// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/frame_host/render_frame_host_impl.h"
#include <algorithm>
#include <utility>
#include "base/bind.h"
#include "base/command_line.h"
#include "base/containers/hash_tables.h"
#include "base/containers/queue.h"
#include "base/debug/alias.h"
#include "base/lazy_instance.h"
#include "base/memory/ptr_util.h"
#include "base/memory/ref_counted.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/metrics/metrics_hashes.h"
#include "base/metrics/user_metrics.h"
#include "base/numerics/safe_conversions.h"
#include "base/process/kill.h"
#include "base/stl_util.h"
#include "base/task/post_task.h"
#include "base/threading/thread_task_runner_handle.h"
#include "base/time/time.h"
#include "base/trace_event/traced_value.h"
#include "build/build_config.h"
#include "cc/base/switches.h"
#include "content/browser/accessibility/browser_accessibility_manager.h"
#include "content/browser/accessibility/browser_accessibility_state_impl.h"
#include "content/browser/background_fetch/background_fetch_service_impl.h"
#include "content/browser/bluetooth/web_bluetooth_service_impl.h"
#include "content/browser/browser_main_loop.h"
#include "content/browser/child_process_security_policy_impl.h"
#include "content/browser/contacts/contacts_manager_impl.h"
#include "content/browser/devtools/devtools_instrumentation.h"
#include "content/browser/dom_storage/dom_storage_context_wrapper.h"
#include "content/browser/download/mhtml_generation_manager.h"
#include "content/browser/file_url_loader_factory.h"
#include "content/browser/fileapi/file_system_manager_impl.h"
#include "content/browser/fileapi/file_system_url_loader_factory.h"
#include "content/browser/frame_host/cross_process_frame_connector.h"
#include "content/browser/frame_host/debug_urls.h"
#include "content/browser/frame_host/frame_tree.h"
#include "content/browser/frame_host/frame_tree_node.h"
#include "content/browser/frame_host/input/input_injector_impl.h"
#include "content/browser/frame_host/keep_alive_handle_factory.h"
#include "content/browser/frame_host/navigation_entry_impl.h"
#include "content/browser/frame_host/navigation_handle_impl.h"
#include "content/browser/frame_host/navigation_request.h"
#include "content/browser/frame_host/navigator.h"
#include "content/browser/frame_host/navigator_impl.h"
#include "content/browser/frame_host/render_frame_host_delegate.h"
#include "content/browser/frame_host/render_frame_proxy_host.h"
#include "content/browser/generic_sensor/sensor_provider_proxy_impl.h"
#include "content/browser/geolocation/geolocation_service_impl.h"
#include "content/browser/image_capture/image_capture_impl.h"
#include "content/browser/installedapp/installed_app_provider_impl_default.h"
#include "content/browser/interface_provider_filtering.h"
#include "content/browser/keyboard_lock/keyboard_lock_service_impl.h"
#include "content/browser/loader/prefetch_url_loader_service.h"
#include "content/browser/loader/resource_dispatcher_host_impl.h"
#include "content/browser/loader/resource_scheduler_filter.h"
#include "content/browser/media/capture/audio_mirroring_manager.h"
#include "content/browser/media/media_interface_proxy.h"
#include "content/browser/media/session/media_session_service_impl.h"
#include "content/browser/media/webaudio/audio_context_manager_impl.h"
#include "content/browser/payments/payment_app_context_impl.h"
#include "content/browser/permissions/permission_controller_impl.h"
#include "content/browser/permissions/permission_service_context.h"
#include "content/browser/permissions/permission_service_impl.h"
#include "content/browser/portal/portal.h"
#include "content/browser/presentation/presentation_service_impl.h"
#include "content/browser/quota_dispatcher_host.h"
#include "content/browser/renderer_host/dip_util.h"
#include "content/browser/renderer_host/input/input_router.h"
#include "content/browser/renderer_host/input/timeout_monitor.h"
#include "content/browser/renderer_host/media/audio_input_delegate_impl.h"
#include "content/browser/renderer_host/media/media_devices_dispatcher_host.h"
#include "content/browser/renderer_host/media/media_stream_dispatcher_host.h"
#include "content/browser/renderer_host/render_process_host_impl.h"
#include "content/browser/renderer_host/render_view_host_delegate.h"
#include "content/browser/renderer_host/render_view_host_delegate_view.h"
#include "content/browser/renderer_host/render_view_host_impl.h"
#include "content/browser/renderer_host/render_widget_host_factory.h"
#include "content/browser/renderer_host/render_widget_host_impl.h"
#include "content/browser/renderer_host/render_widget_host_view_base.h"
#include "content/browser/renderer_host/render_widget_host_view_child_frame.h"
#include "content/browser/renderer_interface_binders.h"
#include "content/browser/scoped_active_url.h"
#include "content/browser/speech/speech_recognition_dispatcher_host.h"
#include "content/browser/storage_partition_impl.h"
#include "content/browser/wake_lock/wake_lock_service_impl.h"
#include "content/browser/webauth/authenticator_impl.h"
#include "content/browser/webauth/scoped_virtual_authenticator_environment.h"
#include "content/browser/websockets/websocket_manager.h"
#include "content/browser/webui/url_data_manager_backend.h"
#include "content/browser/webui/web_ui_controller_factory_registry.h"
#include "content/browser/webui/web_ui_url_loader_factory_internal.h"
#include "content/browser/worker_host/dedicated_worker_host.h"
#include "content/browser/worker_host/shared_worker_connector_impl.h"
#include "content/browser/worker_host/shared_worker_service_impl.h"
#include "content/common/accessibility_messages.h"
#include "content/common/associated_interfaces.mojom.h"
#include "content/common/content_security_policy/content_security_policy.h"
#include "content/common/frame_messages.h"
#include "content/common/frame_owner_properties.h"
#include "content/common/input/input_handler.mojom.h"
#include "content/common/inter_process_time_ticks_converter.h"
#include "content/common/navigation_params.h"
#include "content/common/navigation_subresource_loader_params.h"
#include "content/common/render_message_filter.mojom.h"
#include "content/common/renderer.mojom.h"
#include "content/common/swapped_out_messages.h"
#include "content/common/url_loader_factory_bundle.mojom.h"
#include "content/common/widget.mojom.h"
#include "content/public/browser/ax_event_notification_details.h"
#include "content/public/browser/browser_accessibility_state.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/browser_plugin_guest_manager.h"
#include "content/public/browser/browser_task_traits.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/file_select_listener.h"
#include "content/public/browser/network_service_instance.h"
#include "content/public/browser/page_visibility_state.h"
#include "content/public/browser/permission_type.h"
#include "content/public/browser/render_process_host.h"
#include "content/public/browser/render_widget_host_view.h"
#include "content/public/browser/shared_cors_origin_access_list.h"
#include "content/public/browser/site_isolation_policy.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/browser/stream_handle.h"
#include "content/public/browser/webvr_service_provider.h"
#include "content/public/common/bindings_policy.h"
#include "content/public/common/content_constants.h"
#include "content/public/common/content_features.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/isolated_world_ids.h"
#include "content/public/common/mime_handler_view_mode.h"
#include "content/public/common/navigation_policy.h"
#include "content/public/common/network_service_util.h"
#include "content/public/common/referrer_type_converters.h"
#include "content/public/common/service_manager_connection.h"
#include "content/public/common/service_names.mojom.h"
#include "content/public/common/url_constants.h"
#include "content/public/common/url_utils.h"
#include "device/gamepad/gamepad_monitor.h"
#include "device/vr/public/mojom/vr_service.mojom.h"
#include "media/audio/audio_manager.h"
#include "media/base/media_switches.h"
#include "media/base/user_input_monitor.h"
#include "media/media_buildflags.h"
#include "media/mojo/interfaces/remoting.mojom.h"
#include "media/mojo/services/media_interface_provider.h"
#include "media/mojo/services/media_metrics_provider.h"
#include "media/mojo/services/video_decode_perf_history.h"
#include "mojo/public/cpp/bindings/associated_interface_ptr.h"
#include "mojo/public/cpp/bindings/interface_request.h"
#include "mojo/public/cpp/bindings/message.h"
#include "mojo/public/cpp/bindings/strong_binding.h"
#include "mojo/public/cpp/system/data_pipe.h"
#include "net/url_request/url_request_context.h"
#include "services/device/public/cpp/device_features.h"
#include "services/device/public/mojom/sensor_provider.mojom.h"
#include "services/device/public/mojom/wake_lock.mojom.h"
#include "services/device/public/mojom/wake_lock_context.mojom.h"
#include "services/network/public/cpp/features.h"
#include "services/network/public/cpp/wrapper_shared_url_loader_factory.h"
#include "services/network/public/mojom/network_service.mojom.h"
#include "services/resource_coordinator/public/cpp/resource_coordinator_features.h"
#include "services/service_manager/public/cpp/connector.h"
#include "services/service_manager/public/cpp/interface_provider.h"
#include "storage/browser/blob/blob_storage_context.h"
#include "third_party/blink/public/common/associated_interfaces/associated_interface_provider.h"
#include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h"
#include "third_party/blink/public/common/blob/blob_utils.h"
#include "third_party/blink/public/common/feature_policy/feature_policy.h"
#include "third_party/blink/public/common/features.h"
#include "third_party/blink/public/common/frame/frame_policy.h"
#include "third_party/blink/public/mojom/service_worker/service_worker_object.mojom.h"
#include "third_party/blink/public/mojom/usb/web_usb_service.mojom.h"
#include "third_party/blink/public/platform/modules/webauthn/virtual_authenticator.mojom.h"
#include "ui/accessibility/ax_tree.h"
#include "ui/accessibility/ax_tree_id_registry.h"
#include "ui/accessibility/ax_tree_update.h"
#include "ui/gfx/geometry/quad_f.h"
#include "url/gurl.h"
#include "url/origin.h"
#include "url/url_constants.h"
#if defined(OS_ANDROID)
#include "content/browser/android/content_url_loader_factory.h"
#include "content/browser/android/java_interfaces_impl.h"
#include "content/browser/frame_host/render_frame_host_android.h"
#include "content/public/browser/android/java_interfaces.h"
#endif
#if defined(OS_MACOSX)
#include "content/browser/frame_host/popup_menu_helper_mac.h"
#endif
using base::TimeDelta;
namespace content {
namespace {
#if defined(OS_ANDROID)
// Self-referential sentinel: the value is the variable's own address, so it
// compares unequal to every other pointer.
// NOTE(review): presumably a lookup key for the Android peer object; its use
// is not visible in this part of the file.
const void* const kRenderFrameHostAndroidKey = &kRenderFrameHostAndroidKey;
#endif  // OS_ANDROID

// The next value to use for the accessibility reset token.
int g_next_accessibility_reset_token = 1;

// The next value to use for the javascript callback id.
int g_next_javascript_callback_id = 1;

#if defined(OS_ANDROID) || defined(OS_FUCHSIA)
// Whether to allow injecting javascript into any kind of frame, for Android
// WebView and Fuchsia web.ContextProvider. Starts out false and is only ever
// set to true (by RenderFrameHost::AllowInjectingJavaScript()); nothing in
// this part of the file turns it back off.
bool g_allow_injecting_javascript = false;
#endif

// The (process id, routing id) pair that identifies one RenderFrame.
using RenderFrameHostID = std::pair<int32_t, int32_t>;

// Registry of live frame hosts keyed by (process id, routing id). The
// RenderFrameHostImpl constructor inserts into it and FromID() reads it.
using RoutingIDFrameMap =
    base::hash_map<RenderFrameHostID, RenderFrameHostImpl*>;
base::LazyInstance<RoutingIDFrameMap>::DestructorAtExit g_routing_id_frame_map =
    LAZY_INSTANCE_INITIALIZER;

// Test-only override installed through SetNetworkFactoryForTesting().
base::LazyInstance<RenderFrameHostImpl::CreateNetworkFactoryCallback>::Leaky
    g_create_network_factory_callback_for_test = LAZY_INSTANCE_INITIALIZER;

// Registry of frame hosts keyed by an unguessable token; read by
// FromOverlayRoutingToken().
using TokenFrameMap = base::hash_map<base::UnguessableToken,
                                     RenderFrameHostImpl*,
                                     base::UnguessableTokenHash>;
base::LazyInstance<TokenFrameMap>::Leaky g_token_frame_map =
    LAZY_INSTANCE_INITIALIZER;
// Maps a WebKit (Blink) text direction onto the matching base::i18n value.
// Only left-to-right and right-to-left are expected; any other input trips
// NOTREACHED() and falls back to UNKNOWN_DIRECTION.
base::i18n::TextDirection WebTextDirectionToChromeTextDirection(
    blink::WebTextDirection dir) {
  if (dir == blink::kWebTextDirectionLeftToRight)
    return base::i18n::LEFT_TO_RIGHT;
  if (dir == blink::kWebTextDirectionRightToLeft)
    return base::i18n::RIGHT_TO_LEFT;

  NOTREACHED();
  return base::i18n::UNKNOWN_DIRECTION;
}
// Scope guard for DidCommitProvisionalLoad. Unless disable() has been called,
// the destructor resets the frame host's nav_entry_id_ to 0, so every early
// return taken by a failed validation clears it. Call disable() once the
// commit is known to be successful. Clearing nav_entry_id_ keeps the browser
// from acting on UpdateState or UpdateTitle messages that arrive after an
// ignored commit.
class ScopedCommitStateResetter {
 public:
  // |render_frame_host| is dereferenced in the destructor, so it has to stay
  // valid for the lifetime of this guard.
  explicit ScopedCommitStateResetter(RenderFrameHostImpl* render_frame_host)
      : render_frame_host_(render_frame_host) {}

  ~ScopedCommitStateResetter() {
    if (disabled_)
      return;
    render_frame_host_->set_nav_entry_id(0);
  }

  // Turns the destructor into a no-op.
  void disable() { disabled_ = true; }

 private:
  RenderFrameHostImpl* render_frame_host_;
  bool disabled_ = false;
};
// Gives the child process |child_id| read access to each path in |file_paths|
// that it cannot read already.
// NOTE(review): the paths are not validated here, so every caller has to make
// sure they were chosen or vetted by the browser and not taken verbatim from
// a renderer message - confirm at the call sites.
void GrantFileAccess(int child_id,
                     const std::vector<base::FilePath>& file_paths) {
  auto* const security_policy = ChildProcessSecurityPolicyImpl::GetInstance();
  for (const base::FilePath& path : file_paths) {
    const bool already_readable = security_policy->CanReadFile(child_id, path);
    if (already_readable)
      continue;
    security_policy->GrantReadFile(child_id, path);
  }
}
#if BUILDFLAG(ENABLE_MEDIA_REMOTING)
// RemoterFactory that forwards Create() calls to the ContentBrowserClient.
//
// Create() can arrive at any time, possibly from a stray task that runs after
// the RenderFrameHost has been destroyed. For that reason the factory keeps
// only the process/routing IDs, which act as a weak reference: the frame host
// is looked up again on every call and the call is dropped if it is gone.
class RemoterFactoryImpl final : public media::mojom::RemoterFactory {
 public:
  RemoterFactoryImpl(int process_id, int routing_id)
      : process_id_(process_id), routing_id_(routing_id) {}

  // Creates a factory for the given frame IDs and hands its ownership to a
  // strong binding on |request|.
  static void Bind(int process_id,
                   int routing_id,
                   media::mojom::RemoterFactoryRequest request) {
    auto factory = std::make_unique<RemoterFactoryImpl>(process_id, routing_id);
    mojo::MakeStrongBinding(std::move(factory), std::move(request));
  }

 private:
  // media::mojom::RemoterFactory:
  void Create(media::mojom::RemotingSourcePtr source,
              media::mojom::RemoterRequest request) final {
    RenderFrameHostImpl* const host =
        RenderFrameHostImpl::FromID(process_id_, routing_id_);
    if (!host)
      return;  // The frame no longer exists; |source| and |request| are dropped.
    GetContentClient()->browser()->CreateMediaRemoter(host, std::move(source),
                                                      std::move(request));
  }

  const int process_id_;
  const int routing_id_;

  DISALLOW_COPY_AND_ASSIGN(RemoterFactoryImpl);
};
#endif // BUILDFLAG(ENABLE_MEDIA_REMOTING)
// Binds |request| to the frame resource coordinator of |render_frame_host|.
// |render_frame_host| is dereferenced unconditionally and must not be null.
void CreateFrameResourceCoordinator(
    RenderFrameHostImpl* render_frame_host,
    resource_coordinator::mojom::FrameCoordinationUnitRequest request) {
  auto* coordinator = render_frame_host->GetFrameResourceCoordinator();
  coordinator->AddBinding(std::move(request));
}
using FrameNotifyCallback =
    base::RepeatingCallback<void(ResourceDispatcherHostImpl*,
                                 const GlobalFrameRoutingId&)>;

// The following functions simplify code paths where the UI thread notifies the
// ResourceDispatcherHostImpl of information pertaining to loading behavior of
// frame hosts.

// IO-thread half: runs |frame_callback| once per entry of |routing_ids|,
// passing the ResourceDispatcherHostImpl singleton. Does nothing when the
// singleton is not available.
void NotifyRouteChangesOnIO(
    const FrameNotifyCallback& frame_callback,
    std::unique_ptr<std::set<GlobalFrameRoutingId>> routing_ids) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  ResourceDispatcherHostImpl* const dispatcher_host =
      ResourceDispatcherHostImpl::Get();
  if (dispatcher_host) {
    for (const GlobalFrameRoutingId& id : *routing_ids)
      frame_callback.Run(dispatcher_host, id);
  }
}
// UI-thread half: collects the global routing IDs of the current and the
// speculative frame host of every node in the tree rooted at
// |root_frame_host|, then posts NotifyRouteChangesOnIO to the IO thread with
// that set. Only IDs cross the thread boundary, never frame host pointers.
// |root_frame_host| must be the main frame of its tree (DCHECKed).
void NotifyForEachFrameFromUI(RenderFrameHostImpl* root_frame_host,
                              const FrameNotifyCallback& frame_callback) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  FrameTree* const tree = root_frame_host->frame_tree_node()->frame_tree();
  DCHECK_EQ(root_frame_host, tree->GetMainFrame());

  auto collected_ids = std::make_unique<std::set<GlobalFrameRoutingId>>();
  for (FrameTreeNode* node : tree->Nodes()) {
    RenderFrameHostImpl* const current = node->current_frame_host();
    RenderFrameHostImpl* const speculative =
        node->render_manager()->speculative_frame_host();
    // Either host may be absent for a given node.
    if (current)
      collected_ids->insert(current->GetGlobalFrameRoutingId());
    if (speculative)
      collected_ids->insert(speculative->GetGlobalFrameRoutingId());
  }

  auto io_task = base::BindOnce(&NotifyRouteChangesOnIO, frame_callback,
                                std::move(collected_ids));
  base::PostTaskWithTraits(FROM_HERE, {BrowserThread::IO}, std::move(io_task));
}
using FrameCallback = base::RepeatingCallback<void(RenderFrameHostImpl*)>;

// Runs |frame_callback| on the current frame host and then on the speculative
// frame host of every node in the tree rooted at |root_frame_host|, skipping
// hosts that are null. Both pointers of a node are read before the callback
// runs for either of them. UI thread only; |root_frame_host| must be the main
// frame of its tree (DCHECKed).
void ForEachFrame(RenderFrameHostImpl* root_frame_host,
                  const FrameCallback& frame_callback) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  FrameTree* const tree = root_frame_host->frame_tree_node()->frame_tree();
  DCHECK_EQ(root_frame_host, tree->GetMainFrame());

  for (FrameTreeNode* node : tree->Nodes()) {
    // Braced initialisation evaluates left to right: current host first, then
    // the speculative one.
    RenderFrameHostImpl* const hosts[] = {
        node->current_frame_host(),
        node->render_manager()->speculative_frame_host()};
    for (RenderFrameHostImpl* host : hosts) {
      if (host)
        frame_callback.Run(host);
    }
  }
}
// Resolves (|process_id|, |routing_id|) to a frame host or, failing that, to a
// frame proxy host.
//
// |*rfh| is always written (null when no frame host matches). |*rfph| is
// written only when no frame host was found; otherwise it is left untouched,
// so callers need to initialise it themselves before the call.
void LookupRenderFrameHostOrProxy(int process_id,
                                  int routing_id,
                                  RenderFrameHostImpl** rfh,
                                  RenderFrameProxyHost** rfph) {
  RenderFrameHostImpl* const frame_host =
      RenderFrameHostImpl::FromID(process_id, routing_id);
  *rfh = frame_host;
  if (frame_host)
    return;
  *rfph = RenderFrameProxyHost::FromID(process_id, routing_id);
}
// For a main-frame page transition, posts
// ResourceSchedulerFilter::OnDidCommitMainframeNavigation to the IO thread
// with |render_process_id| and the render view routing ID from |params|.
// Other transitions are ignored.
void NotifyResourceSchedulerOfNavigation(
    int render_process_id,
    const FrameHostMsg_DidCommitProvisionalLoad_Params& params) {
  // TODO(csharrison): This isn't quite right for OOPIF, as we *do* want to
  // propagate OnNavigate to the client associated with the OOPIF's RVH. This
  // should not result in show-stopping bugs, just poorer loading performance.
  const bool is_main_frame_transition =
      ui::PageTransitionIsMainFrame(params.transition);
  if (is_main_frame_transition) {
    base::PostTaskWithTraits(
        FROM_HERE, {BrowserThread::IO},
        base::BindOnce(&ResourceSchedulerFilter::OnDidCommitMainframeNavigation,
                       render_process_id, params.render_view_routing_id));
  }
}
// Reduces the metric-name hash of a Mojo interface |name| to its lower 31
// bits, which always fit a non-negative int32_t, and returns that as a
// histogram sample.
base::Histogram::Sample HashInterfaceNameToHistogramSample(
    base::StringPiece name) {
  const auto masked_hash = base::HashMetricName(name) & 0x7fffffffull;
  const int32_t low_31_bits = static_cast<int32_t>(masked_hash);
  return base::strict_cast<base::Histogram::Sample>(low_31_bits);
}
// Records |site_url| in the "current_site_url" crash key so that a renderer
// kill can be understood from the crash report. Note that the commit URL is
// already reported in a crash key, and additional keys are logged in
// RenderProcessHostImpl::ShutdownForBadMessage.
//
// The key is allocated once, on first use, with the Size64 size class.
// NOTE(review): the site URL therefore ends up in crash reports; treat it as
// user data when those reports are handled.
void LogRendererKillCrashKeys(const GURL& site_url) {
  static auto* const crash_key = base::debug::AllocateCrashKeyString(
      "current_site_url", base::debug::CrashKeySize::Size64);
  base::debug::SetCrashKeyString(crash_key, site_url.spec());
}
// Picks the origin that a URLLoaderFactory created for a navigation to
// |target_url| should be associated with.
//
// Returns base::nullopt only for about: URLs when dedicated processes are not
// used for all sites; in every other case an origin is returned.
base::Optional<url::Origin> GetOriginForURLLoaderFactory(
    GURL target_url,
    SiteInstanceImpl* site_instance) {
  const bool is_about_url = target_url.SchemeIs(url::kAboutScheme);
  if (!is_about_url) {
    // URLLoaderFactory should be associated with the origin of |target_url|.
    // This works fine for all URLs, including data: URLs (which should use an
    // opaque origin for their subresource requests) and blob: URLs (which
    // embed their origin inside the |target_url|).
    return url::Origin::Create(target_url);
  }

  // TODO(lukasza, nasko): https://crbug.com/888079: Use exact origin, instead
  // of falling back to site URL for about:blank and about:srcdoc.
  if (!SiteIsolationPolicy::UseDedicatedProcessesForAllSites())
    return base::nullopt;
  // The site URL is coarser than the exact origin (see the TODO above).
  return url::Origin::Create(site_instance->GetSiteURL());
}
// Returns the connector of this process's ServiceManagerConnection, or null
// when the process has no such connection.
service_manager::Connector* MaybeGetConnectorForProcess() {
  auto* const process_connection = ServiceManagerConnection::GetForProcess();
  return process_connection ? process_connection->GetConnector() : nullptr;
}
// Clones |bundle| and returns the clone as a URLLoaderFactoryBundleInfo.
// NOTE(review): the static_cast is unchecked; it relies on
// URLLoaderFactoryBundle::Clone() actually producing a
// URLLoaderFactoryBundleInfo - confirm against that class.
std::unique_ptr<URLLoaderFactoryBundleInfo> CloneFactoryBundle(
    scoped_refptr<URLLoaderFactoryBundle> bundle) {
  auto cloned_info = bundle->Clone();
  // Ownership moves from |cloned_info| to the returned unique_ptr.
  auto* const bundle_info =
      static_cast<URLLoaderFactoryBundleInfo*>(cloned_info.release());
  return base::WrapUnique(bundle_info);
}
} // namespace
// InterfaceProvider that serves no interfaces: every GetInterface() call is
// counted and logged, and the message pipe is dropped. The total number of
// dropped requests is reported to UMA when the logger is destroyed.
class RenderFrameHostImpl::DroppedInterfaceRequestLogger
    : public service_manager::mojom::InterfaceProvider {
 public:
  // Binds this logger to |request|.
  DroppedInterfaceRequestLogger(
      service_manager::mojom::InterfaceProviderRequest request)
      : binding_(this, std::move(request)) {}

  ~DroppedInterfaceRequestLogger() override {
    UMA_HISTOGRAM_EXACT_LINEAR("RenderFrameHostImpl.DroppedInterfaceRequests",
                               num_dropped_requests_, 20);
  }

 protected:
  // service_manager::mojom::InterfaceProvider:
  void GetInterface(const std::string& interface_name,
                    mojo::ScopedMessagePipeHandle pipe) override {
    // |pipe| is intentionally left unused; it is closed when it goes out of
    // scope, so the request is never served.
    const base::Histogram::Sample name_sample =
        HashInterfaceNameToHistogramSample(interface_name);
    base::UmaHistogramSparse("RenderFrameHostImpl.DroppedInterfaceRequestName",
                             name_sample);
    ++num_dropped_requests_;
    DLOG(WARNING)
        << "InterfaceRequest was dropped, the document is no longer active: "
        << interface_name;
  }

 private:
  mojo::Binding<service_manager::mojom::InterfaceProvider> binding_;
  int num_dropped_requests_ = 0;

  DISALLOW_COPY_AND_ASSIGN(DroppedInterfaceRequestLogger);
};
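// Value bundle holding the five arguments its constructor takes.
// NOTE(review): presumably the state of a navigation that has been requested
// but not started yet; where it is stored and consumed is not visible in this
// part of the file.
struct PendingNavigation {
  CommonNavigationParams common_params;
  mojom::BeginNavigationParamsPtr begin_navigation_params;
  scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory;
  mojom::NavigationClientAssociatedPtrInfo navigation_client;
  blink::mojom::NavigationInitiatorPtr navigation_initiator;

  PendingNavigation(
      CommonNavigationParams common_params,
      mojom::BeginNavigationParamsPtr begin_navigation_params,
      scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory,
      mojom::NavigationClientAssociatedPtrInfo navigation_client,
      blink::mojom::NavigationInitiatorPtr navigation_initiator);
};

// Every argument is taken by value and moved into the member of the same
// name. |common_params| used to be copied a second time here; moving it is
// consistent with the other four members and falls back to a copy if the type
// has no move constructor.
PendingNavigation::PendingNavigation(
    CommonNavigationParams common_params,
    mojom::BeginNavigationParamsPtr begin_navigation_params,
    scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory,
    mojom::NavigationClientAssociatedPtrInfo navigation_client,
    blink::mojom::NavigationInitiatorPtr navigation_initiator)
    : common_params(std::move(common_params)),
      begin_navigation_params(std::move(begin_navigation_params)),
      blob_url_loader_factory(std::move(blob_url_loader_factory)),
      navigation_client(std::move(navigation_client)),
      navigation_initiator(std::move(navigation_initiator)) {}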
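// An implementation of blink::mojom::FileChooser and FileSelectListener
// associated to RenderFrameHost.
//
// Lifetime: Create() hands the object to a mojo strong binding, while the
// WebContentsObserver callbacks below clear |render_frame_host_| when the
// frame is swapped or deleted or the WebContents is destroyed. The object can
// therefore still receive messages after its frame is gone, and every entry
// point has to check |render_frame_host_| before dereferencing it.
//
// Trust boundary: OpenFileChooser() and EnumerateChosenDirectory() carry
// renderer-supplied arguments. FileSelected() and FileSelectionCanceled()
// are reached only through the ListenerProxy handed to the delegate.
class FileChooserImpl : public blink::mojom::FileChooser,
                        public content::WebContentsObserver {
  using FileChooserResult = blink::mojom::FileChooserResult;

 public:
  // Creates a FileChooserImpl for |render_frame_host| whose lifetime is tied
  // to |request| through a strong binding.
  static void Create(RenderFrameHostImpl* render_frame_host,
                     blink::mojom::FileChooserRequest request) {
    mojo::MakeStrongBinding(
        std::make_unique<FileChooserImpl>(render_frame_host),
        std::move(request));
  }

  FileChooserImpl(RenderFrameHostImpl* render_frame_host)
      : render_frame_host_(render_frame_host) {
    Observe(WebContents::FromRenderFrameHost(render_frame_host));
  }

  ~FileChooserImpl() override {
    // A listener that is still outstanding must not call back into this
    // object once it is destroyed.
    if (proxy_)
      proxy_->ResetOwner();
  }

  // blink::mojom::FileChooser:
  // Asks the delegate to show a file chooser. |callback| receives the result,
  // or null when the request is cancelled or rejected.
  void OpenFileChooser(blink::mojom::FileChooserParamsPtr params,
                       OpenFileChooserCallback callback) override {
    // Reject the request when the frame is already gone (the dereference of
    // |render_frame_host_| below would otherwise be a null dereference in the
    // browser process) or when an earlier request is still pending (its
    // callback and listener would otherwise be overwritten).
    if (proxy_ || !render_frame_host_) {
      std::move(callback).Run(nullptr);
      return;
    }
    callback_ = std::move(callback);
    auto listener = std::make_unique<ListenerProxy>(this);
    proxy_ = listener.get();
    // Do not allow messages with absolute paths in them as this can permit a
    // renderer to coerce the browser to perform I/O on a renderer controlled
    // path. Comparing against BaseName() rejects any name that carries a
    // directory component, not only absolute paths.
    if (params->default_file_name != params->default_file_name.BaseName()) {
      mojo::ReportBadMessage(
          "FileChooser: The default file name should not be an absolute path.");
      listener->FileSelectionCanceled();
      return;
    }
    render_frame_host_->delegate()->RunFileChooser(
        render_frame_host_, std::move(listener), *params);
  }

  // Asks the delegate to enumerate |directory_path|, but only if the renderer
  // process has already been granted read access to it; otherwise the request
  // is cancelled.
  void EnumerateChosenDirectory(
      const base::FilePath& directory_path,
      EnumerateChosenDirectoryCallback callback) override {
    // Same guard as in OpenFileChooser(): no frame, or a request in flight.
    if (proxy_ || !render_frame_host_) {
      std::move(callback).Run(nullptr);
      return;
    }
    callback_ = std::move(callback);
    auto listener = std::make_unique<ListenerProxy>(this);
    proxy_ = listener.get();
    auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
    if (policy->CanReadFile(render_frame_host_->GetProcess()->GetID(),
                            directory_path)) {
      render_frame_host_->delegate()->EnumerateDirectory(
          render_frame_host_, std::move(listener), directory_path);
    } else {
      listener->FileSelectionCanceled();
    }
  }

  // Called through ListenerProxy once files were picked. Grants the renderer
  // process access to every entry of |files| and then answers the pending
  // request. Does nothing (and leaves the callback unanswered) when the frame
  // is gone.
  void FileSelected(std::vector<blink::mojom::FileChooserFileInfoPtr> files,
                    const base::FilePath& base_dir,
                    blink::mojom::FileChooserParams::Mode mode) {
    proxy_ = nullptr;
    if (!render_frame_host_)
      return;
    storage::FileSystemContext* file_system_context = nullptr;
    const int pid = render_frame_host_->GetProcess()->GetID();
    auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
    // Grant the security access requested to the given files.
    for (const auto& file : files) {
      if (mode == blink::mojom::FileChooserParams::Mode::kSave) {
        // NOTE(review): assumes entries are native files in save mode;
        // is_file_system() is not consulted on this branch.
        policy->GrantCreateReadWriteFile(pid,
                                         file->get_native_file()->file_path);
      } else {
        if (file->is_file_system()) {
          // Looked up lazily, at most once per call.
          if (!file_system_context) {
            file_system_context =
                BrowserContext::GetStoragePartition(
                    render_frame_host_->GetProcess()->GetBrowserContext(),
                    render_frame_host_->GetSiteInstance())
                    ->GetFileSystemContext();
          }
          policy->GrantReadFileSystem(
              pid, file_system_context->CrackURL(file->get_file_system()->url)
                       .mount_filesystem_id());
        } else {
          policy->GrantReadFile(pid, file->get_native_file()->file_path);
        }
      }
    }
    std::move(callback_).Run(
        FileChooserResult::New(std::move(files), base_dir));
  }

  // Called through ListenerProxy when the selection was cancelled; answers
  // the pending request with null unless the frame is gone.
  void FileSelectionCanceled() {
    proxy_ = nullptr;
    if (!render_frame_host_)
      return;
    std::move(callback_).Run(nullptr);
  }

 private:
  // Listener handed to the delegate. It forwards exactly one result to its
  // owner, or swallows the result if the owner has been reset in the
  // meantime. The destructor does not notify the owner.
  class ListenerProxy : public content::FileSelectListener {
   public:
    explicit ListenerProxy(FileChooserImpl* owner) : owner_(owner) {}
    ~ListenerProxy() override {
#if DCHECK_IS_ON()
      DCHECK(was_file_select_listener_function_called_)
          << "Should call either FileSelectListener::FileSelected() or "
             "FileSelectListener::FileSelectionCanceled()";
#endif
    }
    void ResetOwner() { owner_ = nullptr; }

    // FileSelectListener overrides:
    void FileSelected(std::vector<blink::mojom::FileChooserFileInfoPtr> files,
                      const base::FilePath& base_dir,
                      blink::mojom::FileChooserParams::Mode mode) override {
#if DCHECK_IS_ON()
      DCHECK(!was_file_select_listener_function_called_)
          << "Should not call both of FileSelectListener::FileSelected() and "
             "FileSelectListener::FileSelectionCanceled()";
      was_file_select_listener_function_called_ = true;
#endif
      if (owner_)
        owner_->FileSelected(std::move(files), base_dir, mode);
    }

    void FileSelectionCanceled() override {
#if DCHECK_IS_ON()
      DCHECK(!was_file_select_listener_function_called_)
          << "Should not call both of FileSelectListener::FileSelected() and "
             "FileSelectListener::FileSelectionCanceled()";
      was_file_select_listener_function_called_ = true;
#endif
      if (owner_)
        owner_->FileSelectionCanceled();
    }

   private:
    FileChooserImpl* owner_;
#if DCHECK_IS_ON()
    bool was_file_select_listener_function_called_ = false;
#endif
  };

  // content::WebContentsObserver overrides:
  void RenderFrameHostChanged(RenderFrameHost* old_host,
                              RenderFrameHost* new_host) override {
    if (old_host == render_frame_host_)
      render_frame_host_ = nullptr;
  }

  void RenderFrameDeleted(RenderFrameHost* render_frame_host) override {
    if (render_frame_host == render_frame_host_)
      render_frame_host_ = nullptr;
  }

  void WebContentsDestroyed() override { render_frame_host_ = nullptr; }

  // Null once the frame has been swapped out, deleted, or its WebContents
  // destroyed.
  RenderFrameHostImpl* render_frame_host_;
  // Non-owning pointer to the listener of the request in flight. Set when a
  // request starts, cleared when the listener reports a result.
  ListenerProxy* proxy_ = nullptr;
  // Response callback of the request in flight.
  base::OnceCallback<void(blink::mojom::FileChooserResultPtr)> callback_;
};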
// static
// Public-interface lookup; forwards to RenderFrameHostImpl::FromID() and
// returns null when no frame host matches.
RenderFrameHost* RenderFrameHost::FromID(int render_process_id,
                                         int render_frame_id) {
  RenderFrameHostImpl* const impl =
      RenderFrameHostImpl::FromID(render_process_id, render_frame_id);
  return impl;
}
#if defined(OS_ANDROID) || defined(OS_FUCHSIA)
// static
// Sets the process-wide flag that allows injecting javascript into any kind
// of frame (Android WebView and Fuchsia web.ContextProvider builds only).
// The switch is one-way: nothing in this part of the file clears the flag
// again, so it affects every frame for the rest of the process lifetime.
void RenderFrameHost::AllowInjectingJavaScript() {
  g_allow_injecting_javascript = true;
}
#endif // defined(OS_ANDROID) || defined(OS_FUCHSIA)
// static
// Looks up the frame host registered under (|process_id|, |routing_id|) in
// the global routing-ID map. Returns null when there is no such entry, so the
// result has to be checked before use. UI thread only.
RenderFrameHostImpl* RenderFrameHostImpl::FromID(int process_id,
                                                 int routing_id) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  const RoutingIDFrameMap& frame_map = g_routing_id_frame_map.Get();
  const auto entry = frame_map.find(RenderFrameHostID(process_id, routing_id));
  if (entry == frame_map.end())
    return nullptr;
  return entry->second;
}
// static
// Public-interface lookup by accessibility tree ID; forwards to
// RenderFrameHostImpl::FromAXTreeID().
RenderFrameHost* RenderFrameHost::FromAXTreeID(ui::AXTreeID ax_tree_id) {
  RenderFrameHostImpl* const impl =
      RenderFrameHostImpl::FromAXTreeID(ax_tree_id);
  return impl;
}
// static
// Maps |ax_tree_id| to a frame ID pair through the AXTreeIDRegistry and
// resolves that pair with FromID(); the result is whatever FromID() returns
// for it, including null. UI thread only.
RenderFrameHostImpl* RenderFrameHostImpl::FromAXTreeID(
    ui::AXTreeID ax_tree_id) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  ui::AXTreeIDRegistry* const registry = ui::AXTreeIDRegistry::GetInstance();
  const ui::AXTreeIDRegistry::FrameID frame_id =
      registry->GetFrameID(ax_tree_id);
  return RenderFrameHostImpl::FromID(frame_id.first, frame_id.second);
}
// static
// Looks up the frame host registered under |token| in the global token map.
// Returns null when the token is unknown. UI thread only.
RenderFrameHostImpl* RenderFrameHostImpl::FromOverlayRoutingToken(
    const base::UnguessableToken& token) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  TokenFrameMap& token_map = g_token_frame_map.Get();
  const auto entry = token_map.find(token);
  if (entry == token_map.end())
    return nullptr;
  return entry->second;
}
// static
// Installs (or, with a null callback, clears) the process-wide test override
// for network factory creation. Must run on the UI thread once that thread is
// initialised. Replacing one non-null override with another is treated as a
// programming error (DCHECK).
void RenderFrameHostImpl::SetNetworkFactoryForTesting(
    const CreateNetworkFactoryCallback& create_network_factory_callback) {
  DCHECK(!BrowserThread::IsThreadInitialized(BrowserThread::UI) ||
         BrowserThread::CurrentlyOn(BrowserThread::UI));
  auto& installed_callback = g_create_network_factory_callback_for_test.Get();
  DCHECK(create_network_factory_callback.is_null() ||
         installed_callback.is_null())
      << "It is not expected that this is called with non-null callback when "
      << "another overriding callback is already set.";
  installed_callback = create_network_factory_callback;
}
RenderFrameHostImpl::RenderFrameHostImpl(SiteInstance* site_instance,
RenderViewHostImpl* render_view_host,
RenderFrameHostDelegate* delegate,
FrameTree* frame_tree,
FrameTreeNode* frame_tree_node,
int32_t routing_id,
int32_t widget_routing_id,
bool hidden,
bool renderer_initiated_creation)
: render_view_host_(render_view_host),
delegate_(delegate),
site_instance_(static_cast<SiteInstanceImpl*>(site_instance)),
process_(site_instance->GetProcess()),
frame_tree_(frame_tree),
frame_tree_node_(frame_tree_node),
parent_(nullptr),
render_widget_host_(nullptr),
routing_id_(routing_id),
is_waiting_for_swapout_ack_(false),
render_frame_created_(false),
is_waiting_for_beforeunload_ack_(false),
beforeunload_dialog_request_cancels_unload_(false),
unload_ack_is_for_navigation_(false),
beforeunload_timeout_delay_(base::TimeDelta::FromMilliseconds(
RenderViewHostImpl::kUnloadTimeoutMS)),
was_discarded_(false),
is_loading_(false),
nav_entry_id_(0),
accessibility_reset_token_(0),
accessibility_reset_count_(0),
browser_plugin_embedder_ax_tree_id_(ui::AXTreeIDUnknown()),
no_create_browser_accessibility_manager_for_testing_(false),
frame_resource_coordinator_(MaybeGetConnectorForProcess()),
web_ui_type_(WebUI::kNoWebUI),
pending_web_ui_type_(WebUI::kNoWebUI),
should_reuse_web_ui_(false),
has_selection_(false),
is_audible_(false),
last_navigation_previews_state_(PREVIEWS_UNSPECIFIED),
frame_host_associated_binding_(this),
waiting_for_init_(renderer_initiated_creation),
has_focused_editable_element_(false),
active_sandbox_flags_(blink::WebSandboxFlags::kNone),
document_scoped_interface_provider_binding_(this),
keep_alive_timeout_(base::TimeDelta::FromSeconds(30)),
subframe_unload_timeout_(base::TimeDelta::FromMilliseconds(
RenderViewHostImpl::kUnloadTimeoutMS)),
weak_ptr_factory_(this) {
frame_tree_->AddRenderViewHostRef(render_view_host_);
GetProcess()->AddRoute(routing_id_, this);
g_routing_id_frame_map.Get().emplace(
RenderFrameHostID(GetProcess()->GetID(), routing_id_), this);
site_instance_->AddObserver(this);
GetSiteInstance()->IncrementActiveFrameCount();
if (frame_tree_node_->parent()) {
// Keep track of the parent RenderFrameHost, which shouldn't change even if
// this RenderFrameHost is on the pending deletion list and the parent
// FrameTreeNode has changed its current RenderFrameHost.
parent_ = frame_tree_node_->parent()->current_frame_host();
// All frames in a page are expected to have the same bindings.
if (parent_->GetEnabledBindings())
enabled_bindings_ = parent_->GetEnabledBindings();
// New child frames should inherit the nav_entry_id of their parent.
set_nav_entry_id(
frame_tree_node_->parent()->current_frame_host()->nav_entry_id());
}
SetUpMojoIfNeeded();
swapout_event_monitor_timeout_.reset(new TimeoutMonitor(base::Bind(
&RenderFrameHostImpl::OnSwappedOut, weak_ptr_factory_.GetWeakPtr())));
beforeunload_timeout_.reset(
new TimeoutMonitor(base::Bind(&RenderFrameHostImpl::BeforeUnloadTimeout,
weak_ptr_factory_.GetWeakPtr())));
if (widget_routing_id != MSG_ROUTING_NONE) {
mojom::WidgetPtr widget;
GetRemoteInterfaces()->GetInterface(&widget);
// TODO(avi): Once RenderViewHostImpl has-a RenderWidgetHostImpl, the main
// render frame should probably start owning the RenderWidgetHostImpl,
// so this logic checking for an already existing RWHI should be removed.
// https://crbug.com/545684
render_widget_host_ =
RenderWidgetHostImpl::FromID(GetProcess()->GetID(), widget_routing_id);
mojom::WidgetInputHandlerAssociatedPtr widget_handler;
mojom::WidgetInputHandlerHostRequest host_request;
if (frame_input_handler_) {
mojom::WidgetInputHandlerHostPtr host;
host_request = mojo::MakeRequest(&host);
frame_input_handler_->GetWidgetInputHandler(
mojo::MakeRequest(&widget_handler), std::move(host));
}
if (!render_widget_host_) {
DCHECK(frame_tree_node->parent());
render_widget_host_ = RenderWidgetHostFactory::Create(
frame_tree_->render_widget_delegate(), GetProcess(),
widget_routing_id, std::move(widget), hidden);
render_widget_host_->set_owned_by_render_frame_host(true);
} else {
DCHECK(!render_widget_host_->owned_by_render_frame_host());
render_widget_host_->SetWidget(std::move(widget));
}
if (!frame_tree_node_->parent())
render_widget_host_->SetIntersectsViewport(true);
render_widget_host_->SetFrameDepth(frame_tree_node_->depth());
render_widget_host_->SetWidgetInputHandler(std::move(widget_handler),
std::move(host_request));
render_widget_host_->input_router()->SetFrameTreeNodeId(
frame_tree_node_->frame_tree_node_id());
}
ResetFeaturePolicy();
ax_tree_id_ = ui::AXTreeIDRegistry::GetInstance()->GetOrCreateAXTreeID(
GetProcess()->GetID(), routing_id_);
// Content-Security-Policy: The CSP source 'self' is usually the origin of the
// current document, set by SetLastCommittedOrigin(). However, before a new
// frame commits its first navigation, 'self' should correspond to the origin
// of the parent (in case of a new iframe) or the opener (in case of a new
// window). This is necessary to correctly enforce CSP during the initial
// navigation.
FrameTreeNode* frame_owner = frame_tree_node_->parent()
? frame_tree_node_->parent()
: frame_tree_node_->opener();
if (frame_owner)
CSPContext::SetSelf(frame_owner->current_origin());
// Hook up the Resource Coordinator edges to the associated process and
// parent frame, if any.
frame_resource_coordinator_.SetProcess(
*GetProcess()->GetProcessResourceCoordinator());
if (parent_) {
parent_->GetFrameResourceCoordinator()->AddChildFrame(
frame_resource_coordinator_);
}
}
// Tears down this frame host. It removes this object from the global token
// and routing-id maps, the SiteInstance observer list and the process route
// table, notifies the delegate, and releases the owned widget host and the
// RenderViewHost reference. Several steps call out to observers or delegates,
// so the statement order below is significant; see the inline comments.
RenderFrameHostImpl::~RenderFrameHostImpl() {
  // When a RenderFrameHostImpl is deleted, it may still contain children. This
  // can happen with the swap out timer. It causes a RenderFrameHost to delete
  // itself even if it is still waiting for its children to complete their
  // unload handlers.
  //
  // Observers expect children to be deleted first. Do it now before notifying
  // them.
  ResetChildren();
  // Destroying |navigation_request_| may call into delegates/observers,
  // so we do it early while |this| object is still in a sane state.
  ResetNavigationRequests();
  // Release the WebUI instances before all else as the WebUI may access the
  // RenderFrameHost during cleanup.
  ClearAllWebUI();
  SetLastCommittedSiteUrl(GURL());
  // The token map holds a raw pointer to this object (registered in
  // GetOverlayRoutingToken()), so the entry has to go before |this| does.
  if (overlay_routing_token_)
    g_token_frame_map.Get().erase(*overlay_routing_token_);
  site_instance_->RemoveObserver(this);
  if (delegate_ && render_frame_created_)
    delegate_->RenderFrameDeleted(this);
  // Ensure that the render process host has been notified that all audio
  // streams from this frame have terminated. This is required to ensure the
  // process host has the correct media stream count, which affects its
  // background priority.
  OnAudibleStateChanged(false);
  // If this was the last active frame in the SiteInstance, the
  // DecrementActiveFrameCount call will trigger the deletion of the
  // SiteInstance's proxies.
  GetSiteInstance()->DecrementActiveFrameCount();
  // If this RenderFrameHost is swapping with a RenderFrameProxyHost, the
  // RenderFrame will already be deleted in the renderer process. Main frame
  // RenderFrames will be cleaned up as part of deleting its RenderView if the
  // RenderView isn't in use by other frames. In all other cases, the
  // RenderFrame should be cleaned up (if it exists).
  bool will_render_view_clean_up_render_frame =
      frame_tree_node_->IsMainFrame() && render_view_host_->ref_count() == 1;
  if (is_active() && render_frame_created_ &&
      !will_render_view_clean_up_render_frame) {
    Send(new FrameMsg_Delete(routing_id_));
    // If this subframe has an unload handler, ensure that it has a chance to
    // execute by delaying process cleanup. This will prevent the process from
    // shutting down immediately in the case where this is the last active
    // frame in the process. See https://crbug.com/852204.
    if (!frame_tree_node_->IsMainFrame() &&
        GetSuddenTerminationDisablerState(blink::kUnloadHandler)) {
      RenderProcessHostImpl* process =
          static_cast<RenderProcessHostImpl*>(GetProcess());
      process->DelayProcessShutdownForUnload(subframe_unload_timeout_);
    }
  }
  // Unregister from the process route table and from the global
  // (process id, routing id) map. Both were given a raw |this| in the
  // constructor, so leaving either entry behind would let a later lookup
  // return a pointer to a destroyed object.
  GetProcess()->RemoveRoute(routing_id_);
  g_routing_id_frame_map.Get().erase(
      RenderFrameHostID(GetProcess()->GetID(), routing_id_));
  // Null out the swapout timer; in crash dumps this member will be null only if
  // the dtor has run. (It may also be null in tests.)
  swapout_event_monitor_timeout_.reset();
  // Run every still-pending visual state callback with |false| so that none
  // is left unanswered.
  for (auto& iter : visual_state_callbacks_)
    std::move(iter.second).Run(false);
  if (render_widget_host_ &&
      render_widget_host_->owned_by_render_frame_host()) {
    // Shutdown causes the RenderWidgetHost to delete itself.
    render_widget_host_->ShutdownAndDestroyWidget(true);
  }
  // Notify the FrameTree that this RFH is going away, allowing it to shut down
  // the corresponding RenderViewHost if it is no longer needed.
  frame_tree_->ReleaseRenderViewHostRef(render_view_host_);
  ui::AXTreeIDRegistry::GetInstance()->RemoveAXTreeID(ax_tree_id_);
  // If another frame is waiting for a beforeunload ACK from this frame,
  // simulate it now.
  RenderFrameHostImpl* beforeunload_initiator = GetBeforeUnloadInitiator();
  if (beforeunload_initiator && beforeunload_initiator != this) {
    base::TimeTicks approx_renderer_start_time = send_before_unload_start_time_;
    beforeunload_initiator->ProcessBeforeUnloadACKFromFrame(
        true /* proceed */, false /* treat_as_final_ack */, this,
        true /* is_frame_being_destroyed */, approx_renderer_start_time,
        base::TimeTicks::Now());
  }
}
// Returns |routing_id_|, the id under which this frame host is registered as
// a route on its process.
int RenderFrameHostImpl::GetRoutingID() {
  return routing_id_;
}
// Returns the accessibility tree id stored in |ax_tree_id_|; the constructor
// obtains it from the AXTreeIDRegistry for this (process id, routing id) pair.
ui::AXTreeID RenderFrameHostImpl::GetAXTreeID() {
  return ax_tree_id_;
}
// Returns this frame's overlay routing token, creating it on first use.
//
// Creation also registers a raw |this| under the new token in
// |g_token_frame_map|; the destructor erases that entry again, so the map
// never outlives the object it points at.
const base::UnguessableToken& RenderFrameHostImpl::GetOverlayRoutingToken() {
  if (overlay_routing_token_)
    return *overlay_routing_token_;

  overlay_routing_token_ = base::UnguessableToken::Create();
  g_token_frame_map.Get().emplace(*overlay_routing_token_, this);
  return *overlay_routing_token_;
}
// Test-only entry point: hands both arguments straight to
// DidCommitProvisionalLoad(), transferring ownership of each.
void RenderFrameHostImpl::DidCommitProvisionalLoadForTesting(
    std::unique_ptr<FrameHostMsg_DidCommitProvisionalLoad_Params> params,
    service_manager::mojom::InterfaceProviderRequest
        interface_provider_request) {
  DidCommitProvisionalLoad(std::move(params),
                           std::move(interface_provider_request));
}
// Reports to the delegate that the audio context |audio_context_id| of this
// frame started playback.
// NOTE(review): |delegate_| is dereferenced unchecked here, while the
// destructor and SetRenderFrameCreated() test it for null first; confirm it
// cannot be null on this path.
void RenderFrameHostImpl::AudioContextPlaybackStarted(int audio_context_id) {
  delegate_->AudioContextPlaybackStarted(this, audio_context_id);
}
// Reports to the delegate that the audio context |audio_context_id| of this
// frame stopped playback.
// NOTE(review): |delegate_| is dereferenced unchecked here, while the
// destructor and SetRenderFrameCreated() test it for null first; confirm it
// cannot be null on this path.
void RenderFrameHostImpl::AudioContextPlaybackStopped(int audio_context_id) {
  delegate_->AudioContextPlaybackStopped(this, audio_context_id);
}
// Returns the raw pointer held by |site_instance_|. No ownership is
// transferred to the caller.
SiteInstanceImpl* RenderFrameHostImpl::GetSiteInstance() {
  return site_instance_.get();
}
// Returns |process_|, the render process host this frame host routes its
// messages through.
RenderProcessHost* RenderFrameHostImpl::GetProcess() {
  return process_;
}
// Returns |parent_|: the parent frame host captured in the constructor, or
// null when the frame tree node had no parent at that time.
RenderFrameHostImpl* RenderFrameHostImpl::GetParent() {
  return parent_;
}
// Returns true when |ancestor| appears on this frame's parent chain. A frame
// is not its own descendant, because the walk starts at GetParent().
bool RenderFrameHostImpl::IsDescendantOf(RenderFrameHost* ancestor) {
  // A null frame has no descendants.
  if (!ancestor)
    return false;
  // Neither does a frame without children, which saves the walk below.
  if (!static_cast<RenderFrameHostImpl*>(ancestor)->child_count())
    return false;

  RenderFrameHostImpl* walker = GetParent();
  while (walker) {
    if (walker == ancestor)
      return true;
    walker = walker->GetParent();
  }
  return false;
}
// Returns the id of the FrameTreeNode this frame host belongs to.
int RenderFrameHostImpl::GetFrameTreeNodeId() {
  return frame_tree_node_->frame_tree_node_id();
}
// Returns a copy of the DevTools frame token kept on the FrameTreeNode.
base::UnguessableToken RenderFrameHostImpl::GetDevToolsFrameToken() {
  return frame_tree_node_->devtools_frame_token();
}
// Returns the frame name kept on the FrameTreeNode. The result is whatever
// reference frame_name() returns and is not copied here.
const std::string& RenderFrameHostImpl::GetFrameName() {
  return frame_tree_node_->frame_name();
}
// Returns true for a subframe whose SiteInstance differs from its parent's.
// A frame without a parent is never a cross-process subframe. Note that the
// comparison is on SiteInstance pointers, not on process ids.
bool RenderFrameHostImpl::IsCrossProcessSubframe() {
  return parent_ && GetSiteInstance() != parent_->GetSiteInstance();
}
// Returns a reference to |last_committed_url_|.
const GURL& RenderFrameHostImpl::GetLastCommittedURL() {
  return last_committed_url_;
}
// Returns a reference to |last_committed_origin_|. The same member is the
// origin that SanitizeDataForUseInCspViolation() compares URLs against.
const url::Origin& RenderFrameHostImpl::GetLastCommittedOrigin() {
  return last_committed_origin_;
}
// Asks the renderer-side frame for its canonical URL and delivers the answer
// through |callback|. When the render frame is not live, |callback| runs
// immediately with base::nullopt.
void RenderFrameHostImpl::GetCanonicalUrlForSharing(
    mojom::Frame::GetCanonicalUrlForSharingCallback callback) {
  // TODO(https://crbug.com/859110): Remove this once frame_ can no longer be
  // null.
  if (!IsRenderFrameLive()) {
    std::move(callback).Run(base::nullopt);
    return;
  }
  frame_->GetCanonicalUrlForSharing(std::move(callback));
}
// Requests a PauseSubresourceLoadingHandle from the frame's remote interfaces
// and returns it to the caller. |frame_| is expected to be set (debug-checked).
blink::mojom::PauseSubresourceLoadingHandlePtr
RenderFrameHostImpl::PauseSubresourceLoading() {
  DCHECK(frame_);

  blink::mojom::PauseSubresourceLoadingHandlePtr handle;
  GetRemoteInterfaces()->GetInterface(&handle);
  return handle;
}
// Converts |location| from root coordinates to this frame's view coordinate
// space and sends |action| for that point to the renderer.
// NOTE(review): GetView() is dereferenced without a null check; confirm that
// callers only reach this with a view attached.
void RenderFrameHostImpl::ExecuteMediaPlayerActionAtLocation(
    const gfx::Point& location,
    const blink::WebMediaPlayerAction& action) {
  const gfx::PointF root_point(location.x(), location.y());
  gfx::PointF point_in_view =
      GetView()->TransformRootPointToViewCoordSpace(root_point);
  Send(new FrameMsg_MediaPlayerActionAt(routing_id_, point_in_view, action));
}
// Binds |default_factory_request| to a network-service URLLoaderFactory
// created for |last_committed_origin_|. The origin always comes from browser
// state, never from the caller. Returns whatever the internal helper returns.
bool RenderFrameHostImpl::CreateNetworkServiceDefaultFactory(
    network::mojom::URLLoaderFactoryRequest default_factory_request) {
  return CreateNetworkServiceDefaultFactoryInternal(
      last_committed_origin_, std::move(default_factory_request));
}
// Records |request_initiators| as origins that need their own
// URLLoaderFactory and, when the three conditions below all hold, pushes
// freshly created factories for them to the renderer.
void RenderFrameHostImpl::MarkInitiatorsAsRequiringSeparateURLLoaderFactory(
    base::flat_set<url::Origin> request_initiators,
    bool push_to_renderer_now) {
  const size_t size_before =
      initiators_requiring_separate_url_loader_factory_.size();
  initiators_requiring_separate_url_loader_factory_.insert(
      request_initiators.begin(), request_initiators.end());
  const bool set_grew =
      initiators_requiring_separate_url_loader_factory_.size() != size_before;

  // Push the updated set of factories to the renderer, but only if
  // 1) the caller requested an immediate push (e.g. for content scripts
  //    injected programmatically chrome.tabs.executeCode, but not for content
  //    scripts declared in the manifest - the difference is that the latter
  //    happen at a commit and the factories can just be sent in the commit
  //    IPC).
  // 2) an insertion actually took place / the factories have been modified
  // 3) a commit has taken place before (i.e. the frame has received a factory
  //    bundle before).
  if (!push_to_renderer_now || !set_grew || !has_committed_any_navigation_)
    return;

  std::unique_ptr<URLLoaderFactoryBundleInfo> bundle =
      std::make_unique<URLLoaderFactoryBundleInfo>();
  bundle->initiator_specific_factory_infos() =
      CreateInitiatorSpecificURLLoaderFactories(request_initiators);
  GetNavigationControl()->UpdateSubresourceLoaderFactories(std::move(bundle));
}
// Returns true when at least one bit of |flags| is set in
// |active_sandbox_flags_|. When |flags| combines several sandbox flags this is
// an "any of" test, not an "all of" test.
bool RenderFrameHostImpl::IsSandboxed(blink::WebSandboxFlags flags) const {
  const int active_bits = static_cast<int>(active_sandbox_flags_);
  const int queried_bits = static_cast<int>(flags);
  return (active_bits & queried_bits) != 0;
}
// Creates one network-service URLLoaderFactory per origin in
// |initiator_origins| and returns them keyed by that origin.
URLLoaderFactoryBundleInfo::OriginMap
RenderFrameHostImpl::CreateInitiatorSpecificURLLoaderFactories(
    const base::flat_set<url::Origin>& initiator_origins) {
  URLLoaderFactoryBundleInfo::OriginMap factories_by_origin;
  for (const url::Origin& origin : initiator_origins) {
    network::mojom::URLLoaderFactoryPtrInfo info;
    CreateNetworkServiceDefaultFactoryAndObserve(origin,
                                                 mojo::MakeRequest(&info));
    factories_by_origin[origin] = std::move(info);
  }
  return factories_by_origin;
}
// Returns the native view of the RenderViewHost's widget view, or null when
// the widget has no view.
gfx::NativeView RenderFrameHostImpl::GetNativeView() {
  RenderWidgetHostView* widget_view =
      render_view_host_->GetWidget()->GetView();
  if (widget_view)
    return widget_view->GetNativeView();
  return nullptr;
}
// Sends |message| at severity |level| to the renderer for this frame's
// console.
void RenderFrameHostImpl::AddMessageToConsole(ConsoleMessageLevel level,
                                              const std::string& message) {
  Send(new FrameMsg_AddMessageToConsole(routing_id_, level, message));
}
// Asks the renderer to run |javascript| in this frame without reporting a
// result. CHECK-fails, in release builds too, when CanExecuteJavaScript() is
// false, so a disallowed call crashes the browser instead of injecting script.
void RenderFrameHostImpl::ExecuteJavaScript(const base::string16& javascript) {
  CHECK(CanExecuteJavaScript());

  // Presumably a callback id and a reply-requested flag; the callback overload
  // passes (key, true) in the same positions.
  constexpr int kNoCallbackId = 0;
  constexpr bool kNoReply = false;
  Send(new FrameMsg_JavaScriptExecuteRequest(routing_id_, javascript,
                                             kNoCallbackId, kNoReply));
}
// Asks the renderer to run |javascript| in this frame and stores |callback|
// under a fresh id in |javascript_callbacks_|. CHECK-fails, in release builds
// too, when CanExecuteJavaScript() is false.
void RenderFrameHostImpl::ExecuteJavaScript(
    const base::string16& javascript,
    const JavaScriptResultCallback& callback) {
  CHECK(CanExecuteJavaScript());

  const int callback_id = g_next_javascript_callback_id++;
  constexpr bool kWantsReply = true;
  Send(new FrameMsg_JavaScriptExecuteRequest(routing_id_, javascript,
                                             callback_id, kWantsReply));
  javascript_callbacks_.emplace(callback_id, callback);
}
// Test-only: asks the renderer to run |javascript| without reporting a result.
// Unlike ExecuteJavaScript(), no CanExecuteJavaScript() check is made, so this
// must stay out of production call paths.
void RenderFrameHostImpl::ExecuteJavaScriptForTests(
    const base::string16& javascript) {
  constexpr int kNoCallbackId = 0;
  constexpr bool kNoReply = false;
  // Presumably the user-gesture flag; only the WithUserGesture variant sets it.
  constexpr bool kNoUserGesture = false;
  Send(new FrameMsg_JavaScriptExecuteRequestForTests(
      routing_id_, javascript, kNoCallbackId, kNoReply, kNoUserGesture));
}
// Test-only: asks the renderer to run |javascript| and stores |callback|
// under a fresh id in |javascript_callbacks_|. Unlike ExecuteJavaScript(), no
// CanExecuteJavaScript() check is made.
void RenderFrameHostImpl::ExecuteJavaScriptForTests(
    const base::string16& javascript,
    const JavaScriptResultCallback& callback) {
  const int callback_id = g_next_javascript_callback_id++;
  constexpr bool kWantsReply = true;
  // Presumably the user-gesture flag; only the WithUserGesture variant sets it.
  constexpr bool kNoUserGesture = false;
  Send(new FrameMsg_JavaScriptExecuteRequestForTests(
      routing_id_, javascript, callback_id, kWantsReply, kNoUserGesture));
  javascript_callbacks_.emplace(callback_id, callback);
}
// Test-only: like the single-argument ExecuteJavaScriptForTests(), but the
// last message argument is true (presumably "has user gesture", going by this
// function's name). No CanExecuteJavaScript() check is made.
void RenderFrameHostImpl::ExecuteJavaScriptWithUserGestureForTests(
    const base::string16& javascript) {
  constexpr int kNoCallbackId = 0;
  constexpr bool kNoReply = false;
  constexpr bool kWithUserGesture = true;
  Send(new FrameMsg_JavaScriptExecuteRequestForTests(
      routing_id_, javascript, kNoCallbackId, kNoReply, kWithUserGesture));
}
// Asks the renderer to run |javascript| in the isolated world |world_id|.
//
// |world_id| must lie in (ISOLATED_WORLD_ID_GLOBAL, ISOLATED_WORLD_ID_MAX];
// any other value hits NOTREACHED() and nothing is sent. A reply is requested
// only when |callback| is non-null, in which case the callback is stored under
// a fresh id in |javascript_callbacks_|.
void RenderFrameHostImpl::ExecuteJavaScriptInIsolatedWorld(
    const base::string16& javascript,
    const JavaScriptResultCallback& callback,
    int world_id) {
  const bool world_id_is_valid = world_id > ISOLATED_WORLD_ID_GLOBAL &&
                                 world_id <= ISOLATED_WORLD_ID_MAX;
  if (!world_id_is_valid) {
    // Return if the world_id is not valid.
    NOTREACHED();
    return;
  }

  const bool request_reply = !callback.is_null();
  int key = 0;
  if (request_reply) {
    key = g_next_javascript_callback_id++;
    javascript_callbacks_.emplace(key, callback);
  }
  Send(new FrameMsg_JavaScriptExecuteRequestInIsolatedWorld(
      routing_id_, javascript, key, request_reply, world_id));
}
// Converts the root-space point (|x|, |y|) to view coordinates and asks the
// renderer to copy the image at that point.
// NOTE(review): GetView() is dereferenced without a null check; confirm that
// callers only reach this with a view attached.
void RenderFrameHostImpl::CopyImageAt(int x, int y) {
  const gfx::PointF root_point(x, y);
  gfx::PointF point_in_view =
      GetView()->TransformRootPointToViewCoordSpace(root_point);
  Send(new FrameMsg_CopyImageAt(routing_id_, point_in_view.x(),
                                point_in_view.y()));
}
// Converts the root-space point (|x|, |y|) to view coordinates and asks the
// renderer to save the image at that point.
// NOTE(review): GetView() is dereferenced without a null check; confirm that
// callers only reach this with a view attached.
void RenderFrameHostImpl::SaveImageAt(int x, int y) {
  const gfx::PointF root_point(x, y);
  gfx::PointF point_in_view =
      GetView()->TransformRootPointToViewCoordSpace(root_point);
  Send(new FrameMsg_SaveImageAt(routing_id_, point_in_view.x(),
                                point_in_view.y()));
}
// Returns |render_view_host_|. This frame host holds a reference on it
// through the FrameTree from construction until destruction.
RenderViewHost* RenderFrameHostImpl::GetRenderViewHost() {
  return render_view_host_;
}
// Returns the raw pointer held by |remote_interfaces_|. No ownership is
// transferred to the caller.
service_manager::InterfaceProvider* RenderFrameHostImpl::GetRemoteInterfaces() {
  return remote_interfaces_.get();
}
// Returns the provider for channel-associated interfaces exposed by the
// renderer-side frame, creating it on first use. When the process has no IPC
// channel the provider is bound to a dedicated pipe instead.
blink::AssociatedInterfaceProvider*
RenderFrameHostImpl::GetRemoteAssociatedInterfaces() {
  if (remote_associated_interfaces_)
    return remote_associated_interfaces_.get();

  blink::mojom::AssociatedInterfaceProviderAssociatedPtr provider_ptr;
  if (GetProcess()->GetChannel()) {
    RenderProcessHostImpl* process_impl =
        static_cast<RenderProcessHostImpl*>(GetProcess());
    process_impl->GetRemoteRouteProvider()->GetRoute(
        GetRoutingID(), mojo::MakeRequest(&provider_ptr));
  } else {
    // The channel may not be initialized in some tests environments. In this
    // case we set up a dummy interface provider.
    mojo::MakeRequestAssociatedWithDedicatedPipe(&provider_ptr);
  }
  remote_associated_interfaces_ =
      std::make_unique<blink::AssociatedInterfaceProvider>(
          std::move(provider_ptr));
  return remote_associated_interfaces_.get();
}
// Returns the page visibility of this frame, derived from whether its
// RenderWidgetHost is hidden. The embedder may override the result through
// ContentBrowserClient::OverridePageVisibilityState().
PageVisibilityState RenderFrameHostImpl::GetVisibilityState() {
  // Works around the crashes seen in https://crbug.com/501863, where the
  // active WebContents from a browser iterator may contain a render frame
  // detached from the frame tree. This tries to find a RenderWidgetHost
  // attached to an ancestor frame, and defaults to visibility hidden if
  // it fails.
  // TODO(yfriedman, peter): Ideally this would never be called on an
  // unattached frame and we could omit this check. See
  // https://crbug.com/615867.
  RenderFrameHostImpl* frame = this;
  while (frame && !frame->render_widget_host_)
    frame = frame->GetParent();
  if (!frame)
    return PageVisibilityState::kHidden;

  PageVisibilityState visibility_state = PageVisibilityState::kVisible;
  if (GetRenderWidgetHost()->is_hidden())
    visibility_state = PageVisibilityState::kHidden;
  GetContentClient()->browser()->OverridePageVisibilityState(
      this, &visibility_state);
  return visibility_state;
}
// Forwards |message| to the render process host and returns its result.
// Messages of class InputMsgStart are not expected on this path
// (debug-checked only).
bool RenderFrameHostImpl::Send(IPC::Message* message) {
  DCHECK(IPC_MESSAGE_ID_CLASS(message->type()) != InputMsgStart);
  return GetProcess()->Send(message);
}
// Dispatches a legacy IPC message routed to this frame host. Returns true if
// the message was handled.
//
// Messages are dropped (false is returned) while no RenderFrame has been
// created. Otherwise they are offered in order to: the internal map for the
// synthetic RenderProcessGone message, the delegate, the cross-process frame
// connector of the proxy to the parent, and finally the handler map below.
//
// NOTE(review): apart from the synthetic FrameHostMsg_RenderProcessGone, these
// messages presumably originate in the renderer process, so the arguments each
// On* handler receives should be treated as untrusted; confirm per handler
// that they are validated.
bool RenderFrameHostImpl::OnMessageReceived(const IPC::Message &msg) {
  // Only process messages if the RenderFrame is alive.
  if (!render_frame_created_)
    return false;
  // Crash reports triggered by IPC messages for this frame should be associated
  // with its URL.
  // TODO(lukasza): Also call SetActiveURL for mojo messages dispatched to
  // either the FrameHost interface or to interfaces bound by this frame.
  ScopedActiveURL scoped_active_url(this);
  // This message map is for handling internal IPC messages which should not
  // be dispatched to other objects.
  bool handled = true;
  IPC_BEGIN_MESSAGE_MAP(RenderFrameHostImpl, msg)
    // This message is synthetic and doesn't come from RenderFrame, but from
    // RenderProcessHost.
    IPC_MESSAGE_HANDLER(FrameHostMsg_RenderProcessGone, OnRenderProcessGone)
    IPC_MESSAGE_UNHANDLED(handled = false)
  IPC_END_MESSAGE_MAP()
  // Internal IPCs should not be leaked outside of this object, so return
  // early.
  if (handled)
    return true;
  if (delegate_->OnMessageReceived(this, msg))
    return true;
  RenderFrameProxyHost* proxy =
      frame_tree_node_->render_manager()->GetProxyToParent();
  if (proxy && proxy->cross_process_frame_connector() &&
      proxy->cross_process_frame_connector()->OnMessageReceived(msg))
    return true;
  handled = true;
  IPC_BEGIN_MESSAGE_MAP(RenderFrameHostImpl, msg)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidAddMessageToConsole,
                        OnDidAddMessageToConsole)
    IPC_MESSAGE_HANDLER(FrameHostMsg_Detach, OnDetach)
    IPC_MESSAGE_HANDLER(FrameHostMsg_FrameFocused, OnFrameFocused)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidFailProvisionalLoadWithError,
                        OnDidFailProvisionalLoadWithError)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidFailLoadWithError,
                        OnDidFailLoadWithError)
    IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateState, OnUpdateState)
    IPC_MESSAGE_HANDLER(FrameHostMsg_OpenURL, OnOpenURL)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DocumentOnLoadCompleted,
                        OnDocumentOnLoadCompleted)
    IPC_MESSAGE_HANDLER(FrameHostMsg_BeforeUnload_ACK, OnBeforeUnloadACK)
    IPC_MESSAGE_HANDLER(FrameHostMsg_SwapOut_ACK, OnSwapOutACK)
    IPC_MESSAGE_HANDLER(FrameHostMsg_ContextMenu, OnContextMenu)
    IPC_MESSAGE_HANDLER(FrameHostMsg_JavaScriptExecuteResponse,
                        OnJavaScriptExecuteResponse)
    IPC_MESSAGE_HANDLER(FrameHostMsg_VisualStateResponse,
                        OnVisualStateResponse)
    IPC_MESSAGE_HANDLER_DELAY_REPLY(FrameHostMsg_RunJavaScriptDialog,
                                    OnRunJavaScriptDialog)
    IPC_MESSAGE_HANDLER_DELAY_REPLY(FrameHostMsg_RunBeforeUnloadConfirm,
                                    OnRunBeforeUnloadConfirm)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidAccessInitialDocument,
                        OnDidAccessInitialDocument)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeOpener, OnDidChangeOpener)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidAddContentSecurityPolicies,
                        OnDidAddContentSecurityPolicies)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeFramePolicy,
                        OnDidChangeFramePolicy)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeFrameOwnerProperties,
                        OnDidChangeFrameOwnerProperties)
    IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateTitle, OnUpdateTitle)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidBlockFramebust, OnDidBlockFramebust)
    IPC_MESSAGE_HANDLER(FrameHostMsg_AbortNavigation, OnAbortNavigation)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DispatchLoad, OnDispatchLoad)
    IPC_MESSAGE_HANDLER(FrameHostMsg_ForwardResourceTimingToParent,
                        OnForwardResourceTimingToParent)
    IPC_MESSAGE_HANDLER(FrameHostMsg_TextSurroundingSelectionResponse,
                        OnTextSurroundingSelectionResponse)
    IPC_MESSAGE_HANDLER(AccessibilityHostMsg_EventBundle, OnAccessibilityEvents)
    IPC_MESSAGE_HANDLER(AccessibilityHostMsg_LocationChanges,
                        OnAccessibilityLocationChanges)
    IPC_MESSAGE_HANDLER(AccessibilityHostMsg_FindInPageResult,
                        OnAccessibilityFindInPageResult)
    IPC_MESSAGE_HANDLER(AccessibilityHostMsg_ChildFrameHitTestResult,
                        OnAccessibilityChildFrameHitTestResult)
    IPC_MESSAGE_HANDLER(AccessibilityHostMsg_SnapshotResponse,
                        OnAccessibilitySnapshotResponse)
    IPC_MESSAGE_HANDLER(FrameHostMsg_EnterFullscreen, OnEnterFullscreen)
    IPC_MESSAGE_HANDLER(FrameHostMsg_ExitFullscreen, OnExitFullscreen)
    IPC_MESSAGE_HANDLER(FrameHostMsg_SuddenTerminationDisablerChanged,
                        OnSuddenTerminationDisablerChanged)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidStopLoading, OnDidStopLoading)
    IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeLoadProgress,
                        OnDidChangeLoadProgress)
    IPC_MESSAGE_HANDLER(FrameHostMsg_SerializeAsMHTMLResponse,
                        OnSerializeAsMHTMLResponse)
    IPC_MESSAGE_HANDLER(FrameHostMsg_SelectionChanged, OnSelectionChanged)
    IPC_MESSAGE_HANDLER(FrameHostMsg_FocusedNodeChanged, OnFocusedNodeChanged)
    IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateUserActivationState,
                        OnUpdateUserActivationState)
    IPC_MESSAGE_HANDLER(FrameHostMsg_SetHasReceivedUserGestureBeforeNavigation,
                        OnSetHasReceivedUserGestureBeforeNavigation)
    IPC_MESSAGE_HANDLER(FrameHostMsg_ScrollRectToVisibleInParentFrame,
                        OnScrollRectToVisibleInParentFrame)
    IPC_MESSAGE_HANDLER(FrameHostMsg_BubbleLogicalScrollInParentFrame,
                        OnBubbleLogicalScrollInParentFrame)
    IPC_MESSAGE_HANDLER(FrameHostMsg_FrameDidCallFocus, OnFrameDidCallFocus)
    IPC_MESSAGE_HANDLER(FrameHostMsg_RenderFallbackContentInParentProcess,
                        OnRenderFallbackContentInParentProcess)
#if BUILDFLAG(USE_EXTERNAL_POPUP_MENU)
    IPC_MESSAGE_HANDLER(FrameHostMsg_ShowPopup, OnShowPopup)
    IPC_MESSAGE_HANDLER(FrameHostMsg_HidePopup, OnHidePopup)
#endif
    IPC_MESSAGE_HANDLER(FrameHostMsg_RequestOverlayRoutingToken,
                        OnRequestOverlayRoutingToken)
    IPC_MESSAGE_HANDLER(FrameHostMsg_ShowCreatedWindow, OnShowCreatedWindow)
  IPC_END_MESSAGE_MAP()
  // No further actions here, since we may have been deleted.
  return handled;
}
// Binds a request for the associated interface |interface_name|. The request
// is offered first to |associated_registry_|, then to the
// ContentBrowserClient, and finally to the delegate, which takes ownership of
// |handle|.
void RenderFrameHostImpl::OnAssociatedInterfaceRequest(
    const std::string& interface_name,
    mojo::ScopedInterfaceEndpointHandle handle) {
  ContentBrowserClient* browser_client = GetContentClient()->browser();

  if (associated_registry_->TryBindInterface(interface_name, &handle))
    return;
  if (browser_client->BindAssociatedInterfaceRequestFromFrame(
          this, interface_name, &handle)) {
    return;
  }
  delegate_->OnAssociatedInterfaceRequest(this, interface_name,
                                          std::move(handle));
}
// Sends the accessibility action described by |action_data| to the renderer
// for this frame.
void RenderFrameHostImpl::AccessibilityPerformAction(
    const ui::AXActionData& action_data) {
  Send(new AccessibilityMsg_PerformAction(routing_id_, action_data));
}
// Returns whether the RenderViewHost's widget view has focus; false when the
// widget has no view.
bool RenderFrameHostImpl::AccessibilityViewHasFocus() const {
  RenderWidgetHostView* widget_view =
      render_view_host_->GetWidget()->GetView();
  if (!widget_view)
    return false;
  return widget_view->HasFocus();
}
// Returns the bounds of the RenderViewHost's widget view, or an empty
// gfx::Rect when the widget has no view.
gfx::Rect RenderFrameHostImpl::AccessibilityGetViewBounds() const {
  RenderWidgetHostView* widget_view =
      render_view_host_->GetWidget()->GetView();
  if (!widget_view)
    return gfx::Rect();
  return widget_view->GetViewBounds();
}
// Returns the scale factor for the RenderViewHost's widget view, or 1.0 when
// the widget has no view.
float RenderFrameHostImpl::AccessibilityGetDeviceScaleFactor() const {
  RenderWidgetHostView* widget_view =
      render_view_host_->GetWidget()->GetView();
  if (!widget_view)
    return 1.0f;
  return GetScaleFactorForView(widget_view);
}
// Takes a fresh reset token from the global counter, remembers it in
// |accessibility_reset_token_| and sends it to the renderer with an
// accessibility reset request.
void RenderFrameHostImpl::AccessibilityReset() {
  accessibility_reset_token_ = g_next_accessibility_reset_token++;
  Send(new AccessibilityMsg_Reset(routing_id_, accessibility_reset_token_));
}
// Handles an unrecoverable accessibility error for this frame. The browser
// accessibility manager is always dropped. Nothing more happens while a reset
// is already outstanding (non-zero token). Otherwise the reset counter is
// bumped: below kMaxAccessibilityResets a new reset is requested from the
// renderer, and from that limit on a fatal-error message is sent instead, so
// resets cannot repeat without bound.
void RenderFrameHostImpl::AccessibilityFatalError() {
  browser_accessibility_manager_.reset(nullptr);
  if (accessibility_reset_token_)
    return;

  ++accessibility_reset_count_;
  if (accessibility_reset_count_ < kMaxAccessibilityResets) {
    accessibility_reset_token_ = g_next_accessibility_reset_token++;
    Send(new AccessibilityMsg_Reset(routing_id_, accessibility_reset_token_));
    return;
  }
  Send(new AccessibilityMsg_FatalError(routing_id_));
}
// Returns the accelerated widget used for accessibility, or
// gfx::kNullAcceleratedWidget for subframes, non-current frame hosts, and
// widgets without a view.
gfx::AcceleratedWidget
RenderFrameHostImpl::AccessibilityGetAcceleratedWidget() {
  // Only the main frame's current frame host is connected to the native
  // widget tree for accessibility, so return null if this is queried on
  // any other frame.
  if (frame_tree_node()->parent() || !IsCurrent())
    return gfx::kNullAcceleratedWidget;

  RenderWidgetHostViewBase* view_base = static_cast<RenderWidgetHostViewBase*>(
      render_view_host_->GetWidget()->GetView());
  if (!view_base)
    return gfx::kNullAcceleratedWidget;
  return view_base->AccessibilityGetAcceleratedWidget();
}
// Returns the native accessible object of the RenderViewHost's widget view,
// or null when the widget has no view.
gfx::NativeViewAccessible
RenderFrameHostImpl::AccessibilityGetNativeViewAccessible() {
  RenderWidgetHostViewBase* view_base = static_cast<RenderWidgetHostViewBase*>(
      render_view_host_->GetWidget()->GetView());
  if (!view_base)
    return nullptr;
  return view_base->AccessibilityGetNativeViewAccessible();
}
// Returns the window-level native accessible object of the RenderViewHost's
// widget view, or null when the widget has no view.
gfx::NativeViewAccessible
RenderFrameHostImpl::AccessibilityGetNativeViewAccessibleForWindow() {
  RenderWidgetHostViewBase* view_base = static_cast<RenderWidgetHostViewBase*>(
      render_view_host_->GetWidget()->GetView());
  if (!view_base)
    return nullptr;
  return view_base->AccessibilityGetNativeViewAccessibleForWindow();
}
// SiteInstance observer callback for the renderer process going away. Any
// navigation in flight is marked ERR_ABORTED and dropped, the loading state is
// reset, the nav entry id is cleared and the frame is reported as not audible.
// |site_instance| must be this frame's own SiteInstance (debug-checked).
void RenderFrameHostImpl::RenderProcessGone(SiteInstanceImpl* site_instance) {
  DCHECK_EQ(site_instance_.get(), site_instance);

  // The renderer process is gone, so this frame can no longer be loading.
  if (GetNavigationHandle()) {
    GetNavigationHandle()->set_net_error_code(net::ERR_ABORTED);
  }
  ResetNavigationRequests();
  ResetLoadingState();

  // Any future UpdateState or UpdateTitle messages from this or a recreated
  // process should be ignored until the next commit.
  set_nav_entry_id(0);

  OnAudibleStateChanged(false);
}
// Sends |violation_params| to the renderer so that the CSP violation is
// reported from this frame. Nothing is sanitized here; see
// SanitizeDataForUseInCspViolation() for trimming cross-origin details.
void RenderFrameHostImpl::ReportContentSecurityPolicyViolation(
    const CSPViolationParams& violation_params) {
  Send(new FrameMsg_ReportContentSecurityPolicyViolation(routing_id_,
                                                         violation_params));
}
// Trims |*blocked_url| and |*source_location| in place before they are used
// in a CSP violation report, so that the renderer learns nothing about
// cross-origin URLs beyond their origin.
//
// A value is left untouched when it is same-origin with
// |last_committed_origin_|. |*blocked_url| is also left untouched for a
// form-action violation that did not involve a redirect. Anything else is cut
// down to its origin, and a sanitized source location additionally has its
// two numeric fields zeroed. Both pointers must be non-null (debug-checked).
void RenderFrameHostImpl::SanitizeDataForUseInCspViolation(
    bool is_redirect,
    CSPDirective::Name directive,
    GURL* blocked_url,
    SourceLocation* source_location) const {
  DCHECK(blocked_url);
  DCHECK(source_location);
  const GURL source_location_url(source_location->url);

  // The main goal of this is to avoid leaking information between potentially
  // separate renderers, in the event of one of them being compromised.
  // See https://crbug.com/633306.
  //
  // There is no need to sanitize data when it is same-origin with the current
  // url of the renderer.
  const bool blocked_url_is_same_origin =
      url::Origin::Create(*blocked_url)
          .IsSameOriginWith(last_committed_origin_);
  const bool source_is_same_origin =
      url::Origin::Create(source_location_url)
          .IsSameOriginWith(last_committed_origin_);

  // When a renderer tries to do a form submission, it already knows the url of
  // the blocked url, except when it is redirected.
  const bool renderer_already_knows_blocked_url =
      !is_redirect && directive == CSPDirective::FormAction;

  if (!blocked_url_is_same_origin && !renderer_already_knows_blocked_url)
    *blocked_url = blocked_url->GetOrigin();

  if (!source_is_same_origin) {
    *source_location =
        SourceLocation(source_location_url.GetOrigin().spec(), 0u, 0u);
  }
}
// Returns true when |scheme| is in the list returned by
// url::GetCSPBypassingSchemes(), i.e. content with that scheme is exempt from
// Content-Security-Policy checks made in the browser process.
bool RenderFrameHostImpl::SchemeShouldBypassCSP(
    const base::StringPiece& scheme) {
  // Blink uses its SchemeRegistry to check if a scheme should be bypassed.
  // It can't be used on the browser process. It is used for two things:
  // 1) Bypassing the "chrome-extension" scheme when chrome is built with the
  //    extensions support.
  // 2) Bypassing arbitrary scheme for testing purpose only in blink and in V8.
  // TODO(arthursonzogni): url::GetCSPBypassingSchemes() is used instead of the
  // blink::SchemeRegistry. It contains 1) but not 2).
  return base::ContainsValue(url::GetCSPBypassingSchemes(), scheme);
}
// Returns the raw pointer held by |frame_input_handler_|. No ownership is
// transferred to the caller.
mojom::FrameInputHandler* RenderFrameHostImpl::GetFrameInputHandler() {
  return frame_input_handler_.get();
}
// Asks the renderer process to create the RenderFrame for this frame host.
//
// |proxy_routing_id|, |opener_routing_id|, |parent_routing_id| and
// |previous_sibling_routing_id| are copied into the CreateFrame parameters;
// MSG_ROUTING_NONE for the proxy or the parent skips the matching step below.
// Returns false, sending nothing, when the render process fails to
// initialize; otherwise marks the RenderFrame as created and returns true.
bool RenderFrameHostImpl::CreateRenderFrame(int proxy_routing_id,
                                            int opener_routing_id,
                                            int parent_routing_id,
                                            int previous_sibling_routing_id) {
  TRACE_EVENT0("navigation", "RenderFrameHostImpl::CreateRenderFrame");
  DCHECK(!IsRenderFrameLive()) << "Creating frame twice";
  // The process may (if we're sharing a process with another host that already
  // initialized it) or may not (we have our own process or the old process
  // crashed) have been initialized. Calling Init multiple times will be
  // ignored, so this is safe.
  if (!GetProcess()->Init())
    return false;
  DCHECK(GetProcess()->IsInitializedAndNotDead());
  service_manager::mojom::InterfaceProviderPtr interface_provider;
  BindInterfaceProviderRequest(mojo::MakeRequest(&interface_provider));
  mojom::CreateFrameParamsPtr params = mojom::CreateFrameParams::New();
  params->interface_provider = interface_provider.PassInterface();
  params->routing_id = routing_id_;
  params->proxy_routing_id = proxy_routing_id;
  params->opener_routing_id = opener_routing_id;
  params->parent_routing_id = parent_routing_id;
  params->previous_sibling_routing_id = previous_sibling_routing_id;
  params->replication_state = frame_tree_node()->current_replication_state();
  params->devtools_frame_token = frame_tree_node()->devtools_frame_token();
  // Normally, the replication state contains effective frame policy, excluding
  // sandbox flags and feature policy attributes that were updated but have not
  // taken effect. However, a new RenderFrame should use the pending frame
  // policy, since it is being created as part of the navigation that will
  // commit it. (I.e., the RenderFrame needs to know the policy to use when
  // initializing the new document once it commits).
  params->replication_state.frame_policy =
      frame_tree_node()->pending_frame_policy();
  params->frame_owner_properties =
      FrameOwnerProperties(frame_tree_node()->frame_owner_properties());
  params->has_committed_real_load =
      frame_tree_node()->has_committed_real_load();
  params->widget_params = mojom::CreateFrameWidgetParams::New();
  if (render_widget_host_) {
    params->widget_params->routing_id = render_widget_host_->GetRoutingID();
    params->widget_params->hidden = render_widget_host_->is_hidden();
  } else {
    // MSG_ROUTING_NONE will prevent a new RenderWidget from being created in
    // the renderer process.
    params->widget_params->routing_id = MSG_ROUTING_NONE;
    params->widget_params->hidden = true;
  }
  GetProcess()->GetRendererInterface()->CreateFrame(std::move(params));
  // The RenderWidgetHost takes ownership of its view. It is tied to the
  // lifetime of the current RenderProcessHost for this RenderFrameHost.
  // TODO(avi): This will need to change to initialize a
  // RenderWidgetHostViewAura for the main frame once RenderViewHostImpl has-a
  // RenderWidgetHostImpl. https://crbug.com/545684
  if (parent_routing_id != MSG_ROUTING_NONE && render_widget_host_) {
    RenderWidgetHostView* rwhv =
        RenderWidgetHostViewChildFrame::Create(render_widget_host_);
    rwhv->Hide();
  }
  if (proxy_routing_id != MSG_ROUTING_NONE) {
    // NOTE(review): the FromID() result is dereferenced without a null check;
    // confirm that a proxy with this id always exists in this process when
    // callers pass a real |proxy_routing_id|.
    RenderFrameProxyHost* proxy = RenderFrameProxyHost::FromID(
        GetProcess()->GetID(), proxy_routing_id);
    // We have also created a RenderFrameProxy in CreateFrame above, so
    // remember that.
    proxy->set_render_frame_proxy_created(true);
  }
  // The renderer now has a RenderFrame for this RenderFrameHost. Note that
  // this path is only used for out-of-process iframes. Main frame RenderFrames
  // are created with their RenderView, and same-site iframes are created at the
  // time of OnCreateChildFrame.
  SetRenderFrameCreated(true);
  return true;
}
// Records whether the renderer-side RenderFrame exists and, when that state
// changes, notifies the delegate. When |created| is true this also wires the
// widget host, if any, to the renderer's widget and input interfaces and
// re-sends the enabled bindings to the new frame.
void RenderFrameHostImpl::SetRenderFrameCreated(bool created) {
  // We should not create new RenderFrames while our delegate is being destroyed
  // (e.g., via a WebContentsObserver during WebContents shutdown). This seems
  // to have caused crashes in https://crbug.com/717650.
  if (created && delegate_)
    CHECK(!delegate_->IsBeingDestroyed());
  bool was_created = render_frame_created_;
  render_frame_created_ = created;
  // If the current status is different than the new status, the delegate
  // needs to be notified.
  if (delegate_ && (created != was_created)) {
    if (created) {
      SetUpMojoIfNeeded();
      delegate_->RenderFrameCreated(this);
    } else {
      delegate_->RenderFrameDeleted(this);
    }
  }
  if (created && render_widget_host_) {
    mojom::WidgetPtr widget;
    GetRemoteInterfaces()->GetInterface(&widget);
    render_widget_host_->SetWidget(std::move(widget));
    if (frame_input_handler_) {
      mojom::WidgetInputHandlerAssociatedPtr widget_handler;
      mojom::WidgetInputHandlerHostPtr host;
      mojom::WidgetInputHandlerHostRequest host_request =
          mojo::MakeRequest(&host);
      frame_input_handler_->GetWidgetInputHandler(
          mojo::MakeRequest(&widget_handler), std::move(host));
      render_widget_host_->SetWidgetInputHandler(std::move(widget_handler),
                                                 std::move(host_request));
    }
    render_widget_host_->input_router()->SetFrameTreeNodeId(
        frame_tree_node_->frame_tree_node_id());
    viz::mojom::InputTargetClientPtr input_target_client;
    remote_interfaces_->GetInterface(&input_target_client);
    // Keep a raw pointer to the proxy before it is moved into the widget host.
    // NOTE(review): |input_target_client_| is then valid only for as long as
    // the widget host keeps the moved-in pointer alive; confirm that nothing
    // uses it after the widget host has gone or been rebound.
    input_target_client_ = input_target_client.get();
    render_widget_host_->SetInputTargetClient(std::move(input_target_client));
    render_widget_host_->InitForFrame();
  }
  // Tell the new RenderFrame which bindings are enabled for this frame host;
  // the bindings control interface is fetched on first use.
  if (enabled_bindings_ && created) {
    if (!frame_bindings_control_)
      GetRemoteAssociatedInterfaces()->GetInterface(&frame_bindings_control_);
    frame_bindings_control_->AllowBindings(enabled_bindings_);
  }
}
// Resumes requests that were blocked for this frame and, if the host was
// still waiting for initialization, replays the navigation that was parked in
// |pending_navigate_| while it waited.
void RenderFrameHostImpl::Init() {
  ResumeBlockedRequestsForFrame();

  if (waiting_for_init_) {
    waiting_for_init_ = false;

    // Nothing was deferred while waiting.
    if (!pending_navigate_)
      return;

    // Hand the stored begin-navigation state to the navigator, then drop the
    // holder so the navigation cannot be replayed a second time.
    auto& deferred = *pending_navigate_;
    frame_tree_node()->navigator()->OnBeginNavigation(
        frame_tree_node(), deferred.common_params,
        std::move(deferred.begin_navigation_params),
        std::move(deferred.blob_url_loader_factory),
        std::move(deferred.navigation_client),
        std::move(deferred.navigation_initiator));
    pending_navigate_.reset();
  }
}
// Tracks the frame's audible state. On a change, the process is told that a
// media stream was added or removed and the new state is forwarded to the
// frame resource coordinator. Repeated notifications with the same value are
// ignored, so the process-level add/remove calls stay balanced.
void RenderFrameHostImpl::OnAudibleStateChanged(bool is_audible) {
  const bool unchanged = (is_audible == is_audible_);
  if (unchanged)
    return;

  RenderProcessHost* const process = GetProcess();
  if (is_audible) {
    process->OnMediaStreamAdded();
  } else {
    process->OnMediaStreamRemoved();
  }

  is_audible_ = is_audible;
  GetFrameResourceCoordinator()->SetAudibility(is_audible_);
}
// Handles a console message reported by the renderer. A severity outside
// [LOG_VERBOSE, LOG_FATAL] is treated as a bad message. The delegate may
// consume the message; otherwise it is written to the browser log, subject to
// the minimum log level and the off-the-record rule below.
void RenderFrameHostImpl::OnDidAddMessageToConsole(
    int32_t level,
    const base::string16& message,
    int32_t line_no,
    const base::string16& source_id) {
  // |level| comes from the renderer, so range-check it before it is used as a
  // log severity.
  const bool severity_in_range =
      level >= logging::LOG_VERBOSE && level <= logging::LOG_FATAL;
  if (!severity_in_range) {
    bad_message::ReceivedBadMessage(
        GetProcess(), bad_message::RFH_DID_ADD_CONSOLE_MESSAGE_BAD_SEVERITY);
    return;
  }

  const bool handled_by_delegate =
      delegate_->DidAddMessageToConsole(level, message, line_no, source_id);
  if (handled_by_delegate)
    return;

  // Only WebUI pages keep the severity they asked for; everything else is
  // logged at LOG_INFO to limit console spew.
  const bool from_web_ui =
      HasWebUIScheme(delegate_->GetMainFrameLastCommittedURL());
  int32_t log_level = ::logging::LOG_INFO;
  if (from_web_ui)
    log_level = level;

  if (::logging::GetMinLogLevel() > log_level)
    return;

  // LogMessages can be persisted, so nothing from an off-the-record context is
  // logged. WebUI is exempt because its source is part of Chrome's own source
  // code and its messages are treated like log messages from native code.
  if (!from_web_ui && GetSiteInstance()->GetBrowserContext()->IsOffTheRecord())
    return;

  // NOTE(review): |message| and |source_id| are page-supplied text and are
  // written as-is; anything parsing this log should not rely on its line
  // structure.
  logging::LogMessage("CONSOLE", line_no, log_level).stream()
      << "\"" << message << "\", source: " << source_id << " (" << line_no
      << ")";
}
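// Handles the renderer's request to create a child frame under this frame.
//
// |new_routing_id|, |new_interface_provider_provider_request| and
// |devtools_frame_token| are generated by the browser (see the comment above
// the AddFrame call); the remaining arguments describe the frame as reported
// by the renderer. The request is rejected as a bad message when |owner_type|
// is kNone, and silently ignored when this host is no longer active, no longer
// current, or has no RenderFrame.
void RenderFrameHostImpl::OnCreateChildFrame(
    int new_routing_id,
    service_manager::mojom::InterfaceProviderRequest
        new_interface_provider_provider_request,
    blink::WebTreeScopeType scope,
    const std::string& frame_name,
    const std::string& frame_unique_name,
    bool is_created_by_script,
    const base::UnguessableToken& devtools_frame_token,
    const blink::FramePolicy& frame_policy,
    const FrameOwnerProperties& frame_owner_properties,
    const blink::FrameOwnerElementType owner_type) {
  // TODO(lukasza): Call ReceivedBadMessage when |frame_unique_name| is empty.
  // Until then this is only a DCHECK, so builds without DCHECKs accept an
  // empty unique name from the renderer.
  DCHECK(!frame_unique_name.empty());
  DCHECK(new_interface_provider_provider_request.is_pending());
  if (owner_type == blink::FrameOwnerElementType::kNone) {
    // Any child frame must have a HTMLFrameOwnerElement in its parent document
    // and therefore the corresponding type of kNone (specific to main frames)
    // is invalid.
    bad_message::ReceivedBadMessage(
        GetProcess(), bad_message::RFH_CHILD_FRAME_NEEDS_OWNER_ELEMENT_TYPE);
    // Stop here, as the other handlers in this file do after reporting a bad
    // message, so the invalid owner type never reaches the frame tree.
    return;
  }
  // The RenderFrame corresponding to this host sent an IPC message to create a
  // child, but by the time we get here, it's possible for the host to have been
  // swapped out, or for its process to have disconnected (maybe due to browser
  // shutdown). Ignore such messages.
  if (!is_active() || !IsCurrent() || !render_frame_created_)
    return;
  // |new_routing_id|, |new_interface_provider_provider_request|, and
  // |devtools_frame_token| were generated on the browser's IO thread and not
  // taken from the renderer process.
  frame_tree_->AddFrame(
      frame_tree_node_, GetProcess()->GetID(), new_routing_id,
      std::move(new_interface_provider_provider_request), scope, frame_name,
      frame_unique_name, is_created_by_script, devtools_frame_token,
      frame_policy, frame_owner_properties, was_discarded_, owner_type);
}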
// Updates per-frame state after a navigation has committed: the current URL
// and last committed origin always, the last successful URL unless this was a
// net error page, and -- for cross-document commits only -- the feature
// policy and active sandbox flags.
void RenderFrameHostImpl::DidNavigate(
    const FrameHostMsg_DidCommitProvisionalLoad_Params& params,
    bool is_same_document_navigation) {
  // The last committed URL and origin live on the RenderFrameHost itself so
  // that GetLastCommittedURL and GetLastCommittedOrigin stay correct even if
  // this host later becomes pending deletion. The URL is recorded whether or
  // not it belongs to a net error page.
  frame_tree_node_->SetCurrentURL(params.url);
  SetLastCommittedOrigin(params.origin);

  // Net error pages do not end up in the correct process after transfers (see
  // https://crbug.com/560511), so they must not overwrite the last successful
  // URL; the next cross-process navigation or transfer should decide whether
  // to swap as if the net error had not occurred.
  // TODO(creis): Remove this block and always set the URL once transfers handle
  // network errors or PlzNavigate is enabled. See https://crbug.com/588314.
  if (!params.url_is_unreachable) {
    last_successful_url_ = params.url;
  }

  // A same-document navigation keeps the existing policy state.
  if (is_same_document_navigation)
    return;

  // With the last committed origin set, reset the feature policy and sandbox
  // flags to a blank policy based on the parent frame.
  ResetFeaturePolicy();
  active_sandbox_flags_ = frame_tree_node()->active_sandbox_flags();
}
// Stores |origin| as this frame's last committed origin and passes the same
// origin to CSPContext::SetSelf().
// NOTE(review): presumably SetSelf() is what the CSP 'self' source resolves
// against, so both values must always be updated together -- confirm in
// CSPContext.
void RenderFrameHostImpl::SetLastCommittedOrigin(const url::Origin& origin) {
  last_committed_origin_ = origin;
  CSPContext::SetSelf(origin);
}
// Test-only entry point that forwards to SetLastCommittedOrigin(). It lets a
// test set the committed origin without a navigation committing it, so it
// should not be called from production code.
void RenderFrameHostImpl::SetLastCommittedOriginForTesting(
    const url::Origin& origin) {
  SetLastCommittedOrigin(origin);
}
// Takes ownership of |child|, initializes its RenderFrameHost in this frame's
// SiteInstance, creates the proxies other SiteInstances need for it, and
// appends it to |children_|. Returns a non-owning pointer to the added node.
// |process_id| must be this frame's own process; a mismatch is a CHECK
// failure.
FrameTreeNode* RenderFrameHostImpl::AddChild(
    std::unique_ptr<FrameTreeNode> child,
    int process_id,
    int frame_routing_id) {
  // Child frame must always be created in the same process as the parent.
  CHECK_EQ(process_id, GetProcess()->GetID());

  // Keep a raw pointer so the node can still be returned once ownership has
  // moved into |children_|.
  FrameTreeNode* const new_node = child.get();

  // Child frames always start out in the same SiteInstance as the current
  // frame; they can swap to a different one if they navigate away.
  new_node->render_manager()->Init(GetSiteInstance(),
                                   render_view_host()->GetRoutingID(),
                                   frame_routing_id, MSG_ROUTING_NONE, false);

  // Other renderer processes in this BrowsingInstance may need to find out
  // about the new frame. Every SiteInstance that has a proxy for the parent
  // gets one for the child, since all frames in a frame tree should have the
  // same set of proxies.
  frame_tree_node_->render_manager()->CreateProxiesForChildFrame(new_node);

  children_.push_back(std::move(child));
  return new_node;
}
// Removes |child| from |children_| and destroys it, then re-runs the
// pending-deletion check. Does nothing when |child| is not one of this
// frame's children.
void RenderFrameHostImpl::RemoveChild(FrameTreeNode* child) {
  const auto match = std::find_if(
      children_.begin(), children_.end(),
      [child](const std::unique_ptr<FrameTreeNode>& candidate) {
        return candidate.get() == child;
      });
  if (match == children_.end())
    return;

  // Subtle: the node has to be gone from the tree before observers are
  // notified of its deletion, so ownership is taken out of the vector first
  // and the node is only destroyed after the slot has been erased.
  std::unique_ptr<FrameTreeNode> detached_node = std::move(*match);
  children_.erase(match);
  detached_node.reset();

  PendingDeletionCheckCompleted();
}
// Detaches every child node from this frame and then destroys them.
void RenderFrameHostImpl::ResetChildren() {
  // Swap the children into a local vector so |children_| is already empty by
  // the time the nodes are destroyed; their destruction notifies observers.
  // See https://crbug.com/612450 for why std::vector::clear is not used.
  std::vector<std::unique_ptr<FrameTreeNode>> doomed_children;
  doomed_children.swap(children_);
}
// Overwrites the stored last committed URL with |url|. No validation happens
// here; callers pass the value they want recorded (OnRenderProcessGone, for
// example, passes an empty GURL).
void RenderFrameHostImpl::SetLastCommittedUrl(const GURL& url) {
  last_committed_url_ = url;
}
// Handles the renderer's report that this frame was detached. Only subframes
// may detach: the same message for a main frame is treated as a bad message.
void RenderFrameHostImpl::OnDetach() {
  const bool is_main_frame = !parent_;
  if (is_main_frame) {
    bad_message::ReceivedBadMessage(GetProcess(),
                                    bad_message::RFH_DETACH_MAIN_FRAME);
    return;
  }

  // For a frame that is pending deletion, OnDetach() is the ACK this
  // RenderFrameHost is waiting for before going into the "Deleted" state.
  const bool is_pending_deletion_ack =
      !(is_active() || is_waiting_for_swapout_ack_);
  if (is_pending_deletion_ack) {
    unload_state_ = UnloadState::Completed;
    PendingDeletionCheckCompleted();
    return;
  }

  // TODO(arthursonzogni): Put this frame and its children in pending deletion.
  // Wait for every unload handler to execute before removing it.
  parent_->RemoveChild(frame_tree_node_);
}
// Tells the delegate that this frame's node is now the focused frame, along
// with the SiteInstance the notification came from.
void RenderFrameHostImpl::OnFrameFocused() {
  auto* const source_site_instance = GetSiteInstance();
  delegate_->SetFocusedFrame(frame_tree_node_, source_site_instance);
}
// Handles the renderer's request to open a URL. All of |params| comes from the
// renderer: the URL is filtered for this process, a blob URL token is only
// accepted together with a blob: URL, and the request body has to pass
// CanReadRequestBody() before the navigator is asked to open the URL.
void RenderFrameHostImpl::OnOpenURL(const FrameHostMsg_OpenURL_Params& params) {
  // Navigation uses the filtered copy, never |params.url| directly.
  GURL filtered_url(params.url);
  GetProcess()->FilterURL(false, &filtered_url);

  // Wrap the raw handle immediately so it is owned for the rest of the
  // function, including the early returns below.
  mojo::ScopedMessagePipeHandle token_pipe(params.blob_url_token);
  blink::mojom::BlobURLTokenPtr token(
      blink::mojom::BlobURLTokenPtrInfo(std::move(token_pipe),
                                        blink::mojom::BlobURLToken::Version_));

  // The scheme check looks at the URL as the renderer sent it, not at the
  // filtered copy.
  if (token && !params.url.SchemeIsBlob()) {
    bad_message::ReceivedBadMessage(
        GetProcess(), bad_message::RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL);
    return;
  }

  scoped_refptr<network::SharedURLLoaderFactory> blob_factory;
  if (token) {
    blob_factory = ChromeBlobStorageContext::URLLoaderFactoryForToken(
        GetSiteInstance()->GetBrowserContext(), std::move(token));
  }

  // The body the renderer wants uploaded must be readable by this
  // SiteInstance.
  const bool body_allowed =
      ChildProcessSecurityPolicyImpl::GetInstance()->CanReadRequestBody(
          GetSiteInstance(), params.resource_request_body);
  if (!body_allowed) {
    bad_message::ReceivedBadMessage(GetProcess(),
                                    bad_message::RFH_ILLEGAL_UPLOAD_PARAMS);
    return;
  }

  // For a history navigation in a new child, first try to find a
  // FrameNavigationEntry that matches this frame, based on the frame's unique
  // name. If none is found, fall back to the default params using
  // RequestOpenURL below.
  if (params.is_history_navigation_in_new_child &&
      frame_tree_node_->navigator()->StartHistoryNavigationInNewSubframe(
          this, filtered_url)) {
    return;
  }

  TRACE_EVENT1("navigation", "RenderFrameHostImpl::OpenURL", "url",
               filtered_url.possibly_invalid_spec());
  frame_tree_node_->navigator()->RequestOpenURL(
      this, filtered_url, params.uses_post, params.resource_request_body,
      params.extra_headers, params.referrer, params.disposition,
      params.should_replace_current_entry, params.user_gesture,
      params.triggering_event_info, params.href_translate,
      std::move(blob_factory));
}
// Placeholder: currently only reports NOTIMPLEMENTED(). No navigation is
// actually canceled by this function.
void RenderFrameHostImpl::CancelInitialHistoryLoad() {
  // A Javascript navigation interrupted the initial history load. Check if an
  // initial subframe cross-process navigation needs to be canceled as a result.
  // TODO(creis, clamy): Cancel any cross-process navigation.
  NOTIMPLEMENTED();
}
// Forwards the renderer's "document onload completed" notification to the
// delegate.
void RenderFrameHostImpl::OnDocumentOnLoadCompleted() {
  // This message is only sent for top-level frames. TODO(avi): when frame tree
  // mirroring works correctly, add a check here to enforce it.
  // Until that check exists, nothing here verifies that the sender really is a
  // top-level frame.
  delegate_->DocumentOnLoadCompleted(this);
}
// Handles the renderer's report that a provisional load failed: the error
// code is recorded on the current NavigationHandle, when there is one, and the
// failure is passed to the navigator.
void RenderFrameHostImpl::OnDidFailProvisionalLoadWithError(
    const FrameHostMsg_DidFailProvisionalLoadWithError_Params& params) {
  TRACE_EVENT2("navigation",
               "RenderFrameHostImpl::OnDidFailProvisionalLoadWithError",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id(),
               "error", params.error_code);

  // TODO(clamy): Kill the renderer with RFH_FAIL_PROVISIONAL_LOAD_NO_HANDLE and
  // return early if navigation_handle_ is null, once we prevent that case from
  // happening in practice. See https://crbug.com/605289.

  // Update the error code in the NavigationHandle of the navigation.
  // NOTE(review): |params.error_code| is cast to net::Error without a range
  // check here -- confirm it is validated before it reaches this handler.
  if (GetNavigationHandle()) {
    const auto reported_error = static_cast<net::Error>(params.error_code);
    GetNavigationHandle()->set_net_error_code(reported_error);
  }

  frame_tree_node_->navigator()->DidFailProvisionalLoadWithError(this, params);
}
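// Handles the renderer's report that a committed load failed. The reported
// URL is filtered for this process before the navigator sees it; |error_code|
// and |error_description| are passed through as reported.
void RenderFrameHostImpl::OnDidFailLoadWithError(
    const GURL& url,
    int error_code,
    const base::string16& error_description) {
  // The event is named after this handler. It previously carried the name of
  // OnDidFailProvisionalLoadWithError, which made the two failure paths
  // indistinguishable in a trace.
  TRACE_EVENT2("navigation", "RenderFrameHostImpl::OnDidFailLoadWithError",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id(),
               "error", error_code);
  // |url| comes from the renderer; only the filtered copy is forwarded.
  GURL validated_url(url);
  GetProcess()->FilterURL(false, &validated_url);
  frame_tree_node_->navigator()->DidFailLoadWithError(
      this, validated_url, error_code, error_description);
}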
// Called when the renderer navigates. For every frame loaded, we'll get this
// notification containing parameters identifying the navigation.
//
// Handles a cross-document commit. Besides committing the navigation through
// DidCommitNavigationInternal(), this enforces that a frame which already
// committed a real load supplies a fresh InterfaceProvider request for the new
// document; a missing request in that case is treated as a bad message.
// The commit is ignored while this host is waiting for a swap-out ACK.
void RenderFrameHostImpl::DidCommitProvisionalLoad(
    std::unique_ptr<FrameHostMsg_DidCommitProvisionalLoad_Params>
        validated_params,
    service_manager::mojom::InterfaceProviderRequest
        interface_provider_request) {
  if (GetNavigationHandle()) {
    main_frame_request_ids_ = {validated_params->request_id,
                               GetNavigationHandle()->GetGlobalRequestID()};
    if (deferred_main_frame_load_info_)
      ResourceLoadComplete(std::move(deferred_main_frame_load_info_));
  }
  // DidCommitProvisionalLoad IPC should be associated with the URL being
  // committed (not with the *last* committed URL that most other IPCs are
  // associated with).
  ScopedActiveURL scoped_active_url(
      validated_params->url,
      frame_tree_node()->frame_tree()->root()->current_origin());
  // Armed until disable() is called at the end, so every early return below
  // goes through the resetter's destructor.
  ScopedCommitStateResetter commit_state_resetter(this);
  RenderProcessHost* process = GetProcess();
  TRACE_EVENT2("navigation", "RenderFrameHostImpl::DidCommitProvisionalLoad",
               "url", validated_params->url.possibly_invalid_spec(), "details",
               CommitAsTracedValue(validated_params.get()));
  // Notify the resource scheduler of the navigation committing.
  NotifyResourceSchedulerOfNavigation(process->GetID(), *validated_params);
  // If we're waiting for a cross-site beforeunload ack from this renderer and
  // we receive a Navigate message from the main frame, then the renderer was
  // navigating already and sent it before hearing the FrameMsg_Stop message.
  // Treat this as an implicit beforeunload ack to allow the pending navigation
  // to continue.
  if (is_waiting_for_beforeunload_ack_ && unload_ack_is_for_navigation_ &&
      !GetParent()) {
    base::TimeTicks approx_renderer_start_time = send_before_unload_start_time_;
    ProcessBeforeUnloadACK(true /* proceed */, true /* treat_as_final_ack */,
                           approx_renderer_start_time, base::TimeTicks::Now());
  }
  // If we're waiting for an unload ack from this frame and we receive a commit
  // message, then the frame was navigating before it received the unload
  // request. It will either respond to the unload request soon or our timer
  // will expire. Either way, we should ignore this message, because we have
  // already committed to destroying this RenderFrameHost. Note that we
  // intentionally do not ignore commits that happen while the current tab is
  // being closed - see https://crbug.com/805705.
  if (is_waiting_for_swapout_ack_)
    return;
  // Retroactive sanity check:
  // - If this is the first real load committing in this frame, then by this
  // time the RenderFrameHost's InterfaceProvider implementation should have
  // already been bound to a message pipe whose client end is used to service
  // interface requests from the initial empty document.
  // - Otherwise, the InterfaceProvider implementation should at this point be
  // bound to an interface connection servicing interface requests coming from
  // the document of the previously committed navigation.
  DCHECK(document_scoped_interface_provider_binding_.is_bound());
  if (interface_provider_request.is_pending()) {
    // As a general rule, expect the RenderFrame to have supplied the
    // request end of a new InterfaceProvider connection that will be used by
    // the new document to issue interface requests to access RenderFrameHost
    // services.
    // The previous document's request end is unbound and handed to a
    // DroppedInterfaceRequestLogger, so the old pipe no longer reaches this
    // host's InterfaceProvider binding.
    auto interface_provider_request_of_previous_document =
        document_scoped_interface_provider_binding_.Unbind();
    dropped_interface_request_logger_ =
        std::make_unique<DroppedInterfaceRequestLogger>(
            std::move(interface_provider_request_of_previous_document));
    BindInterfaceProviderRequest(std::move(interface_provider_request));
  } else {
    // If there had already been a real load committed in the frame, and this is
    // not a same-document navigation, then both the active document as well as
    // the global object was replaced in this browsing context. The RenderFrame
    // should have rebound its InterfaceProvider to a new pipe, but failed to do
    // so. Kill the renderer, and close the old binding to ensure that any
    // pending interface requests originating from the previous document, hence
    // possibly from a different security origin, will no longer be dispatched.
    if (frame_tree_node_->has_committed_real_load()) {
      document_scoped_interface_provider_binding_.Close();
      bad_message::ReceivedBadMessage(
          process, bad_message::RFH_INTERFACE_PROVIDER_MISSING);
      return;
    }
    // Otherwise, it is the first real load committed, for which the RenderFrame
    // is allowed to, and will re-use the existing InterfaceProvider connection
    // if the new document is same-origin with the initial empty document, and
    // therefore the global object is not replaced.
  }
  if (!DidCommitNavigationInternal(validated_params.get(),
                                   false /* is_same_document_navigation */))
    return;
  // Since we didn't early return, it's safe to keep the commit state.
  commit_state_resetter.disable();
  // For a top-level frame, there are potential security concerns associated
  // with displaying graphics from a previously loaded page after the URL in
  // the omnibar has been changed. It is unappealing to clear the page
  // immediately, but if the renderer is taking a long time to issue any
  // compositor output (possibly because of script deliberately creating this
  // situation) then we clear it after a while anyway.
  // See https://crbug.com/497588.
  if (frame_tree_node_->IsMainFrame() && GetView()) {
    RenderWidgetHostImpl::From(GetView()->GetRenderWidgetHost())
        ->DidNavigate(validated_params->content_source_id);
  }
}
// Handles a same-document commit reported by the renderer. The commit is
// ignored while this host is waiting for a swap-out ACK; otherwise it is
// processed by DidCommitNavigationInternal(), and the commit state is kept
// only when that succeeds.
void RenderFrameHostImpl::DidCommitSameDocumentNavigation(
    std::unique_ptr<FrameHostMsg_DidCommitProvisionalLoad_Params>
        validated_params) {
  ScopedActiveURL active_url_scope(
      validated_params->url,
      frame_tree_node()->frame_tree()->root()->current_origin());
  // Stays armed on every early return; only disabled after a successful
  // commit below.
  ScopedCommitStateResetter state_resetter(this);

  // A commit arriving while we wait for an unload ack means the frame was
  // navigating before it received the unload request. It will either answer
  // the unload request soon or our timer will expire. Either way the message
  // is ignored, because we have already committed to destroying this
  // RenderFrameHost. Commits that happen while the current tab is being closed
  // are intentionally not ignored - see https://crbug.com/805705.
  // TODO(ahemery): Investigate to see if this can be removed when the
  // NavigationClient interface is implemented.
  if (is_waiting_for_swapout_ack_) {
    return;
  }

  TRACE_EVENT2("navigation",
               "RenderFrameHostImpl::DidCommitSameDocumentNavigation",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id(), "url",
               validated_params->url.possibly_invalid_spec());

  const bool committed = DidCommitNavigationInternal(
      validated_params.get(), true /* is_same_document_navigation*/);
  if (committed) {
    // The commit went through, so it's safe to keep the commit state.
    state_resetter.disable();
  }
}
// Handles a PageState update sent by the renderer. The state is only passed
// to the delegate when this frame may access every file it references;
// otherwise the update is treated as a bad message.
void RenderFrameHostImpl::OnUpdateState(const PageState& state) {
  // TODO(creis): Verify the state's ISN matches the last committed FNE.

  // Without this check, the renderer can trick the browser into using
  // filenames it can't access in a future session restore.
  if (CanAccessFilesOfPageState(state)) {
    delegate_->UpdateStateForFrame(this, state);
    return;
  }

  bad_message::ReceivedBadMessage(
      GetProcess(), bad_message::RFH_CAN_ACCESS_FILES_OF_PAGE_STATE);
}
// Returns the RenderWidgetHost of this frame or, when it has none, of the
// nearest ancestor that has one. Reaching the top of the parent chain without
// finding one hits NOTREACHED() and returns nullptr.
RenderWidgetHostImpl* RenderFrameHostImpl::GetRenderWidgetHost() {
  for (RenderFrameHostImpl* current = this; current;
       current = current->GetParent()) {
    if (current->render_widget_host_) {
      return current->render_widget_host_;
    }
  }

  NOTREACHED();
  return nullptr;
}
// Returns the view of the widget host found by GetRenderWidgetHost().
// NOTE(review): the widget host is dereferenced without a null check, although
// GetRenderWidgetHost() has a nullptr return after its NOTREACHED().
RenderWidgetHostView* RenderFrameHostImpl::GetView() {
  RenderWidgetHostImpl* const widget_host = GetRenderWidgetHost();
  return widget_host->GetView();
}
// Builds the (process ID, frame routing ID) pair that identifies this frame
// across processes.
GlobalFrameRoutingId RenderFrameHostImpl::GetGlobalFrameRoutingId() {
  const auto process_id = GetProcess()->GetID();
  const auto routing_id = GetRoutingID();
  return GlobalFrameRoutingId(process_id, routing_id);
}
// Returns the NavigationHandle of the current navigation request, or nullptr
// when there is no navigation request.
NavigationHandleImpl* RenderFrameHostImpl::GetNavigationHandle() {
  if (!navigation_request())
    return nullptr;
  return navigation_request()->navigation_handle();
}
// Drops every navigation request this host is holding: the single
// |navigation_request_|, the same-document request, and all entries of
// |navigation_requests_|.
void RenderFrameHostImpl::ResetNavigationRequests() {
  navigation_request_.reset();
  same_document_navigation_request_.reset();
  navigation_requests_.clear();
}
// Takes ownership of |navigation_request|. A same-document request replaces
// |same_document_navigation_request_|; any other request is stored in
// |navigation_requests_| under its navigation ID. |navigation_request| must
// not be null.
void RenderFrameHostImpl::SetNavigationRequest(
    std::unique_ptr<NavigationRequest> navigation_request) {
  DCHECK(navigation_request);

  const bool is_same_document = FrameMsg_Navigate_Type::IsSameDocument(
      navigation_request->common_params().navigation_type);
  if (is_same_document) {
    same_document_navigation_request_ = std::move(navigation_request);
  } else {
    // Read the key before ownership of the request moves into the map.
    const auto navigation_id =
        navigation_request->navigation_handle()->GetNavigationId();
    navigation_requests_[navigation_id] = std::move(navigation_request);
  }
}
// Starts swapping this RenderFrameHost out in favour of |proxy|. Marks the
// host as waiting for the swap-out ACK, starts the swap-out timeout when one
// is configured, and -- if the RenderFrame is live -- sends FrameMsg_SwapOut
// with the proxy's routing ID and replication state. |proxy| must not be
// null. Must only be called while the host is active.
void RenderFrameHostImpl::SwapOut(
    RenderFrameProxyHost* proxy,
    bool is_loading) {
  // The end of this event is in OnSwapOutACK when the RenderFrame has completed
  // the operation and sends back an IPC message.
  // The trace event may not end properly if the ACK times out. We expect this
  // to be fixed when RenderViewHostImpl::OnSwapOut moves to RenderFrameHost.
  TRACE_EVENT_ASYNC_BEGIN1("navigation", "RenderFrameHostImpl::SwapOut", this,
                           "frame_tree_node",
                           frame_tree_node_->frame_tree_node_id());
  // If this RenderFrameHost is already pending deletion, it must have already
  // gone through this, therefore just return.
  if (!is_active()) {
    NOTREACHED() << "RFH should be in default state when calling SwapOut.";
    return;
  }
  // The timeout bounds how long the browser waits for the renderer's ACK.
  if (swapout_event_monitor_timeout_) {
    swapout_event_monitor_timeout_->Start(base::TimeDelta::FromMilliseconds(
        RenderViewHostImpl::kUnloadTimeoutMS));
  }
  // There should always be a proxy to replace the old RenderFrameHost. If
  // there are no remaining active views in the process, the proxy will be
  // short-lived and will be deleted when the SwapOut ACK is received.
  CHECK(proxy);
  // TODO(nasko): If the frame is not live, the RFH should just be deleted by
  // simulating the receipt of swap out ack.
  is_waiting_for_swapout_ack_ = true;
  unload_state_ = UnloadState::InProgress;
  if (IsRenderFrameLive()) {
    FrameReplicationState replication_state =
        proxy->frame_tree_node()->current_replication_state();
    Send(new FrameMsg_SwapOut(routing_id_, proxy->GetRoutingID(), is_loading,
                              replication_state));
    // Remember that a RenderFrameProxy was created as part of processing the
    // SwapOut message above.
    proxy->set_render_frame_proxy_created(true);
    StartPendingDeletionOnSubtree();
  }
  // Some children with no unload handler may be eligible for deletion. Cut the
  // dead branches now. This is a performance optimization.
  PendingDeletionCheckCompletedOnSubtree();
  if (web_ui())
    web_ui()->RenderFrameHostSwappingOut();
}
// Handles the renderer's beforeunload ACK. The renderer-reported timestamps
// are passed on unchanged, and the ACK is never treated as final here: other
// frames may still have replies pending.
void RenderFrameHostImpl::OnBeforeUnloadACK(
    bool proceed,
    const base::TimeTicks& renderer_before_unload_start_time,
    const base::TimeTicks& renderer_before_unload_end_time) {
  constexpr bool kTreatAsFinalAck = false;
  ProcessBeforeUnloadACK(proceed, kTreatAsFinalAck,
                         renderer_before_unload_start_time,
                         renderer_before_unload_end_time);
}
// Routes a beforeunload ACK for this frame to the frame that started the
// beforeunload sequence (this frame or one of its ancestors). The ACK is
// dropped when no frame in the chain is waiting for one.
void RenderFrameHostImpl::ProcessBeforeUnloadACK(
    bool proceed,
    bool treat_as_final_ack,
    const base::TimeTicks& renderer_before_unload_start_time,
    const base::TimeTicks& renderer_before_unload_end_time) {
  TRACE_EVENT_ASYNC_END1("navigation", "RenderFrameHostImpl BeforeUnload", this,
                         "FrameTreeNode id",
                         frame_tree_node_->frame_tree_node_id());

  // If this renderer navigated while the beforeunload request was in flight,
  // the waiting state may already have been cleared in
  // DidCommitProvisionalLoad, and the message can be ignored.
  // The renderer might also be swapped out while we still want to proceed with
  // the navigation, because otherwise future navigations would be blocked.
  // This can happen when a pending cross-site navigation is canceled by a
  // second one just before DidCommitProvisionalLoad, while the current RVH is
  // waiting for commit but the second navigation is started from the
  // beginning.
  if (RenderFrameHostImpl* ack_target = GetBeforeUnloadInitiator()) {
    // Continue processing the ACK in the frame that triggered beforeunload in
    // this frame. This could be either this frame itself or an ancestor frame.
    ack_target->ProcessBeforeUnloadACKFromFrame(
        proceed, treat_as_final_ack, this, false /* is_frame_being_destroyed */,
        renderer_before_unload_start_time, renderer_before_unload_end_time);
  }
}
// Walks from this frame up through its ancestors and returns the first frame
// that is waiting for a beforeunload ACK, or nullptr when none is.
RenderFrameHostImpl* RenderFrameHostImpl::GetBeforeUnloadInitiator() {
  RenderFrameHostImpl* candidate = this;
  while (candidate) {
    if (candidate->is_waiting_for_beforeunload_ack_)
      return candidate;
    candidate = candidate->GetParent();
  }
  return nullptr;
}
// Processes, in the frame that started the beforeunload sequence, the ACK
// received from |frame|. Waits until every pending reply has arrived unless
// |proceed| is false or |treat_as_final_ack| is set, then clears the
// beforeunload waiting state and forwards the result either to the Navigator
// (ACK for a navigation) or to the RenderFrameHostManager (ACK for a close).
// The two timestamps are reported by the renderer and may be null.
void RenderFrameHostImpl::ProcessBeforeUnloadACKFromFrame(
    bool proceed,
    bool treat_as_final_ack,
    RenderFrameHostImpl* frame,
    bool is_frame_being_destroyed,
    const base::TimeTicks& renderer_before_unload_start_time,
    const base::TimeTicks& renderer_before_unload_end_time) {
  // Check if we need to wait for more beforeunload ACKs. If |proceed| is
  // false, we know the navigation or window close will be aborted, so we don't
  // need to wait for beforeunload ACKs from any other frames.
  // |treat_as_final_ack| also indicates that we shouldn't wait for any other
  // ACKs (e.g., when a beforeunload timeout fires).
  if (!proceed || treat_as_final_ack) {
    beforeunload_pending_replies_.clear();
  } else {
    beforeunload_pending_replies_.erase(frame);
    if (!beforeunload_pending_replies_.empty())
      return;
  }
  DCHECK(!send_before_unload_start_time_.is_null());
  // Sets a default value for before_unload_end_time so that the browser
  // survives a hacked renderer.
  // The renderer's timestamps are only used further when both are non-null;
  // no other validation of them is visible in this function.
  base::TimeTicks before_unload_end_time = renderer_before_unload_end_time;
  if (!renderer_before_unload_start_time.is_null() &&
      !renderer_before_unload_end_time.is_null()) {
    base::TimeTicks receive_before_unload_ack_time = base::TimeTicks::Now();
    if (!base::TimeTicks::IsConsistentAcrossProcesses()) {
      // TimeTicks is not consistent across processes and we are passing
      // TimeTicks across process boundaries so we need to compensate for any
      // skew between the processes. Here we are converting the renderer's
      // notion of before_unload_end_time to TimeTicks in the browser process.
      // See comments in inter_process_time_ticks_converter.h for more.
      InterProcessTimeTicksConverter converter(
          LocalTimeTicks::FromTimeTicks(send_before_unload_start_time_),
          LocalTimeTicks::FromTimeTicks(receive_before_unload_ack_time),
          RemoteTimeTicks::FromTimeTicks(renderer_before_unload_start_time),
          RemoteTimeTicks::FromTimeTicks(renderer_before_unload_end_time));
      LocalTimeTicks browser_before_unload_end_time =
          converter.ToLocalTimeTicks(
              RemoteTimeTicks::FromTimeTicks(renderer_before_unload_end_time));
      before_unload_end_time = browser_before_unload_end_time.ToTimeTicks();
    }
    // Browser-side round trip minus the time the renderer says it spent in the
    // handler; recorded as a histogram sample only.
    base::TimeDelta on_before_unload_overhead_time =
        (receive_before_unload_ack_time - send_before_unload_start_time_) -
        (renderer_before_unload_end_time - renderer_before_unload_start_time);
    UMA_HISTOGRAM_TIMES("Navigation.OnBeforeUnloadOverheadTime",
                        on_before_unload_overhead_time);
    frame_tree_node_->navigator()->LogBeforeUnloadTime(
        renderer_before_unload_start_time, renderer_before_unload_end_time);
  }
  // Resets beforeunload waiting state.
  is_waiting_for_beforeunload_ack_ = false;
  has_shown_beforeunload_dialog_ = false;
  if (beforeunload_timeout_)
    beforeunload_timeout_->Stop();
  send_before_unload_start_time_ = base::TimeTicks();
  // If the ACK is for a navigation, send it to the Navigator to have the
  // current navigation stop/proceed. Otherwise, send it to the
  // RenderFrameHostManager which handles closing.
  if (unload_ack_is_for_navigation_) {
    frame_tree_node_->navigator()->OnBeforeUnloadACK(frame_tree_node_, proceed,
                                                     before_unload_end_time);
  } else {
    // We could reach this from a subframe destructor for |frame| while we're
    // in the middle of closing the current tab. In that case, dispatch the
    // ACK to prevent re-entrancy and a potential nested attempt to free the
    // current frame. See https://crbug.com/866382.
    // The task holds a WeakPtr, so a posted task becomes a no-op if this host
    // is destroyed before it runs.
    base::OnceClosure task = base::BindOnce(
        [](base::WeakPtr<RenderFrameHostImpl> self,
           const base::TimeTicks& before_unload_end_time, bool proceed) {
          if (!self)
            return;
          self->frame_tree_node()->render_manager()->OnBeforeUnloadACK(
              proceed, before_unload_end_time);
        },
        weak_ptr_factory_.GetWeakPtr(), before_unload_end_time, proceed);
    if (is_frame_being_destroyed) {
      DCHECK(proceed);
      base::ThreadTaskRunnerHandle::Get()->PostTask(FROM_HERE, std::move(task));
    } else {
      std::move(task).Run();
    }
  }
  // If canceled, notify the delegate to cancel its pending navigation entry.
  // This is usually redundant with the dialog closure code in WebContentsImpl's
  // OnDialogClosed, but there may be some cases that Blink returns !proceed
  // without showing the dialog. We also update the address bar here to be safe.
  if (!proceed)
    delegate_->DidCancelLoading();
}
// Returns true while either the RenderViewHost is waiting for a close ACK or
// this frame is waiting for a swap-out ACK.
bool RenderFrameHostImpl::IsWaitingForUnloadACK() const {
  if (render_view_host_->is_waiting_for_close_ack_)
    return true;
  return is_waiting_for_swapout_ack_;
}
// Handles the renderer's swap-out ACK: marks the unload as completed and
// re-runs the pending-deletion check. An ACK that was never requested is
// ignored, so a renderer cannot advance the unload state on its own.
void RenderFrameHostImpl::OnSwapOutACK() {
  if (is_waiting_for_swapout_ack_) {
    DCHECK_EQ(UnloadState::InProgress, unload_state_);
    unload_state_ = UnloadState::Completed;
    PendingDeletionCheckCompleted();
  }
  // Otherwise this is a spurious swap out ack and there is nothing to do.
}
// Cleans up after this frame's renderer process has gone away: records the
// termination status for main frames, optionally generates a crash report,
// removes child frames, resets the RenderFrame/Mojo state, and completes or
// drops every callback that was still waiting for the renderer.
// |status| is converted to base::TerminationStatus; |exit_code| is not used
// in this function. |this| may be deleted by the time the function returns.
void RenderFrameHostImpl::OnRenderProcessGone(int status, int exit_code) {
  base::TerminationStatus termination_status =
      static_cast<base::TerminationStatus>(status);
  if (frame_tree_node_->IsMainFrame()) {
    // Keep the termination status so we can get at it later when we
    // need to know why it died.
    render_view_host_->render_view_termination_status_ = termination_status;
  }
  if (base::FeatureList::IsEnabled(features::kCrashReporting))
    MaybeGenerateCrashReport(termination_status);
  // When a frame's process dies, its RenderFrame no longer exists, which means
  // that its child frames must be cleaned up as well.
  ResetChildren();
  // Reset state for the current RenderFrameHost once the FrameTreeNode has been
  // reset.
  SetRenderFrameCreated(false);
  InvalidateMojoConnection();
  // Closing the binding stops interface requests from the dead process's
  // document from being serviced.
  document_scoped_interface_provider_binding_.Close();
  SetLastCommittedUrl(GURL());
  // Execute any pending AX tree snapshot callbacks with an empty response,
  // since we're never going to get a response from this renderer.
  for (auto& iter : ax_tree_snapshot_callbacks_)
    std::move(iter.second).Run(ui::AXTreeUpdate());
#if defined(OS_ANDROID)
  // Execute any pending Samsung smart clip callbacks.
  for (base::IDMap<std::unique_ptr<ExtractSmartClipDataCallback>>::iterator
           iter(&smart_clip_callbacks_);
       !iter.IsAtEnd(); iter.Advance()) {
    std::move(*iter.GetCurrentValue())
        .Run(base::string16(), base::string16(), gfx::Rect());
  }
  smart_clip_callbacks_.Clear();
#endif  // defined(OS_ANDROID)
  // Unlike the snapshot callbacks above, the JavaScript and visual-state
  // callbacks are dropped without being run.
  ax_tree_snapshot_callbacks_.clear();
  javascript_callbacks_.clear();
  visual_state_callbacks_.clear();
  // Ensure that future remote interface requests are associated with the new
  // process's channel.
  remote_associated_interfaces_.reset();
  // Any termination disablers in content loaded by the new process will
  // be sent again.
  sudden_termination_disabler_types_enabled_ = 0;
  if (!is_active()) {
    // If the process has died, we don't need to wait for the ACK. Complete the
    // deletion immediately.
    unload_state_ = UnloadState::Completed;
    DCHECK(children_.empty());
    PendingDeletionCheckCompleted();
    // |this| is deleted. Don't add any more code at this point in the function.
    return;
  }
  // If this was the current pending or speculative RFH dying, cancel and
  // destroy it.
  frame_tree_node_->render_manager()->CancelPendingIfNecessary(this);
  // Note: don't add any more code at this point in the function because
  // |this| may be deleted. Any additional cleanup should happen before
  // the last block of code here.
}
// Handles the acknowledgement that this frame has been swapped out: stops the
// swap-out monitor, clears WebUI state, updates the RenderViewHost's
// swapped-out flag where appropriate and removes this host from the
// RenderFrameHostManager's pending list.
void RenderFrameHostImpl::OnSwappedOut() {
  // An ACK is only expected while a swap-out is outstanding.
  DCHECK(is_waiting_for_swapout_ack_);

  TRACE_EVENT_ASYNC_END0("navigation", "RenderFrameHostImpl::SwapOut", this);

  // The ACK arrived, so the monitor (when one exists) is stopped.
  if (swapout_event_monitor_timeout_) {
    swapout_event_monitor_timeout_->Stop();
  }

  ClearAllWebUI();

  // A main-frame RFH that is about to be deleted marks its RVH as swapped out
  // (https://crbug.com/505887), but only when that RVH has not already been
  // reused and marked active by another navigation
  // (https://crbug.com/823567).
  const bool main_frame_with_inactive_rvh =
      frame_tree_node_->IsMainFrame() && !render_view_host_->is_active();
  if (main_frame_with_inactive_rvh) {
    render_view_host_->set_is_swapped_out(true);
  }

  // Failing to find this host in the pending list is fatal (CHECK, so it is
  // enforced in every build type).
  const bool removed_from_pending_list =
      frame_tree_node_->render_manager()->DeleteFromPendingList(this);
  CHECK(removed_from_pending_list);
}
// Test-only hook: destroys the swap-out monitor so that no swap-out timeout
// is tracked for this host afterwards.
void RenderFrameHostImpl::DisableSwapOutTimerForTesting() {
  // Code that uses the monitor null-checks it first (see OnSwappedOut()).
  swapout_event_monitor_timeout_.reset();
}
// Test-only hook: overrides the stored subframe unload timeout with
// |timeout|.
void RenderFrameHostImpl::SetSubframeUnloadTimeoutForTesting(
    const base::TimeDelta& timeout) {
  // Only the stored value changes; nothing is rescheduled here.
  subframe_unload_timeout_ = timeout;
}
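// Handles a context-menu request for this frame and forwards a validated copy
// of |params| to the delegate.
//
// |params| is treated as untrusted: URLs the renderer could not request
// directly are filtered out, the coordinates are mapped into the root
// coordinate space, and a negative |selection_start_offset| is reported as a
// bad message. A request rejected as a bad message is never shown.
//
// Nothing happens when this host is not active.
void RenderFrameHostImpl::OnContextMenu(const ContextMenuParams& params) {
  if (!is_active())
    return;

  // Validate the URLs in |params|. If the renderer can't request the URLs
  // directly, don't show them in the context menu.
  ContextMenuParams validated_params(params);
  RenderProcessHost* process = GetProcess();

  // We don't validate |unfiltered_link_url| so that this field can be used
  // when users want to copy the original link URL.
  process->FilterURL(true, &validated_params.link_url);
  process->FilterURL(true, &validated_params.src_url);
  process->FilterURL(false, &validated_params.page_url);
  process->FilterURL(true, &validated_params.frame_url);

  // It is necessary to transform the coordinates to account for nested
  // RenderWidgetHosts, such as with out-of-process iframes.
  gfx::Point original_point(validated_params.x, validated_params.y);
  gfx::Point transformed_point =
      static_cast<RenderWidgetHostViewBase*>(GetView())
          ->TransformPointToRootCoordSpace(original_point);
  validated_params.x = transformed_point.x();
  validated_params.y = transformed_point.y();

  if (validated_params.selection_start_offset < 0) {
    bad_message::ReceivedBadMessage(
        GetProcess(), bad_message::RFH_NEGATIVE_SELECTION_START_OFFSET);
    // The message has been rejected, so its parameters must not reach the
    // delegate: stop here instead of showing a menu built from them.
    return;
  }

  delegate_->ShowContextMenu(this, validated_params);
}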
// Delivers the result of a script execution request to the callback stored
// under |id|, then forgets that callback.
//
// The first element of |result| is the value passed to the callback. A
// |result| with no first element, or an |id| with no stored callback, trips
// NOTREACHED() and is otherwise ignored.
// NOTE(review): both inputs presumably originate from the renderer; the
// NOTREACHED() calls are the only reaction to malformed input here.
void RenderFrameHostImpl::OnJavaScriptExecuteResponse(
    int id, const base::ListValue& result) {
  const base::Value* first_value;
  const bool has_first_value = result.Get(0, &first_value);
  if (!has_first_value) {
    // Programming error or rogue renderer.
    NOTREACHED() << "Got bad arguments for OnJavaScriptExecuteResponse";
    return;
  }

  auto pending = javascript_callbacks_.find(id);
  if (pending == javascript_callbacks_.end()) {
    NOTREACHED() << "Received script response for unknown request";
    return;
  }

  // Run first, erase second: the entry stays in the map while its callback
  // is executing.
  pending->second.Run(first_value);
  javascript_callbacks_.erase(pending);
}
#if defined(OS_ANDROID)
// Asks the renderer-side frame to extract smart clip data for |rect|.
//
// |callback| is parked in |smart_clip_callbacks_| under a freshly allocated
// id; that id is bound into the reply handler so that
// OnSmartClipDataExtracted() can find the callback again.
void RenderFrameHostImpl::RequestSmartClipExtract(
    ExtractSmartClipDataCallback callback,
    gfx::Rect rect) {
  auto parked_callback =
      std::make_unique<ExtractSmartClipDataCallback>(std::move(callback));
  const int32_t callback_id =
      smart_clip_callbacks_.Add(std::move(parked_callback));

  // NOTE(review): base::Unretained(this) relies on the reply never being run
  // after this object is destroyed - presumably guaranteed because |frame_|
  // is owned by this object; confirm.
  auto on_extracted =
      base::BindOnce(&RenderFrameHostImpl::OnSmartClipDataExtracted,
                     base::Unretained(this), callback_id);
  frame_->ExtractSmartClipData(rect, std::move(on_extracted));
}
// Reply handler for RequestSmartClipExtract(): runs the callback parked
// under |callback_id| with the extracted |text|, |html| and |clip_rect|, then
// removes it from |smart_clip_callbacks_|.
void RenderFrameHostImpl::OnSmartClipDataExtracted(int32_t callback_id,
                                                   const base::string16& text,
                                                   const base::string16& html,
                                                   const gfx::Rect& clip_rect) {
  // NOTE(review): the lookup result is dereferenced without a null check, so
  // |callback_id| must still be present in the map - presumably guaranteed
  // because the id is bound browser-side in RequestSmartClipExtract(); confirm
  // that a reply cannot arrive after the map has been cleared.
  ExtractSmartClipDataCallback* parked_callback =
      smart_clip_callbacks_.Lookup(callback_id);
  std::move(*parked_callback).Run(text, html, clip_rect);

  smart_clip_callbacks_.Remove(callback_id);
}
#endif // defined(OS_ANDROID)
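// Resolves the visual state callback stored under |id|: the callback is run
// with |true| and then removed from |visual_state_callbacks_|.
//
// An |id| with no stored callback trips NOTREACHED() and is otherwise ignored.
// NOTE(review): |id| presumably comes from the renderer, so an unknown id can
// also mean a misbehaving renderer rather than a browser-side bug.
void RenderFrameHostImpl::OnVisualStateResponse(uint64_t id) {
  auto it = visual_state_callbacks_.find(id);
  if (it != visual_state_callbacks_.end()) {
    std::move(it->second).Run(true);
    visual_state_callbacks_.erase(it);
  } else {
    // Name the message that actually failed, so this diagnostic cannot be
    // mistaken for the one in OnJavaScriptExecuteResponse().
    NOTREACHED() << "Received visual state response for unknown request";
  }
}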
// Handles a request to show a JavaScript dialog of |dialog_type| with
// |message| and |default_prompt|. |reply_msg| is either answered right away
// (dialog suppressed) or handed to the delegate together with the request.
void RenderFrameHostImpl::OnRunJavaScriptDialog(
    const base::string16& message,
    const base::string16& default_prompt,
    JavaScriptDialogType dialog_type,
    IPC::Message* reply_msg) {
  // Alerts are reported to the resource coordinator even when the dialog is
  // suppressed below.
  const bool is_alert =
      dialog_type == JavaScriptDialogType::JAVASCRIPT_DIALOG_TYPE_ALERT;
  if (is_alert) {
    GetFrameResourceCoordinator()->OnAlertFired();
  }

  // Don't show the dialog if it's triggered on a frame that's pending deletion
  // (e.g., from an unload handler), or when the tab is being closed.
  if (IsWaitingForUnloadACK()) {
    SendJavaScriptDialogReply(reply_msg, true, base::string16());
    return;
  }

  // While a JS message dialog is showing, tabs in the same process shouldn't
  // process input events.
  GetProcess()->SetBlocked(true);

  delegate_->RunJavaScriptDialog(this, message, default_prompt, dialog_type,
                                 reply_msg);
}
// Handles a request to show a beforeunload confirmation dialog for this frame.
//
// When a beforeunload initiator is found, |reply_msg| is answered immediately,
// without showing a dialog, in two cases: the initiator is configured so that
// a dialog request cancels the unload (reply: not successful), or a dialog has
// already been shown for this navigation (reply: successful). Otherwise the
// process is marked as blocked, the beforeunload timers of this frame and all
// of its ancestors are stopped, and the delegate is asked to show the dialog.
//
// |is_reload| is forwarded to the delegate unchanged.
void RenderFrameHostImpl::OnRunBeforeUnloadConfirm(
    bool is_reload,
    IPC::Message* reply_msg) {
  TRACE_EVENT1("navigation", "RenderFrameHostImpl::OnRunBeforeUnloadConfirm",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id());
  // Allow at most one attempt to show a beforeunload dialog per navigation.
  RenderFrameHostImpl* beforeunload_initiator = GetBeforeUnloadInitiator();
  if (beforeunload_initiator) {
    // If the running beforeunload handler wants to display a dialog and the
    // before-unload type wants to ignore it, then short-circuit the request and
    // respond as if the user decided to stay on the page, canceling the unload.
    if (beforeunload_initiator->beforeunload_dialog_request_cancels_unload_) {
      SendJavaScriptDialogReply(reply_msg, false /* success */,
                                base::string16());
      return;
    }
    if (beforeunload_initiator->has_shown_beforeunload_dialog_) {
      // TODO(alexmos): Pass enough data back to renderer to record histograms
      // for Document.BeforeUnloadDialog and add the intervention console
      // message to match renderer-side behavior in
      // Document::DispatchBeforeUnloadEvent().
      SendJavaScriptDialogReply(reply_msg, true /* success */,
                                base::string16());
      return;
    }
    // The flag lives on the initiator, not necessarily on |this|, so every
    // frame handled under the same initiator shares the one-dialog budget.
    beforeunload_initiator->has_shown_beforeunload_dialog_ = true;
  } else {
    // TODO(alexmos): If a renderer-initiated beforeunload shows a dialog, it
    // won't find a |beforeunload_initiator|. This can happen for a
    // renderer-initiated navigation or window.close(). We should ensure that
    // when the browser process later kicks off subframe unload handlers (if
    // any), they won't be able to show additional dialogs. However, we can't
    // just set |has_shown_beforeunload_dialog_| because we don't know which
    // frame is navigating/closing here. Plumb enough information here to fix
    // this.
  }
  // While a JS beforeunload dialog is showing, tabs in the same process
  // shouldn't process input events.
  GetProcess()->SetBlocked(true);
  // The beforeunload dialog for this frame may have been triggered by a
  // browser-side request to this frame or a frame up in the frame hierarchy.
  // Stop any timers that are waiting.
  for (RenderFrameHostImpl* frame = this; frame; frame = frame->GetParent()) {
    if (frame->beforeunload_timeout_)
      frame->beforeunload_timeout_->Stop();
  }
  delegate_->RunBeforeUnloadConfirm(this, is_reload, reply_msg);
}
// Asks the renderer for up to |max_length| characters of text surrounding the
// current selection. |callback| must not be null.
//
// At most one request may be outstanding. While one is in flight, a new
// |callback| is run immediately with an empty string and zero offsets, and no
// message is sent.
void RenderFrameHostImpl::RequestTextSurroundingSelection(
    const TextSurroundingSelectionCallback& callback,
    int max_length) {
  DCHECK(!callback.is_null());

  // A stored callback means an earlier request has not been answered yet.
  const bool request_in_flight =
      !text_surrounding_selection_callback_.is_null();
  if (request_in_flight) {
    callback.Run(base::string16(), 0, 0);
    return;
  }

  // Remember who to answer, then send the request to the renderer.
  text_surrounding_selection_callback_ = callback;
  Send(
      new FrameMsg_TextSurroundingSelectionRequest(GetRoutingID(), max_length));
}
// Delivers the renderer's answer to RequestTextSurroundingSelection() to the
// stored callback, then clears the callback so a new request can be made.
//
// A response that arrives while no request is outstanding is ignored: the
// renderer is not trusted to send responses only when asked.
// |content|, |start_offset| and |end_offset| are passed through as received.
void RenderFrameHostImpl::OnTextSurroundingSelectionResponse(
    const base::string16& content,
    uint32_t start_offset,
    uint32_t end_offset) {
  if (!text_surrounding_selection_callback_.is_null()) {
    // Just run the callback instead of propagating further.
    text_surrounding_selection_callback_.Run(content, start_offset,
                                             end_offset);

    // A null callback is what lets the next request go out instead of taking
    // the early exit in RequestTextSurroundingSelection().
    text_surrounding_selection_callback_.Reset();
  }
}
// Grants |bindings_flags| to this frame and, when |bindings_flags| contains
// bits from kWebUIBindingsPolicyMask, grants those WebUI bindings to the
// frame's process through ChildProcessSecurityPolicyImpl.
//
// Security-relevant behaviour:
//  - A guest-only process is never granted bindings.
//  - When WebUI bindings are requested for an initialized, live process that
//    does not hold WebUI bindings yet, and that process has more than one
//    active view, the whole request is dropped silently (no flag in
//    |bindings_flags| is recorded). --single-process is exempt because it only
//    has one renderer.
//  - Flags accumulate in |enabled_bindings_|; they are only ever OR-ed in
//    here, never cleared.
//  - Once the RenderFrame has been created, the full accumulated set is sent
//    to the renderer.
void RenderFrameHostImpl::AllowBindings(int bindings_flags) {
  // Never grant any bindings to browser plugin guests.
  if (GetProcess()->IsForGuestsOnly()) {
    NOTREACHED() << "Never grant bindings to a guest process.";
    return;
  }
  TRACE_EVENT2("navigation", "RenderFrameHostImpl::AllowBindings",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id(),
               "bindings flags", bindings_flags);
  // Only the WebUI subset of the requested flags is subject to the process
  // checks below and to the per-process grant.
  int webui_bindings = bindings_flags & kWebUIBindingsPolicyMask;
  // Ensure we aren't granting WebUI bindings to a process that has already
  // been used for non-privileged views.
  if (webui_bindings && GetProcess()->IsInitializedAndNotDead() &&
      !ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
          GetProcess()->GetID())) {
    // This process has no bindings yet. Make sure it does not have more
    // than this single active view.
    // --single-process only has one renderer.
    if (GetProcess()->GetActiveViewCount() > 1 &&
        !base::CommandLine::ForCurrentProcess()->HasSwitch(
            switches::kSingleProcess))
      return;
  }
  if (webui_bindings) {
    ChildProcessSecurityPolicyImpl::GetInstance()->GrantWebUIBindings(
        GetProcess()->GetID(), webui_bindings);
  }
  enabled_bindings_ |= bindings_flags;
  // Debug-only consistency check: a subframe is expected to have the same
  // bindings as its parent.
  if (GetParent())
    DCHECK_EQ(GetParent()->GetEnabledBindings(), GetEnabledBindings());
  if (render_frame_created_) {
    // The control interface is requested on first use.
    if (!frame_bindings_control_)
      GetRemoteAssociatedInterfaces()->GetInterface(&frame_bindings_control_);
    frame_bindings_control_->AllowBindings(enabled_bindings_);
  }
}
// Returns the binding flags accumulated for this frame by AllowBindings().
int RenderFrameHostImpl::GetEnabledBindings() const {
  // Plain read of the stored bitmask; no state is touched.
  return enabled_bindings_;
}
// Test-only hook: destroys the beforeunload timeout so that no beforeunload
// hang is monitored for this host afterwards.
void RenderFrameHostImpl::DisableBeforeUnloadHangMonitorForTesting() {
  // IsBeforeUnloadHangMonitorDisabledForTesting() reports true after this.
  beforeunload_timeout_.reset();
}
// Test-only query: returns true when this host has no beforeunload timeout
// object, e.g. after DisableBeforeUnloadHangMonitorForTesting().
bool RenderFrameHostImpl::IsBeforeUnloadHangMonitorDisabledForTesting() {
  return beforeunload_timeout_ == nullptr;
}
// Returns whether |feature| is enabled by this frame's feature policy for the
// frame's last committed origin. Returns false when the frame has no feature
// policy at all.
bool RenderFrameHostImpl::IsFeatureEnabled(
    blink::mojom::FeaturePolicyFeature feature) {
  // A missing policy is treated as "not enabled" rather than dereferenced.
  if (!feature_policy_) {
    return false;
  }
  return feature_policy_->IsFeatureEnabledForOrigin(feature,
                                                    GetLastCommittedOrigin());
}
// Asks the delegate to show the source of this frame.
void RenderFrameHostImpl::ViewSource() {
  // No work is done here; the delegate decides how the request is handled.
  delegate_->ViewSource(this);
}
// Test-only hook: flushes the network service connection error handler holder
// and the navigation control interface. The holder must already be set.
void RenderFrameHostImpl::FlushNetworkAndNavigationInterfacesForTesting() {
  DCHECK(network_service_connection_error_handler_holder_);
  network_service_connection_error_handler_holder_.FlushForTesting();

  // GetNavigationControl() is called only for its effect on
  // |navigation_control_|, which the DCHECK below expects to be set
  // afterwards; its return value is not used.
  if (!navigation_control_) {
    GetNavigationControl();
  }
  DCHECK(navigation_control_);
  navigation_control_.FlushForTesting();
}
// Prepares this frame for having an inner WebContents attached to it.
//
// Returns false, changing nothing, for a cross-process subframe or for a
// frame without a parent. Otherwise resets navigation requests and loading
// state, marks the frame as attaching an inner delegate and returns true.
bool RenderFrameHostImpl::PrepareForInnerWebContentsAttach() {
  DCHECK(MimeHandlerViewMode::UsesCrossProcessFrame());

  // Both rejections leave the frame's state untouched.
  if (IsCrossProcessSubframe()) {
    return false;
  }
  if (!GetParent()) {
    return false;
  }

  ResetNavigationRequests();
  ResetLoadingState();
  is_attaching_inner_delegate_ = true;
  return true;
}
// Tells the delegate that the initial document has been accessed.
void RenderFrameHostImpl::OnDidAccessInitialDocument() {
  // Forwarded unconditionally: no frame state is checked or changed here.
  delegate_->DidAccessInitialDocument();
}
// Reports to the RenderFrameHostManager that this frame's opener changed to
// the frame identified by |opener_routing_id|.
//
// This frame's SiteInstance is passed along with the id.
// NOTE(review): |opener_routing_id| is not validated here; presumably
// DidChangeOpener() resolves and checks it - confirm.
void RenderFrameHostImpl::OnDidChangeOpener(int32_t opener_routing_id) {
  auto* manager = frame_tree_node_->render_manager();
  manager->DidChangeOpener(opener_routing_id, GetSiteInstance());
}
// Records a new |name| and |unique_name| for this frame on its FrameTreeNode
// and notifies the delegate.
//
// When the frame goes from having no name to having one, the
// RenderFrameHostManager is asked to create proxies for the newly named frame.
//
// For subframes |unique_name| is expected to be non-empty, but that is only
// enforced by a DCHECK: in builds without DCHECKs an empty |unique_name| is
// accepted as-is (see the TODO below).
void RenderFrameHostImpl::DidChangeName(const std::string& name,
                                        const std::string& unique_name) {
  if (GetParent()) {
    // TODO(lukasza): Call ReceivedBadMessage when |unique_name| is empty.
    DCHECK(!unique_name.empty());
  }

  TRACE_EVENT2("navigation", "RenderFrameHostImpl::OnDidChangeName",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id(),
               "name length", name.length());

  // The previous name has to be copied before SetFrameName() replaces it.
  const std::string previous_name = frame_tree_node()->frame_name();
  frame_tree_node()->SetFrameName(name, unique_name);

  const bool became_named = previous_name.empty() && !name.empty();
  if (became_named) {
    frame_tree_node_->render_manager()->CreateProxiesForNewNamedFrame();
  }

  delegate_->DidChangeName(this, name);
}
// Applies the sandbox flags and feature policy header reported for this
// frame's document.
//
// The frame's feature policy is rebuilt from the enforced directives in
// |parsed_header|, the FrameTreeNode is updated with |sandbox_flags| and
// |parsed_header|, and the node's resulting active sandbox flags are cached
// on this host. Nothing happens when this host is not active.
void RenderFrameHostImpl::DidSetFramePolicyHeaders(
    blink::WebSandboxFlags sandbox_flags,
    const blink::ParsedFeaturePolicy& parsed_header) {
  if (!is_active()) {
    return;
  }

  // Rebuild the feature policy for this frame. Only directives with the
  // kEnforce disposition feed the header policy.
  ResetFeaturePolicy();
  const auto enforced_directives = DirectivesWithDisposition(
      blink::mojom::FeaturePolicyDisposition::kEnforce, parsed_header);
  feature_policy_->SetHeaderPolicy(*enforced_directives);

  // Update the feature policy and sandbox flags in the frame tree. This will
  // send any updates to proxies if necessary.
  frame_tree_node()->UpdateFramePolicyHeaders(sandbox_flags, parsed_header);

  // The cached copy is read back from the node rather than taken from
  // |sandbox_flags| directly.
  active_sandbox_flags_ = frame_tree_node()->active_sandbox_flags();
}
// Registers each entry of |policies| on this host and passes the
// corresponding headers, in the same order, to the FrameTreeNode.
// NOTE(review): |policies| presumably comes from the renderer; it is not
// filtered or validated in this function.
void RenderFrameHostImpl::OnDidAddContentSecurityPolicies(
    const std::vector<ContentSecurityPolicy>& policies) {
  TRACE_EVENT1("navigation",
               "RenderFrameHostImpl::OnDidAddContentSecurityPolicies",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id());

  std::vector<ContentSecurityPolicyHeader> added_headers;
  for (const ContentSecurityPolicy& csp : policies) {
    // The full policy is kept on this host; only its header goes to the
    // frame tree.
    AddContentSecurityPolicy(csp);
    added_headers.push_back(csp.header);
  }

  frame_tree_node()->AddContentSecurityPolicies(added_headers);
}
// Stores |policy| as the insecure request policy of this frame's
// FrameTreeNode. No validation or activity check is done here.
void RenderFrameHostImpl::EnforceInsecureRequestPolicy(
    blink::WebInsecureRequestPolicy policy) {
  auto* node = frame_tree_node();
  node->SetInsecureRequestPolicy(policy);
}
// Stores |set| as the insecure navigations set of this frame's FrameTreeNode.
// No validation or activity check is done here.
void RenderFrameHostImpl::EnforceInsecureNavigationsSet(
    const std::vector<uint32_t>& set) {
  auto* node = frame_tree_node();
  node->SetInsecureNavigationsSet(set);
}
// Looks up the frame with |child_frame_routing_id| in this frame's process
// and verifies that it is an immediate child of this frame.
//
// Returns the child's FrameTreeNode on success. Returns nullptr when no such
// frame exists (tolerated without penalty) or when the frame exists but is
// not a direct child of this frame, in which case the renderer is reported
// with |reason| as a bad message.
FrameTreeNode* RenderFrameHostImpl::FindAndVerifyChild(
    int32_t child_frame_routing_id,
    bad_message::BadMessageReason reason) {
  // The lookup is scoped to this frame's own process id.
  FrameTreeNode* candidate = frame_tree_node()->frame_tree()->FindByRoutingID(
      GetProcess()->GetID(), child_frame_routing_id);

  // A race can leave no frame for this id. Avoid killing the renderer in
  // that case.
  if (candidate == nullptr) {
    return nullptr;
  }

  // The frame exists but belongs to a different parent: that is not a race.
  if (candidate->parent() != frame_tree_node()) {
    bad_message::ReceivedBadMessage(GetProcess(), reason);
    return nullptr;
  }

  return candidate;
}
// Records |frame_policy| as the pending frame policy of the child frame
// identified by |frame_routing_id|.
//
// A frame may only update sandbox flags or feature policy for its immediate
// children; FindAndVerifyChild() enforces this and treats a violating
// renderer as malicious. When the child is not found nothing else happens.
void RenderFrameHostImpl::OnDidChangeFramePolicy(
    int32_t frame_routing_id,
    const blink::FramePolicy& frame_policy) {
  // TODO(iclelland): Rename this message
  const bad_message::BadMessageReason violation =
      bad_message::RFH_SANDBOX_FLAGS;
  FrameTreeNode* child = FindAndVerifyChild(frame_routing_id, violation);
  if (child == nullptr) {
    return;
  }

  child->SetPendingFramePolicy(frame_policy);

  // Notify the RenderFrame if it lives in a different process from its parent.
  // The frame's proxies in other processes also need to learn about the updated
  // flags and policy, but these notifications are sent later in
  // RenderFrameHostManager::CommitPendingFramePolicy(), when the frame
  // navigates and the new policies take effect.
  RenderFrameHost* child_host = child->current_frame_host();
  const bool child_in_other_site_instance =
      child_host->GetSiteInstance() != GetSiteInstance();
  if (child_in_other_site_instance) {
    child_host->Send(new FrameMsg_DidUpdateFramePolicy(
        child_host->GetRoutingID(), frame_policy));
  }
}
// Applies new frame owner |properties| to the child frame identified by
// |frame_routing_id| and informs that child's RenderFrameHostManager.
//
// The child must be an immediate child of this frame; FindAndVerifyChild()
// reports RFH_OWNER_PROPERTY as a bad message otherwise. When no verified
// child is found nothing is changed.
void RenderFrameHostImpl::OnDidChangeFrameOwnerProperties(
    int32_t frame_routing_id,
    const FrameOwnerProperties& properties) {
  FrameTreeNode* owned_child =
      FindAndVerifyChild(frame_routing_id, bad_message::RFH_OWNER_PROPERTY);
  if (owned_child == nullptr) {
    return;
  }

  owned_child->set_frame_owner_properties(properties);
  owned_child->render_manager()->OnDidUpdateFrameOwnerProperties(properties);
}
// Forwards a title update for a top-level frame to the delegate.
//
// Updates for frames that have a parent are ignored silently. A |title|
// longer than kMaxTitleChars trips NOTREACHED() and is dropped without being
// truncated or forwarded.
void RenderFrameHostImpl::OnUpdateTitle(
    const base::string16& title,
    blink::WebTextDirection title_direction) {
  // This message should only be sent for top-level frames.
  const bool is_subframe = frame_tree_node_->parent() != nullptr;
  if (is_subframe) {
    return;
  }

  const bool title_too_long = title.length() > kMaxTitleChars;
  if (title_too_long) {
    NOTREACHED() << "Renderer sent too many characters in title.";
    return;
  }

  // The blink text direction is converted before it reaches the delegate.
  delegate_->UpdateTitle(
      this, title, WebTextDirectionToChromeTextDirection(title_direction));
}
// Forwards |encoding_name| for this frame to the delegate.
//
// Nothing here checks that the frame is top-level or that |encoding_name| is
// a known encoding; the value is passed through unchanged.
void RenderFrameHostImpl::UpdateEncoding(const std::string& encoding_name) {
  // This message is only sent for top-level frames. TODO(avi): when frame tree
  // mirroring works correctly, add a check here to enforce it.
  delegate_->UpdateEncoding(this, encoding_name);
}
// Remembers |frame_size| as the current size of this frame.
void RenderFrameHostImpl::FrameSizeChanged(const gfx::Size& frame_size) {
  // Stored as received; no bounds are applied and no one is notified here.
  frame_size_ = frame_size;
}
// Tells the delegate that this frame entered or left fullscreen, according to
// |is_fullscreen|. Changes reported while this host is not active are dropped.
void RenderFrameHostImpl::FullscreenStateChanged(bool is_fullscreen) {
  if (is_active()) {
    delegate_->FullscreenStateChanged(this, is_fullscreen);
  }
}
#if defined(OS_ANDROID)
// Android only: asks the delegate to update its user gesture carryover info.
void RenderFrameHostImpl::UpdateUserGestureCarryoverInfo() {
  // Forwarded unconditionally: no frame state is checked here.
  delegate_->UpdateUserGestureCarryoverInfo();
}
#endif
// Tells the delegate that a framebust to |url| was blocked.
// NOTE(review): |url| is forwarded without filtering; presumably the delegate
// treats it as untrusted, renderer-supplied data - confirm.
void RenderFrameHostImpl::OnDidBlockFramebust(const GURL& url) {
  // No activity check is made before forwarding.
  delegate_->OnDidBlockFramebust(url);
}
// Forwards a navigation abort for this frame's FrameTreeNode to the
// navigator. Ignored when this host is not active; the trace event is
// recorded either way.
void RenderFrameHostImpl::OnAbortNavigation() {
  TRACE_EVENT1("navigation", "RenderFrameHostImpl::OnAbortNavigation",
               "frame_tree_node", frame_tree_node_->frame_tree_node_id());

  if (is_active()) {
    frame_tree_node()->navigator()->OnAbortNavigation(frame_tree_node());
  }
}
// Relays |resource_timing| for this frame to its parent through the proxy
// that represents this frame in the parent's process.
//
// The message is dropped when this host is not active. When no proxy to the
// parent exists, the renderer is reported with RFH_NO_PROXY_TO_PARENT as a
// bad message and nothing is forwarded.
void RenderFrameHostImpl::OnForwardResourceTimingToParent(
    const ResourceTimingInfo& resource_timing) {
  // Don't forward the resource timing if this RFH is pending deletion. This can
  // happen in a race where this RenderFrameHost finishes loading just after
  // the frame navigates away. See https://crbug.com/626802.
  if (!is_active()) {
    return;
  }

  // We should never be receiving this message from a speculative RFH.
  DCHECK(IsCurrent());

  RenderFrameProxyHost* parent_proxy =
      frame_tree_node()->render_manager()->GetProxyToParent();
  if (parent_proxy == nullptr) {
    // Without a proxy there is no destination, so this frame should not have
    // sent the message at all.
    bad_message::ReceivedBadMessage(GetProcess(),
                                    bad_message::RFH_NO_PROXY_TO_PARENT);
    return;
  }

  parent_proxy->Send(new FrameMsg_ForwardResourceTimingToParent(
      parent_proxy->GetRoutingID(), resource_timing));
}
void RenderFrameHostImpl::OnDispatchLoad() {
TRACE_EVENT1("navigation", "RenderFrameHostImpl::OnDispatchLoad",
"frame_tree_node", frame_tree_node_->frame_tree_node_id());
// Don't forward the load event if this RFH is pending deletion. This can
// happen in a race where this RenderFrameHost finishes loading just after
// the frame navigates away. See https://crbug.com/626802.
if (!is_active())
return;
// We should never be receiving this message from a speculative RFH.
DCHECK(IsCurrent());
// Only frames with an out-of-process parent frame should be sending this
// message.
RenderFrameProxyHost* proxy =
frame_tree_node()->render_manager()->GetProxyToParent();
if (!proxy) {
bad_message::ReceivedBadMessage(GetProcess(),