
Issue 864849


Issue metadata

Status: Fixed
Closed: Jul 25
OS: Android
Pri: 2
Type: Bug



Taps on the parent window pass through to an iframe in Android Chrome

Project Member Reported by yunabe@google.com, Jul 18

Issue description

Device name: Nexus 6P

From "Settings > About Chrome"
Application version: 67.0.3396.87
Operating system: Android 8.1.0; Nexus 6P Build/OPM6.171019.030.E1

URLs (if applicable):
    https://iframe-dot-yunabe-gaelab.appspot.com/s/bug110458994.html

Steps to reproduce:
(1) Open https://iframe-dot-yunabe-gaelab.appspot.com/s/bug110458994.html on Android Chrome.
    In the page, the red stripe region is placed in a same-origin iframe and the two blue <div>s are placed in the root window.
    When you tap the red region, the "iframe" counter is incremented. When you tap the blue regions, the "parent" counter is incremented.
    There is a 1px overlap between the two blue regions in the top window.
(2) Tap the border between the two regions
(3) The taps on the blue regions sometimes pass through to the underlying iframe and "iframe" counter is incremented.

Expected result:
    The taps on the blue regions are captured in the root window and "parent" counter is incremented.

Videos: https://www.youtube.com/watch?v=cTaJpao1tLg

Additional information:
    - This bug happens even if "Site Isolation" (*1) is enabled.
      https://www.youtube.com/watch?v=JTdzWw_JK2o
    - This bug happens even if the iframe is cross-domain (https://yunabe-gaelab.appspot.com/s/bug110458994.html)
      https://www.youtube.com/watch?v=adLRQDzfor4
    - However, this bug is NOT reproducible if the iframe is cross domain AND "Site Isolation" is enabled
      https://www.youtube.com/watch?v=xZSsBw5i6wk
    - I found this bug when I was debugging a click-through bug in the AMP project (ampproject.org).
      https://www.youtube.com/watch?v=GRitDseN1GQ

    (*1) https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html

Other browsers tested:
    Mac OSX Chrome 67.0.3396.99 - Not reproducible

    I confirmed this bug is reproducible on
    Nexus 6P, Nexus 5X, ZenFone 3, ZenFone 2 Laser, Essential Phone and Pixel 2.

 
Cc: hayato@chromium.org nzolghadr@chromium.org
Components: Blink>Layout Blink>Input
Components: -Blink>Layout
Labels: Needs-triage-Mobile
Cc: jbanavatu@chromium.org
Labels: -Pri-3 M-69 FoundIn-67 Triaged-Mobile Target-69 FoundIn-68 FoundIn-69 Pri-2 Type-Bug
Status: Untriaged (was: Unconfirmed)
Tested the issue on Android and was able to reproduce it.

Steps Followed:
1. Launch Chrome
2. Navigate to https://iframe-dot-yunabe-gaelab.appspot.com/s/bug110458994.html
3. Tap the border between the two blue regions and observe that the iframe counter is incremented instead of parent.

Chrome versions tested:
60.0.3072.0, 67.0.3396.87(Stable), 69.0.3495.2(Canary)

OS:
Android 8.1.0

Android Devices:
Nexus 6P

This seems to be a Non-Regression issue as the same behavior is seen since M-60. Leaving the issue as Untriaged for further inputs on this issue.

Please navigate to the link below for logs --
go/chrome-androidlogs/864849
 
Thanks!
Cc: sahel@chromium.org
Components: Blink>HitTesting
I can reproduce this reliably with devtools touch emulation whenever the circular cursor overlaps the boundary. This suggests to me it may be a touch adjustment bug. IIRC touch adjustment has some logic to try to ensure the targeted frame is actually top-most at the point that the event gets adjusted to.
Cc: eirage@chromium.org
Owner: eirage@chromium.org
Status: Assigned (was: Untriaged)
Yup, me too. It is easily reproducible with the touch emulation.
Ella has recently worked on some touch adjustment related bugs. Ella, could you take a look at this one too?
I tried resizing the iframe and various divs. The bug happens only when two main-frame fixed-position divs (i.e. blue divs) have a border that lies over the iframe divs (red divs).

Clearly a hittest problem.  Perhaps caused by composited fixed-position layers?

Turning off touch adjustment can fix this, so I think it's because of the touch adjustment.
We do have a point-base hit test after the rect-base one to correct the target, but the second one is an in-frame hit test, which doesn't solve adjusting into a different frame like this one. I am working on a fix for this.

I think the ideal solution is fixing the rect base hit test so we can avoid the additional point-base hit test, but not sure if that's possible :)
Project Member

Comment 9 by bugdroid1@chromium.org, Jul 25

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2bba0c63e575718391fc38f984165ad1e062cbc

commit f2bba0c63e575718391fc38f984165ad1e062cbc
Author: Ella Ge <eirage@chromium.org>
Date: Wed Jul 25 17:01:11 2018

point-base hit-test after touch adjustment in root frame

On touch adjustment, we do a point-base hit test after the rect-base one
to make sure we find the correct target. This cl changes the point-base
hit test from the iframe to the root frame. Because when we have an iframe
overlapped by other elements, rect-base hit test might result in an incorrect
target in the iframe. In-frame hit-test cannot find the correct target
that is outside the iframe. So, we should do the point-base hit-test on
root-frame to find the correct target.

Bug:  864849 
Change-Id: Ib176a68e5c51eba40c504ad90190bec7fb66dccb
Reviewed-on: https://chromium-review.googlesource.com/1145477
Reviewed-by: Navid Zolghadr <nzolghadr@chromium.org>
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Ella Ge <eirage@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577946}
[add] https://crrev.com/f2bba0c63e575718391fc38f984165ad1e062cbc/third_party/WebKit/LayoutTests/fast/events/touch/gesture/gesture-tap-frame-overlap.html
[modify] https://crrev.com/f2bba0c63e575718391fc38f984165ad1e062cbc/third_party/WebKit/LayoutTests/resources/gesture-util.js
[modify] https://crrev.com/f2bba0c63e575718391fc38f984165ad1e062cbc/third_party/blink/renderer/core/input/event_handler.cc

Status: Fixed (was: Assigned)
This issue is not reproducible on latest M70-70.0.3510.0, but still slightly observed on latest M69-69.0.3497.25, verified on Nexus6P / OPM1.171019.011
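
The touch-adjustment flow discussed in this thread, as a simplified model added here (it is not Blink's code and not from any commenter): a rect-based pass picks a candidate, then a point-based pass confirms it either inside the candidate's frame or from the root frame. The element layout, the stop-at-full-cover rule, the largest-overlap scoring and all function names are assumptions of the model.

```javascript
// Constructed layout, bottom-to-top paint order, root-frame pixel coordinates.
// The two blue root-frame divs overlap by 1px (y = 150..151) above the iframe.
const PAGE = [
  { id: "red-in-iframe", frame: "iframe", x: 0, y: 0,   w: 300, h: 400 },
  { id: "blue-top",      frame: "root",   x: 0, y: 100, w: 300, h: 51 },
  { id: "blue-bottom",   frame: "root",   x: 0, y: 150, w: 300, h: 50 },
];

const contains = (e, p) =>
  p.x >= e.x && p.x < e.x + e.w && p.y >= e.y && p.y < e.y + e.h;

// Intersection of element e with rect r, or null when they do not overlap.
function overlap(e, r) {
  const x1 = Math.max(e.x, r.x), y1 = Math.max(e.y, r.y);
  const x2 = Math.min(e.x + e.w, r.x + r.w), y2 = Math.min(e.y + e.h, r.y + r.h);
  return x2 > x1 && y2 > y1 ? { x: x1, y: y1, w: x2 - x1, h: y2 - y1 } : null;
}

// Point-based hit test: topmost element at p. With `frame` set, only that
// frame's own content is visible to the test (the in-frame variant).
function pointHitTest(elements, p, frame) {
  const hits = elements.filter(e => (!frame || e.frame === frame) && contains(e, p));
  return hits.length ? hits[hits.length - 1] : null;
}

// Rect-based pass: walk top-down, collecting every element the touch rect
// intersects, and stop at one that covers the whole rect (model assumption).
function rectCandidates(elements, touch) {
  const out = [];
  for (const e of [...elements].reverse()) {
    const o = overlap(e, touch);
    if (!o) continue;
    out.push({ e, o });
    if (o.w === touch.w && o.h === touch.h) break;
  }
  return out;
}

// secondPass: "in-frame" models the old behaviour, "root" the fixed one.
function adjustedTapTarget(elements, tap, radius, secondPass) {
  const touch = { x: tap.x - radius, y: tap.y - radius, w: 2 * radius, h: 2 * radius };
  const cands = rectCandidates(elements, touch);
  if (!cands.length) return null;
  // Stand-in scoring: the candidate covering most of the touch rect wins.
  const best = cands.reduce((a, b) => (b.o.w * b.o.h > a.o.w * a.o.h ? b : a));
  const p = { x: best.o.x + best.o.w / 2, y: best.o.y + best.o.h / 2 };
  const frame = secondPass === "in-frame" ? best.e.frame : undefined;
  return pointHitTest(elements, p, frame).id;
}
```

With a tap at (150, 150) and a 10px radius, the in-frame second pass returns `red-in-iframe` while the root-frame second pass returns `blue-bottom`; a tap well inside one blue div resolves to that div in both modes.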

 
