New issue
Advanced search Search tips

Issue 666858 link

Starred by 1 user
Status: Fixed
Owner:
paulmeyer@chromium.org
Closed: Dec 2016
Cc:
lfg@chromium.org
lukasza@chromium.org
dcheng@chromium.org
wfh@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

No drag-and-drop events should fire in a same-page, cross-site frame (wrt drag source)

Project Member Reported by lukasza@chromium.org, Nov 18 2016 
As explained in  issue 59081 , we need to disallow dragging between 2 cross-site frames within the same page.  This has regressed after the recent CLs related to OOPIF support for drag-and-drop.

Comment 1 by lukasza@chromium.org, Nov 18 2016 

I have a WIP CL (https://crrev.com/2507223003) for automating the scenario of dragging between 2 frames, but I estimate that this CL is 1+ week away from being landable... :-/

 issue 59081  has a regression test in layout tests (http/tests/security/drag-drop-different-origin.html), but this test unfortunately is not able to catch the regression (because AFAICT today it is not possible to use test_runner::EventSender from tests to support a drag-and-drop that goes over OOPIFs).

Comment 2 by mea...@chromium.org, Nov 18 2016

Labels: Security_Severity-Low Security_Impact-Head

Comment 3 by lukasza@chromium.org, Nov 18 2016

Components: Internals>Sandbox>SiteIsolation
I forgot to note - the regression only happens in presence of OOPIFs:

- In --isolate-extensions mode (90% on dev, 50% on beta, planning to launch to stable with M56) the regression doesn't affect web pages (because they are kept in the same process/widget), but does affect dragging between extension and web pages.

- There is no regression in absence of OOPIFs (i.e. without --isolate-extension switch).

Comment 4 by dcheng@chromium.org, Nov 18 2016

Components: Blink>DataTransfer

Comment 5 by kerrnel@chromium.org, Nov 18 2016 

Can we plus note what OS's this affects in the bug information? Thank.

Comment 6 by lukasza@chromium.org, Nov 18 2016

Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
In theory this affects all OS-es, but we are considering launching --isolate-extensions in M56 only for desktop OS-es - so let me mark only them.

Comment 7 by creis@chromium.org, Dec 9 2016

Labels: -Pri-2 Proj-IsolateExtensions-BlockingLaunch M-56 Pri-1
Status: Started (was: Assigned)
Noting that we'll need this for M56 to launch --isolate-extensions.  Paul mentioned that he has a CL in progress.
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 9 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 10 by bugdroid1@chromium.org, Dec 14 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7dfa247951db2ccb10b8b5276eb58a33cda4728f

commit 7dfa247951db2ccb10b8b5276eb58a33cda4728f
Author: paulmeyer <paulmeyer@chromium.org>
Date: Wed Dec 14 20:34:02 2016

Prevent drag-and-drop events from firing over cross-site, same-page frames.

This is done by storing the source RenderViewHost and RenderProcessHost for each dragstart. Then, for other drag events (like dragover), if the target frame for that event is in the same RenderViewHost, but different RenderProcessHost, than the source, then the event is not fired.

Note that this patch will not affect behavior on Mac, and a subsequent CL will enforce the same thing for Mac.

BUG= 666858 

Review-Url: https://codereview.chromium.org/2568893002
Cr-Commit-Position: refs/heads/master@{#438609}

[modify] https://crrev.com/7dfa247951db2ccb10b8b5276eb58a33cda4728f/chrome/browser/ui/views/drag_and_drop_interactive_uitest.cc
[modify] https://crrev.com/7dfa247951db2ccb10b8b5276eb58a33cda4728f/content/browser/web_contents/web_contents_view_aura.cc
[modify] https://crrev.com/7dfa247951db2ccb10b8b5276eb58a33cda4728f/content/browser/web_contents/web_contents_view_aura.h
[modify] https://crrev.com/7dfa247951db2ccb10b8b5276eb58a33cda4728f/testing/buildbot/filters/site-per-process.interactive_ui_tests.filter

Comment 11 by creis@chromium.org, Dec 16 2016 

Looks like the Mac CL for this landed in r438911 (https://codereview.chromium.org/2580843003/), which is in today's canary (57.0.2953.0).  Thanks!

Paul, can this be marked fixed now?  Please request a merge to M56 once we're able to verify the fixes on both Windows and Mac.

Comment 12 by paulmeyer@chromium.org, Dec 19 2016

Status: Fixed (was: Started)

Comment 13 by paulmeyer@chromium.org, Dec 19 2016

Labels: Merge-Request-56
Fix is verified in Canary for Windows and Mac.

Comment 14 by dimu@chromium.org, Dec 19 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Project Member

Comment 15 by bugdroid1@chromium.org, Dec 19 2016

Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/13b936546c5148df17caa25ee744d94307ff9e94

commit 13b936546c5148df17caa25ee744d94307ff9e94
Author: Paul Meyer <paulmeyer@chromium.org>
Date: Mon Dec 19 20:31:34 2016

Prevent drag-and-drop events from firing over cross-site, same-page frames.

This is done by storing the source RenderViewHost and RenderProcessHost for each dragstart. Then, for other drag events (like dragover), if the target frame for that event is in the same RenderViewHost, but different RenderProcessHost, than the source, then the event is not fired.

Note that this patch will not affect behavior on Mac, and a subsequent CL will enforce the same thing for Mac.

BUG= 666858 

Review-Url: https://codereview.chromium.org/2568893002
Cr-Commit-Position: refs/heads/master@{#438609}
(cherry picked from commit 7dfa247951db2ccb10b8b5276eb58a33cda4728f)

Review-Url: https://codereview.chromium.org/2590613002 .
Cr-Commit-Position: refs/branch-heads/2924@{#554}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/13b936546c5148df17caa25ee744d94307ff9e94/content/browser/web_contents/web_contents_view_aura.cc
[modify] https://crrev.com/13b936546c5148df17caa25ee744d94307ff9e94/content/browser/web_contents/web_contents_view_aura.h
[modify] https://crrev.com/13b936546c5148df17caa25ee744d94307ff9e94/testing/buildbot/filters/site-per-process.interactive_ui_tests.filter
Project Member

Comment 16 by bugdroid1@chromium.org, Dec 19 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4ac976937b9c8c65e6eeb34678d7a7031fc0fdc3

commit 4ac976937b9c8c65e6eeb34678d7a7031fc0fdc3
Author: Paul Meyer <paulmeyer@chromium.org>
Date: Mon Dec 19 20:40:12 2016

Prevent drag-and-drop events from firing over cross-site, same-page frames.

This is a follow-up to https://codereview.chromium.org/2568893002/,
enabling the same behavior on Mac.

Review-Url: https://codereview.chromium.org/2580843003
Cr-Commit-Position: refs/heads/master@{#438911}
(cherry picked from commit 0678253f9e9c12a1cc704721ae6e013860bb909e)

BUG= 666858 

Review-Url: https://codereview.chromium.org/2589963002 .
Cr-Commit-Position: refs/branch-heads/2924@{#555}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/4ac976937b9c8c65e6eeb34678d7a7031fc0fdc3/content/browser/web_contents/web_contents_view_mac.mm
[modify] https://crrev.com/4ac976937b9c8c65e6eeb34678d7a7031fc0fdc3/content/browser/web_contents/web_drag_dest_mac.h
[modify] https://crrev.com/4ac976937b9c8c65e6eeb34678d7a7031fc0fdc3/content/browser/web_contents/web_drag_dest_mac.mm
Project Member

Comment 17 by sheriffbot@chromium.org, Dec 20 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 18 by sheriffbot@chromium.org, Mar 28 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment