionBubbleManagers.
,
May 1 2016
I guess it depends on the reasons for not having a PermissionBubbleManager? Does not having one imply that the WebContents should never be able to access permissions? Or just that it shouldn't be able to show a bubble? e.g. imagine the scenario where a user's decision for an origin has already been persisted from the past, so we don't need to show a bubble. In that case, what should happen when the WebContents requests permission when there is no PermissionBubbleManager? Should the WebContents be granted permission or denied? If, in that scenario, we should never grant any permission then I agree with your plan. But if we should grant permission in some cases, then it seems like checking the existence of the PermissionBubbleManager inside PermissionContext is reasonable? In that case it feels like it depends on the actual policy of that permission. WDYT?
,
May 2 2016
Good question.... PermissionBubbleManager is created by AttachTabHelpers, which is only called for a few types of WebContents (from searching, tabs and a few other things). If that function isn't called it won't have a PermissionBubbleManager. WebContents that won't have PermissionBubbleManagers include extension views (e.g. extension popups), and any WebContents we use to host UI (e.g. start page of the app launcher, which shows a doodle). These can be put into two classes: - WebContents which are used for chrome UI. E.g. the app launcher start page. The URL to load can be a resource in chrome or a real web URL we control. The defining factor here is probably that we control the URL somehow. In this case it would probably be better security-wise to just prevent all permissions from being used, in case that URL has been compromised somehow. - WebContents which are used for a URL out of our control, e.g. an extension popup or a chrome app. I am not sure what the policy is for extension popup usage. For chrome apps, there is no reason not to let them use permissions but to do so they would need a permission manager. If these types of web contents can use permissions they should be able to request them as well. One thing to keep in mind is that the developer creating these WebContents typically isn't intimate with permission bubbles or how web permissions work. There are a large number of TabHelpers that can be added to WebContents, and a good approach for a developer is to add the minimal set that seems to work for their feature, for the testing they do. E.g. see the comment in extension view host: https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/extensions/extension_view_host.cc&l=75 Making this a policy decision for someone creating WebContents feels like it might be a win. That is, the developer needs to answer the question 'Should this WebContents be able to use web permissions?" to create their web contents. Or at least, if they don't answer the question their thing can't use web permissions, which is safe. If they do answer the question, and say 'yes', it should set up all the machinery they need. I'm not sure of a clean way to do this however, given the layering involved.
,
Jul 5 2016
,
Jul 6 2016
+avi, who I believe is a TabHelper expert. Avi - see above comments for context. The question is whether we can / should have a way to force all creators of WebContents to think about whether the WebContents should get web permissions (e.g. by implementing a virtual abstract function, by passing a parameter in somewhere etc.). I don't think it is really possible in a nice way, in which case we should basically make the presence of PermissionBubbleManager the real flag for whether something should get permissions or not.
,
Jul 7 2016
Right now, PermissionBubbleManager is entirely an embedder concept, so it would be a blatant layering violation to enforce something like that via a parameter, etc. If you want, we can have a discussion about the best way to do something like that. We could bring in the content crew.
,
Dec 6 2016
Sorry for taking so long to respond. I agree it would be a layering violation; I think the situation is as good as it can be without massive effort. The presence of the PermissionBubbleManager is a proxy for whether something should get permissions or not.
,
Jun 2 2017
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 Deleted