OOPIF extension subframes are missing JS bindings in some cases |
|||
Issue descriptionWhat steps will reproduce the problem? (1) Install oopif-demo extension from https://bugs.chromium.org/p/chromium/issues/detail?id=487872#c4 (2) Make sure there isn't an existing extension process running for this extension. (3) Go to http://csreis.github.io/tests/cross-site-iframe.html. (4) Navigate the subframe to (web-accessible) extension page from DevTools, e.g.: frames[0].location = "chrome-extension://ifheaekpohcmgkgdjnpiogkcohpanmok/options.html" Alternatively, just go to https://www.chromium.org/, which has an OOPIF from that extension injected on the bottom. (5) Inspect the OOPIF with devtools and check "chrome.windows". What is the expected result? chrome.windows points to a valid object. E.g., chrome.windows.create() opens a new window. What happens instead? chrome.windows is undefined. If you navigate to that extension options.html URL in a main frame, the JS bindings work. Similarly, if you do that before step (3), the subframe will go into the existing extension process, and again the bindings will work fine. I suspect because of this, this issue won't affect extensions with background pages (the one from step 1 doesn't have one). It appears that in some cases, extensions JS bindings are injected in response to a RenderViewCreated notification: ExtensionWebContentsObserver::RenderViewCreated -> RendererStartupHelper::ActivateExtensionInProcess puts the RVH's process into pending_active_extensions_, which is later referenced to send ExtensionMsg_ActivateExtension. However, WebContentsImpl::RenderViewCreated does *not* dispatch RenderViewCreated for inactive RVHs: // Don't send notifications if we are just creating a swapped-out RVH for // the opener chain. These won't be used for view-source or WebUI, so it's // ok to return early. if (!static_cast<RenderViewHostImpl*>(render_view_host)->is_active()) return; So, if the RVH is created in swapped-out state, as is the case for an extension OOPIF, RendererStartupHelper will never learn about it. :( There are a few things going on here with RenderViewCreated that we might want to fix, and it likely affects other observers as well. 1. For this particular case, should this go through RenderFrameCreated instead? 2. Should we be also dispatching RenderViewCreated for swapped-out RVHs? There are many other observers affected, and I'd guess some of them can't deal with the RVH being swapped-out, so this seems risky. But cases like this show that we might also have other bugs here. 3. Should we be at least dispatching RenderViewCreated when a swapped-out RVH becomes active, for example after a remote-to-local main frame navigation in an opener tab? We don't seem to do that either. I found this while experimenting with always doing remote-to-local transitions on cross-process navigations as part of issue 756790, which means that in those cases the RVH will start swapped-out and transition to active when the main frame commits. I reproed this on both Mac and Windows canary (62.0.3199.0).
,
Aug 30 2017
,
Aug 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/393b9789bd7930474ce268bd7c29b3e3b54ff31c commit 393b9789bd7930474ce268bd7c29b3e3b54ff31c Author: Alex Moshchuk <alexmos@chromium.org> Date: Thu Aug 31 20:16:29 2017 Move extension process init from RenderViewCreated to RenderFrameCreated Previously, extension activation was performed via ExtensionWebContentsObserver::RenderViewCreated. This does not work correctly for cases like a remote-to-local navigation to an extension URL, where a RenderViewHost starts out as inactive and then transitions to active. This was breaking a few tests in https://chromium-review.googlesource.com/c/chromium/src/+/636786, like ExtensionBrowserTest.WindowOpenNoPrivileges. This CL moves this path to RenderFrameCreated. For now, RenderFrameCreated performs process init only for main frames, which matches previous behavior. Eventually we should probably do this for subframes as well, which will be needed to fix missing JS bindings in extension OOPIFs in issue 760341 . Bug: 760341 ,304341 Change-Id: Ia21005f6d2e070fb0a5c5d3392f99208bf4e09b2 Reviewed-on: https://chromium-review.googlesource.com/641818 Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Michael Wasserman <msw@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#498971} [modify] https://crrev.com/393b9789bd7930474ce268bd7c29b3e3b54ff31c/chrome/browser/extensions/chrome_extension_web_contents_observer.cc [modify] https://crrev.com/393b9789bd7930474ce268bd7c29b3e3b54ff31c/chrome/browser/extensions/chrome_extension_web_contents_observer.h [modify] https://crrev.com/393b9789bd7930474ce268bd7c29b3e3b54ff31c/chrome/browser/ui/toolbar/toolbar_model_unittest.cc [modify] https://crrev.com/393b9789bd7930474ce268bd7c29b3e3b54ff31c/chrome/browser/ui/webui/settings/site_settings_handler_unittest.cc [modify] https://crrev.com/393b9789bd7930474ce268bd7c29b3e3b54ff31c/extensions/browser/extension_web_contents_observer.cc [modify] https://crrev.com/393b9789bd7930474ce268bd7c29b3e3b54ff31c/extensions/browser/extension_web_contents_observer.h
,
Oct 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e63b9e9f5df48dbe42c497d6cb2eecd1201364be commit e63b9e9f5df48dbe42c497d6cb2eecd1201364be Author: Alex Moshchuk <alexmos@chromium.org> Date: Sat Oct 14 00:27:22 2017 [Extensions] Call ActivateExtensionInProcess for all frames. Previously, only extension main frames sent ExtensionMsg_ActivateExtension, which led to extension OOPIFs missing proper JS bindings in some cases, depending on whether the extension was or was not previously activated by, for example, a background page. Now that --isolate-extensions is shipped, and extension subframes always run in the extension process, we can activate all extension frames, not just main frames. This will ensure that extension OOPIFs are always getting proper JS bindings. Bug: 760341 Change-Id: If9d071e07672f9463d5725ef6e38cc076b188534 Reviewed-on: https://chromium-review.googlesource.com/709937 Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#508890} [modify] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/chrome/browser/extensions/chrome_app_api_browsertest.cc [modify] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/chrome/browser/extensions/extension_bindings_apitest.cc [modify] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/chrome/common/extensions/api/_api_features.json [add] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/chrome/test/data/extensions/api_test/bindings/extension_subframe_gets_bindings/manifest.json [add] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/chrome/test/data/extensions/api_test/bindings/extension_subframe_gets_bindings/page.html [add] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/chrome/test/data/extensions/api_test/bindings/extension_subframe_gets_bindings/page.js [modify] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/extensions/browser/extension_web_contents_observer.cc [modify] https://crrev.com/e63b9e9f5df48dbe42c497d6cb2eecd1201364be/extensions/renderer/dispatcher.cc
,
Oct 16 2017
I've rechecked the repro steps on Mac canary 64.0.3241.0, which has the fix in c#4, and the OOPIF bindings work properly now. |
|||
►
Sign in to add a comment |
|||
Comment 1 by alex...@chromium.org
, Aug 30 2017Owner: alex...@chromium.org
Status: Started (was: Available)