Bad-cast to content::RenderWidgetHostViewChildFrame from content::RenderWidgetHostViewAura
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6650366534090752

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7feaeb7b2690
Crash State:
  Bad-cast to content::RenderWidgetHostViewChildFrame from content::RenderWidgetHostViewAura

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=418926:419035

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv961JqAOaJYuCawRNqA-7ekKhu4GkkCKfqxqtkGn_WbXsng6u9Vleakuoqh3tJ2bCWwEivc3k7i-qf0Z41NFkmy9p6b_UOgukCbz-fW3Dto1xzw7i_oS2zTbxLIIqiJw8IsqNkCF9W_fRQoSoL23Mtw3dL_xmOa8nNdr-Wa0YzBkzF1BfD8?testcase_id=6650366534090752

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 3 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 3 2016
Oct 3 2016
Strongly suspecting https://chromium.googlesource.com/chromium/src/+/30d21915acf01e3cb5746b1a3cb2e8786c2bd841 as the regression. I will deal with this when my sheriff rotation ends.
Oct 3 2016
Hi kenrb - is there anybody who could take a look while you're sheriffing? We're promoting M55 to Beta this week and this is marked as a blocker for that since it's a regression.
Oct 3 2016
I can try to figure this out tomorrow, and worst case I will revert that CL.
Oct 4 2016
This shouldn't be a blocker. The problematic code is browser side input event processing, which is not reachable strictly from web content. The need for very specific user interaction is mitigating.
Oct 5 2016
Oct 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/83e4f9ac895d5b42a4b114f3ef964676a40476ff

commit 83e4f9ac895d5b42a4b114f3ef964676a40476ff
Author: kenrb <kenrb@chromium.org>
Date: Tue Oct 11 20:36:27 2016

Clear last MouseMove root view in RWHIER if that view gets destroyed

Cluster-fuzz has reported some difficult-to-reproduce crashes in the MouseEnter/Leave generation code in RenderWidgetHostInputEventRouter, and there are some very sparse crash reports appearing for that also. These might be caused by race conditions from RenderWidgetHostView tree modifications that get slightly out of sync from the Surface state that is used for hit testing (Surfaces aren't invalidated until RWHVs are deleted, which for some RWHVs is not immediate upon them having Destroy() called).

This CL speculatively tries to address the crashes by having SendMouseEnterOrLeaveEvents abort when it discovers the RWHV tree out of sync, and also clearing last_mouse_move_root_view_ when that gets destroyed.

BUG=647821,652209
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2396083002
Cr-Commit-Position: refs/heads/master@{#424533}

[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/frame_host/render_widget_host_view_child_frame.cc
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/frame_host/render_widget_host_view_child_frame.h
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/renderer_host/render_widget_host_input_event_router.cc
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/renderer_host/render_widget_host_view_base.cc
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/renderer_host/render_widget_host_view_base.h
Oct 13 2016
Nov 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/68f883645ff0c2f46fa75128af0642e87e7095bd

commit 68f883645ff0c2f46fa75128af0642e87e7095bd
Author: Ken Buchanan <kenrb@chromium.org>
Date: Thu Nov 03 20:54:24 2016

Clear last MouseMove root view in RWHIER if that view gets destroyed

Cluster-fuzz has reported some difficult-to-reproduce crashes in the MouseEnter/Leave generation code in RenderWidgetHostInputEventRouter, and there are some very sparse crash reports appearing for that also. These might be caused by race conditions from RenderWidgetHostView tree modifications that get slightly out of sync from the Surface state that is used for hit testing (Surfaces aren't invalidated until RWHVs are deleted, which for some RWHVs is not immediate upon them having Destroy() called).

This CL speculatively tries to address the crashes by having SendMouseEnterOrLeaveEvents abort when it discovers the RWHV tree out of sync, and also clearing last_mouse_move_root_view_ when that gets destroyed.

BUG=647821,652209
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2396083002
Cr-Commit-Position: refs/heads/master@{#424533}
(cherry picked from commit 83e4f9ac895d5b42a4b114f3ef964676a40476ff)

Review URL: https://codereview.chromium.org/2477893002 .

Cr-Commit-Position: refs/branch-heads/2883@{#445}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/frame_host/render_widget_host_view_child_frame.cc
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/frame_host/render_widget_host_view_child_frame.h
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/renderer_host/render_widget_host_input_event_router.cc
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/renderer_host/render_widget_host_view_base.cc
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/renderer_host/render_widget_host_view_base.h
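The two commit comments above (the Oct 11 landing and the Nov 3 cherry-pick) describe the same hazard: the router caches a raw pointer to the last root view a MouseMove went to, and the hit-testing Surface state can still name a view whose Destroy() has already run but whose object has not been deleted yet. The following is an added example, not Chromium code and not part of this bug report: a deliberately small model with hypothetical names (Router, View, Simulate, Outcome) that reproduces the out-of-sync window and shows the two mitigations the commit message names, aborting SendMouseEnterOrLeaveEvents when the resolved view is no longer in the tree, and clearing the cached last root view when it is destroyed. The model never dereferences a stale pointer; it reports where the unfixed path would have gone on to use one.

```cpp
// Added example, not Chromium code. Names are hypothetical; the real
// RenderWidgetHostInputEventRouter / RenderWidgetHostView are far larger.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>

using SurfaceId = uint32_t;

struct View {
  SurfaceId surface;
  bool is_root;  // stands in for "is a root view" vs "is a child frame view"
};

enum class Outcome { kSent, kAborted, kStalePointerUsed };

class Router {
 public:
  explicit Router(bool with_fix) : with_fix_(with_fix) {}

  void Register(View* v) {
    tree_.insert(v);
    surfaces_[v->surface] = v;
  }

  // Destroy() removes the view from the RWHV tree immediately, but the
  // hit-testing surface entry is only dropped in Delete(), which models the
  // delayed invalidation the commit message describes.
  void Destroy(View* v) {
    tree_.erase(v);
    // Fix 2: never keep a cached pointer to a view that has been destroyed.
    if (with_fix_ && last_mouse_move_root_view_ == v)
      last_mouse_move_root_view_ = nullptr;
  }

  void Delete(View* v) { surfaces_.erase(v->surface); }

  Outcome SendMouseEnterOrLeaveEvents(SurfaceId hit) {
    auto it = surfaces_.find(hit);
    if (it == surfaces_.end()) return Outcome::kAborted;
    View* target = it->second;

    // Fix 1: the surface still resolves, but the view it names has already
    // left the tree, so the tree and the hit-test state are out of sync.
    if (with_fix_ && !tree_.count(target)) return Outcome::kAborted;
    if (!tree_.count(target)) return Outcome::kStalePointerUsed;

    // The enter/leave generation also consults the cached previous root view.
    if (last_mouse_move_root_view_ && !tree_.count(last_mouse_move_root_view_))
      return Outcome::kStalePointerUsed;

    if (target->is_root) last_mouse_move_root_view_ = target;
    return Outcome::kSent;
  }

 private:
  bool with_fix_;
  std::set<View*> tree_;                  // the live RWHV tree
  std::map<SurfaceId, View*> surfaces_;   // hit-testing state, invalidated late
  View* last_mouse_move_root_view_ = nullptr;
};

// Drives the window between Destroy() and Delete(): a move lands on a root
// view (caching it), the root view is destroyed but not yet deleted, and a
// second move arrives that hit-tests to the given surface.
Outcome Simulate(bool with_fix, SurfaceId second_hit) {
  Router router(with_fix);
  View root{1, true};
  View child{2, false};
  router.Register(&root);
  router.Register(&child);
  router.SendMouseEnterOrLeaveEvents(1);  // caches &root as last root view
  router.Destroy(&root);                  // tree updated, surface 1 still maps to &root
  Outcome o = router.SendMouseEnterOrLeaveEvents(second_hit);
  router.Delete(&root);                   // surface invalidated only now
  return o;
}

int main() {
  const char* names[] = {"sent", "aborted", "stale pointer used"};
  std::printf("unfixed, move on child: %s\n", names[(int)Simulate(false, 2)]);
  std::printf("fixed,   move on child: %s\n", names[(int)Simulate(true, 2)]);
  std::printf("unfixed, move on stale: %s\n", names[(int)Simulate(false, 1)]);
  std::printf("fixed,   move on stale: %s\n", names[(int)Simulate(true, 1)]);
  return 0;
}
```

The model makes the ordering explicit: the second move that resolves to the child frame is harmless by itself, and it is the cached root-view pointer that has gone stale. In the report above it is exactly that kind of sequence, needing a real mouse gesture at the right moment, that keeps the bug hard to reproduce and led to it being downgraded from a release blocker.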
Nov 4 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 5 2016
Feb 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot