|  | // Copyright 2013 The Chromium Authors | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | #include "content/browser/renderer_host/render_frame_host_impl.h" | 
|  |  | 
|  | #include <algorithm> | 
|  | #include <cstdint> | 
|  | #include <deque> | 
|  | #include <limits> | 
|  | #include <memory> | 
|  | #include <optional> | 
|  | #include <string_view> | 
|  | #include <tuple> | 
|  | #include <utility> | 
|  | #include <variant> | 
|  | #include <vector> | 
|  |  | 
|  | #include "base/check.h" | 
|  | #include "base/command_line.h" | 
|  | #include "base/containers/contains.h" | 
|  | #include "base/debug/crash_logging.h" | 
|  | #include "base/debug/dump_without_crashing.h" | 
|  | #include "base/feature_list.h" | 
|  | #include "base/functional/bind.h" | 
|  | #include "base/functional/callback_helpers.h" | 
|  | #include "base/json/json_reader.h" | 
|  | #include "base/lazy_instance.h" | 
|  | #include "base/memory/memory_pressure_monitor.h" | 
|  | #include "base/memory/ptr_util.h" | 
|  | #include "base/memory/raw_ptr.h" | 
|  | #include "base/metrics/field_trial_params.h" | 
|  | #include "base/metrics/histogram_functions.h" | 
|  | #include "base/metrics/histogram_macros.h" | 
|  | #include "base/metrics/metrics_hashes.h" | 
|  | #include "base/metrics/user_metrics.h" | 
|  | #include "base/no_destructor.h" | 
|  | #include "base/notimplemented.h" | 
|  | #include "base/notreached.h" | 
|  | #include "base/numerics/safe_conversions.h" | 
|  | #include "base/process/kill.h" | 
|  | #include "base/rand_util.h" | 
|  | #include "base/state_transitions.h" | 
|  | #include "base/strings/escape.h" | 
|  | #include "base/strings/strcat.h" | 
|  | #include "base/strings/string_number_conversions.h" | 
|  | #include "base/strings/string_util.h" | 
|  | #include "base/strings/to_string.h" | 
|  | #include "base/syslog_logging.h" | 
|  | #include "base/task/sequenced_task_runner.h" | 
|  | #include "base/task/single_thread_task_runner.h" | 
|  | #include "base/task/thread_pool.h" | 
|  | #include "base/threading/sequence_bound.h" | 
|  | #include "base/time/time.h" | 
|  | #include "base/timer/elapsed_timer.h" | 
|  | #include "base/timer/timer.h" | 
|  | #include "base/trace_event/optional_trace_event.h" | 
|  | #include "base/trace_event/trace_event.h" | 
|  | #include "base/trace_event/trace_id_helper.h" | 
|  | #include "base/types/optional_util.h" | 
|  | #include "base/uuid.h" | 
|  | #include "build/build_config.h" | 
|  | #include "components/download/public/common/download_url_parameters.h" | 
|  | #include "components/input/input_router.h" | 
|  | #include "components/input/timeout_monitor.h" | 
|  | #include "components/input/utils.h" | 
|  | #include "components/tracing/common/tracing_switches.h" | 
|  | #include "components/viz/common/features.h" | 
|  | #include "content/browser/about_url_loader_factory.h" | 
|  | #include "content/browser/accessibility/render_accessibility_host.h" | 
|  | #include "content/browser/bad_message.h" | 
|  | #include "content/browser/blob_storage/file_backed_blob_factory_frame_impl.h" | 
|  | #include "content/browser/bluetooth/web_bluetooth_service_impl.h" | 
|  | #include "content/browser/broadcast_channel/broadcast_channel_provider.h" | 
|  | #include "content/browser/broadcast_channel/broadcast_channel_service.h" | 
|  | #include "content/browser/browser_main_loop.h" | 
|  | #include "content/browser/can_commit_status.h" | 
|  | #include "content/browser/child_process_security_policy_impl.h" | 
|  | #include "content/browser/closewatcher/close_listener_host.h" | 
|  | #include "content/browser/code_cache/generated_code_cache_context.h" | 
|  | #include "content/browser/cookie_deprecation_label/cookie_deprecation_label_manager_impl.h" | 
|  | #include "content/browser/data_url_loader_factory.h" | 
|  | #include "content/browser/devtools/devtools_instrumentation.h" | 
|  | #include "content/browser/dom_storage/dom_storage_context_wrapper.h" | 
|  | #include "content/browser/download/data_url_blob_reader.h" | 
|  | #include "content/browser/feature_observer.h" | 
|  | #include "content/browser/fenced_frame/automatic_beacon_info.h" | 
|  | #include "content/browser/fenced_frame/fenced_document_data.h" | 
|  | #include "content/browser/fenced_frame/fenced_frame.h" | 
|  | #include "content/browser/fenced_frame/fenced_frame_reporter.h" | 
|  | #include "content/browser/fenced_frame/fenced_frame_url_mapping.h" | 
|  | #include "content/browser/file_system/file_system_manager_impl.h" | 
|  | #include "content/browser/file_system/file_system_url_loader_factory.h" | 
|  | #include "content/browser/file_system_access/file_system_access_manager_impl.h" | 
|  | #include "content/browser/font_access/font_access_manager.h" | 
|  | #include "content/browser/generic_sensor/frame_sensor_provider_proxy.h" | 
|  | #include "content/browser/geolocation/geolocation_service_impl.h" | 
|  | #include "content/browser/guest_page_holder_impl.h" | 
|  | #include "content/browser/idle/idle_manager_impl.h" | 
|  | #include "content/browser/installedapp/installed_app_provider_impl.h" | 
|  | #include "content/browser/interest_group/ad_auction_document_data.h" | 
|  | #include "content/browser/loader/file_url_loader_factory.h" | 
|  | #include "content/browser/loader/keep_alive_url_loader_service.h" | 
|  | #include "content/browser/loader/navigation_early_hints_manager.h" | 
|  | #include "content/browser/loader/subresource_proxying_url_loader_service.h" | 
|  | #include "content/browser/loader/url_loader_factory_utils.h" | 
|  | #include "content/browser/log_console_message.h" | 
|  | #include "content/browser/media/key_system_support_impl.h" | 
|  | #include "content/browser/media/media_devices_util.h" | 
|  | #include "content/browser/media/media_interface_proxy.h" | 
|  | #include "content/browser/media/webaudio/audio_context_manager_impl.h" | 
|  | #include "content/browser/navigation_or_document_handle.h" | 
|  | #include "content/browser/network/cross_origin_embedder_policy_reporter.h" | 
|  | #include "content/browser/permissions/permission_controller_impl.h" | 
|  | #include "content/browser/permissions/permission_service_context.h" | 
|  | #include "content/browser/permissions/permission_util.h" | 
|  | #include "content/browser/preloading/preloading_decider.h" | 
|  | #include "content/browser/preloading/prerender/prerender_final_status.h" | 
|  | #include "content/browser/preloading/prerender/prerender_host_registry.h" | 
|  | #include "content/browser/preloading/prerender/prerender_metrics.h" | 
|  | #include "content/browser/presentation/presentation_service_impl.h" | 
|  | #include "content/browser/process_lock.h" | 
|  | #include "content/browser/push_messaging/push_messaging_manager.h" | 
|  | #include "content/browser/renderer_host/agent_scheduling_group_host.h" | 
|  | #include "content/browser/renderer_host/back_forward_cache_disable.h" | 
|  | #include "content/browser/renderer_host/back_forward_cache_impl.h" | 
|  | #include "content/browser/renderer_host/clipboard_host_impl.h" | 
|  | #include "content/browser/renderer_host/code_cache_host_impl.h" | 
|  | #include "content/browser/renderer_host/cookie_utils.h" | 
|  | #include "content/browser/renderer_host/dip_util.h" | 
|  | #include "content/browser/renderer_host/frame_tree.h" | 
|  | #include "content/browser/renderer_host/frame_tree_node.h" | 
|  | #include "content/browser/renderer_host/input/input_injector_impl.h" | 
|  | #include "content/browser/renderer_host/ipc_utils.h" | 
|  | #include "content/browser/renderer_host/media/peer_connection_tracker_host.h" | 
|  | #include "content/browser/renderer_host/navigation_controller_impl.h" | 
|  | #include "content/browser/renderer_host/navigation_entry_impl.h" | 
|  | #include "content/browser/renderer_host/navigation_metrics_utils.h" | 
|  | #include "content/browser/renderer_host/navigation_request.h" | 
|  | #include "content/browser/renderer_host/navigation_state_keep_alive.h" | 
|  | #include "content/browser/renderer_host/navigation_transitions/navigation_transition_utils.h" | 
|  | #include "content/browser/renderer_host/navigator.h" | 
|  | #include "content/browser/renderer_host/page_delegate.h" | 
|  | #include "content/browser/renderer_host/private_network_access_util.h" | 
|  | #include "content/browser/renderer_host/randomized_confidence_utils.h" | 
|  | #include "content/browser/renderer_host/render_frame_host_delegate.h" | 
|  | #include "content/browser/renderer_host/render_frame_host_owner.h" | 
|  | #include "content/browser/renderer_host/render_frame_proxy_host.h" | 
|  | #include "content/browser/renderer_host/render_process_host_impl.h" | 
|  | #include "content/browser/renderer_host/render_view_host_delegate.h" | 
|  | #include "content/browser/renderer_host/render_view_host_impl.h" | 
|  | #include "content/browser/renderer_host/render_widget_host_factory.h" | 
|  | #include "content/browser/renderer_host/render_widget_host_impl.h" | 
|  | #include "content/browser/renderer_host/render_widget_host_view_base.h" | 
|  | #include "content/browser/renderer_host/render_widget_host_view_child_frame.h" | 
|  | #include "content/browser/renderer_host/view_transition_opt_in_state.h" | 
|  | #include "content/browser/scoped_active_url.h" | 
|  | #include "content/browser/security/coop/cross_origin_opener_policy_reporter.h" | 
|  | #include "content/browser/serial/serial_service.h" | 
|  | #include "content/browser/service_worker/service_worker_client.h" | 
|  | #include "content/browser/site_info.h" | 
|  | #include "content/browser/sms/webotp_service.h" | 
|  | #include "content/browser/speech/speech_synthesis_impl.h" | 
|  | #include "content/browser/storage_access/storage_access_handle.h" | 
|  | #include "content/browser/storage_partition_impl.h" | 
|  | #include "content/browser/url_loader_factory_params_helper.h" | 
|  | #include "content/browser/usb/web_usb_service_impl.h" | 
|  | #include "content/browser/web_exposed_isolation_info.h" | 
|  | #include "content/browser/web_package/prefetched_signed_exchange_cache.h" | 
|  | #include "content/browser/webauth/authenticator_impl.h" | 
|  | #include "content/browser/webauth/webauth_request_security_checker.h" | 
|  | #include "content/browser/webid/digital_credentials/digital_identity_request_impl.h" | 
|  | #include "content/browser/webid/federated_auth_request_impl.h" | 
|  | #include "content/browser/webid/flags.h" | 
|  | #include "content/browser/websockets/websocket_connector_impl.h" | 
|  | #include "content/browser/webtransport/web_transport_connector_impl.h" | 
|  | #include "content/browser/webui/url_data_manager_backend.h" | 
|  | #include "content/browser/webui/web_ui_controller_factory_registry.h" | 
|  | #include "content/browser/worker_host/dedicated_worker_host.h" | 
|  | #include "content/browser/worker_host/dedicated_worker_host_factory_impl.h" | 
|  | #include "content/browser/worker_host/dedicated_worker_hosts_for_document.h" | 
|  | #include "content/common/associated_interfaces.mojom.h" | 
|  | #include "content/common/content_navigation_policy.h" | 
|  | #include "content/common/debug_utils.h" | 
|  | #include "content/common/features.h" | 
|  | #include "content/common/frame.mojom.h" | 
|  | #include "content/common/frame_messages.mojom.h" | 
|  | #include "content/common/navigation_client.mojom.h" | 
|  | #include "content/common/navigation_params_utils.h" | 
|  | #include "content/public/browser/active_url_message_filter.h" | 
|  | #include "content/public/browser/browser_context.h" | 
|  | #include "content/public/browser/clipboard_types.h" | 
|  | #include "content/public/browser/content_browser_client.h" | 
|  | #include "content/public/browser/context_menu_params.h" | 
|  | #include "content/public/browser/cookie_access_details.h" | 
|  | #include "content/public/browser/disallow_activation_reason.h" | 
|  | #include "content/public/browser/document_ref.h" | 
|  | #include "content/public/browser/document_service_internal.h" | 
|  | #include "content/public/browser/download_manager.h" | 
|  | #include "content/public/browser/error_navigation_trigger.h" | 
|  | #include "content/public/browser/feature_observer_client.h" | 
|  | #include "content/public/browser/global_routing_id.h" | 
|  | #include "content/public/browser/media_device_id.h" | 
|  | #include "content/public/browser/network_service_util.h" | 
|  | #include "content/public/browser/permission_descriptor_util.h" | 
|  | #include "content/public/browser/render_process_host.h" | 
|  | #include "content/public/browser/render_widget_host_view.h" | 
|  | #include "content/public/browser/runtime_feature_state/runtime_feature_state_document_data.h" | 
|  | #include "content/public/browser/secure_payment_confirmation_utils.h" | 
|  | #include "content/public/browser/shared_cors_origin_access_list.h" | 
|  | #include "content/public/browser/site_isolation_policy.h" | 
|  | #include "content/public/browser/sms_fetcher.h" | 
|  | #include "content/public/browser/storage_partition.h" | 
|  | #include "content/public/browser/weak_document_ptr.h" | 
|  | #include "content/public/browser/web_ui_url_loader_factory.h" | 
|  | #include "content/public/common/alternative_error_page_override_info.mojom.h" | 
|  | #include "content/public/common/bindings_policy.h" | 
|  | #include "content/public/common/content_client.h" | 
|  | #include "content/public/common/content_features.h" | 
|  | #include "content/public/common/content_switches.h" | 
|  | #include "content/public/common/extra_mojo_js_features.mojom.h" | 
|  | #include "content/public/common/isolated_world_ids.h" | 
|  | #include "content/public/common/origin_util.h" | 
|  | #include "content/public/common/page_visibility_state.h" | 
|  | #include "content/public/common/referrer.h" | 
|  | #include "content/public/common/referrer_type_converters.h" | 
|  | #include "content/public/common/url_constants.h" | 
|  | #include "content/public/common/url_utils.h" | 
|  | #include "ipc/constants.mojom.h" | 
|  | #include "media/base/media_switches.h" | 
|  | #include "media/learning/common/value.h" | 
|  | #include "media/media_buildflags.h" | 
|  | #include "media/mojo/mojom/remoting.mojom.h" | 
|  | #include "media/mojo/services/video_decode_perf_history.h" | 
|  | #include "mojo/public/cpp/bindings/message.h" | 
|  | #include "mojo/public/cpp/bindings/self_owned_receiver.h" | 
|  | #include "mojo/public/cpp/bindings/struct_ptr.h" | 
|  | #include "mojo/public/cpp/bindings/urgent_message_scope.h" | 
|  | #include "mojo/public/cpp/system/data_pipe.h" | 
|  | #include "net/base/isolation_info.h" | 
|  | #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 
|  | #include "net/base/schemeful_site.h" | 
|  | #include "net/cookies/cookie_setting_override.h" | 
|  | #include "net/net_buildflags.h" | 
|  | #include "render_frame_host_impl.h" | 
|  | #include "services/metrics/public/cpp/ukm_builders.h" | 
|  | #include "services/metrics/public/cpp/ukm_source_id.h" | 
|  | #include "services/network/public/cpp/cors/origin_access_list.h" | 
|  | #include "services/network/public/cpp/features.h" | 
|  | #include "services/network/public/cpp/is_potentially_trustworthy.h" | 
|  | #include "services/network/public/cpp/network_service_buildflags.h" | 
|  | #include "services/network/public/cpp/not_implemented_url_loader_factory.h" | 
|  | #include "services/network/public/cpp/permissions_policy/permissions_policy.h" | 
|  | #include "services/network/public/cpp/permissions_policy/permissions_policy_declaration.h" | 
|  | #include "services/network/public/cpp/resource_request.h" | 
|  | #include "services/network/public/cpp/simple_url_loader.h" | 
|  | #include "services/network/public/cpp/web_sandbox_flags.h" | 
|  | #include "services/network/public/mojom/cookie_access_observer.mojom.h" | 
|  | #include "services/network/public/mojom/permissions_policy/permissions_policy_feature.mojom-shared.h" | 
|  | #include "services/network/public/mojom/url_loader_factory.mojom.h" | 
|  | #include "services/network/public/mojom/web_sandbox_flags.mojom-shared.h" | 
|  | #include "services/service_manager/public/cpp/interface_provider.h" | 
|  | #include "storage/browser/blob/blob_url_store_impl.h" | 
|  | #include "third_party/abseil-cpp/absl/container/flat_hash_map.h" | 
|  | #include "third_party/abseil-cpp/absl/container/flat_hash_set.h" | 
|  | #include "third_party/blink/public/common/associated_interfaces/associated_interface_provider.h" | 
|  | #include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h" | 
|  | #include "third_party/blink/public/common/chrome_debug_urls.h" | 
|  | #include "third_party/blink/public/common/features.h" | 
|  | #include "third_party/blink/public/common/fenced_frame/fenced_frame_utils.h" | 
|  | #include "third_party/blink/public/common/frame/fenced_frame_sandbox_flags.h" | 
|  | #include "third_party/blink/public/common/frame/frame_owner_element_type.h" | 
|  | #include "third_party/blink/public/common/frame/frame_policy.h" | 
|  | #include "third_party/blink/public/common/loader/inter_process_time_ticks_converter.h" | 
|  | #include "third_party/blink/public/common/loader/resource_type_util.h" | 
|  | #include "third_party/blink/public/common/messaging/transferable_message.h" | 
|  | #include "third_party/blink/public/common/navigation/navigation_params_mojom_traits.h" | 
|  | #include "third_party/blink/public/common/permissions/permission_utils.h" | 
|  | #include "third_party/blink/public/common/permissions_policy/document_policy.h" | 
|  | #include "third_party/blink/public/common/privacy_budget/identifiability_study_document_created.h" | 
|  | #include "third_party/blink/public/common/privacy_budget/identifiability_study_settings.h" | 
|  | #include "third_party/blink/public/common/runtime_feature_state/runtime_feature_state_context.h" | 
|  | #include "third_party/blink/public/common/scheduler/web_scheduler_tracked_feature.h" | 
|  | #include "third_party/blink/public/common/storage_key/storage_key.h" | 
|  | #include "third_party/blink/public/mojom/back_forward_cache_not_restored_reasons.mojom.h" | 
|  | #include "third_party/blink/public/mojom/broadcastchannel/broadcast_channel.mojom.h" | 
|  | #include "third_party/blink/public/mojom/confidence_level.mojom.h" | 
|  | #include "third_party/blink/public/mojom/devtools/inspector_issue.mojom.h" | 
|  | #include "third_party/blink/public/mojom/frame/frame.mojom.h" | 
|  | #include "third_party/blink/public/mojom/frame/frame_owner_properties.mojom.h" | 
|  | #include "third_party/blink/public/mojom/frame/fullscreen.mojom.h" | 
|  | #include "third_party/blink/public/mojom/frame/media_player_action.mojom.h" | 
|  | #include "third_party/blink/public/mojom/frame/text_autosizer_page_info.mojom.h" | 
|  | #include "third_party/blink/public/mojom/loader/local_resource_loader_config.mojom.h" | 
|  | #include "third_party/blink/public/mojom/loader/resource_load_info.mojom.h" | 
|  | #include "third_party/blink/public/mojom/loader/transferrable_url_loader.mojom.h" | 
|  | #include "third_party/blink/public/mojom/navigation/navigation_params.mojom.h" | 
|  | #include "third_party/blink/public/mojom/navigation/renderer_eviction_reason.mojom.h" | 
|  | #include "third_party/blink/public/mojom/opengraph/metadata.mojom.h" | 
|  | #include "third_party/blink/public/mojom/page/draggable_region.mojom.h" | 
|  | #include "third_party/blink/public/mojom/scroll/scroll_into_view_params.mojom.h" | 
|  | #include "third_party/blink/public/mojom/storage_key/ancestor_chain_bit.mojom.h" | 
|  | #include "third_party/blink/public/mojom/timing/resource_timing.mojom.h" | 
|  | #include "third_party/blink/public/mojom/window_features/window_features.mojom.h" | 
|  | #include "ui/accessibility/ax_action_handler_registry.h" | 
|  | #include "ui/accessibility/ax_common.h" | 
|  | #include "ui/accessibility/ax_location_and_scroll_updates.h" | 
|  | #include "ui/accessibility/ax_node_id_forward.h" | 
|  | #include "ui/accessibility/ax_tree_update.h" | 
|  | #include "ui/accessibility/ax_updates_and_events.h" | 
|  | #include "ui/accessibility/platform/browser_accessibility_manager.h" | 
|  | #include "ui/base/ime/text_input_client.h" | 
|  | #include "ui/display/screen.h" | 
|  | #include "ui/events/event_constants.h" | 
|  | #include "url/gurl.h" | 
|  | #include "url/origin.h" | 
|  | #include "url/url_constants.h" | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | #include "content/browser/accessibility/browser_accessibility_manager_android.h" | 
|  | #include "content/browser/android/content_url_loader_factory.h" | 
|  | #include "content/browser/android/java_interfaces_impl.h" | 
|  | #include "content/browser/renderer_host/render_frame_host_android.h" | 
|  | #include "content/browser/renderer_host/render_widget_host_view_android.h" | 
|  | #include "content/public/browser/android/java_interfaces.h" | 
|  | #include "content/public/browser/authenticator_request_client_delegate.h" | 
|  | #else | 
|  | #include "content/browser/hid/hid_service.h" | 
|  | #include "content/browser/host_zoom_map_impl.h" | 
|  | #endif | 
|  |  | 
|  | #if BUILDFLAG(IS_CHROMEOS) | 
|  | #include "content/browser/smart_card/smart_card_service.h" | 
|  | #endif | 
|  |  | 
|  | #if BUILDFLAG(IS_MAC) | 
|  | #include "content/browser/renderer_host/popup_menu_helper_mac.h" | 
|  | #endif | 
|  |  | 
|  | #if BUILDFLAG(USE_EXTERNAL_POPUP_MENU) | 
|  | #include "content/browser/renderer_host/render_view_host_delegate_view.h" | 
|  | #endif | 
|  |  | 
|  | #if AX_FAIL_FAST_BUILD() | 
|  | #include "base/command_line.h" | 
|  | #include "content/public/browser/ax_inspect_factory.h" | 
|  | #include "ui/accessibility/accessibility_switches.h" | 
|  | #endif | 
|  |  | 
|  | namespace features { | 
|  |  | 
|  | BASE_FEATURE(kDoNotEvictOnAXLocationChange, | 
|  | "DoNotEvictOnAXLocationChange", | 
|  | base::FEATURE_ENABLED_BY_DEFAULT); | 
|  |  | 
|  | }  // namespace features | 
|  |  | 
|  | namespace content { | 
|  |  | 
|  | class RenderFrameHostOrProxy { | 
|  | public: | 
|  | RenderFrameHostOrProxy(RenderFrameHostImpl* frame, | 
|  | RenderFrameProxyHost* proxy) { | 
|  | DCHECK(!frame || !proxy) | 
|  | << "Both frame and proxy can't be non-null at the same time"; | 
|  | if (proxy) { | 
|  | frame_or_proxy_ = proxy; | 
|  | return; | 
|  | } | 
|  | if (frame) { | 
|  | frame_or_proxy_ = frame; | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | explicit operator bool() { return frame_or_proxy_.index() > 0; } | 
|  |  | 
|  | FrameTreeNode* GetFrameTreeNode() { | 
|  | if (auto* proxy = GetProxy()) { | 
|  | return proxy->frame_tree_node(); | 
|  | } else if (auto* frame = GetFrame()) { | 
|  | return frame->frame_tree_node(); | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* GetCurrentFrameHost() { | 
|  | if (auto* proxy = GetProxy()) { | 
|  | return proxy->frame_tree_node()->current_frame_host(); | 
|  | } else if (auto* frame = GetFrame()) { | 
|  | return frame; | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | private: | 
|  | RenderFrameProxyHost* GetProxy() { | 
|  | if (auto** proxy = std::get_if<RenderFrameProxyHost*>(&frame_or_proxy_)) { | 
|  | return *proxy; | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* GetFrame() { | 
|  | if (auto** frame = std::get_if<RenderFrameHostImpl*>(&frame_or_proxy_)) { | 
|  | return *frame; | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | std::variant<std::monostate, RenderFrameHostImpl*, RenderFrameProxyHost*> | 
|  | frame_or_proxy_; | 
|  | }; | 
|  |  | 
|  | namespace { | 
|  |  | 
|  | // Maximum amount of time to wait for beforeunload/unload handlers to be | 
|  | // processed by the renderer process. | 
|  | constexpr base::TimeDelta kUnloadTimeout = base::Milliseconds(500); | 
|  |  | 
|  | constexpr base::TimeDelta kSubframeProcessShutdownDelay = base::Seconds(2); | 
|  | static_assert(kSubframeProcessShutdownDelay + kUnloadTimeout < | 
|  | RenderProcessHostImpl::kKeepAliveHandleFactoryTimeout, | 
|  | "The maximum process shutdown delay should not exceed the " | 
|  | "keepalive timeout. This has security implications, see " | 
|  | "https://crbug.com/1177674."); | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | const void* const kRenderFrameHostAndroidKey = &kRenderFrameHostAndroidKey; | 
|  | #endif  // BUILDFLAG(IS_ANDROID) | 
|  |  | 
|  | const void* const kDiscardedRFHProcessHelperKey = | 
|  | &kDiscardedRFHProcessHelperKey; | 
|  |  | 
|  | // The next value to use for the accessibility reset token. | 
|  | uint32_t g_accessibility_reset_token = 0; | 
|  |  | 
|  | // Whether to allow injecting javascript into any kind of frame, for Android | 
|  | // WebView, WebLayer, Fuchsia web.ContextProvider and CastOS content shell. | 
|  | bool g_allow_injecting_javascript = false; | 
|  |  | 
|  | const char kDotGoogleDotCom[] = ".google.com"; | 
|  |  | 
|  | const char kCrashReportingGroupName[] = "crash-reporting"; | 
|  |  | 
|  | using RoutingIDFrameMap = | 
|  | absl::flat_hash_map<GlobalRenderFrameHostId, RenderFrameHostImpl*>; | 
|  | base::LazyInstance<RoutingIDFrameMap>::DestructorAtExit g_routing_id_frame_map = | 
|  | LAZY_INSTANCE_INITIALIZER; | 
|  |  | 
|  | // A global set of all sandboxed RenderFrameHosts that could be isolated from | 
|  | // the rest of their SiteInstance. | 
|  | using RoutingIDIsolatableSandboxedIframesSet = | 
|  | absl::flat_hash_set<GlobalRenderFrameHostId>; | 
|  | base::LazyInstance<RoutingIDIsolatableSandboxedIframesSet>::DestructorAtExit | 
|  | g_routing_id_isolatable_sandboxed_iframes_set = LAZY_INSTANCE_INITIALIZER; | 
|  |  | 
|  | using TokenFrameMap = | 
|  | absl::flat_hash_map<blink::LocalFrameToken, RenderFrameHostImpl*>; | 
|  | TokenFrameMap& GetTokenFrameMap() { | 
|  | static base::NoDestructor<TokenFrameMap> token_frame_map; | 
|  | return *token_frame_map; | 
|  | } | 
|  |  | 
|  | BackForwardCacheMetrics::NotRestoredReason | 
|  | RendererEvictionReasonToNotRestoredReason( | 
|  | blink::mojom::RendererEvictionReason reason) { | 
|  | switch (reason) { | 
|  | case blink::mojom::RendererEvictionReason::kJavaScriptExecution: | 
|  | return BackForwardCacheMetrics::NotRestoredReason::kJavaScriptExecution; | 
|  | case blink::mojom::RendererEvictionReason:: | 
|  | kNetworkRequestDatapipeDrainedAsBytesConsumer: | 
|  | return BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kNetworkRequestDatapipeDrainedAsBytesConsumer; | 
|  | case blink::mojom::RendererEvictionReason::kNetworkRequestRedirected: | 
|  | return BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kNetworkRequestRedirected; | 
|  | case blink::mojom::RendererEvictionReason::kNetworkRequestTimeout: | 
|  | return BackForwardCacheMetrics::NotRestoredReason::kNetworkRequestTimeout; | 
|  | case blink::mojom::RendererEvictionReason::kNetworkExceedsBufferLimit: | 
|  | return BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kNetworkExceedsBufferLimit; | 
|  | case blink::mojom::RendererEvictionReason::kBroadcastChannelOnMessage: | 
|  | return BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kBroadcastChannelOnMessage; | 
|  | case blink::mojom::RendererEvictionReason::kSharedWorkerMessage: | 
|  | return BackForwardCacheMetrics::NotRestoredReason::kSharedWorkerMessage; | 
|  | } | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | // Ensure that we reset nav_entry_id_ in DidCommitProvisionalLoad if any of | 
|  | // the validations fail and lead to an early return.  Call disable() once we | 
|  | // know the commit will be successful.  Resetting nav_entry_id_ avoids acting on | 
|  | // any UpdateState or UpdateTitle messages after an ignored commit. | 
|  | class ScopedCommitStateResetter { | 
|  | public: | 
|  | explicit ScopedCommitStateResetter(RenderFrameHostImpl* render_frame_host) | 
|  | : render_frame_host_(render_frame_host) {} | 
|  |  | 
|  | ~ScopedCommitStateResetter() { | 
|  | if (!disabled_) { | 
|  | render_frame_host_->set_nav_entry_id(0); | 
|  | } | 
|  | } | 
|  |  | 
|  | void disable() { disabled_ = true; } | 
|  |  | 
|  | private: | 
|  | raw_ptr<RenderFrameHostImpl> render_frame_host_; | 
|  | bool disabled_ = false; | 
|  | }; | 
|  |  | 
|  | void GrantFileAccess(int child_id, | 
|  | const std::vector<base::FilePath>& file_paths) { | 
|  | ChildProcessSecurityPolicyImpl* policy = | 
|  | ChildProcessSecurityPolicyImpl::GetInstance(); | 
|  |  | 
|  | for (const auto& file : file_paths) { | 
|  | if (!policy->CanReadFile(child_id, file)) | 
|  | policy->GrantReadFile(child_id, file); | 
|  | } | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(ENABLE_MEDIA_REMOTING) | 
|  | // RemoterFactory that delegates Create() calls to the ContentBrowserClient. | 
|  | // | 
|  | // Since Create() could be called at any time, perhaps by a stray task being run | 
|  | // after a RenderFrameHost has been destroyed, the RemoterFactoryImpl uses the | 
|  | // process/routing IDs as a weak reference to the RenderFrameHostImpl. | 
|  | class RemoterFactoryImpl final : public media::mojom::RemoterFactory { | 
|  | public: | 
|  | RemoterFactoryImpl(int process_id, int routing_id) | 
|  | : process_id_(process_id), routing_id_(routing_id) {} | 
|  |  | 
|  | RemoterFactoryImpl(const RemoterFactoryImpl&) = delete; | 
|  | RemoterFactoryImpl& operator=(const RemoterFactoryImpl&) = delete; | 
|  |  | 
|  | private: | 
|  | void Create(mojo::PendingRemote<media::mojom::RemotingSource> source, | 
|  | mojo::PendingReceiver<media::mojom::Remoter> receiver) final { | 
|  | if (auto* host = RenderFrameHostImpl::FromID(process_id_, routing_id_)) { | 
|  | GetContentClient()->browser()->CreateMediaRemoter(host, std::move(source), | 
|  | std::move(receiver)); | 
|  | } | 
|  | } | 
|  |  | 
|  | const int process_id_; | 
|  | const int routing_id_; | 
|  | }; | 
|  | #endif  // BUILDFLAG(ENABLE_MEDIA_REMOTING) | 
|  |  | 
|  | RenderFrameHostOrProxy LookupRenderFrameHostOrProxy(int process_id, | 
|  | int routing_id) { | 
|  | RenderFrameHostImpl* rfh = | 
|  | RenderFrameHostImpl::FromID(process_id, routing_id); | 
|  | RenderFrameProxyHost* proxy = nullptr; | 
|  | if (!rfh) | 
|  | proxy = RenderFrameProxyHost::FromID(process_id, routing_id); | 
|  | return RenderFrameHostOrProxy(rfh, proxy); | 
|  | } | 
|  |  | 
|  | RenderFrameHostOrProxy LookupRenderFrameHostOrProxy( | 
|  | int process_id, | 
|  | const blink::FrameToken& frame_token) { | 
|  | if (frame_token.Is<blink::LocalFrameToken>()) { | 
|  | auto it = | 
|  | GetTokenFrameMap().find(frame_token.GetAs<blink::LocalFrameToken>()); | 
|  | // The check against |process_id| isn't strictly necessary, but represents | 
|  | // an extra level of protection against a renderer trying to force a frame | 
|  | // token. | 
|  | if (it == GetTokenFrameMap().end() || | 
|  | process_id != it->second->GetProcess()->GetDeprecatedID()) { | 
|  | return RenderFrameHostOrProxy(nullptr, nullptr); | 
|  | } | 
|  | return RenderFrameHostOrProxy(it->second, nullptr); | 
|  | } | 
|  | DCHECK(frame_token.Is<blink::RemoteFrameToken>()); | 
|  | return RenderFrameHostOrProxy( | 
|  | nullptr, RenderFrameProxyHost::FromFrameToken( | 
|  | process_id, frame_token.GetAs<blink::RemoteFrameToken>())); | 
|  | } | 
|  |  | 
|  | // Set crash keys that will help understand the circumstances of a renderer | 
|  | // kill.  Note that the commit URL is already reported in a crash key, and | 
|  | // additional keys are logged in RenderProcessHostImpl::ShutdownForBadMessage. | 
|  | void LogRendererKillCrashKeys(const SiteInfo& site_info) { | 
|  | static auto* const site_info_key = base::debug::AllocateCrashKeyString( | 
|  | "current_site_info", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(site_info_key, site_info.GetDebugString()); | 
|  | } | 
|  |  | 
|  | void LogCanCommitOriginAndUrlFailureReason(const std::string& failure_reason) { | 
|  | static auto* const failure_reason_key = base::debug::AllocateCrashKeyString( | 
|  | "rfhi_can_commit_failure_reason", base::debug::CrashKeySize::Size64); | 
|  | base::debug::SetCrashKeyString(failure_reason_key, failure_reason); | 
|  | } | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> CloneFactoryBundle( | 
|  | scoped_refptr<blink::URLLoaderFactoryBundle> bundle) { | 
|  | return base::WrapUnique(static_cast<blink::PendingURLLoaderFactoryBundle*>( | 
|  | bundle->Clone().release())); | 
|  | } | 
|  |  | 
|  | // Helper method to download a URL on UI thread. | 
|  | void StartDownload( | 
|  | std::unique_ptr<download::DownloadUrlParameters> parameters, | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | RenderProcessHost* render_process_host = | 
|  | RenderProcessHost::FromID(parameters->render_process_host_id()); | 
|  | if (!render_process_host) | 
|  | return; | 
|  |  | 
|  | BrowserContext* browser_context = render_process_host->GetBrowserContext(); | 
|  |  | 
|  | DownloadManager* download_manager = browser_context->GetDownloadManager(); | 
|  | parameters->set_download_source(download::DownloadSource::FROM_RENDERER); | 
|  | download_manager->DownloadUrl(std::move(parameters), | 
|  | std::move(blob_url_loader_factory)); | 
|  | } | 
|  |  | 
|  | // Called on the UI thread when the data URL in the BlobDataHandle | 
|  | // is read. | 
|  | void OnDataURLRetrieved( | 
|  | std::unique_ptr<download::DownloadUrlParameters> parameters, | 
|  | GURL data_url) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | if (!data_url.is_valid()) | 
|  | return; | 
|  | parameters->set_url(std::move(data_url)); | 
|  | StartDownload(std::move(parameters), nullptr); | 
|  | } | 
|  |  | 
|  | // Analyzes trusted sources of a frame's private-state-token-redemption | 
|  | // Permissions Policy feature to see if the feature is definitely disabled or | 
|  | // potentially enabled. | 
|  | // | 
|  | // This information will be bound to a URLLoaderFactory; if the answer is | 
|  | // "definitely disabled," the network service will report a bad message if it | 
|  | // receives a request from the renderer to execute a Trust Tokens redemption or | 
|  | // signing operation in the frame. | 
|  | // | 
|  | // A return value of kForbid denotes that the feature is disabled for the | 
|  | // frame. A return value of kPotentiallyPermit means that all trusted | 
|  | // information sources say that the policy is enabled. | 
|  | network::mojom::TrustTokenOperationPolicyVerdict | 
|  | DetermineWhetherToForbidTrustTokenOperation( | 
|  | const RenderFrameHostImpl* frame, | 
|  | const blink::mojom::CommitNavigationParams& commit_params, | 
|  | const url::Origin& subframe_origin, | 
|  | const network::mojom::TrustTokenOperationType& operation) { | 
|  | std::unique_ptr<network::PermissionsPolicy> subframe_policy; | 
|  | // TODO(crbug.com/40263106): Add WPT to test how TrustTokens behave in | 
|  | // a FencedFrame's subframe. | 
|  | if (frame->IsFencedFrameRoot()) { | 
|  | const std::optional<FencedFrameProperties>& fenced_frame_properties = | 
|  | frame->frame_tree_node()->GetFencedFrameProperties(); | 
|  | if (!fenced_frame_properties) { | 
|  | // Without fenced frame properties, there won't be a list of | 
|  | // effective enabled permissions or information about the embedder's | 
|  | // permissions policies, so we create a permissions policy with every | 
|  | // permission disabled. | 
|  | subframe_policy = network::PermissionsPolicy::CreateFixedForFencedFrame( | 
|  | subframe_origin, /*header_policy=*/{}, {}); | 
|  | } else if (fenced_frame_properties->parent_permissions_info().has_value()) { | 
|  | // Fenced frames with flexible permissions are allowed to inherit certain | 
|  | // permissions from their parent's permissions policy. | 
|  | const network::PermissionsPolicy* parent_policy = | 
|  | frame->GetParentOrOuterDocument()->GetPermissionsPolicy(); | 
|  | network::ParsedPermissionsPolicy container_policy = | 
|  | commit_params.frame_policy.container_policy; | 
|  | subframe_policy = | 
|  | network::PermissionsPolicy::CreateFlexibleForFencedFrame( | 
|  | parent_policy, /*header_policy=*/{}, container_policy, | 
|  | subframe_origin); | 
|  | } else { | 
|  | // Fenced frames with fixed permissions have a list of required permission | 
|  | // policies to load and can't be granted extra policies, so use the | 
|  | // required policies instead of inheriting from its parent. Note that the | 
|  | // parent policies must allow the required policies, which is checked | 
|  | // separately in | 
|  | // NavigationRequest::CheckPermissionsPoliciesForFencedFrames. | 
|  | subframe_policy = network::PermissionsPolicy::CreateFixedForFencedFrame( | 
|  | subframe_origin, /*header_policy=*/{}, | 
|  | fenced_frame_properties->effective_enabled_permissions()); | 
|  | } | 
|  | } else { | 
|  | // For main frame loads, the frame's permissions policy is determined | 
|  | // entirely by response headers, which are provided by the renderer. | 
|  | if (!frame->GetParent()) | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict:: | 
|  | kPotentiallyPermit; | 
|  |  | 
|  | const network::PermissionsPolicy* parent_policy = | 
|  | frame->GetParent()->GetPermissionsPolicy(); | 
|  | network::ParsedPermissionsPolicy container_policy = | 
|  | commit_params.frame_policy.container_policy; | 
|  |  | 
|  | subframe_policy = network::PermissionsPolicy::CreateFromParentPolicy( | 
|  | parent_policy, /*header_policy=*/{}, container_policy, subframe_origin); | 
|  | } | 
|  |  | 
|  | switch (operation) { | 
|  | case network::mojom::TrustTokenOperationType::kRedemption: | 
|  | case network::mojom::TrustTokenOperationType::kSigning: | 
|  | if (subframe_policy->IsFeatureEnabled( | 
|  | network::mojom::PermissionsPolicyFeature:: | 
|  | kTrustTokenRedemption)) { | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict:: | 
|  | kPotentiallyPermit; | 
|  | } | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | case network::mojom::TrustTokenOperationType::kIssuance: | 
|  | if (subframe_policy->IsFeatureEnabled( | 
|  | network::mojom::PermissionsPolicyFeature:: | 
|  | kPrivateStateTokenIssuance)) { | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict:: | 
|  | kPotentiallyPermit; | 
|  | } | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | } | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | } | 
|  |  | 
|  | // When a frame creates its initial subresource loaders, it needs to know | 
|  | // whether the private-state-token-redemption Permissions Policy feature will be | 
|  | // enabled after the commit finishes, which is a little involved (see | 
|  | // DetermineWhetherToForbidTrustTokenOperation). In contrast, if it needs to | 
|  | // make this decision once the frame has committted---for instance, to create | 
|  | // more loaders after the network service crashes---it can directly consult the | 
|  | // current Permissions Policy state to determine whether the feature is enabled. | 
|  | network::mojom::TrustTokenOperationPolicyVerdict | 
|  | DetermineAfterCommitWhetherToForbidTrustTokenOperation( | 
|  | RenderFrameHostImpl& impl, | 
|  | const network::mojom::TrustTokenOperationType& operation) { | 
|  | switch (operation) { | 
|  | case network::mojom::TrustTokenOperationType::kRedemption: | 
|  | case network::mojom::TrustTokenOperationType::kSigning: | 
|  | if (impl.IsFeatureEnabled(network::mojom::PermissionsPolicyFeature:: | 
|  | kTrustTokenRedemption)) { | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict:: | 
|  | kPotentiallyPermit; | 
|  | } | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | case network::mojom::TrustTokenOperationType::kIssuance: | 
|  | if (impl.IsFeatureEnabled(network::mojom::PermissionsPolicyFeature:: | 
|  | kPrivateStateTokenIssuance)) { | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict:: | 
|  | kPotentiallyPermit; | 
|  | } | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | } | 
|  | return network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | } | 
|  |  | 
|  | bool IsOriginSandboxedWithAllowSameSiteNoneCookiesValue( | 
|  | network::mojom::WebSandboxFlags sandbox_flags) { | 
|  | if (sandbox_flags == network::mojom::WebSandboxFlags::kNone) { | 
|  | return false; | 
|  | } | 
|  | if ((sandbox_flags & network::mojom::WebSandboxFlags::kOrigin) == | 
|  | network::mojom::WebSandboxFlags::kNone) { | 
|  | return false; | 
|  | } | 
|  | return (sandbox_flags & | 
|  | network::mojom::WebSandboxFlags::kAllowSameSiteNoneCookies) == | 
|  | network::mojom::WebSandboxFlags::kNone; | 
|  | } | 
|  |  | 
|  | // A simplified version of Blink's WebFrameLoadType, used to simulate renderer | 
|  | // calculations. See CalculateRendererLoadType() further below. | 
|  | // TODO(crbug.com/40150370): This should only be here temporarily. | 
|  | // Remove this once the renderer behavior at commit time is more consistent with | 
|  | // what the browser instructed it to do (e.g. reloads will always be classified | 
|  | // as kReload). | 
|  | enum class RendererLoadType { | 
|  | kStandard, | 
|  | kBackForward, | 
|  | kReload, | 
|  | kReplaceCurrentItem, | 
|  | }; | 
|  |  | 
|  | bool ValidateCSPAttribute(const std::string& value) { | 
|  | static const size_t kMaxLengthCSPAttribute = 4096; | 
|  | if (!base::IsStringASCII(value)) | 
|  | return false; | 
|  | if (value.length() > kMaxLengthCSPAttribute || | 
|  | value.find('\n') != std::string::npos || | 
|  | value.find('\r') != std::string::npos) { | 
|  | return false; | 
|  | } | 
|  | return true; | 
|  | } | 
|  |  | 
|  | perfetto::protos::pbzero::FrameDeleteIntention FrameDeleteIntentionToProto( | 
|  | mojom::FrameDeleteIntention intent) { | 
|  | using ProtoLevel = perfetto::protos::pbzero::FrameDeleteIntention; | 
|  | switch (intent) { | 
|  | case mojom::FrameDeleteIntention::kNotMainFrame: | 
|  | return ProtoLevel::FRAME_DELETE_INTENTION_NOT_MAIN_FRAME; | 
|  | case mojom::FrameDeleteIntention::kSpeculativeMainFrameForShutdown: | 
|  | return ProtoLevel:: | 
|  | FRAME_DELETE_INTENTION_SPECULATIVE_MAIN_FRAME_FOR_SHUTDOWN; | 
|  | case mojom::FrameDeleteIntention:: | 
|  | kSpeculativeMainFrameForNavigationCancelled: | 
|  | return ProtoLevel:: | 
|  | FRAME_DELETE_INTENTION_SPECULATIVE_MAIN_FRAME_FOR_NAVIGATION_CANCELLED; | 
|  | } | 
|  | // All cases should've been handled by the switch case above. | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | void WriteRenderFrameImplDeletion(perfetto::EventContext& ctx, | 
|  | RenderFrameHostImpl* rfh, | 
|  | mojom::FrameDeleteIntention intent) { | 
|  | auto* event = ctx.event<perfetto::protos::pbzero::ChromeTrackEvent>(); | 
|  | auto* data = event->set_render_frame_impl_deletion(); | 
|  | data->set_has_pending_commit(rfh->HasPendingCommitNavigation()); | 
|  | data->set_has_pending_cross_document_commit( | 
|  | rfh->HasPendingCommitForCrossDocumentNavigation()); | 
|  | data->set_frame_tree_node_id(rfh->GetFrameTreeNodeId().value()); | 
|  | data->set_intent(FrameDeleteIntentionToProto(intent)); | 
|  | } | 
|  |  | 
|  | // Returns the amount of time to keep subframe processes alive in case they can | 
|  | // be reused. Returns zero if under memory pressure, as memory should be freed | 
|  | // up as soon as possible if it's limited. | 
|  | base::TimeDelta GetSubframeProcessShutdownDelay( | 
|  | BrowserContext* browser_context) { | 
|  | static constexpr base::TimeDelta kZeroDelay; | 
|  | if (!RenderProcessHostImpl::ShouldDelayProcessShutdown()) { | 
|  | return kZeroDelay; | 
|  | } | 
|  |  | 
|  | // Don't delay process shutdown under memory pressure. Does not cancel | 
|  | // existing shutdown delays for processes already in delayed-shutdown state. | 
|  | const auto* const memory_monitor = base::MemoryPressureMonitor::Get(); | 
|  | if (memory_monitor && | 
|  | memory_monitor->GetCurrentPressureLevel() >= | 
|  | base::MemoryPressureListener::MEMORY_PRESSURE_LEVEL_MODERATE) { | 
|  | return kZeroDelay; | 
|  | } | 
|  |  | 
|  | return kSubframeProcessShutdownDelay; | 
|  | } | 
|  |  | 
|  | // Returns the "document" URL used for a navigation, which might be different | 
|  | // than the commit URL (CommonNavigationParam's URL) for certain cases such as | 
|  | // error document and loadDataWithBaseURL() commits. | 
|  | GURL GetLastDocumentURL( | 
|  | NavigationRequest* request, | 
|  | const mojom::DidCommitProvisionalLoadParams& params, | 
|  | bool last_document_is_error_document, | 
|  | const RenderFrameHostImpl::RendererURLInfo& renderer_url_info) { | 
|  | if (request->DidEncounterError() || | 
|  | (request->IsSameDocument() && last_document_is_error_document)) { | 
|  | // If the navigation happens on an error document, the document URL is set | 
|  | // to kUnreachableWebDataURL. Note that if a same-document navigation | 
|  | // happens in an error document it's possible for the document URL to have | 
|  | // changed, but the browser has no way of knowing that URL since it isn't | 
|  | // exposed in any way. Additionally, all current known ways to do a | 
|  | // same-document navigation on an error document | 
|  | // (history.pushState/replaceState without changing the URL) won't change | 
|  | // the URL, so it's probably OK to keep using kUnreachableWebDataURL here. | 
|  | return GURL(kUnreachableWebDataURL); | 
|  | } | 
|  | if (request->IsLoadDataWithBaseURL()) { | 
|  | // loadDataWithBaseURL() navigation can set its own "base URL", which is | 
|  | // also used by the renderer as the document URL unless the navigation | 
|  | // failed (which is already accounted for in the error document case above). | 
|  | return request->common_params().base_url_for_data_url; | 
|  | } | 
|  | if (renderer_url_info.was_loaded_from_load_data_with_base_url && | 
|  | request->IsSameDocument()) { | 
|  | // If this is a same-document navigation on a document loaded from | 
|  | // loadDataWithBaseURL(), it is not currently possible to figure out the | 
|  | // document URL. This is because the renderer can navigate to any | 
|  | // same-document URL, but that URL will not be used for | 
|  | // DidCommitProvisionalLoadParams' `url` if the loading URL for the document | 
|  | // is set to the data: URL. In this case, just return the last document URL, | 
|  | // since at least it will have the correct origin. | 
|  | return renderer_url_info.last_document_url; | 
|  | } | 
|  | // For all other navigations, the document URL should be the same as the URL | 
|  | // that is used to commit. | 
|  | return params.url; | 
|  | } | 
|  |  | 
|  | // Return true when `mode` is enabled for kAvoidUnnecessaryBeforeUnloadCheckSync | 
|  | // feature (see: https://crbug.com/396998476). | 
|  | bool IsAvoidUnnecessaryBeforeUnloadCheckSyncEnabledFor( | 
|  | features::AvoidUnnecessaryBeforeUnloadCheckSyncMode mode) { | 
|  | if (!GetContentClient() | 
|  | ->browser() | 
|  | ->SupportsAvoidUnnecessaryBeforeUnloadCheckSync()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!base::FeatureList::IsEnabled( | 
|  | features::kAvoidUnnecessaryBeforeUnloadCheckSync)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return features::kAvoidUnnecessaryBeforeUnloadCheckSyncMode.Get() == mode; | 
|  | } | 
|  |  | 
|  | // Returns true if `host` has the Window Management permission granted. | 
|  | bool IsWindowManagementGranted(RenderFrameHost* host) { | 
|  | content::PermissionController* permission_controller = | 
|  | host->GetBrowserContext()->GetPermissionController(); | 
|  | DCHECK(permission_controller); | 
|  |  | 
|  | return permission_controller->GetPermissionStatusForCurrentDocument( | 
|  | content::PermissionDescriptorUtil:: | 
|  | CreatePermissionDescriptorForPermissionType( | 
|  | blink::PermissionType::WINDOW_MANAGEMENT), | 
|  | host) == blink::mojom::PermissionStatus::GRANTED; | 
|  | } | 
|  |  | 
|  | bool IsOpenGraphMetadataValid(const blink::mojom::OpenGraphMetadata* metadata) { | 
|  | return !metadata->image || metadata->image->SchemeIsHTTPOrHTTPS(); | 
|  | } | 
|  |  | 
|  | void ForwardOpenGraphMetadataIfValid( | 
|  | base::OnceCallback<void(blink::mojom::OpenGraphMetadataPtr)> callback, | 
|  | blink::mojom::OpenGraphMetadataPtr metadata) { | 
|  | if (IsOpenGraphMetadataValid(metadata.get())) | 
|  | std::move(callback).Run(std::move(metadata)); | 
|  | else | 
|  | std::move(callback).Run({}); | 
|  | } | 
|  |  | 
|  | // Creates a JavaScriptExecuteRequestForTestsCallback callback that delegates | 
|  | // to the given JavaScriptResultCallback. | 
|  | blink::mojom::LocalFrame::JavaScriptExecuteRequestForTestsCallback | 
|  | CreateJavaScriptExecuteRequestForTestsCallback( | 
|  | RenderFrameHost::JavaScriptResultCallback callback) { | 
|  | if (!callback) | 
|  | return base::NullCallback(); | 
|  | return base::BindOnce( | 
|  | [](RenderFrameHost::JavaScriptResultCallback callback, | 
|  | blink::mojom::JavaScriptExecutionResultType type, base::Value value) { | 
|  | if (type == blink::mojom::JavaScriptExecutionResultType::kSuccess) | 
|  | std::move(callback).Run(value.Clone()); | 
|  | else | 
|  | std::move(callback).Run(base::Value()); | 
|  | }, | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | bool ValidateUnfencedTopNavigation( | 
|  | RenderFrameHostImpl* render_frame_host, | 
|  | GURL& url, | 
|  | int initiator_process_id, | 
|  | const scoped_refptr<network::ResourceRequestBody>& post_body, | 
|  | bool user_gesture) { | 
|  | // Validate and modify `url` as needed. | 
|  | render_frame_host->GetSiteInstance()->GetProcess()->FilterURL( | 
|  | /*empty_allowed=*/false, &url); | 
|  |  | 
|  | if (!render_frame_host->IsNestedWithinFencedFrame() || | 
|  | render_frame_host->IsSandboxed( | 
|  | network::mojom::WebSandboxFlags::kTopNavigationByUserActivation)) { | 
|  | // If either of these conditions are true, then assume a compromised | 
|  | // renderer. | 
|  | bad_message::ReceivedBadMessage( | 
|  | initiator_process_id, | 
|  | bad_message::RFHI_UNFENCED_TOP_IPC_OUTSIDE_FENCED_FRAME); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Perform checks that normally would be performed in | 
|  | // `blink::CanNavigate` but that we skipped because the target | 
|  | // frame wasn't available in the renderer. | 
|  | // TODO(crbug.com/40053214): Change these checks to send a BadMessage | 
|  | // when the renderer-side refactor is complete. | 
|  |  | 
|  | // Javascript URLs are not allowed, because they can be used to | 
|  | // communicate from the fenced frame to the embedder. | 
|  | // TODO(crbug.com/40221940): It does not seem possible to reach this code | 
|  | // with an uncompromised renderer, because javascript URLs don't reach | 
|  | // the same IPC; instead they run inside the fenced frame as _self. | 
|  | // It also seems that Javascript URLs would be caught earlier in this | 
|  | // particular code path by VerifyOpenURLParams(). | 
|  | // In this code's final IPC resting place after the factor, make sure | 
|  | // to check whether this code is redundant. | 
|  | if (url.SchemeIs(url::kJavaScriptScheme)) { | 
|  | render_frame_host->AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "The frame attempting navigation must be in the same fenced " | 
|  | "frame tree as the target if navigating to a javascript: url"); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Blob URLs are not allowed, because you should not be able to exfiltrate | 
|  | // arbitrary amounts of information from a fenced frame. | 
|  | if (url.SchemeIs(url::kBlobScheme)) { | 
|  | render_frame_host->AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "_unfencedTop may not be used with a blob: url"); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // POST requests are not allowed, because they are asynchronous and more | 
|  | // difficult to account for in privacy budgets. | 
|  | if (post_body) { | 
|  | render_frame_host->AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "_unfencedTop may not be used to send POST requests"); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // User activation is required, because fenced frames use the sandbox | 
|  | // flag `allow-top-navigation-by-user-activation`. | 
|  | // It would be better to instead check | 
|  | // `render_frame_host->HasTransientUserActivation()`, | 
|  | // but it has already been consumed at this point. | 
|  | // TODO(crbug.com/40091540): use the browser's source of truth for user | 
|  | // activation here (and elsewhere in this file) rather than trust the | 
|  | // renderer. | 
|  | if (!user_gesture) { | 
|  | render_frame_host->AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "The frame attempting navigation of the top-level window is " | 
|  | "sandboxed with the 'allow-top-navigation-by-user-activation' " | 
|  | "flag, but has no user activation (aka gesture). See " | 
|  | "https://www.chromestatus.com/feature/5629582019395584."); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Records the identifiable surface metric associated with a document created | 
|  | // event when the identifiability study is active. | 
|  | void RecordIdentifiabilityDocumentCreatedMetrics( | 
|  | const ukm::SourceId document_ukm_source_id, | 
|  | ukm::UkmRecorder* ukm_recorder, | 
|  | ukm::SourceId navigation_source_id, | 
|  | bool is_cross_origin_frame, | 
|  | bool is_cross_site_frame, | 
|  | bool is_main_frame) { | 
|  | if (blink::IdentifiabilityStudySettings::Get()->IsActive()) { | 
|  | blink::IdentifiabilityStudyDocumentCreated(document_ukm_source_id) | 
|  | .SetNavigationSourceId(navigation_source_id) | 
|  | .SetIsMainFrame(is_main_frame) | 
|  | .SetIsCrossOriginFrame(is_cross_origin_frame) | 
|  | .SetIsCrossSiteFrame(is_cross_site_frame) | 
|  | .Record(ukm_recorder); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool IsOpenerSameOriginFrame(const RenderFrameHostImpl* opener) { | 
|  | return opener->GetLastCommittedOrigin() == | 
|  | opener->GetMainFrame()->GetLastCommittedOrigin(); | 
|  | } | 
|  |  | 
|  | // See https://html.spec.whatwg.org/C/#browsing-context-names (step 8) | 
|  | // ``` | 
|  | // If current's top-level browsing context's active document's | 
|  | // cross-origin opener policy's value is "same-origin" or | 
|  | // "same-origin-plus-COEP", then [...] set noopener to true, name to | 
|  | // "_blank", and windowType to "new with no opener". | 
|  | // ``` | 
|  | bool CoopSuppressOpener(const RenderFrameHostImpl* opener) { | 
|  | // Those values are explicitly listed here, to force creator of new | 
|  | // values to make an explicit decision in the future. | 
|  | // See regression: https://crbug.com/1181673 | 
|  | switch (opener->GetMainFrame()->cross_origin_opener_policy().value) { | 
|  | case network::mojom::CrossOriginOpenerPolicyValue::kUnsafeNone: | 
|  | case network::mojom::CrossOriginOpenerPolicyValue::kSameOriginAllowPopups: | 
|  | case network::mojom::CrossOriginOpenerPolicyValue::kNoopenerAllowPopups: | 
|  | return false; | 
|  |  | 
|  | case network::mojom::CrossOriginOpenerPolicyValue::kSameOrigin: | 
|  | case network::mojom::CrossOriginOpenerPolicyValue::kSameOriginPlusCoep: | 
|  | return !IsOpenerSameOriginFrame(opener); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RecordAutomaticBeaconOutcome(const blink::AutomaticBeaconOutcome outcome) { | 
|  | base::UmaHistogramEnumeration(blink::kAutomaticBeaconOutcomeHistogram, | 
|  | outcome); | 
|  | } | 
|  |  | 
|  | // Traverse up a frame tree, starting at `rfh`, until finding a RFH whose | 
|  | // associated fenced document data matches the expected criteria. Namely, it | 
|  | // must contain automatic beacon data for the provided `event_type`, and if | 
|  | // `is_same_origin` is set to false (i.e. the frame initiating an automatic | 
|  | // beacon is cross-origin to the mapped URL of the root frame's fenced frame | 
|  | // config), the data must be marked as cross-origin exposed. | 
|  | FencedDocumentData* GetFencedDocumentData( | 
|  | RenderFrameHostImpl* rfh, | 
|  | blink::mojom::AutomaticBeaconType event_type, | 
|  | bool is_same_origin) { | 
|  | // Traverse up to but not past a URN iframe root. | 
|  | for (; rfh; rfh = rfh->frame_tree_node()->HasFencedFrameProperties() | 
|  | ? nullptr | 
|  | : rfh->GetParent()) { | 
|  | FencedDocumentData* fenced_document_data = | 
|  | FencedDocumentData::GetForCurrentDocument(rfh); | 
|  | if (!fenced_document_data) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | const std::optional<AutomaticBeaconInfo> beacon_info = | 
|  | fenced_document_data->GetAutomaticBeaconInfo(event_type); | 
|  | if (!beacon_info) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | // Check if the beacon data is usable based on whether the data needs to be | 
|  | // cross-origin exposed. If the feature flag is not enabled, unconditionally | 
|  | // return the document data, even if it means returning non-cross origin | 
|  | // exposed data for a cross-origin automatic beacon (which would result in | 
|  | // no data being sent). | 
|  | if (is_same_origin || beacon_info->cross_origin_exposed || | 
|  | !base::FeatureList::IsEnabled( | 
|  | blink::features::kFencedFramesCrossOriginAutomaticBeaconData)) { | 
|  | return fenced_document_data; | 
|  | } | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | bool FencedFrameAutomaticBeaconsAllowed(RenderFrameHostImpl* rfh) { | 
|  | if (!rfh->GetLastResponseHead() || !rfh->GetLastResponseHead()->headers) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | std::optional<std::string> allow = | 
|  | rfh->GetLastResponseHead()->headers->GetNormalizedHeader( | 
|  | "Allow-Fenced-Frame-Automatic-Beacons"); | 
|  |  | 
|  | return allow && base::EqualsCaseInsensitiveASCII(*allow, "true"); | 
|  | } | 
|  |  | 
|  | // Check if the document is loaded without URLLoaderClient. | 
|  | bool IsDocumentLoadedWithoutUrlLoaderClient( | 
|  | NavigationRequest* navigation_request, | 
|  | GURL url, | 
|  | bool is_same_document, | 
|  | bool is_mhtml_subframe) { | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | if (navigation_request->GetUrlInfo().is_pdf) { | 
|  | return true; | 
|  | } | 
|  | #endif  // BUILDFLAG(IS_ANDROID) | 
|  |  | 
|  | return is_mhtml_subframe || is_same_document || | 
|  | url.SchemeIs(url::kDataScheme) || !IsURLHandledByNetworkStack(url); | 
|  | } | 
|  |  | 
|  | std::vector<GURL> GetTargetUrlsOfBoostRenderProcessForLoading() { | 
|  | std::optional<base::Value> json_value = | 
|  | base::JSONReader::Read(base::UnescapeURLComponent( | 
|  | blink::features::kBoostRenderProcessForLoadingTargetUrls.Get(), | 
|  | base::UnescapeRule::SPACES)); | 
|  |  | 
|  | if (!json_value) { | 
|  | return {}; | 
|  | } | 
|  |  | 
|  | base::Value::List* entries = json_value->GetIfList(); | 
|  | if (!entries) { | 
|  | return {}; | 
|  | } | 
|  |  | 
|  | std::vector<GURL> result; | 
|  | result.reserve(entries->size()); | 
|  | for (const base::Value& entry : *entries) { | 
|  | const std::string* target_url = entry.GetIfString(); | 
|  | if (target_url) { | 
|  | GURL url(*target_url); | 
|  | if (url.is_valid()) { | 
|  | result.emplace_back(std::move(url)); | 
|  | } | 
|  | } | 
|  | } | 
|  | return result; | 
|  | } | 
|  |  | 
|  | bool ShouldBoostRenderProcessForLoading( | 
|  | RenderFrameHostImpl::LifecycleStateImpl lifecycle_state, | 
|  | bool is_prerendering) { | 
|  | if (blink::features::kBoostRenderProcessForLoadingPrioritizePrerenderingOnly | 
|  | .Get()) { | 
|  | return is_prerendering; | 
|  | } | 
|  |  | 
|  | switch (lifecycle_state) { | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kSpeculative: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kPendingCommit: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kActive: | 
|  | return true; | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kPrerendering: | 
|  | return blink::features:: | 
|  | kBoostRenderProcessForLoadingPrioritizePrerendering.Get(); | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kInBackForwardCache: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kRunningUnloadHandlers: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kReadyToBeDeleted: | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | bool BoostRendererInitiatedNavigation() { | 
|  | // If this is set to true, then the renderer initiated navigation is boosted | 
|  | // in addition to the browser initiated navigation. | 
|  | static const bool boost_renderer_initiated_navigation = | 
|  | base::GetFieldTrialParamByFeatureAsBool( | 
|  | blink::features::kBoostRenderProcessForLoading, | 
|  | "prioritize_renderer_initiated", false); | 
|  | return boost_renderer_initiated_navigation; | 
|  | } | 
|  |  | 
|  | std::optional<std::string_view> GetHostnameMinusRegistry(const GURL& url) { | 
|  | const size_t registry_length = | 
|  | net::registry_controlled_domains::GetRegistryLength( | 
|  | url, net::registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES, | 
|  | net::registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); | 
|  |  | 
|  | const std::string_view hostname = url.host_piece(); | 
|  | if (registry_length == 0 || registry_length == std::string::npos || | 
|  | registry_length >= hostname.length()) { | 
|  | return std::nullopt; | 
|  | } | 
|  |  | 
|  | // Removes the tld and the preceding dot. | 
|  | return hostname.substr(0, hostname.length() - (registry_length + 1)); | 
|  | } | 
|  |  | 
|  | bool IsSameHostnameMinusRegistry(const GURL& url1, const GURL& url2) { | 
|  | auto hostname_minus_registry1 = GetHostnameMinusRegistry(url1); | 
|  | auto hostname_minus_registry2 = GetHostnameMinusRegistry(url2); | 
|  | if (!hostname_minus_registry1 || !hostname_minus_registry2) { | 
|  | return false; | 
|  | } | 
|  | return *hostname_minus_registry1 == *hostname_minus_registry2; | 
|  | } | 
|  |  | 
|  | bool IsTargetUrlOfBoostRenderProcessForLoading(const GURL& url) { | 
|  | static const bool kIsEnabled = base::FeatureList::IsEnabled( | 
|  | blink::features::kBoostRenderProcessForLoading); | 
|  |  | 
|  | if (!kIsEnabled) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | static const base::NoDestructor<std::vector<GURL>> kTargetUrls( | 
|  | GetTargetUrlsOfBoostRenderProcessForLoading()); | 
|  |  | 
|  | if (kTargetUrls->empty()) { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | for (GURL target_url : *kTargetUrls) { | 
|  | if (IsSameHostnameMinusRegistry(url, target_url) && | 
|  | url.path_piece() == target_url.path_piece()) { | 
|  | return true; | 
|  | } | 
|  | } | 
|  |  | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RecordIsProcessBackgrounded(const char* timing_string, | 
|  | base::Process::Priority process_priority) { | 
|  | base::UmaHistogramBoolean( | 
|  | base::StrCat({"Navigation.IsProcessBackgrounded2.", timing_string}), | 
|  | process_priority == base::Process::Priority::kBestEffort); | 
|  | } | 
|  |  | 
|  | // These are directly cast to UKM enums of the same name and logged, | 
|  | // be sure not to change ordering or delete lines. | 
|  | enum class WindowProxyFrameContext { | 
|  | kTopFrame, | 
|  | kSubFrameSameSite, | 
|  | kSubFrameCrossSite, | 
|  | }; | 
|  |  | 
|  | WindowProxyFrameContext GetWindowProxyFrameContext(RenderFrameHostImpl* frame) { | 
|  | if (frame == frame->GetOutermostMainFrame()) { | 
|  | return WindowProxyFrameContext::kTopFrame; | 
|  | } else if (frame->GetStorageKey() == | 
|  | frame->GetOutermostMainFrame()->GetStorageKey()) { | 
|  | return WindowProxyFrameContext::kSubFrameSameSite; | 
|  | } else { | 
|  | return WindowProxyFrameContext::kSubFrameCrossSite; | 
|  | } | 
|  | } | 
|  |  | 
|  | // These are directly cast to UKM enums of the same name and logged, | 
|  | // be sure not to change ordering or delete lines. | 
|  | enum class WindowProxyPageContext { | 
|  | kWindow, | 
|  | kPopup, | 
|  | kPartitionedPopin, | 
|  | }; | 
|  |  | 
|  | WindowProxyPageContext GetWindowProxyPageContext(RenderFrameHostImpl* frame) { | 
|  | if (frame->ShouldPartitionAsPopin()) { | 
|  | return WindowProxyPageContext::kPartitionedPopin; | 
|  | } else if (frame->delegate()->IsPopup()) { | 
|  | return WindowProxyPageContext::kPopup; | 
|  | } else { | 
|  | return WindowProxyPageContext::kWindow; | 
|  | } | 
|  | } | 
|  |  | 
|  | // These are directly cast to UKM enums of the same name and logged, | 
|  | // be sure not to change ordering or delete lines. | 
|  | enum class WindowProxyStorageKeyComparison { | 
|  | kSameKey, | 
|  | kSameTopSiteCrossOrigin, | 
|  | kCrossTopSiteSameOrigin, | 
|  | kCrossKey, | 
|  | }; | 
|  |  | 
|  | WindowProxyStorageKeyComparison GetWindowProxyStorageKeyComparison( | 
|  | const blink::StorageKey& local_storage_key, | 
|  | const blink::StorageKey& remote_storage_key) { | 
|  | if (local_storage_key == remote_storage_key) { | 
|  | return WindowProxyStorageKeyComparison::kSameKey; | 
|  | } else if (local_storage_key.top_level_site() == | 
|  | remote_storage_key.top_level_site()) { | 
|  | return WindowProxyStorageKeyComparison::kSameTopSiteCrossOrigin; | 
|  | } else if (local_storage_key.origin() == remote_storage_key.origin() && | 
|  | local_storage_key.nonce() == remote_storage_key.nonce()) { | 
|  | return WindowProxyStorageKeyComparison::kCrossTopSiteSameOrigin; | 
|  | } else { | 
|  | return WindowProxyStorageKeyComparison::kCrossKey; | 
|  | } | 
|  | } | 
|  |  | 
|  | // These are directly cast to UKM enums of the same name and logged, | 
|  | // be sure not to change ordering or delete lines. | 
|  | enum class WindowProxyUserActivationState { | 
|  | kIsActive, | 
|  | kHasBeenActive, | 
|  | kNeverActive, | 
|  | }; | 
|  |  | 
|  | WindowProxyUserActivationState GetWindowProxyUserActivationState( | 
|  | const RenderFrameHostImpl* frame) { | 
|  | if (frame->IsActiveUserActivation()) { | 
|  | return WindowProxyUserActivationState::kIsActive; | 
|  | } else if (frame->HasStickyUserActivation()) { | 
|  | return WindowProxyUserActivationState::kHasBeenActive; | 
|  | } else { | 
|  | return WindowProxyUserActivationState::kNeverActive; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Responsible for cleaning up render processes for discard operations. | 
|  | class DiscardedRFHProcessHelper : public base::SupportsUserData::Data, | 
|  | public ServiceWorkerContextObserver { | 
|  | public: | 
|  | explicit DiscardedRFHProcessHelper(RenderProcessHost* host) : host_(host) {} | 
|  | DiscardedRFHProcessHelper(const DiscardedRFHProcessHelper&) = delete; | 
|  | DiscardedRFHProcessHelper& operator=(const DiscardedRFHProcessHelper&) = | 
|  | delete; | 
|  | ~DiscardedRFHProcessHelper() override = default; | 
|  |  | 
|  | static DiscardedRFHProcessHelper* GetForRenderProcessHost( | 
|  | RenderProcessHost* host) { | 
|  | if (!host->GetUserData(kDiscardedRFHProcessHelperKey)) { | 
|  | host->SetUserData(kDiscardedRFHProcessHelperKey, | 
|  | std::make_unique<DiscardedRFHProcessHelper>(host)); | 
|  | } | 
|  | return static_cast<DiscardedRFHProcessHelper*>( | 
|  | host->GetUserData(kDiscardedRFHProcessHelperKey)); | 
|  | } | 
|  |  | 
|  | // Resets `retries_` and begins attempts to shutdown sequenced with delay | 
|  | // until kKeepAliveHandleFactoryTimeout is reached. Posts the shutdown task to | 
|  | // the task queue as a synchronous process shutdown may update RFH state in a | 
|  | // way callers may not expect. | 
|  | void ShutdownForDiscardIfPossible() { | 
|  | shutdown_attempt_timer_.Stop(); | 
|  | retries_ = 0; | 
|  | shutdown_attempt_timer_.Start( | 
|  | FROM_HERE, /*delay=*/kUnloadTimeout, | 
|  | base::BindRepeating(&DiscardedRFHProcessHelper::ShutdownIfPossible, | 
|  | base::Unretained(this))); | 
|  | } | 
|  |  | 
|  | void SimulateKeepAliveTimeoutForTesting() { | 
|  | keep_alive_timeout_for_testing_ = true; | 
|  | } | 
|  |  | 
|  | private: | 
|  | // A task that attempts to shutdown the render process for the case where only | 
|  | // discarded frames remain. | 
|  | void ShutdownIfPossible() { | 
|  | if (!host_->IsInitializedAndNotDead() || host_->IsDeletingSoon()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // The delay between render process shutdown attempts. Attempts will | 
|  | // continue until a maximum delay of kKeepAliveHandleFactoryTimeout is | 
|  | // reached. | 
|  | constexpr base::TimeDelta kProcessShutdownRetryDelay = | 
|  | base::Milliseconds(500); | 
|  |  | 
|  | // Attempt a fast shutdown if only discarded frames remain in the process. A | 
|  | // render process may host both speculative and non-speculative frames, | 
|  | // however speculative frames cannot be discarded and | 
|  | // FastShutdownIfPossible() will no-op if speculative frames are hosted in | 
|  | // the process. This is because a pending view is registered on the process | 
|  | // when a speculative frame is created. | 
|  | bool only_discarded_frames = true; | 
|  | std::set<RenderWidgetHost*> discarded_widgets; | 
|  | host_->ForEachRenderFrameHost( | 
|  | [&only_discarded_frames, &discarded_widgets](RenderFrameHost* rfh) { | 
|  | if (static_cast<RenderFrameHostImpl*>(rfh) | 
|  | ->document_associated_data() | 
|  | .is_discarded()) { | 
|  | discarded_widgets.insert(rfh->GetRenderWidgetHost()); | 
|  | } else { | 
|  | only_discarded_frames = false; | 
|  | } | 
|  | }); | 
|  |  | 
|  | // Attempt a shutdown if the the renderer is hosting only discarded frames. | 
|  | if (discarded_widgets.empty() || !only_discarded_frames) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If shutdown re-attempts have exceeded the kKeepAliveHandleFactoryTimeout | 
|  | // then attempt a final shutdown ignoring any active keep-alive refs. | 
|  | if (keep_alive_timeout_for_testing_ || | 
|  | retries_ * kProcessShutdownRetryDelay >= | 
|  | RenderProcessHostImpl::kKeepAliveHandleFactoryTimeout) { | 
|  | host_->FastShutdownIfPossible( | 
|  | /*page_count=*/discarded_widgets.size(), | 
|  | /*skip_unload_handlers=*/true, | 
|  | /*ignore_workers=*/true, | 
|  | /*ignore_keep_alive=*/true); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If re-attempts have not yet reached kKeepAliveHandleFactoryTimeout | 
|  | // attempt a shutdown honoring any existing keep-alive refs. Schedule a | 
|  | // retry if fast shutdown is blocked. | 
|  | if (!host_->FastShutdownIfPossible( | 
|  | /*page_count=*/discarded_widgets.size(), | 
|  | /*skip_unload_handlers=*/true, | 
|  | /*ignore_workers=*/true, | 
|  | /*ignore_keep_alive=*/false)) { | 
|  | retries_++; | 
|  | shutdown_attempt_timer_.Start( | 
|  | FROM_HERE, kProcessShutdownRetryDelay, | 
|  | base::BindRepeating(&DiscardedRFHProcessHelper::ShutdownIfPossible, | 
|  | base::Unretained(this))); | 
|  | } | 
|  | } | 
|  |  | 
|  | // `retries_` tracks the number of shutdown attempts. | 
|  | int retries_ = 0; | 
|  |  | 
|  | // Timer for the task that attempts to shutdown the render process. | 
|  | base::RetainingOneShotTimer shutdown_attempt_timer_; | 
|  |  | 
|  | // Owns this. | 
|  | const raw_ptr<RenderProcessHost> host_; | 
|  |  | 
|  | bool keep_alive_timeout_for_testing_ = false; | 
|  | }; | 
|  |  | 
|  | // Helper to record trace events and metrics for a navigation to `url`, using | 
|  | // the timestamps stored in `timeline`. | 
|  | // | 
|  | // This is similar to NavigationRequest::MaybeRecordTraceEventsAndHistograms(), | 
|  | // but improves on it in the following ways: (1) this works for any navigation, | 
|  | // whereas the NavigationRequest version was intended to be used in certain | 
|  | // narrow cases, (2) this is designed to be called at the very end of navigation | 
|  | // commit, which occurs after NavigationRequest destruction, and (3) this | 
|  | // introduces additional slices (e.g. CommitToDidCommit) to give a more thorough | 
|  | // start-to-finish breakdown of navigation timing, and uses more accurate | 
|  | // timestamps for some other slices. Eventually, | 
|  | // NavigationRequest::MaybeRecordTraceEventsAndHistograms() should be replaced | 
|  | // with this function. | 
|  | // | 
|  | // `ukm_builder` should be available only when the navigation is for a main | 
|  | // frame. Thus, we don't need to record separate main-frame-only metrics for | 
|  | // UKMs. | 
|  | void RecordNavigationTraceEventsAndMetrics( | 
|  | const NavigationRequest::Timeline& timeline, | 
|  | const GURL& url, | 
|  | bool is_primary_main_frame, | 
|  | bool is_same_document_navigation, | 
|  | std::optional<ukm::builders::NavigationTimeline>& ukm_builder) { | 
|  | DCHECK(!timeline.start.is_null()); | 
|  |  | 
|  | // Record these trace events in a global "Navigations" track, so that it can | 
|  | // be found under "Global Track Events". Since this contains events from | 
|  | // both the browser and renderer processes, this is preferable to nesting | 
|  | // the track under a particular process. | 
|  | constexpr uint64_t kGlobalInstantTrackId = 0; | 
|  | static const perfetto::NamedTrack track1( | 
|  | "Navigation: Timelines", base::trace_event::GetNextGlobalTraceId(), | 
|  | perfetto::Track::Global(kGlobalInstantTrackId)); | 
|  |  | 
|  | // Convenient alias for `ukm::builders::NavigationTimeline` member functions. | 
|  | using UkmBuilderMethod = ukm::builders::NavigationTimeline& ( | 
|  | ukm::builders::NavigationTimeline::*)(int64_t); | 
|  |  | 
|  | // Define a helper to log both a trace event slice and a corresponding metric | 
|  | // for one stage of a navigation. If `ukm_builder_method` is specified, it | 
|  | // will be used for recording UKMs. If `histogram_name` is specified, it will | 
|  | // be used for the histogram name instead of `name`. If `url` is specified, it | 
|  | // will be emitted as page_load.url argument along the trace event. | 
|  | auto log_trace_event_and_uma = | 
|  | [&](perfetto::StaticString name, const perfetto::NamedTrack track, | 
|  | const base::TimeTicks& begin_time, const base::TimeTicks& end_time, | 
|  | std::optional<UkmBuilderMethod> ukm_builder_method = std::nullopt, | 
|  | const std::string& histogram_name = std::string(), | 
|  | const std::string& url = std::string()) { | 
|  | if (begin_time.is_null() || end_time.is_null()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // TODO(alexmos): These cases should never happen in practice, unless | 
|  | // the renderer provides inaccurate timestamps (either by lying, or due | 
|  | // to inter-process time skew that hasn't yet been adjusted with | 
|  | // InterProcessTimeTicksConverter). This should be tightened up to | 
|  | // validate (and possibly adjust) the renderer-provided timestamps and | 
|  | // then convert this to a CHECK. | 
|  | if (begin_time < timeline.start || end_time > timeline.finish) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Note that some cases in practice (e.g., prefetch, headless virtual | 
|  | // time) may cause end_time to be before begin_time. This can happen in | 
|  | // unit tests or due to compromised renderers as well. Skip trace events | 
|  | // and metrics in these ill-defined cases. | 
|  | if (end_time < begin_time) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | TRACE_EVENT_BEGIN("navigation", name, track, begin_time, | 
|  | [&](perfetto::EventContext& ctx) { | 
|  | if (url.empty()) { | 
|  | return; | 
|  | } | 
|  | perfetto::protos::pbzero::PageLoad* page_load = | 
|  | ctx.event<ChromeTrackEvent>()->set_page_load(); | 
|  | page_load->set_url(url); | 
|  | }); | 
|  | TRACE_EVENT_END("navigation", track, end_time); | 
|  |  | 
|  | // When provided, `histogram_name` is used to avoid including variable | 
|  | // or sensitive data in the reported metric name. For example, `name` | 
|  | // may include the navigation URL when measuring the start-to-finish | 
|  | // time, but we only want to use that for trace events and omit the | 
|  | // URL in metric names for UMA. | 
|  | base::UmaHistogramTimes( | 
|  | "Navigation.Timeline." + | 
|  | (histogram_name.empty() ? std::string(name.value) | 
|  | : histogram_name) + | 
|  | ".Duration", | 
|  | end_time - begin_time); | 
|  |  | 
|  | if (ukm_builder.has_value() && ukm_builder_method.has_value()) { | 
|  | base::BindRepeating(*ukm_builder_method, | 
|  | // Safe: `ukm_builder` outlives this method call. | 
|  | base::Unretained(&*ukm_builder)) | 
|  | .Run((end_time - begin_time).InMilliseconds()); | 
|  | } | 
|  | }; | 
|  |  | 
|  | // Actual navigation events are logged below in contiguous (or nested) | 
|  | // intervals. | 
|  |  | 
|  | // Record a top-level "Navigation" trace event with the duration of the | 
|  | // full navigation, and then break it down into nested intervals which will | 
|  | // show up under it. Note that `url` is the committing URL, which might differ | 
|  | // from the starting URL, e.g. due to redirects. | 
|  | // TODO(crbug.com/405437928): Overlapping navigations may incorrectly appear | 
|  | // to be nested, using the wrong end times. | 
|  | log_trace_event_and_uma("NavigationTotal", track1, timeline.start, | 
|  | timeline.finish, | 
|  | &ukm::builders::NavigationTimeline::SetTotalDuration, | 
|  | /*histogram_name=*/"Total", /*url=*/url.spec()); | 
|  | // Emit a trace event with url in the name for convenience. | 
|  | // TODO(crbug.com/415720503): Remove once Perfetto navigation plugins | 
|  | // surfaces urls. | 
|  | std::string top_level_trace_event_name = "Navigation: " + url.spec(); | 
|  | TRACE_EVENT_BEGIN("navigation", | 
|  | perfetto::DynamicString(top_level_trace_event_name), track1, | 
|  | timeline.start); | 
|  | TRACE_EVENT_END("navigation", track1, timeline.finish); | 
|  |  | 
|  | if (!timeline.begin_navigation.is_null()) { | 
|  | // Most navigations (other than synchronous renderer commits) go through | 
|  | // BeginNavigation and the phases below. This includes page activations like | 
|  | // bfcache and prerender, which do not send commit IPCs. | 
|  |  | 
|  | // Record Start -> {BeforeUnloadPhase1} -> NavigationRequest. | 
|  | if (!timeline.beforeunload_phase1_start.is_null()) { | 
|  | log_trace_event_and_uma("StartToBeforeUnloadPhase1", track1, | 
|  | timeline.start, | 
|  | timeline.beforeunload_phase1_start, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetStartToBeforeUnloadPhase1Duration); | 
|  | log_trace_event_and_uma( | 
|  | "BeforeUnloadPhase1", track1, timeline.beforeunload_phase1_start, | 
|  | timeline.beforeunload_phase1_end, | 
|  | &ukm::builders::NavigationTimeline::SetBeforeUnloadPhase1Duration); | 
|  | log_trace_event_and_uma( | 
|  | "BeforeUnloadPhase1ToNavigationRequestCreation", track1, | 
|  | timeline.beforeunload_phase1_end, | 
|  | timeline.navigation_request_creation, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetBeforeUnloadPhase1ToNavigationRequestCreationDuration); | 
|  | } else { | 
|  | log_trace_event_and_uma("StartToNavigationRequestCreation", track1, | 
|  | timeline.start, | 
|  | timeline.navigation_request_creation, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetStartToNavigationRequestCreationDuration); | 
|  | } | 
|  |  | 
|  | // Record NavigationRequest -> {BeforeUnloadPhase2} -> BeginNavigation. | 
|  | if (!timeline.beforeunload_phase2_start.is_null()) { | 
|  | log_trace_event_and_uma( | 
|  | "NavigationRequestToBeforeUnloadPhase2", track1, | 
|  | timeline.navigation_request_creation, | 
|  | timeline.beforeunload_phase2_start, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetNavigationRequestToBeforeUnloadPhase2Duration); | 
|  | log_trace_event_and_uma( | 
|  | "BeforeUnloadPhase2", track1, timeline.beforeunload_phase2_start, | 
|  | timeline.beforeunload_phase2_end, | 
|  | &ukm::builders::NavigationTimeline::SetBeforeUnloadPhase2Duration); | 
|  | log_trace_event_and_uma( | 
|  | "BeforeUnloadPhase2ToBeginNavigation", track1, | 
|  | timeline.beforeunload_phase2_end, timeline.begin_navigation, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetBeforeUnloadPhase2ToBeginNavigationDuration); | 
|  | } else { | 
|  | log_trace_event_and_uma( | 
|  | "NavigationRequestToBeginNavigation", track1, | 
|  | timeline.navigation_request_creation, timeline.begin_navigation, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetNavigationRequestToBeginNavigationDuration); | 
|  | } | 
|  |  | 
|  | // For navigations that don't use a URLLoader, such as about:blank | 
|  | // navigations, record a single interval from BeginNavigation to sending the | 
|  | // CommitNavigation IPC, which will include choosing the target SiteInstance | 
|  | // WillCommitWithoutUrlLoader throttle processing, etc. Do the same for | 
|  | // navigations that encounter an error and never see a response from the | 
|  | // loader. Otherwise, break down the URL loading into several finer-grained | 
|  | // intervals. | 
|  | if (timeline.loader_start.is_null() || | 
|  | timeline.receive_response.is_null()) { | 
|  | log_trace_event_and_uma("BeginNavigationToCommit", track1, | 
|  | timeline.begin_navigation, | 
|  | timeline.commit_ipc_sent, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetBeginNavigationToCommitDuration); | 
|  | } else { | 
|  | log_trace_event_and_uma("BeginNavigationToLoaderStart", track1, | 
|  | timeline.begin_navigation, timeline.loader_start, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetBeginNavigationToLoaderStartDuration); | 
|  | log_trace_event_and_uma("LoaderStartToReceiveResponse", track1, | 
|  | timeline.loader_start, timeline.receive_response, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetLoaderStartToReceiveResponseDuration); | 
|  |  | 
|  | // Generate the nested loader events contained within | 
|  | // LoaderStartToReceiveResponse. `loader_fetch_start` can be earlier than | 
|  | // `loader_start` when Prefetch or Prerendering is enabled. Don't record | 
|  | // metrics or traces in such cases to avoid skewing the data. | 
|  | if (timeline.loader_start <= timeline.loader_fetch_start) { | 
|  | log_trace_event_and_uma("LoaderStartToFetchStart", track1, | 
|  | timeline.loader_start, | 
|  | timeline.loader_fetch_start, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetLoaderStartToFetchStartDuration); | 
|  | log_trace_event_and_uma("FetchStartToReceiveHeaders", track1, | 
|  | timeline.loader_fetch_start, | 
|  | timeline.loader_receive_headers, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetFetchStartToReceiveHeadersDuration); | 
|  | // TODO(alexmos): add events for redirects when they are present. | 
|  | log_trace_event_and_uma("ReceiveHeadersToReceiveResponse", track1, | 
|  | timeline.loader_receive_headers, | 
|  | timeline.receive_response, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetReceiveHeadersToReceiveResponseDuration); | 
|  | } | 
|  |  | 
|  | log_trace_event_and_uma("ReceiveResponseToCommit", track1, | 
|  | timeline.receive_response, | 
|  | timeline.commit_ipc_sent, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetReceiveResponseToCommitDuration); | 
|  | } | 
|  |  | 
|  | log_trace_event_and_uma( | 
|  | "CommitToDidCommit", track1, timeline.commit_ipc_sent, | 
|  | timeline.did_commit_ipc_received, | 
|  | &ukm::builders::NavigationTimeline::SetCommitToDidCommitDuration); | 
|  | } else { | 
|  | // Navigations without a `begin_navigation` timestamp are synchronous | 
|  | // renderer commits, like same-document navigations and the synchronous | 
|  | // about:blank commit. | 
|  | // TODO(crbug.com/409589669): The `timeline.start` value is currently set to | 
|  | // `renderer_commit_ipc_received` in `DidCommitNavigationInternal`, making | 
|  | // `StartToSyncRendererCommit` zero sized. Move the start time earlier. | 
|  | log_trace_event_and_uma("StartToSyncRendererCommit", track1, timeline.start, | 
|  | timeline.renderer_commit_ipc_received, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetStartToSyncRendererCommitDuration); | 
|  | log_trace_event_and_uma( | 
|  | "CommitToDidCommit", track1, timeline.renderer_commit_ipc_received, | 
|  | timeline.did_commit_ipc_received, | 
|  | &ukm::builders::NavigationTimeline::SetCommitToDidCommitDuration); | 
|  | } | 
|  |  | 
|  | // Generate a nested slice for the renderer side of the navigation commit, | 
|  | // contained within CommitToDidCommit. | 
|  | log_trace_event_and_uma( | 
|  | "RendererCommitToDidCommit", track1, | 
|  | timeline.renderer_commit_ipc_received, | 
|  | timeline.renderer_did_commit_ipc_sent, | 
|  | &ukm::builders::NavigationTimeline::SetRendererCommitToDidCommitDuration); | 
|  | log_trace_event_and_uma( | 
|  | "DidCommitToFinish", track1, timeline.did_commit_ipc_received, | 
|  | timeline.finish, | 
|  | &ukm::builders::NavigationTimeline::SetDidCommitToFinishDuration); | 
|  |  | 
|  | // Create a second track (with the same name but a different ID) for showing | 
|  | // non-nested events about the duration of the navigation, with beforeunload | 
|  | // time removed. Note that the track names are not visible in the Perfetto UI. | 
|  | static const perfetto::NamedTrack track2( | 
|  | "Navigation: Durations", base::trace_event::GetNextGlobalTraceId(), | 
|  | perfetto::Track::Global(kGlobalInstantTrackId)); | 
|  |  | 
|  | // Excluding beforeunload time from the total navigation duration is useful | 
|  | // because it is not under the browser's control, and may include long periods | 
|  | // of waiting for the user to interact with a dialog. | 
|  | base::TimeDelta beforeunload_total_duration; | 
|  | if (!timeline.beforeunload_phase1_start.is_null()) { | 
|  | beforeunload_total_duration += | 
|  | timeline.beforeunload_phase1_end - timeline.beforeunload_phase1_start; | 
|  | } | 
|  | if (!timeline.beforeunload_phase2_start.is_null()) { | 
|  | beforeunload_total_duration += | 
|  | timeline.beforeunload_phase2_end - timeline.beforeunload_phase2_start; | 
|  | } | 
|  |  | 
|  | // Record how much time was correctly ignored by current navigation metrics, | 
|  | // by moving it to the start of the duration. | 
|  | base::TimeTicks duration_start = timeline.start + beforeunload_total_duration; | 
|  | log_trace_event_and_uma( | 
|  | "CorrectlyIgnored", track2, timeline.start, duration_start, | 
|  | &ukm::builders::NavigationTimeline::SetIgnoredCorrectlyDuration, | 
|  | /*histogram_name=*/"IgnoredCorrectly"); | 
|  | // Record the remaining duration of the navigation, moving the start time | 
|  | // forward by the amount that was ignored. | 
|  | log_trace_event_and_uma("TotalExcludingBeforeUnload", track2, duration_start, | 
|  | timeline.finish, | 
|  | &ukm::builders::NavigationTimeline:: | 
|  | SetTotalExcludingBeforeUnloadDuration); | 
|  |  | 
|  | // Also record a separate metric for main-frame, cross-document cases for | 
|  | // better comparison with guardrail metrics. | 
|  | bool is_main_frame_cross_doc = | 
|  | is_primary_main_frame && !is_same_document_navigation; | 
|  | if (is_main_frame_cross_doc && (timeline.finish >= duration_start)) { | 
|  | base::UmaHistogramTimes( | 
|  | "Navigation.Timeline.TotalExcludingBeforeUnload.MainFrameOnly.Duration", | 
|  | timeline.finish - duration_start); | 
|  | } | 
|  |  | 
|  | // Most navigation metrics currently ignore everything before the adjusted | 
|  | // common_params start time, which is after any beforeunload handling (either | 
|  | // phase 1 or phase 2). This is incorrect, because it excludes a significant | 
|  | // amount of work done before and between the two beforeunload phases. Record | 
|  | // how much of this time was ignored incorrectly to determine the impact of | 
|  | // changing the metrics. In the trace viewer, this time is shown nested within | 
|  | // (and at the start of) `TotalExcludingBeforeUnload`, to visually see how | 
|  | // much of the navigation duration such metrics are ignoring. | 
|  | // TODO(crbug.com/385170155): Move to a more accurate navigation start so that | 
|  | // we don't incorrectly ignore anything, and remove the metrics below. | 
|  | if (duration_start < timeline.common_params_start) { | 
|  | log_trace_event_and_uma( | 
|  | "IncorrectlyIgnored", track2, duration_start, | 
|  | timeline.common_params_start, | 
|  | &ukm::builders::NavigationTimeline::SetIgnoredIncorrectlyDuration, | 
|  | /*histogram_name=*/"IgnoredIncorrectly"); | 
|  | if (is_main_frame_cross_doc && | 
|  | (timeline.common_params_start >= duration_start)) { | 
|  | base::UmaHistogramTimes( | 
|  | "Navigation.Timeline.IgnoredIncorrectly.MainFrameOnly.Duration", | 
|  | timeline.common_params_start - duration_start); | 
|  | } | 
|  | // Also record what percentage was incorrectly ignored. We don't record UKMs | 
|  | // for that. | 
|  | base::TimeDelta ignored_incorrectly = | 
|  | timeline.common_params_start - duration_start; | 
|  | base::TimeDelta total_excluding_beforeunload = | 
|  | timeline.finish - duration_start; | 
|  | if (!ignored_incorrectly.is_negative() && | 
|  | total_excluding_beforeunload.is_positive()) { | 
|  | size_t ignored_percentage = | 
|  | 100 * ignored_incorrectly / total_excluding_beforeunload; | 
|  | base::UmaHistogramPercentage( | 
|  | "Navigation.Timeline.IgnoredIncorrectly.Percentage", | 
|  | ignored_percentage); | 
|  | if (is_main_frame_cross_doc) { | 
|  | base::UmaHistogramPercentage( | 
|  | "Navigation.Timeline.IgnoredIncorrectly.MainFrameOnly.Percentage", | 
|  | ignored_percentage); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | if (ukm_builder.has_value()) { | 
|  | ukm_builder->Record(ukm::UkmRecorder::Get()); | 
|  | } | 
|  | } | 
|  | }  // namespace | 
|  |  | 
|  | class RenderFrameHostImpl::SubresourceLoaderFactoriesConfig { | 
|  | public: | 
|  | static SubresourceLoaderFactoriesConfig ForLastCommittedNavigation( | 
|  | RenderFrameHostImpl& frame) { | 
|  | SubresourceLoaderFactoriesConfig result; | 
|  | result.origin_ = frame.GetLastCommittedOrigin(); | 
|  | result.isolation_info_ = frame.GetIsolationInfoForSubresources(); | 
|  | result.client_security_state_ = frame.BuildClientSecurityState(); | 
|  | if (frame.coep_reporter_) { | 
|  | frame.coep_reporter_->Clone( | 
|  | result.coep_reporter_.BindNewPipeAndPassReceiver()); | 
|  | } | 
|  | if (frame.dip_reporter_) { | 
|  | frame.dip_reporter_->Clone( | 
|  | result.dip_reporter_.BindNewPipeAndPassReceiver()); | 
|  | } | 
|  | result.trust_token_redemption_policy_ = | 
|  | DetermineAfterCommitWhetherToForbidTrustTokenOperation( | 
|  | frame, network::mojom::TrustTokenOperationType::kRedemption); | 
|  | result.trust_token_issuance_policy_ = | 
|  | DetermineAfterCommitWhetherToForbidTrustTokenOperation( | 
|  | frame, network::mojom::TrustTokenOperationType::kIssuance); | 
|  |  | 
|  | // Our data collection policy disallows collecting UKMs while prerendering. | 
|  | // So, assign a valid ID only when the page is not in the prerendering | 
|  | // state. See //content/browser/preloading/prerender/README.md and ask the | 
|  | // team to explore options to record data for prerendering pages. | 
|  | result.ukm_source_id_ = ukm::SourceIdObj::FromInt64( | 
|  | frame.IsInLifecycleState(LifecycleState::kPrerendering) | 
|  | ? ukm::kInvalidSourceId | 
|  | : frame.GetPageUkmSourceId()); | 
|  |  | 
|  | result.cookie_setting_overrides_ = | 
|  | frame.document_associated_data_->cookie_setting_overrides(); | 
|  |  | 
|  | // Determine if the frame's sandboxing policy contains the | 
|  | // `allow-same-site-none-cookies` value and a CookieSettingOverride should | 
|  | // be applied so SameSite=None cookies are included in requests from this | 
|  | // context. See | 
|  | // https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies | 
|  | if (frame.HasPolicyContainerHost() && | 
|  | IsOriginSandboxedWithAllowSameSiteNoneCookiesValue( | 
|  | frame.active_sandbox_flags()) && | 
|  | frame.AncestorsAllowSameSiteNoneCookiesOverride(result.origin())) { | 
|  | result.cookie_setting_overrides_.Put( | 
|  | net::CookieSettingOverride::kAllowSameSiteNoneCookiesInSandbox); | 
|  | } | 
|  | return result; | 
|  | } | 
|  |  | 
|  | static SubresourceLoaderFactoriesConfig ForPendingNavigation( | 
|  | NavigationRequest& navigation_request) { | 
|  | SubresourceLoaderFactoriesConfig result; | 
|  | result.origin_ = navigation_request.GetOriginToCommit().value(); | 
|  | result.client_security_state_ = | 
|  | navigation_request.BuildClientSecurityStateForCommittedDocument(); | 
|  | result.ukm_source_id_ = ukm::SourceIdObj::FromInt64( | 
|  | navigation_request.GetNextPageUkmSourceId()); | 
|  |  | 
|  | // TODO(lukasza): Consider pushing the ok-vs-error differentiation into | 
|  | // NavigationRequest methods (e.g. into |isolation_info_for_subresources| | 
|  | // and/or |coep_reporter| methods). | 
|  | if (navigation_request.DidEncounterError()) { | 
|  | // Error frames gets locked down `isolation_info_`, | 
|  | // `trust_token_redemption_policy_` and `trust_token_issuance_policy_` | 
|  | // plus an empty/uninitialized `coep_reporter_`. | 
|  | result.isolation_info_ = | 
|  | net::IsolationInfo::CreateTransient(/*nonce=*/std::nullopt); | 
|  | result.trust_token_redemption_policy_ = | 
|  | network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | result.trust_token_issuance_policy_ = | 
|  | network::mojom::TrustTokenOperationPolicyVerdict::kForbid; | 
|  | } else { | 
|  | result.isolation_info_ = | 
|  | navigation_request.isolation_info_for_subresources(); | 
|  | if (navigation_request.coep_reporter()) { | 
|  | navigation_request.coep_reporter()->Clone( | 
|  | result.coep_reporter_.BindNewPipeAndPassReceiver()); | 
|  | } | 
|  | if (navigation_request.dip_reporter()) { | 
|  | navigation_request.dip_reporter()->Clone( | 
|  | result.dip_reporter_.BindNewPipeAndPassReceiver()); | 
|  | } | 
|  | result.trust_token_redemption_policy_ = | 
|  | DetermineWhetherToForbidTrustTokenOperation( | 
|  | navigation_request.GetRenderFrameHost(), | 
|  | navigation_request.commit_params(), result.origin(), | 
|  | network::mojom::TrustTokenOperationType::kRedemption); | 
|  | result.trust_token_issuance_policy_ = | 
|  | DetermineWhetherToForbidTrustTokenOperation( | 
|  | navigation_request.GetRenderFrameHost(), | 
|  | navigation_request.commit_params(), result.origin(), | 
|  | network::mojom::TrustTokenOperationType::kIssuance); | 
|  |  | 
|  | // Determine if the frame's sandboxing policy contains the | 
|  | // `allow-same-site-none-cookies` value and a CookieSettingOverride should | 
|  | // be applied so SameSite=None cookies are included in requests from this | 
|  | // context. See | 
|  | // https://github.com/explainers-by-googlers/csp-sandbox-allow-same-site-none-cookies | 
|  | if (!navigation_request.IsSameDocument() && | 
|  | IsOriginSandboxedWithAllowSameSiteNoneCookiesValue( | 
|  | navigation_request.SandboxFlagsToCommit()) && | 
|  | navigation_request.GetRenderFrameHost() | 
|  | ->AncestorsAllowSameSiteNoneCookiesOverride(result.origin())) { | 
|  | result.cookie_setting_overrides_.Put( | 
|  | net::CookieSettingOverride::kAllowSameSiteNoneCookiesInSandbox); | 
|  | } | 
|  | } | 
|  |  | 
|  | return result; | 
|  | } | 
|  |  | 
|  | // ForPendingOrLastCommittedNavigation is useful in scenarios where there is | 
|  | // no coordination between the timing of 1) a navigation commit and 2) | 
|  | // subresource loader factories bundle creation.  For example, using | 
|  | // ForPendingOrLastCommittedNavigation from UpdateSubresourceLoaderFactories | 
|  | // leads to using the correct SubresourceLoaderFactoriesConfig regardless of | 
|  | // the timing of when a NetworkService crash triggers a call to | 
|  | // UpdateSubresourceLoaderFactories: | 
|  | // 1. If the crash happens when there is an in-flight Commit IPC to the | 
|  | //    renderer process, then the newly created subresource loader factories | 
|  | //    will arrive at the renderer *after* the Commit IPC and therefore the | 
|  | //    factories need to use the configuration (e.g. the origin) based on the | 
|  | //    pending navigation. | 
|  | // 2. OTOH, if the crash happens when there is no in-flight Commit IPC then | 
|  | //    the newly created factories should use the configuration based on the | 
|  | //    last committed navigation. | 
|  | // | 
|  | // TODO(crbug.com/40523839): ForPendingOrLastCommittedNavigation might | 
|  | // not be needed once we have RenderDocumentHost (e.g. we swap on every | 
|  | // cross-document navigation), because with RenderDocumentHost there is no | 
|  | // risk of sending last-commited-navigation-based subresource loaders to a | 
|  | // document different from the last-committed one. | 
|  | static SubresourceLoaderFactoriesConfig ForPendingOrLastCommittedNavigation( | 
|  | RenderFrameHostImpl& frame) { | 
|  | NavigationRequest* navigation_request = | 
|  | frame.FindLatestNavigationRequestThatIsStillCommitting(); | 
|  | return navigation_request ? ForPendingNavigation(*navigation_request) | 
|  | : ForLastCommittedNavigation(frame); | 
|  | } | 
|  |  | 
|  | ~SubresourceLoaderFactoriesConfig() = default; | 
|  |  | 
|  | SubresourceLoaderFactoriesConfig(SubresourceLoaderFactoriesConfig&&) = | 
|  | default; | 
|  | SubresourceLoaderFactoriesConfig& operator=( | 
|  | SubresourceLoaderFactoriesConfig&&) = default; | 
|  |  | 
|  | SubresourceLoaderFactoriesConfig(const SubresourceLoaderFactoriesConfig&) = | 
|  | delete; | 
|  | SubresourceLoaderFactoriesConfig& operator=( | 
|  | const SubresourceLoaderFactoriesConfig&) = delete; | 
|  |  | 
|  | const url::Origin& origin() const { return origin_; } | 
|  | const net::IsolationInfo& isolation_info() const { return isolation_info_; } | 
|  |  | 
|  | network::mojom::ClientSecurityStatePtr GetClientSecurityState() const { | 
|  | return mojo::Clone(client_security_state_); | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::CrossOriginEmbedderPolicyReporter> | 
|  | GetCoepReporter() const { | 
|  | mojo::PendingRemote<network::mojom::CrossOriginEmbedderPolicyReporter> p; | 
|  | if (coep_reporter_) { | 
|  | coep_reporter_->Clone(p.InitWithNewPipeAndPassReceiver()); | 
|  | } | 
|  | return p; | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::DocumentIsolationPolicyReporter> | 
|  | GetDipReporter() const { | 
|  | mojo::PendingRemote<network::mojom::DocumentIsolationPolicyReporter> p; | 
|  | if (dip_reporter_) { | 
|  | dip_reporter_->Clone(p.InitWithNewPipeAndPassReceiver()); | 
|  | } | 
|  | return p; | 
|  | } | 
|  |  | 
|  | const network::mojom::TrustTokenOperationPolicyVerdict& | 
|  | trust_token_redemption_policy() const { | 
|  | return trust_token_redemption_policy_; | 
|  | } | 
|  |  | 
|  | const network::mojom::TrustTokenOperationPolicyVerdict& | 
|  | trust_token_issuance_policy() const { | 
|  | return trust_token_issuance_policy_; | 
|  | } | 
|  |  | 
|  | const ukm::SourceIdObj& ukm_source_id() const { return ukm_source_id_; } | 
|  |  | 
|  | const net::CookieSettingOverrides& cookie_setting_overrides() const { | 
|  | return cookie_setting_overrides_; | 
|  | } | 
|  |  | 
|  | private: | 
|  | // Private constructor - please go through the static For... methods. | 
|  | SubresourceLoaderFactoriesConfig() = default; | 
|  |  | 
|  | url::Origin origin_; | 
|  | net::IsolationInfo isolation_info_; | 
|  | network::mojom::ClientSecurityStatePtr client_security_state_; | 
|  | mojo::Remote<network::mojom::CrossOriginEmbedderPolicyReporter> | 
|  | coep_reporter_; | 
|  | mojo::Remote<network::mojom::DocumentIsolationPolicyReporter> dip_reporter_; | 
|  | network::mojom::TrustTokenOperationPolicyVerdict trust_token_issuance_policy_; | 
|  | network::mojom::TrustTokenOperationPolicyVerdict | 
|  | trust_token_redemption_policy_; | 
|  | ukm::SourceIdObj ukm_source_id_; | 
|  | net::CookieSettingOverrides cookie_setting_overrides_; | 
|  | }; | 
|  |  | 
|  | struct PendingNavigation { | 
|  | blink::mojom::CommonNavigationParamsPtr common_params; | 
|  | blink::mojom::BeginNavigationParamsPtr begin_navigation_params; | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory; | 
|  | mojo::PendingAssociatedRemote<mojom::NavigationClient> navigation_client; | 
|  | mojo::PendingReceiver<mojom::NavigationRendererCancellationListener> | 
|  | renderer_cancellation_listener; | 
|  |  | 
|  | PendingNavigation( | 
|  | blink::mojom::CommonNavigationParamsPtr common_params, | 
|  | blink::mojom::BeginNavigationParamsPtr begin_navigation_params, | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory, | 
|  | mojo::PendingAssociatedRemote<mojom::NavigationClient> navigation_client, | 
|  | mojo::PendingReceiver<mojom::NavigationRendererCancellationListener> | 
|  | renderer_cancellation_listener); | 
|  | }; | 
|  |  | 
|  | PendingNavigation::PendingNavigation( | 
|  | blink::mojom::CommonNavigationParamsPtr common_params, | 
|  | blink::mojom::BeginNavigationParamsPtr begin_navigation_params, | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory, | 
|  | mojo::PendingAssociatedRemote<mojom::NavigationClient> navigation_client, | 
|  | mojo::PendingReceiver<mojom::NavigationRendererCancellationListener> | 
|  | renderer_cancellation_listener) | 
|  | : common_params(std::move(common_params)), | 
|  | begin_navigation_params(std::move(begin_navigation_params)), | 
|  | blob_url_loader_factory(std::move(blob_url_loader_factory)), | 
|  | navigation_client(std::move(navigation_client)), | 
|  | renderer_cancellation_listener( | 
|  | std::move(renderer_cancellation_listener)) {} | 
|  |  | 
|  | // static | 
|  | RenderFrameHost* RenderFrameHost::FromID(const GlobalRenderFrameHostId& id) { | 
|  | return RenderFrameHostImpl::FromID(id); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHost* RenderFrameHost::FromID(int render_process_id, | 
|  | int render_frame_id) { | 
|  | return RenderFrameHostImpl::FromID( | 
|  | GlobalRenderFrameHostId(render_process_id, render_frame_id)); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHost* RenderFrameHost::FromFrameToken( | 
|  | const GlobalRenderFrameHostToken& frame_token) { | 
|  | return RenderFrameHostImpl::FromFrameToken(frame_token); | 
|  | } | 
|  |  | 
|  | // static | 
|  | void RenderFrameHost::AllowInjectingJavaScript() { | 
|  | g_allow_injecting_javascript = true; | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromID(GlobalRenderFrameHostId id) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | RoutingIDFrameMap* frames = g_routing_id_frame_map.Pointer(); | 
|  | auto it = frames->find(id); | 
|  | return it == frames->end() ? nullptr : it->second; | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromID(int render_process_id, | 
|  | int render_frame_id) { | 
|  | return RenderFrameHostImpl::FromID( | 
|  | GlobalRenderFrameHostId(render_process_id, render_frame_id)); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromFrameToken( | 
|  | const GlobalRenderFrameHostToken& global_frame_token, | 
|  | mojo::ReportBadMessageCallback* process_mismatch_callback) { | 
|  | return RenderFrameHostImpl::FromFrameToken(global_frame_token.child_id, | 
|  | global_frame_token.frame_token, | 
|  | process_mismatch_callback); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromFrameToken( | 
|  | int process_id, | 
|  | const blink::LocalFrameToken& frame_token, | 
|  | mojo::ReportBadMessageCallback* process_mismatch_callback) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | auto it = GetTokenFrameMap().find(frame_token); | 
|  | if (it == GetTokenFrameMap().end()) { | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | if (it->second->GetProcess()->GetDeprecatedID() != process_id) { | 
|  | if (process_mismatch_callback) { | 
|  | SYSLOG(WARNING) | 
|  | << "Denying illegal RenderFrameHost::FromFrameToken request."; | 
|  | std::move(*process_mismatch_callback) | 
|  | .Run( | 
|  | "Unknown LocalFrame made RenderFrameHost::FromFrameToken " | 
|  | "request."); | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | return it->second; | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromDocumentToken( | 
|  | int process_id, | 
|  | const blink::DocumentToken& document_token, | 
|  | mojo::ReportBadMessageCallback* process_mismatch_callback) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | auto* rfh = DocumentAssociatedData::GetDocumentFromToken({}, document_token); | 
|  | if (!rfh) { | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | if (rfh->GetProcess()->GetDeprecatedID() != process_id) { | 
|  | if (process_mismatch_callback) { | 
|  | SYSLOG(WARNING) | 
|  | << "Denying illegal RenderFrameHost::FromDocumentToken request."; | 
|  | std::move(*process_mismatch_callback) | 
|  | .Run("process ID does not match requested DocumentToken"); | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | return rfh; | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHost* RenderFrameHost::FromAXTreeID(const ui::AXTreeID& ax_tree_id) { | 
|  | return RenderFrameHostImpl::FromAXTreeID(ax_tree_id); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromAXTreeID( | 
|  | ui::AXTreeID ax_tree_id) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | ui::AXActionHandlerRegistry::FrameID frame_id = | 
|  | ui::AXActionHandlerRegistry::GetInstance()->GetFrameID(ax_tree_id); | 
|  | return RenderFrameHostImpl::FromID(frame_id.first, frame_id.second); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::FromOverlayRoutingToken( | 
|  | const base::UnguessableToken& token) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | auto it = GetTokenFrameMap().find(blink::LocalFrameToken(token)); | 
|  | return it == GetTokenFrameMap().end() ? nullptr : it->second; | 
|  | } | 
|  |  | 
|  | // static | 
|  | void RenderFrameHostImpl::ClearAllPrefetchedSignedExchangeCache() { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | RoutingIDFrameMap* frames = g_routing_id_frame_map.Pointer(); | 
|  | for (auto it : *frames) | 
|  | it.second->ClearPrefetchedSignedExchangeCache(); | 
|  | } | 
|  |  | 
|  | // static | 
|  | void RenderFrameHostImpl::CancelAllNavigationsForBrowserContextShutdown( | 
|  | BrowserContext* browser_context) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | CHECK(browser_context->ShutdownStarted()); | 
|  | RoutingIDFrameMap* frames = g_routing_id_frame_map.Pointer(); | 
|  | // Avoid iterating through the RenderFrameHosts in `frames` directly, since | 
|  | // cancelling a navigation may trigger destruction of a speculative | 
|  | // RenderFrameHost, which may end up invalidating the iterator here. Instead, | 
|  | // create a list of RenderFrameHost IDs to go through and ensure each | 
|  | // RenderFrameHost exists (and that its profile matches the one being | 
|  | // destroyed) before canceling its navigations. See | 
|  | // https://crbug.com/371709958. | 
|  | std::vector<GlobalRenderFrameHostId> rfh_ids; | 
|  | rfh_ids.reserve(frames->size()); | 
|  | std::transform(frames->begin(), frames->end(), std::back_inserter(rfh_ids), | 
|  | [](auto entry) { return entry.first; }); | 
|  | for (auto it : rfh_ids) { | 
|  | auto* rfhi = RenderFrameHostImpl::FromID(it); | 
|  | if (rfhi && rfhi->GetBrowserContext() == browser_context) { | 
|  | rfhi->ResetOwnedNavigationRequests( | 
|  | NavigationDiscardReason::kWillRemoveFrame); | 
|  | rfhi->frame_tree_node()->CancelNavigation( | 
|  | NavigationDiscardReason::kWillRemoveFrame); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40183788): Get/SetCodeCacheHostReceiverHandler are used only | 
|  | // for a test in content/browser/service_worker/service_worker_browsertest | 
|  | // that tests a bad message is returned on an incorrect origin. Try to find a | 
|  | // way to test this without adding these additional methods. | 
|  | RenderFrameHostImpl::CodeCacheHostReceiverHandler& | 
|  | GetCodeCacheHostReceiverHandler() { | 
|  | static base::NoDestructor<RenderFrameHostImpl::CodeCacheHostReceiverHandler> | 
|  | instance; | 
|  | return *instance; | 
|  | } | 
|  |  | 
|  | // static | 
|  | void RenderFrameHostImpl::SetCodeCacheHostReceiverHandlerForTesting( | 
|  | CodeCacheHostReceiverHandler handler) { | 
|  | GetCodeCacheHostReceiverHandler() = handler; | 
|  | } | 
|  |  | 
|  | // static | 
|  | const char* RenderFrameHostImpl::LifecycleStateImplToString( | 
|  | RenderFrameHostImpl::LifecycleStateImpl state) { | 
|  | using LifecycleStateImpl = RenderFrameHostImpl::LifecycleStateImpl; | 
|  | switch (state) { | 
|  | case LifecycleStateImpl::kSpeculative: | 
|  | return "Speculative"; | 
|  | case LifecycleStateImpl::kPrerendering: | 
|  | return "Prerendering"; | 
|  | case LifecycleStateImpl::kPendingCommit: | 
|  | return "PendingCommit"; | 
|  | case LifecycleStateImpl::kActive: | 
|  | return "Active"; | 
|  | case LifecycleStateImpl::kInBackForwardCache: | 
|  | return "InBackForwardCache"; | 
|  | case LifecycleStateImpl::kRunningUnloadHandlers: | 
|  | return "RunningUnloadHandlers"; | 
|  | case LifecycleStateImpl::kReadyToBeDeleted: | 
|  | return "ReadyToBeDeleted"; | 
|  | } | 
|  | } | 
|  |  | 
|  | // static | 
|  | PolicyContainerHost* RenderFrameHostImpl::GetPolicyContainerHost( | 
|  | const blink::LocalFrameToken* frame_token, | 
|  | int initiator_process_id, | 
|  | StoragePartitionImpl* storage_partition) { | 
|  | // There is no null check for `storage_partition` as tests can pass in a null | 
|  | // StoragePartition. | 
|  | CHECK(frame_token); | 
|  |  | 
|  | // Get the PolicyContainerHost directly from the RenderFrameHost if it's still | 
|  | // alive. | 
|  | RenderFrameHostImpl* initiator_rfh = | 
|  | RenderFrameHostImpl::FromFrameToken(initiator_process_id, *frame_token); | 
|  | if (initiator_rfh) { | 
|  | return initiator_rfh->policy_container_host(); | 
|  | } | 
|  |  | 
|  | // Otherwise get it from the NavigationStateKeepAlive stored in | 
|  | // `storage_partition`. | 
|  | NavigationStateKeepAlive* navigation_state = | 
|  | storage_partition->GetNavigationStateKeepAlive(*frame_token); | 
|  | if (navigation_state) { | 
|  | return navigation_state->policy_container_host(); | 
|  | } | 
|  |  | 
|  | // There is no PolicyContainerHost for the given `frame_token`. | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | // static | 
|  | SiteInstanceImpl* RenderFrameHostImpl::GetSourceSiteInstanceFromFrameToken( | 
|  | const blink::LocalFrameToken* frame_token, | 
|  | int initiator_process_id, | 
|  | StoragePartitionImpl* storage_partition) { | 
|  | // There is no null check for `storage_partition` as tests can pass in a null | 
|  | // StoragePartition in the case the initiator RenderFrameHost still exists. | 
|  |  | 
|  | if (!frame_token) { | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | // Get the source SiteInstance directly from the RenderFrameHost if it's still | 
|  | // alive. | 
|  | RenderFrameHostImpl* initiator_rfh = | 
|  | RenderFrameHostImpl::FromFrameToken(initiator_process_id, *frame_token); | 
|  | if (initiator_rfh) { | 
|  | return initiator_rfh->GetSiteInstance(); | 
|  | } | 
|  |  | 
|  | // Otherwise get it from the NavigationStateKeepAlive stored in | 
|  | // `storage_partition`. | 
|  | NavigationStateKeepAlive* navigation_state = | 
|  | storage_partition->GetNavigationStateKeepAlive(*frame_token); | 
|  | if (navigation_state) { | 
|  | return navigation_state->source_site_instance(); | 
|  | } | 
|  |  | 
|  | // There is no source SiteInstance for the given `frame_token`. | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | // static | 
|  | std::optional<bool> RenderFrameHostImpl::GetIsUntrustedNetworkDisabled( | 
|  | const blink::LocalFrameToken* frame_token, | 
|  | int initiator_process_id, | 
|  | StoragePartitionImpl* storage_partition) { | 
|  | CHECK(storage_partition); | 
|  |  | 
|  | if (!frame_token) { | 
|  | return std::nullopt; | 
|  | } | 
|  |  | 
|  | // Get the value directly from the RenderFrameHost if it's still alive. | 
|  | RenderFrameHostImpl* initiator_rfh = | 
|  | RenderFrameHostImpl::FromFrameToken(initiator_process_id, *frame_token); | 
|  | if (initiator_rfh) { | 
|  | return initiator_rfh->IsUntrustedNetworkDisabled(); | 
|  | } | 
|  |  | 
|  | // Otherwise get it from the NavigationStateKeepAlive stored in | 
|  | // `storage_partition`. | 
|  | NavigationStateKeepAlive* navigation_state = | 
|  | storage_partition->GetNavigationStateKeepAlive(*frame_token); | 
|  | if (navigation_state) { | 
|  | // We're not aware of specific cases inside fenced frames where a navigation | 
|  | // can occur that results in a NavigationStateKeepAlive outliving the | 
|  | // associated RFH. For iframes, a top-level navigation from a form submit is | 
|  | // what is typically used to test this case. However, in fenced frames, | 
|  | // top-level (_unfencedTop) form submits are explicitly disallowed (target | 
|  | // _blank is still allowed, but will not result in this code path being | 
|  | // exercised). If we hit this point, log it so that we can learn more about | 
|  | // cases that result in this code path being executed. | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | return navigation_state->is_untrusted_network_disabled(); | 
|  | } | 
|  |  | 
|  | // There is no untrusted network status for the given `frame_token`. | 
|  | return std::nullopt; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::RenderFrameHostImpl( | 
|  | SiteInstance* site_instance, | 
|  | scoped_refptr<RenderViewHostImpl> render_view_host, | 
|  | RenderFrameHostDelegate* delegate, | 
|  | FrameTree* frame_tree, | 
|  | FrameTreeNode* frame_tree_node, | 
|  | int32_t routing_id, | 
|  | mojo::PendingAssociatedRemote<mojom::Frame> frame_remote, | 
|  | const blink::LocalFrameToken& frame_token, | 
|  | const blink::DocumentToken& document_token, | 
|  | base::UnguessableToken devtools_frame_token, | 
|  | bool renderer_initiated_creation_of_main_frame, | 
|  | LifecycleStateImpl lifecycle_state, | 
|  | scoped_refptr<BrowsingContextState> browsing_context_state, | 
|  | blink::FrameOwnerElementType frame_owner_element_type, | 
|  | RenderFrameHostImpl* parent, | 
|  | FencedFrameStatus fenced_frame_status) | 
|  | : render_view_host_(std::move(render_view_host)), | 
|  | delegate_(delegate), | 
|  | site_instance_(static_cast<SiteInstanceImpl*>(site_instance)), | 
|  | agent_scheduling_group_( | 
|  | site_instance_->GetOrCreateAgentSchedulingGroup().GetSafeRef()), | 
|  | frame_tree_(frame_tree), | 
|  | frame_tree_node_(frame_tree_node), | 
|  | owner_(frame_tree_node), | 
|  | browsing_context_state_(std::move(browsing_context_state)), | 
|  | frame_owner_element_type_(frame_owner_element_type), | 
|  | parent_(parent), | 
|  | depth_(parent_ ? parent_->GetFrameDepth() + 1 : 0), | 
|  | last_committed_url_derived_site_info_( | 
|  | site_instance_->GetBrowserContext()), | 
|  | routing_id_(routing_id), | 
|  | beforeunload_timeout_delay_(kUnloadTimeout), | 
|  | frame_(std::move(frame_remote)), | 
|  | waiting_for_init_(renderer_initiated_creation_of_main_frame), | 
|  | frame_token_(frame_token), | 
|  | keep_alive_handle_factory_( | 
|  | agent_scheduling_group_->GetProcess(), | 
|  | RenderProcessHostImpl::kKeepAliveHandleFactoryTimeout), | 
|  | subframe_unload_timeout_(kUnloadTimeout), | 
|  | media_device_id_salt_base_(CreateRandomMediaDeviceIDSalt()), | 
|  | document_associated_data_(std::in_place, *this, document_token), | 
|  | lifecycle_state_(lifecycle_state), | 
|  | cookie_observers_( | 
|  | base::BindRepeating(&RenderFrameHostImpl::NotifyCookiesAccessed, | 
|  | base::Unretained(this))), | 
|  | code_cache_host_receivers_( | 
|  | GetProcess()->GetStoragePartition()->GetGeneratedCodeCacheContext()), | 
|  | fenced_frame_status_(fenced_frame_status), | 
|  | devtools_frame_token_(devtools_frame_token), | 
|  | base_auction_nonce_(base::Uuid::GenerateRandomV4()) { | 
|  | TRACE_EVENT_WITH_FLOW0("navigation", | 
|  | "RenderFrameHostImpl::RenderFrameHostImpl", | 
|  | TRACE_ID_LOCAL(this), TRACE_EVENT_FLAG_FLOW_OUT); | 
|  | TRACE_EVENT_BEGIN("navigation", "RenderFrameHostImpl", | 
|  | perfetto::Track::FromPointer(this), | 
|  | "render_frame_host_when_created", this); | 
|  | base::ScopedUmaHistogramTimer histogram_timer( | 
|  | "Navigation.RenderFrameHostConstructor"); | 
|  | // Update lifecycle state on track of RenderFrameHostImpl. | 
|  | TRACE_EVENT_BEGIN( | 
|  | "navigation", | 
|  | perfetto::StaticString{LifecycleStateImplToString(lifecycle_state_)}, | 
|  | perfetto::Track::FromPointer(this)); | 
|  |  | 
|  | DCHECK_NE(routing_id_, IPC::mojom::kRoutingIdNone); | 
|  | DCHECK(delegate_); | 
|  | DCHECK(lifecycle_state_ == LifecycleStateImpl::kSpeculative || | 
|  | lifecycle_state_ == LifecycleStateImpl::kPrerendering || | 
|  | lifecycle_state_ == LifecycleStateImpl::kActive); | 
|  | // Only main frames have `waiting_for_init_` set. | 
|  | DCHECK(!waiting_for_init_ || !parent_); | 
|  |  | 
|  | GetAgentSchedulingGroup().AddRoute(routing_id_, this); | 
|  | g_routing_id_frame_map.Get().emplace( | 
|  | GlobalRenderFrameHostId(GetProcess()->GetDeprecatedID(), routing_id_), | 
|  | this); | 
|  | GetTokenFrameMap().insert(std::make_pair(frame_token_, this)); | 
|  | site_instance_->group()->AddObserver(this); | 
|  | auto* process = GetProcess(); | 
|  | process->RegisterRenderFrameHost(GetGlobalId(), IsOutermostMainFrame()); | 
|  | GetSiteInstance()->group()->IncrementActiveFrameCount(); | 
|  |  | 
|  | if (parent_) { | 
|  | // All frames in a frame tree should use the same storage partition. | 
|  | CHECK_EQ(parent_->GetStoragePartition(), GetStoragePartition()); | 
|  |  | 
|  | // New child frames should inherit the nav_entry_id of their parent. | 
|  | set_nav_entry_id(parent_->nav_entry_id()); | 
|  | } | 
|  |  | 
|  | if (frame_tree_->is_prerendering()) { | 
|  | // TODO(crbug.com/40150746): Check the prerendering page is | 
|  | // same-origin to the prerender trigger page. | 
|  | mojo_binder_policy_applier_ = | 
|  | MojoBinderPolicyApplier::CreateForSameOriginPrerendering(base::BindOnce( | 
|  | &RenderFrameHostImpl::CancelPrerenderingByMojoBinderPolicy, | 
|  | base::Unretained(this))); | 
|  | broker_.ApplyMojoBinderPolicies(mojo_binder_policy_applier_.get()); | 
|  | } else if (frame_tree_->page_delegate()->IsPageInPreviewMode()) { | 
|  | mojo_binder_policy_applier_ = MojoBinderPolicyApplier::CreateForPreview( | 
|  | base::BindOnce(&RenderFrameHostImpl::CancelPreviewByMojoBinderPolicy, | 
|  | base::Unretained(this))); | 
|  | broker_.ApplyMojoBinderPolicies(mojo_binder_policy_applier_.get()); | 
|  | } | 
|  |  | 
|  | if (lifecycle_state_ != LifecycleStateImpl::kSpeculative) { | 
|  | // Creating a RFH in kActive state implies that it is the RFH for a | 
|  | // newly-created FTN, which should still be on its initial empty document. | 
|  | DCHECK(frame_tree_node_->is_on_initial_empty_document()); | 
|  | } | 
|  |  | 
|  | InitializePolicyContainerHost(renderer_initiated_creation_of_main_frame); | 
|  |  | 
|  | InitializePrivateNetworkRequestPolicy(); | 
|  |  | 
|  | auto task_runner = GetUIThreadTaskRunner({BrowserTaskType::kUserInput}); | 
|  | // TODO(crbug.com/41483375): Stop using BrowserTaskType::kUserInput task | 
|  | // runner for non-input related tasks. | 
|  | unload_event_monitor_timeout_ = std::make_unique<input::TimeoutMonitor>( | 
|  | base::BindRepeating(&RenderFrameHostImpl::OnNavigationUnloadTimeout, | 
|  | weak_ptr_factory_.GetWeakPtr()), | 
|  | task_runner); | 
|  | beforeunload_timeout_ = std::make_unique<input::TimeoutMonitor>( | 
|  | base::BindRepeating(&RenderFrameHostImpl::BeforeUnloadTimeout, | 
|  | weak_ptr_factory_.GetWeakPtr()), | 
|  | task_runner); | 
|  |  | 
|  | // Local roots are: | 
|  | // - main frames; or | 
|  | // - subframes that use a proxy to talk to their parent. | 
|  | // | 
|  | // Local roots require a RenderWidget for input/layout/painting. | 
|  | // Note: We cannot use is_local_root() here because this block sets up the | 
|  | // fields that are used by that method. | 
|  | const bool setup_local_render_widget_host = | 
|  | is_main_frame() || RequiresProxyToParent(); | 
|  | if (setup_local_render_widget_host) { | 
|  | if (is_main_frame()) { | 
|  | // For main frames, the RenderWidgetHost is owned by the RenderViewHost. | 
|  | // TODO(crbug.com/40441137): Once RenderViewHostImpl has-a | 
|  | // RenderWidgetHostImpl, the main render frame should probably start | 
|  | // owning the RenderWidgetHostImpl itself. | 
|  | DCHECK(GetLocalRenderWidgetHost()); | 
|  | } else { | 
|  | // For local child roots, the RenderFrameHost directly creates and owns | 
|  | // its RenderWidgetHost. | 
|  | int32_t widget_routing_id = | 
|  | site_instance->GetProcess()->GetNextRoutingID(); | 
|  | DCHECK_EQ(nullptr, GetLocalRenderWidgetHost()); | 
|  |  | 
|  | auto* previous_rfh = | 
|  | lifecycle_state_ == LifecycleStateImpl::kSpeculative && | 
|  | frame_tree_node_->current_frame_host() | 
|  | ->ShouldReuseCompositing(*GetSiteInstance()) | 
|  | ? frame_tree_node_->current_frame_host() | 
|  | : nullptr; | 
|  | auto frame_sink_id = | 
|  | previous_rfh | 
|  | ? previous_rfh->GetLocalRenderWidgetHost()->GetFrameSinkId() | 
|  | : RenderWidgetHostImpl::DefaultFrameSinkId( | 
|  | *site_instance_->group(), widget_routing_id); | 
|  | owned_render_widget_host_ = RenderWidgetHostFactory::Create( | 
|  | frame_tree_, frame_tree_->render_widget_delegate(), frame_sink_id, | 
|  | site_instance_->group()->GetSafeRef(), widget_routing_id, | 
|  | /*hidden=*/true, | 
|  | /*renderer_initiated_creation=*/false); | 
|  | owned_render_widget_host_->SetViewIsFrameSinkIdOwner(!previous_rfh); | 
|  | } | 
|  |  | 
|  | if (is_main_frame()) | 
|  | GetLocalRenderWidgetHost()->SetIntersectsViewport(true); | 
|  | GetLocalRenderWidgetHost()->SetFrameDepth(depth_); | 
|  | } | 
|  | // Verify is_local_root() now indicates whether this frame is a local root or | 
|  | // not. It is safe to use this method anywhere beyond this point. | 
|  | DCHECK_EQ(setup_local_render_widget_host, is_local_root()); | 
|  | ResetPermissionsPolicy({}); | 
|  |  | 
|  | // New RenderFrameHostImpl are put in their own virtual browsing context | 
|  | // group. Then, they can inherit from: | 
|  | // 1) Their opener in RenderFrameHostImpl::CreateNewWindow(). | 
|  | // 2) Their navigation in RenderFrameHostImpl::DidCommitNavigationInternal(). | 
|  | virtual_browsing_context_group_ = CrossOriginOpenerPolicyAccessReportManager:: | 
|  | NextVirtualBrowsingContextGroup(); | 
|  | soap_by_default_virtual_browsing_context_group_ = | 
|  | CrossOriginOpenerPolicyAccessReportManager:: | 
|  | NextVirtualBrowsingContextGroup(); | 
|  |  | 
|  | // IdleManager should be unique per RenderFrame to provide proper isolation | 
|  | // of overrides. | 
|  | idle_manager_ = std::make_unique<IdleManagerImpl>(this); | 
|  |  | 
|  | // The renderer process priority has been set in the RenderWidgetHost so | 
|  | // it is safe to remove to spare renderer priority here. | 
|  | site_instance->GetProcess()->SetHasSpareRendererPriority(false); | 
|  |  | 
|  | SiteInstanceGroupId sig_id = site_instance_->group()->GetId(); | 
|  | bool rfh_in_bfcache = | 
|  | frame_tree->controller() | 
|  | .GetBackForwardCache() | 
|  | .IsRenderFrameHostWithSIGInBackForwardCacheForDebugging(sig_id); | 
|  | bool rfph_in_bfcache = | 
|  | frame_tree->controller() | 
|  | .GetBackForwardCache() | 
|  | .IsRenderFrameProxyHostWithSIGInBackForwardCacheForDebugging(sig_id); | 
|  | bool rvh_in_bfcache = | 
|  | frame_tree->controller() | 
|  | .GetBackForwardCache() | 
|  | .IsRenderViewHostWithMapIdInBackForwardCacheForDebugging( | 
|  | *render_view_host_); | 
|  | bool related_site_instance_in_bfcache = | 
|  | frame_tree->controller() | 
|  | .GetBackForwardCache() | 
|  | .IsRelatedSiteInstanceInBackForwardCacheForDebugging(*site_instance_); | 
|  | if (rfh_in_bfcache || rfph_in_bfcache || rvh_in_bfcache || | 
|  | related_site_instance_in_bfcache) { | 
|  | SCOPED_CRASH_KEY_BOOL("rvh-double", "rfh_in_bfcache", rfh_in_bfcache); | 
|  | SCOPED_CRASH_KEY_BOOL("rvh-double", "rfph_in_bfcache", rfph_in_bfcache); | 
|  | SCOPED_CRASH_KEY_BOOL("rvh-double", "rvh_in_bfcache", rvh_in_bfcache); | 
|  | SCOPED_CRASH_KEY_NUMBER("rvh-double", "si_id", | 
|  | site_instance_->GetId().value()); | 
|  | SCOPED_CRASH_KEY_NUMBER("rvh-double", "bi_id", | 
|  | site_instance_->GetBrowsingInstanceId().value()); | 
|  | SCOPED_CRASH_KEY_BOOL("rvh-double", "related_si_in_bfcache", | 
|  | related_site_instance_in_bfcache); | 
|  | SCOPED_CRASH_KEY_NUMBER("rvh-double", "related_active_contents", | 
|  | GetSiteInstance()->GetRelatedActiveContentsCount()); | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::~RenderFrameHostImpl() { | 
|  | TRACE_EVENT_WITH_FLOW0("navigation", | 
|  | "RenderFrameHostImpl::~RenderFrameHostImpl", | 
|  | TRACE_ID_LOCAL(this), TRACE_EVENT_FLAG_FLOW_IN); | 
|  | SCOPED_CRASH_KEY_STRING256("Bug1407526", "lifecycle", | 
|  | LifecycleStateImplToString(lifecycle_state())); | 
|  | TRACE_EVENT("navigation", "~RenderFrameHostImpl()", | 
|  | ChromeTrackEvent::kRenderFrameHost, this); | 
|  | base::ScopedUmaHistogramTimer histogram_timer( | 
|  | "Navigation.RenderFrameHostDestructor"); | 
|  |  | 
|  | MaybeResetBoostRenderProcessForLoading(); | 
|  |  | 
|  | // See https://crbug.com/1276535 | 
|  | if (check_deletion_for_bug_1276535_) { | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | } | 
|  |  | 
|  | // The lifetime of this object has ended, so remove it from the id map before | 
|  | // calling any delegates/observers, so that any calls to |FromID| no longer | 
|  | // return |this|. | 
|  | g_routing_id_frame_map.Get().erase( | 
|  | GlobalRenderFrameHostId(GetProcess()->GetDeprecatedID(), routing_id_)); | 
|  |  | 
|  | // Remove this object from the isolatable sandboxed iframe set as well, if | 
|  | // necessary. | 
|  | g_routing_id_isolatable_sandboxed_iframes_set.Get().erase(GetGlobalId()); | 
|  |  | 
|  | // When a RenderFrameHostImpl is deleted, it may still contain children. This | 
|  | // can happen with the unload timer. It causes a RenderFrameHost to delete | 
|  | // itself even if it is still waiting for its children to complete their | 
|  | // unload handlers. | 
|  | // | 
|  | // Observers expect children to be deleted first. Do it now before notifying | 
|  | // them. | 
|  | ResetChildren(); | 
|  |  | 
|  | // Destroying NavigationRequests may call into delegates/observers, | 
|  | // so we do it early while |this| object is still in a sane state. | 
|  | ResetOwnedNavigationRequests( | 
|  | NavigationDiscardReason::kRenderFrameHostDestruction); | 
|  |  | 
|  | // Cancel the navigations (including the ones that are not owned by this | 
|  | // RenderFrameHost) that intends to commit in this RenderFrameHost, as they | 
|  | // can no longer do so. | 
|  | { | 
|  | CHECK(frame_tree_node_); | 
|  | NavigationRequest* navigation_request = | 
|  | frame_tree_node_->navigation_request(); | 
|  | if (navigation_request) { | 
|  | if (navigation_request | 
|  | ->GetRenderFrameHostRestoredFromBackForwardCache() == this) { | 
|  | CHECK(navigation_request->IsServedFromBackForwardCache()); | 
|  | frame_tree_node_->RestartBackForwardCachedNavigationAsync( | 
|  | navigation_request->nav_entry_id()); | 
|  | } else if (navigation_request->HasRenderFrameHost() && | 
|  | navigation_request->GetRenderFrameHost() == this) { | 
|  | // If the navigation has picked its final RenderFrameHost and that RFH | 
|  | // gets destructed, the NavigationRequest can no longer commit in that | 
|  | // RFH. Note that there's a similar reset in | 
|  | // `RenderFrameHostManager::DiscardSpeculativeRFH()`, which will | 
|  | // trigger earlier, so we'll not get here when the RFH deleted is a | 
|  | // speculative / pending commit RFH. | 
|  | CHECK_NE(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | CHECK_NE(lifecycle_state(), LifecycleStateImpl::kPendingCommit); | 
|  | frame_tree_node_->ResetNavigationRequestButKeepState( | 
|  | NavigationDiscardReason::kRenderFrameHostDestruction); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | // Release the WebUI instances before all else as the WebUI may accesses the | 
|  | // RenderFrameHost during cleanup. | 
|  | base::WeakPtr<RenderFrameHostImpl> self = GetWeakPtr(); | 
|  | ClearWebUI(); | 
|  | // `ClearWebUI()` may indirectly call content's embedders and delete this. | 
|  | // There are no known occurrences of it, so we assume this never happen and | 
|  | // crash immediately if it does, because there are no easy ways to recover. | 
|  | CHECK(self); | 
|  |  | 
|  | SetLastCommittedSiteInfo(UrlInfo()); | 
|  |  | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // It's possible to destruct an active RFH when e.g. closing a tab. We | 
|  | // should update the NIK count to not include this RFH anymore. | 
|  | // TODO(crbug.com/40693086): Remove this when it's no longer possible to | 
|  | // destruct an active RFH (i.e. we've changed the state to non-active for | 
|  | // all cases). | 
|  | GetStoragePartition()->DecrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  |  | 
|  | GetTokenFrameMap().erase(frame_token_); | 
|  |  | 
|  | // Ensure that the render process host has been notified that all media | 
|  | // streams from this frame have terminated. This is required to ensure the | 
|  | // process host has the correct media stream count, which affects its | 
|  | // background priority. | 
|  | CleanUpMediaStreams(); | 
|  |  | 
|  | auto* process = GetProcess(); | 
|  | SCOPED_CRASH_KEY_BOOL("Bug1407526", "si_exists", !!site_instance_); | 
|  | SCOPED_CRASH_KEY_BOOL("Bug1407526", "sig_exists", !!site_instance_->group()); | 
|  | SCOPED_CRASH_KEY_BOOL("Bug1407526", "process_exists", !!process); | 
|  | site_instance_->group()->RemoveObserver(this); | 
|  | process->UnregisterRenderFrameHost(GetGlobalId(), IsOutermostMainFrame()); | 
|  |  | 
|  | const bool was_created = is_render_frame_created(); | 
|  | SCOPED_CRASH_KEY_BOOL("Bug1407526", "was_created", !!was_created); | 
|  | SCOPED_CRASH_KEY_BOOL("Bug1407526", "delegate_exists", !!delegate_); | 
|  | render_frame_state_ = RenderFrameState::kDeleted; | 
|  | if (was_created) | 
|  | delegate_->RenderFrameDeleted(this); | 
|  |  | 
|  | // Resetting `document_associated_data_` destroys live `DocumentService` and | 
|  | // `DocumentUserData` instances. It is important for them to be | 
|  | // destroyed before the body of the `RenderFrameHostImpl` destructor | 
|  | // completes. Among other things, this ensures that any `SafeRef`s from | 
|  | // `DocumentService` and `RenderFrameHostUserData` subclasses are still valid | 
|  | // when their destructors run. | 
|  | document_associated_data_.reset(); | 
|  |  | 
|  | // If this was the last active frame in the SiteInstanceGroup, the | 
|  | // DecrementActiveFrameCount call will trigger the deletion of the | 
|  | // SiteInstanceGroup's proxies. | 
|  | GetSiteInstance()->group()->DecrementActiveFrameCount(); | 
|  |  | 
|  | // Once a RenderFrame is created in the renderer, there are three possible | 
|  | // clean-up paths: | 
|  | // 1. The RenderFrame can be the main frame. In this case, closing the | 
|  | //    associated `blink::WebView` will clean up the resources associated with | 
|  | //    the main RenderFrame. | 
|  | // 2. The RenderFrame can be unloaded. In this case, the browser sends a | 
|  | //    mojom::FrameNavigationControl::UnloadFrame message for the RenderFrame | 
|  | //    to replace itself with a `blink::RemoteFrame`and release its associated | 
|  | //    resources. |lifecycle_state_| is advanced to | 
|  | //    LifecycleStateImpl::kRunningUnloadHandlers to track that this IPC is in | 
|  | //    flight. | 
|  | // 3. The RenderFrame can be detached, as part of removing a subtree (due to | 
|  | //    navigation, unload, or DOM mutation). In this case, the browser sends | 
|  | //    a mojom::FrameNavigationControl::Delete message for the RenderFrame | 
|  | //    to detach itself and release its associated resources. If the subframe | 
|  | //    contains an unload handler, |lifecycle_state_| is advanced to | 
|  | //    LifecycleStateImpl::kRunningUnloadHandlers to track that the detach is | 
|  | //    in progress; otherwise, it is advanced directly to | 
|  | //    LifecycleStateImpl::kReadyToBeDeleted. | 
|  | // | 
|  | // For BackForwardCache or Prerender case: | 
|  | // | 
|  | // Deleting the BackForwardCache::Entry deletes immediately all the | 
|  | // Render{View,Frame,FrameProxy}Host. This will destroy the main RenderFrame | 
|  | // eventually as part of path #1 above: | 
|  | // | 
|  | // - The RenderFrameHost/RenderFrameProxyHost of the main frame are owned by | 
|  | //   the BackForwardCache::Entry. | 
|  | // - RenderFrameHost/RenderFrameProxyHost for sub-frames are owned by their | 
|  | //   parent RenderFrameHost. | 
|  | // - The RenderViewHost(s) are refcounted by the | 
|  | //   RenderFrameHost/RenderFrameProxyHost of the page. They are guaranteed not | 
|  | //   to be referenced by any other pages. | 
|  | // | 
|  | // The browser side gives the renderer a small timeout to finish processing | 
|  | // unload / detach messages. When the timeout expires, the RFH will be | 
|  | // removed regardless of whether or not the renderer acknowledged that it | 
|  | // completed the work, to avoid indefinitely leaking browser-side state. To | 
|  | // avoid leaks, ~RenderFrameHostImpl still validates that the appropriate | 
|  | // cleanup IPC was sent to the renderer, by checking IsPendingDeletion(). | 
|  | // | 
|  | // TODO(dcheng): Due to how frame detach is signalled today, there are some | 
|  | // bugs in this area. In particular, subtree detach is reported from the | 
|  | // bottom up, so the replicated mojom::FrameNavigationControl::Delete | 
|  | // messages actually operate on a node-by-node basis rather than detaching an | 
|  | // entire subtree at once... | 
|  | // | 
|  | // Note that this logic is fairly subtle. It needs to include all subframes | 
|  | // and all speculative frames, but it should exclude case #1 (a main | 
|  | // RenderFrame owned by the `blink::WebView`). It can't simply check | 
|  | // |frame_tree_node_->render_manager()->speculative_frame_host()| for | 
|  | // equality against |this|. The speculative frame host is unset before the | 
|  | // speculative frame host is destroyed, so this condition would never be | 
|  | // matched for a speculative RFH that needs to be destroyed. | 
|  | // | 
|  | // Note that `RenderViewHostImpl::GetMainRenderFrameHost()` can never return | 
|  | // a speculative RFH.  So, a speculative main frame being deleted will always | 
|  | // pass this condition as well. | 
|  | if (was_created && render_view_host_->GetMainRenderFrameHost() != this) { | 
|  | CHECK_NE(lifecycle_state(), LifecycleStateImpl::kActive); | 
|  | } | 
|  |  | 
|  | GetAgentSchedulingGroup().RemoveRoute(routing_id_); | 
|  |  | 
|  | // Null out the unload timer; in crash dumps this member will be null only if | 
|  | // the dtor has run.  (It may also be null in tests.) | 
|  | unload_event_monitor_timeout_.reset(); | 
|  |  | 
|  | // Delete this before destroying the widget, to guard against reentrancy | 
|  | // by in-process screen readers such as JAWS. | 
|  | if (browser_accessibility_manager_) { | 
|  | browser_accessibility_manager_->DetachFromParentManager(); | 
|  | browser_accessibility_manager_.reset(); | 
|  | } | 
|  |  | 
|  | // Note: The RenderWidgetHost of the main frame is owned by the RenderViewHost | 
|  | // instead. In this case the RenderViewHost is responsible for shutting down | 
|  | // its RenderViewHost. | 
|  | if (owned_render_widget_host_) | 
|  | owned_render_widget_host_->ShutdownAndDestroyWidget(false); | 
|  |  | 
|  | render_view_host_.reset(); | 
|  |  | 
|  | // Attempt to cleanup the render process if only discarded frames remain. | 
|  | CleanupRenderProcessForDiscardIfPossible(); | 
|  |  | 
|  | // If another frame is waiting for a beforeunload completion callback from | 
|  | // this frame, simulate it now. | 
|  | RenderFrameHostImpl* beforeunload_initiator = GetBeforeUnloadInitiator(); | 
|  | if (beforeunload_initiator && beforeunload_initiator != this) { | 
|  | base::TimeTicks approx_renderer_start_time = send_before_unload_start_time_; | 
|  | beforeunload_initiator->ProcessBeforeUnloadCompletedFromFrame( | 
|  | /*proceed=*/true, /*treat_as_final_completion_callback=*/false, this, | 
|  | /*is_frame_being_destroyed=*/true, approx_renderer_start_time, | 
|  | base::TimeTicks::Now(), /*for_legacy=*/false); | 
|  | } | 
|  |  | 
|  | if (prefetched_signed_exchange_cache_) | 
|  | prefetched_signed_exchange_cache_->RecordHistograms(); | 
|  |  | 
|  | // |geolocation_service_| needs to be destroyed before RenderFrameHostImpl, | 
|  | // otherwise it might cause dangling pointer. | 
|  | geolocation_service_.reset(); | 
|  |  | 
|  | // Deleting the children would have deleted any guests. | 
|  | CHECK(guest_pages_.empty()); | 
|  |  | 
|  | // Matches the pair of TRACE_EVENT_BEGINS in the constructor: one for | 
|  | // "RenderFrameHostImpl" slice itself, one for the slice with the lifecycle | 
|  | // state name. | 
|  | TRACE_EVENT_END("navigation", perfetto::Track::FromPointer(this)); | 
|  | TRACE_EVENT_END("navigation", perfetto::Track::FromPointer(this)); | 
|  | } | 
|  |  | 
|  | const blink::StorageKey& RenderFrameHostImpl::GetStorageKey() const { | 
|  | return storage_key_; | 
|  | } | 
|  |  | 
|  | int RenderFrameHostImpl::GetRoutingID() const { | 
|  | return routing_id_; | 
|  | } | 
|  |  | 
|  | const blink::LocalFrameToken& RenderFrameHostImpl::GetFrameToken() const { | 
|  | return frame_token_; | 
|  | } | 
|  |  | 
|  | const base::UnguessableToken& RenderFrameHostImpl::GetReportingSource() { | 
|  | DCHECK(!document_associated_data_->reporting_source().is_empty()); | 
|  | return document_associated_data_->reporting_source(); | 
|  | } | 
|  |  | 
|  | ui::AXTreeID RenderFrameHostImpl::GetAXTreeID() { | 
|  | return ax_tree_id(); | 
|  | } | 
|  |  | 
|  | const blink::LocalFrameToken& RenderFrameHostImpl::GetTopFrameToken() { | 
|  | RenderFrameHostImpl* frame = this; | 
|  | while (frame->parent_) { | 
|  | frame = frame->parent_; | 
|  | } | 
|  | return frame->GetFrameToken(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AudioContextPlaybackStarted(int audio_context_id) { | 
|  | delegate_->AudioContextPlaybackStarted(this, audio_context_id); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AudioContextPlaybackStopped(int audio_context_id) { | 
|  | delegate_->AudioContextPlaybackStopped(this, audio_context_id); | 
|  | } | 
|  |  | 
|  | // The current frame went into the BackForwardCache. | 
|  | void RenderFrameHostImpl::DidEnterBackForwardCache() { | 
|  | TRACE_EVENT0("navigation", "RenderFrameHostImpl::EnterBackForwardCache"); | 
|  | DCHECK(IsBackForwardCacheEnabled()); | 
|  | DCHECK(IsInPrimaryMainFrame()); | 
|  |  | 
|  | // Notifies the View that the page is stored in the `BackForwardCache`. | 
|  | // | 
|  | // We shouldn't BFCache a renderer without a View. | 
|  | CHECK(GetView()); | 
|  | static_cast<RenderWidgetHostViewBase*>(GetView())->DidEnterBackForwardCache(); | 
|  |  | 
|  | // Cancel loading memory tracker if it hasn't already recorded loading | 
|  | // memory stats, as we would now be including stats from the navigation | 
|  | // navigating away from the page. | 
|  | GetPage().CancelLoadingMemoryTracker(); | 
|  |  | 
|  | CHECK(GetRenderWidgetHost()); | 
|  | CHECK(GetRenderWidgetHost()->view_is_frame_sink_id_owner()); | 
|  |  | 
|  | DidEnterBackForwardCacheInternal(); | 
|  | // Pages in the back-forward cache are automatically evicted after a certain | 
|  | // time. | 
|  | StartBackForwardCacheEvictionTimer(); | 
|  |  | 
|  | for (FrameTreeNode* node : FrameTree::SubtreeAndInnerTreeNodes( | 
|  | this, | 
|  | /*include_delegate_nodes_for_inner_frame_trees=*/true)) { | 
|  | if (RenderFrameHostImpl* rfh = node->current_frame_host()) | 
|  | rfh->DidEnterBackForwardCacheInternal(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidEnterBackForwardCacheInternal() { | 
|  | DCHECK_EQ(lifecycle_state(), LifecycleStateImpl::kActive); | 
|  | SetLifecycleState(LifecycleStateImpl::kInBackForwardCache); | 
|  |  | 
|  | // If we are a delegate node we don't need to do anything else. | 
|  | if (inner_tree_main_frame_tree_node_id_) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | for (auto& entry : service_worker_clients_) { | 
|  | if (base::WeakPtr<ServiceWorkerClient> service_worker_client = | 
|  | entry.second) { | 
|  | service_worker_client->OnEnterBackForwardCache(); | 
|  | } | 
|  | } | 
|  |  | 
|  | DedicatedWorkerHostsForDocument::GetOrCreateForCurrentDocument(this) | 
|  | ->OnEnterBackForwardCache(); | 
|  | #if BUILDFLAG(IS_P2P_ENABLED) | 
|  | GetProcess()->PauseSocketManagerForRenderFrameHost(GetGlobalId()); | 
|  | #endif  // BUILDFLAG(IS_P2P_ENABLED) | 
|  |  | 
|  | if (auto* permission_service_context = | 
|  | PermissionServiceContext::GetForCurrentDocument(this)) { | 
|  | permission_service_context->StoreStatusAtBFCacheEntry(); | 
|  | } | 
|  | } | 
|  |  | 
|  | // The frame as been restored from the BackForwardCache. | 
|  | void RenderFrameHostImpl::WillLeaveBackForwardCache() { | 
|  | TRACE_EVENT0("navigation", "RenderFrameHostImpl::LeaveBackForwardCache"); | 
|  | DCHECK(IsBackForwardCacheEnabled()); | 
|  | DCHECK(IsOutermostMainFrame()); | 
|  | if (back_forward_cache_eviction_timer_.IsRunning()) | 
|  | back_forward_cache_eviction_timer_.Stop(); | 
|  |  | 
|  | WillLeaveBackForwardCacheInternal(); | 
|  | for (FrameTreeNode* node : FrameTree::SubtreeAndInnerTreeNodes( | 
|  | this, | 
|  | /*include_delegate_nodes_for_inner_frame_trees=*/true)) { | 
|  | if (RenderFrameHostImpl* rfh = node->current_frame_host()) | 
|  | rfh->WillLeaveBackForwardCacheInternal(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::WillLeaveBackForwardCacheInternal() { | 
|  | DCHECK_EQ(lifecycle_state(), LifecycleStateImpl::kInBackForwardCache); | 
|  | DCHECK(!back_forward_cache_eviction_timer_.IsRunning()); | 
|  |  | 
|  | // If we are a delegate node we don't need to do anything else. | 
|  | if (inner_tree_main_frame_tree_node_id_) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | for (auto& entry : service_worker_clients_) { | 
|  | if (base::WeakPtr<ServiceWorkerClient> service_worker_client = | 
|  | entry.second) { | 
|  | service_worker_client->OnRestoreFromBackForwardCache(); | 
|  | } | 
|  | } | 
|  |  | 
|  | DedicatedWorkerHostsForDocument::GetOrCreateForCurrentDocument(this) | 
|  | ->OnRestoreFromBackForwardCache(); | 
|  | #if BUILDFLAG(IS_P2P_ENABLED) | 
|  | GetProcess()->ResumeSocketManagerForRenderFrameHost(GetGlobalId()); | 
|  | #endif  // BUILDFLAG(IS_P2P_ENABLED) | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::StartBackForwardCacheEvictionTimer() { | 
|  | DCHECK(IsInBackForwardCache()); | 
|  | base::TimeDelta evict_after = | 
|  | GetBackForwardCache().GetTimeToLiveInBackForwardCache( | 
|  | LoadedWithCacheControlNoStoreHeader() | 
|  | ? BackForwardCacheImpl::kInCCNSContext | 
|  | : BackForwardCacheImpl::kNotInCCNSContext); | 
|  |  | 
|  | back_forward_cache_eviction_timer_.SetTaskRunner( | 
|  | GetBackForwardCache().GetTaskRunner()); | 
|  |  | 
|  | back_forward_cache_eviction_timer_.Start( | 
|  | FROM_HERE, evict_after, | 
|  | base::BindOnce(&RenderFrameHostImpl::EvictFromBackForwardCacheWithReason, | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | BackForwardCacheMetrics::NotRestoredReason::kTimeout)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableBackForwardCache( | 
|  | BackForwardCache::DisabledReason reason, | 
|  | std::optional<ukm::SourceId> source_id) { | 
|  | back_forward_cache_disabled_reasons_[reason].insert(source_id); | 
|  | MaybeEvictFromBackForwardCache(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableProactiveBrowsingInstanceSwapForTesting() { | 
|  | // This should only be called on primary main frames. | 
|  | DCHECK(IsInPrimaryMainFrame()); | 
|  | has_test_disabled_proactive_browsing_instance_swap_ = true; | 
|  | } | 
|  |  | 
|  | NavigationController& RenderFrameHostImpl::GetController() { | 
|  | // Note: owner_ is null for bfcached and pending deletion cases. | 
|  | CHECK(!IsPendingDeletion()); | 
|  | CHECK(!IsInBackForwardCache()); | 
|  | return owner_->GetCurrentNavigator().controller(); | 
|  | } | 
|  |  | 
|  | SiteInstanceImpl* RenderFrameHostImpl::GetSiteInstance() const { | 
|  | return site_instance_.get(); | 
|  | } | 
|  |  | 
|  | RenderProcessHost* RenderFrameHostImpl::GetProcess() const { | 
|  | return agent_scheduling_group_->GetProcess(); | 
|  | } | 
|  |  | 
|  | AgentSchedulingGroupHost& RenderFrameHostImpl::GetAgentSchedulingGroup() { | 
|  | return *agent_scheduling_group_; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetParent() const { | 
|  | return parent_; | 
|  | } | 
|  |  | 
|  | PageImpl& RenderFrameHostImpl::GetPage() { | 
|  | return *GetMainFrame()->document_associated_data_->owned_page(); | 
|  | } | 
|  |  | 
|  | const PageImpl& RenderFrameHostImpl::GetPage() const { | 
|  | return *GetMainFrame()->document_associated_data_->owned_page(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsDescendantOfWithinFrameTree( | 
|  | RenderFrameHostImpl* ancestor) { | 
|  | if (!ancestor || !ancestor->child_count()) | 
|  | return false; | 
|  |  | 
|  | for (RenderFrameHostImpl* current = GetParent(); current; | 
|  | current = current->GetParent()) { | 
|  | if (current == ancestor) | 
|  | return true; | 
|  | } | 
|  | return false; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFencedFrameRoot() const { | 
|  | return fenced_frame_status_ == FencedFrameStatus::kFencedFrameRoot; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsNestedWithinFencedFrame() const { | 
|  | switch (fenced_frame_status_) { | 
|  | case FencedFrameStatus::kNotNestedInFencedFrame: | 
|  | return false; | 
|  | case FencedFrameStatus::kFencedFrameRoot: | 
|  | return true; | 
|  | case FencedFrameStatus::kIframeNestedWithinFencedFrame: | 
|  | return true; | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsUntrustedNetworkDisabled() const { | 
|  | return frame_tree_node_->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot) && | 
|  | frame_tree_node_ | 
|  | ->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot) | 
|  | ->HasDisabledNetworkForCurrentFrameTree(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachRenderFrameHostWithAction( | 
|  | base::FunctionRef<FrameIterationAction(RenderFrameHost*)> on_frame) { | 
|  | ForEachRenderFrameHostImplWithAction( | 
|  | [on_frame](RenderFrameHostImpl* rfh) { return on_frame(rfh); }); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachRenderFrameHost( | 
|  | base::FunctionRef<void(RenderFrameHost*)> on_frame) { | 
|  | ForEachRenderFrameHostImpl( | 
|  | [on_frame](RenderFrameHostImpl* rfh) { on_frame(rfh); }); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachRenderFrameHostImplWithAction( | 
|  | base::FunctionRef<FrameIterationAction(RenderFrameHostImpl*)> on_frame) { | 
|  | ForEachRenderFrameHostImpl(on_frame, /*include_speculative=*/false); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachRenderFrameHostImpl( | 
|  | base::FunctionRef<void(RenderFrameHostImpl*)> on_frame) { | 
|  | ForEachRenderFrameHostImplWithAction([on_frame](RenderFrameHostImpl* rfh) { | 
|  | on_frame(rfh); | 
|  | return FrameIterationAction::kContinue; | 
|  | }); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl:: | 
|  | ForEachRenderFrameHostImplIncludingSpeculativeWithAction( | 
|  | base::FunctionRef<FrameIterationAction(RenderFrameHostImpl*)> | 
|  | on_frame) { | 
|  | ForEachRenderFrameHostImpl(on_frame, /*include_speculative=*/true); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachRenderFrameHostImplIncludingSpeculative( | 
|  | base::FunctionRef<void(RenderFrameHostImpl*)> on_frame) { | 
|  | ForEachRenderFrameHostImplIncludingSpeculativeWithAction( | 
|  | [on_frame](RenderFrameHostImpl* rfh) { | 
|  | on_frame(rfh); | 
|  | return FrameIterationAction::kContinue; | 
|  | }); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachRenderFrameHostImpl( | 
|  | base::FunctionRef<FrameIterationAction(RenderFrameHostImpl*)> on_frame, | 
|  | bool include_speculative) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  |  | 
|  | if (!include_speculative && | 
|  | (lifecycle_state() == LifecycleStateImpl::kSpeculative || | 
|  | lifecycle_state() == LifecycleStateImpl::kPendingCommit)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Since |this| may not be current in its FrameTree, we can't begin iterating | 
|  | // from |frame_tree_node()|, so we special case the first invocation for | 
|  | // |this| and then actually start iterating over the subtree starting with | 
|  | // our children's FrameTreeNodes. | 
|  | bool skip_children_of_starting_frame = false; | 
|  | switch (on_frame(this)) { | 
|  | case FrameIterationAction::kContinue: | 
|  | break; | 
|  | case FrameIterationAction::kSkipChildren: | 
|  | skip_children_of_starting_frame = true; | 
|  | break; | 
|  | case FrameIterationAction::kStop: | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Potentially include our FrameTreeNode's speculative RenderFrameHost, but | 
|  | // only if |this| is current in its FrameTree. | 
|  | // TODO(crbug.com/40203236): Avoid having a RenderFrameHost access its | 
|  | // FrameTreeNode's speculative RenderFrameHost by moving | 
|  | // ForEachRenderFrameHostImplIncludingSpeculative from RenderFrameHostImpl or | 
|  | // possibly removing it entirely. | 
|  | if (include_speculative && frame_tree_node()->current_frame_host() == this) { | 
|  | RenderFrameHostImpl* speculative_frame_host = | 
|  | frame_tree_node()->render_manager()->speculative_frame_host(); | 
|  | if (speculative_frame_host) { | 
|  | DCHECK_EQ(speculative_frame_host->child_count(), 0U); | 
|  | switch (on_frame(speculative_frame_host)) { | 
|  | case FrameIterationAction::kContinue: | 
|  | case FrameIterationAction::kSkipChildren: | 
|  | break; | 
|  | case FrameIterationAction::kStop: | 
|  | return; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | if (skip_children_of_starting_frame) | 
|  | return; | 
|  |  | 
|  | FrameTree::NodeRange ftn_range = FrameTree::SubtreeAndInnerTreeNodes(this); | 
|  | FrameTree::NodeIterator it = ftn_range.begin(); | 
|  | const FrameTree::NodeIterator end = ftn_range.end(); | 
|  |  | 
|  | while (it != end) { | 
|  | FrameTreeNode* node = *it; | 
|  | RenderFrameHostImpl* frame_host = node->current_frame_host(); | 
|  | if (frame_host) { | 
|  | switch (on_frame(frame_host)) { | 
|  | case FrameIterationAction::kContinue: | 
|  | ++it; | 
|  | break; | 
|  | case FrameIterationAction::kSkipChildren: | 
|  | it.AdvanceSkippingChildren(); | 
|  | break; | 
|  | case FrameIterationAction::kStop: | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | if (include_speculative) { | 
|  | RenderFrameHostImpl* speculative_frame_host = | 
|  | node->render_manager()->speculative_frame_host(); | 
|  | if (speculative_frame_host) { | 
|  | DCHECK_EQ(speculative_frame_host->child_count(), 0U); | 
|  | switch (on_frame(speculative_frame_host)) { | 
|  | case FrameIterationAction::kContinue: | 
|  | case FrameIterationAction::kSkipChildren: | 
|  | break; | 
|  | case FrameIterationAction::kStop: | 
|  | return; | 
|  | } | 
|  | } | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | FrameTreeNodeId RenderFrameHostImpl::GetFrameTreeNodeId() const { | 
|  | return frame_tree_node_->frame_tree_node_id(); | 
|  | } | 
|  |  | 
|  | const base::UnguessableToken& RenderFrameHostImpl::GetDevToolsFrameToken() { | 
|  | return devtools_frame_token(); | 
|  | } | 
|  |  | 
|  | std::optional<base::UnguessableToken> RenderFrameHostImpl::GetEmbeddingToken() { | 
|  | return embedding_token_; | 
|  | } | 
|  |  | 
|  | const std::string& RenderFrameHostImpl::GetFrameName() { | 
|  | return browsing_context_state_->frame_name(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFrameDisplayNone() { | 
|  | return frame_tree_node()->frame_owner_properties().is_display_none; | 
|  | } | 
|  |  | 
|  | const std::optional<gfx::Size>& RenderFrameHostImpl::GetFrameSize() { | 
|  | return frame_size_; | 
|  | } | 
|  |  | 
|  | size_t RenderFrameHostImpl::GetFrameDepth() { | 
|  | return depth_; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsCrossProcessSubframe() { | 
|  | if (is_main_frame()) { | 
|  | return false; | 
|  | } | 
|  | return GetSiteInstance()->GetProcess() != | 
|  | parent_->GetSiteInstance()->GetProcess(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::RequiresProxyToParent() { | 
|  | if (is_main_frame()) | 
|  | return false; | 
|  | return GetSiteInstance()->group() != parent_->GetSiteInstance()->group(); | 
|  | } | 
|  |  | 
|  | WebExposedIsolationLevel RenderFrameHostImpl::GetWebExposedIsolationLevel() { | 
|  | DCHECK_EQ(GetSiteInstance()->GetSiteInfo().web_exposed_isolation_info(), | 
|  | GetProcess()->GetProcessLock().GetWebExposedIsolationInfo()); | 
|  | // First, get the WebExposedIsolationLevel that was computed based on whether | 
|  | // this page is in IsolatedWebApp, or was cross-origin isolated through the | 
|  | // use of COOP and COEP. | 
|  | WebExposedIsolationLevel level = GetProcess()->GetWebExposedIsolationLevel(); | 
|  |  | 
|  | // Cross-origin isolation set through COOP and COEP can be restricted through | 
|  | // a PermissionPolicy. In this case, the document should be considered as not | 
|  | // isolated. | 
|  | if (!IsFeatureEnabled( | 
|  | network::mojom::PermissionsPolicyFeature::kCrossOriginIsolated)) { | 
|  | level = WebExposedIsolationLevel::kNotIsolated; | 
|  | } | 
|  |  | 
|  | // Check if cross-origin isolation was enabled through | 
|  | // DocumentIsolationPolicy. This is stored in the AgentClusterKey, and not the | 
|  | // WebExposedIsolationLevel in the RenderProcessHost. This is not affected by | 
|  | // PermissionPolicy. | 
|  | auto& agent_cluster_key = | 
|  | GetSiteInstance()->GetSiteInfo().agent_cluster_key(); | 
|  | if (agent_cluster_key && agent_cluster_key->GetCrossOriginIsolationKey() && | 
|  | agent_cluster_key->GetCrossOriginIsolationKey() | 
|  | ->cross_origin_isolation_mode == | 
|  | CrossOriginIsolationMode::kConcrete) { | 
|  | if (level == WebExposedIsolationLevel::kNotIsolated) { | 
|  | level = WebExposedIsolationLevel::kIsolated; | 
|  | } | 
|  | } | 
|  |  | 
|  | return level; | 
|  | } | 
|  |  | 
|  | const GURL& RenderFrameHostImpl::GetLastCommittedURL() const { | 
|  | return last_committed_url_; | 
|  | } | 
|  |  | 
|  | const url::Origin& RenderFrameHostImpl::GetLastCommittedOrigin() const { | 
|  | return last_committed_origin_; | 
|  | } | 
|  |  | 
|  | const GURL& RenderFrameHostImpl::GetInheritedBaseUrl() const { | 
|  | return inherited_base_url_; | 
|  | } | 
|  |  | 
|  | const net::NetworkIsolationKey& RenderFrameHostImpl::GetNetworkIsolationKey() { | 
|  | DCHECK(!isolation_info_.IsEmpty()); | 
|  | return isolation_info_.network_isolation_key(); | 
|  | } | 
|  |  | 
|  | const net::IsolationInfo& | 
|  | RenderFrameHostImpl::GetIsolationInfoForSubresources() { | 
|  | DCHECK(!isolation_info_.IsEmpty()); | 
|  | return isolation_info_; | 
|  | } | 
|  |  | 
|  | net::IsolationInfo | 
|  | RenderFrameHostImpl::GetPendingIsolationInfoForSubresources() { | 
|  | // TODO(crbug.com/40767475): Figure out if | 
|  | // ForPendingOrLastCommittedNavigation is correct below (it might not be). | 
|  | auto config = | 
|  | SubresourceLoaderFactoriesConfig::ForPendingOrLastCommittedNavigation( | 
|  | *this); | 
|  | DCHECK(!config.isolation_info().IsEmpty()); | 
|  | return config.isolation_info(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetCanonicalUrl( | 
|  | base::OnceCallback<void(const std::optional<GURL>&)> callback) { | 
|  | if (IsRenderFrameLive()) { | 
|  | // Validate that the URL returned by the renderer is HTTP(S) only. It is | 
|  | // allowed to be cross-origin. | 
|  | auto validate_and_forward = | 
|  | [](base::OnceCallback<void(const std::optional<GURL>&)> callback, | 
|  | const std::optional<GURL>& url) { | 
|  | if (url && url->is_valid() && url->SchemeIsHTTPOrHTTPS()) { | 
|  | std::move(callback).Run(url); | 
|  | } else { | 
|  | std::move(callback).Run(std::nullopt); | 
|  | } | 
|  | }; | 
|  | GetAssociatedLocalFrame()->GetCanonicalUrlForSharing( | 
|  | base::BindOnce(validate_and_forward, std::move(callback))); | 
|  | } else { | 
|  | std::move(callback).Run(std::nullopt); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetOpenGraphMetadata( | 
|  | base::OnceCallback<void(blink::mojom::OpenGraphMetadataPtr)> callback) { | 
|  | if (IsRenderFrameLive()) { | 
|  | GetAssociatedLocalFrame()->GetOpenGraphMetadata( | 
|  | base::BindOnce(&ForwardOpenGraphMetadataIfValid, std::move(callback))); | 
|  | } else { | 
|  | std::move(callback).Run({}); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsErrorDocument() const { | 
|  | // This shouldn't be called before committing the document as this value is | 
|  | // set during call to RenderFrameHostImpl::DidNavigate which happens after | 
|  | // commit. | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kPendingCommit); | 
|  | return is_error_document_; | 
|  | } | 
|  |  | 
|  | DocumentRef RenderFrameHostImpl::GetDocumentRef() { | 
|  | return DocumentRef(document_associated_data_->GetSafeRef()); | 
|  | } | 
|  |  | 
|  | WeakDocumentPtr RenderFrameHostImpl::GetWeakDocumentPtr() { | 
|  | return WeakDocumentPtr(document_associated_data_->GetWeakPtr()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetSerializedHtmlWithLocalLinks( | 
|  | const base::flat_map<GURL, base::FilePath>& url_map, | 
|  | const base::flat_map<blink::FrameToken, base::FilePath>& frame_token_map, | 
|  | bool save_with_empty_url, | 
|  | mojo::PendingRemote<mojom::FrameHTMLSerializerHandler> serializer_handler) { | 
|  | if (!IsRenderFrameLive()) | 
|  | return; | 
|  | GetMojomFrameInRenderer()->GetSerializedHtmlWithLocalLinks( | 
|  | url_map, frame_token_map, save_with_empty_url, | 
|  | std::move(serializer_handler)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetWantErrorMessageStackTrace() { | 
|  | GetMojomFrameInRenderer()->SetWantErrorMessageStackTrace(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteMediaPlayerActionAtLocation( | 
|  | const gfx::Point& location, | 
|  | const blink::mojom::MediaPlayerAction& action) { | 
|  | auto media_player_action = blink::mojom::MediaPlayerAction::New(); | 
|  | media_player_action->type = action.type; | 
|  | media_player_action->enable = action.enable; | 
|  | gfx::PointF point_in_view = GetView()->TransformRootPointToViewCoordSpace( | 
|  | gfx::PointF(location.x(), location.y())); | 
|  | GetAssociatedLocalFrame()->MediaPlayerActionAt( | 
|  | gfx::Point(point_in_view.x(), point_in_view.y()), | 
|  | std::move(media_player_action)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RequestVideoFrameAtWithBoundsHint( | 
|  | const gfx::Point& location, | 
|  | const gfx::Size& max_size, | 
|  | int max_area, | 
|  | base::OnceCallback<void(const SkBitmap&, const gfx::Rect&)> callback) { | 
|  | gfx::PointF point_in_view = GetView()->TransformRootPointToViewCoordSpace( | 
|  | gfx::PointF(location.x(), location.y())); | 
|  | GetAssociatedLocalFrame()->RequestVideoFrameAtWithBoundsHint( | 
|  | gfx::Point(point_in_view.x(), point_in_view.y()), max_size, max_area, | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CreateNetworkServiceDefaultFactory( | 
|  | mojo::PendingReceiver<network::mojom::URLLoaderFactory> | 
|  | default_factory_receiver) { | 
|  | // Factory config below is based on the last committed navigation, under the | 
|  | // assumptions that the caller wants a factory that acts on behalf of the | 
|  | // *currently* committed document.  This assumption is typically valid for | 
|  | // callers that are responding to an IPC coming from the renderer process.  If | 
|  | // the caller wanted a factory associated with a pending navigation, then the | 
|  | // config won't be correct.  For more details, please see the doc comment of | 
|  | // ForPendingOrLastCommittedNavigation. | 
|  | auto subresource_loader_factories_config = | 
|  | SubresourceLoaderFactoriesConfig::ForLastCommittedNavigation(*this); | 
|  |  | 
|  | return CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | CreateURLLoaderFactoryParamsForMainWorld( | 
|  | subresource_loader_factories_config, | 
|  | "RFHI::CreateNetworkServiceDefaultFactory"), | 
|  | subresource_loader_factories_config.ukm_source_id(), | 
|  | std::move(default_factory_receiver)); | 
|  | } | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | RenderFrameHostImpl::CreateSubresourceLoaderFactoriesForInitialEmptyDocument() { | 
|  | // This method should only be called (by RenderViewHostImpl::CreateRenderView) | 
|  | // when creating a new local main frame in a Renderer process. | 
|  | DCHECK(!GetParent()); | 
|  |  | 
|  | // Expecting the frame to be at the initial empty document. | 
|  | // Not DCHECK-ing `last_committed_origin_`, because it is not reset by | 
|  | // RenderFrameHostImpl::RenderProcessExited for crashed frames. | 
|  | DCHECK_EQ(GURL(), last_committed_url_); | 
|  |  | 
|  | auto subresource_loader_factories = | 
|  | std::make_unique<blink::PendingURLLoaderFactoryBundle>(); | 
|  | switch (lifecycle_state()) { | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kInBackForwardCache: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kPendingCommit: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kReadyToBeDeleted: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kRunningUnloadHandlers: | 
|  | // A newly-created frame shouldn't be in any of the states above. | 
|  | NOTREACHED(); | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kSpeculative: | 
|  | // No subresource requests should be initiated in the speculative frame. | 
|  | // Serving an empty bundle of `subresource_loader_factories` will | 
|  | // desirably lead to a crash in URLLoaderFactoryBundle::GetFactory (see | 
|  | // also the DCHECK there) if the speculative frame attempts to start a | 
|  | // subresource load. | 
|  | break; | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kActive: | 
|  | case RenderFrameHostImpl::LifecycleStateImpl::kPrerendering: | 
|  | CreateNetworkServiceDefaultFactory( | 
|  | subresource_loader_factories->pending_default_factory() | 
|  | .InitWithNewPipeAndPassReceiver()); | 
|  |  | 
|  | // The caller will send the returned factory to the renderer process (as | 
|  | // the default factory).  Therefore, after a NetworkService crash we need | 
|  | // to push to the renderer an updated factory. | 
|  | recreate_default_url_loader_factory_after_network_service_crash_ = true; | 
|  | break; | 
|  | } | 
|  |  | 
|  | return subresource_loader_factories; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MarkIsolatedWorldsAsRequiringSeparateURLLoaderFactory( | 
|  | const base::flat_set<url::Origin>& isolated_world_origins, | 
|  | bool push_to_renderer_now) { | 
|  | size_t old_size = | 
|  | isolated_worlds_requiring_separate_url_loader_factory_.size(); | 
|  | isolated_worlds_requiring_separate_url_loader_factory_.insert( | 
|  | isolated_world_origins.begin(), isolated_world_origins.end()); | 
|  | size_t new_size = | 
|  | isolated_worlds_requiring_separate_url_loader_factory_.size(); | 
|  | bool insertion_took_place = (old_size != new_size); | 
|  |  | 
|  | // Push the updated set of factories to the renderer, but only if | 
|  | // 1) the caller requested an immediate push (e.g. for content scripts | 
|  | //    injected programmatically chrome.tabs.executeCode, but not for content | 
|  | //    scripts declared in the manifest - the difference is that the latter | 
|  | //    happen at a commit and the factories can just be send in the commit | 
|  | //    IPC). | 
|  | // 2) an insertion actually took place / the factories have been modified. | 
|  | // | 
|  | // See also the doc comment of `PendingURLLoaderFactoryBundle::OriginMap` | 
|  | // (the type of `pending_isolated_world_factories` that are set below). | 
|  | if (push_to_renderer_now && insertion_took_place) { | 
|  | // The `config` of the new factories might need to depend on the pending | 
|  | // (rather than the last committed) navigation, because we can't predict if | 
|  | // an in-flight Commit IPC might be present when an extension injects a | 
|  | // content script and MarkIsolatedWorlds... is called.  See also the doc | 
|  | // comment for the ForPendingOrLastCommittedNavigation method. | 
|  | auto config = | 
|  | SubresourceLoaderFactoriesConfig::ForPendingOrLastCommittedNavigation( | 
|  | *this); | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | subresource_loader_factories = | 
|  | std::make_unique<blink::PendingURLLoaderFactoryBundle>(); | 
|  | subresource_loader_factories->pending_isolated_world_factories() = | 
|  | CreateURLLoaderFactoriesForIsolatedWorlds(config, | 
|  | isolated_world_origins); | 
|  | GetMojomFrameInRenderer()->UpdateSubresourceLoaderFactories( | 
|  | std::move(subresource_loader_factories)); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsSandboxed(network::mojom::WebSandboxFlags flags) { | 
|  | return static_cast<int>(active_sandbox_flags()) & static_cast<int>(flags); | 
|  | } | 
|  |  | 
|  | blink::web_pref::WebPreferences | 
|  | RenderFrameHostImpl::GetOrCreateWebPreferences() { | 
|  | return delegate()->GetOrCreateWebPreferences(); | 
|  | } | 
|  |  | 
|  | blink::PendingURLLoaderFactoryBundle::OriginMap | 
|  | RenderFrameHostImpl::CreateURLLoaderFactoriesForIsolatedWorlds( | 
|  | const SubresourceLoaderFactoriesConfig& config, | 
|  | const base::flat_set<url::Origin>& isolated_world_origins) { | 
|  | blink::PendingURLLoaderFactoryBundle::OriginMap result; | 
|  | for (const url::Origin& isolated_world_origin : isolated_world_origins) { | 
|  | network::mojom::URLLoaderFactoryParamsPtr factory_params = | 
|  | URLLoaderFactoryParamsHelper::CreateForIsolatedWorld( | 
|  | this, isolated_world_origin, config.origin(), | 
|  | config.isolation_info(), config.GetClientSecurityState(), | 
|  | config.trust_token_issuance_policy(), | 
|  | config.trust_token_redemption_policy(), | 
|  | config.cookie_setting_overrides()); | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> factory_remote; | 
|  | CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | std::move(factory_params), | 
|  | ukm::kInvalidSourceIdObj, /* isolated from page */ | 
|  | factory_remote.InitWithNewPipeAndPassReceiver()); | 
|  | result[isolated_world_origin] = std::move(factory_remote); | 
|  | } | 
|  | return result; | 
|  | } | 
|  |  | 
|  | gfx::NativeView RenderFrameHostImpl::GetNativeView() { | 
|  | RenderWidgetHostView* view = render_view_host_->GetWidget()->GetView(); | 
|  | if (!view) | 
|  | return gfx::NativeView(); | 
|  | return view->GetNativeView(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel level, | 
|  | const std::string& message) { | 
|  | AddMessageToConsoleImpl(level, message, /*discard_duplicates=*/false); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteJavaScriptMethod( | 
|  | const std::u16string& object_name, | 
|  | const std::u16string& method_name, | 
|  | base::Value::List arguments, | 
|  | JavaScriptResultCallback callback) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | CHECK(CanExecuteJavaScript()); | 
|  | AssertFrameWasCommitted(); | 
|  |  | 
|  | const bool wants_result = !callback.is_null(); | 
|  | GetAssociatedLocalFrame()->JavaScriptMethodExecuteRequest( | 
|  | object_name, method_name, std::move(arguments), wants_result, | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteJavaScript(const std::u16string& javascript, | 
|  | JavaScriptResultCallback callback) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | CHECK(CanExecuteJavaScript()); | 
|  | AssertFrameWasCommitted(); | 
|  |  | 
|  | const bool wants_result = !callback.is_null(); | 
|  | GetAssociatedLocalFrame()->JavaScriptExecuteRequest(javascript, wants_result, | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteJavaScriptInIsolatedWorld( | 
|  | const std::u16string& javascript, | 
|  | JavaScriptResultCallback callback, | 
|  | int32_t world_id) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | DCHECK_GT(world_id, ISOLATED_WORLD_ID_GLOBAL); | 
|  | DCHECK_LE(world_id, ISOLATED_WORLD_ID_MAX); | 
|  | AssertFrameWasCommitted(); | 
|  |  | 
|  | const bool wants_result = !callback.is_null(); | 
|  | GetAssociatedLocalFrame()->JavaScriptExecuteRequestInIsolatedWorld( | 
|  | javascript, wants_result, world_id, std::move(callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteJavaScriptForTests( | 
|  | const std::u16string& javascript, | 
|  | JavaScriptResultCallback callback, | 
|  | int32_t world_id) { | 
|  | ExecuteJavaScriptForTests(  // IN-TEST | 
|  | javascript, /*has_user_gesture=*/false, | 
|  | /*resolve_promises=*/false, /*honor_js_content_settings=*/false, world_id, | 
|  | CreateJavaScriptExecuteRequestForTestsCallback(std::move(callback))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteJavaScriptWithUserGestureForTests( | 
|  | const std::u16string& javascript, | 
|  | JavaScriptResultCallback callback, | 
|  | int32_t world_id) { | 
|  | ExecuteJavaScriptForTests(  // IN-TEST | 
|  | javascript, /*has_user_gesture=*/true, | 
|  | /*resolve_promises=*/false, /*honor_js_content_settings=*/false, world_id, | 
|  | CreateJavaScriptExecuteRequestForTestsCallback(std::move(callback))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecuteJavaScriptForTests( | 
|  | const std::u16string& javascript, | 
|  | bool has_user_gesture, | 
|  | bool resolve_promises, | 
|  | bool honor_js_content_settings, | 
|  | int32_t world_id, | 
|  | JavaScriptResultAndTypeCallback callback) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | AssertFrameWasCommitted(); | 
|  |  | 
|  | if (has_user_gesture && owner_) { | 
|  | // TODO(mustaq): The render-to-browser state update caused by the below | 
|  | // JavaScriptExecuteRequestsForTests call is redundant with this update. We | 
|  | // should determine if the redundancy can be removed. | 
|  | owner_->UpdateUserActivationState( | 
|  | blink::mojom::UserActivationUpdateType::kNotifyActivation, | 
|  | blink::mojom::UserActivationNotificationType::kTest); | 
|  | } | 
|  |  | 
|  | GetAssociatedLocalFrame()->JavaScriptExecuteRequestForTests(  // IN-TEST | 
|  | javascript, has_user_gesture, resolve_promises, honor_js_content_settings, | 
|  | world_id, std::move(callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExecutePluginActionAtLocalLocation( | 
|  | const gfx::Point& location, | 
|  | blink::mojom::PluginActionType plugin_action) { | 
|  | gfx::Point local_location = gfx::ToFlooredPoint( | 
|  | GetView()->TransformRootPointToViewCoordSpace(gfx::PointF(location))); | 
|  | GetAssociatedLocalFrame()->PluginActionAt(local_location, plugin_action); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CopyImageAt(int x, int y) { | 
|  | gfx::PointF point_in_view = | 
|  | GetView()->TransformRootPointToViewCoordSpace(gfx::PointF(x, y)); | 
|  | GetAssociatedLocalFrame()->CopyImageAt( | 
|  | gfx::Point(point_in_view.x(), point_in_view.y())); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SaveImageAt(int x, int y) { | 
|  | gfx::PointF point_in_view = | 
|  | GetView()->TransformRootPointToViewCoordSpace(gfx::PointF(x, y)); | 
|  | GetAssociatedLocalFrame()->SaveImageAt( | 
|  | gfx::Point(point_in_view.x(), point_in_view.y())); | 
|  | } | 
|  |  | 
|  | RenderViewHost* RenderFrameHostImpl::GetRenderViewHost() const { | 
|  | return render_view_host_.get(); | 
|  | } | 
|  |  | 
|  | service_manager::InterfaceProvider* RenderFrameHostImpl::GetRemoteInterfaces() { | 
|  | DCHECK(IsRenderFrameLive()); | 
|  | return remote_interfaces_.get(); | 
|  | } | 
|  |  | 
|  | blink::AssociatedInterfaceProvider* | 
|  | RenderFrameHostImpl::GetRemoteAssociatedInterfaces() { | 
|  | if (!remote_associated_interfaces_) { | 
|  | mojo::AssociatedRemote<blink::mojom::AssociatedInterfaceProvider> | 
|  | remote_interfaces; | 
|  | if (GetAgentSchedulingGroup().GetChannel()) { | 
|  | GetAgentSchedulingGroup().GetRemoteRouteProvider()->GetRoute( | 
|  | GetFrameToken(), remote_interfaces.BindNewEndpointAndPassReceiver()); | 
|  | } else { | 
|  | LOG(WARNING) << "Creating unbound remote associated interface provider"; | 
|  | // The channel may not be initialized in some tests environments. In this | 
|  | // case we set up a dummy interface provider. | 
|  | std::ignore = remote_interfaces.BindNewEndpointAndPassDedicatedReceiver(); | 
|  | } | 
|  | remote_associated_interfaces_ = | 
|  | std::make_unique<blink::AssociatedInterfaceProvider>( | 
|  | remote_interfaces.Unbind()); | 
|  | } | 
|  | return remote_associated_interfaces_.get(); | 
|  | } | 
|  |  | 
|  | PageVisibilityState RenderFrameHostImpl::GetVisibilityState() { | 
|  | // Works around the crashes seen in https://crbug.com/501863, where the | 
|  | // active WebContents from a browser iterator may contain a render frame | 
|  | // detached from the frame tree. This tries to find a RenderWidgetHost | 
|  | // attached to an ancestor frame, and defaults to visibility hidden if | 
|  | // it fails. | 
|  | // TODO(yfriedman, peter): Ideally this would never be called on an | 
|  | // unattached frame and we could omit this check. See | 
|  | // https://crbug.com/615867. | 
|  | RenderFrameHostImpl* frame = this; | 
|  | while (frame) { | 
|  | if (frame->GetLocalRenderWidgetHost()) | 
|  | break; | 
|  | frame = frame->GetParent(); | 
|  | } | 
|  | if (!frame) { | 
|  | return PageVisibilityState::kHidden; | 
|  | } | 
|  |  | 
|  | return GetRenderWidgetHost()->is_hidden() ? PageVisibilityState::kHidden | 
|  | : PageVisibilityState::kVisible; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::OnMessageReceived(const IPC::Message& msg) { | 
|  | // Only process messages if the RenderFrame is alive. | 
|  | if (!is_render_frame_created()) | 
|  | return false; | 
|  |  | 
|  | // Crash reports triggered by IPC messages for this frame should be associated | 
|  | // with its URL. | 
|  | ScopedActiveURL scoped_active_url(this); | 
|  |  | 
|  | if (delegate_->OnMessageReceived(this, msg)) | 
|  | return true; | 
|  |  | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnAssociatedInterfaceRequest( | 
|  | const std::string& interface_name, | 
|  | mojo::ScopedInterfaceEndpointHandle handle) { | 
|  | // `this` is an `IPC::Listener`, but there is no path by which `this` would | 
|  | // receive associated interface requests through this method. Associated | 
|  | // interface requests come in through `GetAssociatedInterface()`. | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | std::string RenderFrameHostImpl::ToDebugString() { | 
|  | return "RFHI:" + | 
|  | render_view_host_->GetDelegate()->GetCreatorLocation().ToString(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AccessibilityPerformAction( | 
|  | const ui::AXActionData& action_data) { | 
|  | // Don't perform any Accessibility action on an inactive frame. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kAXPerformAction) || | 
|  | !render_accessibility_) | 
|  | return; | 
|  |  | 
|  | if (action_data.action == ax::mojom::Action::kHitTest) { | 
|  | AccessibilityHitTest(action_data.target_point, | 
|  | action_data.hit_test_event_to_fire, | 
|  | action_data.request_id, {}); | 
|  | return; | 
|  | } | 
|  | // Set the input modality in RenderWidgetHostViewAura to touch so the | 
|  | // VK shows up. | 
|  | if (action_data.action == ax::mojom::Action::kFocus) { | 
|  | RenderWidgetHostViewBase* view = static_cast<RenderWidgetHostViewBase*>( | 
|  | render_view_host_->GetWidget()->GetView()); | 
|  | if (view) | 
|  | view->SetLastPointerType(ui::EventPointerType::kTouch); | 
|  | } | 
|  |  | 
|  | render_accessibility_->PerformAction(action_data); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::AccessibilityViewHasFocus() { | 
|  | RenderWidgetHostView* view = render_view_host_->GetWidget()->GetView(); | 
|  | if (view) | 
|  | return view->AccessibilityHasFocus(); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AccessibilityViewSetFocus() { | 
|  | // Don't update Accessibility for inactive frames. | 
|  | if (IsInactiveAndDisallowActivation(DisallowActivationReasonId::kAXSetFocus)) | 
|  | return; | 
|  |  | 
|  | RenderWidgetHostView* view = render_view_host_->GetWidget()->GetView(); | 
|  | if (view) | 
|  | view->Focus(); | 
|  | } | 
|  |  | 
|  | gfx::Rect RenderFrameHostImpl::AccessibilityGetViewBounds() { | 
|  | RenderWidgetHostView* view = render_view_host_->GetWidget()->GetView(); | 
|  | if (view) | 
|  | return view->GetViewBounds(); | 
|  | return gfx::Rect(); | 
|  | } | 
|  |  | 
|  | float RenderFrameHostImpl::AccessibilityGetDeviceScaleFactor() { | 
|  | return GetScaleFactorForView(GetView()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AccessibilityReset() { | 
|  | if (!render_accessibility_) | 
|  | return; | 
|  |  | 
|  | accessibility_reset_token_ = ++g_accessibility_reset_token; | 
|  | is_first_accessibility_request_ = false; | 
|  | accessibility_reset_start_ = base::TimeTicks::Now(); | 
|  | render_accessibility_->Reset(*accessibility_reset_token_); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UnrecoverableAccessibilityError() { | 
|  | CHECK(!ui::AXTreeManager::IsFailFastMode()); | 
|  | browser_accessibility_manager_.reset(); | 
|  | if (!render_accessibility_) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | static auto* ax_rfhi_url_crash_key = base::debug::AllocateCrashKeyString( | 
|  | "ax_rfhi_url", base::debug::CrashKeySize::Size256); | 
|  | base::debug::ScopedCrashKeyString ax_rfhi_url(ax_rfhi_url_crash_key, | 
|  | GetLastCommittedURL().spec()); | 
|  | static auto* ax_rfhi_top_url_crash_key = base::debug::AllocateCrashKeyString( | 
|  | "ax_rfhi_top_url", base::debug::CrashKeySize::Size256); | 
|  | base::debug::ScopedCrashKeyString ax_rfhi_top_url( | 
|  | ax_rfhi_top_url_crash_key, | 
|  | GetOutermostMainFrameOrEmbedder()->GetLastCommittedURL().spec()); | 
|  |  | 
|  | // Turn off accessibility for this WebContents to ensure we don't continue | 
|  | // churning on failures, but do not crash the renderer. | 
|  | delegate_->UnrecoverableAccessibilityError(); | 
|  | // Crash keys were set in BrowserAccessibilityManager::Unserialize(). | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | } | 
|  |  | 
|  | gfx::AcceleratedWidget | 
|  | RenderFrameHostImpl::AccessibilityGetAcceleratedWidget() { | 
|  | DCHECK(AccessibilityIsRootFrame()); | 
|  | // Only the active RenderFrameHost is connected to the native widget tree for | 
|  | // accessibility, so return null if this is queried on any other frame. | 
|  | if (!IsActive()) | 
|  | return gfx::kNullAcceleratedWidget; | 
|  |  | 
|  | RenderWidgetHostViewBase* view = static_cast<RenderWidgetHostViewBase*>( | 
|  | render_view_host_->GetWidget()->GetView()); | 
|  | if (view) | 
|  | return view->AccessibilityGetAcceleratedWidget(); | 
|  | return gfx::kNullAcceleratedWidget; | 
|  | } | 
|  |  | 
|  | gfx::NativeViewAccessible | 
|  | RenderFrameHostImpl::AccessibilityGetNativeViewAccessible() { | 
|  | RenderWidgetHostViewBase* view = static_cast<RenderWidgetHostViewBase*>( | 
|  | render_view_host_->GetWidget()->GetView()); | 
|  | if (view) | 
|  | return view->AccessibilityGetNativeViewAccessible(); | 
|  | return gfx::NativeViewAccessible(); | 
|  | } | 
|  |  | 
|  | gfx::NativeViewAccessible | 
|  | RenderFrameHostImpl::AccessibilityGetNativeViewAccessibleForWindow() { | 
|  | // If this method is called when the frame is in BackForwardCache, evict | 
|  | // the frame to avoid ignoring any accessibility related events which are not | 
|  | // expected. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kAXGetNativeViewForWindow)) | 
|  | return gfx::NativeViewAccessible(); | 
|  |  | 
|  | RenderWidgetHostViewBase* view = static_cast<RenderWidgetHostViewBase*>( | 
|  | render_view_host_->GetWidget()->GetView()); | 
|  | if (view) | 
|  | return view->AccessibilityGetNativeViewAccessibleForWindow(); | 
|  | return gfx::NativeViewAccessible(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AccessibilityHitTest( | 
|  | const gfx::Point& point_in_frame_pixels, | 
|  | const ax::mojom::Event& opt_event_to_fire, | 
|  | int opt_request_id, | 
|  | base::OnceCallback<void(ui::AXPlatformTreeManager* hit_manager, | 
|  | ui::AXNodeID hit_node_id)> opt_callback) { | 
|  | // This is called by BrowserAccessibilityManager. During teardown it's | 
|  | // possible that render_accessibility_ is null but the corresponding | 
|  | // BrowserAccessibilityManager still exists and could call this. | 
|  | if (IsInactiveAndDisallowActivation(DisallowActivationReasonId::kAXHitTest) || | 
|  | !render_accessibility_) { | 
|  | if (opt_callback) | 
|  | std::move(opt_callback).Run(nullptr, ui::kInvalidAXNodeID); | 
|  | return; | 
|  | } | 
|  |  | 
|  | render_accessibility_->HitTest( | 
|  | point_in_frame_pixels, opt_event_to_fire, opt_request_id, | 
|  | base::BindOnce(&RenderFrameHostImpl::AccessibilityHitTestCallback, | 
|  | weak_ptr_factory_.GetWeakPtr(), opt_request_id, | 
|  | opt_event_to_fire, std::move(opt_callback))); | 
|  | } | 
|  |  | 
|  | gfx::NativeWindow RenderFrameHostImpl::GetTopLevelNativeWindow() { | 
|  | return delegate_ ? delegate_->GetOwnerNativeWindow() : gfx::NativeWindow(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CanFireAccessibilityEvents() const { | 
|  | return IsActive(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldSuppressAXLoadComplete() { | 
|  | if (!AccessibilityIsRootFrame()) { | 
|  | return false; | 
|  | } | 
|  | return GetContentClient()->browser()->ShouldSuppressAXLoadComplete(this); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::AccessibilityIsRootFrame() const { | 
|  | // Do not use is_main_frame() or IsOutermostMainFrame(). | 
|  | // Frame trees may be nested so it can be the case that is_main_frame() is | 
|  | // true, but is not the outermost RenderFrameHost (it only checks for nullity | 
|  | // of |parent_|. In particular, !is_main_frame() cannot be used to check if | 
|  | // this RenderFrameHost is embedded. In addition, IsOutermostMainFrame() | 
|  | // does not escape guest views. Therefore, we must check for any kind of | 
|  | // parent document or embedder. | 
|  | return !GetParentOrOuterDocumentOrEmbedderExcludingProspectiveOwners(); | 
|  | } | 
|  |  | 
|  | WebContentsAccessibility* | 
|  | RenderFrameHostImpl::AccessibilityGetWebContentsAccessibility() { | 
|  | DCHECK(AccessibilityIsRootFrame()); | 
|  | auto* view = static_cast<RenderWidgetHostViewBase*>(GetView()); | 
|  | if (!view) | 
|  | return nullptr; | 
|  | return view->GetWebContentsAccessibility(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::AccessibilityIsWebContentSource() { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | ui::AXPlatformNodeId RenderFrameHostImpl::GetOrCreateAXNodeUniqueId( | 
|  | ui::AXNodeID ax_node_id) { | 
|  | auto [iter, inserted] = | 
|  | ax_unique_ids_.try_emplace(ax_node_id, ui::AXUniqueId::CreateInvalid()); | 
|  | if (inserted) { | 
|  | iter->second = ui::AXUniqueId::Create(); | 
|  | } | 
|  | return iter->second; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnAXNodeDeleted(ui::AXNodeID ax_node_id) { | 
|  | ax_unique_ids_.erase(ax_node_id); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::InitializePolicyContainerHost( | 
|  | bool renderer_initiated_creation_of_main_frame) { | 
|  | // No policy container for speculative frames. | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kSpeculative) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // During initialization, a RenderFrameHost always has a non-null `owner_`. | 
|  | // This is called from the constructor. | 
|  | CHECK(owner_); | 
|  |  | 
|  | // The initial empty document inherits its policy container from its creator. | 
|  | // The creator is either its parent for subframes and embedded frames, or its | 
|  | // opener for new windows. | 
|  | // | 
|  | // Note 1: For normal document created from a navigation, the policy container | 
|  | // is computed from the NavigationRequest and assigned in | 
|  | // DidCommitNewDocument(). | 
|  | if (parent_) { | 
|  | SetPolicyContainerHost(parent_->policy_container_host()->Clone()); | 
|  | } else if (GetParentOrOuterDocument()) { | 
|  | // In the MPArch implementation of FencedFrame, this RenderFrameHost's | 
|  | // SiteInstance has been adjusted to match its parent. During navigations, | 
|  | // COOP, COEP and DIP are used to determine the SiteInstance. It means that | 
|  | // if SiteInstance has been inherited, COOP,COEP and DIP  must also be | 
|  | // inherited to avoid creating inconsistencies. See: | 
|  | // https://chromium-review.googlesource.com/c/chromium/src/+/3645368 | 
|  | // | 
|  | // TODO(crbug.com/40849161): What makes sense for GuestView? | 
|  | const PolicyContainerPolicies& parent_policies = | 
|  | GetParentOrOuterDocument()->policy_container_host()->policies(); | 
|  |  | 
|  | // Note: the full constructor is used, to force developers to make an | 
|  | // explicit decision when adding new fields to the PolicyContainer. | 
|  | // The IP address space of fenced frame is set to `kPublic`. | 
|  | // 1. This makes it subject to local network access checks, restricting | 
|  | // its ability to access the private network. | 
|  | // 2. The IP address space of the parent does not leak to the fenced frame. | 
|  | SetPolicyContainerHost( | 
|  | base::MakeRefCounted<PolicyContainerHost>(PolicyContainerPolicies( | 
|  | network::mojom::ReferrerPolicy::kDefault, | 
|  | IsFencedFrameRoot() ? network::mojom::IPAddressSpace::kPublic | 
|  | : network::mojom::IPAddressSpace::kUnknown, | 
|  | /*is_web_secure_context=*/false, | 
|  | std::vector<network::mojom::ContentSecurityPolicyPtr>(), | 
|  | parent_policies.cross_origin_opener_policy, | 
|  | parent_policies.cross_origin_embedder_policy, | 
|  | parent_policies.document_isolation_policy, | 
|  | parent_policies.integrity_policy, | 
|  | parent_policies.integrity_policy_report_only, | 
|  | network::mojom::WebSandboxFlags::kNone, | 
|  | /*is_credentialless=*/false, | 
|  | /*can_navigate_top_without_user_gesture=*/true, | 
|  | parent_policies.cross_origin_isolation_enabled_by_dip))); | 
|  | } else if (owner_->GetOpener()) { | 
|  | // During a `window.open(...)` without `noopener`, a new popup is created | 
|  | // and always starts from the initial empty document. The opener has | 
|  | // synchronous access toward its openee. So they must both share the same | 
|  | // policies. | 
|  | SetPolicyContainerHost(owner_->GetOpener() | 
|  | ->current_frame_host() | 
|  | ->policy_container_host() | 
|  | ->Clone()); | 
|  | } else { | 
|  | // In all the other cases, there is no environment to inherit policies | 
|  | // from. This is "probably" a new top-level about:blank document created by | 
|  | // the browser directly (omnibox, bookmarks, ...). | 
|  | PolicyContainerPolicies policies; | 
|  |  | 
|  | // Main frames created by the browser are treated as belonging the | 
|  | // `loopback` address space, so that they can make requests to any address | 
|  | // space unimpeded. The only way to execute code in such a context is to | 
|  | // inject it via DevTools, WebView APIs, or extensions; it is impossible to | 
|  | // do so with Web Platform means only. | 
|  | // | 
|  | // See also https://crbug.com/1191161. | 
|  | // | 
|  | // We also exclude prerendering from this case manually, since prendering | 
|  | // RenderFrameHosts are unconditionally created with the | 
|  | // `renderer_initiated_creation_of_main_frame` set to false, even though the | 
|  | // frames arguably are renderer-created. | 
|  | // | 
|  | // TODO(crbug.com/40758431): Address the prerendering case. | 
|  | DCHECK(IsOutermostMainFrame()); | 
|  | if (!renderer_initiated_creation_of_main_frame && | 
|  | lifecycle_state_ != LifecycleStateImpl::kPrerendering) { | 
|  | policies.ip_address_space = network::mojom::IPAddressSpace::kLoopback; | 
|  | } | 
|  |  | 
|  | SetPolicyContainerHost( | 
|  | base::MakeRefCounted<PolicyContainerHost>(std::move(policies))); | 
|  | } | 
|  |  | 
|  | // The initial empty documents sandbox flags is the union from: | 
|  | // - The parent or opener document's CSP sandbox inherited by policy | 
|  | //   container. | 
|  | // - The frame's sandbox flags, contained in browsing_context_state. This | 
|  | //   are either: | 
|  | //   1. For iframe: the parent + iframe.sandbox attribute. | 
|  | //   2. For popups: the opener if "allow-popups-to-escape-sandbox" isn't | 
|  | //   set. | 
|  | network::mojom::WebSandboxFlags sandbox_flags_to_commit = | 
|  | browsing_context_state_->effective_frame_policy().sandbox_flags; | 
|  | for (const auto& csp : | 
|  | policy_container_host_->policies().content_security_policies) { | 
|  | sandbox_flags_to_commit |= csp->sandbox; | 
|  | } | 
|  | policy_container_host_->set_sandbox_flags(sandbox_flags_to_commit); | 
|  |  | 
|  | // The initial empty document's credentialless bit was inherited from the | 
|  | // parent document. The frame's credentialless bit can also turn it on. | 
|  | if (owner_->Credentialless()) { | 
|  | policy_container_host_->SetIsCredentialless(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetPolicyContainerHost( | 
|  | scoped_refptr<PolicyContainerHost> policy_container_host) { | 
|  | policy_container_host_ = std::move(policy_container_host); | 
|  | policy_container_host_->AssociateWithFrameToken( | 
|  | GetFrameToken(), GetProcess()->GetDeprecatedID()); | 
|  | // Top-level document are never credentialless. | 
|  | // Note: It is never inherited from the opener, because they are forced to | 
|  | // open windows using noopener. | 
|  | devtools_instrumentation::DidUpdatePolicyContainerHost(frame_tree_node_); | 
|  | CHECK(parent_ || !IsCredentialless()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::InitializePrivateNetworkRequestPolicy() { | 
|  | if (!policy_container_host_) { | 
|  | // Only speculative RFHs may lack a policy container. | 
|  | DCHECK_EQ(lifecycle_state_, LifecycleStateImpl::kSpeculative); | 
|  | return; | 
|  | } | 
|  |  | 
|  | private_network_request_policy_ = DerivePrivateNetworkRequestPolicy( | 
|  | policy_container_host_->policies(), | 
|  | PrivateNetworkRequestContext::kSubresource); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RenderProcessGone( | 
|  | SiteInstanceGroup* site_instance_group, | 
|  | const ChildProcessTerminationInfo& info) { | 
|  | DCHECK_EQ(site_instance_->group(), site_instance_group); | 
|  |  | 
|  | if (IsInBackForwardCache()) { | 
|  | EvictFromBackForwardCacheWithReason( | 
|  | info.status == base::TERMINATION_STATUS_PROCESS_CRASHED | 
|  | ? BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kRendererProcessCrashed | 
|  | : BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kRendererProcessKilled); | 
|  | } | 
|  |  | 
|  | CancelPrerendering(PrerenderCancellationReason( | 
|  | info.status == base::TERMINATION_STATUS_PROCESS_CRASHED | 
|  | ? PrerenderFinalStatus::kRendererProcessCrashed | 
|  | : PrerenderFinalStatus::kRendererProcessKilled)); | 
|  |  | 
|  | if (owned_render_widget_host_) | 
|  | owned_render_widget_host_->RendererExited(); | 
|  |  | 
|  | // The renderer process is gone, so this frame can no longer be loading. | 
|  | ResetOwnedNavigationRequests(NavigationDiscardReason::kRenderProcessGone); | 
|  | ResetLoadingState(); | 
|  |  | 
|  | // Also, clear any pending navigations that have been blocked while the | 
|  | // embedder is processing window.open() requests.  This is consistent | 
|  | // with clearing NavigationRequests and loading state above, and it also | 
|  | // makes sense because certain parts of `pending_navigate_`, like the | 
|  | // NavigationClient remote interface, can no longer be used. | 
|  | pending_navigate_.reset(); | 
|  |  | 
|  | // Any future UpdateState or UpdateTitle messages from this or a recreated | 
|  | // process should be ignored until the next commit. | 
|  | set_nav_entry_id(0); | 
|  |  | 
|  | // During fast-shutdown, avoid cleanup as the VideoCaptureHost will still send | 
|  | // removal notifications after this function ends. | 
|  | if (!GetProcess()->FastShutdownStarted()) { | 
|  | CleanUpMediaStreams(); | 
|  | } | 
|  |  | 
|  | ++renderer_exit_count_; | 
|  |  | 
|  | MaybeGenerateCrashReport(info.status, info.exit_code); | 
|  |  | 
|  | // Reporting API: Send any queued reports and mark the reporting source as | 
|  | // expired so that the reporting configuration in the network service can be | 
|  | // removed. This is done here, rather than in the destructor, as it needs the | 
|  | // mojo pipe to the network service. | 
|  | GetProcess() | 
|  | ->GetStoragePartition() | 
|  | ->GetNetworkContext() | 
|  | ->SendReportsAndRemoveSource(GetReportingSource()); | 
|  |  | 
|  | // When a frame's process dies, its RenderFrame no longer exists, which means | 
|  | // that its child frames must be cleaned up as well. | 
|  | ResetChildren(); | 
|  |  | 
|  | // Reset state for the current RenderFrameHost once the FrameTreeNode has been | 
|  | // reset. | 
|  | RenderFrameDeleted(); | 
|  | SetLastCommittedUrl(GURL()); | 
|  | SetInheritedBaseUrl(GURL()); | 
|  | renderer_url_info_ = RendererURLInfo(); | 
|  |  | 
|  | must_be_replaced_for_crash_ = true; | 
|  | has_committed_any_navigation_ = false; | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | // Execute any pending Samsung smart clip callbacks. | 
|  | for (base::IDMap<std::unique_ptr<ExtractSmartClipDataCallback>>::iterator | 
|  | iter(&smart_clip_callbacks_); | 
|  | !iter.IsAtEnd(); iter.Advance()) { | 
|  | std::move(*iter.GetCurrentValue()) | 
|  | .Run(std::u16string(), std::u16string(), gfx::Rect()); | 
|  | } | 
|  | smart_clip_callbacks_.Clear(); | 
|  | #endif  // BUILDFLAG(IS_ANDROID) | 
|  |  | 
|  | // Ensure that future remote interface requests are associated with the new | 
|  | // process's channel. | 
|  | remote_associated_interfaces_.reset(); | 
|  |  | 
|  | // Any termination disablers in content loaded by the new process will | 
|  | // be sent again. | 
|  | has_before_unload_handler_ = false; | 
|  | has_unload_handler_ = false; | 
|  | has_pagehide_handler_ = false; | 
|  | has_visibilitychange_handler_ = false; | 
|  |  | 
|  | has_navigate_event_handler_ = false; | 
|  |  | 
|  | if (IsPendingDeletion()) { | 
|  | // If the process has died, we don't need to wait for the ACK. Complete the | 
|  | // deletion immediately. | 
|  | // Note that it is possible for a frame to already be in kReadyToBeDeleted. | 
|  | // This happens when this RenderFrameHost is pending deletion and is | 
|  | // waiting on one of its children to run its unload handler. While running | 
|  | // it, it can request its parent to detach itself. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kReadyToBeDeleted) | 
|  | SetLifecycleState(LifecycleStateImpl::kReadyToBeDeleted); | 
|  |  | 
|  | DCHECK(children_.empty()); | 
|  | PendingDeletionCheckCompleted();  // Can delete |this|. | 
|  | // |this| is deleted. Don't add any more code at this point in the function. | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If this was the current pending or speculative RFH dying, cancel and | 
|  | // destroy it. | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kSpeculative || | 
|  | lifecycle_state_ == LifecycleStateImpl::kPendingCommit) { | 
|  | CHECK(owner_);  // See `owner_` invariants about `lifecycle_state_`. | 
|  | owner_->GetRenderFrameHostManager() | 
|  | .CleanupSpeculativeRfhForRenderProcessGone(); | 
|  | } | 
|  |  | 
|  | // Note: don't add any more code at this point in the function because | 
|  | // |this| may be deleted. Any additional cleanup should happen before | 
|  | // the last block of code here. | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PerformAction(const ui::AXActionData& data) { | 
|  | AccessibilityPerformAction(data); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::RequiresPerformActionPointInPixels() const { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CreateRenderFrame( | 
|  | const std::optional<blink::FrameToken>& previous_frame_token, | 
|  | const std::optional<blink::FrameToken>& opener_frame_token, | 
|  | const std::optional<blink::FrameToken>& parent_frame_token, | 
|  | const std::optional<blink::FrameToken>& previous_sibling_frame_token, | 
|  | const std::optional<base::UnguessableToken>& navigation_metrics_token) { | 
|  | TRACE_EVENT0("navigation", "RenderFrameHostImpl::CreateRenderFrame"); | 
|  | DCHECK(!IsRenderFrameLive()) << "Creating frame twice"; | 
|  |  | 
|  | // The process may (if we're sharing a process with another host that already | 
|  | // initialized it) or may not (we have our own process or the old process | 
|  | // crashed) have been initialized. Calling Init() multiple times will be | 
|  | // ignored, so this is safe. | 
|  | if (!GetAgentSchedulingGroup().Init()) | 
|  | return false; | 
|  |  | 
|  | DCHECK(GetProcess()->IsInitializedAndNotDead()); | 
|  |  | 
|  | mojom::CreateFrameParamsPtr params = mojom::CreateFrameParams::New(); | 
|  | BindBrowserInterfaceBrokerReceiver( | 
|  | params->interface_broker.InitWithNewPipeAndPassReceiver()); | 
|  |  | 
|  | params->routing_id = routing_id_; | 
|  | params->is_for_nested_main_frame = | 
|  | is_main_frame() && | 
|  | render_view_host_->ViewWidgetType() != mojom::ViewWidgetType::kTopLevel; | 
|  | params->previous_frame_token = previous_frame_token; | 
|  | params->opener_frame_token = opener_frame_token; | 
|  | params->parent_frame_token = parent_frame_token; | 
|  | params->previous_sibling_frame_token = previous_sibling_frame_token; | 
|  | params->tree_scope_type = frame_tree_node()->tree_scope_type(); | 
|  | params->replication_state = | 
|  | browsing_context_state_->current_replication_state().Clone(); | 
|  | params->frame_token = frame_token_; | 
|  | params->devtools_frame_token = devtools_frame_token(); | 
|  | BindAssociatedInterfaceProviderReceiver( | 
|  | params->associated_interface_provider_remote | 
|  | .InitWithNewEndpointAndPassReceiver()); | 
|  | params->document_token = document_associated_data_->token(); | 
|  | params->navigation_metrics_token = navigation_metrics_token; | 
|  |  | 
|  | // If this is a new RenderFrameHost for a frame that has already committed a | 
|  | // document, we don't have a policy container yet. Indeed, in that case, this | 
|  | // RenderFrameHost will not display any document until it commits a | 
|  | // navigation. The policy container for the navigated document will be sent to | 
|  | // Blink at CommitNavigation time and then stored in this RenderFrameHost in | 
|  | // DidCommitNewDocument. | 
|  | if (policy_container_host()) | 
|  | params->policy_container = | 
|  | policy_container_host()->CreatePolicyContainerForBlink(); | 
|  |  | 
|  | // Normally, the replication state contains effective frame policy, excluding | 
|  | // sandbox flags and permissions policy attributes that were updated but have | 
|  | // not taken effect. However, a new RenderFrame should use the pending frame | 
|  | // policy, since it is being created as part of the navigation that will | 
|  | // commit it. (I.e., the RenderFrame needs to know the policy to use when | 
|  | // initializing the new document once it commits). | 
|  | params->replication_state->frame_policy = | 
|  | frame_tree_node()->pending_frame_policy(); | 
|  |  | 
|  | // If we switched BrowsingInstances because of the COOP header, we should | 
|  | // clear the frame name. This below informs the renderer at frame creation. | 
|  | NavigationRequest* navigation_request = | 
|  | frame_tree_node()->navigation_request(); | 
|  | BrowserContext* context = | 
|  | frame_tree_node()->navigator().controller().GetBrowserContext(); | 
|  |  | 
|  | bool should_clear_browsing_instance_name = | 
|  | navigation_request && | 
|  | (navigation_request->browsing_context_group_swap() | 
|  | .ShouldClearWindowName() || | 
|  | (navigation_request->commit_params() | 
|  | .is_cross_site_cross_browsing_context_group && | 
|  | base::FeatureList::IsEnabled( | 
|  | features::kClearCrossSiteCrossBrowsingContextGroupWindowName) && | 
|  | GetContentClient() | 
|  | ->browser() | 
|  | ->IsClearWindowNameForNewBrowsingContextGroupAllowed(context))); | 
|  |  | 
|  | if (should_clear_browsing_instance_name) { | 
|  | params->replication_state->name = ""; | 
|  | // The "swaps" only affect main frames, that have an empty unique name. | 
|  | DCHECK(params->replication_state->unique_name.empty()); | 
|  | } | 
|  |  | 
|  | params->frame_owner_properties = | 
|  | frame_tree_node()->frame_owner_properties().Clone(); | 
|  |  | 
|  | params->is_on_initial_empty_document = | 
|  | frame_tree_node()->is_on_initial_empty_document(); | 
|  |  | 
|  | // The RenderWidgetHost takes ownership of its view. It is tied to the | 
|  | // lifetime of the current RenderProcessHost for this RenderFrameHost. | 
|  | // TODO(avi): This will need to change to initialize a | 
|  | // RenderWidgetHostViewAura for the main frame once RenderViewHostImpl has-a | 
|  | // RenderWidgetHostImpl. https://crbug.com/545684 | 
|  | if (owned_render_widget_host_) { | 
|  | DCHECK(parent_); | 
|  | DCHECK(parent_frame_token); | 
|  | RenderWidgetHostView* rwhv = RenderWidgetHostViewChildFrame::Create( | 
|  | owned_render_widget_host_.get(), | 
|  | parent_->GetRenderWidgetHost()->GetScreenInfos()); | 
|  | // The child frame should be created hidden. | 
|  | DCHECK(!rwhv->IsShowing()); | 
|  | } | 
|  |  | 
|  | if (auto* rwh = GetLocalRenderWidgetHost()) { | 
|  | params->widget_params = rwh->BindAndGenerateCreateFrameWidgetParams(); | 
|  |  | 
|  | auto* previous_rfh = lifecycle_state_ == LifecycleStateImpl::kSpeculative | 
|  | ? frame_tree_node_->current_frame_host() | 
|  | : nullptr; | 
|  | if (previous_rfh) { | 
|  | // When migrating a frame to a new/different render process, use the frame | 
|  | // size we already have from the existing RenderFrameHost. | 
|  | if (params->widget_params->visual_properties.new_size_device_px | 
|  | .IsZero()) { | 
|  | params->widget_params->visual_properties.new_size_device_px = | 
|  | previous_rfh->GetFrameSize().value_or(gfx::Size()); | 
|  | } | 
|  |  | 
|  | params->widget_params->reuse_compositor = | 
|  | frame_tree_node_->current_frame_host()->ShouldReuseCompositing( | 
|  | *GetSiteInstance()); | 
|  | if (params->widget_params->reuse_compositor) { | 
|  | waiting_for_renderer_widget_creation_after_commit_ = true; | 
|  | } | 
|  | } | 
|  | } | 
|  | mojo::PendingAssociatedRemote<mojom::Frame> pending_frame_remote; | 
|  | params->frame = pending_frame_remote.InitWithNewEndpointAndPassReceiver(); | 
|  | SetMojomFrameRemote(std::move(pending_frame_remote)); | 
|  |  | 
|  | // https://crbug.com/1006814. The renderer needs at least one of these tokens | 
|  | // to be able to insert the new frame in the frame tree. | 
|  | DCHECK(params->previous_frame_token || params->parent_frame_token); | 
|  | GetAgentSchedulingGroup().CreateFrame(std::move(params)); | 
|  |  | 
|  | if (previous_frame_token && | 
|  | previous_frame_token->Is<blink::RemoteFrameToken>()) { | 
|  | RenderFrameProxyHost* proxy = RenderFrameProxyHost::FromFrameToken( | 
|  | GetProcess()->GetDeprecatedID(), | 
|  | previous_frame_token->GetAs<blink::RemoteFrameToken>()); | 
|  | // We have also created a `blink::RemoteFrame` in CreateFrame above, so | 
|  | // remember that. | 
|  | CHECK(proxy); | 
|  | proxy->SetRenderFrameProxyCreated(true); | 
|  | } | 
|  |  | 
|  | // The renderer now has a RenderFrame for this RenderFrameHost.  Note that | 
|  | // this path is only used for out-of-process iframes.  Main frame RenderFrames | 
|  | // are created with their RenderView, and same-site iframes are created at the | 
|  | // time of OnCreateChildFrame. | 
|  | RenderFrameCreated(); | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NotifyWillCreateRenderWidgetOnCommit() { | 
|  | waiting_for_renderer_widget_creation_after_commit_ = true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetMojomFrameRemote( | 
|  | mojo::PendingAssociatedRemote<mojom::Frame> frame_remote) { | 
|  | DCHECK(!frame_); | 
|  | frame_.Bind(std::move(frame_remote)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DeleteRenderFrame( | 
|  | mojom::FrameDeleteIntention intent) { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::DeleteRenderFrame", | 
|  | [&](perfetto::EventContext ctx) { | 
|  | WriteRenderFrameImplDeletion(ctx, this, intent); | 
|  | }); | 
|  | base::ScopedUmaHistogramTimer histogram_timer( | 
|  | "Navigation.RenderFrameHostImpl.DeleteRenderFrame"); | 
|  | if (IsPendingDeletion()) | 
|  | return; | 
|  |  | 
|  | if (IsRenderFrameLive()) { | 
|  | GetMojomFrameInRenderer()->Delete(intent); | 
|  |  | 
|  | // We change the lifecycle state to kRunningUnloadHandlers at the end of | 
|  | // this method to wait until OnUnloadACK() is invoked. | 
|  | // For subframes, process shutdown may be delayed for two reasons: | 
|  | // (1) to allow the process to be potentially reused by future navigations | 
|  | // withjin a short time window, and | 
|  | // (2) to give the subframe unload handlers a chance to execute. | 
|  | // TODO(crbug.com/40860307): consider delaying process shutdown for fenced | 
|  | // frames. | 
|  | if (!is_main_frame() && IsActive()) { | 
|  | base::TimeDelta subframe_shutdown_timeout = | 
|  | frame_tree_->IsBeingDestroyed() | 
|  | ? base::TimeDelta() | 
|  | : GetSubframeProcessShutdownDelay( | 
|  | GetSiteInstance()->GetBrowserContext()); | 
|  | // If this document has unload handlers (and is active), ensure that they | 
|  | // have a chance to execute by delaying process cleanup. This will prevent | 
|  | // the process from shutting down immediately in the case where this is | 
|  | // the last active frame in the process. See https://crbug.com/852204. | 
|  | // Note that in the majority of cases, this is not necessary now that we | 
|  | // keep track of pending delete RenderFrameHost | 
|  | // (https://crbug.com/609963), but there are still a few exceptions where | 
|  | // this is needed (https://crbug.com/1014550). | 
|  | const base::TimeDelta unload_handler_timeout = | 
|  | has_unload_handlers() ? subframe_unload_timeout_ : base::TimeDelta(); | 
|  |  | 
|  | if (!subframe_shutdown_timeout.is_zero() || | 
|  | !unload_handler_timeout.is_zero()) { | 
|  | GetProcess()->DelayProcessShutdown(subframe_shutdown_timeout, | 
|  | unload_handler_timeout, | 
|  | site_instance_->GetSiteInfo()); | 
|  | } | 
|  | // If the subframe takes too long to unload, force its removal from the | 
|  | // tree. See https://crbug.com/950625. | 
|  | subframe_unload_timer_.Start( | 
|  | FROM_HERE, subframe_unload_timeout_, this, | 
|  | &RenderFrameHostImpl::OnSubframeDeletionUnloadTimeout); | 
|  | } | 
|  | } | 
|  |  | 
|  | // In case of speculative RenderFrameHosts deletion, we don't run any unload | 
|  | // handlers and RenderFrameHost is deleted directly without any lifecycle | 
|  | // state transitions. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kSpeculative) { | 
|  | DCHECK(!has_unload_handlers()); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // In case of BackForwardCache, page is evicted directly from the cache and | 
|  | // deleted immediately, without waiting for unload handlers. | 
|  | SetLifecycleState(ShouldWaitForUnloadHandlers() | 
|  | ? LifecycleStateImpl::kRunningUnloadHandlers | 
|  | : LifecycleStateImpl::kReadyToBeDeleted); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RenderFrameCreated() { | 
|  | // In https://crbug.com/1146573 a WebContentsObserver was causing the frame to | 
|  | // be reinitialized during deletion. It is not valid to re-enter navigation | 
|  | // code like that and it led to an invalid state. This is not a DCHECK because | 
|  | // the corruption will not be visible until later, making the bug very | 
|  | // difficult to understand. | 
|  | CHECK_NE(render_frame_state_, RenderFrameState::kDeleting); | 
|  | // We should not create new RenderFrames while `frame_tree_` is being | 
|  | // destroyed (e.g., via a WebContentsObserver during WebContents shutdown). | 
|  | // This seems to have caused crashes in https://crbug.com/717650. | 
|  | CHECK(!frame_tree_->IsBeingDestroyed()); | 
|  | DCHECK_NE(render_frame_state_, RenderFrameState::kCreated); | 
|  |  | 
|  | const RenderFrameState old_render_frame_state = render_frame_state_; | 
|  | render_frame_state_ = RenderFrameState::kCreated; | 
|  |  | 
|  | if (old_render_frame_state == RenderFrameState::kDeleted) { | 
|  | // Dispatch update notification when a Page is recreated after a crash. Only | 
|  | // main RenderFrameHosts should ever be reused. | 
|  | DCHECK(is_main_frame()); | 
|  | // Only a current RenderFrameHost should be recreating its RenderFrame | 
|  | // here, since speculative and pending deletion RenderFrameHosts get | 
|  | // deleted immediately after crash, whereas prerender gets cancelled and | 
|  | // bfcache entry gets evicted. | 
|  | DCHECK_EQ(lifecycle_state(), LifecycleStateImpl::kActive); | 
|  | GetPage().NotifyPageBecameCurrent(); | 
|  | } | 
|  |  | 
|  | // Initialize the RenderWidgetHost which marks it and the RenderViewHost as | 
|  | // live before calling to the `delegate_`. | 
|  | if (!waiting_for_renderer_widget_creation_after_commit_) { | 
|  | RendererWidgetCreated(); | 
|  | } | 
|  |  | 
|  | // Set up mojo connections to the renderer from the `frame_` connection before | 
|  | // notifying the delegate. | 
|  | SetUpMojoConnection(); | 
|  |  | 
|  | delegate_->RenderFrameCreated(this); | 
|  |  | 
|  | if (!enabled_bindings_.empty()) { | 
|  | GetFrameBindingsControl()->AllowBindings(enabled_bindings_.ToEnumBitmask()); | 
|  | } | 
|  |  | 
|  | if (web_ui_ && enabled_bindings_.Has(BindingsPolicyValue::kWebUi)) { | 
|  | web_ui_->SetUpMojoConnection(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RendererWidgetCreated() { | 
|  | if (GetLocalRenderWidgetHost()) { | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | GetLocalRenderWidgetHost()->SetForceEnableZoom( | 
|  | delegate_->GetOrCreateWebPreferences().force_enable_zoom); | 
|  | #endif  // BUILDFLAG(IS_ANDROID) | 
|  | GetLocalRenderWidgetHost()->RendererWidgetCreated( | 
|  | /*for_frame_widget=*/true); | 
|  | } | 
|  |  | 
|  | waiting_for_renderer_widget_creation_after_commit_ = false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RenderFrameDeleted() { | 
|  | // In https://crbug.com/1146573 a WebContentsObserver was causing the frame to | 
|  | // be reinitialized during deletion. It is not valid to re-enter navigation | 
|  | // code like that and it led to an invalid state. This is not a DCHECK because | 
|  | // the corruption will cause a crash but later, making the bug very | 
|  | // difficult to understand. | 
|  | CHECK_NE(render_frame_state_, RenderFrameState::kDeleting); | 
|  | bool was_created = is_render_frame_created(); | 
|  | render_frame_state_ = RenderFrameState::kDeleting; | 
|  | render_frame_scoped_weak_ptr_factory_.InvalidateWeakPtrs(); | 
|  |  | 
|  | // If the current status is different than the new status, the delegate | 
|  | // needs to be notified. | 
|  | if (was_created) { | 
|  | delegate_->RenderFrameDeleted(this); | 
|  | } | 
|  | TearDownMojoConnection(); | 
|  |  | 
|  | #if !BUILDFLAG(IS_ANDROID) | 
|  | HostZoomMap* host_zoom_map = HostZoomMap::Get(GetSiteInstance()); | 
|  | host_zoom_map->ClearTemporaryZoomLevel(GetGlobalId()); | 
|  | #endif  // !BUILDFLAG(IS_ANDROID) | 
|  |  | 
|  | if (web_ui_) { | 
|  | web_ui_->RenderFrameDeleted(); | 
|  | web_ui_->TearDownMojoConnection(); | 
|  | } | 
|  | render_frame_state_ = RenderFrameState::kDeleted; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SwapIn() { | 
|  | GetAssociatedLocalFrame()->SwapInImmediately(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Init() { | 
|  | // This is only called on the main frame, for renderer-created windows. These | 
|  | // windows wait for the renderer to signal that we can show them and begin | 
|  | // navigations. | 
|  | DCHECK(is_main_frame()); | 
|  | DCHECK(waiting_for_init_); | 
|  |  | 
|  | waiting_for_init_ = false; | 
|  |  | 
|  | GetLocalRenderWidgetHost()->Init(); | 
|  |  | 
|  | if (pending_navigate_) { | 
|  | // `pending_navigate_` is set only by BeginNavigation(), and | 
|  | // BeginNavigation() should only be triggered when the navigation is | 
|  | // initiated by a document in the same process. | 
|  | const int initiator_process_id = GetProcess()->GetDeprecatedID(); | 
|  |  | 
|  | // Transfer `pending_navigate_` to a local variable, to avoid resetting it | 
|  | // after OnBeginNavigation since `this` might already be destroyed (see | 
|  | // below). | 
|  | // | 
|  | // This shouldn't matter for early RFH swaps out of crashed frames, since | 
|  | // `pending_navigate_` is cleared when the renderer process dies, but it | 
|  | // may matter for other current/future use cases of the early RFH swap. | 
|  | std::unique_ptr<PendingNavigation> pending_navigation = | 
|  | std::move(pending_navigate_); | 
|  | frame_tree_node()->navigator().OnBeginNavigation( | 
|  | frame_tree_node(), std::move(pending_navigation->common_params), | 
|  | std::move(pending_navigation->begin_navigation_params), | 
|  | std::move(pending_navigation->blob_url_loader_factory), | 
|  | std::move(pending_navigation->navigation_client), | 
|  | EnsurePrefetchedSignedExchangeCache(), initiator_process_id, | 
|  | std::move(pending_navigation->renderer_cancellation_listener)); | 
|  | // DO NOT ADD CODE after this, as `this` might be deleted if an early | 
|  | // RenderFrameHost swap was performed when starting the navigation above. | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameProxyHost* RenderFrameHostImpl::GetProxyToParent() { | 
|  | if (is_main_frame()) | 
|  | return nullptr; | 
|  |  | 
|  | return browsing_context_state_->GetRenderFrameProxyHost( | 
|  | GetParent()->GetSiteInstance()->group()); | 
|  | } | 
|  |  | 
|  | RenderFrameProxyHost* RenderFrameHostImpl::GetProxyToOuterDelegate() { | 
|  | // Precondition:RFH in subframe, in pending deletion, speculative, or in the | 
|  | // BFCache are not expected to access the outer WebContents. | 
|  | CHECK(lifecycle_state_ == LifecycleStateImpl::kActive || | 
|  | lifecycle_state_ == LifecycleStateImpl::kPrerendering); | 
|  | DCHECK(is_main_frame()); | 
|  |  | 
|  | CHECK(owner_);  // See `owner_` invariants about `lifecycle_state_`. | 
|  | return owner_->GetRenderFrameHostManager().GetProxyToOuterDelegate(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeReferrerPolicy( | 
|  | network::mojom::ReferrerPolicy referrer_policy) { | 
|  | if (!IsActive()) | 
|  | return; | 
|  | DCHECK(owner_);  // See `owner_` invariants about `IsActive()`. | 
|  | owner_->DidChangeReferrerPolicy(referrer_policy); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PropagateEmbeddingTokenToParentFrame() { | 
|  | // Protect against calls from WebContentsImpl::AttachInnerWebContents() that | 
|  | // happen before RFHI::SetEmbeddingToken() gets called, which is where the | 
|  | // token gets set. It's safe to early return in those cases since this method | 
|  | // will get called anyway by RFHI::SetEmbeddingToken(), at which time the | 
|  | // outer delegate for the inner web contents will have been created already. | 
|  | if (!embedding_token_) | 
|  | return; | 
|  |  | 
|  | // We need to propagate the token to the parent frame if it's either remote or | 
|  | // part of an outer web contents, therefore we need to figure out the right | 
|  | // proxy to send the token to, if any. | 
|  | // For local parents the propagation occurs within the renderer process. The | 
|  | // token is also present on the main frame for generalization when the main | 
|  | // frame in embedded in another context (e.g. browser UI). The main frame is | 
|  | // not embedded in the context of the frame tree so it is not propagated here. | 
|  | // See RenderFrameHost::GetEmbeddingToken for more details. | 
|  | RenderFrameProxyHost* target_render_frame_proxy = nullptr; | 
|  |  | 
|  | if (RequiresProxyToParent()) { | 
|  | // This subframe should have a remote parent frame. | 
|  | target_render_frame_proxy = GetProxyToParent(); | 
|  | DCHECK(target_render_frame_proxy); | 
|  | } else if (is_main_frame()) { | 
|  | // The main frame in an inner web contents could have a delegate in the | 
|  | // outer web contents, so we need to account for that as well. | 
|  | target_render_frame_proxy = GetProxyToOuterDelegate(); | 
|  | } | 
|  |  | 
|  | // Propagate the token to the right process, if a proxy was found. | 
|  | if (target_render_frame_proxy && | 
|  | target_render_frame_proxy->is_render_frame_proxy_live()) { | 
|  | target_render_frame_proxy->GetAssociatedRemoteFrame()->SetEmbeddingToken( | 
|  | embedding_token_.value()); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnMediaStreamAdded(MediaStreamType type) { | 
|  | int& media_stream_count = media_stream_counts_[type]; | 
|  | CHECK_NE(media_stream_count, std::numeric_limits<int>::max()); | 
|  |  | 
|  | ++media_stream_count; | 
|  |  | 
|  | // Only notify on the first media stream, as the delegate only care about the | 
|  | // existence of at least 1 stream, but not the exact count. | 
|  | if (media_stream_count == 1) { | 
|  | switch (type) { | 
|  | case MediaStreamType::kCapturingMediaStream: | 
|  | GetProcess()->OnMediaStreamAdded(); | 
|  | delegate_->OnFrameIsCapturingMediaStreamChanged(this, true); | 
|  | break; | 
|  | case GetAudibleMediaStreamType(): | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kPrerendering); | 
|  | GetProcess()->OnMediaStreamAdded(); | 
|  | delegate_->OnFrameAudioStateChanged(this, true); | 
|  | break; | 
|  | default: | 
|  | break; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnMediaStreamRemoved(MediaStreamType type) { | 
|  | int& media_stream_count = media_stream_counts_[type]; | 
|  | CHECK(media_stream_count); | 
|  |  | 
|  | --media_stream_count; | 
|  |  | 
|  | // Only notify the delegate if this is the last media stream that was removed | 
|  | // to match the behavior in `OnMediaStreamAdded`. | 
|  | if (media_stream_count == 0) { | 
|  | switch (type) { | 
|  | case MediaStreamType::kCapturingMediaStream: | 
|  | GetProcess()->OnMediaStreamRemoved(); | 
|  | delegate_->OnFrameIsCapturingMediaStreamChanged(this, false); | 
|  | break; | 
|  | case GetAudibleMediaStreamType(): | 
|  | GetProcess()->OnMediaStreamRemoved(); | 
|  | delegate_->OnFrameAudioStateChanged(this, false); | 
|  | break; | 
|  | default: | 
|  | break; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasMediaStreams(MediaStreamType type) const { | 
|  | return media_stream_counts_[type] > 0; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidAddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel log_level, | 
|  | const std::u16string& message, | 
|  | uint32_t line_no, | 
|  | const std::optional<std::u16string>& source_id, | 
|  | const std::optional<std::u16string>& untrusted_stack_trace) { | 
|  | std::u16string updated_source_id; | 
|  | if (source_id.has_value()) | 
|  | updated_source_id = *source_id; | 
|  | if (delegate_->DidAddMessageToConsole(this, log_level, message, line_no, | 
|  | updated_source_id, | 
|  | untrusted_stack_trace)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Pass through log severity only on builtin components pages to limit console | 
|  | // spew. | 
|  | const bool is_web_ui = HasWebUIScheme(GetMainFrame()->GetLastCommittedURL()); | 
|  | if (is_web_ui) { | 
|  | DCHECK_EQ(GetMainFrame(), GetOutermostMainFrame()) | 
|  | << "The mainframe and outermost mainframe should be the same in WebUI."; | 
|  | } | 
|  | const bool is_builtin_component = | 
|  | is_web_ui || | 
|  | GetContentClient()->browser()->IsBuiltinComponent( | 
|  | GetProcess()->GetBrowserContext(), GetLastCommittedOrigin()); | 
|  | const bool is_off_the_record = | 
|  | GetSiteInstance()->GetBrowserContext()->IsOffTheRecord(); | 
|  |  | 
|  | LogConsoleMessage(log_level, message, line_no, is_builtin_component, | 
|  | is_off_the_record, updated_source_id); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::FrameSizeChanged(const gfx::Size& frame_size) { | 
|  | frame_size_ = frame_size; | 
|  | delegate_->FrameSizeChanged(this, frame_size); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RendererDidActivateForPrerendering() { | 
|  | // RendererDidActivateForPrerendering() is called after the renderer has | 
|  | // notified that it fired the prerenderingchange event on the documents. The | 
|  | // browser now runs any binders that were deferred during prerendering. This | 
|  | // corresponds to the following steps of the activate algorithm: | 
|  | // | 
|  | // https://wicg.github.io/nav-speculation/prerendering.html#prerendering-browsing-context-activate | 
|  | // Step 8.3.4. "For each steps in doc's post-prerendering activation steps | 
|  | // list:" | 
|  | // Step 8.3.4.1. "Run steps." | 
|  |  | 
|  | // Release Mojo capability control to run the binders. The RenderFrameHostImpl | 
|  | // may have been created after activation started, in which case it already | 
|  | // does not have Mojo capability control applied. | 
|  | if (mojo_binder_policy_applier_) { | 
|  | mojo_binder_policy_applier_->GrantAll(); | 
|  |  | 
|  | // As per `ReleaseMojoBinderPolicies` method requirement, the policy applier | 
|  | // owner should call the method when destroying the object, so we first | 
|  | // need to call this method before resetting the unique pointer. | 
|  | broker_.ReleaseMojoBinderPolicies(); | 
|  | mojo_binder_policy_applier_.reset(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetCrossOriginOpenerPolicyReporter( | 
|  | std::unique_ptr<CrossOriginOpenerPolicyReporter> coop_reporter) { | 
|  | coop_access_report_manager_.set_coop_reporter(std::move(coop_reporter)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsCredentialless() const { | 
|  | return policy_container_host_->policies().is_credentialless; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsLastCrossDocumentNavigationStartedByUser() const { | 
|  | return last_cross_document_navigation_started_by_user_; | 
|  | } | 
|  |  | 
|  | std::vector<base::SafeRef<NavigationHandle>> | 
|  | RenderFrameHostImpl::GetPendingCommitCrossDocumentNavigations() const { | 
|  | // Obtain the NavigationHandles corresponding to each of pending | 
|  | // cross-document navigations for this RenderFrameHostImpl. | 
|  | std::vector<base::SafeRef<NavigationHandle>> handles; | 
|  | for (const auto& request : navigation_requests_) { | 
|  | handles.push_back(request.first->GetSafeRef()); | 
|  | } | 
|  | return handles; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnCreateChildFrame( | 
|  | int new_routing_id, | 
|  | mojo::PendingAssociatedRemote<mojom::Frame> frame_remote, | 
|  | mojo::PendingReceiver<blink::mojom::BrowserInterfaceBroker> | 
|  | browser_interface_broker_receiver, | 
|  | blink::mojom::PolicyContainerBindParamsPtr policy_container_bind_params, | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::AssociatedInterfaceProvider> | 
|  | associated_interface_provider_receiver, | 
|  | blink::mojom::TreeScopeType scope, | 
|  | const std::string& frame_name, | 
|  | const std::string& frame_unique_name, | 
|  | bool is_created_by_script, | 
|  | const blink::LocalFrameToken& frame_token, | 
|  | const base::UnguessableToken& devtools_frame_token, | 
|  | const blink::DocumentToken& document_token, | 
|  | const blink::FramePolicy& frame_policy, | 
|  | const blink::mojom::FrameOwnerProperties& frame_owner_properties, | 
|  | blink::FrameOwnerElementType owner_type, | 
|  | ukm::SourceId document_ukm_source_id) { | 
|  | // TODO(lukasza): Call ReceivedBadMessage when |frame_unique_name| is empty. | 
|  | DCHECK(!frame_unique_name.empty()); | 
|  | DCHECK(browser_interface_broker_receiver.is_valid()); | 
|  | DCHECK(policy_container_bind_params->receiver.is_valid()); | 
|  | DCHECK(associated_interface_provider_receiver.is_valid()); | 
|  | DCHECK(devtools_frame_token); | 
|  |  | 
|  | // The RenderFrame corresponding to this host sent an IPC message to create a | 
|  | // child, but by the time we get here, it's possible for its process to have | 
|  | // disconnected (maybe due to browser shutdown). Ignore such messages. | 
|  | if (!is_render_frame_created()) | 
|  | return; | 
|  |  | 
|  | // Only active and prerendered documents are allowed to create child | 
|  | // frames. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kPrerendering) { | 
|  | // The RenderFrame corresponding to this host sent an IPC message to create | 
|  | // a child, but by the time we get here, it's possible for the | 
|  | // RenderFrameHost to become inactive. Ignore such messages. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kCreateChildFrame)) | 
|  | return; | 
|  | } | 
|  |  | 
|  | // `new_routing_id`, `frame_token`, `devtools_frame_token` and | 
|  | // `document_token` were generated on the browser's IO thread and not taken | 
|  | // from the renderer process. | 
|  | FrameTreeNode* new_frame_tree_node = frame_tree_->AddFrame( | 
|  | this, GetProcess()->GetDeprecatedID(), new_routing_id, | 
|  | std::move(frame_remote), std::move(browser_interface_broker_receiver), | 
|  | std::move(policy_container_bind_params), | 
|  | std::move(associated_interface_provider_receiver), scope, frame_name, | 
|  | frame_unique_name, is_created_by_script, frame_token, | 
|  | devtools_frame_token, document_token, frame_policy, | 
|  | frame_owner_properties, was_discarded_, owner_type, | 
|  | /*is_dummy_frame_for_inner_tree=*/false); | 
|  |  | 
|  | // Record the DocumentCreated identifiability metric for initial empty | 
|  | // documents in child frames (other cases are taken care of by the | 
|  | // NavigationRequest). | 
|  | // | 
|  | // Note: We do not want to record the corresponding DocumentCreated UKM event | 
|  | // here, see https://crbug.com/1326431. | 
|  | new_frame_tree_node->current_frame_host()->RecordDocumentCreatedUkmEvent( | 
|  | GetLastCommittedOrigin(), document_ukm_source_id, ukm::UkmRecorder::Get(), | 
|  | /*only_record_identifiability_metric=*/true); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnPreloadingHeuristicsModelDone(const GURL& url, | 
|  | float score) { | 
|  | if (auto* preloading_decider = | 
|  | PreloadingDecider::GetOrCreateForCurrentDocument(this)) { | 
|  | preloading_decider->OnPreloadingHeuristicsModelDone(url, score); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateChildFrame( | 
|  | const blink::LocalFrameToken& frame_token, | 
|  | mojo::PendingAssociatedRemote<mojom::Frame> frame_remote, | 
|  | mojo::PendingReceiver<blink::mojom::BrowserInterfaceBroker> | 
|  | browser_interface_broker_receiver, | 
|  | blink::mojom::PolicyContainerBindParamsPtr policy_container_bind_params, | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::AssociatedInterfaceProvider> | 
|  | associated_interface_provider_receiver, | 
|  | blink::mojom::TreeScopeType scope, | 
|  | const std::string& frame_name, | 
|  | const std::string& frame_unique_name, | 
|  | bool is_created_by_script, | 
|  | const blink::FramePolicy& frame_policy, | 
|  | blink::mojom::FrameOwnerPropertiesPtr frame_owner_properties, | 
|  | blink::FrameOwnerElementType owner_type, | 
|  | ukm::SourceId document_ukm_source_id) { | 
|  | int new_routing_id = IPC::mojom::kRoutingIdNone; | 
|  | base::UnguessableToken devtools_frame_token; | 
|  | blink::DocumentToken document_token; | 
|  | if (!static_cast<RenderProcessHostImpl*>(GetProcess()) | 
|  | ->TakeStoredDataForFrameToken(frame_token, new_routing_id, | 
|  | devtools_frame_token, | 
|  | document_token)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_CREATE_CHILD_FRAME_TOKENS_NOT_FOUND); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Documents create iframes, iframes host new documents. Both are associated | 
|  | // with sandbox flags. They are required to be stricter or equal to their | 
|  | // owner when they are created, as we go down. | 
|  | if (frame_policy.sandbox_flags != | 
|  | (frame_policy.sandbox_flags | active_sandbox_flags())) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_CREATE_CHILD_FRAME_SANDBOX_FLAGS); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40155982). The interface exposed to tests should | 
|  | // match the mojo interface. | 
|  | OnCreateChildFrame(new_routing_id, std::move(frame_remote), | 
|  | std::move(browser_interface_broker_receiver), | 
|  | std::move(policy_container_bind_params), | 
|  | std::move(associated_interface_provider_receiver), scope, | 
|  | frame_name, frame_unique_name, is_created_by_script, | 
|  | frame_token, devtools_frame_token, document_token, | 
|  | frame_policy, *frame_owner_properties, owner_type, | 
|  | document_ukm_source_id); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidNavigate( | 
|  | const mojom::DidCommitProvisionalLoadParams& params, | 
|  | NavigationRequest* navigation_request, | 
|  | bool was_within_same_document) { | 
|  | // The `url` and `origin` of the current document are stored in the | 
|  | // RenderFrameHost, because: | 
|  | // - The FrameTreeNode represents the frame. | 
|  | // - The RenderFrameHost represents a document hosted inside the frame. | 
|  | // | 
|  | // The URL is set regardless of whether it's for a net error or not. | 
|  | SetLastCommittedUrl(params.url); | 
|  | // The origin is only updated for cross-document navigations. | 
|  | if (!was_within_same_document || | 
|  | !features::IsEnforceSameDocumentOriginInvariantsEnabled()) { | 
|  | SetLastCommittedOrigin(params.origin, | 
|  | params.has_potentially_trustworthy_unique_origin); | 
|  | } | 
|  |  | 
|  | // If the navigation was a cross-document navigation and it's not the | 
|  | // synchronous about:blank commit, then it committed a document that is not | 
|  | // the initial empty document. | 
|  | if (!navigation_request->IsSameDocument() && | 
|  | (!navigation_request->is_synchronous_renderer_commit() || | 
|  | !navigation_request->GetURL().IsAboutBlank())) { | 
|  | navigation_request->frame_tree_node()->set_not_on_initial_empty_document(); | 
|  | } | 
|  |  | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // The NIK might change after this, so decrement the count for the current | 
|  | // NIK. | 
|  | GetStoragePartition()->DecrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  |  | 
|  | isolation_info_ = ComputeIsolationInfoInternal( | 
|  | GetLastCommittedOrigin(), isolation_info_.request_type(), | 
|  | navigation_request->is_credentialless(), | 
|  | navigation_request->ComputeFencedFrameNonce()); | 
|  |  | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // The NIK might have changed after the above call, so increment the count | 
|  | // for the new NIK. | 
|  | GetStoragePartition()->IncrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  |  | 
|  | // Separately, update the frame's last successful URL except for net error | 
|  | // pages, since those do not end up in the correct process after transfers | 
|  | // (see https://crbug.com/560511).  Instead, the next cross-process navigation | 
|  | // or transfer should decide whether to swap as if the net error had not | 
|  | // occurred. | 
|  | // TODO(creis): Remove this block and always set the URL. | 
|  | // See https://crbug.com/588314. | 
|  | if (!navigation_request->DidEncounterError()) { | 
|  | last_successful_url_ = params.url; | 
|  | navigation_request->frame_tree_node()->set_last_successful_origin( | 
|  | GetLastCommittedOrigin()); | 
|  | } | 
|  |  | 
|  | renderer_url_info_.last_document_url = GetLastDocumentURL( | 
|  | navigation_request, params, is_error_document_, renderer_url_info_); | 
|  |  | 
|  | // Set the last committed HTTP method and POST ID. Note that we're setting | 
|  | // this here instead of in DidCommitNewDocument because same-document | 
|  | // navigations triggered by the History API (history.replaceState/pushState) | 
|  | // will reset the method to "GET" (while fragment navigations won't). | 
|  | // TODO(arthursonzogni): Stop relying on DidCommitProvisionalLoadParams. Use | 
|  | // the NavigationRequest instead. The browser process doesn't need to rely on | 
|  | // the renderer process. | 
|  | last_http_method_ = params.method; | 
|  | last_post_id_ = params.post_id; | 
|  |  | 
|  | // TODO(arthursonzogni): Stop relying on DidCommitProvisionalLoadParams. Use | 
|  | // the NavigationRequest instead. The browser process doesn't need to rely on | 
|  | // the renderer process. | 
|  | last_http_status_code_ = params.http_status_code; | 
|  |  | 
|  | // Sets whether the last navigation has user gesture/transient activation or | 
|  | // not. | 
|  | last_committed_common_params_has_user_gesture_ = | 
|  | navigation_request->common_params().has_user_gesture; | 
|  |  | 
|  | // Sets whether the last cross-document navigation was initiated from the | 
|  | // browser (e.g. typing on the location bar) or from the renderer while having | 
|  | // transient user activation | 
|  | if (!was_within_same_document) { | 
|  | last_cross_document_navigation_started_by_user_ = | 
|  | !navigation_request->IsRendererInitiated() || | 
|  | (navigation_request->begin_params() | 
|  | .initiator_activation_and_ad_status != | 
|  | blink::mojom::NavigationInitiatorActivationAndAdStatus:: | 
|  | kDidNotStartWithTransientActivation); | 
|  | } | 
|  |  | 
|  | // Navigations that activate an existing bfcached or prerendered document do | 
|  | // not create a new document. | 
|  | bool did_create_new_document = | 
|  | !navigation_request->IsPageActivation() && !was_within_same_document; | 
|  | if (did_create_new_document) | 
|  | DidCommitNewDocument(params, navigation_request); | 
|  |  | 
|  | // When the frame hosts a different document, its state must be replicated | 
|  | // via its proxies to the other processes where it appears as remote. | 
|  | // | 
|  | // This includes new documents. It also includes documents restored from the | 
|  | // BackForwardCache. This is because the cached state in | 
|  | // BrowsingContextState::replication_state_ needs to be refreshed with the | 
|  | // actual values. | 
|  | if (!navigation_request->IsSameDocument()) { | 
|  | // Permissions policy's inheritance from parent frame's permissions policy | 
|  | // is through accessing parent frame's security context(either remote or | 
|  | // local) when initializing child's security context, so the update to | 
|  | // proxies is needed. | 
|  | browsing_context_state_->UpdateFramePolicyHeaders( | 
|  | active_sandbox_flags(), permissions_policy_header_); | 
|  | // Document policy's inheritance from parent frame's required document | 
|  | // policy is done at |HTMLFrameOwnerElement::UpdateRequiredPolicy|. Parent | 
|  | // frame owns both parent's required document policy and child frame's frame | 
|  | // owner element which contains child's required document policy, so there | 
|  | // is no need to store required document policy in proxies. | 
|  | } | 
|  |  | 
|  | // Set `honor_sticky_activation_for_history_intervention_` to false if | 
|  | // it's a browser-initiated same-document back/forward navigation. | 
|  | // Note that `honor_sticky_activation_for_history_intervention_` is only | 
|  | // tracked on the main frame so that same-document navigations on a child | 
|  | // frame cannot be used as a work-around to the intervention. | 
|  |  | 
|  | // navigation_request->GetPageTransition only returns the bit set for | 
|  | // PAGE_TRANSITION_FORWARD_BACK for back/forward transitions on the main | 
|  | // frame so retrieve it from the pending entry instead of the | 
|  | // navigation_request. Also navigation_request->IsSameDocument | 
|  | // won't be true for the subframe's cross-document back/forward navigation | 
|  | // case so instead check GetMainFrameDocumentSequenceNumber(). | 
|  | // TODO(creis): Add NavigationRequest::IsSessionHistory() and | 
|  | // NavigationRequest::IsSamePage() to avoid needing to check either the | 
|  | // pending NavigationEntry or the PageTransition. | 
|  | NavigationControllerImpl& controller = frame_tree()->controller(); | 
|  | NavigationEntryImpl* pending_entry = controller.GetPendingEntry(); | 
|  | // pending_entry should be non-nullptr for a back/forward navigation. | 
|  | if (pending_entry) { | 
|  | ui::PageTransition transition = pending_entry->GetTransitionType(); | 
|  | if (transition & ui::PAGE_TRANSITION_FORWARD_BACK && | 
|  | navigation_request->browser_initiated() && | 
|  | pending_entry->GetMainFrameDocumentSequenceNumber() == | 
|  | controller.GetLastCommittedEntry() | 
|  | ->GetMainFrameDocumentSequenceNumber()) { | 
|  | GetMainFrame()->honor_sticky_activation_for_history_intervention_ = false; | 
|  | } | 
|  |  | 
|  | // After a navigation there is no need to map the renderer's AXNodeIds to | 
|  | // unique ids within the WebContents. | 
|  | ax_unique_ids_.clear(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetLastCommittedOrigin( | 
|  | const url::Origin& origin, | 
|  | bool is_potentially_trustworthy_unique_origin) { | 
|  | last_committed_origin_ = origin; | 
|  | // TODO(https://crbug.com/40159049): Instead of passing | 
|  | // `is_potentially_trustworthy_unique_origin`, maybe we can just check if the | 
|  | // origin is opaque and use ``network::IsOriginPotentiallyTrustworthy()` on | 
|  | // its precursor origin. | 
|  | browsing_context_state()->SetCurrentOrigin( | 
|  | origin, is_potentially_trustworthy_unique_origin); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetInheritedBaseUrl(const GURL& inherited_base_url) { | 
|  | inherited_base_url_ = inherited_base_url; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetLastCommittedOriginForTesting( | 
|  | const url::Origin& origin) { | 
|  | // Default setting `is_potentially_trustworthy_unique_origin` to just whether | 
|  | // the origin is opaque or not, since we don't really have a way to get the | 
|  | // correct value from a random origin. Since this function is used mostly for | 
|  | // unit tests that won't actually use this value (which is only used in the | 
|  | // renderer), it should be good enough. | 
|  | SetLastCommittedOrigin( | 
|  | origin, /*is_potentially_trustworthy_unique_origin=*/origin.opaque()); | 
|  | } | 
|  |  | 
|  | const url::Origin& RenderFrameHostImpl::ComputeTopFrameOrigin( | 
|  | const url::Origin& frame_origin) const { | 
|  | // If this frame is in a partitioned popin, we consider the opener's top-frame | 
|  | // to be this frame's top-frame as long as we aren't in a fenced-frame. | 
|  | // See: https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | if (ShouldPartitionAsPopin()) { | 
|  | return delegate_->GetPartitionedPopinOpenerProperties().top_frame_origin; | 
|  | } | 
|  |  | 
|  | if (is_main_frame()) { | 
|  | return frame_origin; | 
|  | } | 
|  |  | 
|  | DCHECK(parent_); | 
|  | // It's important to go through parent_ rather than via | 
|  | // frame_free_->root() here in case we're in process of being deleted, as the | 
|  | // latter might point to what our ancestor is being replaced with rather than | 
|  | // the actual ancestor. | 
|  | RenderFrameHostImpl* host = parent_; | 
|  | while (host->parent_) { | 
|  | host = host->parent_; | 
|  | } | 
|  | return host->GetLastCommittedOrigin(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetStorageKey(const blink::StorageKey& storage_key) { | 
|  | storage_key_ = storage_key; | 
|  | } | 
|  |  | 
|  | net::IsolationInfo RenderFrameHostImpl::ComputeIsolationInfoForNavigation( | 
|  | const GURL& destination) { | 
|  | return ComputeIsolationInfoForNavigation( | 
|  | destination, IsCredentialless(), | 
|  | /*fenced_frame_nonce_for_navigation=*/std::nullopt); | 
|  | } | 
|  |  | 
|  | net::IsolationInfo RenderFrameHostImpl::ComputeIsolationInfoForNavigation( | 
|  | const GURL& destination, | 
|  | bool is_credentialless, | 
|  | std::optional<base::UnguessableToken> fenced_frame_nonce_for_navigation) { | 
|  | // This is a main frame request if it's from the main frame and we're not in a | 
|  | // partitioned popin (or if we are in a partitioned popin we are also within a | 
|  | // fenced frame). Otherwise this is a sub frame request. | 
|  | // See: https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | net::IsolationInfo::RequestType request_type = | 
|  | (is_main_frame() && !ShouldPartitionAsPopin()) | 
|  | ? net::IsolationInfo::RequestType::kMainFrame | 
|  | : net::IsolationInfo::RequestType::kSubFrame; | 
|  | return ComputeIsolationInfoInternal(url::Origin::Create(destination), | 
|  | request_type, is_credentialless, | 
|  | fenced_frame_nonce_for_navigation); | 
|  | } | 
|  |  | 
|  | net::IsolationInfo | 
|  | RenderFrameHostImpl::ComputeIsolationInfoForSubresourcesForPendingCommit( | 
|  | const url::Origin& main_world_origin, | 
|  | bool is_credentialless, | 
|  | std::optional<base::UnguessableToken> fenced_frame_nonce_for_navigation) { | 
|  | return ComputeIsolationInfoInternal( | 
|  | main_world_origin, net::IsolationInfo::RequestType::kOther, | 
|  | is_credentialless, fenced_frame_nonce_for_navigation); | 
|  | } | 
|  |  | 
|  | net::SiteForCookies RenderFrameHostImpl::ComputeSiteForCookies() { | 
|  | return isolation_info_.site_for_cookies(); | 
|  | } | 
|  |  | 
|  | net::IsolationInfo RenderFrameHostImpl::ComputeIsolationInfoInternal( | 
|  | const url::Origin& frame_origin, | 
|  | net::IsolationInfo::RequestType request_type, | 
|  | bool is_credentialless, | 
|  | std::optional<base::UnguessableToken> fenced_frame_nonce_for_navigation) { | 
|  | url::Origin top_frame_origin = ComputeTopFrameOrigin(frame_origin); | 
|  | net::SchemefulSite top_frame_site = net::SchemefulSite(top_frame_origin); | 
|  |  | 
|  | net::SiteForCookies candidate_site_for_cookies(top_frame_site); | 
|  |  | 
|  | // If this frame is in a partitioned popin and we aren't in a fenced-frame, we | 
|  | // must set site_for_cookies relative to the popin opener in order for the | 
|  | // renderer to properly conduct checks. | 
|  | // See https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | if (ShouldPartitionAsPopin()) { | 
|  | candidate_site_for_cookies = | 
|  | delegate_->GetPartitionedPopinOpenerProperties().site_for_cookies; | 
|  | } | 
|  |  | 
|  | std::optional<net::IsolationInfo::FrameAncestorRelation> | 
|  | candidate_frame_ancestor_relation = | 
|  | net::IsolationInfo::FrameAncestorRelation::kSameOrigin; | 
|  |  | 
|  | // Walk up the frame tree to check SiteForCookies and FrameAncestorRelation. | 
|  | // | 
|  | // If |request_type| is kOther, then IsolationInfo is being computed | 
|  | // for subresource requests. Check/compute starting from the frame itself. | 
|  | // Otherwise, it's OK to skip checking the frame itself since it's stored in | 
|  | // IsolationInfo for each request and will be validated later anyway. | 
|  | // | 
|  | // If origins are not consistent with the candidate SiteForCookies | 
|  | // of the main document, SameSite cookies may not be used. | 
|  | const RenderFrameHostImpl* initial_rfh = this; | 
|  | if (request_type != net::IsolationInfo::RequestType::kOther) | 
|  | initial_rfh = this->parent_; | 
|  |  | 
|  | for (const RenderFrameHostImpl* rfh = initial_rfh; rfh; rfh = rfh->parent_) { | 
|  | const url::Origin& cur_origin = | 
|  | rfh == this ? frame_origin : rfh->last_committed_origin_; | 
|  | net::SchemefulSite cur_site = net::SchemefulSite(cur_origin); | 
|  |  | 
|  | candidate_frame_ancestor_relation = | 
|  | net::IsolationInfo::ComputeNewFrameAncestorRelation( | 
|  | candidate_frame_ancestor_relation, cur_origin, top_frame_origin); | 
|  |  | 
|  | candidate_site_for_cookies.CompareWithFrameTreeSiteAndRevise(cur_site); | 
|  | } | 
|  |  | 
|  | // Reset the SiteForCookies if the top frame origin is of a scheme that should | 
|  | // always be treated as the SiteForCookies. | 
|  | if (GetContentClient() | 
|  | ->browser() | 
|  | ->ShouldTreatURLSchemeAsFirstPartyWhenTopLevel( | 
|  | top_frame_origin.scheme(), | 
|  | GURL::SchemeIsCryptographic(frame_origin.scheme()))) { | 
|  | candidate_site_for_cookies = net::SiteForCookies(top_frame_site); | 
|  | } | 
|  |  | 
|  | std::optional<base::UnguessableToken> nonce = | 
|  | ComputeNonce(is_credentialless, fenced_frame_nonce_for_navigation); | 
|  | return net::IsolationInfo::Create( | 
|  | request_type, top_frame_origin, frame_origin, candidate_site_for_cookies, | 
|  | nonce, net::NetworkIsolationPartition::kGeneral, | 
|  | candidate_frame_ancestor_relation); | 
|  | } | 
|  |  | 
|  | std::optional<base::UnguessableToken> RenderFrameHostImpl::ComputeNonce( | 
|  | bool is_credentialless, | 
|  | std::optional<base::UnguessableToken> fenced_frame_nonce_for_navigation) { | 
|  | // If it's a credentialless frame tree, use its nonce even if it's within a | 
|  | // fenced frame tree to maintain the guarantee that a credentialless frame | 
|  | // tree has a unique nonce. | 
|  | if (is_credentialless) { | 
|  | return GetPage().credentialless_iframes_nonce(); | 
|  | } | 
|  |  | 
|  | // Otherwise, use the fenced frame nonce for this navigation. | 
|  | // If this call is for a pending navigation, the fenced frame nonce should | 
|  | // have been computed with `NavigationRequest::ComputeFencedFrameNonce()` and | 
|  | // passed in `fenced_frame_nonce_for_navigation`. If there is no navigation | 
|  | // associated with this call, then we get the nonce from this RFHI's | 
|  | // FrameTreeNode with FrameTreeNode::GetFencedFrameNonce(). | 
|  | if (fenced_frame_nonce_for_navigation.has_value()) { | 
|  | return fenced_frame_nonce_for_navigation; | 
|  | } | 
|  | return frame_tree_node_->GetFencedFrameNonce(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsThirdPartyStoragePartitioningEnabled( | 
|  | const url::Origin& new_rfh_origin) { | 
|  | const std::vector<RenderFrameHostImpl*> ancestor_chain = | 
|  | GetAncestorChainForStorageKeyCalculation(new_rfh_origin); | 
|  | RenderFrameHostImpl* main_frame_for_storage_partitioning = | 
|  | ancestor_chain.back(); | 
|  | // If we're in the main frame the state of third-party storage partitioning | 
|  | // doesn't matter as the StorageKey will be first-party unless we are in a | 
|  | // partitioned popin as they are partitioned as an iframe would be. | 
|  | // See: https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | if (main_frame_for_storage_partitioning == this && | 
|  | !ShouldPartitionAsPopin()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | RuntimeFeatureStateDocumentData* rfs_document_data_for_storage_key = | 
|  | RuntimeFeatureStateDocumentData::GetForCurrentDocument( | 
|  | main_frame_for_storage_partitioning); | 
|  |  | 
|  | // `rfs_document_data_for_storage_key` should be available unless we are in | 
|  | // a popin examining the main frame's data. | 
|  | CHECK(rfs_document_data_for_storage_key || | 
|  | (ShouldPartitionAsPopin() && | 
|  | main_frame_for_storage_partitioning == this)); | 
|  |  | 
|  | bool unpartitioned_key_allowed = | 
|  | GetContentClient() | 
|  | ->browser() | 
|  | ->IsUnpartitionedStorageAccessAllowedByUserPreference( | 
|  | GetSiteInstance()->GetBrowserContext(), new_rfh_origin.GetURL(), | 
|  | ComputeSiteForCookies(), ComputeTopFrameOrigin(new_rfh_origin)); | 
|  |  | 
|  | // Ignore user bypass if only partitioned access is allowed. We'll | 
|  | // still respect enterprise policies which take precedence over the user's 3P | 
|  | // cookie blocking preference. | 
|  | if (rfs_document_data_for_storage_key && unpartitioned_key_allowed && | 
|  | rfs_document_data_for_storage_key->runtime_feature_state_read_context() | 
|  | .IsThirdPartyStoragePartitioningUserBypassEnabled()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // If the enterprise policy blocks, we have directive to override the | 
|  | // current value of net::features::ThirdPartyStoragePartitioning. | 
|  | // We can safely read the last committed-origin (even during navigation) | 
|  | // as we know we are not in the main-frame since that case is filtered above. | 
|  | if (!GetContentClient()->browser()->IsThirdPartyStoragePartitioningAllowed( | 
|  | GetBrowserContext(), | 
|  | main_frame_for_storage_partitioning->GetLastCommittedOrigin())) { | 
|  | return false; | 
|  | } | 
|  | return blink::StorageKey::IsThirdPartyStoragePartitioningEnabled(); | 
|  | } | 
|  |  | 
|  | std::vector<RenderFrameHostImpl*> | 
|  | RenderFrameHostImpl::GetAncestorChainForStorageKeyCalculation( | 
|  | const url::Origin& new_rfh_origin) { | 
|  | std::vector<RenderFrameHostImpl*> ancestor_chain; | 
|  | RenderFrameHostImpl* current = this; | 
|  | while (current) { | 
|  | ancestor_chain.push_back(current); | 
|  | current = current->parent_; | 
|  | } | 
|  |  | 
|  | // Make sure to always use the `new_rfh_origin` when referring to the current | 
|  | // RenderFrameHost. The origin might differ when the RenderFrameHost is reused | 
|  | // when SiteIsolation is off. | 
|  | auto origin = [&](RenderFrameHostImpl* rfh) { | 
|  | return rfh == this ? new_rfh_origin : rfh->GetLastCommittedOrigin(); | 
|  | }; | 
|  |  | 
|  | // When the top level RenderFrameHost is a Chrome extension, with host | 
|  | // permissions to its child in the ancestor chain, then behave "as-if" the | 
|  | // child was the top-level one computing the StorageKey. | 
|  | // | 
|  | // https://github.com/wanderview/quota-storage-partitioning/blob/main/explainer.md#interaction-with-extension-pages | 
|  | // | 
|  | // Sites with host permissions are saved in | 
|  | // `browser_context->GetSharedCorsOriginAccessList()` because they are also | 
|  | // used to bypass CORS restrictions. We can reuse this permissions list here | 
|  | // because sites that are explicitly granted access permissions should also be | 
|  | // able to access partitioned storage based not partitioned by the top level | 
|  | // extension URL. A origin will only have access to another origin via | 
|  | // OriginAccessList if the origin is an extension. | 
|  | bool ignore_top_level_extension = | 
|  | !is_main_frame() && | 
|  | GetBrowserContext() | 
|  | ->GetSharedCorsOriginAccessList() | 
|  | ->GetOriginAccessList() | 
|  | .CheckAccessState(origin(ancestor_chain.end()[-1]), | 
|  | origin(ancestor_chain.end()[-2]).GetURL()) == | 
|  | network::cors::OriginAccessList::AccessState::kAllowed; | 
|  | if (ignore_top_level_extension) { | 
|  | ancestor_chain.pop_back(); | 
|  | } | 
|  | return ancestor_chain; | 
|  | } | 
|  |  | 
|  | blink::StorageKey RenderFrameHostImpl::CalculateStorageKey( | 
|  | const url::Origin& new_rfh_origin, | 
|  | const base::UnguessableToken* nonce) { | 
|  | if (nonce) { | 
|  | // If the nonce isn't null, we can use the simpler form of the constructor. | 
|  | return blink::StorageKey::CreateWithNonce(new_rfh_origin, *nonce); | 
|  | } | 
|  |  | 
|  | if (GetContentClient()->browser()->ShouldUseFirstPartyStorageKey( | 
|  | new_rfh_origin)) { | 
|  | // Extension subframes should not take their top-level site into account | 
|  | // when determining storage access. Thus, we construct all extension frame | 
|  | // StorageKeys as first-party using the extension origin. | 
|  | return blink::StorageKey::CreateFirstParty(new_rfh_origin); | 
|  | } | 
|  |  | 
|  | const std::vector<RenderFrameHostImpl*> ancestor_chain = | 
|  | GetAncestorChainForStorageKeyCalculation(new_rfh_origin); | 
|  |  | 
|  | // Make sure to always use the `new_rfh_origin` when referring to the current | 
|  | // RenderFrameHost. The origin might differ when the RenderFrameHost is reused | 
|  | // when SiteIsolation is off. | 
|  | auto origin = [&](RenderFrameHostImpl* rfh) { | 
|  | return rfh == this ? new_rfh_origin : rfh->GetLastCommittedOrigin(); | 
|  | }; | 
|  | net::SchemefulSite top_level_site(origin(ancestor_chain.back())); | 
|  |  | 
|  | // If this frame is in a partitioned popin, we must use the top-site | 
|  | // of the popin opener as our point of comparison. | 
|  | // See: https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | if (ShouldPartitionAsPopin()) { | 
|  | top_level_site = net::SchemefulSite( | 
|  | delegate()->GetPartitionedPopinOpenerProperties().top_frame_origin); | 
|  | } | 
|  |  | 
|  | // Compute the AncestorChainBit. It represents whether every ancestors are | 
|  | // all same-site or not. If `origin` or `top_level_site` is opaque the bit | 
|  | // must be kCrossSite as this is the default (which won't be serialized). | 
|  | blink::mojom::AncestorChainBit ancestor_chain_bit = | 
|  | blink::mojom::AncestorChainBit::kSameSite; | 
|  | if (!new_rfh_origin.opaque() && !top_level_site.opaque()) { | 
|  | for (auto* ancestor : ancestor_chain) { | 
|  | if (!top_level_site.IsSameSiteWith(origin(ancestor))) { | 
|  | ancestor_chain_bit = blink::mojom::AncestorChainBit::kCrossSite; | 
|  | break; | 
|  | } | 
|  | } | 
|  | } else { | 
|  | ancestor_chain_bit = blink::mojom::AncestorChainBit::kCrossSite; | 
|  | } | 
|  |  | 
|  | // If this frame is in a partitioned popin, we may need to fixup the ancestor | 
|  | // chain bit based on whether the popin was opened from a cross-site context. | 
|  | // See: https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | if (ShouldPartitionAsPopin()) { | 
|  | if (delegate()->GetPartitionedPopinOpenerProperties().ancestor_chain_bit == | 
|  | blink::mojom::AncestorChainBit::kCrossSite) { | 
|  | ancestor_chain_bit = blink::mojom::AncestorChainBit::kCrossSite; | 
|  | } | 
|  | } | 
|  |  | 
|  | // We want the RuntimeFeatureStateReadContext from the effective main frame | 
|  | // (keeping in mind `ignore_top_level_extension`). | 
|  | bool is_third_party_storage_partitioning_allowed = | 
|  | IsThirdPartyStoragePartitioningEnabled(new_rfh_origin); | 
|  |  | 
|  | return blink::StorageKey::Create(new_rfh_origin, top_level_site, | 
|  | ancestor_chain_bit, | 
|  | is_third_party_storage_partitioning_allowed); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetOriginDependentStateOfNewFrame( | 
|  | RenderFrameHostImpl* creator_frame) { | 
|  | // This method should only be called for *new* frames, that haven't committed | 
|  | // a navigation yet. | 
|  | DCHECK(!has_committed_any_navigation_); | 
|  | DCHECK(GetLastCommittedOrigin().opaque()); | 
|  |  | 
|  | url::Origin creator_origin = | 
|  | creator_frame ? creator_frame->GetLastCommittedOrigin() : url::Origin(); | 
|  |  | 
|  | // Calculate and set |new_frame_origin|. | 
|  | bool new_frame_should_be_sandboxed = | 
|  | network::mojom::WebSandboxFlags::kOrigin == | 
|  | (browsing_context_state_->active_sandbox_flags() & | 
|  | network::mojom::WebSandboxFlags::kOrigin); | 
|  | url::Origin new_frame_origin = new_frame_should_be_sandboxed | 
|  | ? creator_origin.DeriveNewOpaqueOrigin() | 
|  | : creator_origin; | 
|  | isolation_info_ = ComputeIsolationInfoInternal( | 
|  | new_frame_origin, net::IsolationInfo::RequestType::kOther, | 
|  | IsCredentialless(), | 
|  | /*fenced_frame_nonce_for_navigation=*/std::nullopt); | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // Increment the document count if the newly created RenderFrameHost is | 
|  | // active. Note that it's necessary to check if we're active, since | 
|  | // prerendering RFHs can also call this function. | 
|  | GetStoragePartition()->IncrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  | // The `is_potentially_trustworthy_unique_origin` bit should be inherited from | 
|  | // the creator frame if it exists. Note that we do this even when the new | 
|  | // frame is sandboxed, following `DocumentLoader::CaclculateOrigin()`. | 
|  | // TODO(https://crbug.com/40159049): Once we can always trust | 
|  | // `network::IsOriginPotentiallyTrustworthy()` instead of passing around | 
|  | // `has_potentially_trustworthy_unique_origin`, remove this. | 
|  | bool is_potentially_trustworthy_unique_origin = | 
|  | creator_frame ? creator_frame->browsing_context_state() | 
|  | ->current_replication_state() | 
|  | .has_potentially_trustworthy_unique_origin | 
|  | : false; | 
|  | SetLastCommittedOrigin(new_frame_origin, | 
|  | is_potentially_trustworthy_unique_origin); | 
|  | if (!creator_frame || !creator_frame->is_error_document_) { | 
|  | frame_tree_node()->set_last_successful_origin(new_frame_origin); | 
|  | } | 
|  |  | 
|  | if (creator_frame) { | 
|  | // If we're given a parent/opener frame, copy the | 
|  | // RuntimeFeatureStateReadContext. | 
|  | RuntimeFeatureStateDocumentData* rfs_document_data_from_creator = | 
|  | RuntimeFeatureStateDocumentData::GetForCurrentDocument(creator_frame); | 
|  | CHECK(rfs_document_data_from_creator); | 
|  | RuntimeFeatureStateDocumentData::CreateForCurrentDocument( | 
|  | this, | 
|  | rfs_document_data_from_creator->runtime_feature_state_read_context()); | 
|  | } else { | 
|  | // Otherwise create a RuntimeFeatureStateContext. We need to construct a | 
|  | // RuntimeFeatureStateContext because its constructor initializes default | 
|  | // values while the RuntimeFeatureStateReadContext's doesn't. | 
|  | RuntimeFeatureStateDocumentData::CreateForCurrentDocument( | 
|  | this, blink::RuntimeFeatureStateContext()); | 
|  | } | 
|  |  | 
|  | // For the StorageKey, we want the main frame's | 
|  | // RuntimeFeatureStateReadContext. | 
|  | SetStorageKey(CalculateStorageKey( | 
|  | new_frame_origin, base::OptionalToPtr(isolation_info_.nonce()))); | 
|  |  | 
|  | // Apply private network request policy according to our new origin. | 
|  | switch ( | 
|  | GetContentClient()->browser()->ShouldOverridePrivateNetworkRequestPolicy( | 
|  | GetBrowserContext(), new_frame_origin)) { | 
|  | case ContentBrowserClient::PrivateNetworkRequestPolicyOverride::kForceAllow: | 
|  | private_network_request_policy_ = | 
|  | network::mojom::PrivateNetworkRequestPolicy::kAllow; | 
|  | break; | 
|  | case ContentBrowserClient::PrivateNetworkRequestPolicyOverride:: | 
|  | kBlockInsteadOfWarn: | 
|  | private_network_request_policy_ = | 
|  | OverrideBlockWithWarn(DerivePrivateNetworkRequestPolicy( | 
|  | policy_container_host_->policies(), | 
|  | PrivateNetworkRequestContext::kSubresource)); | 
|  | break; | 
|  | case ContentBrowserClient::PrivateNetworkRequestPolicyOverride::kDefault: | 
|  | break; | 
|  | } | 
|  |  | 
|  | // Construct the frame's permissions policy only once we know its initial | 
|  | // committed origin. It's necessary to wait for the origin because the | 
|  | // permissions policy's state depends on the origin, so the PermissionsPolicy | 
|  | // object could be configured incorrectly if it were initialized before | 
|  | // knowing the value of |last_committed_origin_|. More at crbug.com/1112959. | 
|  | ResetPermissionsPolicy({}); | 
|  |  | 
|  | // New empty frames created on error page documents are also considered error | 
|  | // documents. Otherwise, site isolation enforcements would get confused by a | 
|  | // non-error document attempting to do things in an error process. Error pages | 
|  | // do not normally have subframes (or do window.open, which would also go | 
|  | // through here), but it's possible to inject new frames into error pages via | 
|  | // DevTools, for example. | 
|  | if (creator_frame) { | 
|  | is_error_document_ = creator_frame->is_error_document_; | 
|  | } | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::AddChild( | 
|  | std::unique_ptr<FrameTreeNode> child, | 
|  | int frame_routing_id, | 
|  | mojo::PendingAssociatedRemote<mojom::Frame> frame_remote, | 
|  | const blink::LocalFrameToken& frame_token, | 
|  | const blink::DocumentToken& document_token, | 
|  | base::UnguessableToken devtools_frame_token, | 
|  | const blink::FramePolicy& frame_policy, | 
|  | std::string frame_name, | 
|  | std::string frame_unique_name) { | 
|  | DCHECK(lifecycle_state_ == LifecycleStateImpl::kActive || | 
|  | lifecycle_state_ == LifecycleStateImpl::kPrerendering); | 
|  |  | 
|  | // Initialize the RenderFrameHost for the new node.  We always create child | 
|  | // frames in the same SiteInstance as the current frame, and they can swap to | 
|  | // a different one if they navigate away. | 
|  | child->render_manager()->InitChild( | 
|  | GetSiteInstance(), frame_routing_id, std::move(frame_remote), frame_token, | 
|  | document_token, devtools_frame_token, frame_policy, frame_name, | 
|  | frame_unique_name); | 
|  |  | 
|  | // Other renderer processes in this BrowsingInstance may need to find out | 
|  | // about the new frame.  Create a proxy for the child frame in all | 
|  | // SiteInstances that have a proxy for the frame's parent, since all frames | 
|  | // in a frame tree should have the same set of proxies. | 
|  | CHECK(owner_);  // See `owner_` invariants about `lifecycle_state_`. | 
|  | owner_->GetRenderFrameHostManager().CreateProxiesForChildFrame(child.get()); | 
|  |  | 
|  | // When the child is added, it hasn't committed any navigation yet - its | 
|  | // initial empty document should inherit the origin (the origin may change | 
|  | // after the first commit) and other state (such as the | 
|  | // RuntimeFeatureStateReadContext) from its parent. See also | 
|  | // https://crbug.com/932067. | 
|  | child->current_frame_host()->SetOriginDependentStateOfNewFrame(this); | 
|  |  | 
|  | children_.push_back(std::move(child)); | 
|  | return children_.back().get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RemoveChild(FrameTreeNode* child) { | 
|  | for (auto iter = children_.begin(); iter != children_.end(); ++iter) { | 
|  | if (iter->get() == child) { | 
|  | // Subtle: we need to make sure the node is gone from the tree before | 
|  | // observers are notified of its deletion. | 
|  | std::unique_ptr<FrameTreeNode> node_to_delete(std::move(*iter)); | 
|  | children_.erase(iter); | 
|  | // TODO(dcheng): Removing a subtree is still very piecemeal and somewhat | 
|  | // buggy. The entire subtree should be removed as a group, but it can | 
|  | // actually happen incrementally. For example, given the frame tree: | 
|  | // | 
|  | //   A1(A2(B3(A4(B5)))) | 
|  | // | 
|  | // | 
|  | // Suppose A1 executes: | 
|  | // | 
|  | //   window.frames[0].frameElement.remove(); | 
|  | // | 
|  | // What ends up happening is this: | 
|  | // | 
|  | // 1. Renderer A detaches the subtree beginning at A2. | 
|  | // 2. Renderer A starts detaching A2. | 
|  | // 3. Renderer A starts detaching B3. | 
|  | // 4. Renderer A starts detaching A4. | 
|  | // 5. Renderer A starts detaching B5 | 
|  | // 6. Renderer A reports B5 is complete detaching with the Mojo IPC | 
|  | //    `RenderFrameProxyHost::Detach()`, which calls | 
|  | //    `RenderFrameHostImpl::DetachFromProxy()`. `DetachFromProxy()` | 
|  | //    deletes RenderFrame B5 in renderer B, which means that the unload | 
|  | //    handler for B5 runs immediately--before the unload handler for B3. | 
|  | //    However, per the spec, the right order to run unload handlers is | 
|  | //    top-down (e.g. B3's unload handler should run before B5's in this | 
|  | //    scenario). | 
|  | node_to_delete->current_frame_host()->DeleteRenderFrame( | 
|  | mojom::FrameDeleteIntention::kNotMainFrame); | 
|  | RenderFrameHostImpl* speculative_frame_host = | 
|  | node_to_delete->render_manager()->speculative_frame_host(); | 
|  | if (speculative_frame_host) { | 
|  | if (speculative_frame_host->lifecycle_state() == | 
|  | LifecycleStateImpl::kPendingCommit) { | 
|  | // A speculative RenderFrameHost that has reached `kPendingCommit` has | 
|  | // already sent a `CommitNavigation()` to the renderer. Any subsequent | 
|  | // IPCs will only be processed after the renderer has already swapped | 
|  | // in the provisional RenderFrame and swapped out the provisional | 
|  | // frame's reference frame (which is either a RenderFrame or a | 
|  | // `blink::RemoteFrame`). | 
|  | // | 
|  | // Since the swapped out `RenderFrame`/`blink::RemoteFrame` is already | 
|  | // gone, a `DeleteRenderFrame()` (routed to the RenderFrame) or a | 
|  | // `DetachAndDispose()` (routed to the `blink::RemoteFrame`) won't do | 
|  | // anything. The browser must also instruct the already-committed but | 
|  | // not-yet-acknowledged speculative RFH to detach itself as well. | 
|  | speculative_frame_host->DeleteRenderFrame( | 
|  | mojom::FrameDeleteIntention::kNotMainFrame); | 
|  | } else { | 
|  | // Otherwise, the provisional RenderFrame has not yet been instructed | 
|  | // to swap in but is already associated with the RenderFrame or | 
|  | // `blink::RemoteFrame` it is expected to replace. The associated | 
|  | // `RenderFrame`/`blink::RemoteFrame` (which is still in the frame | 
|  | // tree) will be responsible for tearing down any associated | 
|  | // provisional RenderFrame, so the browser does not need to take any | 
|  | // explicit cleanup actions. | 
|  | } | 
|  | } | 
|  | // No explicit cleanup is needed here for `RenderFrameProxyHost`s. | 
|  | // Destroying `FrameTreeNode` destroys the map of `RenderFrameProxyHost`s, | 
|  | // and `~RenderFrameProxyHost()` sends a Mojo `DetachAndDispose()` IPC for | 
|  | // child frame proxies. | 
|  | node_to_delete.reset(); | 
|  | PendingDeletionCheckCompleted();  // Can delete |this|. | 
|  | // |this| is potentially deleted. Do not add code after this. | 
|  | return; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResetChildren() { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::ResetChildren", | 
|  | ChromeTrackEvent::kRenderFrameHost, this); | 
|  | base::ScopedUmaHistogramTimer histogram_timer("Navigation.ResetChildren"); | 
|  |  | 
|  | // If the outermost main frame is tearing down its FrameTree state, then we | 
|  | // need to monitor how many of its child fenced frames were in the viewport | 
|  | // right before they all unload. This may have already occurred prior to a | 
|  | // navigation commit, in which case this block is a no-op. However, for | 
|  | // non-navigation cases that close the primary page, like frames detaching, | 
|  | // tabs closing, or renderer processes disappearing, we still need to monitor | 
|  | // the correct metrics. | 
|  | if (IsOutermostMainFrame()) { | 
|  | auto* monitor = | 
|  | PageUserData<FencedFrameViewportMonitor>::GetOrCreateForPage(GetPage()); | 
|  | if (monitor) { | 
|  | monitor->ComputeSameSiteFencedFrameMaximumBeforePrimaryPageChange(); | 
|  | } | 
|  | } | 
|  |  | 
|  | // Remove child nodes from the tree, then delete them. This destruction | 
|  | // operation will notify observers. See https://crbug.com/612450 for | 
|  | // explanation why we don't just call the std::vector::clear method. | 
|  | std::vector<std::unique_ptr<FrameTreeNode>> children; | 
|  | children.swap(children_); | 
|  | // TODO(dcheng): Ideally, this would be done by messaging all the proxies of | 
|  | // this RenderFrameHostImpl to detach the current frame's children, rather | 
|  | // than messaging each child's current frame host... | 
|  | for (auto& child : children) | 
|  | child->current_frame_host()->DeleteRenderFrame( | 
|  | mojom::FrameDeleteIntention::kNotMainFrame); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetLastCommittedUrl(const GURL& url) { | 
|  | last_committed_url_ = url; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Detach() { | 
|  | // Detach() can be called in both speculative and pending-commit states. | 
|  | // - a speculative RenderFrameHost as a result of its associated Frame being | 
|  | //   detached (i.e., the Frame in the renderer with a provisional_frame_ field | 
|  | //   that points to `this`'s LocalFrame). We don't expect it to self-detach | 
|  | //   otherwise. | 
|  | // - a pending commit RenderFrameHost might detach itself due to unload events | 
|  | //   running that remove it from the tree when swapping it in. | 
|  | // | 
|  | // In both cases speculative and pending-commit RenderFrameHosts, it's OK to | 
|  | // early-return. The logical FrameTreeNode is going to be torn down as well, | 
|  | // and the speculative / pending commit RenderFrameHost (which is still | 
|  | // strongly owned by the RenderFrameHostManager via unique_ptr) will be torn | 
|  | // down then. If we do proceed, this ends up with a use-after-free, since | 
|  | // StartPendingDeletionOnSubtree() will call | 
|  | // ResetAllNavigationsInSubtreeForFrameDetach(), which deletes `this`. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kSpeculative || | 
|  | lifecycle_state() == LifecycleStateImpl::kPendingCommit) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!parent_) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFH_DETACH_MAIN_FRAME); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // A frame is removed while replacing this document with the new one. When it | 
|  | // happens, delete the frame and both the new and old documents. Unload | 
|  | // handlers aren't guaranteed to run here. | 
|  | if (is_waiting_for_unload_ack_) { | 
|  | parent_->RemoveChild(GetFrameTreeNodeForUnload()); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Ignore Detach Mojo API, if the RenderFrameHost should be left in pending | 
|  | // deletion state. | 
|  | if (do_not_delete_for_testing_) | 
|  | return; | 
|  |  | 
|  | if (IsPendingDeletion()) { | 
|  | // The frame is pending deletion. Detach Mojo API is used to confirm its | 
|  | // unload handlers ran. Note that it is possible for a frame to already be | 
|  | // in kReadyToBeDeleted. This happens when this RenderFrameHost is pending | 
|  | // deletion and is waiting on one of its children to run its unload | 
|  | // handler. While running it, it can request its parent to detach itself. | 
|  | // See test: SitePerProcessBrowserTest.PartialUnloadHandler. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kReadyToBeDeleted) | 
|  | SetLifecycleState(LifecycleStateImpl::kReadyToBeDeleted); | 
|  | PendingDeletionCheckCompleted();  // Can delete |this|. | 
|  | // |this| is potentially deleted. Do not add code after this. | 
|  | return; | 
|  | } | 
|  |  | 
|  | // This frame is being removed by the renderer, and it has already executed | 
|  | // its unload handler. | 
|  | SetLifecycleState(LifecycleStateImpl::kReadyToBeDeleted); | 
|  |  | 
|  | // Before completing the removal, we still need to wait for all of its | 
|  | // descendant frames to execute unload handlers. Start executing those | 
|  | // handlers now. | 
|  | StartPendingDeletionOnSubtree(PendingDeletionReason::kFrameDetach); | 
|  | frame_tree()->FrameUnloading(GetFrameTreeNodeForUnload()); | 
|  |  | 
|  | // Some children with no unload handler may be eligible for immediate | 
|  | // deletion. Cut the dead branches now. This is a performance optimization. | 
|  | PendingDeletionCheckCompletedOnSubtree();  // Can delete |this|. | 
|  | // |this| is potentially deleted. Do not add code after this. | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidFailLoadWithError(const GURL& url, | 
|  | int32_t error_code) { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::DidFailLoadWithError", | 
|  | ChromeTrackEvent::kRenderFrameHost, *this, "error", error_code); | 
|  |  | 
|  | // Terminate the renderer if it sends an invalid error code. | 
|  | if (!net::IsOkOrDefinedError(error_code)) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFHI_INVALID_NET_ERROR_CODE); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Cancel prerendering if DidFailLoadWithError is called on the outermost main | 
|  | // document during prerendering. Don't dispatch the DidFailLoad event in such | 
|  | // a case as the embedders are unaware of prerender page yet and shouldn't | 
|  | // show any user-visible changes from an inactive RenderFrameHost. | 
|  | if (!GetParentOrOuterDocument() && | 
|  | CancelPrerendering( | 
|  | PrerenderCancellationReason::BuildForLoadingError(error_code))) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | GURL validated_url(url); | 
|  | GetProcess()->FilterURL(false, &validated_url); | 
|  |  | 
|  | delegate_->DidFailLoadWithError(this, validated_url, error_code); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::TakingFocusWillCrossFencedBoundary( | 
|  | RenderFrameHostImpl* focused_rfh) { | 
|  | if (!focused_rfh) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (this == focused_rfh) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (frame_tree() == focused_rfh->frame_tree()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // We only care if the focus change is ENTERING a fenced frame. Focus is still | 
|  | // allowed to be pulled out of a fenced frame. This is done because an outer | 
|  | // frame should be allowed to re-gain focus from a child frame, and since | 
|  | // gating focus in one direction is enough to prevent a communication channel | 
|  | // from opening. | 
|  | if (!IsNestedWithinFencedFrame()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::VerifyFencedFrameFocusChange( | 
|  | RenderFrameHostImpl* focused_rfh) { | 
|  | if (GetOutermostMainFrameOrEmbedder() | 
|  | ->GetRenderWidgetHost() | 
|  | ->HasLostFocus()) { | 
|  | ActivateFocusSourceUserActivation(); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | if (HasTransientUserActivation() || FocusSourceHasTransientUserActivation()) { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | if (!TakingFocusWillCrossFencedBoundary(focused_rfh)) { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("FencedFocus", "is_fenced_root", IsFencedFrameRoot()); | 
|  |  | 
|  | // Information about the previously focused frame | 
|  | SCOPED_CRASH_KEY_BOOL("FencedFocus", "current_in_fenced_tree", | 
|  | focused_rfh->IsNestedWithinFencedFrame()); | 
|  | SCOPED_CRASH_KEY_BOOL("FencedFocus", "current_is_fenced_root", | 
|  | focused_rfh->IsFencedFrameRoot()); | 
|  |  | 
|  | // If none of the other cases were hit, disallow the focus change. | 
|  | // TODO(crbug.com/40274134): We will later badmessage the renderer, but, for | 
|  | // now, we will dump without crashing to monitor if any legitimate cases are | 
|  | // reaching this point. | 
|  | if (base::FeatureList::IsEnabled(features::kFencedFramesEnforceFocus)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_FOCUS_ACROSS_FENCED_BOUNDARY); | 
|  | } else { | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | } | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidFocusFrame() { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::DidFocusFrame", | 
|  | ChromeTrackEvent::kRenderFrameHost, *this, | 
|  | ChromeTrackEvent::kSiteInstanceGroup, | 
|  | *GetSiteInstance()->group()); | 
|  | // We don't handle this IPC signal for non-active RenderFrameHost. | 
|  | if (!IsActive()) | 
|  | return; | 
|  |  | 
|  | DCHECK(owner_);  // See `owner_` invariants about `IsActive()`. | 
|  | owner_->SetFocusedFrame(GetSiteInstance()->group()); | 
|  |  | 
|  | #if BUILDFLAG(IS_WIN) | 
|  | // If the frame has a url, notify the view to allow it to supply the Url to | 
|  | // any interested IME (e.g. Windows 11's TSF uses this information). | 
|  | if (!last_committed_url_.is_empty()) { | 
|  | RenderWidgetHostView* view = render_view_host_->GetWidget()->GetView(); | 
|  | if (view) { | 
|  | ui::TextInputClient* input_client = view->GetTextInputClient(); | 
|  | if (input_client) { | 
|  | input_client->NotifyOnFrameFocusChanged(); | 
|  | } | 
|  | } | 
|  | } | 
|  | #endif  // BUILDFLAG(IS_WIN) | 
|  |  | 
|  | // The lost focus tracker is cleared out after a focus call. | 
|  | GetOutermostMainFrameOrEmbedder()->GetRenderWidgetHost()->ResetLostFocus(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidCallFocus() { | 
|  | // This should not occur for prerenders but may occur for pages in | 
|  | // the BackForwardCache depending on timing. | 
|  | if (!IsActive()) | 
|  | return; | 
|  | delegate_->DidCallFocus(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CancelInitialHistoryLoad() { | 
|  | // A Javascript navigation interrupted the initial history load.  Check if an | 
|  | // initial subframe cross-process navigation needs to be canceled as a result. | 
|  | // TODO(creis, clamy): Cancel any cross-process navigation. | 
|  | NOTIMPLEMENTED(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeBackForwardCacheDisablingFeatures( | 
|  | BackForwardCacheBlockingDetails details) { | 
|  | renderer_reported_bfcache_blocking_details_ = std::move(details); | 
|  |  | 
|  | MaybeEvictFromBackForwardCache(); | 
|  | } | 
|  |  | 
|  | using BackForwardCacheDisablingFeatureHandle = | 
|  | RenderFrameHostImpl::BackForwardCacheDisablingFeatureHandle; | 
|  |  | 
|  | BackForwardCacheDisablingFeatureHandle:: | 
|  | BackForwardCacheDisablingFeatureHandle() { | 
|  | // |render_frame_host_| will be null, so this value is never used. | 
|  | feature_ = BackForwardCacheDisablingFeature::kDummy; | 
|  | } | 
|  |  | 
|  | BackForwardCacheDisablingFeatureHandle::BackForwardCacheDisablingFeatureHandle( | 
|  | BackForwardCacheDisablingFeatureHandle&& other) = default; | 
|  |  | 
|  | BackForwardCacheDisablingFeatureHandle::BackForwardCacheDisablingFeatureHandle( | 
|  | RenderFrameHostImpl* render_frame_host, | 
|  | BackForwardCacheDisablingFeature feature) | 
|  | : render_frame_host_(render_frame_host->GetWeakPtr()), feature_(feature) { | 
|  | CHECK(render_frame_host_); | 
|  | render_frame_host_->OnBackForwardCacheDisablingFeatureUsed(feature_); | 
|  | } | 
|  |  | 
|  | BackForwardCacheDisablingFeatureHandle:: | 
|  | ~BackForwardCacheDisablingFeatureHandle() { | 
|  | Reset(); | 
|  | } | 
|  |  | 
|  | bool BackForwardCacheDisablingFeatureHandle::IsValid() const { | 
|  | return render_frame_host_.get(); | 
|  | } | 
|  |  | 
|  | void BackForwardCacheDisablingFeatureHandle::Reset() { | 
|  | if (render_frame_host_) { | 
|  | render_frame_host_->OnBackForwardCacheDisablingFeatureRemoved(feature_); | 
|  | } | 
|  | render_frame_host_ = nullptr; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RecordBackForwardCacheDisablingReason( | 
|  | BackForwardCacheDisablingFeature feature) { | 
|  | ++browser_reported_bfcache_disabling_features_counts_[feature]; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnBackForwardCacheDisablingFeatureUsed( | 
|  | BackForwardCacheDisablingFeature feature) { | 
|  | RecordBackForwardCacheDisablingReason(feature); | 
|  |  | 
|  | MaybeEvictFromBackForwardCache(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnBackForwardCacheDisablingStickyFeatureUsed( | 
|  | BackForwardCacheDisablingFeature feature) { | 
|  | OnBackForwardCacheDisablingFeatureUsed(feature); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnBackForwardCacheDisablingFeatureRemoved( | 
|  | BackForwardCacheDisablingFeature feature) { | 
|  | auto it = browser_reported_bfcache_disabling_features_counts_.find(feature); | 
|  | CHECK(it != browser_reported_bfcache_disabling_features_counts_.end()); | 
|  | DCHECK(it->second >= 1); | 
|  | if (it->second == 1) { | 
|  | browser_reported_bfcache_disabling_features_counts_.erase(it); | 
|  | } else { | 
|  | --it->second; | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::BackForwardCacheDisablingFeatures | 
|  | RenderFrameHostImpl::GetBackForwardCacheDisablingFeatures() const { | 
|  | BackForwardCacheDisablingFeatures features; | 
|  | for (const auto& details : GetBackForwardCacheBlockingDetails()) { | 
|  | features.Put(details->feature); | 
|  | } | 
|  | return features; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::BackForwardCacheBlockingDetails | 
|  | RenderFrameHostImpl::GetBackForwardCacheBlockingDetails() const { | 
|  | BackForwardCacheBlockingDetails combined_details_list = | 
|  | DedicatedWorkerHostsForDocument::GetOrCreateForCurrentDocument( | 
|  | const_cast<RenderFrameHostImpl*>(this)) | 
|  | ->GetBackForwardCacheBlockingDetails(); | 
|  |  | 
|  | for (const auto& details : renderer_reported_bfcache_blocking_details_) { | 
|  | combined_details_list.push_back(details.Clone()); | 
|  | } | 
|  |  | 
|  | for (const auto& it : browser_reported_bfcache_disabling_features_counts_) { | 
|  | // Browser reported features do not have JS location details. Create a | 
|  | // blocking details struct with only the feature filled. | 
|  | auto details_ptr = blink::mojom::BlockingDetails::New(); | 
|  | details_ptr->feature = it.first; | 
|  | combined_details_list.push_back(std::move(details_ptr)); | 
|  | } | 
|  | return combined_details_list; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::BackForwardCacheDisablingFeatureHandle | 
|  | RenderFrameHostImpl::RegisterBackForwardCacheDisablingNonStickyFeature( | 
|  | BackForwardCacheDisablingFeature feature) { | 
|  | return BackForwardCacheDisablingFeatureHandle(this, feature); | 
|  | } | 
|  |  | 
|  | using HoldingBlockingIDBLockHandle = | 
|  | RenderFrameHostImpl::HoldingBlockingIDBLockHandle; | 
|  |  | 
|  | HoldingBlockingIDBLockHandle::HoldingBlockingIDBLockHandle() = default; | 
|  |  | 
|  | HoldingBlockingIDBLockHandle::HoldingBlockingIDBLockHandle( | 
|  | HoldingBlockingIDBLockHandle&& other) = default; | 
|  |  | 
|  | HoldingBlockingIDBLockHandle::HoldingBlockingIDBLockHandle( | 
|  | RenderFrameHostImpl* render_frame_host) | 
|  | : render_frame_host_(render_frame_host->GetWeakPtr()) { | 
|  | CHECK(render_frame_host_); | 
|  | render_frame_host_->OnStartHoldingBlockingIDBLock(); | 
|  | } | 
|  |  | 
|  | HoldingBlockingIDBLockHandle::~HoldingBlockingIDBLockHandle() { | 
|  | Reset(); | 
|  | } | 
|  |  | 
|  | bool HoldingBlockingIDBLockHandle::IsValid() const { | 
|  | return render_frame_host_.get(); | 
|  | } | 
|  |  | 
|  | void HoldingBlockingIDBLockHandle::Reset() { | 
|  | if (render_frame_host_) { | 
|  | render_frame_host_->OnStopHoldingBlockingIDBLock(); | 
|  | } | 
|  | render_frame_host_ = nullptr; | 
|  | } | 
|  |  | 
|  | HoldingBlockingIDBLockHandle | 
|  | RenderFrameHostImpl::RegisterHoldingBlockingIDBLockHandle() { | 
|  | return HoldingBlockingIDBLockHandle(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnStartHoldingBlockingIDBLock() { | 
|  | CHECK_GE(holding_blocking_idb_lock_count_, 0); | 
|  | if (++holding_blocking_idb_lock_count_ != 1) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (auto* client = | 
|  | GetContentClient()->browser()->GetFeatureObserverClient()) { | 
|  | client->OnStartUsing( | 
|  | GetGlobalId(), | 
|  | blink::mojom::ObservedFeatureType::kBlockingIndexedDBLock); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnStopHoldingBlockingIDBLock() { | 
|  | CHECK_GT(holding_blocking_idb_lock_count_, 0); | 
|  | if (--holding_blocking_idb_lock_count_ != 0) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (auto* client = | 
|  | GetContentClient()->browser()->GetFeatureObserverClient()) { | 
|  | client->OnStopUsing( | 
|  | GetGlobalId(), | 
|  | blink::mojom::ObservedFeatureType::kBlockingIndexedDBLock); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFrozen() { | 
|  | auto state = render_view_host() | 
|  | ->GetPageLifecycleStateManager() | 
|  | ->CalculatePageLifecycleState(); | 
|  | return state->is_frozen; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidCommitProvisionalLoad( | 
|  | mojom::DidCommitProvisionalLoadParamsPtr params, | 
|  | mojom::DidCommitProvisionalLoadInterfaceParamsPtr interface_params) { | 
|  | if (!MaybeInterceptCommitCallback(nullptr, ¶ms, &interface_params)) | 
|  | return; | 
|  |  | 
|  | DCHECK(params); | 
|  | DidCommitNavigation(nullptr, std::move(params), std::move(interface_params)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidCommitPageActivation( | 
|  | NavigationRequest* committing_navigation_request, | 
|  | mojom::DidCommitProvisionalLoadParamsPtr params) { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::DidCommitPageActivation", | 
|  | ChromeTrackEvent::kRenderFrameHost, this, | 
|  | "committing_navigation_request", committing_navigation_request); | 
|  | DCHECK(committing_navigation_request->IsPageActivation()); | 
|  | DCHECK(is_main_frame()); | 
|  |  | 
|  | auto request = navigation_requests_.find(committing_navigation_request); | 
|  | CHECK(request != navigation_requests_.end()); | 
|  |  | 
|  | base::TimeTicks navigation_start = | 
|  | committing_navigation_request->NavigationStart(); | 
|  | bool is_prerender_page_activation = | 
|  | committing_navigation_request->IsPrerenderedPageActivation(); | 
|  |  | 
|  | std::unique_ptr<NavigationRequest> owned_request = std::move(request->second); | 
|  | navigation_requests_.erase(committing_navigation_request); | 
|  |  | 
|  | // Copy the prerendering frame replication state to have it available after | 
|  | // the navigation commit to be able to check that it didn't change, as | 
|  | // NavigationRequest will be destroyed by that point. | 
|  | blink::mojom::FrameReplicationState prerender_main_frame_replication_state; | 
|  | // Copy the prerendering trigger type and the embbeder histogram suffix for | 
|  | // metrics before NavigationRequest is destroyed. | 
|  | PreloadingTriggerType prerender_trigger_type; | 
|  | std::string prerender_embedder_histogram_suffix; | 
|  | if (is_prerender_page_activation) { | 
|  | prerender_main_frame_replication_state = | 
|  | owned_request->prerender_main_frame_replication_state(); | 
|  | prerender_trigger_type = owned_request->GetPrerenderTriggerType(); | 
|  | prerender_embedder_histogram_suffix = | 
|  | owned_request->GetPrerenderEmbedderHistogramSuffix(); | 
|  | } | 
|  |  | 
|  | #if DCHECK_IS_ON() | 
|  | // We do not support activating a page while subframes have any ongoing | 
|  | // NavigationRequest with a NavigationEntry (this would happen on a navigation | 
|  | // to an existing entry; this is called a "history navigation"). This would be | 
|  | // tricky to support because the NavigationRequest would change its | 
|  | // NavigationController in the course of the activation, and while that may be | 
|  | // safe for a normal navigation, it has more implications for a history | 
|  | // navigation as it already has an associated NavigationEntry and we do not | 
|  | // transfer pending NavigationEntries during activation. Fortunately, for | 
|  | // prerendering, we do not expect there to be any ongoing history navigations | 
|  | // in a subframe, because we maintain a trivial session history, so check that | 
|  | // nav_entry_id() is 0 here. Reloading subframes are considered | 
|  | // renderer-initiated navigations and do not create a new navigation entry | 
|  | // when NavigationRequest is created. | 
|  | // | 
|  | // Note that due to PrerenderCommitDeferringCondition, the main frame should | 
|  | // have no ongoing NavigationRequest at all, so it is not checked here. | 
|  | ForEachRenderFrameHostImpl([](RenderFrameHostImpl* rfh) { | 
|  | // Interested only in subframes. | 
|  | if (rfh->is_main_frame()) | 
|  | return; | 
|  | for (const auto& pair : rfh->navigation_requests_) | 
|  | DCHECK_EQ(pair.first->nav_entry_id(), 0); | 
|  | }); | 
|  | #endif | 
|  |  | 
|  | DidCommitNavigationInternal( | 
|  | std::move(owned_request), std::move(params), | 
|  | /*same_document_params=*/nullptr, | 
|  | /*did_commit_ipc_received_time=*/base::TimeTicks()); | 
|  |  | 
|  | // NOTE: Navigation metrics assume that not much work is done between | 
|  | // DidCommitNavigationInternal() and the end of this function. Avoid adding | 
|  | // code below unless absolutely needed specifically for page activation. | 
|  |  | 
|  | // If any load events occurred pre-activation and were deferred until | 
|  | // activation, dispatch them now. This must happen before DidStopLoading() is | 
|  | // called because observers expect them to occur before that. | 
|  | if (is_prerender_page_activation) { | 
|  | GetPage().MaybeDispatchLoadEventsOnPrerenderActivation(); | 
|  | } | 
|  |  | 
|  | // Try to dispatch DidStopLoading event (note that | 
|  | // RenderFrameHostImpl::DidStopLoading implementation won't dispatch the event | 
|  | // if the page is still loading). We dispatch it here as it hasn't been | 
|  | // dispatched pre-activation because the back-forward cache page is already | 
|  | // loaded, whereas, for initial prerendering navigation, prerendered page | 
|  | // might still be loading. | 
|  | if (is_prerender_page_activation) { | 
|  | // Regardless of the actual loading state of the prerendered page, the state | 
|  | // should be overwritten with LoadingState::LOADING_UI_REQUESTED in | 
|  | // SetNavigationRequest(). | 
|  | CHECK_EQ(loading_state_, LoadingState::LOADING_UI_REQUESTED); | 
|  |  | 
|  | // Dispatch DidStopLoading only when the page is fully loaded during | 
|  | // prerendering. Otherwise, DidStopLoading will be dispatched later. | 
|  | if (document_associated_data_ | 
|  | ->pending_did_stop_loading_for_prerendering()) { | 
|  | DidStopLoading(); | 
|  | } | 
|  | } else { | 
|  | DidStopLoading(); | 
|  | } | 
|  |  | 
|  | if (is_prerender_page_activation) { | 
|  | // Record metric to check navigation time with prerender activation. | 
|  | base::TimeDelta delta = base::TimeTicks::Now() - navigation_start; | 
|  | RecordPrerenderActivationTime(delta, prerender_trigger_type, | 
|  | prerender_embedder_histogram_suffix); | 
|  |  | 
|  | // We haven't sent any updates to the proxies during prerendering | 
|  | // activation, so we need to ensure that the new frame replication being | 
|  | // stored in the browser is the same as the old and consistent with the | 
|  | // state we've sent to the renderers. | 
|  | // TODO - can we check main frame replication state? | 
|  | DCHECK(prerender_main_frame_replication_state == | 
|  | frame_tree()->root()->current_replication_state()); | 
|  |  | 
|  | ForEachRenderFrameHostImpl([](RenderFrameHostImpl* rfh) { | 
|  | rfh->document_associated_data_->RunPostPrerenderingActivationSteps(); | 
|  | }); | 
|  |  | 
|  | } else if (auto* view = GetView()) { | 
|  | view->ActivatedOrEvictedFromBackForwardCache(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::StartLoadingForAsyncNavigationApiCommit() { | 
|  | // A same document navigation commit was requested, but was intercepted by | 
|  | // the navigation event. This should cause loading UI to appear, because | 
|  | // unlike other same-document navigations, this one is asynchronous. Note that | 
|  | // the renderer notifies the browser after a short delay, in order to lessen | 
|  | // the risk of the loading UI jittering if there are several short | 
|  | // asynchronous navigations in a row. | 
|  | LoadingState previous_frame_tree_loading_state = | 
|  | frame_tree()->LoadingTree()->GetLoadingState(); | 
|  | loading_state_ = LoadingState::LOADING_UI_REQUESTED; | 
|  | frame_tree_node()->DidStartLoading(previous_frame_tree_loading_state); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidCommitSameDocumentNavigation( | 
|  | mojom::DidCommitProvisionalLoadParamsPtr params, | 
|  | mojom::DidCommitSameDocumentNavigationParamsPtr same_document_params) { | 
|  | TRACE_EVENT("navigation", | 
|  | "RenderFrameHostImpl::DidCommitSameDocumentNavigation", | 
|  | ChromeTrackEvent::kRenderFrameHost, this, "url", | 
|  | params->url.possibly_invalid_spec()); | 
|  | base::TimeTicks did_commit_ipc_received_time = base::TimeTicks().Now(); | 
|  |  | 
|  | // TODO(peilinwang): remove after the kAndroidVisibleUrlTruncation experiment | 
|  | // is complete. | 
|  | SCOPED_UMA_HISTOGRAM_TIMER( | 
|  | "Navigation.DidCommitSameDocumentNavigation.Duration"); | 
|  |  | 
|  | ScopedActiveURL scoped_active_url(params->url, | 
|  | GetMainFrame()->GetLastCommittedOrigin()); | 
|  | ScopedCommitStateResetter commit_state_resetter(this); | 
|  |  | 
|  | // When the frame is pending deletion, the browser is waiting for it to unload | 
|  | // properly. In the meantime, because of race conditions, it might tries to | 
|  | // commit a same-document navigation before unloading. Similarly to what is | 
|  | // done with cross-document navigations, such navigation are ignored. The | 
|  | // browser already committed to destroying this RenderFrameHost. | 
|  | // See https://crbug.com/805705 and https://crbug.com/930132. | 
|  | // TODO(crbug.com/40276805): Investigate to see if this can be removed | 
|  | // when the NavigationClient interface is implemented. | 
|  | // | 
|  | // If this is called when the frame is in BackForwardCache, evict the frame | 
|  | // to avoid ignoring the renderer-initiated navigation, which the frame | 
|  | // might not expect. | 
|  | // | 
|  | // If this is called when the frame is in Prerendering, do not cancel | 
|  | // Prerendering as prerendered frames can be navigated, including | 
|  | // same-document navigations like push/replaceState. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kPrerendering && | 
|  | IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kCommitSameDocumentNavigation)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Check if the navigation matches a stored same-document NavigationRequest. | 
|  | // In that case it is browser-initiated. | 
|  | auto request_entry = | 
|  | same_document_navigation_requests_.find(params->navigation_token); | 
|  | bool is_browser_initiated = | 
|  | (request_entry != same_document_navigation_requests_.end()); | 
|  | std::unique_ptr<NavigationRequest> request = | 
|  | is_browser_initiated ? std::move(request_entry->second) : nullptr; | 
|  | same_document_navigation_requests_.erase(params->navigation_token); | 
|  | if (!MaybeInterceptCommitCallback(request.get(), ¶ms, nullptr)) { | 
|  | return; | 
|  | } | 
|  | if (!DidCommitNavigationInternal(std::move(request), std::move(params), | 
|  | std::move(same_document_params), | 
|  | did_commit_ipc_received_time)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // NOTE: Navigation metrics assume that not much work is done between | 
|  | // DidCommitNavigationInternal() and the end of this function. Avoid adding | 
|  | // code below unless absolutely needed. | 
|  |  | 
|  | // Since we didn't early return, it's safe to keep the commit state. | 
|  | commit_state_resetter.disable(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidOpenDocumentInputStream(const GURL& url) { | 
|  | // Check if the URL can actually be committed to the current origin. When | 
|  | // checking, the restrictions should be the same as a same-document navigation | 
|  | // since document.open() can only update the URL to a same-origin URL. | 
|  | if (!ValidateURLAndOrigin(url, last_committed_origin_, | 
|  | /*is_same_document_navigation=*/true, | 
|  | /*navigation_request=*/nullptr)) { | 
|  | return; | 
|  | } | 
|  | // Filter the URL, then update `renderer_url_info_`'s `last_document_url`. | 
|  | // Note that we won't update `last_committed_url_` because this doesn't really | 
|  | // count as committing a real navigation and won't update NavigationEntry etc. | 
|  | // See https://crbug.com/1046898 and https://github.com/whatwg/html/pull/6649 | 
|  | // for more details. | 
|  | GURL filtered_url(url); | 
|  | GetProcess()->FilterURL(/*empty_allowed=*/false, &filtered_url); | 
|  | renderer_url_info_.last_document_url = filtered_url; | 
|  | // `owner_` could be null if we get this message asynchronously from the | 
|  | // renderer in pending deletion state. | 
|  | if (owner_) { | 
|  | owner_->DidOpenDocumentInputStream(); | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderWidgetHostImpl* RenderFrameHostImpl::GetRenderWidgetHost() { | 
|  | RenderFrameHostImpl* frame = this; | 
|  | while (frame) { | 
|  | if (frame->GetLocalRenderWidgetHost()) | 
|  | return frame->GetLocalRenderWidgetHost(); | 
|  | frame = frame->GetParent(); | 
|  | } | 
|  |  | 
|  | DUMP_WILL_BE_NOTREACHED(); | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | RenderWidgetHostViewBase* RenderFrameHostImpl::GetView() { | 
|  | return GetRenderWidgetHost()->GetView(); | 
|  | } | 
|  |  | 
|  | GlobalRenderFrameHostId RenderFrameHostImpl::GetGlobalId() const { | 
|  | return GlobalRenderFrameHostId(GetProcess()->GetDeprecatedID(), | 
|  | GetRoutingID()); | 
|  | } | 
|  |  | 
|  | GlobalRenderFrameHostToken RenderFrameHostImpl::GetGlobalFrameToken() const { | 
|  | return GlobalRenderFrameHostToken(GetProcess()->GetDeprecatedID(), | 
|  | GetFrameToken()); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasPendingCommitNavigation() const { | 
|  | return HasPendingCommitForCrossDocumentNavigation() || | 
|  | !same_document_navigation_requests_.empty(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasPendingCommitForCrossDocumentNavigation() const { | 
|  | return !navigation_requests_.empty(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RecordMetricsForBlockedGetFrameHostAttempt( | 
|  | bool commit_attempt) { | 
|  | DCHECK_EQ(lifecycle_state_, LifecycleStateImpl::kPendingCommit); | 
|  | DCHECK_EQ(1u, navigation_requests_.size()); | 
|  | navigation_requests_.begin() | 
|  | ->first->RecordMetricsForBlockedGetFrameHostAttempt(commit_attempt); | 
|  | } | 
|  |  | 
|  | NavigationRequest* RenderFrameHostImpl::GetSameDocumentNavigationRequest( | 
|  | const base::UnguessableToken& token) { | 
|  | auto request = same_document_navigation_requests_.find(token); | 
|  | return (request == same_document_navigation_requests_.end()) | 
|  | ? nullptr | 
|  | : request->second.get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResetOwnedNavigationRequests( | 
|  | NavigationDiscardReason reason) { | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kPendingCommit) { | 
|  | // Pending commit RenderFrameHosts should never have same document | 
|  | // navigation requests yet, as they do not have a real document committed | 
|  | // yet. | 
|  | DCHECK(same_document_navigation_requests_.empty()); | 
|  |  | 
|  | if (ShouldQueueNavigationsWhenPendingCommitRFHExists() && | 
|  | HasPendingCommitForCrossDocumentNavigation()) { | 
|  | // With navigation queueing, pending commit navigations shouldn't get | 
|  | // canceled, unless the FrameTreeNode or renderer process | 
|  | // is gone/will be gone soon. | 
|  | CHECK(reason == NavigationDiscardReason::kRenderProcessGone || | 
|  | reason == NavigationDiscardReason::kWillRemoveFrame); | 
|  | } | 
|  | } | 
|  |  | 
|  | for (auto& request : navigation_requests_) { | 
|  | request.second->set_navigation_discard_reason(reason); | 
|  | } | 
|  |  | 
|  | for (auto& request : same_document_navigation_requests_) { | 
|  | request.second->set_navigation_discard_reason(reason); | 
|  | } | 
|  |  | 
|  | // Move the NavigationRequests to new maps first before deleting them. This | 
|  | // avoids issues if a re-entrant call is made when a NavigationRequest is | 
|  | // being deleted (e.g., if the process goes away as the tab is closing). | 
|  | std::map<NavigationRequest*, std::unique_ptr<NavigationRequest>> | 
|  | navigation_requests; | 
|  | navigation_requests_.swap(navigation_requests); | 
|  |  | 
|  | base::flat_map<base::UnguessableToken, std::unique_ptr<NavigationRequest>> | 
|  | same_document_navigation_requests; | 
|  | same_document_navigation_requests_.swap(same_document_navigation_requests); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetNavigationRequest( | 
|  | std::unique_ptr<NavigationRequest> navigation_request) { | 
|  | DCHECK(navigation_request); | 
|  |  | 
|  | if (NavigationTypeUtils::IsSameDocument( | 
|  | navigation_request->common_params().navigation_type)) { | 
|  | loading_state_ = LoadingState::LOADING_WITHOUT_UI; | 
|  | same_document_navigation_requests_[navigation_request->commit_params() | 
|  | .navigation_token] = | 
|  | std::move(navigation_request); | 
|  | return; | 
|  | } | 
|  | loading_state_ = LoadingState::LOADING_UI_REQUESTED; | 
|  | navigation_requests_[navigation_request.get()] = | 
|  | std::move(navigation_request); | 
|  | } | 
|  |  | 
|  | const scoped_refptr<NavigationOrDocumentHandle>& | 
|  | RenderFrameHostImpl::GetNavigationOrDocumentHandle() { | 
|  | if (!document_associated_data_->navigation_or_document_handle()) { | 
|  | document_associated_data_->set_navigation_or_document_handle( | 
|  | NavigationOrDocumentHandle::CreateForDocument(GetGlobalId())); | 
|  | } | 
|  | return document_associated_data_->navigation_or_document_handle(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Unload(RenderFrameProxyHost* proxy, bool is_loading) { | 
|  | // The end of this event is in OnUnloadACK when the RenderFrame has completed | 
|  | // the operation and sends back an IPC message. | 
|  | TRACE_EVENT_NESTABLE_ASYNC_BEGIN1("navigation", "RenderFrameHostImpl::Unload", | 
|  | TRACE_ID_LOCAL(this), "render_frame_host", | 
|  | this); | 
|  | base::ScopedUmaHistogramTimer histogram_timer("Navigation.Unload"); | 
|  |  | 
|  | // If this RenderFrameHost is already pending deletion, it must have already | 
|  | // gone through this, therefore just return. | 
|  | if (IsPendingDeletion()) { | 
|  | NOTREACHED() << "RFH should be in default state when calling Unload."; | 
|  | } | 
|  |  | 
|  | if (unload_event_monitor_timeout_ && !do_not_delete_for_testing_) { | 
|  | unload_event_monitor_timeout_->Start(kUnloadTimeout); | 
|  | } | 
|  |  | 
|  | is_waiting_for_unload_ack_ = true; | 
|  |  | 
|  | if (proxy) { | 
|  | SetLifecycleState(LifecycleStateImpl::kRunningUnloadHandlers); | 
|  | if (IsRenderFrameLive()) { | 
|  | GetMojomFrameInRenderer()->Unload( | 
|  | is_loading, | 
|  | proxy->frame_tree_node()->current_replication_state().Clone(), | 
|  | proxy->GetFrameToken(), proxy->CreateAndBindRemoteFrameInterfaces(), | 
|  | proxy->CreateAndBindRemoteMainFrameInterfaces(), | 
|  | /*devtools_frame_token=*/std::nullopt); | 
|  | // Remember that a `blink::RemoteFrame` was created as part of processing | 
|  | // the Unload message above. | 
|  | proxy->SetRenderFrameProxyCreated(true); | 
|  | } | 
|  | } else { | 
|  | // RenderDocument: After a local<->local swap, this function is called with | 
|  | // a null |proxy|. | 
|  | // It may be the case that two navigations are queued up. Both may initially | 
|  | // see `ShouldChangeRenderFrameHostOnSameSiteNavigation()` return true, | 
|  | // however after the first one commits the RFH will change. When the second | 
|  | // navigation commits `ShouldChangeRenderFrameHostOnSameSiteNavigation()` | 
|  | // may no longer return true. | 
|  | CHECK_EQ( | 
|  | GetSiteInstance()->group(), | 
|  | frame_tree_node_->current_frame_host()->GetSiteInstance()->group()); | 
|  |  | 
|  | // The unload handlers already ran for this document during the | 
|  | // local<->local swap. Hence, there is no need to send | 
|  | // mojom::FrameNavigationControl::Unload here. It can be marked at | 
|  | // completed. | 
|  | SetLifecycleState(LifecycleStateImpl::kReadyToBeDeleted); | 
|  | } | 
|  |  | 
|  | if (web_ui()) | 
|  | web_ui()->RenderFrameHostUnloading(); | 
|  |  | 
|  | StartPendingDeletionOnSubtree(PendingDeletionReason::kSwappedOut); | 
|  | // Some children with no unload handler may be eligible for deletion. Cut the | 
|  | // dead branches now. This is a performance optimization. | 
|  | PendingDeletionCheckCompletedOnSubtree(); | 
|  | // |this| is potentially deleted. Do not add code after this. | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UndoCommitNavigation(RenderFrameProxyHost& proxy, | 
|  | bool is_loading) { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::UndoCommitNavigation", | 
|  | "render_frame_host", this); | 
|  |  | 
|  | DCHECK_EQ(lifecycle_state_, LifecycleStateImpl::kPendingCommit); | 
|  |  | 
|  | if (IsRenderFrameLive()) { | 
|  | // By definition, the browser process has not received the | 
|  | // `DidCommitNavgation()`, so the RenderFrameProxyHost endpoints are still | 
|  | // bound. Resetting now means any queued IPCs that are still in-flight will | 
|  | // be dropped. This is a bit problematic, but it is still less problematic | 
|  | // than just crashing the renderer for being in an inconsistent state. | 
|  | proxy.TearDownMojoConnection(); | 
|  |  | 
|  | GetMojomFrameInRenderer()->UndoCommitNavigation( | 
|  | is_loading, | 
|  | proxy.frame_tree_node()->current_replication_state().Clone(), | 
|  | proxy.GetFrameToken(), proxy.CreateAndBindRemoteFrameInterfaces(), | 
|  | proxy.CreateAndBindRemoteMainFrameInterfaces()); | 
|  | } | 
|  |  | 
|  | SetLifecycleState(LifecycleStateImpl::kReadyToBeDeleted); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeDispatchDidFinishLoadOnPrerenderActivation() { | 
|  | // Don't dispatch notification if DidFinishLoad has not yet been invoked for | 
|  | // `rfh` i.e., when the url is nullopt. | 
|  | if (!document_associated_data_ | 
|  | ->pending_did_finish_load_url_for_prerendering()) | 
|  | return; | 
|  |  | 
|  | delegate_->OnDidFinishLoad( | 
|  | this, *document_associated_data_ | 
|  | ->pending_did_finish_load_url_for_prerendering()); | 
|  |  | 
|  | // Set to nullopt to avoid calling DidFinishLoad twice. | 
|  | document_associated_data_ | 
|  | ->reset_pending_did_finish_load_url_for_prerendering(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeDispatchDOMContentLoadedOnPrerenderActivation() { | 
|  | // Don't send a notification if DOM content is not yet loaded. | 
|  | if (!document_associated_data_->dom_content_loaded()) | 
|  | return; | 
|  |  | 
|  | delegate_->DOMContentLoaded(this); | 
|  | if (last_committed_url_.SchemeIsHTTPOrHTTPS() && IsOutermostMainFrame()) { | 
|  | RecordIsProcessBackgrounded("OnDOMContentLoaded", | 
|  | GetProcess()->GetPriority()); | 
|  | } | 
|  | MaybeResetBoostRenderProcessForLoading(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SwapOuterDelegateFrame( | 
|  | RenderFrameProxyHost* proxy, | 
|  | const base::UnguessableToken& devtools_frame_token) { | 
|  | // Note: At this point the placeholder iframe for embedding the guest has | 
|  | // been initialized with a devtools_frame_token that is different from the | 
|  | // guest's main frame (that is about to be attached to it). When we swap | 
|  | // the LocalFrame with a RemoteFrame below; we also update its | 
|  | // devtools_frame_token to the guest main frame's devtools_frame_token (i.e. | 
|  | // `devtools_frame_token`) to indicate to DevTools clients that the guest has | 
|  | // been attached to this placeholder iframe. | 
|  | const bool should_swap_devtools_frame_token = | 
|  | base::FeatureList::IsEnabled(features::kGuestViewMPArch); | 
|  | GetMojomFrameInRenderer()->Unload( | 
|  | /*is_loading=*/false, | 
|  | browsing_context_state_->current_replication_state().Clone(), | 
|  | proxy->GetFrameToken(), proxy->CreateAndBindRemoteFrameInterfaces(), | 
|  | proxy->CreateAndBindRemoteMainFrameInterfaces(), | 
|  | should_swap_devtools_frame_token | 
|  | ? std::make_optional(devtools_frame_token) | 
|  | : std::nullopt); | 
|  |  | 
|  | // Drop all accessibility state for this frame to release resources and ensure | 
|  | // that any in-flight tree updates received before the unload ACK are ignored. | 
|  | last_ax_mode_ = ui::AXMode(); | 
|  | render_accessibility_.reset(); | 
|  | browser_accessibility_manager_.reset(); | 
|  | ax_unique_ids_.clear(); | 
|  | accessibility_reset_token_.reset(); | 
|  | ax_tree_data_ = ui::AXTreeData(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DetachFromProxy() { | 
|  | if (IsPendingDeletion()) | 
|  | return; | 
|  |  | 
|  | // Start pending deletion on this frame and its children. | 
|  | DeleteRenderFrame(mojom::FrameDeleteIntention::kNotMainFrame); | 
|  | StartPendingDeletionOnSubtree(PendingDeletionReason::kFrameDetach); | 
|  | frame_tree()->FrameUnloading(GetFrameTreeNodeForUnload()); | 
|  |  | 
|  | // Some children with no unload handler may be eligible for immediate | 
|  | // deletion. Cut the dead branches now. This is a performance optimization. | 
|  | PendingDeletionCheckCompletedOnSubtree();  // May delete |this|. | 
|  | // |this| is potentially deleted. Do not add code after this. | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ProcessBeforeUnloadCompleted( | 
|  | bool proceed, | 
|  | bool treat_as_final_completion_callback, | 
|  | const base::TimeTicks& renderer_before_unload_start_time, | 
|  | const base::TimeTicks& renderer_before_unload_end_time, | 
|  | bool for_legacy) { | 
|  | TRACE_EVENT_WITH_FLOW0("navigation", | 
|  | "RenderFrameHostImpl::ProcessBeforeUnloadCompleted", | 
|  | TRACE_ID_LOCAL(this), | 
|  | TRACE_EVENT_FLAG_FLOW_IN | TRACE_EVENT_FLAG_FLOW_OUT); | 
|  | TRACE_EVENT_NESTABLE_ASYNC_END1( | 
|  | "navigation", "RenderFrameHostImpl BeforeUnload", TRACE_ID_LOCAL(this), | 
|  | "render_frame_host", this); | 
|  | // If this renderer navigated while the beforeunload request was in flight, we | 
|  | // may have cleared this state in DidCommitProvisionalLoad, in which case we | 
|  | // can ignore this message. | 
|  | // However renderer might also be swapped out but we still want to proceed | 
|  | // with navigation, otherwise it would block future navigations. This can | 
|  | // happen when pending cross-site navigation is canceled by a second one just | 
|  | // before DidCommitProvisionalLoad while current RVH is waiting for commit | 
|  | // but second navigation is started from the beginning. | 
|  | RenderFrameHostImpl* initiator = GetBeforeUnloadInitiator(); | 
|  | if (!initiator) | 
|  | return; | 
|  |  | 
|  | if (on_process_before_unload_completed_for_testing_) [[unlikely]] { | 
|  | std::move(on_process_before_unload_completed_for_testing_).Run(); | 
|  | } | 
|  |  | 
|  | // Continue processing the ACK in the frame that triggered beforeunload in | 
|  | // this frame.  This could be either this frame itself or an ancestor frame. | 
|  | initiator->ProcessBeforeUnloadCompletedFromFrame( | 
|  | proceed, treat_as_final_completion_callback, this, | 
|  | /*is_frame_being_destroyed=*/false, renderer_before_unload_start_time, | 
|  | renderer_before_unload_end_time, for_legacy); | 
|  | // DO NOT add code after this. `this` can be deleted at this point. | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ProcessBeforeUnloadCompletedFromFrame( | 
|  | bool proceed, | 
|  | bool treat_as_final_completion_callback, | 
|  | RenderFrameHostImpl* frame, | 
|  | bool is_frame_being_destroyed, | 
|  | const base::TimeTicks& renderer_before_unload_start_time, | 
|  | const base::TimeTicks& renderer_before_unload_end_time, | 
|  | bool for_legacy) { | 
|  | // Check if we need to wait for more beforeunload completion callbacks. If | 
|  | // |proceed| is false, we know the navigation or window close will be aborted, | 
|  | // so we don't need to wait for beforeunload completion callbacks from any | 
|  | // other frames. |treat_as_final_completion_callback| also indicates that we | 
|  | // shouldn't wait for any other ACKs (e.g., when a beforeunload timeout | 
|  | // fires). | 
|  | if (!proceed || treat_as_final_completion_callback) { | 
|  | beforeunload_pending_replies_.clear(); | 
|  | } else { | 
|  | beforeunload_pending_replies_.erase(frame); | 
|  | if (!beforeunload_pending_replies_.empty()) | 
|  | return; | 
|  | } | 
|  |  | 
|  | DCHECK(!send_before_unload_start_time_.is_null()); | 
|  |  | 
|  | // Sets a default value for before_unload_end_time so that the browser | 
|  | // survives a hacked renderer. | 
|  | base::TimeTicks before_unload_end_time = renderer_before_unload_end_time; | 
|  | base::TimeDelta browser_to_renderer_ipc_time_delta; | 
|  | if (!renderer_before_unload_start_time.is_null() && | 
|  | !renderer_before_unload_end_time.is_null()) { | 
|  | base::TimeTicks before_unload_completed_time = base::TimeTicks::Now(); | 
|  |  | 
|  | if (!base::TimeTicks::IsConsistentAcrossProcesses() && !for_legacy) { | 
|  | // TimeTicks is not consistent across processes and we are passing | 
|  | // TimeTicks across process boundaries so we need to compensate for any | 
|  | // skew between the processes. Here we are converting the renderer's | 
|  | // notion of before_unload_end_time to TimeTicks in the browser process. | 
|  | // See comments in inter_process_time_ticks_converter.h for more. | 
|  | blink::InterProcessTimeTicksConverter converter( | 
|  | blink::LocalTimeTicks::FromTimeTicks(send_before_unload_start_time_), | 
|  | blink::LocalTimeTicks::FromTimeTicks(before_unload_completed_time), | 
|  | blink::RemoteTimeTicks::FromTimeTicks( | 
|  | renderer_before_unload_start_time), | 
|  | blink::RemoteTimeTicks::FromTimeTicks( | 
|  | renderer_before_unload_end_time)); | 
|  | const base::TimeTicks browser_before_unload_start_time = | 
|  | converter | 
|  | .ToLocalTimeTicks(blink::RemoteTimeTicks::FromTimeTicks( | 
|  | renderer_before_unload_start_time)) | 
|  | .ToTimeTicks(); | 
|  | const base::TimeTicks browser_before_unload_end_time = | 
|  | converter | 
|  | .ToLocalTimeTicks(blink::RemoteTimeTicks::FromTimeTicks( | 
|  | renderer_before_unload_end_time)) | 
|  | .ToTimeTicks(); | 
|  | before_unload_end_time = browser_before_unload_end_time; | 
|  | browser_to_renderer_ipc_time_delta = | 
|  | browser_before_unload_start_time - send_before_unload_start_time_; | 
|  | } else { | 
|  | browser_to_renderer_ipc_time_delta = | 
|  | (renderer_before_unload_start_time - send_before_unload_start_time_); | 
|  | } | 
|  |  | 
|  | if (for_legacy) { | 
|  | // When `for_legacy` is true callers should supply | 
|  | // `send_before_unload_start_time_` as the value for | 
|  | // `renderer_before_unload_start_time`, which means | 
|  | // `browser_to_renderer_ipc_time_delta` should be 0. | 
|  | DCHECK(browser_to_renderer_ipc_time_delta.is_zero()); | 
|  | } | 
|  |  | 
|  | base::TimeDelta on_before_unload_overhead_time = | 
|  | (before_unload_completed_time - send_before_unload_start_time_) - | 
|  | (renderer_before_unload_end_time - renderer_before_unload_start_time); | 
|  | base::UmaHistogramTimes("Navigation.OnBeforeUnloadOverheadTime", | 
|  | on_before_unload_overhead_time); | 
|  |  | 
|  | frame_tree_node_->navigator().LogBeforeUnloadTime( | 
|  | renderer_before_unload_start_time, renderer_before_unload_end_time, | 
|  | send_before_unload_start_time_, for_legacy); | 
|  | } | 
|  |  | 
|  | bool showed_dialog = has_shown_beforeunload_dialog_; | 
|  |  | 
|  | // Resets beforeunload waiting state. | 
|  | is_waiting_for_beforeunload_completion_ = false; | 
|  | has_shown_beforeunload_dialog_ = false; | 
|  | if (beforeunload_timeout_) | 
|  | beforeunload_timeout_->Stop(); | 
|  | send_before_unload_start_time_ = base::TimeTicks(); | 
|  |  | 
|  | // We could reach this from a subframe destructor for |frame| while we're in | 
|  | // the middle of closing the current tab. In that case, dispatch the ACK to | 
|  | // prevent re-entrancy and a potential nested attempt to free the current | 
|  | // frame. See https://crbug.com/866382 and https://crbug.com/1147567. | 
|  | base::OnceClosure task = base::BindOnce( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> self, | 
|  | const base::TimeTicks& before_unload_end_time, bool proceed, | 
|  | bool unload_ack_is_for_navigation, bool for_legacy, | 
|  | bool showed_dialog) { | 
|  | if (!self) | 
|  | return; | 
|  | FrameTreeNode* frame = self->frame_tree_node(); | 
|  | // If the ACK is for a navigation, send it to the Navigator to have the | 
|  | // current navigation stop/proceed. Otherwise, send it to the | 
|  | // RenderFrameHostManager which handles closing. | 
|  | if (unload_ack_is_for_navigation) { | 
|  | frame->navigator().BeforeUnloadCompleted(frame, proceed, | 
|  | before_unload_end_time, | 
|  | for_legacy, showed_dialog); | 
|  | } else { | 
|  | frame->render_manager()->BeforeUnloadCompleted(proceed); | 
|  | } | 
|  | }, | 
|  | // The overhead of the browser->renderer IPC may be non trivial. Account | 
|  | // for it here. Ideally this would also include the time to execute the | 
|  | // JS, but we would need to exclude the time spent waiting for a dialog, | 
|  | // which is tricky. | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | before_unload_end_time - browser_to_renderer_ipc_time_delta, proceed, | 
|  | unload_ack_is_for_navigation_, for_legacy, showed_dialog); | 
|  |  | 
|  | if (is_frame_being_destroyed) { | 
|  | DCHECK(proceed); | 
|  | base::SingleThreadTaskRunner::GetCurrentDefault()->PostTask( | 
|  | FROM_HERE, std::move(task)); | 
|  | } else { | 
|  | std::move(task).Run(); | 
|  | } | 
|  |  | 
|  | // If canceled, notify the delegate to cancel its pending navigation entry. | 
|  | // This is usually redundant with the dialog closure code in WebContentsImpl's | 
|  | // OnDialogClosed, but there may be some cases that Blink returns !proceed | 
|  | // without showing the dialog. We also update the address bar here to be safe. | 
|  | if (!proceed) | 
|  | frame_tree_->DidCancelLoading(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsWaitingForUnloadACK() const { | 
|  | return page_close_state_ == PageCloseState::kRunningUnloadHandlers || | 
|  | is_waiting_for_unload_ack_; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::BeforeUnloadTimedOut() const { | 
|  | return beforeunload_timeout_ && | 
|  | (send_before_unload_start_time_ != base::TimeTicks()) && | 
|  | (base::TimeTicks::Now() - send_before_unload_start_time_) > | 
|  | beforeunload_timeout_delay_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnUnloadACK() { | 
|  | // Give the tests a chance to override this sequence. | 
|  | if (unload_ack_callback_ && unload_ack_callback_.Run()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // This method should be called in the pending deletion state except the | 
|  | // placeholder RFHs for an inner WebContents that use unload without changing | 
|  | // lifecycle states. When attaching a GuestView as the inner WebContents, | 
|  | // `RFH::SwapOuterDelegateFrame()` is called for the placeholder RFH so that | 
|  | // it makes its renderer send this message. `owner_` is non null since this | 
|  | // attachment can only happen for subframes and pending deletion is the only | 
|  | // case where subframes may have a null `owner_`. | 
|  | RenderFrameHostOwner* owner = | 
|  | IsPendingDeletion() ? GetFrameTreeNodeForUnload() : owner_; | 
|  | if (!is_main_frame() && | 
|  | owner->GetRenderFrameHostManager().is_attaching_inner_delegate()) { | 
|  | // This RFH was unloaded while attaching an inner delegate. The RFH | 
|  | // will stay around but it will no longer be associated with a RenderFrame. | 
|  | RenderFrameDeleted(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Ignore spurious unload ack. | 
|  | if (!is_waiting_for_unload_ack_) | 
|  | return; | 
|  |  | 
|  | // Ignore OnUnloadACK if the RenderFrameHost should be left in pending | 
|  | // deletion state. | 
|  | if (do_not_delete_for_testing_) | 
|  | return; | 
|  |  | 
|  | DCHECK_EQ(LifecycleStateImpl::kRunningUnloadHandlers, lifecycle_state()); | 
|  | SetLifecycleState(LifecycleStateImpl::kReadyToBeDeleted); | 
|  | PendingDeletionCheckCompleted();  // Can delete |this|. | 
|  | // |this| is potentially deleted. Do not add code after this. | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeLogMissingUnloadAck() { | 
|  | // If you are seeing this logging appear in a flaky test, the test may be | 
|  | // dependent on an unload handler or other sudden-termination disabling event | 
|  | // handler. If so, the test should probably | 
|  | // - call DisableUnloadTimerForTesting() to avoid timeouts on slow devices | 
|  | // - wait for the frame to be deleted e.g. via | 
|  | //   RenderFrameHostWrapper::WaitUntilRenderFrameDeleted | 
|  | // See https://crbug.com/1489568 for more information. | 
|  | if (base::CommandLine::ForCurrentProcess()->HasSwitch( | 
|  | switches::kLogMissingUnloadACK)) { | 
|  | LOG(ERROR) << "Missing unload ACK for " | 
|  | << (IsOutermostMainFrame() ? "main frame" : "subframe") << ": " | 
|  | << GetLastCommittedURL(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnNavigationUnloadTimeout() { | 
|  | MaybeLogMissingUnloadAck(); | 
|  | OnUnloaded(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnUnloaded() { | 
|  | DCHECK(is_waiting_for_unload_ack_); | 
|  |  | 
|  | TRACE_EVENT_NESTABLE_ASYNC_END0("navigation", "RenderFrameHostImpl::Unload", | 
|  | TRACE_ID_LOCAL(this)); | 
|  | if (unload_event_monitor_timeout_) | 
|  | unload_event_monitor_timeout_->Stop(); | 
|  |  | 
|  | base::WeakPtr<RenderFrameHostImpl> self = GetWeakPtr(); | 
|  | ClearWebUI(); | 
|  | // See https://crbug.com/1308391. Calling `ClearWebUI()` indirectly call | 
|  | // content's embedders via a chain of destructors. Some might destroy the | 
|  | // whole WebContents. | 
|  | if (!self) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | bool deleted = | 
|  | GetFrameTreeNodeForUnload()->render_manager()->DeleteFromPendingList( | 
|  | this); | 
|  | CHECK(deleted); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableUnloadTimerForTesting() { | 
|  | unload_event_monitor_timeout_.reset(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldPartitionAsPopin() const { | 
|  | return !IsNestedWithinFencedFrame() && delegate_->IsPartitionedPopin(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SimulateDiscardShutdownKeepAliveTimeoutForTesting() { | 
|  | DiscardedRFHProcessHelper::GetForRenderProcessHost(GetProcess()) | 
|  | ->SimulateKeepAliveTimeoutForTesting(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsBackForwardCacheEvictionTimeRunningForTesting() | 
|  | const { | 
|  | return back_forward_cache_eviction_timer_.IsRunning(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetSubframeUnloadTimeoutForTesting( | 
|  | const base::TimeDelta& timeout) { | 
|  | subframe_unload_timeout_ = timeout; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::AncestorsAllowSameSiteNoneCookiesOverride( | 
|  | const url::Origin& frame_origin) const { | 
|  | // Use precursor for cases where the current or parent frames are sandboxed | 
|  | // and have an opaque origin. | 
|  | const url::SchemeHostPort scheme_host_port = | 
|  | frame_origin.GetTupleOrPrecursorTupleIfOpaque(); | 
|  |  | 
|  | // Use |parent_| (not `GetParentOrOuterDocument()`) when checking ancestor | 
|  | // frames are same-site since the `allow-same-site-none-cookies` value is | 
|  | // disallowed in Fenced Frame contexts. | 
|  | for (const RenderFrameHostImpl* frame = parent_; frame; | 
|  | frame = frame->parent_) { | 
|  | url::SchemeHostPort parent_scheme_host_port = | 
|  | frame->last_committed_origin_.GetTupleOrPrecursorTupleIfOpaque(); | 
|  | if ((scheme_host_port != parent_scheme_host_port) || | 
|  | (net::SchemefulSite(scheme_host_port.GetURL()) != | 
|  | net::SchemefulSite(parent_scheme_host_port.GetURL()))) { | 
|  | return false; | 
|  | } | 
|  | } | 
|  | return true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnKeepAliveRequestCreated( | 
|  | const network::ResourceRequest& resource_request) { | 
|  | if (delegate_) { | 
|  | delegate_->OnKeepAliveRequestCreated(resource_request, this); | 
|  | } | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | void RenderFrameHostImpl::RequestSmartClipExtract( | 
|  | ExtractSmartClipDataCallback callback, | 
|  | gfx::Rect rect) { | 
|  | int32_t callback_id = smart_clip_callbacks_.Add( | 
|  | std::make_unique<ExtractSmartClipDataCallback>(std::move(callback))); | 
|  | GetAssociatedLocalFrame()->ExtractSmartClipData( | 
|  | rect, base::BindOnce(&RenderFrameHostImpl::OnSmartClipDataExtracted, | 
|  | base::Unretained(this), callback_id)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnSmartClipDataExtracted(int32_t callback_id, | 
|  | const std::u16string& text, | 
|  | const std::u16string& html, | 
|  | const gfx::Rect& clip_rect) { | 
|  | std::move(*smart_clip_callbacks_.Lookup(callback_id)) | 
|  | .Run(text, html, clip_rect); | 
|  | smart_clip_callbacks_.Remove(callback_id); | 
|  | } | 
|  | #endif  // BUILDFLAG(IS_ANDROID) | 
|  |  | 
|  | void RenderFrameHostImpl::RunModalAlertDialog( | 
|  | const std::u16string& alert_message, | 
|  | bool disable_third_party_subframe_suppresion, | 
|  | RunModalAlertDialogCallback response_callback) { | 
|  | auto dialog_closed_callback = base::BindOnce( | 
|  | [](RunModalAlertDialogCallback response_callback, bool success, | 
|  | const std::u16string& response) { | 
|  | // The response string is unused but we use a generic mechanism for | 
|  | // closing the javascript dialog that returns two arguments. | 
|  | std::move(response_callback).Run(); | 
|  | }, | 
|  | std::move(response_callback)); | 
|  | RunJavaScriptDialog(alert_message, std::u16string(), | 
|  | JAVASCRIPT_DIALOG_TYPE_ALERT, | 
|  | disable_third_party_subframe_suppresion, | 
|  | std::move(dialog_closed_callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RunModalConfirmDialog( | 
|  | const std::u16string& alert_message, | 
|  | bool disable_third_party_subframe_suppresion, | 
|  | RunModalConfirmDialogCallback response_callback) { | 
|  | auto dialog_closed_callback = base::BindOnce( | 
|  | [](RunModalConfirmDialogCallback response_callback, bool success, | 
|  | const std::u16string& response) { | 
|  | // The response string is unused but we use a generic mechanism for | 
|  | // closing the javascript dialog that returns two arguments. | 
|  | std::move(response_callback).Run(success); | 
|  | }, | 
|  | std::move(response_callback)); | 
|  | RunJavaScriptDialog(alert_message, std::u16string(), | 
|  | JAVASCRIPT_DIALOG_TYPE_CONFIRM, | 
|  | disable_third_party_subframe_suppresion, | 
|  | std::move(dialog_closed_callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RunModalPromptDialog( | 
|  | const std::u16string& alert_message, | 
|  | const std::u16string& default_value, | 
|  | bool disable_third_party_subframe_suppresion, | 
|  | RunModalPromptDialogCallback response_callback) { | 
|  | RunJavaScriptDialog( | 
|  | alert_message, default_value, JAVASCRIPT_DIALOG_TYPE_PROMPT, | 
|  | disable_third_party_subframe_suppresion, std::move(response_callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RunJavaScriptDialog( | 
|  | const std::u16string& message, | 
|  | const std::u16string& default_prompt, | 
|  | JavaScriptDialogType dialog_type, | 
|  | bool disable_third_party_subframe_suppresion, | 
|  | JavaScriptDialogCallback ipc_response_callback) { | 
|  | // Don't show the dialog if it's triggered on a non-active RenderFrameHost | 
|  | // or is contained in a Fenced Frame. | 
|  | if (!IsActive() || IsNestedWithinFencedFrame()) { | 
|  | std::move(ipc_response_callback).Run(/*success=*/false, std::u16string()); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // While a JS message dialog is showing, tabs in the same process shouldn't | 
|  | // process input events. | 
|  | GetProcess()->SetBlocked(true); | 
|  |  | 
|  | delegate_->RunJavaScriptDialog( | 
|  | this, message, default_prompt, dialog_type, | 
|  | disable_third_party_subframe_suppresion, | 
|  | base::BindOnce(&RenderFrameHostImpl::JavaScriptDialogClosed, | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | std::move(ipc_response_callback))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RunBeforeUnloadConfirm( | 
|  | bool is_reload, | 
|  | RunBeforeUnloadConfirmCallback ipc_response_callback) { | 
|  | TRACE_EVENT1("navigation", "RenderFrameHostImpl::OnRunBeforeUnloadConfirm", | 
|  | "render_frame_host", this); | 
|  |  | 
|  | // Don't show the dialog if it's triggered on a non-active RenderFrameHost | 
|  | // or is contained in a Fenced Frame. | 
|  | if (!IsActive() || IsNestedWithinFencedFrame()) { | 
|  | std::move(ipc_response_callback).Run(/*success=*/false); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Allow at most one attempt to show a beforeunload dialog per navigation. | 
|  | RenderFrameHostImpl* beforeunload_initiator = GetBeforeUnloadInitiator(); | 
|  | if (beforeunload_initiator) { | 
|  | // If the running beforeunload handler wants to display a dialog and the | 
|  | // before-unload type wants to ignore it, then short-circuit the request and | 
|  | // respond as if the user decided to stay on the page, canceling the unload. | 
|  | if (beforeunload_initiator->beforeunload_dialog_request_cancels_unload_) { | 
|  | std::move(ipc_response_callback).Run(/*success=*/false); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (beforeunload_initiator->has_shown_beforeunload_dialog_) { | 
|  | // TODO(alexmos): Pass enough data back to renderer to record histograms | 
|  | // for Document.BeforeUnloadDialog and add the intervention console | 
|  | // message to match renderer-side behavior in | 
|  | // Document::DispatchBeforeUnloadEvent(). | 
|  | std::move(ipc_response_callback).Run(/*success=*/true); | 
|  | return; | 
|  | } | 
|  | beforeunload_initiator->has_shown_beforeunload_dialog_ = true; | 
|  | } else { | 
|  | // TODO(alexmos): If a renderer-initiated beforeunload shows a dialog, it | 
|  | // won't find a |beforeunload_initiator|. This can happen for a | 
|  | // renderer-initiated navigation or window.close().  We should ensure that | 
|  | // when the browser process later kicks off subframe unload handlers (if | 
|  | // any), they won't be able to show additional dialogs. However, we can't | 
|  | // just set |has_shown_beforeunload_dialog_| because we don't know which | 
|  | // frame is navigating/closing here.  Plumb enough information here to fix | 
|  | // this. | 
|  | } | 
|  |  | 
|  | // While a JS beforeunload dialog is showing, tabs in the same process | 
|  | // shouldn't process input events. | 
|  | GetProcess()->SetBlocked(true); | 
|  |  | 
|  | // The beforeunload dialog for this frame may have been triggered by a | 
|  | // browser-side request to this frame or a frame up in the frame hierarchy. | 
|  | // Stop any timers that are waiting. | 
|  | for (RenderFrameHostImpl* frame = this; frame; frame = frame->GetParent()) { | 
|  | if (frame->beforeunload_timeout_) | 
|  | frame->beforeunload_timeout_->Stop(); | 
|  | } | 
|  |  | 
|  | auto ipc_callback_wrapper = base::BindOnce( | 
|  | [](RunBeforeUnloadConfirmCallback response_callback, bool success, | 
|  | const std::u16string& response) { | 
|  | // The response string is unused but we use a generic mechanism for | 
|  | // closing the javascript dialog that returns two arguments. | 
|  | std::move(response_callback).Run(success); | 
|  | }, | 
|  | std::move(ipc_response_callback)); | 
|  | auto dialog_closed_callback = base::BindOnce( | 
|  | &RenderFrameHostImpl::JavaScriptDialogClosed, | 
|  | weak_ptr_factory_.GetWeakPtr(), std::move(ipc_callback_wrapper)); | 
|  |  | 
|  | delegate_->RunBeforeUnloadConfirm(this, is_reload, | 
|  | std::move(dialog_closed_callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeStartOutermostMainFrameNavigation( | 
|  | const std::vector<GURL>& urls) { | 
|  | static const bool kWarmUpEnabled = base::FeatureList::IsEnabled( | 
|  | blink::features::kSpeculativeServiceWorkerWarmUp); | 
|  | static const bool kHttpDiskCachePrewarmingEnabled = | 
|  | base::FeatureList::IsEnabled(blink::features::kHttpDiskCachePrewarming) && | 
|  | !blink::features::kHttpDiskCachePrewarmingTriggerOnNavigation.Get(); | 
|  |  | 
|  | if (!kWarmUpEnabled && !kHttpDiskCachePrewarmingEnabled) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | TRACE_EVENT0("navigation", | 
|  | "RenderFrameHostImpl::MaybeStartOutermostMainFrameNavigation"); | 
|  |  | 
|  | // Disallow service worker start-up nor warm-up when there are other | 
|  | // windows that might script with this frame to mitigate security and | 
|  | // privacy concerns. | 
|  | if (site_instance_->GetRelatedActiveContentsCount() > 1u) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | ServiceWorkerContextWrapper* context = | 
|  | GetStoragePartition()->GetServiceWorkerContext(); | 
|  |  | 
|  | if (!context) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | for (const auto& url : urls) { | 
|  | GURL filtered_url(url); | 
|  |  | 
|  | if (GetProcess()->FilterURL(/*empty_allowed=*/false, &filtered_url) == | 
|  | RenderProcessHost::FilterURLResult::kBlocked) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | if (filtered_url.SchemeIsHTTPOrHTTPS()) { | 
|  | GetContentClient()->browser()->MaybePrewarmHttpDiskCache( | 
|  | *GetBrowserContext(), GetLastCommittedOrigin(), filtered_url); | 
|  | } | 
|  |  | 
|  | if (!OriginCanAccessServiceWorkers(filtered_url)) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | const blink::StorageKey key = | 
|  | blink::StorageKey::CreateFirstParty(url::Origin::Create(filtered_url)); | 
|  |  | 
|  | if (!context->MaybeHasRegistrationForStorageKey(key)) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | // Ask the service worker context to speculatively warm-up a service worker | 
|  | // for the request URL if necessary for optimization purposes. There are | 
|  | // cases where we have already started the service worker (e.g, Prerendering | 
|  | // or the previous navigation already started the service worker), but this | 
|  | // call does nothing if the service worker already started for the URL. | 
|  | if (kWarmUpEnabled) { | 
|  | context->WarmUpServiceWorker(filtered_url, key, base::DoNothing()); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40183812): Move this method to content::PageImpl. | 
|  | void RenderFrameHostImpl::UpdateFaviconURL( | 
|  | std::vector<blink::mojom::FaviconURLPtr> favicon_urls) { | 
|  | // This message should only be sent for top-level frames. Suppress favicon | 
|  | // updates if the message was sent for a discarded document. | 
|  | DCHECK(!GetParent()); | 
|  | if (document_associated_data_->is_discarded()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetPage().set_favicon_urls(std::move(favicon_urls)); | 
|  | delegate_->UpdateFaviconURL(this, GetPage().favicon_urls()); | 
|  | } | 
|  |  | 
|  | float RenderFrameHostImpl::GetPageScaleFactor() const { | 
|  | DCHECK(!GetParent()); | 
|  | return page_scale_factor_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ScaleFactorChanged(float scale) { | 
|  | DCHECK(!GetParent()); | 
|  | page_scale_factor_ = scale; | 
|  | delegate_->OnPageScaleFactorChanged(GetPage()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ContentsPreferredSizeChanged( | 
|  | const gfx::Size& pref_size) { | 
|  | // Do not try to handle the message in inactive RenderFrameHosts for | 
|  | // simplicity. If this RenderFrameHost belongs to a bfcached or prerendered | 
|  | // page, the page will be deleted. We predict that it will not significantly | 
|  | // impact coverage because renderers only send this message when running in | 
|  | // `PreferredSizeChanged` mode. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kContentsPreferredSizeChanged)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Ignore the request if we are aren't the outermost main frame. | 
|  | if (GetParentOrOuterDocument()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->UpdateWindowPreferredSize(this, pref_size); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::TextAutosizerPageInfoChanged( | 
|  | blink::mojom::TextAutosizerPageInfoPtr page_info) { | 
|  | GetPage().OnTextAutosizerPageInfoChanged(std::move(page_info)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::FocusPage() { | 
|  | render_view_host_->OnFocus(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::TakeFocus(bool reverse) { | 
|  | // TODO(crbug.com/40188381): Consider moving this to PageImpl. | 
|  | DCHECK(is_main_frame()); | 
|  |  | 
|  | // Do not update the parent on behalf of the inactive document. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kDispatchLoad)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If we are representing an inner frame tree call advance on our outer | 
|  | // delegate's parent's RenderFrameHost. | 
|  | RenderFrameHostImpl* parent_or_outer_document = | 
|  | GetParentOrOuterDocumentOrEmbedder(); | 
|  | if (parent_or_outer_document) { | 
|  | RenderFrameProxyHost* proxy_host = GetProxyToOuterDelegate(); | 
|  | DCHECK(proxy_host); | 
|  |  | 
|  | if (HasTransientUserActivation() || | 
|  | FocusSourceHasTransientUserActivation()) { | 
|  | parent_or_outer_document->ActivateFocusSourceUserActivation(); | 
|  | focus_source_user_activation_state_.Deactivate(); | 
|  | } | 
|  |  | 
|  | parent_or_outer_document->DidFocusFrame(); | 
|  | parent_or_outer_document->AdvanceFocus( | 
|  | reverse ? blink::mojom::FocusType::kBackward | 
|  | : blink::mojom::FocusType::kForward, | 
|  | proxy_host); | 
|  | return; | 
|  | } | 
|  |  | 
|  | render_view_host_->OnTakeFocus(reverse); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateTargetURL( | 
|  | const GURL& url, | 
|  | blink::mojom::LocalMainFrameHost::UpdateTargetURLCallback callback) { | 
|  | // An inactive document should ignore to update the target url. | 
|  | if (!IsActive()) { | 
|  | std::move(callback).Run(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->UpdateTargetURL(this, url); | 
|  | std::move(callback).Run(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RequestClose() { | 
|  | // The renderer already ensures that this can only be called on an outermost | 
|  | // main frame - see DOMWindow::Close().  Terminate the renderer if this is | 
|  | // not the case. | 
|  | if (!IsOutermostMainFrame()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_WINDOW_CLOSE_ON_NON_OUTERMOST_FRAME); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If the renderer is telling us to close, it has already run the unload | 
|  | // events, and we can take the fast path. | 
|  | ClosePageIgnoringUnloadEvents(ClosePageSource::kRenderer); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasStickyUserActivation() const { | 
|  | return user_activation_state_.HasBeenActive(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsActiveUserActivation() const { | 
|  | return user_activation_state_.IsActive(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClearUserActivation() { | 
|  | user_activation_state_.Clear(); | 
|  | history_user_activation_state_.Clear(); | 
|  | GetMainFrame()->honor_sticky_activation_for_history_intervention_ = true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ConsumeTransientUserActivation() { | 
|  | user_activation_state_.ConsumeIfActive(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ActivateUserActivation( | 
|  | blink::mojom::UserActivationNotificationType notification_type, | 
|  | bool sticky_only) { | 
|  | if (sticky_only) { | 
|  | user_activation_state_.SetHasBeenActive(); | 
|  | } else { | 
|  | user_activation_state_.Activate(notification_type); | 
|  | history_user_activation_state_.Activate(); | 
|  | } | 
|  | GetMainFrame()->honor_sticky_activation_for_history_intervention_ = true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ActivateFocusSourceUserActivation() { | 
|  | focus_source_user_activation_state_.Activate(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsHistoryUserActivationActive() const { | 
|  | return history_user_activation_state_.IsActive(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ConsumeHistoryUserActivation() { | 
|  | history_user_activation_state_.Consume(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DeactivateFocusSourceUserActivation() { | 
|  | focus_source_user_activation_state_.Deactivate(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasStickyUserActivationForHistoryIntervention() | 
|  | const { | 
|  | DCHECK(is_main_frame()); | 
|  | if (honor_sticky_activation_for_history_intervention_) { | 
|  | return HasStickyUserActivation(); | 
|  | } | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClosePage( | 
|  | ClosePageSource source, | 
|  | base::RepeatingClosure completion_callback) { | 
|  | // This path is taken when tab/window close is initiated by either the | 
|  | // browser process or via a window.close() call through a proxy. In both | 
|  | // cases, we need to tell the main frame's renderer process to run unload | 
|  | // handlers and prepare for page close. | 
|  | // | 
|  | // This should only be called on outermost main frames. If this | 
|  | // RenderFrameHost is no longer an active main frame (e.g., if it was placed | 
|  | // into back-forward cache or became pending deletion just before getting | 
|  | // here), we should not close the active tab if the request to close came from | 
|  | // the renderer, so return early in that case. We proceed with closing | 
|  | // regardless if the request came from the browser so that renderers can't | 
|  | // avoid closing via navigation. | 
|  | DCHECK(is_main_frame()); | 
|  | DCHECK(IsOutermostMainFrame()); | 
|  | if (!IsActive() && source == ClosePageSource::kRenderer) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | page_close_state_ = PageCloseState::kRunningUnloadHandlers; | 
|  |  | 
|  | if (IsRenderFrameLive() && !IsPageReadyToBeClosed()) { | 
|  | close_timeout_ = std::make_unique<input::TimeoutMonitor>( | 
|  | base::BindRepeating(&RenderFrameHostImpl::ClosePageTimeout, | 
|  | weak_ptr_factory_.GetWeakPtr(), source, | 
|  | completion_callback), | 
|  | GetUIThreadTaskRunner({BrowserTaskType::kUserInput})); | 
|  | close_timeout_->Start(kUnloadTimeout); | 
|  | GetAssociatedLocalMainFrame()->ClosePage(base::BindOnce( | 
|  | &RenderFrameHostImpl::ClosePageIgnoringUnloadEvents, | 
|  | weak_ptr_factory_.GetWeakPtr(), source, completion_callback)); | 
|  | } else { | 
|  | // This RenderFrameHost doesn't have a live renderer (or has already run | 
|  | // unload handlers), so just skip the close event and close the page. | 
|  | ClosePageIgnoringUnloadEvents(source, completion_callback); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClosePageIgnoringUnloadEvents( | 
|  | ClosePageSource source, | 
|  | base::RepeatingClosure completion_callback) { | 
|  | if (close_timeout_) { | 
|  | close_timeout_->Stop(); | 
|  | close_timeout_.reset(); | 
|  | } | 
|  |  | 
|  | // For prerendered pages, if window.close is called, it should be cancelled. | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kPrerendering && | 
|  | source == ClosePageSource::kRenderer) { | 
|  | CancelPrerendering( | 
|  | PrerenderCancellationReason(PrerenderFinalStatus::kWindowClosed)); | 
|  | } | 
|  |  | 
|  | // If this RenderFrameHost is no longer active (e.g., if it | 
|  | // was replaced by another frame while waiting for the ClosePage ACK or | 
|  | // timeout), there's no need to close the active tab if the request to close | 
|  | // came from the renderer, so return early in that case. We proceed with | 
|  | // closing regardless if the request came from the browser so that renderers | 
|  | // can't avoid closing via navigation. | 
|  | if (!IsActive() && source == ClosePageSource::kRenderer) { | 
|  | page_close_state_ = PageCloseState::kNotClosing; | 
|  | return; | 
|  | } | 
|  |  | 
|  | page_close_state_ = PageCloseState::kReadyToBeClosed; | 
|  |  | 
|  | // If this is triggered by an intended prerender cancellation, it should not | 
|  | // close the WebContents. For the same tab case, closing WebContents will | 
|  | // close the initiator. As for the new tab case, WebContents will be destroyed | 
|  | // with `PrerenderNewTabHandle`, so no need to close it explicitly. | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kPrerendering && | 
|  | source == ClosePageSource::kPrerenderDiscard) { | 
|  | completion_callback.Run(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->Close(this); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsPageReadyToBeClosed() { | 
|  | if (lifecycle_state_ != LifecycleStateImpl::kPrerendering) { | 
|  | DCHECK(IsInPrimaryMainFrame()); | 
|  | } | 
|  |  | 
|  | // If there is a JavaScript dialog up, don't bother sending the renderer the | 
|  | // close event because it is known unresponsive, waiting for the reply from | 
|  | // the dialog. | 
|  | return page_close_state_ == PageCloseState::kReadyToBeClosed || | 
|  | delegate_->IsJavaScriptDialogShowing() || BeforeUnloadTimedOut(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClosePageTimeout( | 
|  | ClosePageSource source, | 
|  | base::RepeatingClosure completion_callback) { | 
|  | if (source == ClosePageSource::kRenderer && | 
|  | delegate_->ShouldIgnoreUnresponsiveRenderer()) { | 
|  | return; | 
|  | } | 
|  | ClosePageIgnoringUnloadEvents(source, completion_callback); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ShowCreatedWindow( | 
|  | const blink::LocalFrameToken& opener_frame_token, | 
|  | WindowOpenDisposition disposition, | 
|  | blink::mojom::WindowFeaturesPtr window_features, | 
|  | bool user_gesture, | 
|  | ShowCreatedWindowCallback callback) { | 
|  | CHECK(!base::FeatureList::IsEnabled(blink::features::kCombineNewWindowIPCs)); | 
|  | // This needs to be sent to the opener frame's delegate since it stores | 
|  | // the handle to this class's associated RenderWidgetHostView. | 
|  | RenderFrameHostImpl* opener_frame_host = | 
|  | FromFrameToken(GetProcess()->GetDeprecatedID(), opener_frame_token); | 
|  |  | 
|  | // If |opener_frame_host| has been destroyed just return. | 
|  | // TODO(crbug.com/40158114): Get rid of having to look up the opener frame | 
|  | // to find the newly created web contents, because it is actually just | 
|  | // |delegate_|. | 
|  | if (!opener_frame_host) { | 
|  | std::move(callback).Run(); | 
|  | return; | 
|  | } | 
|  | opener_frame_host->delegate()->ShowCreatedWindow( | 
|  | opener_frame_host, GetRenderWidgetHost()->GetRoutingID(), disposition, | 
|  | *window_features, user_gesture); | 
|  | std::move(callback).Run(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetWindowRect(const gfx::Rect& bounds, | 
|  | SetWindowRectCallback callback) { | 
|  | // Prerendering pages should not reach this code. | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kPrerendering) { | 
|  | local_main_frame_host_receiver_.ReportBadMessage( | 
|  | "SetWindowRect called during prerendering."); | 
|  | return; | 
|  | } | 
|  | // Throw out SetWindowRects that are not from the outermost document. | 
|  | if (GetParentOrOuterDocument()) { | 
|  | local_main_frame_host_receiver_.ReportBadMessage( | 
|  | "SetWindowRect called from child frame."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->SetWindowRect(bounds); | 
|  | std::move(callback).Run(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidFirstVisuallyNonEmptyPaint() { | 
|  | // TODO(crbug.com/40188381): Consider moving this to PageImpl. | 
|  | DCHECK(is_main_frame()); | 
|  | GetPage().OnFirstVisuallyNonEmptyPaint(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DownloadURL( | 
|  | blink::mojom::DownloadURLParamsPtr blink_parameters) { | 
|  | // TODO(crbug.com/40180431): We should defer the download until the | 
|  | // prerendering page is activated, and it will comply with the prerendering | 
|  | // spec. | 
|  | if (CancelPrerendering( | 
|  | PrerenderCancellationReason(PrerenderFinalStatus::kDownload))) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!VerifyDownloadUrlParams(GetProcess(), *blink_parameters)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | net::NetworkTrafficAnnotationTag traffic_annotation = | 
|  | net::DefineNetworkTrafficAnnotation("renderer_initiated_download", R"( | 
|  | semantics { | 
|  | sender: "Download from Renderer" | 
|  | description: | 
|  | "The frame has either navigated to a URL that was determined to be " | 
|  | "a download via one of the renderer's classification mechanisms, " | 
|  | "or WebView has requested a <canvas> or <img> element at a " | 
|  | "specific location be to downloaded." | 
|  | trigger: | 
|  | "The user navigated to a destination that was categorized as a " | 
|  | "download, or WebView triggered saving a <canvas> or <img> tag." | 
|  | data: "Only the URL we are attempting to download." | 
|  | destination: WEBSITE | 
|  | } | 
|  | policy { | 
|  | cookies_allowed: YES | 
|  | cookies_store: "user" | 
|  | setting: "This feature cannot be disabled by settings." | 
|  | chrome_policy { | 
|  | DownloadRestrictions { | 
|  | DownloadRestrictions: 3 | 
|  | } | 
|  | } | 
|  | })"); | 
|  | std::unique_ptr<download::DownloadUrlParameters> parameters( | 
|  | new download::DownloadUrlParameters(blink_parameters->url, | 
|  | GetProcess()->GetDeprecatedID(), | 
|  | GetRoutingID(), traffic_annotation)); | 
|  | parameters->set_content_initiated(!blink_parameters->is_context_menu_save); | 
|  | parameters->set_has_user_gesture(blink_parameters->has_user_gesture); | 
|  | parameters->set_suggested_name( | 
|  | blink_parameters->suggested_name.value_or(std::u16string())); | 
|  | parameters->set_prompt(blink_parameters->is_context_menu_save); | 
|  | parameters->set_cross_origin_redirects( | 
|  | blink_parameters->cross_origin_redirects); | 
|  | parameters->set_referrer( | 
|  | blink_parameters->referrer ? blink_parameters->referrer->url : GURL()); | 
|  | parameters->set_referrer_policy(Referrer::ReferrerPolicyForUrlRequest( | 
|  | blink_parameters->referrer ? blink_parameters->referrer->policy | 
|  | : network::mojom::ReferrerPolicy::kDefault)); | 
|  | parameters->set_initiator( | 
|  | blink_parameters->initiator_origin.value_or(url::Origin())); | 
|  | parameters->set_download_source(download::DownloadSource::FROM_RENDERER); | 
|  |  | 
|  | if (blink_parameters->data_url_blob) { | 
|  | DataURLBlobReader::ReadDataURLFromBlob( | 
|  | std::move(blink_parameters->data_url_blob), | 
|  | base::BindOnce(&OnDataURLRetrieved, std::move(parameters))); | 
|  | return; | 
|  | } | 
|  |  | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory; | 
|  | if (blink_parameters->blob_url_token) { | 
|  | blob_url_loader_factory = | 
|  | ChromeBlobStorageContext::URLLoaderFactoryForToken( | 
|  | GetStoragePartition(), std::move(blink_parameters->blob_url_token)); | 
|  | } | 
|  | devtools_instrumentation::ApplyNetworkOverridesForDownload(this, | 
|  | parameters.get()); | 
|  |  | 
|  | StartDownload(std::move(parameters), std::move(blob_url_loader_factory)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ReportNoBinderForInterface(const std::string& error) { | 
|  | broker_receiver_.ReportBadMessage(error + " for the frame/document scope"); | 
|  | } | 
|  |  | 
|  | ukm::SourceId RenderFrameHostImpl::GetPageUkmSourceId() { | 
|  | CHECK(!IsInLifecycleState(LifecycleState::kPrerendering)); | 
|  | // This id for all subframes or fenced frames is the same as the id for the | 
|  | // outermost main frame. | 
|  | int64_t navigation_id = | 
|  | GetOutermostMainFrame()->last_committed_cross_document_navigation_id_; | 
|  | if (navigation_id == -1) | 
|  | return ukm::kInvalidSourceId; | 
|  | return ukm::ConvertToSourceId(navigation_id, | 
|  | ukm::SourceIdType::NAVIGATION_ID); | 
|  | } | 
|  |  | 
|  | BrowserContext* RenderFrameHostImpl::GetBrowserContext() { | 
|  | return GetProcess()->GetBrowserContext(); | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40134294): Would be better to do this directly in the chrome | 
|  | // layer.  See referenced bug for further details. | 
|  | void RenderFrameHostImpl::ReportInspectorIssue( | 
|  | blink::mojom::InspectorIssueInfoPtr info) { | 
|  | devtools_instrumentation::BuildAndReportBrowserInitiatedIssue( | 
|  | this, std::move(info)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::WriteIntoTrace( | 
|  | perfetto::TracedProto<TraceProto> proto) const { | 
|  | proto.Set(TraceProto::kRenderFrameHostId, GetGlobalId()); | 
|  | proto->set_frame_tree_node_id(GetFrameTreeNodeId().value()); | 
|  | proto->set_lifecycle_state(LifecycleStateToProto()); | 
|  | proto->set_frame_type(GetFrameTypeProto()); | 
|  | proto->set_origin(GetLastCommittedOrigin().GetDebugString()); | 
|  | proto->set_url(GetLastCommittedURL().possibly_invalid_spec()); | 
|  | proto.Set(TraceProto::kProcess, GetProcess()); | 
|  | proto.Set(TraceProto::kSiteInstance, GetSiteInstance()); | 
|  | if (auto* parent = GetParent()) { | 
|  | proto.Set(TraceProto::kParent, parent); | 
|  | } else if (auto* outer_document = GetParentOrOuterDocument()) { | 
|  | proto.Set(TraceProto::kOuterDocument, outer_document); | 
|  | outer_document->WriteIntoTrace(proto.WriteNestedMessage( | 
|  | perfetto::protos::pbzero::RenderFrameHost::kOuterDocument)); | 
|  | } else if (auto* embedder = GetParentOrOuterDocumentOrEmbedder()) { | 
|  | proto.Set(TraceProto::kEmbedder, embedder); | 
|  | embedder->WriteIntoTrace(proto.WriteNestedMessage( | 
|  | perfetto::protos::pbzero::RenderFrameHost::kEmbedder)); | 
|  | } | 
|  | proto.Set(TraceProto::kBrowsingContextState, browsing_context_state_); | 
|  | } | 
|  |  | 
|  | perfetto::protos::pbzero::RenderFrameHost::LifecycleState | 
|  | RenderFrameHostImpl::LifecycleStateToProto() const { | 
|  | using RFHProto = perfetto::protos::pbzero::RenderFrameHost; | 
|  | switch (lifecycle_state()) { | 
|  | case LifecycleStateImpl::kSpeculative: | 
|  | return RFHProto::SPECULATIVE; | 
|  | case LifecycleStateImpl::kPendingCommit: | 
|  | return RFHProto::PENDING_COMMIT; | 
|  | case LifecycleStateImpl::kPrerendering: | 
|  | return RFHProto::PRERENDERING; | 
|  | case LifecycleStateImpl::kActive: | 
|  | return RFHProto::ACTIVE; | 
|  | case LifecycleStateImpl::kInBackForwardCache: | 
|  | return RFHProto::IN_BACK_FORWARD_CACHE; | 
|  | case LifecycleStateImpl::kRunningUnloadHandlers: | 
|  | return RFHProto::RUNNING_UNLOAD_HANDLERS; | 
|  | case LifecycleStateImpl::kReadyToBeDeleted: | 
|  | return RFHProto::READY_TO_BE_DELETED; | 
|  | } | 
|  |  | 
|  | return RFHProto::UNSPECIFIED; | 
|  | } | 
|  |  | 
|  | perfetto::protos::pbzero::FrameTreeNodeInfo::FrameType | 
|  | RenderFrameHostImpl::GetFrameTypeProto() const { | 
|  | using RFHProto = perfetto::protos::pbzero::FrameTreeNodeInfo; | 
|  |  | 
|  | if (GetParent()) { | 
|  | return RFHProto::SUBFRAME; | 
|  | } | 
|  | if (GetPage().IsPrimary()) { | 
|  | return RFHProto::PRIMARY_MAIN_FRAME; | 
|  | } | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPrerendering) { | 
|  | return RFHProto::PRERENDER_MAIN_FRAME; | 
|  | } | 
|  | if (IsFencedFrameRoot()) { | 
|  | return RFHProto::FENCED_FRAME_ROOT; | 
|  | } | 
|  |  | 
|  | // It returns a different value from FrameTreeNode::GetFrameType() when | 
|  | // - `this` is a speculative RFH or | 
|  | // - `this` is not in a frame tree (e.g., IsInBackForwardCache() or | 
|  | // IsPendingDeletion()). | 
|  | return RFHProto::UNSPECIFIED_FRAME_TYPE; | 
|  | } | 
|  |  | 
|  | StoragePartitionImpl* RenderFrameHostImpl::GetStoragePartition() { | 
|  | // Both RenderProcessHostImpl and MockRenderProcessHost obtain the | 
|  | // StoragePartition instance through BrowserContext::GetStoragePartition() | 
|  | // call. That method does not support creating TestStoragePartition | 
|  | // instances and always vends StoragePartitionImpl objects. It is therefore | 
|  | // safe to static cast the result here. | 
|  | return static_cast<StoragePartitionImpl*>( | 
|  | GetProcess()->GetStoragePartition()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RequestTextSurroundingSelection( | 
|  | blink::mojom::LocalFrame::GetTextSurroundingSelectionCallback callback, | 
|  | int max_length) { | 
|  | DCHECK(!callback.is_null()); | 
|  | GetAssociatedLocalFrame()->GetTextSurroundingSelection(max_length, | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasCommittingNavigationRequestForOrigin( | 
|  | const url::Origin& origin, | 
|  | NavigationRequest* navigation_request_to_exclude) { | 
|  | for (const auto& it : navigation_requests_) { | 
|  | NavigationRequest* request = it.first; | 
|  | if (request != navigation_request_to_exclude && | 
|  | request->HasCommittingOrigin(origin)) { | 
|  | return true; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Note: this function excludes |same_document_navigation_requests_|, which | 
|  | // should be ok since these cannot change the origin. | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendInterventionReport(const std::string& id, | 
|  | const std::string& message) { | 
|  | GetAssociatedLocalFrame()->SendInterventionReport(id, message); | 
|  | } | 
|  |  | 
|  | WebUI* RenderFrameHostImpl::GetWebUI() { | 
|  | return web_ui(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AllowBindings(BindingsPolicySet bindings) { | 
|  | // Never grant any bindings to browser plugin guests. | 
|  | if (GetProcess()->IsForGuestsOnly()) { | 
|  | NOTREACHED() << "Never grant bindings to a guest process."; | 
|  | } | 
|  | TRACE_EVENT2("navigation", "RenderFrameHostImpl::AllowBindings", | 
|  | "render_frame_host", this, "bindings_flags", | 
|  | bindings.ToEnumBitmask()); | 
|  |  | 
|  | BindingsPolicySet webui_bindings = | 
|  | Intersection(bindings, kWebUIBindingsPolicySet); | 
|  |  | 
|  | // Ensure callers that specify non-zero WebUI bindings are doing so on a | 
|  | // RenderFrameHost that has WebUI associated with it. If we run the renderer | 
|  | // code in-process, the security invariant cannot be enforced, therefore it | 
|  | // should be skipped in that case. | 
|  | if (!webui_bindings.empty() && | 
|  | !RenderProcessHost::run_renderer_in_process()) { | 
|  | ProcessLock process_lock = GetProcess()->GetProcessLock(); | 
|  | if (!process_lock.is_locked_to_site() || | 
|  | !base::Contains(URLDataManagerBackend::GetWebUISchemes(), | 
|  | process_lock.lock_url().scheme())) { | 
|  | SCOPED_CRASH_KEY_STRING256("AllowBindings", "process_lock", | 
|  | process_lock.ToString()); | 
|  | NOTREACHED() << "Calling AllowBindings for a process not locked to WebUI:" | 
|  | << process_lock; | 
|  | } | 
|  | } | 
|  |  | 
|  | // The bindings being granted here should not differ from the bindings that | 
|  | // the associated WebUI requires. | 
|  | if (web_ui_) | 
|  | CHECK_EQ(web_ui_->GetBindings(), webui_bindings); | 
|  |  | 
|  | // Ensure we aren't granting WebUI bindings to a process that has already been | 
|  | // used to host other content. | 
|  | if (!webui_bindings.empty() && GetProcess()->IsInitializedAndNotDead() && | 
|  | !ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings( | 
|  | GetProcess()->GetDeprecatedID())) { | 
|  | // This process has no bindings yet. Make sure it does not have any frames | 
|  | // that have committed a navigation, since bindings should always be granted | 
|  | // prior to committing the first WebUI navigation in a process.  This is a | 
|  | // defense-in-depth check complementing the site isolation process lock | 
|  | // checks above and in places like RenderProcessHostImpl::IsSuitableHost(). | 
|  | // --single-process only has one renderer, so it is exempt from this check. | 
|  | size_t non_empty_frame_count = 0; | 
|  | GetProcess()->ForEachRenderFrameHost( | 
|  | [&non_empty_frame_count](RenderFrameHost* rfh) { | 
|  | if (!static_cast<RenderFrameHostImpl*>(rfh) | 
|  | ->is_initial_empty_document()) { | 
|  | ++non_empty_frame_count; | 
|  | } | 
|  | }); | 
|  | if (non_empty_frame_count > 0 && | 
|  | !base::CommandLine::ForCurrentProcess()->HasSwitch( | 
|  | switches::kSingleProcess)) { | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | if (!webui_bindings.empty()) { | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->GrantWebUIBindings( | 
|  | GetProcess()->GetDeprecatedID(), webui_bindings); | 
|  | } | 
|  |  | 
|  | enabled_bindings_.PutAll(bindings); | 
|  |  | 
|  | if (is_render_frame_created()) { | 
|  | GetFrameBindingsControl()->AllowBindings(enabled_bindings_.ToEnumBitmask()); | 
|  | if (web_ui_ && enabled_bindings_.Has(BindingsPolicyValue::kWebUi)) { | 
|  | web_ui_->SetUpMojoConnection(); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | BindingsPolicySet RenderFrameHostImpl::GetEnabledBindings() { | 
|  | return enabled_bindings_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetWebUIProperty(const std::string& name, | 
|  | const std::string& value) { | 
|  | // WebUI allows to register SetProperties only for the outermost main frame. | 
|  | if (GetParentOrOuterDocument()) | 
|  | return; | 
|  |  | 
|  | // This is a sanity check before telling the renderer to enable the property. | 
|  | // It could lie and send the corresponding IPC messages anyway, but we will | 
|  | // not act on them if enabled_bindings_ doesn't agree. If we get here without | 
|  | // WebUI bindings, terminate the renderer process. | 
|  | if (enabled_bindings_.Has(BindingsPolicyValue::kWebUi)) { | 
|  | web_ui_->SetProperty(name, value); | 
|  | } else { | 
|  | ReceivedBadMessage(GetProcess(), bad_message::RVH_WEB_UI_BINDINGS_MISMATCH); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableBeforeUnloadHangMonitorForTesting() { | 
|  | beforeunload_timeout_.reset(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsBeforeUnloadHangMonitorDisabledForTesting() { | 
|  | return !beforeunload_timeout_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DoNotDeleteForTesting() { | 
|  | do_not_delete_for_testing_ = true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResumeDeletionForTesting() { | 
|  | do_not_delete_for_testing_ = false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DetachForTesting() { | 
|  | do_not_delete_for_testing_ = false; | 
|  | RenderFrameHostImpl::Detach(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFeatureEnabled( | 
|  | network::mojom::PermissionsPolicyFeature feature) { | 
|  | return permissions_policy_ && permissions_policy_->IsFeatureEnabledForOrigin( | 
|  | feature, GetLastCommittedOrigin()); | 
|  | } | 
|  |  | 
|  | const network::PermissionsPolicy* RenderFrameHostImpl::GetPermissionsPolicy() { | 
|  | return permissions_policy_.get(); | 
|  | } | 
|  |  | 
|  | const network::ParsedPermissionsPolicy& | 
|  | RenderFrameHostImpl::GetPermissionsPolicyHeader() { | 
|  | return permissions_policy_header_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ViewSource() { | 
|  | delegate_->ViewSource(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::FlushNetworkAndNavigationInterfacesForTesting( | 
|  | bool do_nothing_if_no_network_service_connection) { | 
|  | if (do_nothing_if_no_network_service_connection && | 
|  | !network_service_disconnect_handler_holder_) { | 
|  | return; | 
|  | } | 
|  | DCHECK(network_service_disconnect_handler_holder_); | 
|  | network_service_disconnect_handler_holder_.FlushForTesting();  // IN-TEST | 
|  |  | 
|  | DCHECK(IsRenderFrameLive()); | 
|  | DCHECK(frame_); | 
|  | frame_.FlushForTesting();  // IN-TEST | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PrepareForInnerWebContentsAttach( | 
|  | PrepareForInnerWebContentsAttachCallback callback) { | 
|  | // TODO(crbug.com/40252449) Explain why `owner_` exists. | 
|  | CHECK(owner_); | 
|  | owner_->GetRenderFrameHostManager().PrepareForInnerDelegateAttach( | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | // UpdateSubresourceLoaderFactories may be called (internally/privately), when | 
|  | // RenderFrameHostImpl detects a NetworkService crash after pushing a | 
|  | // NetworkService-based factory to the renderer process.  It may also be called | 
|  | // when DevTools wants to send to the renderer process a fresh factory bundle | 
|  | // (e.g. after injecting DevToolsURLLoaderInterceptor) - the latter scenario may | 
|  | // happen even if `this` RenderFrameHostImpl has not pushed any NetworkService | 
|  | // factories to the renderer process (DevTools is agnostic to this). | 
|  | void RenderFrameHostImpl::UpdateSubresourceLoaderFactories() { | 
|  | // Disregard this if frame is being destroyed. | 
|  | if (!frame_) | 
|  | return; | 
|  |  | 
|  | // Disregard if the IPC payload would have been empty. | 
|  | // | 
|  | // Examples of when this can happen: | 
|  | // 1. DevTools tries to inject its proxies by calling this method on *all* | 
|  | //    frames, regardless of whether a frame has actually used one or more | 
|  | //    NetworkService-based URLLoaderFactory.  See also | 
|  | //    RenderFrameDevToolsAgentHost::UpdateResourceLoaderFactories. | 
|  | // 2. The RenderFrameHostImpl::CreateNetworkServiceDefaultFactory method | 
|  | //    (exposed via //content/public) is called on a frame that doesn't | 
|  | //    actually use a NetworkService-backed URLLoaderFactory.  This means | 
|  | //    that CreateNetworkServiceDefaultFactoryAndObserve sets up | 
|  | //    `network_service_disconnect_handler_holder_`, but | 
|  | //    `recreate_default_url_loader_factory_after_network_service_crash_` is | 
|  | //    false. | 
|  | if (!recreate_default_url_loader_factory_after_network_service_crash_ && | 
|  | isolated_worlds_requiring_separate_url_loader_factory_.empty()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40061679): Remove the crash key logging after the | 
|  | // ad-hoc bug investigation is no longer needed. | 
|  | SCOPED_CRASH_KEY_STRING256("rfhi-uslf", "frame->ToDebugString", | 
|  | ToDebugString()); | 
|  |  | 
|  | // The `subresource_loader_factories_config` of the new factories might need | 
|  | // to depend on the pending (rather than the last committed) navigation, | 
|  | // because we can't predict if an in-flight Commit IPC might be present when | 
|  | // an extension injects a content script and MarkIsolatedWorlds... is called. | 
|  | // See also the doc comment for the ForPendingOrLastCommittedNavigation | 
|  | // method. | 
|  | auto subresource_loader_factories_config = | 
|  | SubresourceLoaderFactoriesConfig::ForPendingOrLastCommittedNavigation( | 
|  | *this); | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> default_factory_remote; | 
|  | bool bypass_redirect_checks = false; | 
|  | if (recreate_default_url_loader_factory_after_network_service_crash_) { | 
|  | DCHECK(!IsOutOfProcessNetworkService() || | 
|  | network_service_disconnect_handler_holder_.is_bound()); | 
|  | bypass_redirect_checks = CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | CreateURLLoaderFactoryParamsForMainWorld( | 
|  | subresource_loader_factories_config, | 
|  | "RFHI::UpdateSubresourceLoaderFactories"), | 
|  | subresource_loader_factories_config.ukm_source_id(), | 
|  | default_factory_remote.InitWithNewPipeAndPassReceiver()); | 
|  | } | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | subresource_loader_factories = | 
|  | std::make_unique<blink::PendingURLLoaderFactoryBundle>( | 
|  | std::move(default_factory_remote), | 
|  | blink::PendingURLLoaderFactoryBundle::SchemeMap(), | 
|  | CreateURLLoaderFactoriesForIsolatedWorlds( | 
|  | subresource_loader_factories_config, | 
|  | isolated_worlds_requiring_separate_url_loader_factory_), | 
|  | /*local_resource_loader_config=*/nullptr, bypass_redirect_checks); | 
|  |  | 
|  | GetMojomFrameInRenderer()->UpdateSubresourceLoaderFactories( | 
|  | std::move(subresource_loader_factories)); | 
|  |  | 
|  | // UpdateSubresourceLoaderFactories() above will not be able to update the | 
|  | // factory used by fetch keepalive requests after https://crbug.com/1356128. | 
|  | // The following block replaces the in-browser fetch keepalive factory (shared | 
|  | // with other subresource loading, e.g. prefetch and browsing_topics) with a | 
|  | // new dedicated and intercepted factory. | 
|  | if (document_associated_data_->keep_alive_url_loader_factory_context()) { | 
|  | auto keep_alive_url_loader_factory_bundle = | 
|  | std::make_unique<blink::PendingURLLoaderFactoryBundle>(); | 
|  | keep_alive_url_loader_factory_bundle->set_bypass_redirect_checks( | 
|  | CreateNetworkServiceDefaultFactory( | 
|  | keep_alive_url_loader_factory_bundle->pending_default_factory() | 
|  | .InitWithNewPipeAndPassReceiver())); | 
|  | document_associated_data_->keep_alive_url_loader_factory_context() | 
|  | ->UpdateFactory(network::SharedURLLoaderFactory::Create( | 
|  | std::move(keep_alive_url_loader_factory_bundle))); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateLocalResourceLoader( | 
|  | blink::mojom::LocalResourceLoaderConfigPtr loader_config) { | 
|  | local_resource_loader_config_ = loader_config.Clone(); | 
|  | } | 
|  |  | 
|  | blink::FrameOwnerElementType RenderFrameHostImpl::GetFrameOwnerElementType() { | 
|  | return frame_owner_element_type_; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasTransientUserActivation() { | 
|  | return user_activation_state_.IsActive(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::FocusSourceHasTransientUserActivation() { | 
|  | return focus_source_user_activation_state_.IsActive(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NotifyUserActivation( | 
|  | blink::mojom::UserActivationNotificationType notification_type) { | 
|  | GetAssociatedLocalFrame()->NotifyUserActivation(notification_type); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidAccessInitialMainDocument() { | 
|  | frame_tree_->DidAccessInitialMainDocument(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeName(const std::string& name, | 
|  | const std::string& unique_name) { | 
|  | // Frame name updates used to occur in the FrameTreeNode; however, as they | 
|  | // now occur in RenderFrameHostImpl (and by extension, BrowsingContextState), | 
|  | // ensure that invalid updates (i.e. when in the BackForwardCache or in a | 
|  | // pending deletion state) are not applied. | 
|  | if (IsInBackForwardCache() || IsPendingDeletion()) { | 
|  | return; | 
|  | } | 
|  | if (GetParent() != nullptr) { | 
|  | // TODO(lukasza): Call ReceivedBadMessage when |unique_name| is empty. | 
|  | DCHECK(!unique_name.empty()); | 
|  | } | 
|  | TRACE_EVENT2("navigation", "RenderFrameHostImpl::OnDidChangeName", | 
|  | "render_frame_host", this, "name", name); | 
|  |  | 
|  | std::string old_name = browsing_context_state_->frame_name(); | 
|  | browsing_context_state_->SetFrameName(name, unique_name); | 
|  | if (old_name.empty() && !name.empty()) | 
|  | frame_tree_node_->render_manager()->CreateProxiesForNewNamedFrame( | 
|  | browsing_context_state_); | 
|  | delegate_->DidChangeName(this, name); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnforceInsecureRequestPolicy( | 
|  | blink::mojom::InsecureRequestPolicy policy) { | 
|  | browsing_context_state_->SetInsecureRequestPolicy(policy); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnforceInsecureNavigationsSet( | 
|  | const std::vector<uint32_t>& set) { | 
|  | browsing_context_state_->SetInsecureNavigationsSet(set); | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::FindAndVerifyChild( | 
|  | int32_t child_frame_routing_id, | 
|  | bad_message::BadMessageReason reason) { | 
|  | auto child_frame_or_proxy = LookupRenderFrameHostOrProxy( | 
|  | GetProcess()->GetDeprecatedID(), child_frame_routing_id); | 
|  | return FindAndVerifyChildInternal(child_frame_or_proxy, reason); | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::FindAndVerifyChild( | 
|  | const blink::FrameToken& child_frame_token, | 
|  | bad_message::BadMessageReason reason) { | 
|  | auto child_frame_or_proxy = LookupRenderFrameHostOrProxy( | 
|  | GetProcess()->GetDeprecatedID(), child_frame_token); | 
|  | return FindAndVerifyChildInternal(child_frame_or_proxy, reason); | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::FindAndVerifyChildInternal( | 
|  | RenderFrameHostOrProxy child_frame_or_proxy, | 
|  | bad_message::BadMessageReason reason) { | 
|  | // A race can result in |child| to be nullptr. Avoid killing the renderer in | 
|  | // that case. | 
|  | if (!child_frame_or_proxy) | 
|  | return nullptr; | 
|  |  | 
|  | if (&child_frame_or_proxy.GetFrameTreeNode()->frame_tree() != frame_tree()) { | 
|  | // Ignore the cases when the child lives in a different frame tree. | 
|  | // This is possible when we create a proxy for inner WebContents so the | 
|  | // |child_frame_or_proxy| points to the root frame of the nested | 
|  | // WebContents, which is in a different tree. | 
|  | // TODO(altimin, lfg): Reconsider what the correct behaviour here should be. | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | if (child_frame_or_proxy.GetFrameTreeNode()->parent() != this) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), reason); | 
|  | return nullptr; | 
|  | } | 
|  | return child_frame_or_proxy.GetFrameTreeNode(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateTitle( | 
|  | const std::optional<::std::u16string>& title, | 
|  | base::i18n::TextDirection title_direction) { | 
|  | // This message should only be sent for top-level frames. Suppress title | 
|  | // updates if the message was sent for a discarded document. | 
|  | if (!is_main_frame() || document_associated_data_->is_discarded()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | std::u16string received_title; | 
|  | if (title.has_value()) | 
|  | received_title = title.value(); | 
|  |  | 
|  | if (received_title.length() > blink::mojom::kMaxTitleChars) { | 
|  | mojo::ReportBadMessage("Renderer sent too many characters in title."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->UpdateTitle(this, received_title, title_direction); | 
|  | } | 
|  |  | 
|  | // Update application title. | 
|  | void RenderFrameHostImpl::UpdateApplicationTitle( | 
|  | const ::std::u16string& application_title) { | 
|  | delegate_->UpdateApplicationTitle(this, application_title); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidInferColorScheme( | 
|  | blink::mojom::PreferredColorScheme color_scheme) { | 
|  | if (is_main_frame()) { | 
|  | GetPage().DidInferColorScheme(color_scheme); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnFirstContentfulPaint() { | 
|  | GetPage().set_did_first_contentful_paint_in_main_document(); | 
|  | if (IsInPrimaryMainFrame()) { | 
|  | // Notify the delegates of the FCP. Note that the notifications for | 
|  | // prerendering pages will be deferred until activation. | 
|  | delegate_->OnFirstContentfulPaintInPrimaryMainFrame(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetStorageAccessApiStatus( | 
|  | net::StorageAccessApiStatus status) { | 
|  | switch (status) { | 
|  | case net::StorageAccessApiStatus::kNone: | 
|  | document_associated_data_->RemoveCookieSettingOverride( | 
|  | net::CookieSettingOverride::kStorageAccessGrantEligible); | 
|  | return; | 
|  | case net::StorageAccessApiStatus::kAccessViaAPI: | 
|  | document_associated_data_->PutCookieSettingOverride( | 
|  | net::CookieSettingOverride::kStorageAccessGrantEligible); | 
|  | return; | 
|  | } | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateEncoding(const std::string& encoding_name) { | 
|  | if (!is_main_frame()) { | 
|  | mojo::ReportBadMessage("Renderer sent updated encoding for a subframe."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetPage().UpdateEncoding(encoding_name); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::FullscreenStateChanged( | 
|  | bool is_fullscreen, | 
|  | blink::mojom::FullscreenOptionsPtr options) { | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kFullScreenStateChanged)) | 
|  | return; | 
|  | delegate_->FullscreenStateChanged(this, is_fullscreen, std::move(options)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CanUseWindowingControls( | 
|  | std::string_view js_api_name) { | 
|  | #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_IOS) | 
|  | mojo::ReportBadMessage( | 
|  | base::StrCat({js_api_name, | 
|  | " API is only supported on Desktop platforms. This " | 
|  | "excludes mobile platforms."})); | 
|  | return false; | 
|  | #else | 
|  | if (!base::FeatureList::IsEnabled( | 
|  | blink::features::kDesktopPWAsAdditionalWindowingControls)) { | 
|  | mojo::ReportBadMessage(base::StrCat( | 
|  | {"API called without Additional Windowing Controls feature enabled: ", | 
|  | js_api_name})); | 
|  | return false; | 
|  | } | 
|  | if (!IsInPrimaryMainFrame()) { | 
|  | mojo::ReportBadMessage(base::StrCat( | 
|  | {"API called from a non-primary-main frame: ", js_api_name})); | 
|  | return false; | 
|  | } | 
|  | if (!IsActive()) { | 
|  | mojo::ReportBadMessage( | 
|  | base::StrCat({"API called from a non-active frame: ", js_api_name})); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // These checks don't kill RFH, instead they log to the developer console. | 
|  | if (!IsWindowManagementGranted(this)) { | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kWarning, | 
|  | base::StrCat({"API called without `window-management` permission " | 
|  | "being granted: ", | 
|  | js_api_name})); | 
|  | return false; | 
|  | } | 
|  | return delegate_->CanUseWindowingControls(this); | 
|  | #endif | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Maximize() { | 
|  | if (!CanUseWindowingControls("window.maximize")) { | 
|  | return; | 
|  | } | 
|  | delegate_->Maximize(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Minimize() { | 
|  | if (!CanUseWindowingControls("window.minimize")) { | 
|  | return; | 
|  | } | 
|  | delegate_->Minimize(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Restore() { | 
|  | if (!CanUseWindowingControls("window.restore")) { | 
|  | return; | 
|  | } | 
|  | delegate_->Restore(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetResizable(bool resizable) { | 
|  | if (!CanUseWindowingControls("window.setResizable")) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetPage().SetResizable(resizable); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DraggableRegionsChanged( | 
|  | std::vector<blink::mojom::DraggableRegionPtr> regions) { | 
|  | if (!IsInPrimaryMainFrame()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->DraggableRegionsChanged(std::move(regions)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NotifyDocumentInteractive() { | 
|  | if (IsInPrimaryMainFrame()) { | 
|  | double trigger_rate = GetConfidenceRandomizedTriggerRate(); | 
|  | blink::mojom::ConfidenceLevel randomized_confidence = | 
|  | GenerateRandomizedConfidenceLevel( | 
|  | trigger_rate, document_associated_data_->navigation_confidence()); | 
|  | GetAssociatedLocalMainFrame()->FinalizeNavigationConfidence( | 
|  | trigger_rate, randomized_confidence); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RegisterProtocolHandler(const std::string& scheme, | 
|  | const GURL& url, | 
|  | bool user_gesture) { | 
|  | delegate_->RegisterProtocolHandler(this, scheme, url, user_gesture); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UnregisterProtocolHandler(const std::string& scheme, | 
|  | const GURL& url, | 
|  | bool user_gesture) { | 
|  | delegate_->UnregisterProtocolHandler(this, scheme, url, user_gesture); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidDisplayInsecureContent() { | 
|  | frame_tree_->controller().ssl_manager()->DidDisplayMixedContent(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidContainInsecureFormAction() { | 
|  | frame_tree_->controller().ssl_manager()->DidContainInsecureFormAction(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MainDocumentElementAvailable( | 
|  | bool uses_temporary_zoom_level) { | 
|  | if (!is_main_frame()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_INVALID_CALL_FROM_NOT_MAIN_FRAME); | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetPage().set_is_main_document_element_available(true); | 
|  | GetPage().set_uses_temporary_zoom_level(uses_temporary_zoom_level); | 
|  |  | 
|  | // Don't dispatch PrimaryMainDocumentElementAvailable for non-primary | 
|  | // RenderFrameHosts. As most of the observers are interested only in taking | 
|  | // into account and can interact with or send IPCs to only the current | 
|  | // document in the primary main frame. Since the WebContents could be hosting | 
|  | // more than one main frame (e.g., fenced frame, prerender pages or pending | 
|  | // delete RFHs), return early for other cases. | 
|  | if (!IsInPrimaryMainFrame()) | 
|  | return; | 
|  |  | 
|  | delegate_->PrimaryMainDocumentElementAvailable(); | 
|  |  | 
|  | if (!uses_temporary_zoom_level) | 
|  | return; | 
|  |  | 
|  | #if !BUILDFLAG(IS_ANDROID) | 
|  | HostZoomMapImpl* host_zoom_map = | 
|  | static_cast<HostZoomMapImpl*>(HostZoomMap::Get(GetSiteInstance())); | 
|  | host_zoom_map->SetTemporaryZoomLevel(GetGlobalId(), | 
|  | host_zoom_map->GetDefaultZoomLevel()); | 
|  | #endif  // !BUILDFLAG(IS_ANDROID) | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetNeedsOcclusionTracking(bool needs_tracking) { | 
|  | // Do not update the parent on behalf of inactive RenderFrameHost. See also | 
|  | // https://crbug.com/972566. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kSetNeedsOcclusionTracking)) | 
|  | return; | 
|  |  | 
|  | RenderFrameProxyHost* proxy = GetProxyToParent(); | 
|  | if (!proxy) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFH_NO_PROXY_TO_PARENT); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (proxy->is_render_frame_proxy_live()) { | 
|  | proxy->GetAssociatedRemoteFrame()->SetNeedsOcclusionTracking( | 
|  | needs_tracking); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetVirtualKeyboardMode( | 
|  | ui::mojom::VirtualKeyboardMode mode) { | 
|  | // TODO(crbug.com/40188381): Consider moving this to PageImpl. | 
|  | if (GetOutermostMainFrame() != this) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFHI_SET_OVERLAYS_CONTENT_NOT_OUTERMOST_FRAME); | 
|  | return; | 
|  | } | 
|  | GetPage().SetVirtualKeyboardMode(mode); | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | void RenderFrameHostImpl::UpdateUserGestureCarryoverInfo() { | 
|  | // This should not occur for prerenders but may occur for pages in | 
|  | // the BackForwardCache depending on timing. | 
|  | if (!IsActive()) | 
|  | return; | 
|  | delegate_->UpdateUserGestureCarryoverInfo(); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | void RenderFrameHostImpl::VisibilityChanged( | 
|  | blink::mojom::FrameVisibility visibility) { | 
|  | visibility_ = visibility; | 
|  | delegate_->OnFrameVisibilityChanged(this, visibility_); | 
|  | GetAssociatedLocalFrame()->OnFrameVisibilityChanged(visibility); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeThemeColor( | 
|  | std::optional<SkColor> theme_color) { | 
|  | // TODO(crbug.com/40188381): Consider moving this to PageImpl. | 
|  | DCHECK(is_main_frame()); | 
|  | GetPage().OnThemeColorChanged(theme_color); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeBackgroundColor( | 
|  | const SkColor4f& background_color, | 
|  | bool color_adjust) { | 
|  | // TODO(crbug.com/40188381): Consider moving this to PageImpl. | 
|  | DCHECK(is_main_frame()); | 
|  | GetPage().DidChangeBackgroundColor(background_color, color_adjust); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetCommitCallbackInterceptorForTesting( | 
|  | CommitCallbackInterceptor* interceptor) { | 
|  | // This DCHECK's aims to avoid unexpected replacement of an interceptor. | 
|  | // If this becomes a legitimate use case, feel free to remove. | 
|  | DCHECK(!commit_callback_interceptor_ || !interceptor); | 
|  | commit_callback_interceptor_ = interceptor; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetUnloadACKCallbackForTesting( | 
|  | const UnloadACKCallbackForTesting& callback) { | 
|  | // This DCHECK aims to avoid unexpected replacement of a callback. | 
|  | DCHECK(!unload_ack_callback_ || !callback); | 
|  | unload_ack_callback_ = callback; | 
|  | } | 
|  |  | 
|  | const network::mojom::URLResponseHead* | 
|  | RenderFrameHostImpl::GetLastResponseHead() { | 
|  | // This shouldn't be called before committing the document as this value is | 
|  | // set during call to RenderFrameHostImpl::DidNavigate which happens after | 
|  | // commit. | 
|  | CHECK_NE(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | CHECK_NE(lifecycle_state(), LifecycleStateImpl::kPendingCommit); | 
|  | return last_response_head_.get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidBlockNavigation( | 
|  | const GURL& blocked_url, | 
|  | blink::mojom::NavigationBlockedReason reason) { | 
|  | // Do not allow renderers to show off-limits URLs in the blocked dialog. | 
|  | GURL validated_blocked_url = blocked_url; | 
|  | RenderProcessHost* process = GetProcess(); | 
|  | process->FilterURL(/*empty_allowed=*/false, &validated_blocked_url); | 
|  |  | 
|  | // Cross-origin navigations are not allowed in prerendering so we can not | 
|  | // reach here while prerendering. | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kPrerendering); | 
|  | delegate_->OnDidBlockNavigation(validated_blocked_url, GetLastCommittedURL(), | 
|  | reason); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeLoadProgress(double load_progress) { | 
|  | if (!is_main_frame()) | 
|  | return; | 
|  |  | 
|  | if (load_progress < GetPage().load_progress()) | 
|  | return; | 
|  |  | 
|  | GetPage().set_load_progress(load_progress); | 
|  |  | 
|  | delegate_->DidChangeLoadProgressForMainFrame(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidFinishLoad(const GURL& validated_url) { | 
|  | // In case of prerendering, we dispatch DidFinishLoad on activation. This is | 
|  | // done to avoid notifying observers about a load event triggered from a | 
|  | // inactive RenderFrameHost. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPrerendering) { | 
|  | document_associated_data_->set_pending_did_finish_load_url_for_prerendering( | 
|  | validated_url); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->OnDidFinishLoad(this, validated_url); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DispatchLoad() { | 
|  | TRACE_EVENT1("navigation", "RenderFrameHostImpl::DispatchLoad", | 
|  | "render_frame_host", this); | 
|  |  | 
|  | // Only active and prerendered documents are allowed to dispatch load events | 
|  | // to the parent. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kPrerendering) { | 
|  | // If we ignored the last commit callback, this RenderFrameHost might be | 
|  | // stuck on the kPendingCommit stage. In this case, just ignore the load. | 
|  | if (did_ignore_last_commit_callback_) { | 
|  | return; | 
|  | } | 
|  | // Don't forward the load event to the parent on behalf of inactive | 
|  | // RenderFrameHost, which can happen in a race where this inactive | 
|  | // RenderFrameHost finishes loading just after the frame navigates away. | 
|  | // See https://crbug.com/626802. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kDispatchLoad)) { | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | DCHECK(lifecycle_state() == LifecycleStateImpl::kActive || | 
|  | lifecycle_state() == LifecycleStateImpl::kPrerendering); | 
|  |  | 
|  | // Only frames with an out-of-process parent frame should be sending this | 
|  | // message. | 
|  | RenderFrameProxyHost* proxy = GetProxyToParent(); | 
|  | if (!proxy) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFH_NO_PROXY_TO_PARENT); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (proxy->is_render_frame_proxy_live()) | 
|  | proxy->GetAssociatedRemoteFrame()->DispatchLoadEventForFrameOwner(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GoToEntryAtOffset( | 
|  | int32_t offset, | 
|  | bool has_user_gesture, | 
|  | base::TimeTicks actual_navigation_start, | 
|  | std::optional<blink::scheduler::TaskAttributionId> | 
|  | soft_navigation_heuristics_task_id) { | 
|  | OPTIONAL_TRACE_EVENT2("content", "RenderFrameHostImpl::GoToEntryAtOffset", | 
|  | "render_frame_host", this, "offset", offset); | 
|  |  | 
|  | // Non-user initiated navigations coming from the renderer should be ignored | 
|  | // if there is an ongoing browser-initiated navigation. | 
|  | // See https://crbug.com/879965. | 
|  | // TODO(arthursonzogni): See if this should check for ongoing navigations in | 
|  | // the frame(s) affected by the session history navigation, rather than just | 
|  | // the main frame. | 
|  | if (Navigator::ShouldIgnoreIncomingRendererRequest( | 
|  | frame_tree_->root()->navigation_request(), has_user_gesture)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // All frames are allowed to navigate the global history. | 
|  | if (delegate_->IsAllowedToGoToEntryAtOffset(offset)) { | 
|  | frame_tree_->controller().GoToOffsetFromRenderer( | 
|  | offset, this, soft_navigation_heuristics_task_id, | 
|  | actual_navigation_start); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NavigateToNavigationApiKey( | 
|  | const std::string& key, | 
|  | bool has_user_gesture, | 
|  | base::TimeTicks actual_navigation_start, | 
|  | std::optional<blink::scheduler::TaskAttributionId> task_id) { | 
|  | // Non-user initiated navigations coming from the renderer should be ignored | 
|  | // if there is an ongoing browser-initiated navigation. | 
|  | // See https://crbug.com/879965. | 
|  | // TODO(arthursonzogni): See if this should check for ongoing navigations in | 
|  | // the frame(s) affected by the session history navigation, rather than just | 
|  | // the main frame. | 
|  | if (Navigator::ShouldIgnoreIncomingRendererRequest( | 
|  | frame_tree_->root()->navigation_request(), has_user_gesture)) { | 
|  | return; | 
|  | } | 
|  | frame_tree_->controller().NavigateToNavigationApiKey(this, task_id, key, | 
|  | actual_navigation_start); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NavigateEventHandlerPresenceChanged(bool present) { | 
|  | DCHECK_NE(has_navigate_event_handler_, present); | 
|  | has_navigate_event_handler_ = present; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::HandleAccessibilityFindInPageResult( | 
|  | blink::mojom::FindInPageResultAXParamsPtr params) { | 
|  | // Only update FindInPageResult on active RenderFrameHost. Note that, it is | 
|  | // safe to ignore this call for BackForwardCache, as we terminate the | 
|  | // FindInPage session once the page enters BackForwardCache. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kActive) | 
|  | return; | 
|  |  | 
|  | ui::BrowserAccessibilityManager* manager = | 
|  | GetOrCreateBrowserAccessibilityManager(); | 
|  | if (manager) { | 
|  | manager->OnFindInPageResult(params->request_id, params->match_index, | 
|  | params->start_id, params->start_offset, | 
|  | params->end_id, params->end_offset); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::HandleAccessibilityFindInPageTermination() { | 
|  | // Only update FindInPageTermination on active RenderFrameHost. Note that, it | 
|  | // is safe to ignore this call for BackForwardCache, as we terminate the | 
|  | // FindInPage session once the page enters BackForwardCache. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kActive) | 
|  | return; | 
|  |  | 
|  | ui::BrowserAccessibilityManager* manager = | 
|  | GetOrCreateBrowserAccessibilityManager(); | 
|  | if (manager) | 
|  | manager->OnFindInPageTermination(); | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40183812): Move this method to content::PageImpl. | 
|  | void RenderFrameHostImpl::DocumentOnLoadCompleted() { | 
|  | if (!is_main_frame()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_INVALID_CALL_FROM_NOT_MAIN_FRAME); | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetPage().set_is_on_load_completed_in_main_document(true); | 
|  |  | 
|  | // This may be called when the main frame document is replaced with the empty | 
|  | // document during discard. Suppress document load notifications in this case. | 
|  | if (document_associated_data_->is_discarded()) { | 
|  | CleanupRenderProcessForDiscardIfPossible(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // This message is only sent for main-level frames and will be filtered | 
|  | // out in the delegate. | 
|  | // | 
|  | // TODO(avi): when frame tree mirroring works correctly, add a check here | 
|  | // to enforce it. | 
|  | delegate_->DocumentOnLoadCompleted(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForwardResourceTimingToParent( | 
|  | blink::mojom::ResourceTimingInfoPtr timing) { | 
|  | // Only active and prerendered documents are allowed to forward the resource | 
|  | // timing information to the parent. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kPrerendering) { | 
|  | // Don't forward the resource timing of the parent on behalf of inactive | 
|  | // RenderFrameHost. This can happen in a race where this RenderFrameHost | 
|  | // finishes loading just after the frame navigates away. See | 
|  | // https://crbug.com/626802. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kForwardResourceTimingToParent)) | 
|  | return; | 
|  | } | 
|  |  | 
|  | DCHECK(lifecycle_state() == LifecycleStateImpl::kActive || | 
|  | lifecycle_state() == LifecycleStateImpl::kPrerendering); | 
|  |  | 
|  | RenderFrameProxyHost* proxy = GetProxyToParent(); | 
|  | if (!proxy) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFH_NO_PROXY_TO_PARENT); | 
|  | return; | 
|  | } | 
|  | if (proxy->is_render_frame_proxy_live()) { | 
|  | proxy->GetAssociatedRemoteFrame()->AddResourceTimingFromChild( | 
|  | std::move(timing)); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::Reload() { | 
|  | // Reloading the document frame will delete the currently active one. | 
|  | // We expected this function to be used only when this RenderFrameHost | 
|  | // is the currently active one. RenderFrameHost pending deletion, or | 
|  | // in the BackForwardCache are not expected to have side effect on the | 
|  | // current page. | 
|  | CHECK(IsActive()); | 
|  |  | 
|  | return owner_->Reload(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendAccessibilityEventsToManager( | 
|  | ui::AXUpdatesAndEvents& details) { | 
|  | if (!browser_accessibility_manager_) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | DCHECK(delegate_->GetAccessibilityMode().has_mode(ui::AXMode::kNativeAPIs)); | 
|  | bool accessibility_error = | 
|  | !browser_accessibility_manager_->OnAccessibilityEvents(details); | 
|  | if (accessibility_error) { | 
|  | // OnAccessibilityEvents returns false in IPC error conditions. | 
|  | UnrecoverableAccessibilityError(); | 
|  | } | 
|  |  | 
|  | #if AX_FAIL_FAST_BUILD() | 
|  | // Don't exercise the accessibility tree when we either had an | 
|  | // accessibility failure or if we are not allowed to fire events | 
|  | if (!accessibility_error && browser_accessibility_manager_->CanFireEvents()) { | 
|  | ExerciseAccessibilityForTest(); | 
|  | } | 
|  | #endif | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExerciseAccessibilityForTest() { | 
|  | #if AX_FAIL_FAST_BUILD() | 
|  | // When running a debugging/sanitizer build (but not a perf test) with | 
|  | // --force-renderer-accessibility, exercise the properties for every node, to | 
|  | // ensure no crashes or assertions are triggered. This helpfully runs for all | 
|  | // web tests on builder linux-blink-web-tests-force-accessibility-rel, as well | 
|  | // as for some clusterfuzz runs. | 
|  | static int g_max_ax_tree_exercise_iterations = 3;  // Avoid timeouts. | 
|  | static int count = 0; | 
|  | if (browser_accessibility_manager_->GetBrowserAccessibilityRoot() | 
|  | ->GetChildCount() > 0 && | 
|  | !browser_accessibility_manager_->GetBrowserAccessibilityRoot() | 
|  | ->GetBoolAttribute(ax::mojom::BoolAttribute::kBusy) && | 
|  | ++count <= g_max_ax_tree_exercise_iterations) { | 
|  | base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); | 
|  | if (command_line->HasSwitch(::switches::kForceRendererAccessibility) && | 
|  | !command_line->HasSwitch(switches::kTraceStartupOwner)) { | 
|  | std::unique_ptr<ui::AXTreeFormatter> formatter( | 
|  | AXInspectFactory::CreatePlatformFormatter()); | 
|  | formatter->SetPropertyFilters({{"*", ui::AXPropertyFilter::ALLOW}}); | 
|  | std::string formatted_tree = formatter->Format( | 
|  | browser_accessibility_manager_->GetBrowserAccessibilityRoot()); | 
|  | VLOG(1) << "\n\n******** Formatted tree ********\n\n" | 
|  | << formatted_tree << "\n*********************************\n\n"; | 
|  | } | 
|  | } | 
|  | #endif | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsInactiveAndDisallowActivation(uint64_t reason) { | 
|  | TRACE_EVENT1("navigation", | 
|  | "RenderFrameHostImpl::IsInactiveAndDisallowActivation", | 
|  | "render_frame_host", this); | 
|  | switch (lifecycle_state_) { | 
|  | case LifecycleStateImpl::kRunningUnloadHandlers: | 
|  | case LifecycleStateImpl::kReadyToBeDeleted: | 
|  | return true; | 
|  | case LifecycleStateImpl::kInBackForwardCache: { | 
|  | // This function should not be called with kAXEvent when the page is in | 
|  | // back/forward cache, because |HandleAXevents()| will continue to process | 
|  | // accessibility events without evicting. | 
|  | CHECK_NE(reason, kAXEvent); | 
|  | // This function should not be called with kAXLocationChange when the | 
|  | // page is in back/forward cache, because `HandleAXLocationChange()` will | 
|  | // continue to process accessibility location changes unless | 
|  | // kDoNotEvictOnAXLocationChange is off. | 
|  | if (base::FeatureList::IsEnabled( | 
|  | features::kDoNotEvictOnAXLocationChange)) { | 
|  | CHECK_NE(reason, kAXLocationChange); | 
|  | } | 
|  | BackForwardCacheCanStoreDocumentResult can_store_flat; | 
|  | can_store_flat.NoDueToDisallowActivation(reason); | 
|  | EvictFromBackForwardCacheWithFlattenedReasons(can_store_flat); | 
|  | } | 
|  | return true; | 
|  | case LifecycleStateImpl::kPrerendering: | 
|  | // Since the page in prerendering state is able to handle IndexedDB event, | 
|  | // the prerendering should not be cancelled because of that. | 
|  | DCHECK_NE(reason, DisallowActivationReasonId::kIndexedDBEvent); | 
|  | CancelPrerendering( | 
|  | PrerenderCancellationReason::BuildForDisallowActivationState(reason)); | 
|  | return true; | 
|  | case LifecycleStateImpl::kSpeculative: | 
|  | // We do not expect speculative or pending commit RenderFrameHosts to | 
|  | // generate events that require an active/inactive check. Don't crash the | 
|  | // browser process in case it comes from a compromised renderer, but kill | 
|  | // the renderer to avoid further confusion. | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_INACTIVE_CHECK_FROM_SPECULATIVE_RFH); | 
|  | return false; | 
|  | case LifecycleStateImpl::kPendingCommit: | 
|  | // TODO(crbug.com/40174540): Understand the expected behaviour to | 
|  | // disallow activation for kPendingCommit RenderFrameHosts and update | 
|  | // accordingly. | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_INACTIVE_CHECK_FROM_PENDING_COMMIT_RFH); | 
|  | return false; | 
|  | case LifecycleStateImpl::kActive: | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EvictFromBackForwardCache( | 
|  | blink::mojom::RendererEvictionReason reason, | 
|  | blink::mojom::ScriptSourceLocationPtr source) { | 
|  | if (base::FeatureList::IsEnabled( | 
|  | blink::features::kCaptureJSExecutionLocation) && | 
|  | reason == blink::mojom::RendererEvictionReason::kJavaScriptExecution) { | 
|  | if (source.is_null()) { | 
|  | mojo::ReportBadMessage( | 
|  | "Source location must be provided if it's JavaScript execution"); | 
|  | } | 
|  | } else { | 
|  | // If `kCaptureJSExecutionLocation` is disabled, the renderer side will | 
|  | // never capture source location for any reason. | 
|  | if (!source.is_null()) { | 
|  | mojo::ReportBadMessage( | 
|  | "Source location must not be provided in this condition."); | 
|  | } | 
|  | } | 
|  | // TODO(crbug.com/41485693): Use `source` to report the source location of | 
|  | // JavaScript execution. | 
|  | EvictFromBackForwardCacheWithReason( | 
|  | RendererEvictionReasonToNotRestoredReason(reason)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EvictFromBackForwardCacheWithReason( | 
|  | BackForwardCacheMetrics::NotRestoredReason reason) { | 
|  | // kIgnoreEventAndEvict should never be a reason on its own without further | 
|  | // details. | 
|  | DCHECK_NE(reason, | 
|  | BackForwardCacheMetrics::NotRestoredReason::kIgnoreEventAndEvict); | 
|  |  | 
|  | BackForwardCacheCanStoreDocumentResult flattened_reasons; | 
|  | flattened_reasons.No(reason); | 
|  | EvictFromBackForwardCacheWithFlattenedReasons(flattened_reasons); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EvictFromBackForwardCacheWithFlattenedReasons( | 
|  | BackForwardCacheCanStoreDocumentResult can_store_flat) { | 
|  | // Create a NotRestoredReasons tree that has |can_store_flat| as a reason | 
|  | // for |this| RenderFrameHost. | 
|  | auto can_store = | 
|  | BackForwardCacheImpl::CreateEvictionBackForwardCacheCanStoreTreeResult( | 
|  | *this, can_store_flat); | 
|  | EvictFromBackForwardCacheWithFlattenedAndTreeReasons(can_store); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EvictFromBackForwardCacheWithFlattenedAndTreeReasons( | 
|  | BackForwardCacheCanStoreDocumentResultWithTree& can_store) { | 
|  | TRACE_EVENT2("navigation", "RenderFrameHostImpl::EvictFromBackForwardCache", | 
|  | "can_store", can_store.flattened_reasons.ToString(), "rfh", | 
|  | static_cast<void*>(this)); | 
|  | TRACE_EVENT("navigation", | 
|  | "RenderFrameHostImpl::" | 
|  | "EvictFromBackForwardCacheWithFlattenedAndTreeReasons", | 
|  | ChromeTrackEvent::kBackForwardCacheCanStoreDocumentResult, | 
|  | can_store.flattened_reasons); | 
|  | DCHECK(IsBackForwardCacheEnabled()); | 
|  |  | 
|  | RenderFrameHostImpl* top_document = GetOutermostMainFrame(); | 
|  |  | 
|  | if (top_document->is_evicted_from_back_forward_cache_) | 
|  | return; | 
|  |  | 
|  | bool in_back_forward_cache = IsInBackForwardCache(); | 
|  |  | 
|  | // TODO(hajimehoshi): Record the 'race condition' by JavaScript execution when | 
|  | // |in_back_forward_cache| is false. | 
|  | BackForwardCacheMetrics* metrics = top_document->GetBackForwardCacheMetrics(); | 
|  | if (in_back_forward_cache && metrics) { | 
|  | metrics->SetNotRestoredReasons(can_store); | 
|  | } | 
|  |  | 
|  | if (!in_back_forward_cache) { | 
|  | TRACE_EVENT0("navigation", "BackForwardCache_EvictAfterDocumentRestored"); | 
|  | // TODO(crbug.com/40163285): We should no longer get into this branch thanks | 
|  | // to https://crrev.com/c/2563674 but we do. We should eventually replace | 
|  | // this with a CHECK. | 
|  | BackForwardCacheMetrics::RecordEvictedAfterDocumentRestored( | 
|  | BackForwardCacheMetrics::EvictedAfterDocumentRestoredReason:: | 
|  | kByJavaScript); | 
|  | CaptureTraceForNavigationDebugScenario( | 
|  | DebugScenario::kDebugBackForwardCacheEvictRestoreRace); | 
|  |  | 
|  | // A document is evicted from the BackForwardCache, but it has already been | 
|  | // restored. The current document should be reloaded, because it is not | 
|  | // salvageable. | 
|  | top_document->frame_tree()->controller().Reload(ReloadType::NORMAL, false); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Check if there is an in-flight navigation restoring the document that is | 
|  | // being evicted. | 
|  | NavigationRequest* in_flight_navigation_request = | 
|  | top_document->frame_tree_node()->navigation_request(); | 
|  |  | 
|  | if (in_flight_navigation_request && | 
|  | in_flight_navigation_request | 
|  | ->GetRenderFrameHostRestoredFromBackForwardCache() == | 
|  | top_document) { | 
|  | // If we are currently navigating to the document that was just evicted, we | 
|  | // must restart the navigation. This is important because restarting the | 
|  | // navigation deletes the `NavigationRequest` associated with the evicted | 
|  | // document (preventing use-after-free). | 
|  | // Restarting the navigation should also happen asynchronously as eviction | 
|  | // might happen in the middle of another navigation - we should not try to | 
|  | // restart the navigation in that case. | 
|  | top_document->frame_tree_node()->RestartBackForwardCachedNavigationAsync( | 
|  | in_flight_navigation_request->nav_entry_id()); | 
|  | } | 
|  |  | 
|  | // Evict the frame and schedule it to be destroyed. Eviction happens | 
|  | // immediately, but destruction is delayed, so that callers don't have to | 
|  | // worry about use-after-free of |this|. | 
|  | top_document->is_evicted_from_back_forward_cache_ = true; | 
|  | GetBackForwardCache().PostTaskToDestroyEvictedFrames(); | 
|  | if (auto* view = GetView()) { | 
|  | view->ActivatedOrEvictedFromBackForwardCache(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl:: | 
|  | UseDummyStickyBackForwardCacheDisablingFeatureForTesting() { | 
|  | OnBackForwardCacheDisablingFeatureUsed( | 
|  | BackForwardCacheDisablingFeature::kDummy); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasSeenRecentXrOverlaySetup() { | 
|  | static constexpr base::TimeDelta kMaxInterval = base::Seconds(1); | 
|  | base::TimeDelta delta = base::TimeTicks::Now() - last_xr_overlay_setup_time_; | 
|  | DVLOG(2) << __func__ << ": return " << (delta <= kMaxInterval); | 
|  | return delta <= kMaxInterval; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetIsXrOverlaySetup() { | 
|  | DVLOG(2) << __func__; | 
|  | last_xr_overlay_setup_time_ = base::TimeTicks::Now(); | 
|  | } | 
|  |  | 
|  | // TODO(alexmos): When the allowFullscreen flag is known in the browser | 
|  | // process, use it to double-check that fullscreen can be entered here. | 
|  | void RenderFrameHostImpl::EnterFullscreen( | 
|  | blink::mojom::FullscreenOptionsPtr options, | 
|  | EnterFullscreenCallback callback) { | 
|  | const bool had_fullscreen_token = fullscreen_request_token_.IsActive(); | 
|  |  | 
|  | // Frames (possibly a subframe) that are not active nor belonging to a primary | 
|  | // page should not enter fullscreen. | 
|  | if (!IsActive() || !GetPage().IsPrimary()) { | 
|  | std::move(callback).Run(/*granted=*/false); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Entering fullscreen generally requires a transient user activation signal, | 
|  | // or another feature-specific transient allowance. | 
|  | if (delegate_->IsTransientActivationRequiredForHtmlFullscreen() && | 
|  | !HasSeenRecentXrOverlaySetup()) { | 
|  | // Reject requests made without transient user activation or a token. | 
|  | // TODO(lanwei): Investigate whether we can terminate the renderer when | 
|  | // transient user activation and the delegated token are both inactive. | 
|  | CHECK(owner_);  // See `owner_` invariants about `IsActive()`. | 
|  | // Consume any transient user activation and delegated fullscreen token. | 
|  | const bool consumed_activation = owner_->UpdateUserActivationState( | 
|  | blink::mojom::UserActivationUpdateType::kConsumeTransientActivation, | 
|  | blink::mojom::UserActivationNotificationType::kNone); | 
|  | const bool consumed_token = fullscreen_request_token_.ConsumeIfActive(); | 
|  | if (!consumed_activation && !consumed_token) { | 
|  | DLOG(ERROR) << "Cannot enter fullscreen without a transient activation, " | 
|  | << "orientation change, XR overlay, or delegated capability."; | 
|  | std::move(callback).Run(/*granted=*/false); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | if (!delegate_->CanEnterFullscreenMode(this)) { | 
|  | std::move(callback).Run(/*granted=*/false); | 
|  | return; | 
|  | } | 
|  |  | 
|  | base::RecordAction(base::UserMetricsAction("EnterFullscreen_API")); | 
|  |  | 
|  | // Allow sites with the Window Management permission to open a popup window | 
|  | // after requesting fullscreen on a specific screen of a multi-screen device. | 
|  | // This enables multi-screen content experiences from a single user gesture. | 
|  | const display::Screen* screen = display::Screen::GetScreen(); | 
|  | display::Display display; | 
|  | if (screen && screen->GetNumDisplays() > 1 && | 
|  | screen->GetDisplayWithDisplayId(options->display_id, &display) && | 
|  | IsWindowManagementGranted(this)) { | 
|  | transient_allow_popup_.Activate(); | 
|  | } | 
|  |  | 
|  | std::move(callback).Run(/*granted=*/true); | 
|  |  | 
|  | // Entering fullscreen from a cross-process subframe also affects all | 
|  | // renderers for ancestor frames, which will need to apply fullscreen CSS to | 
|  | // appropriate ancestor <iframe> elements, fire fullscreenchange events, etc. | 
|  | // Thus, walk through the ancestor chain of this frame and for each (parent, | 
|  | // child) pair, send a message about the pending fullscreen change to the | 
|  | // child's proxy in parent's SiteInstanceGroup. The renderer process will use | 
|  | // this to find the <iframe> element in the parent frame that will need | 
|  | // fullscreen styles. This is done at most once per SiteInstanceGroup: for | 
|  | // example, with a A-B-A-B hierarchy, if the bottom frame goes fullscreen, | 
|  | // this only needs to notify its parent, and Blink-side logic will take care | 
|  | // of applying necessary changes to the other two ancestors. | 
|  | std::set<SiteInstanceGroup*> notified_groups; | 
|  | notified_groups.insert(GetSiteInstance()->group()); | 
|  | for (RenderFrameHostImpl* rfh = this; rfh->GetParent(); | 
|  | rfh = rfh->GetParent()) { | 
|  | SiteInstanceGroup* parent_group = | 
|  | rfh->GetParent()->GetSiteInstance()->group(); | 
|  | if (base::Contains(notified_groups, parent_group)) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | RenderFrameProxyHost* child_proxy = | 
|  | rfh->browsing_context_state()->GetRenderFrameProxyHost(parent_group); | 
|  | if (child_proxy->is_render_frame_proxy_live()) { | 
|  | child_proxy->GetAssociatedRemoteFrame()->WillEnterFullscreen( | 
|  | options.Clone()); | 
|  | notified_groups.insert(parent_group); | 
|  | } | 
|  | } | 
|  |  | 
|  | // Focus the window if another frame may have delegated the capability. | 
|  | if (had_fullscreen_token && !GetView()->HasFocus()) | 
|  | GetView()->Focus(); | 
|  | delegate_->EnterFullscreenMode(this, *options); | 
|  | delegate_->FullscreenStateChanged(this, /*is_fullscreen=*/true, | 
|  | std::move(options)); | 
|  |  | 
|  | // The previous call might change the fullscreen state. We need to make sure | 
|  | // the renderer is aware of that, which is done via the resize message. | 
|  | // Typically, this will be sent as part of the call on the |delegate_| above | 
|  | // when resizing the native windows, but sometimes fullscreen can be entered | 
|  | // without causing a resize, so we need to ensure that the resize message is | 
|  | // sent in that case. We always send this to the main frame's widget, and if | 
|  | // there are any OOPIF widgets, this will also trigger them to resize via | 
|  | // frameRectsChanged. | 
|  | GetOutermostMainFrame() | 
|  | ->GetLocalRenderWidgetHost() | 
|  | ->SynchronizeVisualProperties(); | 
|  | } | 
|  |  | 
|  | // TODO(alexmos): When the allowFullscreen flag is known in the browser | 
|  | // process, use it to double-check that fullscreen can be entered here. | 
|  | void RenderFrameHostImpl::ExitFullscreen() { | 
|  | base::RecordAction(base::UserMetricsAction("ExitFullscreen_API")); | 
|  | delegate_->ExitFullscreenMode(/*will_cause_resize=*/true); | 
|  |  | 
|  | // The previous call might change the fullscreen state. We need to make sure | 
|  | // the renderer is aware of that, which is done via the resize message. | 
|  | // Typically, this will be sent as part of the call on the |delegate_| above | 
|  | // when resizing the native windows, but sometimes fullscreen can be entered | 
|  | // without causing a resize, so we need to ensure that the resize message is | 
|  | // sent in that case. We always send this to the main frame's widget, and if | 
|  | // there are any OOPIF widgets, this will also trigger them to resize via | 
|  | // frameRectsChanged. | 
|  | GetOutermostMainFrame() | 
|  | ->GetLocalRenderWidgetHost() | 
|  | ->SynchronizeVisualProperties(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SuddenTerminationDisablerChanged( | 
|  | bool present, | 
|  | blink::mojom::SuddenTerminationDisablerType disabler_type) { | 
|  | switch (disabler_type) { | 
|  | case blink::mojom::SuddenTerminationDisablerType::kBeforeUnloadHandler: | 
|  | DCHECK_NE(has_before_unload_handler_, present); | 
|  | if (IsNestedWithinFencedFrame()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_BEFOREUNLOAD_HANDLER_NOT_ALLOWED_IN_FENCED_FRAME); | 
|  | return; | 
|  | } | 
|  | has_before_unload_handler_ = present; | 
|  | break; | 
|  | case blink::mojom::SuddenTerminationDisablerType::kPageHideHandler: | 
|  | DCHECK_NE(has_pagehide_handler_, present); | 
|  | has_pagehide_handler_ = present; | 
|  | break; | 
|  | case blink::mojom::SuddenTerminationDisablerType::kUnloadHandler: | 
|  | DCHECK_NE(has_unload_handler_, present); | 
|  | if (IsNestedWithinFencedFrame()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_UNLOAD_HANDLER_NOT_ALLOWED_IN_FENCED_FRAME); | 
|  | return; | 
|  | } | 
|  | has_unload_handler_ = present; | 
|  | break; | 
|  | case blink::mojom::SuddenTerminationDisablerType::kVisibilityChangeHandler: | 
|  | has_visibilitychange_handler_ = present; | 
|  | break; | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::GetSuddenTerminationDisablerState( | 
|  | blink::mojom::SuddenTerminationDisablerType disabler_type) { | 
|  | if (do_not_delete_for_testing_ && | 
|  | disabler_type != | 
|  | blink::mojom::SuddenTerminationDisablerType::kBeforeUnloadHandler) { | 
|  | return true; | 
|  | } | 
|  | switch (disabler_type) { | 
|  | case blink::mojom::SuddenTerminationDisablerType::kBeforeUnloadHandler: | 
|  | return has_before_unload_handler_; | 
|  | case blink::mojom::SuddenTerminationDisablerType::kPageHideHandler: | 
|  | return has_pagehide_handler_; | 
|  | case blink::mojom::SuddenTerminationDisablerType::kUnloadHandler: | 
|  | return has_unload_handler_; | 
|  | case blink::mojom::SuddenTerminationDisablerType::kVisibilityChangeHandler: | 
|  | return has_visibilitychange_handler_; | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidDispatchDOMContentLoadedEvent() { | 
|  | document_associated_data_->MarkDomContentLoaded(); | 
|  |  | 
|  | // In case of prerendering, we dispatch DOMContentLoaded on activation. This | 
|  | // is done to avoid notifying observers about a load event triggered from a | 
|  | // inactive RenderFrameHost. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPrerendering) { | 
|  | MaybeResetBoostRenderProcessForLoading(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->DOMContentLoaded(this); | 
|  | if (last_committed_url_.SchemeIsHTTPOrHTTPS() && IsOutermostMainFrame()) { | 
|  | RecordIsProcessBackgrounded("OnDOMContentLoaded", | 
|  | GetProcess()->GetPriority()); | 
|  | } | 
|  | MaybeResetBoostRenderProcessForLoading(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::FocusedElementChanged( | 
|  | bool is_editable_element, | 
|  | bool is_richly_editable_element, | 
|  | const gfx::Rect& bounds_in_frame_widget, | 
|  | blink::mojom::FocusType focus_type) { | 
|  | if (!GetView()) | 
|  | return; | 
|  |  | 
|  | has_focused_editable_element_ = is_editable_element; | 
|  | has_focused_richly_editable_element_ = is_richly_editable_element; | 
|  |  | 
|  | // First convert the bounds to root view. | 
|  | delegate_->OnFocusedElementChangedInFrame( | 
|  | this, | 
|  | gfx::Rect(GetView()->TransformPointToRootCoordSpace( | 
|  | bounds_in_frame_widget.origin()), | 
|  | bounds_in_frame_widget.size()), | 
|  | focus_type); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::TextSelectionChanged(const std::u16string& text, | 
|  | uint32_t offset, | 
|  | const gfx::Range& range) { | 
|  | RecordAction(base::UserMetricsAction("TextSelectionChanged")); | 
|  | has_selection_ = !text.empty(); | 
|  | GetRenderWidgetHost()->SelectionChanged(text, offset, range); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidReceiveUserActivation() { | 
|  | delegate_->DidReceiveUserActivation(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::WebAuthnAssertionRequestSucceeded() { | 
|  | delegate_->WebAuthnAssertionRequestSucceeded(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeIsolateForUserActivation() { | 
|  | // If user activation occurs in a frame that previously triggered a site | 
|  | // isolation hint based on the Cross-Origin-Opener-Policy header, isolate the | 
|  | // corresponding site for all future BrowsingInstances.  We also do this for | 
|  | // user activation on any same-origin subframe of such COOP main frames. | 
|  | // | 
|  | // Note that without user activation, COOP-triggered site isolation is scoped | 
|  | // only to the current BrowsingInstance.  This prevents malicious sites from | 
|  | // silently loading COOP sites to put them on the isolation list and later | 
|  | // querying that state. | 
|  | if (GetMainFrame() | 
|  | ->GetSiteInstance() | 
|  | ->GetSiteInfo() | 
|  | .does_site_request_dedicated_process_for_coop()) { | 
|  | // The SiteInfo flag above should guarantee that we've already passed all | 
|  | // the isolation eligibility checks, such as having the corresponding | 
|  | // feature enabled or satisfying memory requirements. | 
|  | DCHECK(base::FeatureList::IsEnabled( | 
|  | features::kSiteIsolationForCrossOriginOpenerPolicy)); | 
|  |  | 
|  | bool is_same_origin_activation = | 
|  | GetParent() ? GetMainFrame()->GetLastCommittedOrigin().IsSameOriginWith( | 
|  | GetLastCommittedOrigin()) | 
|  | : true; | 
|  | if (is_same_origin_activation) { | 
|  | SiteInstance::StartIsolatingSite( | 
|  | GetSiteInstance()->GetBrowserContext(), | 
|  | GetMainFrame()->GetLastCommittedURL(), | 
|  | ChildProcessSecurityPolicy::IsolatedOriginSource::WEB_TRIGGERED, | 
|  | SiteIsolationPolicy::ShouldPersistIsolatedCOOPSites()); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateUserActivationState( | 
|  | blink::mojom::UserActivationUpdateType update_type, | 
|  | blink::mojom::UserActivationNotificationType notification_type) { | 
|  | // Don't update UserActivationState for non-active RenderFrameHost. In case | 
|  | // of BackForwardCache, this is only called for tests and it is safe to ignore | 
|  | // such requests. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kActive) | 
|  | return; | 
|  |  | 
|  | CHECK(owner_);  // See `owner_` invariants about `lifecycle_state_`. | 
|  | owner_->UpdateUserActivationState(update_type, notification_type); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidConsumeHistoryUserActivation() { | 
|  | // owner_ may be null for IsPendingDeletion() or IsInBackForwardCache(), in | 
|  | // which case the history user activation is managed by a different active | 
|  | // RenderFrameHost. | 
|  | if (owner_) { | 
|  | owner_->DidConsumeHistoryUserActivation(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::HadStickyUserActivationBeforeNavigationChanged( | 
|  | bool value) { | 
|  | browsing_context_state_->OnSetHadStickyUserActivationBeforeNavigation(value); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ScrollRectToVisibleInParentFrame( | 
|  | const gfx::RectF& rect_to_scroll, | 
|  | blink::mojom::ScrollIntoViewParamsPtr params) { | 
|  | // Do not update the parent on behalf of inactive RenderFrameHost. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kDispatchLoad)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | RenderFrameProxyHost* proxy = nullptr; | 
|  |  | 
|  | if (IsFencedFrameRoot()) { | 
|  | // TODO(bokan): This is overly trusting of the renderer. We'll need some way | 
|  | // to verify that the browser is the one that initiated this | 
|  | // ScrollFocusedEditable process. | 
|  | // https://crbug.com/1123606. I&S tracker row 191. | 
|  | if (!params->for_focused_editable) { | 
|  | local_frame_host_receiver_.ReportBadMessage( | 
|  | "ScrollRectToVisibleInParentFrame can only be used for " | 
|  | "is_for_editable from a fenced frame"); | 
|  | return; | 
|  | } | 
|  |  | 
|  | proxy = GetProxyToOuterDelegate(); | 
|  | } else { | 
|  | proxy = GetProxyToParent(); | 
|  | } | 
|  |  | 
|  | if (!proxy) | 
|  | return; | 
|  |  | 
|  | proxy->ScrollRectToVisible(rect_to_scroll, std::move(params)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BubbleLogicalScrollInParentFrame( | 
|  | blink::mojom::ScrollDirection direction, | 
|  | ui::ScrollGranularity granularity) { | 
|  | // Do not update the parent on behalf of inactive RenderFrameHost. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kDispatchLoad)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // TODO(bokan): This is overly trusting of the renderer. Ideally we'd check | 
|  | // that a keyboard event was recently sent. https://crbug.com/1123606. I&S | 
|  | // tracker row 191. | 
|  | RenderFrameProxyHost* proxy = | 
|  | IsFencedFrameRoot() ? GetProxyToOuterDelegate() : GetProxyToParent(); | 
|  |  | 
|  | if (!proxy) { | 
|  | // Only frames with an out-of-process parent frame should be sending this | 
|  | // message. | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFH_NO_PROXY_TO_PARENT); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (proxy->is_render_frame_proxy_live()) { | 
|  | proxy->GetAssociatedRemoteFrame()->BubbleLogicalScroll(direction, | 
|  | granularity); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ShowPopupMenu( | 
|  | mojo::PendingRemote<blink::mojom::PopupMenuClient> popup_client, | 
|  | const gfx::Rect& bounds, | 
|  | double font_size, | 
|  | int32_t selected_item, | 
|  | std::vector<blink::mojom::MenuItemPtr> menu_items, | 
|  | bool right_aligned, | 
|  | bool allow_multiple_selection) { | 
|  | #if BUILDFLAG(USE_EXTERNAL_POPUP_MENU) | 
|  | auto send_did_cancel = | 
|  | [](mojo::PendingRemote<blink::mojom::PopupMenuClient> popup_client) { | 
|  | // Call DidCancel() so the renderer knows that the popup didn't open. | 
|  | mojo::Remote<blink::mojom::PopupMenuClient> bound_popup_client( | 
|  | std::move(popup_client)); | 
|  | bound_popup_client->DidCancel(); | 
|  | }; | 
|  |  | 
|  | // Do not open popups in an inactive document. | 
|  | if (!IsActive()) { | 
|  | // Sending this message requires user activation, which is impossible | 
|  | // for a prerendering document, so the renderer process should be | 
|  | // terminated. See | 
|  | // https://html.spec.whatwg.org/multipage/interaction.html#tracking-user-activation. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPrerendering) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_POPUP_REQUEST_WHILE_PRERENDERING); | 
|  | } else { | 
|  | // Only notify the renderer of the canceled popup if we didn't kill the | 
|  | // renderer above. | 
|  | send_did_cancel(std::move(popup_client)); | 
|  | } | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (delegate()->GetVisibility() != Visibility::VISIBLE) { | 
|  | // Don't create popups for hidden tabs. https://crbug.com/1521345 | 
|  | send_did_cancel(std::move(popup_client)); | 
|  | return; | 
|  | } | 
|  |  | 
|  | auto* view = render_view_host()->delegate_->GetDelegateView(); | 
|  | if (!view) { | 
|  | send_did_cancel(std::move(popup_client)); | 
|  | return; | 
|  | } | 
|  |  | 
|  | gfx::Point original_point(bounds.x(), bounds.y()); | 
|  | gfx::Point transformed_point = | 
|  | static_cast<RenderWidgetHostViewBase*>(GetView()) | 
|  | ->TransformPointToRootCoordSpace(original_point); | 
|  | gfx::Rect transformed_bounds(transformed_point.x(), transformed_point.y(), | 
|  | bounds.width(), bounds.height()); | 
|  | view->ShowPopupMenu(this, std::move(popup_client), transformed_bounds, | 
|  | font_size, selected_item, std::move(menu_items), | 
|  | right_aligned, allow_multiple_selection); | 
|  | #endif | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ShowContextMenu( | 
|  | mojo::PendingAssociatedRemote<blink::mojom::ContextMenuClient> | 
|  | context_menu_client, | 
|  | const blink::UntrustworthyContextMenuParams& params) { | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kShowContextMenu)) | 
|  | return; | 
|  |  | 
|  | // Validate the URLs in |params|.  If the renderer can't request the URLs | 
|  | // directly, don't show them in the context menu. | 
|  | ContextMenuParams validated_params(params); | 
|  | // Freshly constructed ContextMenuParams have empty `page_url` and `frame_url` | 
|  | // - populate them based on trustworthy, browser-side data. | 
|  | validated_params.page_url = GetOutermostMainFrame()->GetLastCommittedURL(); | 
|  | validated_params.frame_url = GetLastCommittedURL(); | 
|  | validated_params.frame_origin = GetLastCommittedOrigin(); | 
|  | validated_params.is_subframe = !!GetParentOrOuterDocument(); | 
|  |  | 
|  | // We don't validate |unfiltered_link_url| so that this field can be used | 
|  | // when users want to copy the original link URL. | 
|  | RenderProcessHost* process = GetProcess(); | 
|  | process->FilterURL(true, &validated_params.link_url); | 
|  | process->FilterURL(true, &validated_params.src_url); | 
|  | // In theory `page_url` and `frame_url` come from a trustworthy data source | 
|  | // (from the browser process) and therefore don't need to be validated via | 
|  | // FilterURL below.  In practice, some scenarios depend on clearing of the | 
|  | // `page_url` - see https://crbug.com/1285312. | 
|  | process->FilterURL(false, &validated_params.page_url); | 
|  | process->FilterURL(true, &validated_params.frame_url); | 
|  |  | 
|  | // It is necessary to transform the coordinates to account for nested | 
|  | // RenderWidgetHosts, such as with out-of-process iframes. | 
|  | gfx::Point original_point(validated_params.x, validated_params.y); | 
|  | gfx::Point transformed_point = | 
|  | static_cast<RenderWidgetHostViewBase*>(GetView()) | 
|  | ->TransformPointToRootCoordSpace(original_point); | 
|  | validated_params.x = transformed_point.x(); | 
|  | validated_params.y = transformed_point.y(); | 
|  |  | 
|  | if (validated_params.selection_start_offset < 0) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_NEGATIVE_SELECTION_START_OFFSET); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->ShowContextMenu(*this, std::move(context_menu_client), | 
|  | validated_params); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidLoadResourceFromMemoryCache( | 
|  | const GURL& url, | 
|  | const std::string& http_method, | 
|  | const std::string& mime_type, | 
|  | network::mojom::RequestDestination request_destination, | 
|  | bool include_credentials) { | 
|  | delegate_->DidLoadResourceFromMemoryCache(this, url, http_method, mime_type, | 
|  | request_destination, | 
|  | include_credentials); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeFrameOwnerProperties( | 
|  | const blink::FrameToken& child_frame_token, | 
|  | blink::mojom::FrameOwnerPropertiesPtr properties) { | 
|  | auto* child = | 
|  | FindAndVerifyChild(child_frame_token, bad_message::RFH_OWNER_PROPERTY); | 
|  | if (!child) | 
|  | return; | 
|  |  | 
|  | bool has_display_none_property_changed = | 
|  | properties->is_display_none != | 
|  | child->frame_owner_properties().is_display_none; | 
|  |  | 
|  | child->set_frame_owner_properties(*properties); | 
|  |  | 
|  | child->render_manager()->OnDidUpdateFrameOwnerProperties(*properties); | 
|  | if (has_display_none_property_changed) { | 
|  | delegate_->DidChangeDisplayState(child->current_frame_host(), | 
|  | properties->is_display_none); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeOpener( | 
|  | const std::optional<blink::LocalFrameToken>& opener_frame_token) { | 
|  | // `owner_` could be null when we get this message asynchronously from the | 
|  | // renderer in pending deletion state. | 
|  | if (!owner_) | 
|  | return; | 
|  |  | 
|  | owner_->GetRenderFrameHostManager().DidChangeOpener( | 
|  | opener_frame_token, GetSiteInstance()->group()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeIframeAttributes( | 
|  | const blink::FrameToken& child_frame_token, | 
|  | blink::mojom::IframeAttributesPtr attributes) { | 
|  | if (attributes->parsed_csp_attribute && | 
|  | !ValidateCSPAttribute( | 
|  | attributes->parsed_csp_attribute->header->header_value)) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::RFH_CSP_ATTRIBUTE); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (attributes->browsing_topics && | 
|  | !base::FeatureList::IsEnabled(network::features::kBrowsingTopics)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_RECEIVED_INVALID_BROWSING_TOPICS_ATTRIBUTE); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (attributes->shared_storage_writable_opted_in && | 
|  | (!base::FeatureList::IsEnabled(network::features::kSharedStorageAPI))) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_RECEIVED_INVALID_SHARED_STORAGE_WRITABLE_ATTRIBUTE); | 
|  | return; | 
|  | } | 
|  |  | 
|  | auto* child = FindAndVerifyChild( | 
|  | child_frame_token, bad_message::RFH_DID_CHANGE_IFRAME_ATTRIBUTE); | 
|  | if (!child) | 
|  | return; | 
|  |  | 
|  | child->SetAttributes(std::move(attributes)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeFramePolicy( | 
|  | const blink::FrameToken& child_frame_token, | 
|  | const blink::FramePolicy& frame_policy) { | 
|  | // Ensure that a frame can only update sandbox flags or permissions policy for | 
|  | // its immediate children.  If this is not the case, the renderer is | 
|  | // considered malicious and is killed. | 
|  | FrameTreeNode* child = FindAndVerifyChild( | 
|  | // TODO(iclelland): Rename this message | 
|  | child_frame_token, bad_message::RFH_SANDBOX_FLAGS); | 
|  | if (!child) | 
|  | return; | 
|  |  | 
|  | child->SetPendingFramePolicy(frame_policy); | 
|  |  | 
|  | // Notify the RenderFrame if it lives in a different process from its parent. | 
|  | // The frame's proxies in other processes also need to learn about the updated | 
|  | // flags and policy, but these notifications are sent later in | 
|  | // RenderFrameHostManager::CommitPendingFramePolicy(), when the frame | 
|  | // navigates and the new policies take effect. | 
|  | if (child->current_frame_host()->GetSiteInstance()->group() != | 
|  | GetSiteInstance()->group()) { | 
|  | child->current_frame_host() | 
|  | ->GetAssociatedLocalFrame() | 
|  | ->DidUpdateFramePolicy(frame_policy); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CapturePaintPreviewOfSubframe( | 
|  | const gfx::Rect& clip_rect, | 
|  | const base::UnguessableToken& guid) { | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kCapturePaintPreview)) | 
|  | return; | 
|  | // This should only be called on a subframe. | 
|  | if (IsOutermostMainFrame()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_SUBFRAME_CAPTURE_ON_MAIN_FRAME); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate()->CapturePaintPreviewOfCrossProcessSubframe(clip_rect, guid, this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetCloseListener( | 
|  | mojo::PendingRemote<blink::mojom::CloseListener> listener) { | 
|  | CloseListenerHost::GetOrCreateForCurrentDocument(this)->SetListener( | 
|  | std::move(listener)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindBrowserInterfaceBrokerReceiver( | 
|  | mojo::PendingReceiver<blink::mojom::BrowserInterfaceBroker> receiver) { | 
|  | DCHECK(receiver.is_valid()); | 
|  | if (frame_tree()->is_prerendering()) { | 
|  | // RenderFrameHostImpl will rebind the receiver end of | 
|  | // BrowserInterfaceBroker if it receives a new one sent from renderer | 
|  | // processes. It happens when renderer processes navigate to a new document, | 
|  | // see RenderFrameImpl::DidCommitNavigation() and | 
|  | // RenderFrameHostImpl::DidCommitNavigation(). So before binding a new | 
|  | // receiver end of BrowserInterfaceBroker, RenderFrameHostImpl should drop | 
|  | // all deferred binders to avoid connecting Mojo pipes with old documents. | 
|  | DCHECK(mojo_binder_policy_applier_) | 
|  | << "prerendering pages should have a policy applier"; | 
|  | mojo_binder_policy_applier_->DropDeferredBinders(); | 
|  | } | 
|  | broker_receiver_.Bind(std::move(receiver)); | 
|  | broker_receiver_.SetFilter( | 
|  | std::make_unique<internal::ActiveUrlMessageFilter>(this)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindAssociatedInterfaceProviderReceiver( | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::AssociatedInterfaceProvider> | 
|  | receiver) { | 
|  | DCHECK(receiver.is_valid()); | 
|  | associated_interface_provider_receiver_.Bind(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindDomOperationControllerHostReceiver( | 
|  | mojo::PendingAssociatedReceiver<mojom::DomAutomationControllerHost> | 
|  | receiver) { | 
|  | DCHECK(receiver.is_valid()); | 
|  | // In the renderer side, the remote is document-associated so the receiver on | 
|  | // the browser side can be reused after a cross-document navigation. | 
|  | // TODO(dcheng): Make this document-associated? | 
|  | dom_automation_controller_receiver_.reset(); | 
|  | dom_automation_controller_receiver_.Bind(std::move(receiver)); | 
|  | dom_automation_controller_receiver_.SetFilter( | 
|  | CreateMessageFilterForAssociatedReceiver( | 
|  | mojom::DomAutomationControllerHost::Name_)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetKeepAliveTimeoutForTesting( | 
|  | base::TimeDelta timeout) { | 
|  | keep_alive_handle_factory_.set_timeout(timeout); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateState(const blink::PageState& state) { | 
|  | OPTIONAL_TRACE_EVENT1("content", "RenderFrameHostImpl::UpdateState", | 
|  | "render_frame_host", this); | 
|  | // TODO(creis): Verify the state's ISN matches the last committed FNE. | 
|  |  | 
|  | // Without this check, the renderer can trick the browser into using | 
|  | // filenames it can't access in a future session restore. | 
|  | if (!CanAccessFilesOfPageState(state)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_CAN_ACCESS_FILES_OF_PAGE_STATE); | 
|  | return; | 
|  | } | 
|  |  | 
|  | frame_tree_->controller().UpdateStateForFrame(this, state); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OpenURL(blink::mojom::OpenURLParamsPtr params) { | 
|  | // Verify and unpack the Mojo payload. | 
|  | GURL validated_url; | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory; | 
|  | if (!VerifyOpenURLParams(this, GetProcess(), params, &validated_url, | 
|  | &blob_url_loader_factory)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If the flag `is_unfenced_top_navigation` is set, this is a special code | 
|  | // path for MPArch fenced frames. The target frame doesn't have a handle | 
|  | // inside the MPArch renderer process, so we need to set it here. | 
|  | // TODO(crbug.com/40221940): Refactor _unfencedTop handling. | 
|  | if (params->is_unfenced_top_navigation) { | 
|  | GURL validated_params_url = params->url; | 
|  |  | 
|  | // Check that the IPC parameters are valid and that the navigation | 
|  | // is allowed. | 
|  | // TODO(crbug.com/40221940): When this handling is refactored into a | 
|  | // separate IPC, make sure that the checks from VerifyOpenURLParams above | 
|  | // are not unintentionally weakened. | 
|  | if (!ValidateUnfencedTopNavigation( | 
|  | this, validated_params_url, GetProcess()->GetDeprecatedID(), | 
|  | params->post_body, params->user_gesture)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | TRACE_EVENT1("navigation", "RenderFrameHostImpl::OpenURL(_unfencedTop)", | 
|  | "url", validated_params_url.possibly_invalid_spec()); | 
|  |  | 
|  | // There are some relevant parameter changes to note: | 
|  | // Change the navigation target to the outermost frame. | 
|  | // This does not escape GuestViews. | 
|  | // - We don't want _unfencedTop navigations to escape a GuestView | 
|  | //   (<webview>) and affect their embedder. | 
|  | RenderFrameHostImpl* target_frame = GetOutermostMainFrame(); | 
|  |  | 
|  | // Change `should_replace_current_entry` to false. | 
|  | // Fenced frames are enforced to have a history of length 1. Because the | 
|  | // renderer thinks this navigation is to the fenced frame root, it sets | 
|  | // `should_replace_current_entry` to true, but we do not want this | 
|  | // restriction for navigations outside the fenced frame. | 
|  | // TODO(crbug.com/40221940): Make sure that the browser doesn't rely on | 
|  | // whether the renderer says we should replace the current entry, i.e. | 
|  | // make sure there are no situations where we should actually replace the | 
|  | // current entry but don't, due to this line. | 
|  | bool should_replace_current_entry = false; | 
|  |  | 
|  | // TODO(crbug.com/40221940): Null out the initiator origin, frame token, and | 
|  | // site instance. | 
|  | // We use an opaque `initiator_origin` in order to avoid leaking | 
|  | // information from the fenced frame to its embedder. (The navigation will | 
|  | // be treated as cross-origin unconditionally.) We don't need to provide a | 
|  | // `source_site_instance`. | 
|  | // url::Origin initiator_origin; | 
|  |  | 
|  | // TODO(crbug.com/40193166): Resolve the discussion of download policy. | 
|  | blink::NavigationDownloadPolicy download_policy; | 
|  |  | 
|  | MaybeRecordAdClickMainFrameNavigationMetrics( | 
|  | /*initiator_frame=*/this, params->initiator_activation_and_ad_status); | 
|  |  | 
|  | target_frame->frame_tree_node()->navigator().NavigateFromFrameProxy( | 
|  | target_frame, validated_params_url, | 
|  | base::OptionalToPtr(params->initiator_frame_token), | 
|  | GetProcess()->GetDeprecatedID(), params->initiator_origin, | 
|  | params->initiator_base_url, GetSiteInstance(), content::Referrer(), | 
|  | ui::PAGE_TRANSITION_LINK, should_replace_current_entry, download_policy, | 
|  | "GET", | 
|  | /*post_body=*/nullptr, params->extra_headers, | 
|  | /*blob_url_loader_factory=*/nullptr, | 
|  | network::mojom::SourceLocation::New(), /*has_user_gesture=*/false, | 
|  | params->is_form_submission, params->impression, | 
|  | params->initiator_activation_and_ad_status, | 
|  | params->actual_navigation_start, | 
|  | /*navigation_start_time=*/base::TimeTicks::Now(), | 
|  | /*is_embedder_initiated_fenced_frame_navigation=*/false, | 
|  | /*is_unfenced_top_navigation=*/true, | 
|  | /*force_new_browsing_instance=*/true, /*is_container_initiated=*/false, | 
|  | params->has_rel_opener, params->storage_access_api_status); | 
|  | return; | 
|  | } | 
|  |  | 
|  | TRACE_EVENT1("navigation", "RenderFrameHostImpl::OpenURL", "url", | 
|  | validated_url.possibly_invalid_spec()); | 
|  |  | 
|  | if (params->initiator_frame_token) { | 
|  | RenderFrameHostImpl* initiator_frame = RenderFrameHostImpl::FromFrameToken( | 
|  | GetProcess()->GetDeprecatedID(), params->initiator_frame_token.value()); | 
|  |  | 
|  | // Try recording the AdClickMainFrameNavigation use counter for navigation | 
|  | // targeting this page's main frame, or targeting a new tab. | 
|  | if (params->disposition != WindowOpenDisposition::CURRENT_TAB || | 
|  | IsOutermostMainFrame()) { | 
|  | MaybeRecordAdClickMainFrameNavigationMetrics( | 
|  | initiator_frame, params->initiator_activation_and_ad_status); | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameHostOwner* owner = owner_; | 
|  | // Inactive documents are not allowed to initiate navigations. | 
|  | // Also, see a similar check in RenderFrameHostImpl::BeginNavigation at | 
|  | // https://source.chromium.org/chromium/chromium/src/+/main:content/browser/renderer_host/render_frame_host_impl.cc;l=7761-7769;drc=6dc39d60fea45c003424272efdb4c366119a9d7f | 
|  | if (!owner) { | 
|  | return; | 
|  | } | 
|  | // TODO(crbug.com/385170155): Consider whether to pass actual_navigation_start | 
|  | // through this path as well, which may involve a lot of plumbing. | 
|  | owner->GetCurrentNavigator().RequestOpenURL( | 
|  | this, validated_url, base::OptionalToPtr(params->initiator_frame_token), | 
|  | GetProcess()->GetDeprecatedID(), params->initiator_origin, | 
|  | params->initiator_base_url, params->post_body, params->extra_headers, | 
|  | params->referrer.To<content::Referrer>(), params->disposition, | 
|  | params->should_replace_current_entry, params->user_gesture, | 
|  | params->triggering_event_info, params->href_translate, | 
|  | std::move(blob_url_loader_factory), params->impression, | 
|  | params->has_rel_opener); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetAssociatedInterface( | 
|  | const std::string& name, | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::AssociatedInterface> | 
|  | receiver) { | 
|  | // `associated_interface_provider_receiver_` and `associated_registry_` are | 
|  | // both reset at the same time, so we should never get a request for an | 
|  | // associated interface when `associated_registry_` is not valid. | 
|  | DCHECK(associated_registry_); | 
|  |  | 
|  | // Perform Mojo capability control if `mojo_binder_policy_applier_` exists. | 
|  | if (mojo_binder_policy_applier_ && | 
|  | !mojo_binder_policy_applier_->ApplyPolicyToAssociatedBinder(name)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | mojo::ScopedInterfaceEndpointHandle handle = receiver.PassHandle(); | 
|  | if (associated_registry_->TryBindInterface(name, &handle)) | 
|  | return; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidStopLoading() { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::DidStopLoading", | 
|  | ChromeTrackEvent::kRenderFrameHost, this); | 
|  |  | 
|  | // This may be called for newly created frames when the frame is not loading | 
|  | // that navigate to about:blank, as well as history navigations during | 
|  | // BeforeUnload or Unload events. | 
|  | // TODO(fdegans): Change this to a DCHECK after LoadEventProgress has been | 
|  | // refactored in Blink. See crbug.com/466089 | 
|  | if (!is_loading()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // During prerendering, DidStopLoading is dispatched to | 
|  | // PrerenderHost::DidStopLoading, not WebContentsObserver::DidStopLoading. To | 
|  | // dispatch the event to WebContentsObserver on activation later, set the flag | 
|  | // here. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPrerendering) { | 
|  | document_associated_data_->set_pending_did_stop_loading_for_prerendering(); | 
|  | } | 
|  |  | 
|  | was_discarded_ = false; | 
|  | loading_state_ = LoadingState::NONE; | 
|  |  | 
|  | if (IsInPrimaryMainFrame()) { | 
|  | // After resetting the tracker, it will asynchronously receive the | 
|  | // statistics from the GPU process, and update UMA stats. | 
|  | GetPage().ResetLoadingMemoryTracker(); | 
|  | } | 
|  |  | 
|  | // Only inform the FrameTreeNode of a change in load state if the load state | 
|  | // of this RenderFrameHost is being tracked. | 
|  | // This async Mojo method can be called from the renderer before entering | 
|  | // BFCache but the message can arrive here after it. | 
|  | if (!IsPendingDeletion() && !IsInBackForwardCache()) { | 
|  | DCHECK(owner_);  // See `owner_` invariants about IsPendingDeletion() and | 
|  | // IsInBackForwardCache(). | 
|  | owner_->DidStopLoading(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetSavableResourceLinksCallback( | 
|  | blink::mojom::GetSavableResourceLinksReplyPtr reply) { | 
|  | if (!reply) { | 
|  | delegate_->SavableResourceLinksError(this); | 
|  | return; | 
|  | } | 
|  |  | 
|  | delegate_->SavableResourceLinksResponse(this, reply->resources_list, | 
|  | std::move(reply->referrer), | 
|  | reply->subframes); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DomOperationResponse(const std::string& json_string) { | 
|  | delegate_->DomOperationResponse(this, json_string); | 
|  | } | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | RenderFrameHostImpl::CreateCrossOriginPrefetchLoaderFactoryBundle() { | 
|  | // IPCs coming from the renderer talk on behalf of the last-committed | 
|  | // navigation.  This also applies to IPCs asking for a prefetch factory | 
|  | // bundle. | 
|  | auto subresource_loader_factories_config = | 
|  | SubresourceLoaderFactoriesConfig::ForLastCommittedNavigation(*this); | 
|  | network::mojom::URLLoaderFactoryParamsPtr factory_params = | 
|  | URLLoaderFactoryParamsHelper::CreateForPrefetch( | 
|  | this, subresource_loader_factories_config.GetClientSecurityState(), | 
|  | subresource_loader_factories_config.cookie_setting_overrides()); | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> pending_default_factory; | 
|  | bool bypass_redirect_checks = false; | 
|  | // Passing an empty IsolationInfo ensures the factory is not initialized with | 
|  | // a IsolationInfo. This is necessary for a cross-origin prefetch factory | 
|  | // because the factory must use the value provided by requests going through | 
|  | // it. | 
|  | bypass_redirect_checks = CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | std::move(factory_params), | 
|  | subresource_loader_factories_config.ukm_source_id(), | 
|  | pending_default_factory.InitWithNewPipeAndPassReceiver()); | 
|  |  | 
|  | return std::make_unique<blink::PendingURLLoaderFactoryBundle>( | 
|  | std::move(pending_default_factory), | 
|  | blink::PendingURLLoaderFactoryBundle::SchemeMap(), | 
|  | CreateURLLoaderFactoriesForIsolatedWorlds( | 
|  | subresource_loader_factories_config, | 
|  | isolated_worlds_requiring_separate_url_loader_factory_), | 
|  | /*local_resource_loader_config=*/nullptr, bypass_redirect_checks); | 
|  | } | 
|  |  | 
|  | base::WeakPtr<RenderFrameHostImpl> RenderFrameHostImpl::GetWeakPtr() { | 
|  | return weak_ptr_factory_.GetWeakPtr(); | 
|  | } | 
|  |  | 
|  | base::SafeRef<RenderFrameHostImpl> RenderFrameHostImpl::GetSafeRef() const { | 
|  | return weak_ptr_factory_.GetSafeRef(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateNewWindow( | 
|  | mojom::CreateNewWindowParamsPtr params, | 
|  | CreateNewWindowCallback callback) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | TRACE_EVENT2("navigation", "RenderFrameHostImpl::CreateNewWindow", | 
|  | "render_frame_host", this, "url", params->target_url); | 
|  |  | 
|  | // These checks ensure malformed partitioned popins cannot be created. | 
|  | // Most of these checks should already have been done by the renderer. | 
|  | // See https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | if (params->features && params->features->is_partitioned_popin) { | 
|  | if (!base::FeatureList::IsEnabled(blink::features::kPartitionedPopins)) { | 
|  | frame_host_associated_receiver_.ReportBadMessage( | 
|  | "Partitioned popins not permitted."); | 
|  | return; | 
|  | } | 
|  | if (ShouldPartitionAsPopin()) { | 
|  | frame_host_associated_receiver_.ReportBadMessage( | 
|  | "Partitioned popins cannot open their own popin."); | 
|  | return; | 
|  | } | 
|  | if (!GetLastCommittedURL().SchemeIs(url::kHttpsScheme)) { | 
|  | frame_host_associated_receiver_.ReportBadMessage( | 
|  | "Partitioned popins must be opened from https URLs."); | 
|  | return; | 
|  | } | 
|  | if (!params->target_url.SchemeIs(url::kHttpsScheme)) { | 
|  | frame_host_associated_receiver_.ReportBadMessage( | 
|  | "Partitioned popins can only open https URLs."); | 
|  | return; | 
|  | } | 
|  | if (delegate()->GetOpenedPartitionedPopin()) { | 
|  | // Each window can have at most one partitioned popin. Unlike the other | 
|  | // errors above, this one is handled by the browser process only as the | 
|  | // renderer does not know if there is an open popin. | 
|  | // See https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "Only one partitioned popin can be active at a time."); | 
|  | std::move(callback).Run(mojom::CreateNewWindowStatus::kBlocked, nullptr); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Only top-most frames can open picture-in-picture windows. | 
|  | if (params->disposition == WindowOpenDisposition::NEW_PICTURE_IN_PICTURE && | 
|  | GetParentOrOuterDocumentOrEmbedder()) { | 
|  | frame_host_associated_receiver_.ReportBadMessage( | 
|  | "Only top-most frames can open picture-in-picture windows."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Fenced frames that have revoked network access can't open popups. | 
|  | if (base::FeatureList::IsEnabled( | 
|  | blink::features::kFencedFramesLocalUnpartitionedDataAccess)) { | 
|  | const std::optional<FencedFrameProperties>& | 
|  | initiator_fenced_frame_properties = | 
|  | frame_tree_node()->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot); | 
|  | if (initiator_fenced_frame_properties.has_value() && | 
|  | initiator_fenced_frame_properties | 
|  | ->HasDisabledNetworkForCurrentFrameTree()) { | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "Popup creation is not allowed after the fenced frame's " | 
|  | "network has been disabled."); | 
|  | std::move(callback).Run(mojom::CreateNewWindowStatus::kBlocked, nullptr); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | bool no_javascript_access = false; | 
|  |  | 
|  | // Filter out URLs to which navigation is disallowed from this context. | 
|  | GetProcess()->FilterURL(false, ¶ms->target_url); | 
|  |  | 
|  | bool effective_transient_activation_state = | 
|  | params->allow_popup || HasTransientUserActivation() || | 
|  | (transient_allow_popup_.IsActive() && | 
|  | params->disposition == WindowOpenDisposition::NEW_POPUP); | 
|  |  | 
|  | // Ignore window creation when sent from a frame that's not active or | 
|  | // created. | 
|  | bool can_create_window = | 
|  | IsActive() && is_render_frame_created() && | 
|  | GetContentClient()->browser()->CanCreateWindow( | 
|  | this, GetLastCommittedURL(), | 
|  | GetOutermostMainFrame()->GetLastCommittedURL(), | 
|  | last_committed_origin_, params->window_container_type, | 
|  | params->target_url, params->referrer.To<Referrer>(), | 
|  | params->frame_name, params->disposition, *params->features, | 
|  | effective_transient_activation_state, params->opener_suppressed, | 
|  | &no_javascript_access); | 
|  |  | 
|  | // If this frame isn't allowed to create a window, return early (before we | 
|  | // consume transient user activation). | 
|  | if (!can_create_window) { | 
|  | std::move(callback).Run(mojom::CreateNewWindowStatus::kBlocked, nullptr); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Otherwise, consume user activation before we proceed. In particular, it is | 
|  | // important to do this before we return from the |opener_suppressed| case | 
|  | // below. | 
|  | // NB: This call will consume activations in the browser and the remote frame | 
|  | // proxies for this frame. The initiating renderer will consume its view of | 
|  | // the activations after we return. | 
|  |  | 
|  | // See `owner_` invariants about `IsActive()`, which is implied by | 
|  | // `can_create_window`. | 
|  | CHECK(owner_); | 
|  | bool was_consumed = owner_->UpdateUserActivationState( | 
|  | blink::mojom::UserActivationUpdateType::kConsumeTransientActivation, | 
|  | blink::mojom::UserActivationNotificationType::kNone); | 
|  |  | 
|  | // For Android WebView, we support a pop-up like behavior for window.open() | 
|  | // even if the embedding app doesn't support multiple windows. In this case, | 
|  | // window.open() will return "window" and navigate it to whatever URL was | 
|  | // passed. | 
|  | if (!GetOrCreateWebPreferences().supports_multiple_windows) { | 
|  | std::move(callback).Run(mojom::CreateNewWindowStatus::kReuse, nullptr); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // This will clone the sessionStorage for namespace_id_to_clone. | 
|  | StoragePartition* storage_partition = GetStoragePartition(); | 
|  | DOMStorageContextWrapper* dom_storage_context = | 
|  | static_cast<DOMStorageContextWrapper*>( | 
|  | storage_partition->GetDOMStorageContext()); | 
|  |  | 
|  | scoped_refptr<SessionStorageNamespaceImpl> cloned_namespace; | 
|  | if (!params->clone_from_session_storage_namespace_id.empty()) { | 
|  | cloned_namespace = SessionStorageNamespaceImpl::CloneFrom( | 
|  | dom_storage_context, params->session_storage_namespace_id, | 
|  | params->clone_from_session_storage_namespace_id); | 
|  | } else { | 
|  | cloned_namespace = SessionStorageNamespaceImpl::Create( | 
|  | dom_storage_context, params->session_storage_namespace_id); | 
|  | } | 
|  |  | 
|  | if (IsCredentialless() || IsNestedWithinFencedFrame() || | 
|  | CoopSuppressOpener(/*opener=*/this)) { | 
|  | params->opener_suppressed = true; | 
|  | // TODO(crbug.com/40679181) This should be applied to all | 
|  | // popups opened with noopener. | 
|  | params->frame_name.clear(); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* top_level_opener = GetMainFrame(); | 
|  | int popup_virtual_browsing_context_group = | 
|  | params->opener_suppressed | 
|  | ? CrossOriginOpenerPolicyAccessReportManager:: | 
|  | NextVirtualBrowsingContextGroup() | 
|  | : top_level_opener->virtual_browsing_context_group(); | 
|  | int popup_soap_by_default_virtual_browsing_context_group = | 
|  | params->opener_suppressed | 
|  | ? CrossOriginOpenerPolicyAccessReportManager:: | 
|  | NextVirtualBrowsingContextGroup() | 
|  | : top_level_opener->soap_by_default_virtual_browsing_context_group(); | 
|  |  | 
|  | // If the opener is suppressed or script access is disallowed, we should | 
|  | // open the window in a new BrowsingInstance, and thus a new process. That | 
|  | // means the current renderer process will not be able to route messages to | 
|  | // it. Because of this, we will immediately show and navigate the window | 
|  | // in OnCreateNewWindowOnUI, using the params provided here. | 
|  | bool is_new_browsing_instance = | 
|  | params->opener_suppressed || no_javascript_access; | 
|  |  | 
|  | DCHECK(IsRenderFrameLive()); | 
|  |  | 
|  | // The non-owning pointer |new_frame_tree| is valid in this stack frame since | 
|  | // nothing can delete it until this thread is freed up again. | 
|  | FrameTree* new_frame_tree = | 
|  | delegate_->CreateNewWindow(this, *params, is_new_browsing_instance, | 
|  | was_consumed, cloned_namespace.get()); | 
|  |  | 
|  | transient_allow_popup_.Deactivate(); | 
|  |  | 
|  | MaybeRecordAdClickMainFrameNavigationMetrics( | 
|  | /*initiator_frame=*/this, params->initiator_activation_and_ad_status); | 
|  |  | 
|  | if (is_new_browsing_instance || !new_frame_tree) { | 
|  | // Opener suppressed, Javascript access disabled, or delegate did not | 
|  | // provide a handle to any windows it created. In these cases, never tell | 
|  | // the renderer about the new window. | 
|  | std::move(callback).Run(mojom::CreateNewWindowStatus::kIgnore, nullptr); | 
|  | return; | 
|  | } | 
|  |  | 
|  | DCHECK(!params->opener_suppressed); | 
|  |  | 
|  | RenderFrameHostImpl* new_main_rfh = | 
|  | new_frame_tree->root()->current_frame_host(); | 
|  |  | 
|  | new_main_rfh->virtual_browsing_context_group_ = | 
|  | popup_virtual_browsing_context_group; | 
|  | new_main_rfh->soap_by_default_virtual_browsing_context_group_ = | 
|  | popup_soap_by_default_virtual_browsing_context_group; | 
|  |  | 
|  | // COOP and COOP reporter are inherited from the opener to the popup's initial | 
|  | // empty document. | 
|  | if (IsOpenerSameOriginFrame(/*opener=*/this) && | 
|  | GetMainFrame()->coop_access_report_manager()->coop_reporter()) { | 
|  | new_main_rfh->SetCrossOriginOpenerPolicyReporter( | 
|  | std::make_unique<CrossOriginOpenerPolicyReporter>( | 
|  | GetProcess()->GetStoragePartition(), GetLastCommittedURL(), | 
|  | params->referrer->url, | 
|  | // TODO(crbug.com/40879437): See if we need to send the | 
|  | // origin to reporters as well. | 
|  | new_main_rfh->cross_origin_opener_policy(), GetReportingSource(), | 
|  | isolation_info_.network_anonymization_key())); | 
|  | } | 
|  |  | 
|  | new_main_rfh->SetMojomFrameRemote(std::move(params->frame_remote)); | 
|  | new_main_rfh->BindBrowserInterfaceBrokerReceiver( | 
|  | std::move(params->main_frame_interface_broker)); | 
|  | new_main_rfh->BindAssociatedInterfaceProviderReceiver( | 
|  | std::move(params->associated_interface_provider)); | 
|  | new_main_rfh->render_view_host()->BindPageBroadcast( | 
|  | std::move(params->page_broadcast_remote)); | 
|  | auto* new_rwh = new_main_rfh->GetLocalRenderWidgetHost(); | 
|  | new_rwh->BindWidgetInterfaces(std::move(params->widget_host), | 
|  | std::move(params->widget)); | 
|  | new_rwh->BindFrameWidgetInterfaces(std::move(params->frame_widget_host), | 
|  | std::move(params->frame_widget)); | 
|  |  | 
|  | bool wait_for_debugger = | 
|  | devtools_instrumentation::ShouldWaitForDebuggerInWindowOpen(); | 
|  |  | 
|  | // We must send access information relative to the popin opener in order for | 
|  | // the renderer to properly conduct checks. | 
|  | // See https://explainers-by-googlers.github.io/partitioned-popins/ | 
|  | blink::mojom::PartitionedPopinParamsPtr partitioned_popin_params = nullptr; | 
|  | if (new_main_rfh->ShouldPartitionAsPopin()) { | 
|  | partitioned_popin_params = new_main_rfh->delegate() | 
|  | ->GetPartitionedPopinOpenerProperties() | 
|  | .AsMojom(); | 
|  | } | 
|  |  | 
|  | // NOTE: if the call to ShowCreatedWindow() below returns nullptr, then | 
|  | // new_frame_tree, new_main_rfh, and new_main_rwh will all have been destroyed | 
|  | // and point to freed memory! To preserve legacy behavior, we still need to | 
|  | // send a fully-populated reply along with kSuccess, so we construct the reply | 
|  | // here prior to ShowCreatedWindow(). | 
|  |  | 
|  | blink::VisualProperties visual_properties; | 
|  | // If we can't get an accurate set of VisualProperties after ShowCreatedWindow | 
|  | // below, we at least want to transmit screen info based on the screen of the | 
|  | // initiating frame, which is what new_rwh is constructed with. | 
|  | visual_properties.screen_infos = new_rwh->GetScreenInfos(); | 
|  | mojom::CreateNewWindowReplyPtr reply = mojom::CreateNewWindowReply::New( | 
|  | new_main_rfh->GetFrameToken(), new_main_rfh->GetRoutingID(), | 
|  | new_rwh->GetRoutingID(), visual_properties, cloned_namespace->id(), | 
|  | new_main_rfh->GetDevToolsFrameToken(), wait_for_debugger, | 
|  | new_main_rfh->GetDocumentToken(), | 
|  | new_main_rfh->policy_container_host()->CreatePolicyContainerForBlink(), | 
|  | new_main_rfh->GetSiteInstance()->browsing_instance_token(), | 
|  | delegate_->GetColorProviderColorMaps(), | 
|  | std::move(partitioned_popin_params), /*widget_screen_rect=*/std::nullopt, | 
|  | /*window_screen_rect=*/std::nullopt); | 
|  |  | 
|  | new_main_rfh->render_view_host()->RenderViewCreated(new_main_rfh); | 
|  |  | 
|  | if (base::FeatureList::IsEnabled(blink::features::kCombineNewWindowIPCs)) { | 
|  | // ShowCreatedWindow will return nullptr if the new WebContents has been | 
|  | // destroyed, as described above (see NOTE). | 
|  | WebContents* shown_contents = delegate()->ShowCreatedWindow( | 
|  | this, new_rwh->GetRoutingID(), params->disposition, *params->features, | 
|  | params->consumes_user_activation); | 
|  |  | 
|  | if (!shown_contents) { | 
|  | // These point to freed memory, so null them out to prevent inadvertent | 
|  | // UAF in the future (see NOTE above). | 
|  | new_frame_tree = nullptr; | 
|  | new_main_rfh = nullptr; | 
|  | new_rwh = nullptr; | 
|  | } else if (new_main_rfh->GetView()) { | 
|  | // Cannot populate window geometry until after ShowCreatedWindow(). | 
|  | reply->widget_screen_rect.emplace( | 
|  | new_main_rfh->GetView()->GetViewBounds()); | 
|  | reply->window_screen_rect.emplace( | 
|  | new_main_rfh->GetView()->GetBoundsInRootWindow()); | 
|  | reply->visual_properties = new_rwh->GetVisualProperties(); | 
|  | } | 
|  | } | 
|  |  | 
|  | std::move(callback).Run(mojom::CreateNewWindowStatus::kSuccess, | 
|  | std::move(reply)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendLegacyTechEvent( | 
|  | const std::string& type, | 
|  | blink::mojom::LegacyTechEventCodeLocationPtr code_location) { | 
|  | GetContentClient()->browser()->ReportLegacyTechEvent( | 
|  | this, type, | 
|  | /*url=*/GetOutermostMainFrameOrEmbedder()->GetLastCommittedURL(), | 
|  | /*frame_url=*/GetLastCommittedURL(), code_location->filename, | 
|  | code_location->line, code_location->column, std::nullopt); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendPrivateAggregationRequestsForFencedFrameEvent( | 
|  | const std::string& event_type) { | 
|  | if (!base::FeatureList::IsEnabled(blink::features::kPrivateAggregationApi) || | 
|  | !blink::features::kPrivateAggregationApiEnabledInProtectedAudience | 
|  | .Get()) { | 
|  | mojo::ReportBadMessage( | 
|  | "Private Aggregation must be enabled in Protected Audience to use " | 
|  | "reportEvent() for private aggregation events."); | 
|  | return; | 
|  | } | 
|  | // Only check if the event type starts with "reserved." - We allow event types | 
|  | // like "myevent.reserved.name". | 
|  | if (base::StartsWith(event_type, blink::kFencedFrameReservedPAEventPrefix)) { | 
|  | mojo::ReportBadMessage("Reserved events cannot be triggered manually."); | 
|  | return; | 
|  | } | 
|  | const std::optional<FencedFrameProperties>& fenced_frame_properties = | 
|  | frame_tree_node_->GetFencedFrameProperties(); | 
|  | if (!fenced_frame_properties.has_value()) { | 
|  | // No associated fenced frame properties. This should have been captured | 
|  | // in the renderer process at `Fence::reportEvent`. | 
|  | // This implies there is an inconsistency between the browser and the | 
|  | // renderer. | 
|  | mojo::ReportBadMessage( | 
|  | "This frame had fenced frame properties registered in its renderer " | 
|  | "process but not in its browser process. This should be consistent " | 
|  | "between the two."); | 
|  | return; | 
|  | } | 
|  | if (!fenced_frame_properties->fenced_frame_reporter()) { | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kWarning, | 
|  | "This frame was loaded with a FencedFrameConfig that did not have any " | 
|  | "reporting metadata associated with it (via selectURL()'s " | 
|  | "reportingMetadata or Protected Audience's registerAdBeacon())."); | 
|  | return; | 
|  | } | 
|  | if (!fenced_frame_properties->mapped_url().has_value() || | 
|  | !GetLastCommittedOrigin().IsSameOriginWith( | 
|  | url::Origin::Create(fenced_frame_properties->mapped_url() | 
|  | ->GetValueIgnoringVisibility()))) { | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "This frame is cross-origin to the mapped url of its fenced frame " | 
|  | "config and cannot report a Private Aggregation event."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | fenced_frame_properties->fenced_frame_reporter() | 
|  | ->SendPrivateAggregationRequestsForEvent(event_type); | 
|  | } | 
|  |  | 
|  | std::vector<FencedFrame*> RenderFrameHostImpl::GetFencedFrames() const { | 
|  | std::vector<FencedFrame*> result; | 
|  | for (const std::unique_ptr<FencedFrame>& fenced_frame : fenced_frames_) | 
|  | result.push_back(fenced_frame.get()); | 
|  | return result; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DestroyFencedFrame(FencedFrame& fenced_frame) { | 
|  | auto it = std::ranges::find_if(fenced_frames_, | 
|  | base::MatchesUniquePtr(&fenced_frame)); | 
|  | CHECK(it != fenced_frames_.end()); | 
|  |  | 
|  | RenderFrameHostImpl* inner_root = (*it)->GetInnerRoot(); | 
|  | std::optional<FencedFrameProperties> root_properties = | 
|  | inner_root->frame_tree_node()->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot); | 
|  | if (root_properties.has_value() && | 
|  | root_properties->HasDisabledNetworkForCurrentFrameTree()) { | 
|  | // When a fenced frame is removed, any nonces used to revoke the frame's | 
|  | // network access no longer need to be tracked. | 
|  | StoragePartitionImpl* storage_partition = inner_root->GetStoragePartition(); | 
|  | storage_partition->ClearNoncesInNetworkContextAfterDelay({ | 
|  | root_properties->partition_nonce()->GetValueIgnoringVisibility(), | 
|  | inner_root->GetPage().credentialless_iframes_nonce(), | 
|  | }); | 
|  | } | 
|  |  | 
|  | fenced_frames_.erase(it); | 
|  | // An ancestor's network revocation status could've changed as a result of | 
|  | // this fenced frame being removed. | 
|  | GetOutermostMainFrame()->CalculateUntrustedNetworkStatus(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::TakeGuestOwnership( | 
|  | std::unique_ptr<GuestPageHolderImpl> guest_page) { | 
|  | guest_pages_.push_back(std::move(guest_page)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DestroyGuestPage( | 
|  | const FrameTreeNode* child_frame_tree_node) { | 
|  | CHECK_EQ(this, child_frame_tree_node->parent()); | 
|  | std::erase_if(guest_pages_, [&](const auto& guest_page) { | 
|  | return child_frame_tree_node->frame_tree_node_id() == | 
|  | guest_page->GetOuterDelegateFrameTreeNodeId(); | 
|  | }); | 
|  | } | 
|  |  | 
|  | GuestPageHolderImpl* RenderFrameHostImpl::FindGuestPageHolder( | 
|  | const FrameTreeNode* child_frame_tree_node) { | 
|  | CHECK_EQ(this, child_frame_tree_node->parent()); | 
|  | for (const std::unique_ptr<GuestPageHolderImpl>& guest_page : guest_pages_) { | 
|  | if (child_frame_tree_node->frame_tree_node_id() == | 
|  | guest_page->GetOuterDelegateFrameTreeNodeId()) { | 
|  | return guest_page.get(); | 
|  | } | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateFencedFrame( | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::FencedFrameOwnerHost> | 
|  | pending_receiver, | 
|  | blink::mojom::RemoteFrameInterfacesFromRendererPtr remote_frame_interfaces, | 
|  | const blink::RemoteFrameToken& frame_token, | 
|  | const base::UnguessableToken& devtools_frame_token) { | 
|  | // We should defer fenced frame creation during prerendering, so creation at | 
|  | // this point is an error. | 
|  | if (GetLifecycleState() == RenderFrameHost::LifecycleState::kPrerendering) { | 
|  | bad_message::ReceivedBadMessage(GetProcess(), | 
|  | bad_message::FF_CREATE_WHILE_PRERENDERING); | 
|  | return; | 
|  | } | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_FENCED_FRAME_MOJO_WHEN_DISABLED); | 
|  | return; | 
|  | } | 
|  | // Cannot create a fenced frame in a sandbox iframe which doesn't allow | 
|  | // features that need to be allowed in the fenced frame. | 
|  | if (IsSandboxed(blink::kFencedFrameMandatoryUnsandboxedFlags)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_CREATE_FENCED_FRAME_IN_SANDBOXED_FRAME); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Check that we have a unique `frame_token`. | 
|  | if (RenderFrameProxyHost::IsFrameTokenInUse(frame_token)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFHI_CREATE_FENCED_FRAME_BAD_FRAME_TOKEN); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Ensure the devtools frame token doesn't exist in the FrameTree for | 
|  | // this tab. | 
|  | for (FrameTreeNode* node : | 
|  | GetOutermostMainFrame()->frame_tree()->NodesIncludingInnerTreeNodes()) { | 
|  | if (node->current_frame_host()->devtools_frame_token() == | 
|  | devtools_frame_token) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFHI_CREATE_FENCED_FRAME_BAD_DEVTOOLS_FRAME_TOKEN); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Inactive pages cannot create fenced frames. If the page is in the BFCache, | 
|  | // it will be evicted. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kCreateFencedFrame)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | fenced_frames_.push_back(std::make_unique<FencedFrame>( | 
|  | weak_ptr_factory_.GetSafeRef(), was_discarded_)); | 
|  | FencedFrame* fenced_frame = fenced_frames_.back().get(); | 
|  | RenderFrameProxyHost* proxy_host = | 
|  | fenced_frame->InitInnerFrameTreeAndReturnProxyToOuterFrameTree( | 
|  | std::move(remote_frame_interfaces), frame_token, | 
|  | devtools_frame_token); | 
|  | fenced_frame->Bind(std::move(pending_receiver)); | 
|  |  | 
|  | // Since the fenced frame is newly created and has yet to commit a navigation, | 
|  | // this state is default-constructed. | 
|  | const blink::mojom::FrameReplicationState& initial_replicated_state = | 
|  | proxy_host->frame_tree_node()->current_replication_state(); | 
|  | // Note that a default-constructed `FrameReplicationState` always has an | 
|  | // opaque origin, simply because the frame hasn't had any navigations yet. | 
|  | // Fenced frames (after their first navigation) do not have opaque origins, | 
|  | // and this default-constructed FRS does not impact that. | 
|  | DCHECK(initial_replicated_state.origin.opaque()); | 
|  |  | 
|  | // A fenced frame that is added to a frame tree whose network has already been | 
|  | // revoked will never be able to navigate. For all intents and purposes, this | 
|  | // fenced frame has its network revoked as well. | 
|  | if (frame_tree_node_->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot) && | 
|  | frame_tree_node_ | 
|  | ->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot) | 
|  | ->HasDisabledNetworkForCurrentFrameTree()) { | 
|  | proxy_host->frame_tree_node() | 
|  | ->GetFencedFrameProperties() | 
|  | ->MarkDisabledNetworkForCurrentAndDescendantFrameTrees(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ForwardFencedFrameEventAndUserActivationToEmbedder( | 
|  | const std::string& event_type) { | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | mojo::ReportBadMessage( | 
|  | "notifyEvent can only be called if fenced frames are enabled."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!IsFencedFrameRoot()) { | 
|  | mojo::ReportBadMessage( | 
|  | "notifyEvent is only available in fenced frame roots."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!blink::CanNotifyEventTypeAcrossFence(event_type)) { | 
|  | mojo::ReportBadMessage( | 
|  | "notifyEvent called with an unsupported event type."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!IsActive()) { | 
|  | RecordNotifyEventOutcome(blink::NotifyEventOutcome::kNotActive); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!HasTransientUserActivation()) { | 
|  | RecordNotifyEventOutcome( | 
|  | blink::NotifyEventOutcome::kNoTransientUserActivation); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // The `window.fence.notifyEvent()` API allows a fenced frame to "transfer" | 
|  | // transient activation to its embedder. To transfer, the fenced frame | 
|  | // consumes transient activation on itself, and then applies transient | 
|  | // activation to its outer document afterwards. This ensures that the | 
|  | // embedder can use an activation-gated API in response to an event occurring | 
|  | // in the fenced frame, but that only one of those APIs can be used per event. | 
|  | // First, consume transient activation in the fenced frame document (this | 
|  | // RenderFrameHostImpl). | 
|  | CHECK(owner_); | 
|  | owner_->UpdateUserActivationState( | 
|  | blink::mojom::UserActivationUpdateType::kConsumeTransientActivation, | 
|  | blink::mojom::UserActivationNotificationType::kNone); | 
|  |  | 
|  | // Then, apply transient activation to the outer document. | 
|  | RenderFrameHostImpl* outer_document = GetParentOrOuterDocument(); | 
|  | outer_document->UpdateUserActivationState( | 
|  | blink::mojom::UserActivationUpdateType::kNotifyActivation, | 
|  | blink::mojom::UserActivationNotificationType::kInteraction); | 
|  |  | 
|  | // But the above won't apply activation to the outer document's *renderer*, | 
|  | // so let's do that too. | 
|  | outer_document->NotifyUserActivation( | 
|  | blink::mojom::UserActivationNotificationType::kInteraction); | 
|  |  | 
|  | GetProxyToOuterDelegate() | 
|  | ->GetAssociatedRemoteFrame() | 
|  | ->ForwardFencedFrameEventToEmbedder(event_type); | 
|  | RecordNotifyEventOutcome(blink::NotifyEventOutcome::kSuccess); | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40250533): Move SendFencedFrameReportingBeacon into a separate | 
|  | // refcounted class, so that pending beacons can outlive the RFHI. | 
|  | void RenderFrameHostImpl::SendFencedFrameReportingBeacon( | 
|  | const std::string& event_data, | 
|  | const std::string& event_type, | 
|  | const std::vector<blink::FencedFrame::ReportingDestination>& destinations, | 
|  | bool cross_origin_exposed) { | 
|  | if (!IsFencedFrameReportingFromRendererAllowed(cross_origin_exposed)) { | 
|  | return; | 
|  | } | 
|  | if (event_data.length() > blink::kFencedFrameMaxBeaconLength) { | 
|  | mojo::ReportBadMessage( | 
|  | "The data provided to SendFencedFrameReportingBeacon() exceeds the " | 
|  | "maximum length, which is 64KB."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Only check if the event type starts with "reserved." - We allow event types | 
|  | // like "myevent.reserved.name". | 
|  | if (base::StartsWith(event_type, blink::kFencedFrameReservedPAEventPrefix)) { | 
|  | mojo::ReportBadMessage("Reserved events cannot be triggered manually."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | for (const blink::FencedFrame::ReportingDestination& destination : | 
|  | destinations) { | 
|  | SendFencedFrameReportingBeaconInternal( | 
|  | DestinationEnumEvent(event_type, event_data, cross_origin_exposed), | 
|  | destination); | 
|  | } | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40250533): Move SendFencedFrameReportingBeaconToCustomURL into | 
|  | // a separate refcounted class, so that pending beacons can outlive the RFHI. | 
|  | void RenderFrameHostImpl::SendFencedFrameReportingBeaconToCustomURL( | 
|  | const GURL& destination_url, | 
|  | bool cross_origin_exposed) { | 
|  | if (!destination_url.is_valid() || | 
|  | !destination_url.SchemeIs(url::kHttpsScheme)) { | 
|  | mojo::ReportBadMessage( | 
|  | "SendFencedFrameReportingBeaconToCustomURL() received an invalid or " | 
|  | "non-HTTPS url, which should have been checked in the renderer."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!IsFencedFrameReportingFromRendererAllowed(cross_origin_exposed)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | SendFencedFrameReportingBeaconInternal( | 
|  | DestinationURLEvent(destination_url, cross_origin_exposed), | 
|  | blink::FencedFrame::ReportingDestination::kBuyer); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeSendFencedFrameAutomaticReportingBeacon( | 
|  | NavigationRequest& navigation_request, | 
|  | blink::mojom::AutomaticBeaconType event_type) { | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // The automatic beacon only cares about top-frame navigations. | 
|  | if (!IsOutermostMainFrame()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!navigation_request.GetInitiatorFrameToken().has_value()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Treat the automatic beacon as if it's being sent by the document that | 
|  | // initiated the top-level navigation. (You can think of it like a | 
|  | // reportEvent call from that document.) | 
|  | RenderFrameHostImpl* initiator_rfh = RenderFrameHostImpl::FromFrameToken( | 
|  | navigation_request.GetInitiatorProcessId(), | 
|  | navigation_request.GetInitiatorFrameToken().value()); | 
|  | if (!initiator_rfh) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Beacons can only be sent from inside a fenced frame/urn iframe tree, where | 
|  | // there is a fenced frame reporter. | 
|  | const std::optional<FencedFrameProperties>& properties = | 
|  | initiator_rfh->frame_tree_node()->GetFencedFrameProperties(); | 
|  | if (properties.has_value() && | 
|  | event_type == blink::mojom::AutomaticBeaconType::kTopNavigationCommit) { | 
|  | base::UmaHistogramEnumeration(blink::kFencedFrameTopNavigationHistogram, | 
|  | blink::FencedFrameNavigationState::kCommit); | 
|  | } | 
|  | if (!properties.has_value() || !properties->fenced_frame_reporter()) { | 
|  | return; | 
|  | } | 
|  | bool is_same_origin = | 
|  | properties->mapped_url().has_value() && | 
|  | initiator_rfh->GetLastCommittedOrigin().IsSameOriginWith( | 
|  | url::Origin::Create( | 
|  | properties->mapped_url()->GetValueIgnoringVisibility())); | 
|  | FencedDocumentData* fenced_document_data = nullptr; | 
|  | std::optional<AutomaticBeaconInfo> info; | 
|  | fenced_document_data = | 
|  | GetFencedDocumentData(initiator_rfh, event_type, is_same_origin); | 
|  | if (fenced_document_data) { | 
|  | info = fenced_document_data->GetAutomaticBeaconInfo(event_type); | 
|  | } | 
|  |  | 
|  | // The initiator of the navigation can opt-in to sending automatic beacons | 
|  | // when they are served using the `Allow-Fenced-Frame-Automatic-Beacons=true` | 
|  | // HTTP response header. This is used when automatic beacon data lives in a | 
|  | // different document as an alternative to opting in via setting automatic | 
|  | // beacon data itself, or when there is no data to be sent as part of the | 
|  | // beacon. | 
|  | bool initiator_allows_fenced_frame_automatic_beacons = | 
|  | FencedFrameAutomaticBeaconsAllowed(initiator_rfh); | 
|  |  | 
|  | // If there is no automatic beacon declared and no opt-in through a header, | 
|  | // don't send an automatic beacon. | 
|  | if (!info && !initiator_allows_fenced_frame_automatic_beacons) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Automatic beacons can only be sent if the initiating frame had transient | 
|  | // user activation when it navigated. For navigations originating from the | 
|  | // contextual menu (i.e. "Open Link in X"), or for navigations originating | 
|  | // from clicking a link directly, the navigation initiator activation status | 
|  | // will not be set, so we check the initiator frame's user activation directly | 
|  | // through the navigation request's common parameters. | 
|  | // It is safe to check both values at once. If one is not properly set, it | 
|  | // will always be set to a false negative and not a false positive, so there | 
|  | // is no way for that to cause an accidental beacon to be sent. | 
|  | if (navigation_request.GetNavigationInitiatorActivationAndAdStatus() == | 
|  | blink::mojom::NavigationInitiatorActivationAndAdStatus:: | 
|  | kDidNotStartWithTransientActivation && | 
|  | !navigation_request.common_params().has_user_gesture) { | 
|  | RecordAutomaticBeaconOutcome( | 
|  | blink::AutomaticBeaconOutcome::kNoUserActivation); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Beacons can be sent when the initiator document is cross-origin with the | 
|  | // fenced frame config's mapped url, but only if the document opts in through | 
|  | // a header. | 
|  | if (!is_same_origin && !initiator_allows_fenced_frame_automatic_beacons) { | 
|  | RecordAutomaticBeaconOutcome( | 
|  | blink::AutomaticBeaconOutcome::kNotSameOriginNotOptedIn); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Any destination registered in a Protected Audience/Shared Storage worklet | 
|  | // will have a beacon sent to its endpoint. | 
|  | RecordAutomaticBeaconOutcome(blink::AutomaticBeaconOutcome::kSuccess); | 
|  |  | 
|  | for (const auto& destination : | 
|  | properties->fenced_frame_reporter()->ReportingDestinations()) { | 
|  | std::string data; | 
|  | // For data to be sent in the automatic beacon, it must be specified in | 
|  | // the event's "destination" for setReportEventDataForAutomaticBeacons(). | 
|  | // For cross-origin frames, the data must be opted in to being used for | 
|  | // cross-origin beacons. | 
|  | if (info && base::Contains(info->destinations, destination) && | 
|  | (is_same_origin || info->cross_origin_exposed)) { | 
|  | data = info->data; | 
|  | } | 
|  | initiator_rfh->SendFencedFrameReportingBeaconInternal( | 
|  | AutomaticBeaconEvent(event_type, data), destination, | 
|  | navigation_request.GetNavigationId()); | 
|  | } | 
|  |  | 
|  | if (fenced_document_data) { | 
|  | fenced_document_data->MaybeResetAutomaticBeaconData(event_type); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFencedFrameReportingFromRendererAllowed( | 
|  | bool cross_origin_exposed) { | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | mojo::ReportBadMessage( | 
|  | "Request to send reporting beacons received while FencedFrames not " | 
|  | "enabled."); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!IsActive()) { | 
|  | // reportEvent is not allowed when this RenderFrameHost or one of its | 
|  | // ancestors is not active. | 
|  | return false; | 
|  | } | 
|  |  | 
|  | const std::optional<FencedFrameProperties>& fenced_frame_properties = | 
|  | frame_tree_node_->GetFencedFrameProperties(); | 
|  |  | 
|  | if (cross_origin_exposed && | 
|  | !base::FeatureList::IsEnabled( | 
|  | blink::features::kFencedFramesCrossOriginEventReporting)) { | 
|  | mojo::ReportBadMessage( | 
|  | "Request to send cross-origin reporting beacons received while feature " | 
|  | "not enabled."); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!fenced_frame_properties.has_value()) { | 
|  | // No associated fenced frame properties. This should have been captured | 
|  | // in the renderer process at `Fence::reportEvent`. | 
|  | // This implies there is an inconsistency between the browser and the | 
|  | // renderer. | 
|  | mojo::ReportBadMessage( | 
|  | "This frame has no fenced frame properties registered in the browser."); | 
|  | return false; | 
|  | } | 
|  | if (!fenced_frame_properties->fenced_frame_reporter()) { | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kWarning, | 
|  | "This frame was loaded with a FencedFrameConfig that did not have any " | 
|  | "reporting metadata associated with it (via selectURL()'s " | 
|  | "reportingMetadata or Protected Audience's registerAdBeacon())."); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (fenced_frame_properties->is_ad_component()) { | 
|  | // Direct invocation of fence.reportEvent from an ad component is | 
|  | // disallowed. | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kError, | 
|  | "This frame is an ad component. It is not allowed to call " | 
|  | "fence.reportEvent."); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!GetLastCommittedOrigin().IsSameOriginWith( | 
|  | url::Origin::Create(fenced_frame_properties->mapped_url() | 
|  | ->GetValueIgnoringVisibility()))) { | 
|  | if (!fenced_frame_properties->allow_cross_origin_event_reporting()) { | 
|  | mojo::ReportBadMessage( | 
|  | "This document is cross-origin to the document that contains " | 
|  | "reporting metadata, but the fenced frame's document was not served " | 
|  | "with the 'Allow-Cross-Origin-Event-Reporting' header."); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!cross_origin_exposed) { | 
|  | mojo::ReportBadMessage( | 
|  | "This document is cross-origin to the document that contains " | 
|  | "reporting metadata, but reportEvent() was not called with " | 
|  | "crossOriginExposed=true."); | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendFencedFrameReportingBeaconInternal( | 
|  | const FencedFrameReporter::DestinationVariant& event_variant, | 
|  | blink::FencedFrame::ReportingDestination destination, | 
|  | std::optional<int64_t> navigation_id) { | 
|  | std::string error_message; | 
|  | // By default, log w/ error severity. Can be overwritten to lower severity | 
|  | // depending on the error. | 
|  | blink::mojom::ConsoleMessageLevel console_message_level = | 
|  | blink::mojom::ConsoleMessageLevel::kError; | 
|  |  | 
|  | auto properties = frame_tree_node()->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot); | 
|  | if (properties.has_value() && | 
|  | properties->HasDisabledNetworkForCurrentFrameTree()) { | 
|  | error_message = | 
|  | "Cannot send fenced frame event-level reports after " | 
|  | "calling window.fence.disableUntrustedNetwork()."; | 
|  | AddMessageToConsole(console_message_level, error_message); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!frame_tree_node_->GetFencedFrameProperties() | 
|  | ->fenced_frame_reporter() | 
|  | ->SendReport(event_variant, destination, | 
|  | /*request_initiator_frame=*/this, error_message, | 
|  | console_message_level, GetFrameTreeNodeId(), | 
|  | navigation_id)) { | 
|  | AddMessageToConsole(console_message_level, error_message); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetFencedFrameAutomaticBeaconReportEventData( | 
|  | blink::mojom::AutomaticBeaconType event_type, | 
|  | const std::string& event_data, | 
|  | const std::vector<blink::FencedFrame::ReportingDestination>& destinations, | 
|  | bool once, | 
|  | bool cross_origin_exposed) { | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | mojo::ReportBadMessage( | 
|  | "SetFencedFrameAutomaticBeaconReportEventData() received while " | 
|  | "FencedFrames not enabled."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (event_data.length() > blink::kFencedFrameMaxBeaconLength) { | 
|  | mojo::ReportBadMessage( | 
|  | "The data provided to SetFencedFrameAutomaticBeaconReportEventData() " | 
|  | "exceeds the maximum length, which is 64KB."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // The call is ignored if the RenderFrameHost is not the currently active one | 
|  | // in the FrameTreeNode. For instance, this is ignored when it is pending | 
|  | // deletion or if it entered the BackForwardCache. | 
|  | // | 
|  | // Note: The renderer process already tests the document is not detached from | 
|  | // the frame tree before sending the IPC, but this might race with frame | 
|  | // deletion IPC sent from other processes. | 
|  | if (!IsActive()) { | 
|  | return; | 
|  | } | 
|  | CHECK(owner_);  // See `owner_` invariants about `IsActive()`. | 
|  |  | 
|  | const std::optional<FencedFrameProperties>& fenced_frame_properties = | 
|  | frame_tree_node_->GetFencedFrameProperties(); | 
|  |  | 
|  | // `fenced_frame_properties` will exist for both fenced frames as well as | 
|  | // iframes loaded with a urn:uuid. This allows URN iframes to call this | 
|  | // function without getting bad-messaged. | 
|  | if (!fenced_frame_properties) { | 
|  | mojo::ReportBadMessage( | 
|  | "Automatic beacon data can only be set in fenced frames or iframes " | 
|  | "loaded from a config."); | 
|  | return; | 
|  | } | 
|  | if (!fenced_frame_properties->fenced_frame_reporter()) { | 
|  | AddMessageToConsole( | 
|  | blink::mojom::ConsoleMessageLevel::kWarning, | 
|  | "This frame was loaded with a FencedFrameConfig that did not have any " | 
|  | "reporting metadata associated with it (via selectURL()'s " | 
|  | "reportingMetadata or Protected Audience's registerAdBeacon())."); | 
|  | return; | 
|  | } | 
|  | // This metadata should only be present in the renderer in frames that are | 
|  | // same-origin to the mapped url. | 
|  | if (!fenced_frame_properties->mapped_url().has_value() || | 
|  | !GetLastCommittedOrigin().IsSameOriginWith( | 
|  | url::Origin::Create(fenced_frame_properties->mapped_url() | 
|  | ->GetValueIgnoringVisibility()))) { | 
|  | if (!base::FeatureList::IsEnabled( | 
|  | blink::features::kFencedFramesCrossOriginAutomaticBeaconData)) { | 
|  | mojo::ReportBadMessage( | 
|  | "Automatic beacon data can only be set from frames that registered " | 
|  | "reporting metadata."); | 
|  | return; | 
|  | } | 
|  | if (!cross_origin_exposed) { | 
|  | mojo::ReportBadMessage( | 
|  | "This document is cross-origin to the document that contains " | 
|  | "reporting metadata, but setReportEventDataForAutomaticBeacons() was " | 
|  | "not called with crossOriginExposed=true."); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Ad components cannot set event data for automatic beacons. | 
|  | std::string event_data_to_use = | 
|  | fenced_frame_properties->is_ad_component() ? std::string{} : event_data; | 
|  |  | 
|  | auto* fenced_document_data = | 
|  | FencedDocumentData::GetOrCreateForCurrentDocument(this); | 
|  | fenced_document_data->UpdateAutomaticBeaconData( | 
|  | event_type, event_data_to_use, destinations, once, cross_origin_exposed); | 
|  |  | 
|  | base::UmaHistogramEnumeration(blink::kAutomaticBeaconEventTypeHistogram, | 
|  | event_type); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableUntrustedNetworkInFencedFrame( | 
|  | DisableUntrustedNetworkInFencedFrameCallback callback) { | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received while FencedFrames " | 
|  | "not enabled."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!base::FeatureList::IsEnabled( | 
|  | blink::features::kFencedFramesLocalUnpartitionedDataAccess)) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received while " | 
|  | "FencedFramesLocalUnpartitionedDataAccess not enabled."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | std::optional<FencedFrameProperties>& properties = | 
|  | frame_tree_node_->GetFencedFrameProperties(); | 
|  |  | 
|  | if (!properties.has_value() || !properties->can_disable_untrusted_network()) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received even though the API " | 
|  | "that generated the fenced frame config does not support it."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!properties->mapped_url().has_value() || | 
|  | !frame_tree_node_->current_origin().IsSameOriginWith(url::Origin::Create( | 
|  | properties->mapped_url()->GetValueIgnoringVisibility()))) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received from document that is " | 
|  | "cross-origin to the mapped url from the fenced frame config, but this " | 
|  | "should be checked by the renderer."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Register the nonce in the network service's data structure to deny network | 
|  | // access. | 
|  | CHECK(properties->partition_nonce().has_value()); | 
|  | StoragePartitionImpl* storage_partition = GetStoragePartition(); | 
|  | // TODO(crbug.com/41488151): Audit all existing transient IsolationInfo | 
|  | // constructors to ensure that they are tagged with the relevant partition | 
|  | // nonce. | 
|  | storage_partition->RevokeNetworkForNoncesInNetworkContext( | 
|  | { | 
|  | properties->partition_nonce()->GetValueIgnoringVisibility(), | 
|  | GetPage().credentialless_iframes_nonce(), | 
|  | }, | 
|  | base::BindOnce( | 
|  | &RenderFrameHostImpl::RevokeNetworkForNonceCallback, | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | properties->partition_nonce()->GetValueIgnoringVisibility(), | 
|  | std::move(callback))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RevokeNetworkForNonceCallback( | 
|  | base::UnguessableToken nonce, | 
|  | DisableUntrustedNetworkInFencedFrameCallback callback) { | 
|  | std::optional<FencedFrameProperties>& properties = | 
|  | frame_tree_node_->GetFencedFrameProperties(); | 
|  | // If the revoked nonce no longer corresponds to an active fenced frame tree | 
|  | // due to timing, do nothing. | 
|  | // TODO(crbug.com/40615943): After enabling RenderDocument fully, this | 
|  | // condition and the `nonce` argument to the callback can be removed. | 
|  | if (!properties.has_value() || !properties->partition_nonce().has_value() || | 
|  | properties->partition_nonce()->GetValueIgnoringVisibility() != nonce) { | 
|  | std::move(callback).Run(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (properties->HasDisabledNetworkForCurrentAndDescendantFrameTrees()) { | 
|  | std::move(callback).Run(); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Add the callback to the fenced frame root's document data. This is done | 
|  | // since we need to check all of a fenced frame's descendants before we can | 
|  | // determine if a fenced frame is ready for full network cutoff. | 
|  | FencedDocumentData* fenced_document_data = | 
|  | FencedDocumentData::GetOrCreateForCurrentDocument(GetMainFrame()); | 
|  | fenced_document_data->AddDisabledUntrustedNetworkCallback( | 
|  | std::move(callback)); | 
|  |  | 
|  | // We then need to recalculate the network revocation status of every frame in | 
|  | // the frame tree, as an ancestor's revocation status could've changed as a | 
|  | // result. Do not mark the network as having been disabled yet, as all | 
|  | // subframes need to have their network disabled before this frame's network | 
|  | // can be considered disabled. | 
|  | properties->MarkDisabledNetworkForCurrentFrameTree(); | 
|  | GetOutermostMainFrame()->CalculateUntrustedNetworkStatus(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CalculateUntrustedNetworkStatus() { | 
|  | FrameTree::NodeRange node_range = | 
|  | frame_tree()->NodesIncludingInnerTreeNodes(); | 
|  | std::vector<FrameTreeNode*> subframe_nodes(std::next(node_range.begin()), | 
|  | node_range.end()); | 
|  | std::reverse(subframe_nodes.begin(), subframe_nodes.end()); | 
|  | std::set<FrameTreeNodeId> nodes_not_eligible_for_network_cutoff; | 
|  | // This loop traverses up the frame tree, determining if each fenced frame | 
|  | // root node meets the criteria for network cutoff. We look at the most deeply | 
|  | // nested nodes first since each node's network cutoff status is reliant on | 
|  | // the network cutoff status of all its descendant fenced frame trees. | 
|  | for (auto it : subframe_nodes) { | 
|  | // If this is not a fenced frame root, we only need to check if there is | 
|  | // any ongoing navigation. | 
|  | if (!it->IsFencedFrameRoot()) { | 
|  | if (it->HasNavigation() && | 
|  | it->current_frame_host()->IsNestedWithinFencedFrame()) { | 
|  | // If iframe has an ongoing navigation, any of its ancestor fenced | 
|  | // frames cannot resolve the promise returned by the disable untrusted | 
|  | // network call. | 
|  | nodes_not_eligible_for_network_cutoff.insert( | 
|  | it->current_frame_host() | 
|  | ->GetMainFrame() | 
|  | ->frame_tree_node() | 
|  | ->frame_tree_node_id()); | 
|  | } | 
|  | continue; | 
|  | } | 
|  |  | 
|  | std::optional<FencedFrameProperties>& properties = | 
|  | it->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot); | 
|  | CHECK(properties.has_value()); | 
|  |  | 
|  | // Avoid redundant processing if network has already been disabled for this | 
|  | // FrameTreeNode and it does not have ongoing navigation. | 
|  | if (properties->HasDisabledNetworkForCurrentAndDescendantFrameTrees() && | 
|  | !it->HasNavigation()) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | // `can_disable_network` being true means: | 
|  | // 1. All descendant fenced frames have network access revoked. | 
|  | // 2. All descendant fenced frames do not have ongoing navigations. | 
|  | bool can_disable_network = !nodes_not_eligible_for_network_cutoff.contains( | 
|  | it->frame_tree_node_id()); | 
|  |  | 
|  | bool network_cutoff_ready = | 
|  | can_disable_network && | 
|  | properties->HasDisabledNetworkForCurrentFrameTree(); | 
|  |  | 
|  | if (network_cutoff_ready) { | 
|  | properties->MarkDisabledNetworkForCurrentAndDescendantFrameTrees(); | 
|  | if (FencedDocumentData* fenced_document_data = | 
|  | FencedDocumentData::GetForCurrentDocument( | 
|  | it->current_frame_host())) { | 
|  | // Run the relevant callbacks for this frame as well as any same-origin | 
|  | // child iframe that might've called disableUntrustedNetwork() as well. | 
|  | fenced_document_data->RunDisabledUntrustedNetworkCallbacks(); | 
|  | } | 
|  | } | 
|  |  | 
|  | if ((!network_cutoff_ready || it->HasNavigation()) && | 
|  | it->GetParentOrOuterDocument() && | 
|  | it->GetParentOrOuterDocument()->IsNestedWithinFencedFrame()) { | 
|  | // Check for ongoing navigations to prevent race conditions. If a parent | 
|  | // fenced frame embeds a child nested fenced frame, and that child frame | 
|  | // disables its network and then immediately is navigated by its parent, | 
|  | // we can end up in a state where the parent thinks network is revoked for | 
|  | // all its children, but network is still allowed in the child fenced | 
|  | // frame. | 
|  | nodes_not_eligible_for_network_cutoff.insert( | 
|  | it->GetParentOrOuterDocument() | 
|  | ->GetMainFrame() | 
|  | ->frame_tree_node() | 
|  | ->frame_tree_node_id()); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetBeforeUnloadInitiator() { | 
|  | for (RenderFrameHostImpl* frame = this; frame; frame = frame->GetParent()) { | 
|  | if (frame->is_waiting_for_beforeunload_completion_) { | 
|  | return frame; | 
|  | } | 
|  | } | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ExemptUrlFromNetworkRevocationForTesting( | 
|  | const GURL& exempted_url, | 
|  | ExemptUrlFromNetworkRevocationForTestingCallback callback) { | 
|  | if (!blink::features::IsFencedFramesEnabled()) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received while " | 
|  | "fenced frames not enabled."); | 
|  | return; | 
|  | } | 
|  | if (!base::FeatureList::IsEnabled( | 
|  | blink::features::kFencedFramesLocalUnpartitionedDataAccess)) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received while " | 
|  | "FencedFramesLocalUnpartitionedDataAccess not enabled."); | 
|  | return; | 
|  | } | 
|  | if (!base::FeatureList::IsEnabled( | 
|  | blink::features::kExemptUrlFromNetworkRevocationForTesting)) { | 
|  | mojo::ReportBadMessage( | 
|  | "DisableUntrustedNetworkInFencedFrame() received while " | 
|  | "ExemptUrlFromNetworkRevocationForTesting not enabled."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | std::optional<FencedFrameProperties>& properties = | 
|  | frame_tree_node_->GetFencedFrameProperties(); | 
|  | if (!properties.has_value() || !properties->partition_nonce().has_value()) { | 
|  | std::move(callback).Run(); | 
|  | return; | 
|  | } | 
|  | GetStoragePartition() | 
|  | ->GetNetworkContext() | 
|  | ->ExemptUrlFromNetworkRevocationForNonce( | 
|  | exempted_url, | 
|  | IsCredentialless() | 
|  | ? GetPage().credentialless_iframes_nonce() | 
|  | : properties->partition_nonce()->GetValueIgnoringVisibility(), | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnViewTransitionOptInChanged( | 
|  | blink::mojom::ViewTransitionSameOriginOptIn view_transition_opt_in) { | 
|  | ViewTransitionOptInState::GetOrCreateForCurrentDocument(this) | 
|  | ->set_same_origin_opt_in(view_transition_opt_in); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::StartDragging( | 
|  | blink::mojom::DragDataPtr drag_data, | 
|  | blink::DragOperationsMask drag_operations_mask, | 
|  | const SkBitmap& unsafe_bitmap, | 
|  | const gfx::Vector2d& cursor_offset_in_dip, | 
|  | const gfx::Rect& drag_obj_rect_in_dip, | 
|  | blink::mojom::DragEventSourceInfoPtr event_info) { | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | RenderWidgetHostImpl* widget = GetRenderWidgetHost(); | 
|  | RenderWidgetHostViewBase* view = (widget) ? widget->GetView() : nullptr; | 
|  | if (view && view->IsTouchSequencePotentiallyActiveOnViz()) { | 
|  | view->RequestInputBackForDragAndDrop( | 
|  | std::move(drag_data), GetLastCommittedOrigin(), drag_operations_mask, | 
|  | unsafe_bitmap, cursor_offset_in_dip, drag_obj_rect_in_dip, | 
|  | std::move(event_info)); | 
|  | return; | 
|  | } | 
|  | #endif | 
|  | GetRenderWidgetHost()->StartDragging( | 
|  | std::move(drag_data), GetLastCommittedOrigin(), drag_operations_mask, | 
|  | unsafe_bitmap, cursor_offset_in_dip, drag_obj_rect_in_dip, | 
|  | std::move(event_info)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::IssueKeepAliveHandle( | 
|  | mojo::PendingReceiver<blink::mojom::NavigationStateKeepAliveHandle> | 
|  | receiver) { | 
|  | GetStoragePartition()->RegisterKeepAliveHandle( | 
|  | std::move(receiver), | 
|  | base::WrapUnique(new NavigationStateKeepAlive( | 
|  | GetFrameToken(), policy_container_host(), GetSiteInstance(), | 
|  | IsUntrustedNetworkDisabled()))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NotifyStorageAccessed( | 
|  | blink::mojom::StorageTypeAccessed storage_type, | 
|  | bool blocked) { | 
|  | delegate_->NotifyStorageAccessed(this, storage_type, blocked); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RecordWindowProxyUsageMetrics( | 
|  | const blink::FrameToken& target_frame_token, | 
|  | blink::mojom::WindowProxyAccessType access_type) { | 
|  | if (IsInLifecycleState(LifecycleState::kPrerendering)) { | 
|  | // We cannot use GetPageUkmSourceId if we are prerendering. | 
|  | return; | 
|  | } | 
|  | RenderFrameHostImpl* target_frame = | 
|  | LookupRenderFrameHostOrProxy(GetProcess()->GetDeprecatedID(), | 
|  | target_frame_token) | 
|  | .GetCurrentFrameHost(); | 
|  | if (!target_frame) { | 
|  | return; | 
|  | } | 
|  | ukm::builders::WindowProxyUsage(GetPageUkmSourceId()) | 
|  | .SetAccessType(static_cast<int64_t>(access_type)) | 
|  | .SetIsSamePage(&target_frame->GetPage() == &this->GetPage()) | 
|  | .SetLocalFrameContext( | 
|  | static_cast<int64_t>(GetWindowProxyFrameContext(this))) | 
|  | .SetLocalPageContext( | 
|  | static_cast<int64_t>(GetWindowProxyPageContext(this))) | 
|  | .SetLocalUserActivationState( | 
|  | static_cast<int64_t>(GetWindowProxyUserActivationState(this))) | 
|  | .SetRemoteFrameContext( | 
|  | static_cast<int64_t>(GetWindowProxyFrameContext(target_frame))) | 
|  | .SetRemotePageContext( | 
|  | static_cast<int64_t>(GetWindowProxyPageContext(target_frame))) | 
|  | .SetRemoteUserActivationState( | 
|  | static_cast<int64_t>(GetWindowProxyUserActivationState(target_frame))) | 
|  | .SetStorageKeyComparison( | 
|  | static_cast<int64_t>(GetWindowProxyStorageKeyComparison( | 
|  | this->GetStorageKey(), target_frame->GetStorageKey()))) | 
|  | .Record(ukm::UkmRecorder::Get()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetCrashReportStorageKey( | 
|  | const std::string& key, | 
|  | const std::string& value, | 
|  | SetCrashReportStorageKeyCallback callback) { | 
|  | crash_storage_map_.insert(std::make_pair(key, value)); | 
|  | std::move(callback).Run(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RemoveCrashReportStorageKey( | 
|  | const std::string& key, | 
|  | RemoveCrashReportStorageKeyCallback callback) { | 
|  | crash_storage_map_.erase(key); | 
|  | std::move(callback).Run(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateNewPopupWidget( | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::PopupWidgetHost> | 
|  | blink_popup_widget_host, | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::WidgetHost> blink_widget_host, | 
|  | mojo::PendingAssociatedRemote<blink::mojom::Widget> blink_widget) { | 
|  | // Do not open popups in an inactive document. | 
|  | if (!IsActive()) { | 
|  | // Sending this message requires user activation, which is impossible | 
|  | // for a prerendering document, so the renderer process should be | 
|  | // terminated. See | 
|  | // https://html.spec.whatwg.org/multipage/interaction.html#tracking-user-activation. | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPrerendering) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_POPUP_REQUEST_WHILE_PRERENDERING); | 
|  | } | 
|  | return; | 
|  | } | 
|  |  | 
|  | // We still need to allocate a widget routing id. Even though the renderer | 
|  | // doesn't receive it, the browser side still uses routing ids to track | 
|  | // widgets in various global tables. | 
|  | int32_t widget_route_id = GetProcess()->GetNextRoutingID(); | 
|  | RenderWidgetHostImpl* widget = delegate_->CreateNewPopupWidget( | 
|  | site_instance_->group()->GetSafeRef(), widget_route_id, | 
|  | std::move(blink_popup_widget_host), std::move(blink_widget_host), | 
|  | std::move(blink_widget)); | 
|  | if (!widget) | 
|  | return; | 
|  | // The renderer-owned widget was created before sending the IPC received here. | 
|  | widget->RendererWidgetCreated(/*for_frame_widget=*/false); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetKeepAliveHandleFactory( | 
|  | mojo::PendingReceiver<blink::mojom::KeepAliveHandleFactory> receiver) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | if (GetProcess()->AreRefCountsDisabled()) | 
|  | return; | 
|  |  | 
|  | keep_alive_handle_factory_.Bind(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DidChangeSrcDoc( | 
|  | const blink::FrameToken& child_frame_token, | 
|  | const std::string& srcdoc_value) { | 
|  | auto* child = | 
|  | FindAndVerifyChild(child_frame_token, bad_message::RFH_OWNER_PROPERTY); | 
|  | if (!child) | 
|  | return; | 
|  |  | 
|  | child->SetSrcdocValue(srcdoc_value); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ReceivedDelegatedCapability( | 
|  | blink::mojom::DelegatedCapability delegated_capability) { | 
|  | // Every delegated capability that is checked or consumed on the browser side | 
|  | // needs to be (a) activated here and (b) consumed when RFH handles the | 
|  | // capability. | 
|  | if (delegated_capability == | 
|  | blink::mojom::DelegatedCapability::kFullscreenRequest) { | 
|  | fullscreen_request_token_.Activate(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BeginNavigation( | 
|  | blink::mojom::CommonNavigationParamsPtr unvalidated_common_params, | 
|  | blink::mojom::BeginNavigationParamsPtr begin_params, | 
|  | mojo::PendingRemote<blink::mojom::BlobURLToken> blob_url_token, | 
|  | mojo::PendingAssociatedRemote<mojom::NavigationClient> navigation_client, | 
|  | mojo::PendingRemote<blink::mojom::NavigationStateKeepAliveHandle> | 
|  | initiator_navigation_state_keep_alive_handle, | 
|  | mojo::PendingReceiver<mojom::NavigationRendererCancellationListener> | 
|  | renderer_cancellation_listener) { | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::BeginNavigation", | 
|  | ChromeTrackEvent::kRenderFrameHost, this, "url", | 
|  | unvalidated_common_params->url.possibly_invalid_spec()); | 
|  |  | 
|  | // Only active and prerendered documents are allowed to start navigation in | 
|  | // their frame. | 
|  | if (lifecycle_state() != LifecycleStateImpl::kPrerendering) { | 
|  | // If this is reached in case the RenderFrameHost is in BackForwardCache | 
|  | // evict the document from BackForwardCache. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kBeginNavigation)) { | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | //  TODO(crbug.com/40496584):Resolved an issue where creating RPHI would cause | 
|  | //  a crash when the browser context was shut down. We are actively exploring | 
|  | //  the appropriate long-term solution. Please remove this condition once the | 
|  | //  final fix is implemented. | 
|  | BrowserContext* browser_context = | 
|  | frame_tree_node()->navigator().controller().GetBrowserContext(); | 
|  | if (browser_context->ShutdownStarted()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // See `owner_` invariants about `lifecycle_state_`. | 
|  | // `IsInactiveAndDisallowActivation()` check cause both pending deletion and | 
|  | // bfcached states to return early. | 
|  | DCHECK(owner_); | 
|  | if (owner_->GetRenderFrameHostManager().is_attaching_inner_delegate()) { | 
|  | // Avoid starting any new navigations since this frame is in the process of | 
|  | // attaching an inner delegate. | 
|  | return; | 
|  | } | 
|  |  | 
|  | DCHECK(navigation_client.is_valid()); | 
|  |  | 
|  | blink::mojom::CommonNavigationParamsPtr validated_common_params = | 
|  | unvalidated_common_params.Clone(); | 
|  | if (!VerifyBeginNavigationCommonParams(*this, &*validated_common_params, | 
|  | begin_params->initiator_frame_token)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // BeginNavigation() should only be triggered when the navigation is | 
|  | // initiated by a document in the same process. | 
|  | int initiator_process_id = GetProcess()->GetDeprecatedID(); | 
|  | if (!VerifyNavigationInitiator(this, begin_params->initiator_frame_token, | 
|  | initiator_process_id)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Container-initiated navigations must come from the same process as the | 
|  | // parent. | 
|  | if (begin_params->is_container_initiated) { | 
|  | if (!GetParent() || (initiator_process_id != | 
|  | GetParent()->GetProcess()->GetDeprecatedID())) { | 
|  | mojo::ReportBadMessage( | 
|  | "container initiated navigation from non-parent process"); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | // If the request is bearing Private State Tokens parameters: | 
|  | // - it must not be a main-frame navigation, and | 
|  | // - for redemption and signing operations, the frame's parent needs the | 
|  | //   private-state-token-redemption Permissions Policy feature, | 
|  | // - for issue operation, the frame's parent needs the | 
|  | //   private-state-token-issuance Permission Policy. | 
|  | if (begin_params->trust_token_params) { | 
|  | // For Fenced Frame trust_token_params shouldn't be populated since that is | 
|  | // driven by the iframe specific attribute as defined here: | 
|  | // https://github.com/WICG/trust-token-api#extension-iframe-activation". If | 
|  | // this changes, the code below using `GetParent()` will need to be changed. | 
|  | if (IsFencedFrameRoot()) { | 
|  | mojo::ReportBadMessage( | 
|  | "RFHI: Private State Token params in fenced frame nav"); | 
|  | return; | 
|  | } | 
|  | if (!GetParent()) { | 
|  | mojo::ReportBadMessage( | 
|  | "RFHI: Private State Token params in main frame nav"); | 
|  | return; | 
|  | } | 
|  | RenderFrameHostImpl* parent = GetParent(); | 
|  | bool is_right_operation_policy_enabled = false; | 
|  | const network::mojom::TrustTokenOperationType& operation = | 
|  | begin_params->trust_token_params->operation; | 
|  | switch (operation) { | 
|  | case network::mojom::TrustTokenOperationType::kRedemption: | 
|  | case network::mojom::TrustTokenOperationType::kSigning: | 
|  | is_right_operation_policy_enabled = parent->IsFeatureEnabled( | 
|  | network::mojom::PermissionsPolicyFeature::kTrustTokenRedemption); | 
|  | break; | 
|  | case network::mojom::TrustTokenOperationType::kIssuance: | 
|  | is_right_operation_policy_enabled = | 
|  | parent->IsFeatureEnabled(network::mojom::PermissionsPolicyFeature:: | 
|  | kPrivateStateTokenIssuance); | 
|  | break; | 
|  | } | 
|  |  | 
|  | if (!is_right_operation_policy_enabled) { | 
|  | mojo::ReportBadMessage( | 
|  | "RFHI: Mandatory Private State Tokens Permissions Policy feature " | 
|  | "is absent"); | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | GetProcess()->FilterURL(true, &begin_params->searchable_form_url); | 
|  |  | 
|  | // If the request was for a blob URL, but the validated URL is no longer a | 
|  | // blob URL, reset the blob_url_token to prevent hitting the ReportBadMessage | 
|  | // below, and to make sure we don't incorrectly try to use the blob_url_token. | 
|  | if (unvalidated_common_params->url.SchemeIsBlob() && | 
|  | !validated_common_params->url.SchemeIsBlob()) { | 
|  | blob_url_token = mojo::NullRemote(); | 
|  | } | 
|  |  | 
|  | if (blob_url_token && !validated_common_params->url.SchemeIsBlob()) { | 
|  | mojo::ReportBadMessage("Blob URL Token, but not a blob: URL"); | 
|  | return; | 
|  | } | 
|  | scoped_refptr<network::SharedURLLoaderFactory> blob_url_loader_factory; | 
|  | if (blob_url_token) { | 
|  | blob_url_loader_factory = | 
|  | ChromeBlobStorageContext::URLLoaderFactoryForToken( | 
|  | GetStoragePartition(), std::move(blob_url_token)); | 
|  | } | 
|  |  | 
|  | // If the request was for a blob URL, but no blob_url_token was passed in this | 
|  | // is not necessarily an error. Renderer initiated reloads for example are one | 
|  | // situation where a renderer currently doesn't have an easy way of resolving | 
|  | // the blob URL. For those situations resolve the blob URL here, as we don't | 
|  | // care about ordering with other blob URL manipulation anyway. | 
|  | if (validated_common_params->url.SchemeIsBlob() && !blob_url_loader_factory) { | 
|  | blob_url_loader_factory = ChromeBlobStorageContext::URLLoaderFactoryForUrl( | 
|  | GetStoragePartition(), validated_common_params->url); | 
|  | } | 
|  |  | 
|  | if (waiting_for_init_) { | 
|  | pending_navigate_ = std::make_unique<PendingNavigation>( | 
|  | std::move(validated_common_params), std::move(begin_params), | 
|  | std::move(blob_url_loader_factory), std::move(navigation_client), | 
|  | std::move(renderer_cancellation_listener)); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (begin_params->initiator_frame_token) { | 
|  | RenderFrameHostImpl* initiator_frame = RenderFrameHostImpl::FromFrameToken( | 
|  | GetProcess()->GetDeprecatedID(), | 
|  | begin_params->initiator_frame_token.value()); | 
|  | if (IsOutermostMainFrame()) { | 
|  | MaybeRecordAdClickMainFrameNavigationMetrics( | 
|  | initiator_frame, begin_params->initiator_activation_and_ad_status); | 
|  | } | 
|  | } | 
|  |  | 
|  | // We can discard the parameter | 
|  | // |initiator_navigation_state_keep_alive_handle|. This is just needed to | 
|  | // ensure that the NavigationStateKeepAlive of the initiator RenderFrameHost | 
|  | // can still be retrieved even if the RenderFrameHost has been deleted in | 
|  | // between. Since the NavigationRequest will be created synchronously as a | 
|  | // result of this function's execution, we don't need to pass | 
|  | // |initiator_navigation_state_keep_alive_handle| along. | 
|  |  | 
|  | owner_->GetCurrentNavigator().OnBeginNavigation( | 
|  | frame_tree_node(), std::move(validated_common_params), | 
|  | std::move(begin_params), std::move(blob_url_loader_factory), | 
|  | std::move(navigation_client), EnsurePrefetchedSignedExchangeCache(), | 
|  | initiator_process_id, std::move(renderer_cancellation_listener)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SubresourceResponseStarted( | 
|  | const url::SchemeHostPort& final_response_url, | 
|  | net::CertStatus cert_status) { | 
|  | OPTIONAL_TRACE_EVENT1("content", | 
|  | "RenderFrameHostImpl::SubresourceResponseStarted", | 
|  | "url", final_response_url.GetURL()); | 
|  | frame_tree_->controller().ssl_manager()->DidStartResourceResponse( | 
|  | final_response_url, cert_status); | 
|  | } | 
|  | void RenderFrameHostImpl::ResourceLoadComplete( | 
|  | blink::mojom::ResourceLoadInfoPtr resource_load_info) { | 
|  | GlobalRequestID global_request_id; | 
|  | const bool is_frame_request = | 
|  | blink::IsRequestDestinationFrame(resource_load_info->request_destination); | 
|  | if (main_frame_request_ids_.first == resource_load_info->request_id) { | 
|  | global_request_id = main_frame_request_ids_.second; | 
|  | } else if (is_frame_request) { | 
|  | // The load complete message for the main resource arrived before | 
|  | // |DidCommitProvisionalLoad()|. We save the load info so | 
|  | // |ResourceLoadComplete()| can be called later in | 
|  | // |DidCommitProvisionalLoad()| when we can map to the global request ID. | 
|  | deferred_main_frame_load_info_ = std::move(resource_load_info); | 
|  | return; | 
|  | } | 
|  | delegate_->ResourceLoadComplete(this, global_request_id, | 
|  | std::move(resource_load_info)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::HandleAXEvents( | 
|  | const ui::AXTreeID& tree_id, | 
|  | ui::AXUpdatesAndEvents updates_and_events, | 
|  | ui::AXLocationAndScrollUpdates location_and_scroll_updates, | 
|  | uint32_t reset_token, | 
|  | mojo::ReportBadMessageCallback report_bad_message_callback) { | 
|  | TRACE_EVENT0("accessibility", "RenderFrameHostImpl::HandleAXEvents"); | 
|  | SCOPED_UMA_HISTOGRAM_TIMER_MICROS( | 
|  | "Accessibility.Performance.HandleAXEvents2"); | 
|  |  | 
|  | if (!render_accessibility_) { | 
|  | // `ui::AXMode::kWebContents` was removed from the delegate's accessibility | 
|  | // mode, so any received updates and events are stale and should be ignored. | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (is_waiting_for_unload_ack_) { | 
|  | // This frame has been unloaded and is awaiting destruction following the | 
|  | // UnloadACK. There is no reason to process any received updates and events. | 
|  | // In particular, the RenderFrameHostImpl is no longer reachable from its | 
|  | // former RenderFrameHostDelegate (WebContentsImpl), so it may not be | 
|  | // notified of changes to the accessibility mode. | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (tree_id != GetAXTreeID()) { | 
|  | // The message has arrived after the frame has navigated which means its | 
|  | // events are no longer relevant and can be discarded. | 
|  | if (!accessibility_testing_callback_.is_null()) { | 
|  | // The callback must still run, otherwise dump event tests can hang. | 
|  | accessibility_testing_callback_.Run(this, ax::mojom::Event::kNone, 0); | 
|  | } | 
|  | return; | 
|  | } | 
|  |  | 
|  | // A renderer should never send an accessibility update before web | 
|  | // accessibility is enabled. | 
|  | if (!accessibility_reset_token_ && | 
|  | reset_token != kAccessibilityResetTokenForTesting) { | 
|  | std::move(report_bad_message_callback).Run( | 
|  | "Unexpected accessibility message."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Don't process this IPC if either we're waiting on a reset and this IPC | 
|  | // doesn't have the matching token ID. | 
|  | // The token prevents obsolete data from being processed. | 
|  | if (*accessibility_reset_token_ != reset_token && | 
|  | reset_token != kAccessibilityResetTokenForTesting) { | 
|  | DVLOG(1) << "Ignoring obsolete accessibility data."; | 
|  | return; | 
|  | } | 
|  |  | 
|  | ui::AXMode accessibility_mode = delegate_->GetAccessibilityMode(); | 
|  | if (!accessibility_mode.has_mode(ui::AXMode::kWebContents)) { | 
|  | // Sometimes, this point is reached when the WebContents' mode is empty; | 
|  | // see https://crbug.com/326751711. | 
|  | SCOPED_CRASH_KEY_STRING256("ax", "ax_mode", accessibility_mode.ToString()); | 
|  | SCOPED_CRASH_KEY_STRING256("ax", "last_ax_mode", last_ax_mode_.ToString()); | 
|  | SCOPED_CRASH_KEY_NUMBER("ax", "page_close_state_", | 
|  | static_cast<int>(page_close_state_)); | 
|  | SCOPED_CRASH_KEY_BOOL("ax", "is_waiting_for_unload_ack_", | 
|  | is_waiting_for_unload_ack_); | 
|  | SCOPED_CRASH_KEY_BOOL("ax", "is_init_and_not_dead", | 
|  | GetProcess()->IsInitializedAndNotDead()); | 
|  | SCOPED_CRASH_KEY_NUMBER("ax", "render_frame_state", | 
|  | static_cast<int>(render_frame_state_)); | 
|  | SCOPED_CRASH_KEY_NUMBER("ax", "inner_tree_main_frame_tree_node_id", | 
|  | inner_tree_main_frame_tree_node_id_.value()); | 
|  | // TODO: crbug.com/40069097 - switch to CHECK. | 
|  | DUMP_WILL_BE_CHECK(false); | 
|  | } | 
|  |  | 
|  | // TODO(accessibility): we should probably consolidate these two params. | 
|  | updates_and_events.ax_tree_id = tree_id; | 
|  |  | 
|  | // If the page is in back/forward cache, do not return early and continue to | 
|  | // apply AX tree updates. | 
|  | // TODO(crbug.com/40841648): Define and implement the behavior for | 
|  | // when the page is prerendering, too. | 
|  | if (!IsInBackForwardCache() && | 
|  | IsInactiveAndDisallowActivation(DisallowActivationReasonId::kAXEvent)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetOrCreateBrowserAccessibilityManager(); | 
|  |  | 
|  | if (!location_and_scroll_updates.location_changes.empty() || | 
|  | !location_and_scroll_updates.scroll_changes.empty()) { | 
|  | HandleAXLocationChanges( | 
|  | tree_id, std::move(location_and_scroll_updates), reset_token, | 
|  | std::move(report_bad_message_callback));  // There's no calls to | 
|  | // report_bad_message_callback | 
|  | // below this line so should | 
|  | // be safe to move it. | 
|  | } | 
|  |  | 
|  | for (auto& update : updates_and_events.updates) { | 
|  | if (update.has_tree_data) { | 
|  | DCHECK_EQ(tree_id, update.tree_data.tree_id); | 
|  | ax_tree_data_ = update.tree_data; | 
|  | update.tree_data = GetAXTreeData(); | 
|  | } | 
|  | } | 
|  |  | 
|  | if (needs_ax_root_id_) { | 
|  | // This is the first update after the tree id changed. AXTree must be sent | 
|  | // a new root id, otherwise crashes are likely to result. | 
|  | DCHECK(!updates_and_events.updates.empty()); | 
|  | DCHECK_NE(ui::kInvalidAXNodeID, updates_and_events.updates[0].root_id); | 
|  | needs_ax_root_id_ = false; | 
|  | } | 
|  |  | 
|  | // We have to ensure this call when moving rather than copying. | 
|  | delegate_->ProcessAccessibilityUpdatesAndEvents(updates_and_events); | 
|  |  | 
|  | // This call steals the contents of the data to avoid copying. | 
|  | SendAccessibilityEventsToManager(updates_and_events); | 
|  |  | 
|  | // For testing only. | 
|  | if (!accessibility_testing_callback_.is_null()) { | 
|  | if (updates_and_events.events.empty()) { | 
|  | // Objects were marked dirty but no events were provided. | 
|  | // The callback must still run, otherwise dump event tests can hang. | 
|  | accessibility_testing_callback_.Run(this, ax::mojom::Event::kNone, 0); | 
|  | } else { | 
|  | // Call testing callback functions for each event to fire. | 
|  | for (auto& event : updates_and_events.events) { | 
|  | if (static_cast<int>(event.event_type) < 0) | 
|  | continue; | 
|  |  | 
|  | accessibility_testing_callback_.Run(this, event.event_type, event.id); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | if (!accessibility_reset_start_.is_null()) { | 
|  | base::UmaHistogramMediumTimes( | 
|  | is_first_accessibility_request_ | 
|  | ? "Accessibility.EventProcessingTime3.First" | 
|  | : "Accessibility.EventProcessingTime3.NotFirst", | 
|  | base::TimeTicks::Now() - accessibility_reset_start_); | 
|  | accessibility_reset_start_ = base::TimeTicks(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::HandleAXLocationChanges( | 
|  | const ui::AXTreeID& tree_id, | 
|  | ui::AXLocationAndScrollUpdates changes, | 
|  | uint32_t reset_token, | 
|  | mojo::ReportBadMessageCallback report_bad_message_callback) { | 
|  | if (tree_id != GetAXTreeID()) { | 
|  | // The message has arrived after the frame has navigated which means its | 
|  | // changes are no longer relevant and can be discarded. | 
|  | return; | 
|  | } | 
|  |  | 
|  | // A renderer should never send an accessibility update before web | 
|  | // accessibility is enabled. | 
|  | if (!accessibility_reset_token_ && | 
|  | reset_token != kAccessibilityResetTokenForTesting) { | 
|  | std::move(report_bad_message_callback).Run( | 
|  | "Unexpected accessibility message."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (*accessibility_reset_token_ != reset_token && | 
|  | reset_token != kAccessibilityResetTokenForTesting) { | 
|  | DVLOG(1) << "Ignoring obsolete accessibility data."; | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!base::FeatureList::IsEnabled(features::kDoNotEvictOnAXLocationChange)) { | 
|  | // If the flag is off, we should evict the back/forward cache entry. | 
|  | if (IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kAXLocationChange)) { | 
|  | return; | 
|  | } | 
|  | } | 
|  |  | 
|  | ui::BrowserAccessibilityManager* manager = | 
|  | GetOrCreateBrowserAccessibilityManager(); | 
|  | if (manager) { | 
|  | manager->OnLocationChanges(changes); | 
|  | } | 
|  |  | 
|  | delegate_->AccessibilityLocationChangesReceived(tree_id, changes); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResetWaitingState() { | 
|  | // We don't allow resetting waiting state when the RenderFrameHost is either | 
|  | // in BackForwardCache or in pending deletion state, as we don't allow | 
|  | // navigations from either of these two states. | 
|  | DCHECK(!IsInBackForwardCache()); | 
|  | DCHECK(!IsPendingDeletion()); | 
|  |  | 
|  | // Whenever we reset the RFH state, we should not be waiting for beforeunload | 
|  | // or close acks.  We clear them here to be safe, since they can cause | 
|  | // navigations to be ignored in DidCommitProvisionalLoad. | 
|  | if (is_waiting_for_beforeunload_completion_) { | 
|  | is_waiting_for_beforeunload_completion_ = false; | 
|  | if (beforeunload_timeout_) | 
|  | beforeunload_timeout_->Stop(); | 
|  | has_shown_beforeunload_dialog_ = false; | 
|  | beforeunload_pending_replies_.clear(); | 
|  | } | 
|  | send_before_unload_start_time_ = base::TimeTicks(); | 
|  | page_close_state_ = PageCloseState::kNotClosing; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsMhtmlSubframe() const { | 
|  | return !is_main_frame() && GetMainFrame()->is_mhtml_document(); | 
|  | } | 
|  |  | 
|  | CanCommitStatus RenderFrameHostImpl::CanCommitOriginAndUrl( | 
|  | const url::Origin& origin, | 
|  | const GURL& url, | 
|  | bool is_same_document_navigation, | 
|  | bool is_pdf, | 
|  | bool is_sandboxed) { | 
|  | // Note that callers are responsible for avoiding this function in modes that | 
|  | // can bypass these rules, such as --disable-web-security or certain Android | 
|  | // WebView features like universal access from file URLs. | 
|  |  | 
|  | // Renderer-debug URLs can never be committed. | 
|  | if (blink::IsRendererDebugURL(url)) { | 
|  | LogCanCommitOriginAndUrlFailureReason("is_renderer_debug_url"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_URL; | 
|  | } | 
|  |  | 
|  | // Verify that if this RenderFrameHost is for a WebUI it is not committing a | 
|  | // URL which is not allowed in a WebUI process. As we are at the commit stage, | 
|  | // set OriginIsolationRequest to kNone (this is implicitly done by the | 
|  | // UrlInfoInit constructor). | 
|  | if (!Navigator::CheckWebUIRendererDoesNotDisplayNormalURL( | 
|  | this, UrlInfo(UrlInfoInit(url).WithOrigin(origin).WithIsPdf(is_pdf)), | 
|  | /*is_renderer_initiated_check=*/true)) { | 
|  | return CanCommitStatus::CANNOT_COMMIT_URL; | 
|  | } | 
|  |  | 
|  | // Same-document navigations cannot change origins. | 
|  | if (features::IsEnforceSameDocumentOriginInvariantsEnabled() && | 
|  | is_same_document_navigation && origin != GetLastCommittedOrigin()) { | 
|  | LogCanCommitOriginAndUrlFailureReason("cross_origin_same_document"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_ORIGIN; | 
|  | } | 
|  |  | 
|  | // MHTML subframes can supply URLs at commit time that do not match the | 
|  | // process lock. For example, it can be either "cid:..." or arbitrary URL at | 
|  | // which the frame was at the time of generating the MHTML | 
|  | // (e.g. "http://localhost"). In such cases, don't verify the URL, but require | 
|  | // the URL to commit in the process of the main frame. | 
|  | if (IsMhtmlSubframe()) { | 
|  | RenderFrameHostImpl* main_frame = GetMainFrame(); | 
|  | if (IsSameSiteInstance(main_frame)) { | 
|  | return CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL; | 
|  | } | 
|  |  | 
|  | // If an MHTML subframe commits in a different process (even one that | 
|  | // appears correct for the subframe's URL), then we aren't correctly | 
|  | // loading it from the archive and should kill the renderer. | 
|  | static auto* const oopif_in_mhtml_page_key = | 
|  | base::debug::AllocateCrashKeyString("oopif_in_mhtml_page", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | oopif_in_mhtml_page_key, | 
|  | is_mhtml_document() ? "is_mhtml_doc" : "not_mhtml_doc"); | 
|  | LogCanCommitOriginAndUrlFailureReason("oopif_in_mhtml_page"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_URL; | 
|  | } | 
|  |  | 
|  | // Same-document navigations cannot change origins, as long as these checks | 
|  | // aren't being bypassed in unusual modes. This check must be after the MHTML | 
|  | // check, as shown by NavigationMhtmlBrowserTest.IframeAboutBlankNotFound. | 
|  | // TODO(crbug.com/40580002): Remove this block in favor of the enforcement | 
|  | // above once kEnforceSameDocumentOriginInvariants and | 
|  | // kTreatMhtmlInitialDocumentLoadsAsCrossDocument finish launching. | 
|  | if (!features::IsEnforceSameDocumentOriginInvariantsEnabled()) { | 
|  | if (is_same_document_navigation && origin != GetLastCommittedOrigin()) { | 
|  | LogCanCommitOriginAndUrlFailureReason("cross_origin_same_document"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_ORIGIN; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Give the client a chance to disallow URLs from committing. | 
|  | if (!GetContentClient()->browser()->CanCommitURL(GetProcess(), url)) { | 
|  | LogCanCommitOriginAndUrlFailureReason( | 
|  | "content_client_disallowed_commit_url"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_URL; | 
|  | } | 
|  |  | 
|  | // Check with ChildProcessSecurityPolicy, which enforces Site Isolation, etc. | 
|  | auto* policy = ChildProcessSecurityPolicyImpl::GetInstance(); | 
|  | const CanCommitStatus can_commit_status = policy->CanCommitOriginAndUrl( | 
|  | GetProcess()->GetDeprecatedID(), GetSiteInstance()->GetIsolationContext(), | 
|  | UrlInfo( | 
|  | UrlInfoInit(url) | 
|  | .WithOrigin(origin) | 
|  | .WithStoragePartitionConfig( | 
|  | GetSiteInstance()->GetSiteInfo().storage_partition_config()) | 
|  | .WithWebExposedIsolationInfo( | 
|  | GetSiteInstance()->GetWebExposedIsolationInfo()) | 
|  | .WithSandbox(is_sandboxed))); | 
|  | if (can_commit_status != CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL) { | 
|  | LogCanCommitOriginAndUrlFailureReason("cpspi_disallowed_commit"); | 
|  | return can_commit_status; | 
|  | } | 
|  |  | 
|  | const auto origin_tuple_or_precursor_tuple = | 
|  | origin.GetTupleOrPrecursorTupleIfOpaque(); | 
|  | if (origin_tuple_or_precursor_tuple.IsValid()) { | 
|  | // Verify that the origin/precursor is allowed to commit in this process. | 
|  | // Note: This also handles non-standard cases for |url|, such as | 
|  | // about:blank, data, and blob URLs. | 
|  |  | 
|  | // Renderer-debug URLs can never be committed. | 
|  | if (blink::IsRendererDebugURL(origin_tuple_or_precursor_tuple.GetURL())) { | 
|  | LogCanCommitOriginAndUrlFailureReason( | 
|  | "origin_or_precursor_is_renderer_debug_url"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_ORIGIN; | 
|  | } | 
|  |  | 
|  | // Give the client a chance to disallow origin URLs from committing. | 
|  | // TODO(acolwell): Fix this code to work with opaque origins. Currently | 
|  | // some opaque origin precursors, like chrome-extension schemes, can trigger | 
|  | // the commit to fail. These need to be investigated. | 
|  | if (!origin.opaque() && !GetContentClient()->browser()->CanCommitURL( | 
|  | GetProcess(), origin.GetURL())) { | 
|  | LogCanCommitOriginAndUrlFailureReason( | 
|  | "content_client_disallowed_commit_origin"); | 
|  | return CanCommitStatus::CANNOT_COMMIT_ORIGIN; | 
|  | } | 
|  | } | 
|  |  | 
|  | return CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CanSubframeCommitOriginAndUrl( | 
|  | NavigationRequest* navigation_request) { | 
|  | DCHECK(navigation_request); | 
|  | DCHECK(!is_main_frame()); | 
|  |  | 
|  | const int nav_entry_id = navigation_request->nav_entry_id(); | 
|  | // No validation of the main frame's origin is needed if the subframe | 
|  | // navigation doesn't target a different existing NavigationEntry. In such | 
|  | // cases, it's unlikely the wrong main frame origin could be displayed | 
|  | // afterward. | 
|  | if (nav_entry_id == 0) | 
|  | return true; | 
|  |  | 
|  | const int last_nav_entry_index = navigation_request->frame_tree_node() | 
|  | ->navigator() | 
|  | .controller() | 
|  | .GetLastCommittedEntryIndex(); | 
|  | const int dest_nav_entry_index = navigation_request->frame_tree_node() | 
|  | ->navigator() | 
|  | .controller() | 
|  | .GetEntryIndexWithUniqueID(nav_entry_id); | 
|  | if (dest_nav_entry_index <= 0 || dest_nav_entry_index == last_nav_entry_index) | 
|  | return true; | 
|  |  | 
|  | NavigationEntryImpl* dest_nav_entry = | 
|  | navigation_request->frame_tree_node() | 
|  | ->navigator() | 
|  | .controller() | 
|  | .GetEntryAtIndex(dest_nav_entry_index); | 
|  | auto dest_main_frame_fne = dest_nav_entry->root_node()->frame_entry; | 
|  |  | 
|  | // A subframe navigation should never lead to a NavigationEntry that looks | 
|  | // like a cross-document navigation in the main frame, since cross-document | 
|  | // navigations destroy all subframes. | 
|  | int64_t dest_main_frame_dsn = dest_main_frame_fne->document_sequence_number(); | 
|  | int64_t actual_main_frame_dsn = navigation_request->frame_tree_node() | 
|  | ->navigator() | 
|  | .controller() | 
|  | .GetLastCommittedEntry() | 
|  | ->root_node() | 
|  | ->frame_entry->document_sequence_number(); | 
|  | if (dest_main_frame_dsn != actual_main_frame_dsn) | 
|  | return false; | 
|  |  | 
|  | // At this point in request handling RenderFrameHostImpl may not have enough | 
|  | // information to derive an accurate value for what would be the new main | 
|  | // frame origin if this request gets committed. One case this can happen is | 
|  | // a NavigtionEntry from a restored session. To make the best of this | 
|  | // situation, skip validation of main frame origin and assume it will be valid | 
|  | // by assigning a known good value - i.e. the current main frame origin - then | 
|  | // continue so at least CanCommitOriginAndUrl can perform its checks using | 
|  | // dest_top_url. | 
|  | url::Origin dest_top_origin = | 
|  | dest_main_frame_fne->committed_origin().value_or( | 
|  | GetMainFrame()->GetLastCommittedOrigin()); | 
|  |  | 
|  | const GURL& dest_top_url = dest_nav_entry->GetURL(); | 
|  |  | 
|  | // Assume the change in main frame FrameNavigationEntry won't affect whether | 
|  | // the main frame is showing a PDF or a sandboxed document, since we don't | 
|  | // track that in FrameNavigationEntry. | 
|  | const bool is_top_pdf = | 
|  | GetMainFrame()->GetSiteInstance()->GetSiteInfo().is_pdf(); | 
|  | const bool is_top_sandboxed = | 
|  | GetMainFrame()->GetSiteInstance()->GetSiteInfo().is_sandboxed(); | 
|  |  | 
|  | return GetMainFrame()->CanCommitOriginAndUrl( | 
|  | dest_top_origin, dest_top_url, | 
|  | true /* is_same_document_navigation */, is_top_pdf, | 
|  | is_top_sandboxed) == CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Stop() { | 
|  | TRACE_EVENT1("navigation", "RenderFrameHostImpl::Stop", "render_frame_host", | 
|  | this); | 
|  | // Don't call GetAssociatedLocalFrame before the RenderFrame is created. | 
|  | if (!IsRenderFrameLive()) | 
|  | return; | 
|  | GetAssociatedLocalFrame()->StopLoading(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DispatchBeforeUnload(BeforeUnloadType type, | 
|  | bool is_reload) { | 
|  | TRACE_EVENT_WITH_FLOW0("navigation", | 
|  | "RenderFrameHostImpl::DispatchBeforeUnload", | 
|  | TRACE_ID_LOCAL(this), | 
|  | TRACE_EVENT_FLAG_FLOW_IN | TRACE_EVENT_FLAG_FLOW_OUT); | 
|  | bool for_navigation = | 
|  | type == BeforeUnloadType::BROWSER_INITIATED_NAVIGATION || | 
|  | type == BeforeUnloadType::RENDERER_INITIATED_NAVIGATION; | 
|  | bool for_inner_delegate_attach = | 
|  | type == BeforeUnloadType::INNER_DELEGATE_ATTACH; | 
|  | DCHECK(for_navigation || for_inner_delegate_attach || !is_reload); | 
|  |  | 
|  | // TAB_CLOSE and DISCARD should only dispatch beforeunload on outermost main | 
|  | // frames. | 
|  | DCHECK(type == BeforeUnloadType::BROWSER_INITIATED_NAVIGATION || | 
|  | type == BeforeUnloadType::RENDERER_INITIATED_NAVIGATION || | 
|  | type == BeforeUnloadType::INNER_DELEGATE_ATTACH || | 
|  | IsOutermostMainFrame()); | 
|  |  | 
|  | CHECK(owner_);  // Only active documents are subject to BeforeUnload. | 
|  |  | 
|  | if (!for_navigation) { | 
|  | // Cancel any pending navigations, to avoid their navigation commit/fail | 
|  | // event from wiping out the is_waiting_for_beforeunload_completion_ state. | 
|  | // Since this beforeunload is not for navigation, it must be for deleting | 
|  | // the frame (e.g. for tab discard), so set the reason accordingly. | 
|  | owner_->CancelNavigation(NavigationDiscardReason::kWillRemoveFrame); | 
|  | } | 
|  |  | 
|  | // In renderer-initiated navigations, don't check for beforeunload in the | 
|  | // navigating frame, as it has already run beforeunload before it sent the | 
|  | // BeginNavigation IPC. | 
|  | bool check_subframes_only = | 
|  | type == BeforeUnloadType::RENDERER_INITIATED_NAVIGATION; | 
|  | if (!ShouldDispatchBeforeUnload(check_subframes_only)) { | 
|  | // When running beforeunload for navigations, ShouldDispatchBeforeUnload() | 
|  | // is checked earlier and we would only get here if it had already returned | 
|  | // true. | 
|  | DCHECK(!for_navigation); | 
|  |  | 
|  | // Dispatch the ACK to prevent re-entrancy. | 
|  | base::SingleThreadTaskRunner::GetCurrentDefault()->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce(&RenderFrameHostManager::BeforeUnloadCompleted, | 
|  | owner_->GetRenderFrameHostManager().GetWeakPtr(), | 
|  | /*proceed=*/true)); | 
|  | return; | 
|  | } | 
|  | TRACE_EVENT_NESTABLE_ASYNC_BEGIN1( | 
|  | "navigation", "RenderFrameHostImpl BeforeUnload", TRACE_ID_LOCAL(this), | 
|  | "render_frame_host", this); | 
|  |  | 
|  | // This may be called more than once (if the user clicks the tab close button | 
|  | // several times, or if they click the tab close button then the browser close | 
|  | // button), and we only send the message once. | 
|  | if (is_waiting_for_beforeunload_completion_) { | 
|  | // Some of our close messages could be for the tab, others for cross-site | 
|  | // transitions. We always want to think it's for closing the tab if any | 
|  | // of the messages were, since otherwise it might be impossible to close | 
|  | // (if there was a cross-site "close" request pending when the user clicked | 
|  | // the close button). We want to keep the "for cross site" flag only if | 
|  | // both the old and the new ones are also for cross site. | 
|  | unload_ack_is_for_navigation_ = | 
|  | unload_ack_is_for_navigation_ && for_navigation; | 
|  | } else { | 
|  | // Start the hang monitor in case the renderer hangs in the beforeunload | 
|  | // handler. | 
|  | is_waiting_for_beforeunload_completion_ = true; | 
|  | beforeunload_dialog_request_cancels_unload_ = false; | 
|  | unload_ack_is_for_navigation_ = for_navigation; | 
|  | send_before_unload_start_time_ = base::TimeTicks::Now(); | 
|  | if (delegate_->IsJavaScriptDialogShowing()) { | 
|  | // If there is a JavaScript dialog up, don't bother sending the renderer | 
|  | // the unload event because it is known unresponsive, waiting for the | 
|  | // reply from the dialog. If this incoming request is for a DISCARD be | 
|  | // sure to reply with |proceed = false|, because the presence of a dialog | 
|  | // indicates that the page can't be discarded. | 
|  | SimulateBeforeUnloadCompleted(type != BeforeUnloadType::DISCARD); | 
|  | } else { | 
|  | // Start a timer that will be shared by all frames that need to run | 
|  | // beforeunload in the current frame's subtree. | 
|  | if (beforeunload_timeout_) | 
|  | beforeunload_timeout_->Start(beforeunload_timeout_delay_); | 
|  |  | 
|  | beforeunload_pending_replies_.clear(); | 
|  | beforeunload_dialog_request_cancels_unload_ = | 
|  | (type == BeforeUnloadType::DISCARD); | 
|  |  | 
|  | // Run beforeunload in this frame and its cross-process descendant | 
|  | // frames, in parallel. | 
|  | CheckOrDispatchBeforeUnloadForSubtree(check_subframes_only, | 
|  | /*send_ipc=*/true, is_reload); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CheckOrDispatchBeforeUnloadForSubtree( | 
|  | bool subframes_only, | 
|  | bool send_ipc, | 
|  | bool is_reload) { | 
|  | // Beforeunload is not supported inside fenced frame trees. | 
|  | if (IsFencedFrameRoot()) | 
|  | return false; | 
|  |  | 
|  | bool found_beforeunload = false; | 
|  | bool run_beforeunload_for_legacy = false; | 
|  |  | 
|  | ForEachRenderFrameHostImplWithAction( | 
|  | [this, subframes_only, send_ipc, is_reload, &found_beforeunload, | 
|  | &run_beforeunload_for_legacy]( | 
|  | RenderFrameHostImpl* rfh) -> FrameIterationAction { | 
|  | return CheckOrDispatchBeforeUnloadForFrame( | 
|  | subframes_only, send_ipc, is_reload, &found_beforeunload, | 
|  | &run_beforeunload_for_legacy, rfh); | 
|  | }); | 
|  |  | 
|  | if (run_beforeunload_for_legacy) { | 
|  | DCHECK(send_ipc); | 
|  | beforeunload_pending_replies_.insert(this); | 
|  | SendBeforeUnload(is_reload, GetWeakPtr(), /*for_legacy=*/true, | 
|  | /*is_renderer_initiated_navigation=*/subframes_only); | 
|  | } | 
|  |  | 
|  | return found_beforeunload; | 
|  | } | 
|  |  | 
|  | RenderFrameHost::FrameIterationAction | 
|  | RenderFrameHostImpl::CheckOrDispatchBeforeUnloadForFrame( | 
|  | bool subframes_only, | 
|  | bool send_ipc, | 
|  | bool is_reload, | 
|  | bool* found_beforeunload, | 
|  | bool* run_beforeunload_for_legacy, | 
|  | RenderFrameHostImpl* rfh) { | 
|  | // Don't traverse into inner pages. | 
|  | if (&GetPage() != &rfh->GetPage()) | 
|  | return FrameIterationAction::kSkipChildren; | 
|  |  | 
|  | // If |subframes_only| is true, skip this frame and its same-SiteInstanceGroup | 
|  | // descendants, which share a renderer-side frame tree.  This happens for | 
|  | // renderer-initiated navigations, where these frames have already run | 
|  | // beforeunload. | 
|  | if (subframes_only && | 
|  | rfh->GetSiteInstance()->group() == GetSiteInstance()->group()) { | 
|  | return FrameIterationAction::kContinue; | 
|  | } | 
|  |  | 
|  | // No need to run beforeunload if the RenderFrame isn't live. | 
|  | if (!rfh->IsRenderFrameLive()) | 
|  | return FrameIterationAction::kContinue; | 
|  |  | 
|  | // Only run beforeunload in frames that have registered a beforeunload | 
|  | // handler. See description of SendBeforeUnload() for details on simulating | 
|  | // beforeunload for legacy reasons. | 
|  | // | 
|  | // If `kAvoidUnnecessaryBeforeUnloadCheckSync` is enabled with | 
|  | // `kWithoutSendBeforeUnload` mode and there is no beforeunload handler for | 
|  | // the navigating frame, then do not simulate a beforeunload handler, and | 
|  | // navigation can continue. | 
|  | const bool run_beforeunload_for_legacy_frame = | 
|  | rfh == this && !rfh->has_before_unload_handler_ && | 
|  | !IsAvoidUnnecessaryBeforeUnloadCheckSyncEnabledFor( | 
|  | features::AvoidUnnecessaryBeforeUnloadCheckSyncMode:: | 
|  | kWithoutSendBeforeUnload); | 
|  | const bool should_run_beforeunload = | 
|  | rfh->has_before_unload_handler_ || run_beforeunload_for_legacy_frame; | 
|  |  | 
|  | if (!should_run_beforeunload) | 
|  | return FrameIterationAction::kContinue; | 
|  |  | 
|  | // If we're only checking whether there's at least one frame with | 
|  | // beforeunload, then we've just found one, so we can return now. | 
|  | *found_beforeunload = true; | 
|  | if (!send_ipc) | 
|  | return FrameIterationAction::kStop; | 
|  |  | 
|  | // Otherwise, figure out whether we need to send the IPC, or whether this | 
|  | // beforeunload was already triggered by an ancestor frame's IPC. | 
|  |  | 
|  | // Only send beforeunload to local roots, and let Blink handle any | 
|  | // same-site frames under them. That is, if a frame has a beforeunload | 
|  | // handler, ask its local root to run it. If we've already sent the message | 
|  | // to that local root, skip this frame. For example, in A1(A2,A3), if A2 | 
|  | // and A3 contain beforeunload handlers, and all three frames are | 
|  | // same-site, we ask A1 to run beforeunload for all three frames, and only | 
|  | // ask it once. | 
|  | while (!rfh->is_local_root() && rfh != this) | 
|  | rfh = rfh->GetParent(); | 
|  | if (base::Contains(beforeunload_pending_replies_, rfh)) | 
|  | return FrameIterationAction::kContinue; | 
|  |  | 
|  | // For a case like A(B(A)), it's not necessary to send an IPC for the | 
|  | // innermost frame, as Blink will walk all local (same-SiteInstanceGroup) | 
|  | // descendants. Detect cases like this and skip them. | 
|  | bool has_same_site_ancestor = false; | 
|  | for (RenderFrameHostImpl* added_rfh : beforeunload_pending_replies_) { | 
|  | if (rfh->IsDescendantOfWithinFrameTree(added_rfh) && | 
|  | rfh->GetSiteInstance()->group() == | 
|  | added_rfh->GetSiteInstance()->group()) { | 
|  | has_same_site_ancestor = true; | 
|  | break; | 
|  | } | 
|  | } | 
|  | if (has_same_site_ancestor) | 
|  | return FrameIterationAction::kContinue; | 
|  |  | 
|  | if (run_beforeunload_for_legacy_frame) { | 
|  | // Wait to schedule until all frames have been processed. The legacy | 
|  | // beforeunload is not needed if another frame has a beforeunload | 
|  | // handler. | 
|  | // Note for `kAvoidUnnecessaryBeforeUnloadCheckSync` feature: | 
|  | // `run_beforeunload_for_legacy_frame` is never true if | 
|  | // `kAvoidUnnecessaryBeforeUnloadCheckSync` is enabled with | 
|  | // `kWithoutSendBeforeUnload` mode. | 
|  | *run_beforeunload_for_legacy = true; | 
|  | return FrameIterationAction::kContinue; | 
|  | } | 
|  |  | 
|  | *run_beforeunload_for_legacy = false; | 
|  |  | 
|  | // Add |rfh| to the list of frames that need to receive beforeunload | 
|  | // ACKs. | 
|  | beforeunload_pending_replies_.insert(rfh); | 
|  |  | 
|  | SendBeforeUnload(is_reload, rfh->GetWeakPtr(), /*for_legacy=*/false, | 
|  | /*is_renderer_initiated_navigation=*/subframes_only); | 
|  | return FrameIterationAction::kContinue; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SimulateBeforeUnloadCompleted(bool proceed) { | 
|  | DCHECK(is_waiting_for_beforeunload_completion_); | 
|  | base::TimeTicks approx_renderer_start_time = send_before_unload_start_time_; | 
|  |  | 
|  | // Dispatch the ACK to prevent re-entrancy. | 
|  | base::SingleThreadTaskRunner::GetCurrentDefault()->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce(&RenderFrameHostImpl::ProcessBeforeUnloadCompleted, | 
|  | weak_ptr_factory_.GetWeakPtr(), proceed, | 
|  | /*treat_as_final_completion_callback=*/true, | 
|  | approx_renderer_start_time, base::TimeTicks::Now(), | 
|  | /*for_legacy=*/false)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldDispatchBeforeUnload( | 
|  | bool check_subframes_only) { | 
|  | return CheckOrDispatchBeforeUnloadForSubtree( | 
|  | check_subframes_only, /*send_ipc=*/false, /*is_reload=*/false); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetBeforeUnloadTimeoutDelayForTesting( | 
|  | const base::TimeDelta& timeout) { | 
|  | beforeunload_timeout_delay_ = timeout; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::StartPendingDeletionOnSubtree( | 
|  | RenderFrameHostImpl::PendingDeletionReason pending_deletion_reason) { | 
|  | TRACE_EVENT("navigation", | 
|  | "RenderFrameHostImpl::StartPendingDeletionOnSubtree", | 
|  | ChromeTrackEvent::kRenderFrameHost, this); | 
|  | std::string_view histogram_suffix = | 
|  | (pending_deletion_reason == PendingDeletionReason::kFrameDetach) | 
|  | ? "Detach" | 
|  | : "SwappedOut"; | 
|  | base::ScopedUmaHistogramTimer histogram_timer(base::StrCat( | 
|  | {"Navigation.StartPendingDeletionOnSubtree.", histogram_suffix})); | 
|  | DCHECK(IsPendingDeletion()); | 
|  |  | 
|  | if (pending_deletion_reason == PendingDeletionReason::kFrameDetach || | 
|  | !ShouldAvoidRedundantNavigationCancellations()) { | 
|  | // Reset all navigations happening in the FrameTreeNode only when entering | 
|  | // "pending deletion" state due to frame detach if the | 
|  | // kStopCancellingNavigationsOnCommitAndNewNavigation flag is enabled, or | 
|  | // for all pending deletion cases otherwise. | 
|  | NavigationDiscardReason reason = NavigationDiscardReason::kWillRemoveFrame; | 
|  | GetFrameTreeNodeForUnload()->CancelNavigation(reason); | 
|  | GetFrameTreeNodeForUnload() | 
|  | ->GetRenderFrameHostManager() | 
|  | .DiscardSpeculativeRFH(reason); | 
|  | ResetOwnedNavigationRequests(reason); | 
|  | } else { | 
|  | CHECK(pending_deletion_reason == PendingDeletionReason::kSwappedOut || | 
|  | ShouldAvoidRedundantNavigationCancellations()); | 
|  | // The pending deletion state is caused by swapping out the RFH. Reset only | 
|  | // the navigations that are owned by or will be using the swapped out RFH, | 
|  | // and also reset all navigations happening in the descendant frames. | 
|  | ResetNavigationsUsingSwappedOutRFH(); | 
|  | } | 
|  |  | 
|  | // For the child frames, we should delete all ongoing navigations | 
|  | // unconditionally, because the child frames will be deleted when this RFH | 
|  | // gets unloaded. Note that we are going through the RFH's children instead of | 
|  | // the FrameTreeNode's children, as the FTN might already have children that | 
|  | // isn't shared with the detached/swapped out RFH, e.g. in case of prerender | 
|  | // activation. | 
|  | for (auto& subframe : children_) { | 
|  | subframe->ResetAllNavigationsForFrameDetach(); | 
|  | } | 
|  |  | 
|  | base::ScopedUmaHistogramTimer histogram_timer_loop(base::StrCat( | 
|  | {"Navigation.StartPendingDeletionOnSubtree.Loop", histogram_suffix})); | 
|  | for (std::unique_ptr<FrameTreeNode>& child_frame : children_) { | 
|  | for (FrameTreeNode* node : frame_tree()->SubtreeNodes(child_frame.get())) { | 
|  | RenderFrameHostImpl* child = node->current_frame_host(); | 
|  | if (child->IsPendingDeletion()) | 
|  | continue; | 
|  |  | 
|  | // Blink handles deletion of all same-process descendants, running their | 
|  | // unload handler if necessary. So delegate sending IPC on the topmost | 
|  | // ancestor using the same process. | 
|  | RenderFrameHostImpl* local_ancestor = child; | 
|  | for (auto* rfh = child->parent_.get(); rfh != parent_; | 
|  | rfh = rfh->parent_) { | 
|  | if (rfh->GetSiteInstance()->group() == | 
|  | child->GetSiteInstance()->group()) { | 
|  | local_ancestor = rfh; | 
|  | } | 
|  | } | 
|  |  | 
|  | local_ancestor->DeleteRenderFrame( | 
|  | mojom::FrameDeleteIntention::kNotMainFrame); | 
|  | if (local_ancestor != child) { | 
|  | // In case of BackForwardCache, page is evicted directly from the cache | 
|  | // and deleted immediately, without waiting for unload handlers. | 
|  | child->SetLifecycleState( | 
|  | child->ShouldWaitForUnloadHandlers() | 
|  | ? LifecycleStateImpl::kRunningUnloadHandlers | 
|  | : LifecycleStateImpl::kReadyToBeDeleted); | 
|  | } | 
|  |  | 
|  | node->frame_tree().FrameUnloading(node); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PendingDeletionCheckCompleted() { | 
|  | if (lifecycle_state() == LifecycleStateImpl::kReadyToBeDeleted && | 
|  | children_.empty()) { | 
|  | check_deletion_for_bug_1276535_ = false; | 
|  | if (is_waiting_for_unload_ack_) { | 
|  | OnUnloaded();  // Delete |this|. | 
|  | // Do not add code after this. | 
|  | } else { | 
|  | parent_->RemoveChild(GetFrameTreeNodeForUnload()); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PendingDeletionCheckCompletedOnSubtree() { | 
|  | TRACE_EVENT("navigation", | 
|  | "RenderFrameHostImpl::PendingDeletionCheckCompletedOnSubtree", | 
|  | ChromeTrackEvent::kRenderFrameHost, this); | 
|  | base::ScopedUmaHistogramTimer histogram_timer( | 
|  | "Navigation.PendingDeletionCheckCompletedOnSubtree"); | 
|  |  | 
|  | if (children_.empty()) { | 
|  | PendingDeletionCheckCompleted();  // This might delete |this|. | 
|  | // DO NOT add code after this. | 
|  | return; | 
|  | } | 
|  |  | 
|  | base::WeakPtr<RenderFrameHostImpl> self = GetWeakPtr(); | 
|  | check_deletion_for_bug_1276535_ = true; | 
|  |  | 
|  | // Collect children first before calling PendingDeletionCheckCompleted(). It | 
|  | // can delete them and invalidate |children_|. When the last child has been | 
|  | // deleted, it might also delete |this|. | 
|  | // | 
|  | // https://crbug.com/1276535: We collect WeakPtr, because we suspect deleting | 
|  | // a child might delete the whole WebContent and everything it contained. | 
|  | std::vector<base::WeakPtr<RenderFrameHostImpl>> weak_children; | 
|  | for (std::unique_ptr<FrameTreeNode>& child : children_) { | 
|  | RenderFrameHostImpl* child_rfh = child->current_frame_host(); | 
|  | CHECK(child_rfh); | 
|  | weak_children.push_back(child_rfh->GetWeakPtr()); | 
|  | } | 
|  |  | 
|  | // DO NOT use |this| after this line. | 
|  |  | 
|  | for (base::WeakPtr<RenderFrameHostImpl>& child_rfh : weak_children) { | 
|  | if (child_rfh) { | 
|  | child_rfh->PendingDeletionCheckCompletedOnSubtree(); | 
|  | } | 
|  | } | 
|  |  | 
|  | if (self) { | 
|  | check_deletion_for_bug_1276535_ = false; | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResetNavigationsUsingSwappedOutRFH() { | 
|  | // Only delete the navigation owned by the swapped out RFH or those that | 
|  | // intend to use the swapped out RFH. | 
|  | ResetOwnedNavigationRequests( | 
|  | NavigationDiscardReason::kRenderFrameHostDestruction); | 
|  | const NavigationRequest* navigation_request = | 
|  | frame_tree_node_->navigation_request(); | 
|  | if (navigation_request && | 
|  | navigation_request->state() >= NavigationRequest::WILL_PROCESS_RESPONSE && | 
|  | navigation_request->GetRenderFrameHost() == this) { | 
|  | // It's possible for a RenderFrameHost to already have been picked for a | 
|  | // navigation but the NavigationRequest's ownership hasn't been moved to the | 
|  | // RenderFrameHost yet, if the navigation is deferred by a | 
|  | // NavigationThrottle or CommitDeferringCondition. We need to reset the | 
|  | // NavigationRequest to prevent it from trying to commit in the pending | 
|  | // deletion RFH. | 
|  | frame_tree_node_->ResetNavigationRequest( | 
|  | NavigationDiscardReason::kRenderFrameHostDestruction); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnSubframeDeletionUnloadTimeout() { | 
|  | DCHECK(IsPendingDeletion()); | 
|  | MaybeLogMissingUnloadAck(); | 
|  | parent_->RemoveChild(GetFrameTreeNodeForUnload()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetFocusedFrame() { | 
|  | GetAssociatedLocalFrame()->Focus(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AdvanceFocus(blink::mojom::FocusType type, | 
|  | RenderFrameProxyHost* source_proxy) { | 
|  | DCHECK(!source_proxy || (source_proxy->GetProcess()->GetDeprecatedID() == | 
|  | GetProcess()->GetDeprecatedID())); | 
|  |  | 
|  | std::optional<blink::RemoteFrameToken> frame_token; | 
|  | if (source_proxy) | 
|  | frame_token = source_proxy->GetFrameToken(); | 
|  |  | 
|  | GetAssociatedLocalFrame()->AdvanceFocusInFrame(type, frame_token); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::JavaScriptDialogClosed( | 
|  | JavaScriptDialogCallback dialog_closed_callback, | 
|  | bool success, | 
|  | const std::u16string& user_input) { | 
|  | GetProcess()->SetBlocked(false); | 
|  | std::move(dialog_closed_callback).Run(success, user_input); | 
|  | // If executing as part of beforeunload event handling, there may have been | 
|  | // timers stopped in this frame or a frame up in the frame hierarchy. Restart | 
|  | // any timers that were stopped in OnRunBeforeUnloadConfirm(). | 
|  | for (RenderFrameHostImpl* frame = this; frame; frame = frame->GetParent()) { | 
|  | if (frame->is_waiting_for_beforeunload_completion_ && | 
|  | frame->beforeunload_timeout_) { | 
|  | frame->beforeunload_timeout_->Start(beforeunload_timeout_delay_); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldDispatchPagehideAndVisibilitychangeDuringCommit( | 
|  | RenderFrameHostImpl* old_frame_host, | 
|  | const UrlInfo& dest_url_info) { | 
|  | // Only return true if this is a same-site navigation and we did a proactive | 
|  | // BrowsingInstance swap but we're reusing the old page's renderer process. | 
|  | DCHECK(old_frame_host); | 
|  | if (old_frame_host->GetSiteInstance()->IsRelatedSiteInstance( | 
|  | GetSiteInstance())) { | 
|  | return false; | 
|  | } | 
|  | if (old_frame_host->GetProcess() != GetProcess()) { | 
|  | return false; | 
|  | } | 
|  | if (!old_frame_host->IsNavigationSameSite(dest_url_info)) { | 
|  | return false; | 
|  | } | 
|  | DCHECK(is_main_frame()); | 
|  | DCHECK_NE(old_frame_host, this); | 
|  | DCHECK_NE(old_frame_host->GetSiteInstance(), GetSiteInstance()); | 
|  | return GetContentClient()->browser()->ShouldDispatchPagehideDuringCommit( | 
|  | GetSiteInstance()->GetBrowserContext(), dest_url_info.url); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::is_initial_empty_document() const { | 
|  | return frame_tree_node_->is_on_initial_empty_document(); | 
|  | } | 
|  |  | 
|  | uint32_t RenderFrameHostImpl::FindSuddenTerminationHandlers(bool same_origin) { | 
|  | uint32_t navigation_termination = 0; | 
|  | // Search this frame and subframes for sudden termination disablers | 
|  | ForEachRenderFrameHostImplWithAction([this, same_origin, | 
|  | &navigation_termination]( | 
|  | RenderFrameHostImpl* rfh) { | 
|  | if (same_origin && | 
|  | GetLastCommittedOrigin() != rfh->GetLastCommittedOrigin()) { | 
|  | return FrameIterationAction::kSkipChildren; | 
|  | } | 
|  | if (rfh->GetSuddenTerminationDisablerState( | 
|  | blink::mojom::SuddenTerminationDisablerType::kUnloadHandler)) { | 
|  | navigation_termination = navigation_termination | | 
|  | NavigationSuddenTerminationDisablerType::kUnload; | 
|  | // We can stop when we find the first unload handler. If we ever start | 
|  | // reporting other types of sudden termination handler, we will need to | 
|  | // continue. | 
|  | return FrameIterationAction::kStop; | 
|  | } | 
|  | return FrameIterationAction::kContinue; | 
|  | }); | 
|  | return navigation_termination; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RecordNavigationSuddenTerminationHandlers() { | 
|  | uint32_t navigation_termination = | 
|  | is_main_frame() ? NavigationSuddenTerminationDisablerType::kMainFrame : 0; | 
|  |  | 
|  | if (is_initial_empty_document()) { | 
|  | navigation_termination |= | 
|  | NavigationSuddenTerminationDisablerType::kInitialEmptyDocument; | 
|  | } | 
|  |  | 
|  | if (!GetLastCommittedURL().SchemeIsHTTPOrHTTPS()) { | 
|  | navigation_termination |= NavigationSuddenTerminationDisablerType::kNotHttp; | 
|  | } | 
|  |  | 
|  | base::UmaHistogramExactLinear( | 
|  | "Navigation.SuddenTerminationDisabler.AllOrigins", | 
|  | navigation_termination | | 
|  | FindSuddenTerminationHandlers(/*same_origin=*/false), | 
|  | NavigationSuddenTerminationDisablerType::kMaxValue * 2); | 
|  | base::UmaHistogramExactLinear( | 
|  | "Navigation.SuddenTerminationDisabler.SameOrigin", | 
|  | navigation_termination | | 
|  | FindSuddenTerminationHandlers(/*same_origin=*/true), | 
|  | NavigationSuddenTerminationDisablerType::kMaxValue * 2); | 
|  | } | 
|  |  | 
|  | const std::optional<base::UnguessableToken>& | 
|  | RenderFrameHostImpl::GetDevToolsNavigationToken() { | 
|  | // We shouldn't need to call this method while a RFH is speculative or pending | 
|  | // commit - there is a navigation in progress and its value will change | 
|  | // shortly. | 
|  | CHECK_GT(lifecycle_state(), LifecycleStateImpl::kPendingCommit); | 
|  | return document_associated_data_->devtools_navigation_token(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CommitNavigation( | 
|  | NavigationRequest* navigation_request, | 
|  | blink::mojom::CommonNavigationParamsPtr common_params, | 
|  | blink::mojom::CommitNavigationParamsPtr commit_params, | 
|  | network::mojom::URLResponseHeadPtr response_head, | 
|  | mojo::ScopedDataPipeConsumerHandle response_body, | 
|  | network::mojom::URLLoaderClientEndpointsPtr url_loader_client_endpoints, | 
|  | blink::mojom::ControllerServiceWorkerInfoPtr controller, | 
|  | std::optional<std::vector<blink::mojom::TransferrableURLLoaderPtr>> | 
|  | subresource_overrides, | 
|  | blink::mojom::ServiceWorkerContainerInfoForClientPtr container_info, | 
|  | const std::optional<blink::DocumentToken>& document_token, | 
|  | const base::UnguessableToken& devtools_navigation_token) { | 
|  | TRACE_EVENT2("navigation", "RenderFrameHostImpl::CommitNavigation", | 
|  | "navigation_request", navigation_request, "url", | 
|  | common_params->url); | 
|  | DCHECK(!blink::IsRendererDebugURL(common_params->url)); | 
|  | DCHECK(navigation_request); | 
|  | DCHECK_EQ(this, navigation_request->GetRenderFrameHost()); | 
|  | AssertBrowserContextShutdownHasntStarted(); | 
|  |  | 
|  | bool is_same_document = | 
|  | NavigationTypeUtils::IsSameDocument(common_params->navigation_type); | 
|  | bool is_mhtml_subframe = navigation_request->IsForMhtmlSubframe(); | 
|  |  | 
|  | // A |response| and a |url_loader_client_endpoints| must always be provided, | 
|  | // except for edge cases, where another way to load the document exist. | 
|  | DCHECK((response_head && url_loader_client_endpoints) || | 
|  | IsDocumentLoadedWithoutUrlLoaderClient( | 
|  | navigation_request, common_params->url, is_same_document, | 
|  | is_mhtml_subframe)); | 
|  |  | 
|  | // All children of MHTML documents must be MHTML documents. | 
|  | // As a defensive measure, crash the browser if something went wrong. | 
|  | if (!is_main_frame()) { | 
|  | RenderFrameHostImpl* root = GetMainFrame(); | 
|  | if (root->is_mhtml_document_) { | 
|  | bool loaded_from_outside_the_archive = | 
|  | response_head || url_loader_client_endpoints; | 
|  | CHECK(!loaded_from_outside_the_archive || | 
|  | common_params->url.SchemeIs(url::kDataScheme)); | 
|  | CHECK(navigation_request->IsForMhtmlSubframe()); | 
|  | CHECK_EQ(GetSiteInstance(), root->GetSiteInstance()); | 
|  | CHECK_EQ(GetProcess(), root->GetProcess()); | 
|  | } else { | 
|  | DCHECK(!navigation_request->IsForMhtmlSubframe()); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool is_srcdoc = common_params->url.IsAboutSrcdoc(); | 
|  | if (is_srcdoc) { | 
|  | // TODO(wjmaclean): initialize this in NavigationRequest's constructor | 
|  | // instead. | 
|  | commit_params->srcdoc_value = | 
|  | navigation_request->frame_tree_node()->srcdoc_value(); | 
|  | // Main frame srcdoc navigation are meaningless. They are blocked whenever a | 
|  | // navigation attempt is made. It shouldn't reach CommitNavigation. | 
|  | CHECK(!is_main_frame()); | 
|  |  | 
|  | // For a srcdoc iframe, we expect it to either be in its parent's | 
|  | // SiteInstance (either AreIsolatedSandboxedIframesEnabled is false or | 
|  | // both parent and child are sandboxed), or that the two are in different | 
|  | // SiteInstances when only the child is sandboxed. | 
|  | CHECK(GetSiteInstance() == parent_->GetSiteInstance() || | 
|  | !parent_->GetSiteInstance()->GetSiteInfo().is_sandboxed() && | 
|  | GetSiteInstance()->GetSiteInfo().is_sandboxed()); | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40092527): Compute the Origin to commit here. | 
|  |  | 
|  | // If this is an attempt to commit a URL in an incompatible process, capture a | 
|  | // crash dump to diagnose why it is occurring. | 
|  | // TODO(creis): Remove this check after we've gathered enough information to | 
|  | // debug issues with browser-side security checks. https://crbug.com/931895. | 
|  | auto* policy = ChildProcessSecurityPolicyImpl::GetInstance(); | 
|  | const ProcessLock process_lock = | 
|  | ProcessLock::FromSiteInfo(GetSiteInstance()->GetSiteInfo()); | 
|  | auto browser_calc_origin_to_commit = navigation_request->GetOriginToCommit(); | 
|  | if (!process_lock.is_error_page() && !is_mhtml_subframe && | 
|  | !policy->CanAccessOrigin( | 
|  | GetProcess()->GetDeprecatedID(), | 
|  | browser_calc_origin_to_commit.value(), | 
|  | ChildProcessSecurityPolicyImpl::AccessType::kCanCommitNewOrigin)) { | 
|  | SCOPED_CRASH_KEY_STRING64("CommitNavigation", "lock_url", | 
|  | process_lock.ToString()); | 
|  | SCOPED_CRASH_KEY_STRING64( | 
|  | "CommitNavigation", "commit_url_origin", | 
|  | common_params->url.DeprecatedGetOriginAsURL().spec()); | 
|  | SCOPED_CRASH_KEY_STRING64( | 
|  | "CommitNavigation", "browser_calc_origin", | 
|  | browser_calc_origin_to_commit.value().GetDebugString()); | 
|  | SCOPED_CRASH_KEY_BOOL("CommitNavigation", "is_main_frame", is_main_frame()); | 
|  | // The reason this isn't is_outermost_main_frame is so that the full name of | 
|  | // the key does not exceed the 40 character limit. | 
|  | SCOPED_CRASH_KEY_BOOL("CommitNavigation", "is_outermost_frame", | 
|  | IsOutermostMainFrame()); | 
|  | NOTREACHED() << "Commiting in incompatible process for URL: " | 
|  | << process_lock.lock_url() << " lock vs " | 
|  | << common_params->url.DeprecatedGetOriginAsURL(); | 
|  | } | 
|  |  | 
|  | const bool is_first_navigation = !has_committed_any_navigation_; | 
|  | has_committed_any_navigation_ = true; | 
|  |  | 
|  | UpdatePermissionsForNavigation(navigation_request); | 
|  |  | 
|  | // Get back to a clean state, in case we start a new navigation without | 
|  | // completing an unload handler. | 
|  | ResetWaitingState(); | 
|  |  | 
|  | // The renderer can exit view source mode when any error or cancellation | 
|  | // happen. When reusing the same renderer, overwrite to recover the mode. | 
|  | if (commit_params->is_view_source && IsActive()) { | 
|  | DCHECK(!GetParentOrOuterDocument()); | 
|  | GetAssociatedLocalFrame()->EnableViewSourceMode(); | 
|  | } | 
|  |  | 
|  | // TODO(lfg): The renderer is not able to handle a null response, so the | 
|  | // browser provides an empty response instead. See the DCHECK in the beginning | 
|  | // of this method for the edge cases where a response isn't provided. | 
|  | network::mojom::URLResponseHeadPtr head = | 
|  | response_head ? std::move(response_head) | 
|  | : network::mojom::URLResponseHead::New(); | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | subresource_loader_factories; | 
|  | if (!is_same_document || is_first_navigation) { | 
|  | recreate_default_url_loader_factory_after_network_service_crash_ = false; | 
|  | subresource_loader_factories = | 
|  | std::make_unique<blink::PendingURLLoaderFactoryBundle>(); | 
|  | BrowserContext* browser_context = GetSiteInstance()->GetBrowserContext(); | 
|  | auto subresource_loader_factories_config = | 
|  | SubresourceLoaderFactoriesConfig::ForPendingNavigation( | 
|  | *navigation_request); | 
|  |  | 
|  | // Calculate `effective_scheme` - this will be the main input for deciding | 
|  | // whether the new document should have access to special URLLoaderFactories | 
|  | // like FileURLLoaderFactory, ContentURLLoaderFactory, | 
|  | // WebUIURLLoaderFactory, etc.  We look at GetTupleOrPrecursorTupleIfOpaque | 
|  | // to make sure the old behavior of sandboxed frames is preserved - see also | 
|  | // the FileURLLoaderFactory...SubresourcesInSandboxedFileFrame test. | 
|  | const std::string& effective_scheme = | 
|  | subresource_loader_factories_config.origin() | 
|  | .GetTupleOrPrecursorTupleIfOpaque() | 
|  | .scheme(); | 
|  |  | 
|  | ContentBrowserClient::NonNetworkURLLoaderFactoryMap non_network_factories; | 
|  |  | 
|  | // Set up the default factory. | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | pending_default_factory; | 
|  |  | 
|  | // See if this is for WebUI. | 
|  | const auto& webui_schemes = URLDataManagerBackend::GetWebUISchemes(); | 
|  | if (base::Contains(webui_schemes, effective_scheme)) { | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> factory_for_webui = | 
|  | url_loader_factory::CreatePendingRemote( | 
|  | ContentBrowserClient::URLLoaderFactoryType::kDocumentSubResource, | 
|  | url_loader_factory::TerminalParams::ForNonNetwork( | 
|  | CreateWebUIURLLoaderFactory(this, effective_scheme, {}), | 
|  | GetProcess()->GetDeprecatedID()), | 
|  | url_loader_factory::ContentClientParams( | 
|  | browser_context, this, GetProcess()->GetDeprecatedID(), | 
|  | subresource_loader_factories_config.origin(), | 
|  | net::IsolationInfo(), | 
|  | subresource_loader_factories_config.ukm_source_id())); | 
|  |  | 
|  | // If the renderer has webui bindings, then don't give it access to | 
|  | // network loader for security reasons. | 
|  | // http://crbug.com/829412: make an exception for a small whitelist | 
|  | // of WebUIs that need to be fixed to not make network requests in JS. | 
|  | if ((enabled_bindings_.HasAny(kWebUIBindingsPolicySet)) && | 
|  | !GetContentClient()->browser()->IsWebUIAllowedToMakeNetworkRequests( | 
|  | subresource_loader_factories_config.origin())) { | 
|  | pending_default_factory = std::move(factory_for_webui); | 
|  | // WebUIURLLoaderFactory will kill the renderer if it sees a request | 
|  | // with a non-chrome scheme. Register a URLLoaderFactory for the about | 
|  | // scheme so about:blank doesn't kill the renderer. | 
|  | non_network_factories[url::kAboutScheme] = | 
|  | AboutURLLoaderFactory::Create(); | 
|  | // Send resource metadata necessary to construct an in-process resource | 
|  | // loader in the WebUI renderer process. | 
|  | subresource_loader_factories->set_local_resource_loader_config( | 
|  | local_resource_loader_config_.Clone()); | 
|  | } else { | 
|  | // This is a webui scheme that doesn't have webui bindings. Give it | 
|  | // access to the network loader as it might require it. | 
|  | subresource_loader_factories->pending_scheme_specific_factories() | 
|  | .emplace(effective_scheme, std::move(factory_for_webui)); | 
|  | } | 
|  | } | 
|  |  | 
|  | if (navigation_request->IsMhtmlOrSubframe()) { | 
|  | // MHTML frames are not allowed to make any network requests - all their | 
|  | // subresource requests should be fulfilled from the MHTML archive. | 
|  | pending_default_factory = | 
|  | network::NotImplementedURLLoaderFactory::Create(); | 
|  | } | 
|  |  | 
|  | if (!pending_default_factory) { | 
|  | // Otherwise default to a Network Service-backed loader from the | 
|  | // appropriate NetworkContext. | 
|  | recreate_default_url_loader_factory_after_network_service_crash_ = true; | 
|  |  | 
|  | // Otherwise default to a Network Service-backed loader from the | 
|  | // appropriate NetworkContext. | 
|  | bool bypass_redirect_checks = | 
|  | CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | CreateURLLoaderFactoryParamsForMainWorld( | 
|  | subresource_loader_factories_config, | 
|  | "RFHI::CommitNavigation"), | 
|  | subresource_loader_factories_config.ukm_source_id(), | 
|  | pending_default_factory.InitWithNewPipeAndPassReceiver()); | 
|  | subresource_loader_factories->set_bypass_redirect_checks( | 
|  | bypass_redirect_checks); | 
|  | } | 
|  |  | 
|  | DCHECK(pending_default_factory); | 
|  | subresource_loader_factories->pending_default_factory() = | 
|  | std::move(pending_default_factory); | 
|  |  | 
|  | // Only documents from a file precursor scheme can load file subresoruces. | 
|  | if (effective_scheme == url::kFileScheme) { | 
|  | // USER_BLOCKING because this scenario is exactly one of the examples | 
|  | // given by the doc comment for USER_BLOCKING: Loading and rendering a web | 
|  | // page after the user clicks a link. | 
|  | base::TaskPriority file_factory_priority = | 
|  | base::TaskPriority::USER_BLOCKING; | 
|  | non_network_factories.emplace( | 
|  | url::kFileScheme, | 
|  | FileURLLoaderFactory::Create( | 
|  | browser_context->GetPath(), | 
|  | browser_context->GetSharedCorsOriginAccessList(), | 
|  | file_factory_priority)); | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | if (effective_scheme == url::kContentScheme && | 
|  | !navigation_request->GetUrlInfo().is_pdf) { | 
|  | // Only non-PDF content:// URLs can load content:// subresources. PDF URIs | 
|  | // shouldn't load other content URIs. | 
|  | non_network_factories.emplace(url::kContentScheme, | 
|  | ContentURLLoaderFactory::Create()); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | auto* partition = GetStoragePartition(); | 
|  | non_network_factories.emplace( | 
|  | url::kFileSystemScheme, | 
|  | CreateFileSystemURLLoaderFactory( | 
|  | GetProcess()->GetDeprecatedID(), GetFrameTreeNodeId(), | 
|  | partition->GetFileSystemContext(), partition->GetPartitionDomain(), | 
|  | commit_params->storage_key)); | 
|  |  | 
|  | non_network_factories.emplace(url::kDataScheme, | 
|  | DataURLLoaderFactory::Create()); | 
|  |  | 
|  | GetContentClient() | 
|  | ->browser() | 
|  | ->RegisterNonNetworkSubresourceURLLoaderFactories( | 
|  | GetProcess()->GetDeprecatedID(), routing_id_, | 
|  | subresource_loader_factories_config.origin(), | 
|  | &non_network_factories); | 
|  |  | 
|  | for (auto& factory : non_network_factories) { | 
|  | const std::string& scheme = factory.first; | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | original_pending_factory = std::move(factory.second); | 
|  | // TODO(crbug.com/40243371): Remove the workaround below once the | 
|  | // root cause of the bug has been fixed. | 
|  | if (!original_pending_factory) | 
|  | continue; | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | pending_factory_proxy; | 
|  | url_loader_factory::CreateAndConnectToPendingReceiver( | 
|  | pending_factory_proxy.InitWithNewPipeAndPassReceiver(), | 
|  | ContentBrowserClient::URLLoaderFactoryType::kDocumentSubResource, | 
|  | url_loader_factory::TerminalParams::ForNonNetwork( | 
|  | std::move(original_pending_factory), | 
|  | GetProcess()->GetDeprecatedID()), | 
|  | url_loader_factory::ContentClientParams( | 
|  | GetBrowserContext(), this, GetProcess()->GetDeprecatedID(), | 
|  | subresource_loader_factories_config.origin(), | 
|  | net::IsolationInfo(), | 
|  | subresource_loader_factories_config.ukm_source_id()), | 
|  | devtools_instrumentation::WillCreateURLLoaderFactoryParams::ForFrame( | 
|  | this)); | 
|  | subresource_loader_factories->pending_scheme_specific_factories().emplace( | 
|  | scheme, std::move(pending_factory_proxy)); | 
|  | } | 
|  |  | 
|  | subresource_loader_factories->pending_isolated_world_factories() = | 
|  | CreateURLLoaderFactoriesForIsolatedWorlds( | 
|  | subresource_loader_factories_config, | 
|  | isolated_worlds_requiring_separate_url_loader_factory_); | 
|  | } | 
|  |  | 
|  | // It is imperative that cross-document navigations always provide a set of | 
|  | // subresource ULFs. | 
|  | DCHECK(is_same_document || !is_first_navigation || is_srcdoc || | 
|  | subresource_loader_factories); | 
|  |  | 
|  | commit_params->should_skip_screenshot = | 
|  | NavigationTransitionUtils::ShouldSkipScreenshot(*navigation_request); | 
|  |  | 
|  | if (commit_params->load_with_storage_access != | 
|  | net::StorageAccessApiStatus::kNone) { | 
|  | SetStorageAccessApiStatus(commit_params->load_with_storage_access); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* previous_rfh = | 
|  | navigation_request->frame_tree_node()->current_frame_host(); | 
|  | if (is_same_document) { | 
|  | DCHECK_EQ(previous_rfh, this); | 
|  | const base::UnguessableToken& navigation_token = | 
|  | commit_params->navigation_token; | 
|  | commit_params->has_ua_visual_transition = | 
|  | navigation_request->was_initiated_by_animated_transition(); | 
|  | DCHECK(GetSameDocumentNavigationRequest(navigation_token)); | 
|  | bool should_replace_current_entry = | 
|  | common_params->should_replace_current_entry; | 
|  | { | 
|  | auto scope = MakeUrgentMessageScopeIfNeeded(); | 
|  | GetMojomFrameInRenderer()->CommitSameDocumentNavigation( | 
|  | std::move(common_params), std::move(commit_params), | 
|  | base::BindOnce(&RenderFrameHostImpl::OnSameDocumentCommitProcessed, | 
|  | base::Unretained(this), navigation_token, | 
|  | should_replace_current_entry)); | 
|  | } | 
|  | } else { | 
|  | // Set up the subresource loader factory that will pass requests from the | 
|  | // renderer to the originally intended network service endpoint. To save | 
|  | // memory, this is intentionally shared for prefetch, topics, and | 
|  | // keep-alive. | 
|  | scoped_refptr<network::SharedURLLoaderFactory> | 
|  | subresource_proxying_factory_bundle; | 
|  | if (subresource_loader_factories) { | 
|  | // Clone the factory bundle for prefetch. | 
|  | auto bundle = base::MakeRefCounted<blink::URLLoaderFactoryBundle>( | 
|  | std::move(subresource_loader_factories)); | 
|  | subresource_loader_factories = CloneFactoryBundle(bundle); | 
|  |  | 
|  | subresource_proxying_factory_bundle = | 
|  | network::SharedURLLoaderFactory::Create(CloneFactoryBundle(bundle)); | 
|  | } | 
|  |  | 
|  | // Set up the subresource loader factory to be passed to the renderer. It is | 
|  | // used to proxy relevant subresoruce requests (e.g. prefetch, topics) | 
|  | // through the browser process. | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | subresource_proxying_loader_factory_for_renderer; | 
|  | if (subresource_proxying_factory_bundle) { | 
|  | if (prefetched_signed_exchange_cache_) { | 
|  | prefetched_signed_exchange_cache_->RecordHistograms(); | 
|  | // Reset |prefetched_signed_exchange_cache_|, not to reuse the cached | 
|  | // signed exchange which was prefetched in the previous page. | 
|  | prefetched_signed_exchange_cache_.reset(); | 
|  | } | 
|  |  | 
|  | // Also set-up URLLoaderFactory for prefetch using the same loader | 
|  | // factories. TODO(kinuko): Consider setting this up only when relevant | 
|  | // requests are encountered. Currently we have this here to make sure we | 
|  | // have non-racy situation (https://crbug.com/849929). | 
|  | base::WeakPtr<SubresourceProxyingURLLoaderService::BindContext> | 
|  | bind_context = | 
|  | GetStoragePartition() | 
|  | ->GetSubresourceProxyingURLLoaderService() | 
|  | ->GetFactory(subresource_proxying_loader_factory_for_renderer | 
|  | .InitWithNewPipeAndPassReceiver(), | 
|  | navigation_request->frame_tree_node() | 
|  | ->frame_tree_node_id(), | 
|  | subresource_proxying_factory_bundle, | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | EnsurePrefetchedSignedExchangeCache()); | 
|  |  | 
|  | navigation_request | 
|  | ->set_subresource_proxying_url_loader_service_bind_context( | 
|  | bind_context); | 
|  | } | 
|  |  | 
|  | // Set up the keepalive loader factory. It is used to proxy the keepalive | 
|  | // requests, i.e. fetch(..., {keepalive: true}), via the browser process. | 
|  | // See | 
|  | // https://docs.google.com/document/d/1ZzxMMBvpqn8VZBZKnb7Go8TWjnrGcXuLS_USwVVRUvY/edit | 
|  | // Note that this loader does not depend on | 
|  | // `subresource_proxying_loader_factory_for_renderer`. | 
|  | // | 
|  | // TODO(crbug.com/40266418): consolidate with | 
|  | // `subresource_proxying_loader_factory_for_renderer` so that requests can | 
|  | // be properly handled when both keepalive and browsing_topics are | 
|  | // specified. | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | keep_alive_loader_factory; | 
|  | if (subresource_proxying_factory_bundle && | 
|  | base::FeatureList::IsEnabled( | 
|  | blink::features::kKeepAliveInBrowserMigration)) { | 
|  | // Set up URLLoaderFactory for keepalive using the same loader factories | 
|  | // `subresource_proxying_factory_bundle`. | 
|  | base::WeakPtr<KeepAliveURLLoaderService::FactoryContext> context = | 
|  | GetStoragePartition()->GetKeepAliveURLLoaderService()->BindFactory( | 
|  | keep_alive_loader_factory.InitWithNewPipeAndPassReceiver(), | 
|  | subresource_proxying_factory_bundle, | 
|  | navigation_request->GetPolicyContainerHost()); | 
|  | navigation_request->set_keep_alive_url_loader_factory_context(context); | 
|  | } | 
|  | // Set up the fetchlater loader factory. It is used to proxy FetchLater | 
|  | // requests via the browser process. | 
|  | // See | 
|  | // https://docs.google.com/document/d/1U8XSnICPY3j-fjzG35UVm6zjwL6LvX6ETU3T8WrzLyQ/edit | 
|  | mojo::PendingAssociatedRemote<blink::mojom::FetchLaterLoaderFactory> | 
|  | fetch_later_loader_factory; | 
|  | if (subresource_proxying_factory_bundle && | 
|  | base::FeatureList::IsEnabled(blink::features::kFetchLaterAPI)) { | 
|  | base::WeakPtr<KeepAliveURLLoaderService::FactoryContext> context = | 
|  | GetStoragePartition() | 
|  | ->GetKeepAliveURLLoaderService() | 
|  | ->BindFetchLaterLoaderFactory( | 
|  | fetch_later_loader_factory | 
|  | .InitWithNewEndpointAndPassReceiver(), | 
|  | subresource_proxying_factory_bundle, | 
|  | navigation_request->GetPolicyContainerHost()); | 
|  | navigation_request->set_fetch_later_loader_factory_context(context); | 
|  | } | 
|  |  | 
|  | mojom::NavigationClient* navigation_client = | 
|  | navigation_request->GetCommitNavigationClient(); | 
|  |  | 
|  | // Record the metrics about the state of the old main frame at the moment | 
|  | // when we navigate away from it as it matters for whether the page | 
|  | // is eligible for being put into back-forward cache. | 
|  | // | 
|  | // Ideally we would do this when we are just about to swap out the old | 
|  | // render frame and swap in the new one, but we can't do this for | 
|  | // same-process navigations yet as we are reusing the RenderFrameHost and | 
|  | // as the local frame navigates it overrides the values that we are | 
|  | // interested in. The cross-process navigation case is handled in | 
|  | // RenderFrameHostManager::UnloadOldFrame. | 
|  | // | 
|  | // Here we are recording the metrics for same-process navigations at the | 
|  | // point just before the navigation commits. | 
|  | // TODO(altimin, crbug.com/933147): Remove this logic after we are done with | 
|  | // implementing back-forward cache. | 
|  | if (!GetParent() && previous_rfh == this) { | 
|  | if (NavigationEntryImpl* last_committed_entry = | 
|  | NavigationEntryImpl::FromNavigationEntry( | 
|  | navigation_request->frame_tree_node() | 
|  | ->frame_tree() | 
|  | .controller() | 
|  | .GetLastCommittedEntry())) { | 
|  | if (last_committed_entry->back_forward_cache_metrics()) { | 
|  | last_committed_entry->back_forward_cache_metrics() | 
|  | ->RecordFeatureUsage(this); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | blink::mojom::PolicyContainerPtr policy_container = | 
|  | navigation_request->CreatePolicyContainerForBlink(); | 
|  |  | 
|  | auto isolation_info = GetSiteInstance()->GetWebExposedIsolationInfo(); | 
|  |  | 
|  | std::optional<network::ParsedPermissionsPolicy> manifest_policy; | 
|  | if (IsOutermostMainFrame() && isolation_info.is_isolated_application()) { | 
|  | if (auto isolated_web_app_permissions_policy = | 
|  | delegate_->GetPermissionsPolicyForIsolatedWebApp(this)) { | 
|  | manifest_policy = std::move(isolated_web_app_permissions_policy); | 
|  | } | 
|  | } | 
|  |  | 
|  | if (common_params->url.SchemeIsHTTPOrHTTPS() && IsOutermostMainFrame() && | 
|  | (!navigation_request->IsRestore() || | 
|  | blink::features::kBoostRenderProcessForLoadingPrioritizeRestore | 
|  | .Get()) && | 
|  | ShouldBoostRenderProcessForLoading(lifecycle_state_, | 
|  | frame_tree_->is_prerendering()) && | 
|  | // By default, bump the process priority only for browser (embedder) | 
|  | // initiated prerendering, as a user is more likely to visit the page | 
|  | // than the renderer initiated prerendering (i.e., speculation rules). | 
|  | (!navigation_request->IsRendererInitiated() || | 
|  | BoostRendererInitiatedNavigation()) && | 
|  | IsTargetUrlOfBoostRenderProcessForLoading(common_params->url)) { | 
|  | BoostRenderProcessForLoading(); | 
|  | } | 
|  | if (common_params->url.SchemeIsHTTPOrHTTPS() && IsOutermostMainFrame()) { | 
|  | RecordIsProcessBackgrounded("OnCommit", GetProcess()->GetPriority()); | 
|  | } | 
|  |  | 
|  | SendCommitNavigation( | 
|  | navigation_client, navigation_request, std::move(common_params), | 
|  | std::move(commit_params), std::move(head), std::move(response_body), | 
|  | std::move(url_loader_client_endpoints), | 
|  | std::move(subresource_loader_factories), | 
|  | std::move(subresource_overrides), std::move(controller), | 
|  | std::move(container_info), | 
|  | std::move(subresource_proxying_loader_factory_for_renderer), | 
|  | std::move(keep_alive_loader_factory), | 
|  | std::move(fetch_later_loader_factory), manifest_policy, | 
|  | std::move(policy_container), *document_token, | 
|  | devtools_navigation_token); | 
|  | navigation_request->frame_tree_node() | 
|  | ->navigator() | 
|  | .LogCommitNavigationSent(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::FailedNavigation( | 
|  | NavigationRequest* navigation_request, | 
|  | const blink::mojom::CommonNavigationParams& common_params, | 
|  | const blink::mojom::CommitNavigationParams& commit_params, | 
|  | bool has_stale_copy_in_cache, | 
|  | int error_code, | 
|  | int extended_error_code, | 
|  | const std::optional<std::string>& error_page_content, | 
|  | const blink::DocumentToken& document_token) { | 
|  | TRACE_EVENT2("navigation", "RenderFrameHostImpl::FailedNavigation", | 
|  | "navigation_request", navigation_request, "error", error_code); | 
|  |  | 
|  | DCHECK(navigation_request); | 
|  |  | 
|  | // Update renderer permissions even for failed commits, so that for example | 
|  | // the URL bar correctly displays privileged URLs instead of filtering them. | 
|  | UpdatePermissionsForNavigation(navigation_request); | 
|  |  | 
|  | // Get back to a clean state, in case a new navigation started without | 
|  | // completing an unload handler. | 
|  | ResetWaitingState(); | 
|  |  | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | subresource_loader_factories; | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> default_factory_remote; | 
|  | bool bypass_redirect_checks = CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | CreateURLLoaderFactoryParamsForMainWorld( | 
|  | SubresourceLoaderFactoriesConfig::ForPendingNavigation( | 
|  | *navigation_request), | 
|  | "RFHI::FailedNavigation"), | 
|  | ukm::kInvalidSourceIdObj, | 
|  | default_factory_remote.InitWithNewPipeAndPassReceiver()); | 
|  | subresource_loader_factories = | 
|  | std::make_unique<blink::PendingURLLoaderFactoryBundle>( | 
|  | std::move(default_factory_remote), | 
|  | blink::PendingURLLoaderFactoryBundle::SchemeMap(), | 
|  | blink::PendingURLLoaderFactoryBundle::OriginMap(), | 
|  | /*local_resource_loader_config=*/nullptr, bypass_redirect_checks); | 
|  | recreate_default_url_loader_factory_after_network_service_crash_ = true; | 
|  |  | 
|  | mojom::NavigationClient* navigation_client = | 
|  | navigation_request->GetCommitNavigationClient(); | 
|  |  | 
|  | blink::mojom::PolicyContainerPtr policy_container = | 
|  | navigation_request->CreatePolicyContainerForBlink(); | 
|  |  | 
|  | SendCommitFailedNavigation( | 
|  | navigation_client, navigation_request, common_params.Clone(), | 
|  | commit_params.Clone(), has_stale_copy_in_cache, error_code, | 
|  | extended_error_code, error_page_content, | 
|  | std::move(subresource_loader_factories), document_token, | 
|  | navigation_request->devtools_navigation_token(), | 
|  | std::move(policy_container)); | 
|  |  | 
|  | // TODO(crbug.com/40149432): support UKM source creation for failed | 
|  | // navigations too. | 
|  |  | 
|  | has_committed_any_navigation_ = true; | 
|  | DCHECK(navigation_request && navigation_request->IsNavigationStarted() && | 
|  | navigation_request->DidEncounterError()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AddResourceTimingEntryForFailedSubframeNavigation( | 
|  | FrameTreeNode* child_frame, | 
|  | base::TimeTicks start_time, | 
|  | base::TimeTicks redirect_time, | 
|  | const GURL& initial_url, | 
|  | const GURL& final_url, | 
|  | network::mojom::URLResponseHeadPtr response_head, | 
|  | bool allow_response_details, | 
|  | const network::URLLoaderCompletionStatus& completion_status) { | 
|  | uint32_t status_code = 0; | 
|  | std::string mime_type; | 
|  | std::string normalized_server_timing = | 
|  | response_head->headers->GetNormalizedHeader("Server-Timing") | 
|  | .value_or(std::string()); | 
|  |  | 
|  | if (allow_response_details) { | 
|  | status_code = response_head->headers->response_code(); | 
|  | mime_type = response_head->mime_type; | 
|  | } | 
|  |  | 
|  | // To avoid cross-origin leaks, make sure to only to pass here data that | 
|  | // is OK when TAO-gated (as in, timing information only). | 
|  |  | 
|  | std::optional<blink::FrameToken> child_token_in_parent = | 
|  | child_frame->GetRenderFrameHostManager() | 
|  | .GetFrameTokenForSiteInstanceGroup(GetSiteInstance()->group()); | 
|  |  | 
|  | if (!child_token_in_parent) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | GetAssociatedLocalFrame()->AddResourceTimingEntryForFailedSubframeNavigation( | 
|  | child_token_in_parent.value(), initial_url, start_time, redirect_time, | 
|  | response_head->request_start, response_head->response_start, status_code, | 
|  | mime_type, response_head->load_timing, response_head->connection_info, | 
|  | response_head->alpn_negotiated_protocol, | 
|  | base::Contains(url::GetSecureSchemes(), | 
|  | url::Origin::Create(final_url).scheme()), | 
|  | response_head->is_validated, normalized_server_timing, completion_status); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::HandleRendererDebugURL(const GURL& url) { | 
|  | DCHECK(blink::IsRendererDebugURL(url)); | 
|  |  | 
|  | GetAssociatedLocalFrame()->HandleRendererDebugURL(url); | 
|  |  | 
|  | // Ensure that the renderer process is marked as used after processing a | 
|  | // renderer debug URL, since this process is now unsafe to be reused by sites | 
|  | // that require a dedicated process.  Usually this happens at ready-to-commit | 
|  | // (NavigationRequest::OnResponseStarted) time for regular navigations, but | 
|  | // renderer debug URLs don't go through that path.  This matters for initial | 
|  | // navigations to renderer debug URLs.  See https://crbug.com/1074108. | 
|  | GetProcess()->SetIsUsed(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DiscardFrame() { | 
|  | document_associated_data_->MarkDiscarded(); | 
|  | owner_->ResetNavigationsForDiscard(); | 
|  | BackForwardCache::DisableForRenderFrameHost( | 
|  | this, BackForwardCacheDisable::DisabledReason( | 
|  | BackForwardCacheDisable::DisabledReasonId::kDiscarded)); | 
|  | GetAssociatedLocalMainFrame()->Discard(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateBroadcastChannelProvider( | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::BroadcastChannelProvider> | 
|  | receiver) { | 
|  | auto* storage_partition_impl = | 
|  | static_cast<StoragePartitionImpl*>(GetStoragePartition()); | 
|  |  | 
|  | auto* broadcast_channel_service = | 
|  | storage_partition_impl->GetBroadcastChannelService(); | 
|  | broadcast_channel_service->AddAssociatedReceiver( | 
|  | std::make_unique<BroadcastChannelProvider>(broadcast_channel_service, | 
|  | GetStorageKey()), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::LogWebFeatureForCurrentPage( | 
|  | blink::mojom::WebFeature feature) { | 
|  | GetContentClient()->browser()->LogWebFeatureForCurrentPage(this, feature); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ReportBlockingCrossPartitionBlobURL( | 
|  | const GURL& blocked_url, | 
|  | std::optional<blink::mojom::PartitioningBlobURLInfo> info) { | 
|  | // Log the use of the web feature (increment the use counter). | 
|  | LogWebFeatureForCurrentPage( | 
|  | blink::mojom::WebFeature::kCrossPartitionSameOriginBlobURLFetch); | 
|  |  | 
|  | if (!info) { | 
|  | return; | 
|  | } | 
|  | // Report the DevTools issue. | 
|  | auto details = blink::mojom::InspectorIssueDetails::New(); | 
|  | auto partitioning_blob_url_issue_details = | 
|  | blink::mojom::PartitioningBlobURLIssueDetails::New(); | 
|  |  | 
|  | partitioning_blob_url_issue_details->url = blocked_url; | 
|  | partitioning_blob_url_issue_details->partitioning_blob_url_info = | 
|  | *std::move(info); | 
|  |  | 
|  | details->partitioning_blob_url_issue_details = | 
|  | std::move(partitioning_blob_url_issue_details); | 
|  |  | 
|  | ReportInspectorIssue(blink::mojom::InspectorIssueInfo::New( | 
|  | blink::mojom::InspectorIssueCode::kPartitioningBlobURLIssue, | 
|  | std::move(details))); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFullCookieAccessAllowed() { | 
|  | return GetContentClient()->browser()->IsFullCookieAccessAllowed( | 
|  | GetBrowserContext(), WebContents::FromRenderFrameHost(this), | 
|  | GetLastCommittedURL(), GetStorageKey(), GetCookieSettingOverrides()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindBlobUrlStoreAssociatedReceiver( | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::BlobURLStore> receiver) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | auto* storage_partition_impl = | 
|  | static_cast<StoragePartitionImpl*>(GetStoragePartition()); | 
|  |  | 
|  | std::optional<GURL> top_level_blob_document_url; | 
|  | if (GetLastCommittedURL().SchemeIsBlob() && IsOutermostMainFrame()) { | 
|  | top_level_blob_document_url = GetLastCommittedURL(); | 
|  | } | 
|  |  | 
|  | storage_partition_impl->GetBlobUrlRegistry()->AddReceiver( | 
|  | GetStorageKey(), GetLastCommittedOrigin(), | 
|  | GetProcess()->GetDeprecatedID(), std::move(receiver), | 
|  | base::BindRepeating( | 
|  | &RenderFrameHostImpl::ReportBlockingCrossPartitionBlobURL, | 
|  | weak_ptr_factory_.GetWeakPtr()), | 
|  | base::BindRepeating( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> frame) -> bool { | 
|  | if (!frame) { | 
|  | return false; | 
|  | } | 
|  | return frame->IsFullCookieAccessAllowed(); | 
|  | }, | 
|  | weak_ptr_factory_.GetWeakPtr()), | 
|  | std::move(top_level_blob_document_url), | 
|  | /*context_type_for_debugging=*/"Frame", | 
|  | base::BindRepeating( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> frame) -> std::string { | 
|  | if (!frame) { | 
|  | return "destroyed RenderFrameHost"; | 
|  | } | 
|  | return frame->GetStorageKey().GetDebugString(); | 
|  | }, | 
|  | weak_ptr_factory_.GetWeakPtr()), | 
|  | !(GetContentClient()->browser()->IsBlobUrlPartitioningEnabled( | 
|  | GetBrowserContext()))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindBlobUrlStoreReceiver( | 
|  | mojo::PendingReceiver<blink::mojom::BlobURLStore> receiver) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | auto* storage_partition_impl = | 
|  | static_cast<StoragePartitionImpl*>(GetStoragePartition()); | 
|  |  | 
|  | storage_partition_impl->GetBlobUrlRegistry()->AddReceiver( | 
|  | GetStorageKey(), GetLastCommittedOrigin(), | 
|  | GetProcess()->GetDeprecatedID(), std::move(receiver), | 
|  | /*context_type_for_debugging=*/"ThreadedWorklet", | 
|  | base::BindRepeating( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> frame) -> std::string { | 
|  | if (!frame) { | 
|  | return "destroyed RenderFrameHost (threaded worklet)"; | 
|  | } | 
|  | return frame->GetStorageKey().GetDebugString(); | 
|  | }, | 
|  | weak_ptr_factory_.GetWeakPtr())); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsFocused() { | 
|  | if (!GetMainFrame()->GetRenderWidgetHost()->is_focused() || | 
|  | !frame_tree_->GetFocusedFrame()) | 
|  | return false; | 
|  |  | 
|  | RenderFrameHostImpl* focused_rfh = | 
|  | frame_tree_->GetFocusedFrame()->current_frame_host(); | 
|  | return focused_rfh == this || | 
|  | focused_rfh->IsDescendantOfWithinFrameTree(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetWebUI(NavigationRequest& request) { | 
|  | std::unique_ptr<WebUIImpl> new_web_ui = request.TakeWebUI(); | 
|  | // This function should only be called to set a WebUI object. To clear an | 
|  | // existing WebUI object, call `ClearWebUI()` instead. | 
|  | CHECK(new_web_ui); | 
|  | // If a WebUI has been set for a RenderFrameHost, we shouldn't overwrite it | 
|  | // with a new WebUI. | 
|  | CHECK(!web_ui_); | 
|  |  | 
|  | // Verify expectation that WebUI should not be created for error pages. | 
|  | DCHECK(!GetSiteInstance()->GetSiteInfo().is_error_page()); | 
|  |  | 
|  | // Ensure that the RenderFrameHost's process is locked.  Usually this happens | 
|  | // as part of creating a speculative RFH for WebUI navigations, but it's also | 
|  | // possible to reuse an initial RFH in an unassigned SiteInstance for a WebUI | 
|  | // navigation. In that case, the initial RFH needs to lock its process now and | 
|  | // also mark the process as used. The AllowBindings() call below requires that | 
|  | // the process is properly locked to WebUI. | 
|  | if (!GetSiteInstance()->HasSite()) { | 
|  | // WebUI URLs should also require assigning a site. | 
|  | CHECK(SiteInstanceImpl::ShouldAssignSiteForUrlInfo(request.GetUrlInfo())); | 
|  | GetSiteInstance()->ConvertToDefaultOrSetSite(request.GetUrlInfo()); | 
|  | } | 
|  | GetProcess()->SetIsUsed(); | 
|  |  | 
|  | WebUI::TypeID new_web_ui_type = | 
|  | WebUIControllerFactoryRegistry::GetInstance()->GetWebUIType( | 
|  | GetSiteInstance()->GetBrowserContext(), request.GetURL()); | 
|  | CHECK_NE(new_web_ui_type, WebUI::kNoWebUI); | 
|  |  | 
|  | web_ui_ = std::move(new_web_ui); | 
|  | web_ui_->SetRenderFrameHost(this); | 
|  |  | 
|  | // It is not expected for GuestView to be able to navigate to WebUI. | 
|  | DCHECK(!GetProcess()->IsForGuestsOnly()); | 
|  |  | 
|  | web_ui_type_ = new_web_ui_type; | 
|  |  | 
|  | // WebUIs need the ability to request certain schemes. | 
|  | for (const auto& scheme : web_ui_->GetRequestableSchemes()) { | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestScheme( | 
|  | GetProcess()->GetDeprecatedID(), scheme); | 
|  | } | 
|  |  | 
|  | // Since this is new WebUI instance, this RenderFrameHostImpl should not | 
|  | // have had any bindings. Verify that and grant the required bindings. | 
|  | DCHECK(GetEnabledBindings().empty()); | 
|  | AllowBindings(web_ui_->GetBindings()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClearWebUI() { | 
|  | web_ui_type_ = WebUI::kNoWebUI; | 
|  | web_ui_.reset();  // This might delete `this`. | 
|  | // DO NOT ADD CODE after this. | 
|  | } | 
|  |  | 
|  | const mojo::Remote<blink::mojom::ImageDownloader>& | 
|  | RenderFrameHostImpl::GetMojoImageDownloader() { | 
|  | // TODO(crbug.com/40197801): Call AssertFrameWasCommitted() here. | 
|  | if (!mojo_image_downloader_.is_bound() && GetRemoteInterfaces()) { | 
|  | GetRemoteInterfaces()->GetInterface( | 
|  | mojo_image_downloader_.BindNewPipeAndPassReceiver()); | 
|  | } | 
|  | return mojo_image_downloader_; | 
|  | } | 
|  |  | 
|  | const mojo::AssociatedRemote<blink::mojom::FindInPage>& | 
|  | RenderFrameHostImpl::GetFindInPage() { | 
|  | if (!find_in_page_) | 
|  | GetRemoteAssociatedInterfaces()->GetInterface(&find_in_page_); | 
|  | return find_in_page_; | 
|  | } | 
|  |  | 
|  | const mojo::AssociatedRemote<blink::mojom::LocalFrame>& | 
|  | RenderFrameHostImpl::GetAssociatedLocalFrame() { | 
|  | if (!local_frame_) | 
|  | GetRemoteAssociatedInterfaces()->GetInterface(&local_frame_); | 
|  | return local_frame_; | 
|  | } | 
|  |  | 
|  | blink::mojom::LocalMainFrame* | 
|  | RenderFrameHostImpl::GetAssociatedLocalMainFrame() { | 
|  | DCHECK(is_main_frame()); | 
|  | if (!local_main_frame_) | 
|  | GetRemoteAssociatedInterfaces()->GetInterface(&local_main_frame_); | 
|  | return local_main_frame_.get(); | 
|  | } | 
|  |  | 
|  | const mojo::AssociatedRemote<mojom::FrameBindingsControl>& | 
|  | RenderFrameHostImpl::GetFrameBindingsControl() { | 
|  | if (!frame_bindings_control_) | 
|  | GetRemoteAssociatedInterfaces()->GetInterface(&frame_bindings_control_); | 
|  | return frame_bindings_control_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResetLoadingState() { | 
|  | if (is_loading()) { | 
|  | // When pending deletion, just set the loading state to not loading. | 
|  | // Otherwise, DidStopLoading will take care of that, as well as sending | 
|  | // notification to the FrameTreeNode about the change in loading state. | 
|  | if (IsPendingDeletion() || IsInBackForwardCache()) { | 
|  | loading_state_ = LoadingState::NONE; | 
|  | } else { | 
|  | DidStopLoading(); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClearFocusedElement() { | 
|  | has_focused_editable_element_ = false; | 
|  | GetAssociatedLocalFrame()->ClearFocusedElement(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindDevToolsAgent( | 
|  | mojo::PendingAssociatedRemote<blink::mojom::DevToolsAgentHost> host, | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::DevToolsAgent> receiver) { | 
|  | GetAssociatedLocalFrame()->BindDevToolsAgent(std::move(host), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsSameSiteInstance( | 
|  | RenderFrameHostImpl* other_render_frame_host) { | 
|  | // As a sanity check, make sure the frame belongs to the same BrowserContext. | 
|  | CHECK_EQ(GetSiteInstance()->GetBrowserContext(), | 
|  | other_render_frame_host->GetSiteInstance()->GetBrowserContext()); | 
|  | return GetSiteInstance() == other_render_frame_host->GetSiteInstance(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateAccessibilityMode() { | 
|  | // Don't update accessibility mode for a frame that hasn't been created yet. | 
|  | if (!IsRenderFrameLive()) | 
|  | return; | 
|  |  | 
|  | ui::AXMode ax_mode = delegate_->GetAccessibilityMode(); | 
|  | last_ax_mode_ = ax_mode; | 
|  |  | 
|  | if (ax_mode.has_mode(ui::AXMode::kWebContents)) { | 
|  | is_first_accessibility_request_ = !render_accessibility_; | 
|  | accessibility_reset_start_ = base::TimeTicks::Now(); | 
|  | if (!render_accessibility_) { | 
|  | // Render accessibility is not enabled yet, so bind the interface first. | 
|  | GetRemoteAssociatedInterfaces()->GetInterface(&render_accessibility_); | 
|  | DCHECK(render_accessibility_); | 
|  | } | 
|  | accessibility_reset_token_ = ++g_accessibility_reset_token; | 
|  | render_accessibility_->SetMode(ax_mode, *accessibility_reset_token_); | 
|  | } else { | 
|  | // Resetting the Remote signals the renderer to shutdown accessibility | 
|  | // in the renderer. | 
|  | render_accessibility_.reset(); | 
|  | } | 
|  |  | 
|  | if (!ax_mode.has_mode(ui::kAXModeBasic.flags()) && | 
|  | browser_accessibility_manager_) { | 
|  | // Missing either kWebContents and kNativeAPIs, so | 
|  | // BrowserAccessibilityManager is no longer necessary. | 
|  | browser_accessibility_manager_->DetachFromParentManager(); | 
|  | browser_accessibility_manager_.reset(); | 
|  | // Retain ax_unique_ids_ so that if browser accessibility is re-enabled, the | 
|  | // platform nodes corresponding to the blink nodes will have the same IDs. | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RequestAXTreeSnapshot( | 
|  | AXTreeSnapshotCallback callback, | 
|  | mojom::SnapshotAccessibilityTreeParamsPtr params) { | 
|  | // TODO(crbug.com/40583141): Remove once frame_ can no longer be null. | 
|  | if (!IsRenderFrameLive()) | 
|  | return; | 
|  |  | 
|  | GetMojomFrameInRenderer()->SnapshotAccessibilityTree( | 
|  | std::move(params), | 
|  | base::BindOnce(&RenderFrameHostImpl::RequestAXTreeSnapshotCallback, | 
|  | weak_ptr_factory_.GetWeakPtr(), std::move(callback))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetSavableResourceLinksFromRenderer() { | 
|  | if (!IsRenderFrameLive()) | 
|  | return; | 
|  | GetAssociatedLocalFrame()->GetSavableResourceLinks( | 
|  | base::BindOnce(&RenderFrameHostImpl::GetSavableResourceLinksCallback, | 
|  | weak_ptr_factory_.GetWeakPtr())); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetAccessibilityCallbackForTesting( | 
|  | const AccessibilityCallbackForTesting& callback) { | 
|  | accessibility_testing_callback_ = callback; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateAXTreeData() { | 
|  | ui::AXMode accessibility_mode = delegate_->GetAccessibilityMode(); | 
|  | if (accessibility_mode.is_mode_off() || | 
|  | IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kAXUpdateTree)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If `needs_ax_root_id_` is true, an AXTreeUpdate has not been sent to | 
|  | // the renderer with a valid root id. This effectively means the renderer | 
|  | // does not really know about the tree, and the renderer should not be | 
|  | // updated. The renderer will be updated once the root id is known. | 
|  | if (needs_ax_root_id_) | 
|  | return; | 
|  |  | 
|  | if (ax_defer_scope_count_ > 0) { | 
|  | ax_update_deferred_ = true; | 
|  | return; | 
|  | } | 
|  |  | 
|  | ui::AXUpdatesAndEvents detail; | 
|  | detail.ax_tree_id = GetAXTreeID(); | 
|  | detail.updates.resize(1); | 
|  | detail.updates[0].has_tree_data = true; | 
|  | detail.updates[0].tree_data = GetAXTreeData(); | 
|  |  | 
|  | SendAccessibilityEventsToManager(detail); | 
|  | delegate_->ProcessAccessibilityUpdatesAndEvents(detail); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::UpdateAXFocusDeferScope::UpdateAXFocusDeferScope( | 
|  | RenderFrameHostImpl& rfh) | 
|  | : rfh_(rfh.GetSafeRef()) { | 
|  | ++rfh_->ax_defer_scope_count_; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::UpdateAXFocusDeferScope::~UpdateAXFocusDeferScope() { | 
|  | DCHECK_GE(rfh_->ax_defer_scope_count_, 1); | 
|  | --rfh_->ax_defer_scope_count_; | 
|  | if (!rfh_->ax_defer_scope_count_ && rfh_->ax_update_deferred_) { | 
|  | rfh_->ax_update_deferred_ = false; | 
|  | rfh_->UpdateAXTreeData(); | 
|  | } | 
|  | } | 
|  |  | 
|  | ui::BrowserAccessibilityManager* | 
|  | RenderFrameHostImpl::GetOrCreateBrowserAccessibilityManager() { | 
|  | // Never create a BrowserAccessibilityManager unless needed for the AXMode. | 
|  | // At least basic mode is required; it contains kWebContents and KNativeAPIs. | 
|  | ui::AXMode accessibility_mode = delegate_->GetAccessibilityMode(); | 
|  | if (!accessibility_mode.has_mode(ui::AXMode::kNativeAPIs)) { | 
|  | DCHECK(!browser_accessibility_manager_); | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | if (browser_accessibility_manager_ || | 
|  | no_create_browser_accessibility_manager_for_testing_) | 
|  | return browser_accessibility_manager_.get(); | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | browser_accessibility_manager_.reset( | 
|  | BrowserAccessibilityManagerAndroid::Create(*this, this)); | 
|  | #else | 
|  | browser_accessibility_manager_.reset( | 
|  | ui::BrowserAccessibilityManager::Create(*this, this)); | 
|  | #endif | 
|  | return browser_accessibility_manager_.get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ActivateFindInPageResultForAccessibility( | 
|  | int request_id) { | 
|  | ui::BrowserAccessibilityManager* manager = | 
|  | GetOrCreateBrowserAccessibilityManager(); | 
|  | if (manager) | 
|  | manager->ActivateFindInPageResult(request_id); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::InsertVisualStateCallback( | 
|  | VisualStateCallback callback) { | 
|  | GetRenderWidgetHost()->InsertVisualStateCallback(std::move(callback)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsLastCommitIPAddressPubliclyRoutable() const { | 
|  | net::IPEndPoint ip_end_point = | 
|  | last_response_head().get() ? last_response_head().get()->remote_endpoint | 
|  | : net::IPEndPoint(); | 
|  |  | 
|  | return ip_end_point.address().IsPubliclyRoutable(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsRenderFrameLive() { | 
|  | bool is_live = | 
|  | GetProcess()->IsInitializedAndNotDead() && is_render_frame_created(); | 
|  |  | 
|  | // Sanity check: the `blink::WebView` should always be live if the RenderFrame | 
|  | // is. | 
|  | DCHECK(!is_live || render_view_host_->IsRenderViewLive()); | 
|  |  | 
|  | return is_live; | 
|  | } | 
|  |  | 
|  | RenderFrameHost::LifecycleState RenderFrameHostImpl::GetLifecycleState() { | 
|  | return GetLifecycleStateFromImpl(lifecycle_state()); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsInLifecycleState(LifecycleState state) { | 
|  | if (lifecycle_state() == LifecycleStateImpl::kSpeculative) | 
|  | return false; | 
|  | return state == GetLifecycleState(); | 
|  | } | 
|  |  | 
|  | RenderFrameHost::LifecycleState RenderFrameHostImpl::GetLifecycleStateFromImpl( | 
|  | LifecycleStateImpl state) { | 
|  | switch (state) { | 
|  | case LifecycleStateImpl::kSpeculative: | 
|  | // TODO(crbug.com/40171294): Ensure that Speculative | 
|  | // RenderFrameHosts are not exposed to embedders. | 
|  | NOTREACHED(); | 
|  | case LifecycleStateImpl::kPendingCommit: | 
|  | return LifecycleState::kPendingCommit; | 
|  | case LifecycleStateImpl::kPrerendering: | 
|  | return LifecycleState::kPrerendering; | 
|  | case LifecycleStateImpl::kActive: | 
|  | return LifecycleState::kActive; | 
|  | case LifecycleStateImpl::kInBackForwardCache: | 
|  | return LifecycleState::kInBackForwardCache; | 
|  | case LifecycleStateImpl::kRunningUnloadHandlers: | 
|  | return LifecycleState::kPendingDeletion; | 
|  | case LifecycleStateImpl::kReadyToBeDeleted: | 
|  | return LifecycleState::kPendingDeletion; | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsActive() const { | 
|  | // When the document is transitioning away from kActive/kPrerendering to a | 
|  | // yet-to-be-determined state, the RenderFrameHostManager has already | 
|  | // updated its active RenderFrameHost, and the old document is no longer | 
|  | // the active one. In that case, return false. | 
|  | if (has_pending_lifecycle_state_update_) | 
|  | return false; | 
|  |  | 
|  | return lifecycle_state() == LifecycleStateImpl::kActive; | 
|  | } | 
|  |  | 
|  | size_t RenderFrameHostImpl::GetProxyCount() { | 
|  | if (!IsActive()) | 
|  | return 0; | 
|  | return browsing_context_state_->GetProxyCount(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasSelection() { | 
|  | return has_selection_; | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::PreviousSibling() const { | 
|  | return GetSibling(-1); | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::NextSibling() const { | 
|  | return GetSibling(1); | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::GetSibling(int relative_offset) const { | 
|  | if (!parent_ || !parent_->child_count()) | 
|  | return nullptr; | 
|  |  | 
|  | for (size_t i = 0; i < parent_->child_count(); ++i) { | 
|  | // Frame tree node id will only be known for subframes, and will therefore | 
|  | // be accessible in this iteration, as all children are subframes. | 
|  | if (parent_->child_at(i)->frame_tree_node_id() != GetFrameTreeNodeId()) { | 
|  | continue; | 
|  | } | 
|  |  | 
|  | if (relative_offset < 0 && base::checked_cast<size_t>(-relative_offset) > i) | 
|  | return nullptr; | 
|  | if (i + relative_offset >= parent_->child_count()) | 
|  | return nullptr; | 
|  | return parent_->child_at(i + relative_offset); | 
|  | } | 
|  |  | 
|  | NOTREACHED() << "FrameTreeNode not found in its parent's children."; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetMainFrame() { | 
|  | return const_cast<RenderFrameHostImpl*>(std::as_const(*this).GetMainFrame()); | 
|  | } | 
|  |  | 
|  | const RenderFrameHostImpl* RenderFrameHostImpl::GetMainFrame() const { | 
|  | // Iteration over the GetParent() chain is used below, because returning | 
|  | // |frame_tree().root()->current_frame_host()| might | 
|  | // give an incorrect result after |this| has been detached from the frame | 
|  | // tree. | 
|  | const RenderFrameHostImpl* main_frame = this; | 
|  | while (const RenderFrameHostImpl* parent = main_frame->GetParent()) { | 
|  | main_frame = parent; | 
|  | } | 
|  | return main_frame; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsInPrimaryMainFrame() { | 
|  | if (GetParent()) { | 
|  | return false; | 
|  | } | 
|  | if (lifecycle_state() != LifecycleStateImpl::kActive) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | const FrameType frame_type = [&]() { | 
|  | // `IsInPrimaryMainFrame` is reachable during `CommitPending` between the | 
|  | // RenderFrameHost swap and the lifecycle state update. Callers expect this | 
|  | // method to continue to return true during this partially updated state. | 
|  | if (has_pending_lifecycle_state_update_) { | 
|  | CHECK(last_main_frame_type_pending_lifecycle_update_.has_value()); | 
|  | return *last_main_frame_type_pending_lifecycle_update_; | 
|  | } | 
|  |  | 
|  | // Since we've checked the lifecycle state and then explicitly handled the | 
|  | // pending lifecycle update case, we must be `IsActive()` and therefore have | 
|  | // an `owner_`. | 
|  | CHECK(IsActive()); | 
|  | CHECK(owner_); | 
|  | return owner_->GetCurrentFrameType(); | 
|  | }(); | 
|  |  | 
|  | const bool is_in_primary_main_frame = | 
|  | frame_type == FrameType::kPrimaryMainFrame; | 
|  |  | 
|  | if (is_in_primary_main_frame) { | 
|  | CHECK(!IsFencedFrameRoot()); | 
|  | } | 
|  |  | 
|  | return is_in_primary_main_frame; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetOutermostMainFrame() { | 
|  | RenderFrameHostImpl* current = this; | 
|  | while (RenderFrameHostImpl* parent_or_outer_doc = | 
|  | current->GetParentOrOuterDocument()) { | 
|  | current = parent_or_outer_doc; | 
|  | } | 
|  | return current; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CanAccessFilesOfPageState( | 
|  | const blink::PageState& state) { | 
|  | return ChildProcessSecurityPolicyImpl::GetInstance()->CanReadAllFiles( | 
|  | GetProcess()->GetDeprecatedID(), state.GetReferencedFiles()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GrantFileAccessFromPageState( | 
|  | const blink::PageState& state) { | 
|  | GrantFileAccess(GetProcess()->GetDeprecatedID(), state.GetReferencedFiles()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetHasPendingLifecycleStateUpdate( | 
|  | std::optional<FrameType> last_frame_type) { | 
|  | DCHECK(!has_pending_lifecycle_state_update_); | 
|  | CHECK(!last_main_frame_type_pending_lifecycle_update_); | 
|  |  | 
|  | for (auto& child : children_) { | 
|  | child->current_frame_host()->SetHasPendingLifecycleStateUpdate( | 
|  | /*last_frame_type=*/{}); | 
|  | } | 
|  | has_pending_lifecycle_state_update_ = true; | 
|  |  | 
|  | if (!GetParent()) { | 
|  | CHECK(last_frame_type.has_value()); | 
|  | CHECK_NE(*last_frame_type, FrameType::kSubframe); | 
|  | last_main_frame_type_pending_lifecycle_update_ = last_frame_type; | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GrantFileAccessFromResourceRequestBody( | 
|  | const network::ResourceRequestBody& body) { | 
|  | GrantFileAccess(GetProcess()->GetDeprecatedID(), body.GetReferencedFiles()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdatePermissionsForNavigation( | 
|  | NavigationRequest* request) { | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->GrantCommitURL( | 
|  | GetProcess()->GetDeprecatedID(), request->common_params().url); | 
|  | if (request->IsLoadDataWithBaseURL()) { | 
|  | // When there's a base URL specified for the data URL, we also need to | 
|  | // grant access to the base URL. This allows file: and other unexpected | 
|  | // schemes to be accepted at commit time and during CORS checks (e.g., for | 
|  | // font requests). | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->GrantCommitURL( | 
|  | GetProcess()->GetDeprecatedID(), | 
|  | request->common_params().base_url_for_data_url); | 
|  | } | 
|  |  | 
|  | if (request->DidEncounterError()) { | 
|  | // Failed navigations will end up using chrome-error://chromewebdata as the | 
|  | // URL in RenderFrameImpl::CommitFailedNavigation. This does not immediately | 
|  | // get sent back at DidCommit time, but it can be inherited as the URL via | 
|  | // document.open, so we must grant access to that URL as well in case | 
|  | // embedders (e.g., Android WebView apps) call document.open on an error | 
|  | // page. See https://crbug.com/326250356#comment36. | 
|  | // TODO(crbug.com/40150370): The browser process should tell the renderer | 
|  | // process to use kUnreachableWebDataURL, rather than having the renderer | 
|  | // process make the change independently. | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->GrantCommitURL( | 
|  | GetProcess()->GetDeprecatedID(), GURL(kUnreachableWebDataURL)); | 
|  | } | 
|  |  | 
|  | // We may be returning to an existing NavigationEntry that had been granted | 
|  | // file access.  If this is a different process, we will need to grant the | 
|  | // access again.  Abuse is prevented, because the files listed in the page | 
|  | // state are validated earlier, when they are received from the renderer (in | 
|  | // RenderFrameHostImpl::CanAccessFilesOfPageState). | 
|  | blink::PageState page_state = blink::PageState::CreateFromEncodedData( | 
|  | request->commit_params().page_state); | 
|  | if (page_state.IsValid()) | 
|  | GrantFileAccessFromPageState(page_state); | 
|  |  | 
|  | // We may be here after transferring navigation to a different renderer | 
|  | // process.  In this case, we need to ensure that the new renderer retains | 
|  | // ability to access files that the old renderer could access.  Abuse is | 
|  | // prevented, because the files listed in ResourceRequestBody are validated | 
|  | // earlier, when they are received from the renderer. | 
|  | if (request->common_params().post_data) | 
|  | GrantFileAccessFromResourceRequestBody(*request->common_params().post_data); | 
|  |  | 
|  | // Add the origin that will be committed by this navigation to the list of | 
|  | // committed origins. We choose to do this at ready-to-commit time so that | 
|  | // subsequent code can check that the new origin is valid for this | 
|  | // RenderFrameHost's process prior to DidCommit time. For example, | 
|  | // RenderFrameHostImpl::CommitNavigation() has code that checks | 
|  | // CanAccessDataForOrigin while setting up storage interfaces. | 
|  | // | 
|  | // Note that GetOriginToCommit() internally CHECKs that the origin to commit | 
|  | // is valid for this process, using CanAccessOrigin() to perform jail and | 
|  | // citadel process lock checks, so this origin should to be safe to add. | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->AddCommittedOrigin( | 
|  | GetProcess()->GetDeprecatedID(), request->GetOriginToCommit().value()); | 
|  | } | 
|  |  | 
|  | mojo::AssociatedRemote<mojom::NavigationClient> | 
|  | RenderFrameHostImpl::GetNavigationClientFromInterfaceProvider() { | 
|  | mojo::AssociatedRemote<mojom::NavigationClient> navigation_client_remote; | 
|  | GetRemoteAssociatedInterfaces()->GetInterface(&navigation_client_remote); | 
|  | return navigation_client_remote; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NavigationRequestCancelled( | 
|  | NavigationRequest* navigation_request, | 
|  | NavigationDiscardReason reason) { | 
|  | // Remove the requests from the list of NavigationRequests waiting to commit. | 
|  | // RenderDocument should obsolete the need for this, as always swapping RFHs | 
|  | // means that it won't be necessary to clean up the list of navigation | 
|  | // requests when the renderer aborts a navigation--instead, we'll always just | 
|  | // throw away the entire speculative RFH. | 
|  | navigation_request->set_navigation_discard_reason(reason); | 
|  | navigation_requests_.erase(navigation_request); | 
|  | } | 
|  |  | 
|  | NavigationRequest* | 
|  | RenderFrameHostImpl::FindLatestNavigationRequestThatIsStillCommitting() { | 
|  | // Find the most recent NavigationRequest that has triggered a Commit IPC to | 
|  | // the renderer process.  Once the renderer process handles the IPC, it may | 
|  | // possibly change the origin from |last_committed_origin_| to another origin. | 
|  | NavigationRequest* found_request = nullptr; | 
|  | for (const auto& it : navigation_requests_) { | 
|  | NavigationRequest* candidate = it.first; | 
|  | DCHECK_EQ(candidate, it.second.get()); | 
|  |  | 
|  | if (candidate->state() < NavigationRequest::READY_TO_COMMIT) | 
|  | continue; | 
|  | if (candidate->state() >= NavigationRequest::DID_COMMIT) | 
|  | continue; | 
|  |  | 
|  | if (!found_request || | 
|  | found_request->NavigationStart() < candidate->NavigationStart()) { | 
|  | found_request = candidate; | 
|  | } | 
|  | } | 
|  |  | 
|  | return found_request; | 
|  | } | 
|  |  | 
|  | network::mojom::URLLoaderFactoryParamsPtr | 
|  | RenderFrameHostImpl::CreateURLLoaderFactoryParamsForMainWorld( | 
|  | const SubresourceLoaderFactoriesConfig& config, | 
|  | std::string_view debug_tag) { | 
|  | return URLLoaderFactoryParamsHelper::CreateForFrame( | 
|  | this, config.origin(), config.isolation_info(), | 
|  | config.GetClientSecurityState(), config.GetCoepReporter(), | 
|  | config.GetDipReporter(), GetProcess(), | 
|  | config.trust_token_issuance_policy(), | 
|  | config.trust_token_redemption_policy(), config.cookie_setting_overrides(), | 
|  | debug_tag); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CreateNetworkServiceDefaultFactoryAndObserve( | 
|  | network::mojom::URLLoaderFactoryParamsPtr params, | 
|  | ukm::SourceIdObj ukm_source_id, | 
|  | mojo::PendingReceiver<network::mojom::URLLoaderFactory> | 
|  | default_factory_receiver) { | 
|  | bool bypass_redirect_checks = CreateNetworkServiceDefaultFactoryInternal( | 
|  | std::move(params), ukm_source_id, std::move(default_factory_receiver)); | 
|  |  | 
|  | // Add a disconnect handler when Network Service is running | 
|  | // out-of-process. | 
|  | if (IsOutOfProcessNetworkService() && | 
|  | (!network_service_disconnect_handler_holder_ || | 
|  | !network_service_disconnect_handler_holder_.is_connected())) { | 
|  | network_service_disconnect_handler_holder_.reset(); | 
|  | StoragePartition* storage_partition = GetStoragePartition(); | 
|  | network::mojom::URLLoaderFactoryParamsPtr monitoring_factory_params = | 
|  | network::mojom::URLLoaderFactoryParams::New(); | 
|  | monitoring_factory_params->process_id = GetProcess()->GetDeprecatedID(); | 
|  | monitoring_factory_params->debug_tag = "RFHI - monitoring_factory_params"; | 
|  |  | 
|  | // This factory should never be used to issue actual requests (i.e. it | 
|  | // should only be used to monitor for Network Service crashes).  Below is an | 
|  | // attempt to enforce that the factory cannot be used in practice. | 
|  | monitoring_factory_params->request_initiator_origin_lock = | 
|  | url::Origin::Create( | 
|  | GURL("https://monitoring.url.loader.factory.invalid")); | 
|  |  | 
|  | storage_partition->GetNetworkContext()->CreateURLLoaderFactory( | 
|  | network_service_disconnect_handler_holder_.BindNewPipeAndPassReceiver(), | 
|  | std::move(monitoring_factory_params)); | 
|  | network_service_disconnect_handler_holder_.set_disconnect_handler( | 
|  | base::BindOnce(&RenderFrameHostImpl::UpdateSubresourceLoaderFactories, | 
|  | weak_ptr_factory_.GetWeakPtr())); | 
|  | } | 
|  | return bypass_redirect_checks; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CreateNetworkServiceDefaultFactoryInternal( | 
|  | network::mojom::URLLoaderFactoryParamsPtr params, | 
|  | ukm::SourceIdObj ukm_source_id, | 
|  | mojo::PendingReceiver<network::mojom::URLLoaderFactory> | 
|  | default_factory_receiver) { | 
|  | DCHECK(params->request_initiator_origin_lock.has_value()); | 
|  | const url::Origin request_initiator = | 
|  | params->request_initiator_origin_lock.value(); | 
|  | const net::IsolationInfo isolation_info = params->isolation_info; | 
|  |  | 
|  | bool bypass_redirect_checks = false; | 
|  | url_loader_factory::CreateAndConnectToPendingReceiver( | 
|  | std::move(default_factory_receiver), | 
|  | ContentBrowserClient::URLLoaderFactoryType::kDocumentSubResource, | 
|  | url_loader_factory::TerminalParams::ForNetworkContext( | 
|  | GetProcess()->GetStoragePartition()->GetNetworkContext(), | 
|  | std::move(params), url_loader_factory::HeaderClientOption::kAllow, | 
|  | url_loader_factory::FactoryOverrideOption::kAllow, | 
|  | url_loader_factory::DisableSecureDnsOption::kAllow), | 
|  | url_loader_factory::ContentClientParams( | 
|  | GetBrowserContext(), this, GetProcess()->GetDeprecatedID(), | 
|  | request_initiator, isolation_info, ukm_source_id, | 
|  | &bypass_redirect_checks), | 
|  | devtools_instrumentation::WillCreateURLLoaderFactoryParams::ForFrame( | 
|  | this)); | 
|  | return bypass_redirect_checks; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CanExecuteJavaScript() { | 
|  | if (g_allow_injecting_javascript) | 
|  | return true; | 
|  |  | 
|  | return !GetLastCommittedURL().is_valid() || | 
|  | GetLastCommittedURL().SchemeIs(kChromeDevToolsScheme) || | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings( | 
|  | GetProcess()->GetDeprecatedID()) || | 
|  | // It's possible to load about:blank in a Web UI renderer. | 
|  | // See http://crbug.com/42547 | 
|  | (GetLastCommittedURL().spec() == url::kAboutBlankURL); | 
|  | } | 
|  |  | 
|  | // static | 
|  | FrameTreeNodeId RenderFrameHost::GetFrameTreeNodeIdForRoutingId( | 
|  | int process_id, | 
|  | int routing_id) { | 
|  | auto frame_or_proxy = LookupRenderFrameHostOrProxy(process_id, routing_id); | 
|  | if (frame_or_proxy) { | 
|  | return frame_or_proxy.GetFrameTreeNode()->frame_tree_node_id(); | 
|  | } | 
|  | return FrameTreeNodeId(); | 
|  | } | 
|  |  | 
|  | // static | 
|  | FrameTreeNodeId RenderFrameHost::GetFrameTreeNodeIdForFrameToken( | 
|  | int process_id, | 
|  | const ::blink::FrameToken& frame_token) { | 
|  | auto frame_or_proxy = LookupRenderFrameHostOrProxy(process_id, frame_token); | 
|  | if (frame_or_proxy) { | 
|  | return frame_or_proxy.GetFrameTreeNode()->frame_tree_node_id(); | 
|  | } | 
|  | return FrameTreeNodeId(); | 
|  | } | 
|  |  | 
|  | // static | 
|  | RenderFrameHost* RenderFrameHost::FromPlaceholderToken( | 
|  | int render_process_id, | 
|  | const blink::RemoteFrameToken& placeholder_frame_token) { | 
|  | RenderFrameProxyHost* rfph = RenderFrameProxyHost::FromFrameToken( | 
|  | render_process_id, placeholder_frame_token); | 
|  | FrameTreeNode* node = rfph ? rfph->frame_tree_node() : nullptr; | 
|  | return node ? node->current_frame_host() : nullptr; | 
|  | } | 
|  |  | 
|  | ui::AXTreeID RenderFrameHostImpl::GetParentAXTreeID() { | 
|  | auto* parent = GetParentOrOuterDocumentOrEmbedderExcludingProspectiveOwners(); | 
|  | if (!parent) { | 
|  | DCHECK(AccessibilityIsRootFrame()) | 
|  | << "Child frame requires a parent, root=" << GetLastCommittedURL(); | 
|  | return ui::AXTreeIDUnknown(); | 
|  | } | 
|  | // TODO(accessibility) The following check fails when running this test with | 
|  | // --force-renderer-accessibility: | 
|  | // http/tests/devtools/resource-tree/resource-tree-frame-in-crafted-frame.js | 
|  | // It seems that fabricating a frame with document.write() results in a | 
|  | // frame that has no embedding token. | 
|  | // DCHECK(parent->GetAXTreeID() != ui::AXTreeIDUnknown()) | 
|  | //     << "Parent frame must have an id, child url = " << | 
|  | //     GetLastCommittedURL() | 
|  | //     << "    parent url = " << parent->GetLastCommittedURL(); | 
|  | DCHECK(!AccessibilityIsRootFrame()) | 
|  | << "Root frame must not have a parent, root=" << GetLastCommittedURL() | 
|  | << "  parent=" << parent->GetLastCommittedURL(); | 
|  | return parent->GetAXTreeID(); | 
|  | } | 
|  |  | 
|  | ui::AXTreeID RenderFrameHostImpl::GetFocusedAXTreeID() { | 
|  | // If this is not the root frame tree node, we're done. | 
|  | if (!AccessibilityIsRootFrame()) | 
|  | return ui::AXTreeIDUnknown(); | 
|  |  | 
|  | RenderFrameHostImpl* focused_frame = delegate_->GetFocusedFrame(); | 
|  | if (focused_frame) | 
|  | return focused_frame->GetAXTreeID(); | 
|  |  | 
|  | // It's possible for there to be no focused RenderFrameHost (e.g. the frame | 
|  | // that had focus was destroyed). Note however, that this doesn't mean that | 
|  | // keyboard events are ignored; they'd be sent by default to the root | 
|  | // RenderWidgetHost. | 
|  | return ui::AXTreeIDUnknown(); | 
|  | } | 
|  |  | 
|  | ui::AXTreeData RenderFrameHostImpl::GetAXTreeData() { | 
|  | // Make sure to update the locally stored |ax_tree_data_| to include | 
|  | // references to the relevant AXTreeIDs before returning its value. | 
|  | ax_tree_data_.tree_id = GetAXTreeID(); | 
|  | ax_tree_data_.parent_tree_id = GetParentAXTreeID(); | 
|  | ax_tree_data_.focused_tree_id = GetFocusedAXTreeID(); | 
|  | return ax_tree_data_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AccessibilityHitTestCallback( | 
|  | int request_id, | 
|  | ax::mojom::Event event_to_fire, | 
|  | base::OnceCallback<void(ui::AXPlatformTreeManager* hit_manager, | 
|  | ui::AXNodeID hit_node_id)> opt_callback, | 
|  | blink::mojom::HitTestResponsePtr hit_test_response) { | 
|  | if (!hit_test_response) { | 
|  | if (opt_callback) | 
|  | std::move(opt_callback).Run(nullptr, ui::kInvalidAXNodeID); | 
|  | return; | 
|  | } | 
|  |  | 
|  | RenderFrameHostOrProxy frame_or_proxy = LookupRenderFrameHostOrProxy( | 
|  | GetProcess()->GetDeprecatedID(), hit_test_response->hit_frame_token); | 
|  | RenderFrameHostImpl* hit_frame = frame_or_proxy.GetCurrentFrameHost(); | 
|  |  | 
|  | if (!hit_frame || hit_frame->IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kAXHitTestCallback)) { | 
|  | if (opt_callback) | 
|  | std::move(opt_callback).Run(nullptr, ui::kInvalidAXNodeID); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // If the hit node's routing ID is the same frame, and there is no stitched | 
|  | // child tree on the browser side, we're done. If a callback was provided, | 
|  | // call it with the information about the hit node. | 
|  | if (hit_frame->GetFrameToken() == frame_token_) { | 
|  | if (opt_callback) { | 
|  | std::move(opt_callback) | 
|  | .Run(hit_frame->browser_accessibility_manager(), | 
|  | hit_test_response->hit_node_id); | 
|  | } | 
|  | if (hit_test_response->stitched_child_tree_id.type() == | 
|  | ax::mojom::AXTreeIDType::kUnknown) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Ask the stitched child tree's action handler to handle the action | 
|  | // instead. (See ax::mojom::Action::kStitchChildTree for more information on | 
|  | // stitched child trees.) | 
|  | auto* handler_registry = ui::AXActionHandlerRegistry::GetInstance(); | 
|  | DCHECK(handler_registry); | 
|  | AXActionHandlerBase* action_handler = handler_registry->GetActionHandler( | 
|  | hit_test_response->stitched_child_tree_id); | 
|  | if (!action_handler) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | ui::AXActionData action_data; | 
|  | action_data.action = ax::mojom::Action::kHitTest; | 
|  | action_data.hit_test_event_to_fire = event_to_fire; | 
|  | action_data.request_id = request_id; | 
|  | action_data.target_point = hit_test_response->hit_frame_transformed_point; | 
|  | action_data.target_tree_id = hit_test_response->stitched_child_tree_id; | 
|  | action_handler->PerformAction(action_data); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // The hit node has a child frame. Do a hit test in that frame's renderer. | 
|  | hit_frame->AccessibilityHitTest( | 
|  | hit_test_response->hit_frame_transformed_point, event_to_fire, request_id, | 
|  | std::move(opt_callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RequestAXTreeSnapshotCallback( | 
|  | AXTreeSnapshotCallback callback, | 
|  | const ui::AXTreeUpdate& snapshot) { | 
|  | // Since |snapshot| is const, we need to make a copy in order to modify the | 
|  | // tree data. | 
|  | ui::AXTreeUpdate dst_snapshot; | 
|  | CopyAXTreeUpdate(snapshot, &dst_snapshot); | 
|  | std::move(callback).Run(dst_snapshot); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CopyAXTreeUpdate(const ui::AXTreeUpdate& snapshot, | 
|  | ui::AXTreeUpdate* snapshot_copy) { | 
|  | snapshot_copy->root_id = snapshot.root_id; | 
|  | snapshot_copy->nodes.resize(snapshot.nodes.size()); | 
|  | for (size_t i = 0; i < snapshot.nodes.size(); ++i) | 
|  | snapshot_copy->nodes[i] = snapshot.nodes[i]; | 
|  |  | 
|  | if (snapshot.has_tree_data) { | 
|  | ax_tree_data_ = snapshot.tree_data; | 
|  | // Set the AXTreeData to be the last |ax_tree_data_| received from the | 
|  | // render frame. | 
|  | snapshot_copy->tree_data = GetAXTreeData(); | 
|  | snapshot_copy->has_tree_data = true; | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreatePaymentManager( | 
|  | mojo::PendingReceiver<payments::mojom::PaymentManager> receiver) { | 
|  | if (!IsFeatureEnabled(network::mojom::PermissionsPolicyFeature::kPayment)) { | 
|  | mojo::ReportBadMessage("Permissions policy blocks Payment"); | 
|  | return; | 
|  | } | 
|  | GetProcess()->CreatePaymentManagerForOrigin(GetLastCommittedOrigin(), | 
|  | std::move(receiver)); | 
|  |  | 
|  | // Blocklist PaymentManager from the back-forward cache as at the moment we | 
|  | // don't cancel pending payment requests when the RenderFrameHost is stored | 
|  | // in back-forward cache. | 
|  | OnBackForwardCacheDisablingStickyFeatureUsed( | 
|  | BackForwardCacheDisablingFeature::kPaymentManager); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateSecurePaymentConfirmationService( | 
|  | mojo::PendingReceiver<payments::mojom::SecurePaymentConfirmationService> | 
|  | receiver) { | 
|  | if (IsFrameAllowedToUseSecurePaymentConfirmation(this)) { | 
|  | GetContentClient()->browser()->CreateSecurePaymentConfirmationService( | 
|  | this, std::move(receiver)); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateWebUsbService( | 
|  | mojo::PendingReceiver<blink::mojom::WebUsbService> receiver) { | 
|  | if (!base::FeatureList::IsEnabled(features::kWebUsb)) { | 
|  | return; | 
|  | } | 
|  | if (!IsFeatureEnabled(network::mojom::PermissionsPolicyFeature::kUsb)) { | 
|  | mojo::ReportBadMessage("Permissions policy blocks access to USB."); | 
|  | return; | 
|  | } | 
|  | if (GetOutermostMainFrame()->GetLastCommittedOrigin().opaque()) { | 
|  | mojo::ReportBadMessage( | 
|  | "WebUSB is not allowed when the top-level document has an opaque " | 
|  | "origin."); | 
|  | return; | 
|  | } | 
|  | BackForwardCache::DisableForRenderFrameHost( | 
|  | this, BackForwardCacheDisable::DisabledReason( | 
|  | BackForwardCacheDisable::DisabledReasonId::kWebUSB)); | 
|  | WebUsbServiceImpl::Create(*this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ResetPermissionsPolicy( | 
|  | const network::ParsedPermissionsPolicy& header_policy) { | 
|  | if (IsFencedFrameRoot()) { | 
|  | const std::optional<FencedFrameProperties>& fenced_frame_properties = | 
|  | frame_tree_node()->GetFencedFrameProperties(); | 
|  | if (!fenced_frame_properties) { | 
|  | // Without fenced frame properties, there won't be a list of | 
|  | // effective enabled permissions or information about the embedder's | 
|  | // permissions policies, so we create a permissions policy with every | 
|  | // permission disabled. | 
|  | permissions_policy_ = | 
|  | network::PermissionsPolicy::CreateFixedForFencedFrame( | 
|  | last_committed_origin_, header_policy, {}); | 
|  | } else if (fenced_frame_properties->parent_permissions_info().has_value()) { | 
|  | // Fenced frames with flexible permissions are allowed to inherit certain | 
|  | // permissions from their parent's permissions policy. | 
|  | const network::PermissionsPolicy* parent_policy = | 
|  | GetParentOrOuterDocument()->GetPermissionsPolicy(); | 
|  | network::ParsedPermissionsPolicy container_policy = | 
|  | browsing_context_state_->effective_frame_policy().container_policy; | 
|  | permissions_policy_ = | 
|  | network::PermissionsPolicy::CreateFlexibleForFencedFrame( | 
|  | parent_policy, header_policy, container_policy, | 
|  | last_committed_origin_); | 
|  | } else { | 
|  | // Fenced frames with fixed permissions have a list of required permission | 
|  | // policies to load and can't be granted extra policies, so use the | 
|  | // required policies instead of inheriting from its parent. Note that the | 
|  | // parent policies must allow the required policies, which is checked | 
|  | // separately in | 
|  | // NavigationRequest::CheckPermissionsPoliciesForFencedFrames. | 
|  | permissions_policy_ = | 
|  | network::PermissionsPolicy::CreateFixedForFencedFrame( | 
|  | last_committed_origin_, header_policy, | 
|  | fenced_frame_properties->effective_enabled_permissions()); | 
|  | } | 
|  | return; | 
|  | } | 
|  |  | 
|  | auto isolation_info = GetSiteInstance()->GetWebExposedIsolationInfo(); | 
|  |  | 
|  | if (IsOutermostMainFrame() && isolation_info.is_isolated_application()) { | 
|  | // Isolated Apps start with a base policy as defined by the | 
|  | // permissions_policy field in its Web App Manifest, which is an allowlist, | 
|  | // and then have headers further restrict the policy if applicable. This | 
|  | // needs to be handled differently than the normal permissions policy | 
|  | // behavior, which uses a fully permissive policy as its base permissions | 
|  | // policy and accepts rules specifying which permissions policy features | 
|  | // should be blocked, aka a blocklist. | 
|  | permissions_policy_ = network::PermissionsPolicy::CreateFromParsedPolicy( | 
|  | header_policy, delegate_->GetPermissionsPolicyForIsolatedWebApp(this), | 
|  | last_committed_origin_); | 
|  | return; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* parent_frame_host = GetParent(); | 
|  | const network::PermissionsPolicy* parent_policy = | 
|  | parent_frame_host ? parent_frame_host->GetPermissionsPolicy() : nullptr; | 
|  | network::ParsedPermissionsPolicy container_policy = | 
|  | browsing_context_state_->effective_frame_policy().container_policy; | 
|  |  | 
|  | permissions_policy_ = network::PermissionsPolicy::CreateFromParentPolicy( | 
|  | parent_policy, header_policy, container_policy, last_committed_origin_); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateAudioInputStreamFactory( | 
|  | mojo::PendingReceiver<blink::mojom::RendererAudioInputStreamFactory> | 
|  | receiver) { | 
|  | BrowserMainLoop* browser_main_loop = BrowserMainLoop::GetInstance(); | 
|  | DCHECK(browser_main_loop); | 
|  | MediaStreamManager* msm = browser_main_loop->media_stream_manager(); | 
|  | audio_service_audio_input_stream_factory_.emplace(std::move(receiver), msm, | 
|  | this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateAudioOutputStreamFactory( | 
|  | mojo::PendingReceiver<blink::mojom::RendererAudioOutputStreamFactory> | 
|  | receiver) { | 
|  | media::AudioSystem* audio_system = | 
|  | BrowserMainLoop::GetInstance()->audio_system(); | 
|  | MediaStreamManager* media_stream_manager = | 
|  | BrowserMainLoop::GetInstance()->media_stream_manager(); | 
|  | audio_service_audio_output_stream_factory_.emplace( | 
|  | this, audio_system, media_stream_manager, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetFeatureObserver( | 
|  | mojo::PendingReceiver<blink::mojom::FeatureObserver> receiver) { | 
|  | if (!feature_observer_) { | 
|  | // Lazy initialize because tests sets the overridden content client | 
|  | // after the RFHI constructor. | 
|  | auto* client = GetContentClient()->browser()->GetFeatureObserverClient(); | 
|  | if (!client) | 
|  | return; | 
|  | feature_observer_ = std::make_unique<FeatureObserver>( | 
|  | client, | 
|  | GlobalRenderFrameHostId(GetProcess()->GetDeprecatedID(), routing_id_)); | 
|  | } | 
|  | feature_observer_->GetFeatureObserver(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindRenderAccessibilityHost( | 
|  | mojo::PendingReceiver<blink::mojom::RenderAccessibilityHost> receiver) { | 
|  | // There must be an accessibility token as | 
|  | // RenderAccessibilityImpl::ScheduleSendPendingAccessibilityEvents will only | 
|  | // attempt to send updates once it has created one, which happens as part of | 
|  | // the commit which in turns updates the browser's token before this method | 
|  | // could be called. | 
|  | DCHECK(GetAXTreeID().token()); | 
|  | // `render_accessibility_host_` is reset in `TearDownMojoConnection()`, but | 
|  | // this Mojo endpoint lives on another sequence and posts tasks back to this | 
|  | // `RenderFrameHostImpl` on the UI thread. After the reset, there may still be | 
|  | // tasks in flight: use `render_frame_scoped_weak_ptr_factory_` to ensure | 
|  | // those tasks are dropped if they arrive after the reset of their | 
|  | // corresponding RenderAccessibilityHost. | 
|  | ui::AXTreeID ax_tree_id = GetAXTreeID(); | 
|  | if (!render_accessibility_host_ || | 
|  | ax_tree_id != render_accessibility_host_ax_tree_id_) { | 
|  | render_accessibility_host_ = base::SequenceBound<RenderAccessibilityHost>( | 
|  | base::ThreadPool::CreateSequencedTaskRunner({}), | 
|  | render_frame_scoped_weak_ptr_factory_.GetWeakPtr(), ax_tree_id); | 
|  | } | 
|  | render_accessibility_host_ax_tree_id_ = ax_tree_id; | 
|  | render_accessibility_host_.AsyncCall(&RenderAccessibilityHost::Bind) | 
|  | .WithArgs(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindNonAssociatedLocalFrameHost( | 
|  | mojo::PendingReceiver<blink::mojom::NonAssociatedLocalFrameHost> receiver) { | 
|  | if (non_associated_local_frame_host_receiver_.is_bound()) { | 
|  | mojo::ReportBadMessage("NonAssociatedLocalFrameHost is already bound."); | 
|  | return; | 
|  | } | 
|  | non_associated_local_frame_host_receiver_.Bind(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CancelPrerendering( | 
|  | const PrerenderCancellationReason& reason) { | 
|  | // A prerendered page is identified by its root FrameTreeNode id, so if this | 
|  | // RenderFrameHost is in any way embedded, we need to iterate up to the | 
|  | // prerender root. | 
|  | FrameTreeNode* outermost_frame = | 
|  | GetOutermostMainFrameOrEmbedder()->frame_tree_node(); | 
|  |  | 
|  | // We need to explicitly check that `outermost_frame` is in a prerendering | 
|  | // frame tree before accessing `GetPrerenderHostRegistry()`. Non-prerendered | 
|  | // frames may outlive the PrerenderHostRegistry during WebContents | 
|  | // destruction. | 
|  | if (outermost_frame->GetFrameType() != FrameType::kPrerenderMainFrame) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // If this runs during the WebContents destruction, PrerenderHostRegistry was | 
|  | // already destroyed and bound prerenderings are already cancelled. | 
|  | // We can check the FrameTree status as the tree's shutdown runs first. | 
|  | if (outermost_frame->frame_tree().IsBeingDestroyed()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return delegate_->GetPrerenderHostRegistry()->CancelHost( | 
|  | outermost_frame->frame_tree_node_id(), reason); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CancelPrerenderingByMojoBinderPolicy( | 
|  | const std::string& interface_name) { | 
|  | // A prerendered page is identified by its root FrameTreeNode id, so if this | 
|  | // RenderFrameHost is in any way embedded, we need to iterate up to the | 
|  | // prerender root. | 
|  | FrameTreeNode* outermost_frame = | 
|  | GetOutermostMainFrameOrEmbedder()->frame_tree_node(); | 
|  | PrerenderHost* prerender_host = | 
|  | delegate_->GetPrerenderHostRegistry()->FindNonReservedHostById( | 
|  | outermost_frame->frame_tree_node_id()); | 
|  | if (!prerender_host) | 
|  | return; | 
|  |  | 
|  | bool canceled = CancelPrerendering( | 
|  | PrerenderCancellationReason::BuildForMojoBinderPolicy(interface_name)); | 
|  | // This function is called from MojoBinderPolicyApplier, which should only be | 
|  | // active during prerendering. It would be an error to call this while not | 
|  | // prerendering, as it could mean an interface request is never resolved for | 
|  | // an active page. | 
|  | DCHECK(canceled); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CancelPreviewByMojoBinderPolicy( | 
|  | const std::string& interface_name) { | 
|  | frame_tree_->page_delegate()->CancelPreviewByMojoBinderPolicy(interface_name); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RendererWillActivateForPrerenderingOrPreview() { | 
|  | // Loosen the policies of the Mojo capability control during dispatching the | 
|  | // prerenderingchange event in Blink, because the page may start legitimately | 
|  | // using controlled interfaces once prerenderingchange is dispatched. We | 
|  | // cannot release policies at this point, i.e., we cannot run the deferred | 
|  | // binders, because the Mojo message pipes are not channel-associated and we | 
|  | // should ensure that ActivateForPrerendering() arrives on the renderer | 
|  | // earlier than these deferred messages. | 
|  | CHECK(mojo_binder_policy_applier_) | 
|  | << "activating prerender or preview pages should have a policy applier"; | 
|  | mojo_binder_policy_applier_->PrepareToGrantAll(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindMediaInterfaceFactoryReceiver( | 
|  | mojo::PendingReceiver<media::mojom::InterfaceFactory> receiver) { | 
|  | MediaInterfaceProxy::GetOrCreateForCurrentDocument(this)->Bind( | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindKeySystemSupportReceiver( | 
|  | mojo::PendingReceiver<media::mojom::KeySystemSupport> receiver) { | 
|  | KeySystemSupportImpl::GetOrCreateForCurrentDocument(this)->Bind( | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindMediaMetricsProviderReceiver( | 
|  | mojo::PendingReceiver<media::mojom::MediaMetricsProvider> receiver) { | 
|  | // Only save decode stats when BrowserContext provides a VideoPerfHistory. | 
|  | // Off-the-record contexts will internally use an ephemeral history DB. | 
|  | media::VideoDecodePerfHistory::SaveCallback save_stats_cb; | 
|  | if (GetSiteInstance()->GetBrowserContext()->GetVideoDecodePerfHistory()) { | 
|  | save_stats_cb = GetSiteInstance() | 
|  | ->GetBrowserContext() | 
|  | ->GetVideoDecodePerfHistory() | 
|  | ->GetSaveCallback(); | 
|  | } | 
|  |  | 
|  | auto is_shutting_down_cb = base::BindRepeating( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> rfh) { | 
|  | if (GetContentClient()->browser()->IsShuttingDown()) { | 
|  | return true; | 
|  | } | 
|  | return !rfh || | 
|  | rfh->GetLifecycleState() == LifecycleState::kPendingDeletion; | 
|  | }, | 
|  | weak_ptr_factory_.GetWeakPtr()); | 
|  |  | 
|  | media::MediaMetricsProvider::Create( | 
|  | GetProcess()->GetBrowserContext()->IsOffTheRecord() | 
|  | ? media::MediaMetricsProvider::BrowsingMode::kIncognito | 
|  | : media::MediaMetricsProvider::BrowsingMode::kNormal, | 
|  | IsOutermostMainFrame() | 
|  | ? media::MediaMetricsProvider::FrameStatus::kTopFrame | 
|  | : media::MediaMetricsProvider::FrameStatus::kNotTopFrame, | 
|  | GetPage().last_main_document_source_id(), | 
|  | media::learning::FeatureValue(GetLastCommittedOrigin().host()), | 
|  | std::move(save_stats_cb), | 
|  | base::BindRepeating( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> frame) | 
|  | -> media::learning::LearningSession* { | 
|  | if (!base::FeatureList::IsEnabled(media::kMediaLearningFramework) || | 
|  | !frame) { | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | return frame->GetProcess() | 
|  | ->GetBrowserContext() | 
|  | ->GetLearningSession(); | 
|  | }, | 
|  | weak_ptr_factory_.GetWeakPtr()), | 
|  | std::move(is_shutting_down_cb), CreateAutoPipReasonCallback(), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindVideoEncoderMetricsProviderReceiver( | 
|  | mojo::PendingReceiver<media::mojom::VideoEncoderMetricsProvider> receiver) { | 
|  | // Ensure the frame is not in the prerendering state as we don't record UKM | 
|  | // while prerendering. This is ensured as the BrowserInterfaceBinders defers | 
|  | // binding until the frame's activation. | 
|  | CHECK(!IsInLifecycleState(LifecycleState::kPrerendering)); | 
|  | media::MojoVideoEncoderMetricsProviderService::Create(GetPageUkmSourceId(), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(ENABLE_MEDIA_REMOTING) | 
|  | void RenderFrameHostImpl::BindMediaRemoterFactoryReceiver( | 
|  | mojo::PendingReceiver<media::mojom::RemoterFactory> receiver) { | 
|  | mojo::MakeSelfOwnedReceiver(std::make_unique<RemoterFactoryImpl>( | 
|  | GetProcess()->GetDeprecatedID(), routing_id_), | 
|  | std::move(receiver)); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | void RenderFrameHostImpl::CreateWebSocketConnector( | 
|  | mojo::PendingReceiver<blink::mojom::WebSocketConnector> receiver) { | 
|  | mojo::MakeSelfOwnedReceiver(std::make_unique<WebSocketConnectorImpl>( | 
|  | GetProcess()->GetDeprecatedID(), routing_id_, | 
|  | last_committed_origin_, isolation_info_), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateWebTransportConnector( | 
|  | mojo::PendingReceiver<blink::mojom::WebTransportConnector> receiver) { | 
|  | mojo::MakeSelfOwnedReceiver( | 
|  | std::make_unique<WebTransportConnectorImpl>( | 
|  | GetProcess()->GetDeprecatedID(), weak_ptr_factory_.GetWeakPtr(), | 
|  | last_committed_origin_, isolation_info_.network_anonymization_key()), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateNotificationService( | 
|  | mojo::PendingReceiver<blink::mojom::NotificationService> receiver) { | 
|  | GetProcess()->CreateNotificationService( | 
|  | GetGlobalId(), | 
|  | RenderProcessHost::NotificationServiceCreatorType::kDocument, | 
|  | GetStorageKey(), std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateInstalledAppProvider( | 
|  | mojo::PendingReceiver<blink::mojom::InstalledAppProvider> receiver) { | 
|  | InstalledAppProviderImpl::Create(*this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateCodeCacheHostWithKeys( | 
|  | mojo::PendingReceiver<blink::mojom::CodeCacheHost> receiver, | 
|  | const net::NetworkIsolationKey& nik, | 
|  | const blink::StorageKey& storage_key) { | 
|  | // Create a new CodeCacheHostImpl and bind it to the given receiver. | 
|  | code_cache_host_receivers_.Add(GetProcess()->GetDeprecatedID(), nik, | 
|  | storage_key, std::move(receiver), | 
|  | GetCodeCacheHostReceiverHandler()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateCodeCacheHost( | 
|  | mojo::PendingReceiver<blink::mojom::CodeCacheHost> receiver) { | 
|  | CreateCodeCacheHostWithKeys(std::move(receiver), GetNetworkIsolationKey(), | 
|  | GetStorageKey()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateDedicatedWorkerHostFactory( | 
|  | mojo::PendingReceiver<blink::mojom::DedicatedWorkerHostFactory> receiver) { | 
|  | // Allocate the worker in the same process as the creator. | 
|  | int worker_process_id = GetProcess()->GetDeprecatedID(); | 
|  |  | 
|  | base::WeakPtr<CrossOriginEmbedderPolicyReporter> coep_reporter; | 
|  | if (coep_reporter_) { | 
|  | coep_reporter = coep_reporter_->GetWeakPtr(); | 
|  | } | 
|  |  | 
|  | // When a dedicated worker is created from the frame script, the frame is both | 
|  | // the creator and the ancestor. | 
|  | mojo::MakeSelfOwnedReceiver( | 
|  | std::make_unique<DedicatedWorkerHostFactoryImpl>( | 
|  | worker_process_id, | 
|  | /*creator=*/GetGlobalId(), | 
|  | /*ancestor_render_frame_host_id=*/GetGlobalId(), GetStorageKey(), | 
|  | isolation_info_, BuildClientSecurityState(), | 
|  | /*creator_coep_reporter=*/coep_reporter), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) || (BUILDFLAG(IS_IOS) && !BUILDFLAG(IS_IOS_TVOS)) | 
|  | void RenderFrameHostImpl::BindNFCReceiver( | 
|  | mojo::PendingReceiver<device::mojom::NFC> receiver) { | 
|  | delegate_->GetNFC(this, std::move(receiver)); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | void RenderFrameHostImpl::BindSerialService( | 
|  | mojo::PendingReceiver<blink::mojom::SerialService> receiver) { | 
|  | if (!IsFeatureEnabled(network::mojom::PermissionsPolicyFeature::kSerial)) { | 
|  | mojo::ReportBadMessage("Permissions policy blocks access to Serial."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Powerful features like Serial API for FencedFrames are blocked by | 
|  | // PermissionsPolicy. But as the interface is still exposed to the renderer, | 
|  | // still good to have a secondary check per-API basis to handle compromised | 
|  | // renderers. Ignore the request and mark it as bad to kill the initiating | 
|  | // renderer if it happened for some reason. | 
|  | if (IsNestedWithinFencedFrame()) { | 
|  | mojo::ReportBadMessage("Web Serial is not allowed in fences frames."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Rejects using Serial API when the top-level document has an opaque origin. | 
|  | if (GetOutermostMainFrame()->GetLastCommittedOrigin().opaque()) { | 
|  | mojo::ReportBadMessage( | 
|  | "Web Serial is not allowed when the top-level document has an opaque " | 
|  | "origin."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | SerialService::GetOrCreateForCurrentDocument(this)->Bind(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | #if !BUILDFLAG(IS_ANDROID) | 
|  | void RenderFrameHostImpl::GetHidService( | 
|  | mojo::PendingReceiver<blink::mojom::HidService> receiver) { | 
|  | HidService::Create(this, std::move(receiver)); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | #if BUILDFLAG(IS_CHROMEOS) | 
|  | void RenderFrameHostImpl::GetSmartCardService( | 
|  | mojo::PendingReceiver<blink::mojom::SmartCardService> receiver) { | 
|  | SmartCardService::Create(this, std::move(receiver)); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | IdleManagerImpl* RenderFrameHostImpl::GetIdleManager() { | 
|  | return idle_manager_.get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindIdleManager( | 
|  | mojo::PendingReceiver<blink::mojom::IdleManager> receiver) { | 
|  | if (!IsFeatureEnabled( | 
|  | network::mojom::PermissionsPolicyFeature::kIdleDetection)) { | 
|  | mojo::ReportBadMessage( | 
|  | "Permissions policy blocks access to IdleDetection."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | idle_manager_->CreateService(std::move(receiver)); | 
|  | OnBackForwardCacheDisablingStickyFeatureUsed( | 
|  | BackForwardCacheDisablingFeature::kIdleManager); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetPresentationService( | 
|  | mojo::PendingReceiver<blink::mojom::PresentationService> receiver) { | 
|  | if (!presentation_service_) | 
|  | presentation_service_ = PresentationServiceImpl::Create(this); | 
|  | presentation_service_->Bind(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | PresentationServiceImpl& | 
|  | RenderFrameHostImpl::GetPresentationServiceForTesting() { | 
|  | DCHECK(presentation_service_); | 
|  | return *presentation_service_.get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetSpeechSynthesis( | 
|  | mojo::PendingReceiver<blink::mojom::SpeechSynthesis> receiver) { | 
|  | if (!speech_synthesis_impl_) { | 
|  | speech_synthesis_impl_ = std::make_unique<SpeechSynthesisImpl>( | 
|  | GetProcess()->GetBrowserContext(), this); | 
|  | } | 
|  | speech_synthesis_impl_->AddReceiver(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetSensorProvider( | 
|  | mojo::PendingReceiver<blink::mojom::WebSensorProvider> receiver) { | 
|  | FrameSensorProviderProxy::GetOrCreateForCurrentDocument(this)->Bind( | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindCacheStorage( | 
|  | mojo::PendingReceiver<blink::mojom::CacheStorage> receiver) { | 
|  | BindCacheStorageInternal( | 
|  | std::move(receiver), | 
|  | storage::BucketLocator::ForDefaultBucket(GetStorageKey())); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindCacheStorageInternal( | 
|  | mojo::PendingReceiver<blink::mojom::CacheStorage> receiver, | 
|  | const storage::BucketLocator& bucket_locator) { | 
|  | mojo::PendingRemote<network::mojom::CrossOriginEmbedderPolicyReporter> | 
|  | coep_reporter_remote; | 
|  | if (coep_reporter_) { | 
|  | coep_reporter_->Clone( | 
|  | coep_reporter_remote.InitWithNewPipeAndPassReceiver()); | 
|  | } | 
|  | mojo::PendingRemote<network::mojom::DocumentIsolationPolicyReporter> | 
|  | dip_reporter_remote; | 
|  | if (dip_reporter_) { | 
|  | dip_reporter_->Clone(dip_reporter_remote.InitWithNewPipeAndPassReceiver()); | 
|  | } | 
|  | GetProcess()->BindCacheStorage( | 
|  | cross_origin_embedder_policy(), std::move(coep_reporter_remote), | 
|  | policy_container_host_->document_isolation_policy(), | 
|  | std::move(dip_reporter_remote), bucket_locator, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindInputInjectorReceiver( | 
|  | mojo::PendingReceiver<mojom::InputInjector> receiver) { | 
|  | InputInjectorImpl::Create(weak_ptr_factory_.GetWeakPtr(), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindWebOTPServiceReceiver( | 
|  | mojo::PendingReceiver<blink::mojom::WebOTPService> receiver) { | 
|  | auto* fetcher = SmsFetcher::Get(GetProcess()->GetBrowserContext()); | 
|  | if (WebOTPService::Create(fetcher, this, std::move(receiver))) | 
|  | document_used_web_otp_ = true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindDigitalIdentityRequestReceiver( | 
|  | mojo::PendingReceiver<blink::mojom::DigitalIdentityRequest> receiver) { | 
|  | DigitalIdentityRequestImpl::CreateInstance(*this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindFederatedAuthRequestReceiver( | 
|  | mojo::PendingReceiver<blink::mojom::FederatedAuthRequest> receiver) { | 
|  | FederatedAuthRequestImpl::Create(this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindRestrictedCookieManager( | 
|  | mojo::PendingReceiver<network::mojom::RestrictedCookieManager> receiver) { | 
|  | BindRestrictedCookieManagerWithOrigin( | 
|  | std::move(receiver), GetIsolationInfoForSubresources(), | 
|  | GetLastCommittedOrigin(), GetCookieSettingOverrides()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindRestrictedCookieManagerWithOrigin( | 
|  | mojo::PendingReceiver<network::mojom::RestrictedCookieManager> receiver, | 
|  | const net::IsolationInfo& isolation_info, | 
|  | const url::Origin& origin, | 
|  | net::CookieSettingOverrides cookie_setting_overrides) { | 
|  | // Give devtools a chance to apply its cookie setting overrides | 
|  | net::CookieSettingOverrides devtools_cookie_setting_overrides; | 
|  | devtools_instrumentation::ApplyNetworkCookieControlsOverrides( | 
|  | *this, devtools_cookie_setting_overrides); | 
|  |  | 
|  | // CookieSettingOverrides is passesd in instead of calling | 
|  | // GetCookieSettingOverrides, because this call can happen before the frame | 
|  | // is committed. | 
|  | GetStoragePartition()->CreateRestrictedCookieManager( | 
|  | network::mojom::RestrictedCookieManagerRole::SCRIPT, origin, | 
|  | isolation_info, | 
|  | /*is_service_worker=*/false, GetProcess()->GetDeprecatedID(), | 
|  | GetRoutingID(), cookie_setting_overrides, | 
|  | devtools_cookie_setting_overrides, std::move(receiver), | 
|  | CreateCookieAccessObserver(CookieAccessDetails::Source::kNonNavigation)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindTrustTokenQueryAnswerer( | 
|  | mojo::PendingReceiver<network::mojom::TrustTokenQueryAnswerer> receiver) { | 
|  | auto top_frame_origin = ComputeTopFrameOrigin(GetLastCommittedOrigin()); | 
|  |  | 
|  | // A check at the callsite in the renderer ensures a correctly functioning | 
|  | // renderer will only request this Mojo handle if the top-frame origin is | 
|  | // potentially trustworthy and has scheme HTTP or HTTPS. | 
|  | if ((top_frame_origin.scheme() != url::kHttpScheme && | 
|  | top_frame_origin.scheme() != url::kHttpsScheme) || | 
|  | !network::IsOriginPotentiallyTrustworthy(top_frame_origin)) { | 
|  | mojo::ReportBadMessage( | 
|  | "Attempted to get a TrustTokenQueryAnswerer for a non-trustworthy or " | 
|  | "non-HTTP/HTTPS top-frame origin."); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40729410): Document.hasPrivateToken is restricted to | 
|  | // secure contexts, so we could additionally add a check verifying that the | 
|  | // bind request "is coming from a secure context"---but there's currently no | 
|  | // direct way to perform such a check in the browser. | 
|  | GetProcess()->GetStoragePartition()->CreateTrustTokenQueryAnswerer( | 
|  | std::move(receiver), ComputeTopFrameOrigin(GetLastCommittedOrigin())); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetAudioContextManager( | 
|  | mojo::PendingReceiver<blink::mojom::AudioContextManager> receiver) { | 
|  | AudioContextManagerImpl::Create(this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetFileSystemManager( | 
|  | mojo::PendingReceiver<blink::mojom::FileSystemManager> receiver) { | 
|  | // This is safe because file_system_manager_ is deleted on the IO thread | 
|  | GetIOThreadTaskRunner({})->PostTask( | 
|  | FROM_HERE, base::BindOnce(&FileSystemManagerImpl::BindReceiver, | 
|  | base::Unretained(file_system_manager_.get()), | 
|  | GetStorageKey(), std::move(receiver))); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetGeolocationService( | 
|  | mojo::PendingReceiver<blink::mojom::GeolocationService> receiver) { | 
|  | if (!geolocation_service_) { | 
|  | auto* geolocation_context = delegate_->GetGeolocationContext(); | 
|  | if (!geolocation_context) | 
|  | return; | 
|  | geolocation_service_ = | 
|  | std::make_unique<GeolocationServiceImpl>(geolocation_context, this); | 
|  | } | 
|  | geolocation_service_->Bind(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetDeviceInfoService( | 
|  | mojo::PendingReceiver<blink::mojom::DeviceAPIService> receiver) { | 
|  | GetContentClient()->browser()->CreateDeviceInfoService(this, | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetManagedConfigurationService( | 
|  | mojo::PendingReceiver<blink::mojom::ManagedConfigurationService> receiver) { | 
|  | GetContentClient()->browser()->CreateManagedConfigurationService( | 
|  | this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetFontAccessManager( | 
|  | mojo::PendingReceiver<blink::mojom::FontAccessManager> receiver) { | 
|  | GetStoragePartition()->GetFontAccessManager()->BindReceiver( | 
|  | GetGlobalId(), std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetFileSystemAccessManager( | 
|  | mojo::PendingReceiver<blink::mojom::FileSystemAccessManager> receiver) { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | auto* manager = GetStoragePartition()->GetFileSystemAccessManager(); | 
|  | manager->BindReceiver( | 
|  | FileSystemAccessManagerImpl::BindingContext( | 
|  | GetStorageKey(), GetLastCommittedURL(), GetGlobalId()), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateLockManager( | 
|  | mojo::PendingReceiver<blink::mojom::LockManager> receiver) { | 
|  | GetProcess()->CreateLockManager(GetStorageKey(), std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateIDBFactory( | 
|  | mojo::PendingReceiver<blink::mojom::IDBFactory> receiver) { | 
|  | GetProcess()->BindIndexedDB(GetStorageKey(), *this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreateBucketManagerHost( | 
|  | mojo::PendingReceiver<blink::mojom::BucketManagerHost> receiver) { | 
|  | GetProcess()->BindBucketManagerHost(weak_ptr_factory_.GetWeakPtr(), | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CreatePermissionService( | 
|  | mojo::PendingReceiver<blink::mojom::PermissionService> receiver) { | 
|  | PermissionServiceContext::GetOrCreateForCurrentDocument(this)->CreateService( | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetWebAuthenticationService( | 
|  | mojo::PendingReceiver<blink::mojom::Authenticator> receiver) { | 
|  | #if !BUILDFLAG(IS_ANDROID) | 
|  | AuthenticatorImpl::Create(this, std::move(receiver)); | 
|  | #else | 
|  | GetJavaInterfaces()->GetInterface(std::move(receiver)); | 
|  | #endif  // !BUILDFLAG(IS_ANDROID) | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetPushMessaging( | 
|  | mojo::PendingReceiver<blink::mojom::PushMessaging> receiver) { | 
|  | if (!push_messaging_manager_) { | 
|  | auto* rph = GetProcess(); | 
|  | push_messaging_manager_ = std::make_unique<PushMessagingManager>( | 
|  | *rph, routing_id_, | 
|  | base::WrapRefCounted(GetStoragePartition()->GetServiceWorkerContext())); | 
|  | } | 
|  |  | 
|  | push_messaging_manager_->AddPushMessagingReceiver(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | bool IsInitialSynchronousAboutBlankCommit(const GURL& url, | 
|  | bool is_initial_empty_document) { | 
|  | return url.SchemeIs(url::kAboutScheme) && url != GURL(url::kAboutSrcdocURL) && | 
|  | is_initial_empty_document; | 
|  | } | 
|  |  | 
|  | std::unique_ptr<NavigationRequest> | 
|  | RenderFrameHostImpl::CreateNavigationRequestForSynchronousRendererCommit( | 
|  | const GURL& url, | 
|  | const url::Origin& origin, | 
|  | const std::optional<GURL>& initiator_base_url, | 
|  | blink::mojom::ReferrerPtr referrer, | 
|  | const ui::PageTransition& transition, | 
|  | bool should_replace_current_entry, | 
|  | bool has_user_gesture, | 
|  | const std::vector<GURL>& redirects, | 
|  | const GURL& original_request_url, | 
|  | bool is_same_document, | 
|  | bool is_same_document_history_api_navigation, | 
|  | base::TimeTicks actual_navigation_start) { | 
|  | // This function must only be called when there are no NavigationRequests for | 
|  | // a navigation can be found at DidCommit time, which can only happen in two | 
|  | // cases: | 
|  | // 1) This was a synchronous renderer-initiated navigation to about:blank | 
|  | // after the initial empty document. | 
|  | // 2) This was a renderer-initiated same-document navigation. | 
|  | DCHECK(IsInitialSynchronousAboutBlankCommit( | 
|  | url, frame_tree_node_->is_on_initial_empty_document()) || | 
|  | is_same_document); | 
|  | DCHECK(!is_same_document_history_api_navigation || is_same_document); | 
|  | DCHECK(!IsPendingDeletion());     // IPC is filtered out by the caller. | 
|  | DCHECK(!IsInBackForwardCache());  // A page in the BackForwardCache is fully | 
|  | // loaded and has no pending navigations. | 
|  | // See `owner_` invariants about IsPendingDeletion() and | 
|  | // IsInBackForwardCache(). | 
|  | CHECK(owner_); | 
|  |  | 
|  | net::IsolationInfo isolation_info = ComputeIsolationInfoInternal( | 
|  | origin, net::IsolationInfo::RequestType::kOther, IsCredentialless(), | 
|  | /*fenced_frame_nonce_for_navigation=*/std::nullopt); | 
|  |  | 
|  | std::unique_ptr<CrossOriginEmbedderPolicyReporter> coep_reporter; | 
|  | std::unique_ptr<DocumentIsolationPolicyReporter> dip_reporter; | 
|  | // We don't switch the COEP and DIP reporters on same-document navigations, so | 
|  | // create one only for cross-document navigations. | 
|  | if (!is_same_document) { | 
|  | auto* storage_partition = | 
|  | static_cast<StoragePartitionImpl*>(GetProcess()->GetStoragePartition()); | 
|  | coep_reporter = std::make_unique<CrossOriginEmbedderPolicyReporter>( | 
|  | storage_partition->GetWeakPtr(), url, | 
|  | cross_origin_embedder_policy().reporting_endpoint, | 
|  | cross_origin_embedder_policy().report_only_reporting_endpoint, | 
|  | GetReportingSource(), isolation_info.network_anonymization_key()); | 
|  | dip_reporter = std::make_unique<DocumentIsolationPolicyReporter>( | 
|  | storage_partition->GetWeakPtr(), url, | 
|  | policy_container_host()->document_isolation_policy().reporting_endpoint, | 
|  | policy_container_host() | 
|  | ->document_isolation_policy() | 
|  | .report_only_reporting_endpoint, | 
|  | GetReportingSource(), isolation_info.network_anonymization_key()); | 
|  | } | 
|  |  | 
|  | std::string method = "GET"; | 
|  | if (is_same_document && !is_same_document_history_api_navigation) { | 
|  | // Preserve the HTTP method used by the last navigation if this is a | 
|  | // same-document navigation that is not triggered by the history API | 
|  | // (history.replaceState/pushState). See spec: | 
|  | // https://html.spec.whatwg.org/multipage/history.html#url-and-history-update-steps | 
|  | method = last_http_method_; | 
|  | } | 
|  |  | 
|  | // HTTP status code: | 
|  | // - For same-document navigations, we should retain the HTTP status code from | 
|  | // the last committed navigation. | 
|  | // - For initial about:blank navigation, the HTTP status code is 0. | 
|  | int http_status_code = is_same_document ? last_http_status_code_ : 0; | 
|  |  | 
|  | // Same-document navigation should retain is_overriding_user_agent from the | 
|  | // last committed navigation. | 
|  | bool is_overriding_user_agent = | 
|  | is_same_document && GetPage().is_overriding_user_agent(); | 
|  |  | 
|  | return owner_->CreateNavigationRequestForSynchronousRendererCommit( | 
|  | this, is_same_document, url, origin, initiator_base_url, isolation_info, | 
|  | std::move(referrer), transition, should_replace_current_entry, method, | 
|  | has_user_gesture, is_overriding_user_agent, redirects, | 
|  | original_request_url, std::move(coep_reporter), std::move(dip_reporter), | 
|  | http_status_code, actual_navigation_start); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BeforeUnloadTimeout() { | 
|  | if (delegate_->ShouldIgnoreUnresponsiveRenderer()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | SimulateBeforeUnloadCompleted(/*proceed=*/true); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetLastCommittedSiteInfo(const UrlInfo& url_info) { | 
|  | BrowserContext* browser_context = GetSiteInstance()->GetBrowserContext(); | 
|  | SiteInfo site_info = | 
|  | url_info.url.is_empty() | 
|  | ? SiteInfo(browser_context) | 
|  | : SiteInfo::Create(GetSiteInstance()->GetIsolationContext(), | 
|  | url_info); | 
|  |  | 
|  | if (last_committed_url_derived_site_info_ == site_info) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // Increment the active document count only if we're committing a new | 
|  | // document by replacing an old document in an existing RenderFrameHost | 
|  | // (i.e. not when this function is called on RenderFrameHost destruction), | 
|  | // which we know is the case if the RenderFrameHost is already active at | 
|  | // this point (if it was a speculative RenderFrameHost, it wouldn't have | 
|  | // been swapped in yet). | 
|  | // Note that this only handles same-RenderFrameHost document commits, | 
|  | // while a similar code in `RenderFrameHostImpl::SetLifecycle()` | 
|  | // handles cross-RenderFrameHost commits and activeness changes. | 
|  | GetSiteInstance()->DecrementActiveDocumentCount( | 
|  | last_committed_url_derived_site_info_); | 
|  | GetSiteInstance()->IncrementActiveDocumentCount(site_info); | 
|  | } | 
|  |  | 
|  | if (!last_committed_url_derived_site_info_.site_url().is_empty()) { | 
|  | RenderProcessHostImpl::RemoveFrameWithSite( | 
|  | browser_context, GetProcess(), last_committed_url_derived_site_info_); | 
|  | } | 
|  |  | 
|  | last_committed_url_derived_site_info_ = site_info; | 
|  |  | 
|  | if (!last_committed_url_derived_site_info_.site_url().is_empty()) { | 
|  | RenderProcessHostImpl::AddFrameWithSite( | 
|  | browser_context, GetProcess(), last_committed_url_derived_site_info_); | 
|  | } | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | base::android::ScopedJavaLocalRef<jobject> | 
|  | RenderFrameHostImpl::GetJavaRenderFrameHost() { | 
|  | RenderFrameHostAndroid* render_frame_host_android = | 
|  | static_cast<RenderFrameHostAndroid*>( | 
|  | GetUserData(kRenderFrameHostAndroidKey)); | 
|  | if (!render_frame_host_android) { | 
|  | render_frame_host_android = new RenderFrameHostAndroid(this); | 
|  | SetUserData(kRenderFrameHostAndroidKey, | 
|  | base::WrapUnique(render_frame_host_android)); | 
|  | } | 
|  | return render_frame_host_android->GetJavaObject(); | 
|  | } | 
|  |  | 
|  | service_manager::InterfaceProvider* RenderFrameHostImpl::GetJavaInterfaces() { | 
|  | if (!java_interfaces_) { | 
|  | mojo::PendingRemote<service_manager::mojom::InterfaceProvider> provider; | 
|  | BindInterfaceRegistryForRenderFrameHost( | 
|  | provider.InitWithNewPipeAndPassReceiver(), this); | 
|  | java_interfaces_ = std::make_unique<service_manager::InterfaceProvider>( | 
|  | base::SingleThreadTaskRunner::GetCurrentDefault()); | 
|  | java_interfaces_->Bind(std::move(provider)); | 
|  | } | 
|  | return java_interfaces_.get(); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | void RenderFrameHostImpl::ForEachImmediateLocalRoot( | 
|  | base::FunctionRef<void(RenderFrameHostImpl*)> func_ref) { | 
|  | ForEachRenderFrameHostImplWithAction( | 
|  | [func_ref, this](RenderFrameHostImpl* rfh) { | 
|  | if (rfh->is_local_root() && rfh != this) { | 
|  | func_ref(rfh); | 
|  | return FrameIterationAction::kSkipChildren; | 
|  | } | 
|  | return FrameIterationAction::kContinue; | 
|  | }); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetVisibilityForChildViews(bool visible) { | 
|  | ForEachImmediateLocalRoot([visible](RenderFrameHostImpl* frame_host) { | 
|  | if (auto* view = frame_host->GetView()) | 
|  | return visible ? view->Show() : view->Hide(); | 
|  | }); | 
|  |  | 
|  | if (base::FeatureList::IsEnabled( | 
|  | network::features::kVisibilityAwareResourceScheduler) && | 
|  | IsOutermostMainFrame()) { | 
|  | GetStoragePartition() | 
|  | ->GetNetworkContext() | 
|  | ->ResourceSchedulerClientVisibilityChanged(GetTopFrameToken().value(), | 
|  | visible); | 
|  | } | 
|  | } | 
|  |  | 
|  | mojom::Frame* RenderFrameHostImpl::GetMojomFrameInRenderer() { | 
|  | DCHECK(frame_); | 
|  | return frame_.get(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldBypassSecurityChecksForErrorPage( | 
|  | NavigationRequest* navigation_request, | 
|  | bool* should_commit_error_page) { | 
|  | if (should_commit_error_page) | 
|  | *should_commit_error_page = false; | 
|  |  | 
|  | if (SiteIsolationPolicy::IsErrorPageIsolationEnabled(is_main_frame())) { | 
|  | if (GetSiteInstance()->GetSiteInfo().is_error_page()) { | 
|  | if (should_commit_error_page) | 
|  | *should_commit_error_page = true; | 
|  |  | 
|  | // With error page isolation, any URL can commit in an error page process. | 
|  | return true; | 
|  | } | 
|  | } else { | 
|  | // Without error page isolation, a blocked navigation is expected to | 
|  | // commit in the old renderer process.  This may be true for subframe | 
|  | // navigations even when error page isolation is enabled for main frames. | 
|  | if (navigation_request && | 
|  | net::IsRequestBlockedError(navigation_request->GetNetErrorCode())) { | 
|  | return true; | 
|  | } | 
|  | } | 
|  |  | 
|  | return false; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetAudioOutputDeviceIdForGlobalMediaControls( | 
|  | std::string hashed_device_id) { | 
|  | if (audio_service_audio_output_stream_factory_.has_value()) { | 
|  | audio_service_audio_output_stream_factory_ | 
|  | ->SetAuthorizedDeviceIdForGlobalMediaControls( | 
|  | std::move(hashed_device_id)); | 
|  | } | 
|  | } | 
|  |  | 
|  | std::unique_ptr<mojo::MessageFilter> | 
|  | RenderFrameHostImpl::CreateMessageFilterForAssociatedReceiver( | 
|  | const char* interface_name) { | 
|  | return CreateMessageFilterForAssociatedReceiverInternal( | 
|  | interface_name, | 
|  | BackForwardCacheImpl::GetChannelAssociatedMessageHandlingPolicy()); | 
|  | } | 
|  |  | 
|  | network::mojom::ClientSecurityStatePtr | 
|  | RenderFrameHostImpl::BuildClientSecurityState() const { | 
|  | // TODO(crbug.com/40752428) Remove this bandaid. | 
|  | // | 
|  | // Due to a race condition, CreateCrossOriginPrefetchLoaderFactoryBundle() is | 
|  | // sometimes called on the previous document, before the new document is | 
|  | // committed. In that case, it mistakenly builds a client security state | 
|  | // based on the policies of the previous document. If no document has ever | 
|  | // committed, there is no PolicyContainerHost to source policies from. To | 
|  | // avoid crashes, this returns a maximally-restrictive value instead. | 
|  | if (!policy_container_host_) { | 
|  | // Prevent other code paths from depending on this bandaid. | 
|  | DCHECK_EQ(lifecycle_state_, LifecycleStateImpl::kSpeculative); | 
|  |  | 
|  | // Omitted: reporting endpoint, report-only value and reporting endpoint. | 
|  | network::CrossOriginEmbedderPolicy coep; | 
|  | coep.value = network::mojom::CrossOriginEmbedderPolicyValue::kRequireCorp; | 
|  | network::DocumentIsolationPolicy dip; | 
|  | dip.value = | 
|  | network::mojom::DocumentIsolationPolicyValue::kIsolateAndRequireCorp; | 
|  |  | 
|  | return network::mojom::ClientSecurityState::New( | 
|  | std::move(coep), | 
|  | /*is_web_secure_context=*/false, | 
|  | network::mojom::IPAddressSpace::kUnknown, | 
|  | network::mojom::PrivateNetworkRequestPolicy::kBlock, std::move(dip)); | 
|  | } | 
|  |  | 
|  | const PolicyContainerPolicies& policies = policy_container_host_->policies(); | 
|  | return network::mojom::ClientSecurityState::New( | 
|  | policies.cross_origin_embedder_policy, policies.is_web_secure_context, | 
|  | policies.ip_address_space, private_network_request_policy_, | 
|  | policies.document_isolation_policy); | 
|  | } | 
|  |  | 
|  | network::mojom::ClientSecurityStatePtr | 
|  | RenderFrameHostImpl::BuildClientSecurityStateForWorkers() const { | 
|  | auto client_security_state = BuildClientSecurityState(); | 
|  |  | 
|  | client_security_state->private_network_request_policy = | 
|  | DerivePrivateNetworkRequestPolicy( | 
|  | client_security_state->ip_address_space, | 
|  | client_security_state->is_web_secure_context, | 
|  | PrivateNetworkRequestContext::kWorker); | 
|  |  | 
|  | return client_security_state; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsNavigationSameSite( | 
|  | const UrlInfo& dest_url_info) const { | 
|  | if (!WebExposedIsolationInfo::AreCompatible( | 
|  | GetSiteInstance()->GetWebExposedIsolationInfo(), | 
|  | dest_url_info.web_exposed_isolation_info)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (GetSiteInstance()->GetSiteInfo().agent_cluster_key() && | 
|  | GetSiteInstance() | 
|  | ->GetSiteInfo() | 
|  | .agent_cluster_key() | 
|  | ->GetCrossOriginIsolationKey() != | 
|  | dest_url_info.cross_origin_isolation_key) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return GetSiteInstance()->IsNavigationSameSite( | 
|  | last_successful_url(), GetLastCommittedOrigin(), IsOutermostMainFrame(), | 
|  | dest_url_info); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ValidateDidCommitParams( | 
|  | NavigationRequest* navigation_request, | 
|  | mojom::DidCommitProvisionalLoadParams* params, | 
|  | bool is_same_document_navigation) { | 
|  | DCHECK(params); | 
|  | RenderProcessHost* process = GetProcess(); | 
|  |  | 
|  | // Error pages may sometimes commit a URL in the wrong process, which requires | 
|  | // an exception for the CanCommitOriginAndUrl() checks.  This is ok as long | 
|  | // as the origin is opaque. | 
|  | bool should_commit_error_page = false; | 
|  | bool bypass_checks_for_error_page = ShouldBypassSecurityChecksForErrorPage( | 
|  | navigation_request, &should_commit_error_page); | 
|  |  | 
|  | // Commits in the error page process must only be failures, otherwise | 
|  | // successful navigations could commit documents from origins different | 
|  | // than the chrome-error://chromewebdata/ one and violate expectations. | 
|  | if (should_commit_error_page && | 
|  | (navigation_request && !navigation_request->DidEncounterError())) { | 
|  | DEBUG_ALIAS_FOR_ORIGIN(origin_debug_alias, params->origin); | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_ERROR_PROCESS_NON_ERROR_COMMIT); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Error pages must commit in a opaque origin. Terminate the renderer | 
|  | // process if this is violated. | 
|  | if (bypass_checks_for_error_page && !params->origin.opaque()) { | 
|  | DEBUG_ALIAS_FOR_ORIGIN(origin_debug_alias, params->origin); | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_ERROR_PROCESS_NON_UNIQUE_ORIGIN_COMMIT); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!bypass_checks_for_error_page && | 
|  | !ValidateURLAndOrigin(params->url, params->origin, | 
|  | is_same_document_navigation, navigation_request)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Without this check, an evil renderer can trick the browser into creating | 
|  | // a navigation entry for a banned URL.  If the user clicks the back button | 
|  | // followed by the forward button (or clicks reload, or round-trips through | 
|  | // session restore, etc), we'll think that the browser commanded the | 
|  | // renderer to load the URL and grant the renderer the privileges to request | 
|  | // the URL.  To prevent this attack, we block the renderer from inserting | 
|  | // banned URLs into the navigation controller in the first place. | 
|  | const RenderProcessHost::FilterURLResult url_filter_result = | 
|  | process->FilterURL(false, ¶ms->url); | 
|  | process->FilterURL(true, ¶ms->referrer->url); | 
|  |  | 
|  | // Check whether the URL was blocked by FilterURL, or by similar logic in the | 
|  | // renderer process. Exclude cases where the renderer may have actually | 
|  | // navigated same-document to about:blank#blocked. | 
|  | bool blocked_by_renderer = | 
|  | params->url == GURL(kBlockedURL) && !GetLastCommittedURL().IsAboutBlank(); | 
|  | if (is_same_document_navigation && | 
|  | (url_filter_result == RenderProcessHost::FilterURLResult::kBlocked || | 
|  | blocked_by_renderer)) { | 
|  | // For same-document navigations, keeping about:blank#blocked can lead to | 
|  | // some really strange results with navigating back/forward and session | 
|  | // restore. So if the URL was filtered, replace it with the current URL: | 
|  | // this still ends up not quite matching the state in the renderer, but at | 
|  | // least the current URL is in the current origin, and will result in less | 
|  | // confusion in the browser process. | 
|  | // | 
|  | // Note that this would be unsafe for cross-document navigations, which can | 
|  | // be cross-origin. | 
|  | // | 
|  | // TODO(crbug.com/40067230): It would be nice to catch and block this | 
|  | // earlier in the renderer process (causing the same-document navigation to | 
|  | // fail), so the browser process could just treat this as a 'bad message | 
|  | // received' situation. | 
|  | params->url = GetLastCommittedURL(); | 
|  | } | 
|  |  | 
|  | // Without this check, the renderer can trick the browser into using | 
|  | // filenames it can't access in a future session restore. | 
|  | if (!CanAccessFilesOfPageState(params->page_state)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_CAN_ACCESS_FILES_OF_PAGE_STATE_AT_COMMIT); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // An initiator base URL should either be nullopt or non-empty, to satisfy | 
|  | // checks later in the navigation. | 
|  | if (params->initiator_base_url.has_value() && | 
|  | params->initiator_base_url->is_empty()) { | 
|  | // For now, replace the empty URL with nullopt. | 
|  | // TODO(https://crbug.com/324772617): Upgrade this DumpWithoutCrashing to a | 
|  | // renderer kill once we confirm there aren't reports of it happening. | 
|  | SCOPED_CRASH_KEY_STRING32("ValidateDidCommit_empty_baseurl", "url", | 
|  | params->url.possibly_invalid_spec()); | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | params->initiator_base_url = std::nullopt; | 
|  | } | 
|  |  | 
|  | // A cross-document navigation requires an embedding token. Navigations | 
|  | // activating an existing document do not require new embedding tokens as the | 
|  | // token is already set. | 
|  | bool is_page_activation = | 
|  | navigation_request && navigation_request->IsPageActivation(); | 
|  | DCHECK(!is_page_activation || embedding_token_.has_value()); | 
|  | if (!is_page_activation) { | 
|  | if (!is_same_document_navigation && !params->embedding_token.has_value()) { | 
|  | bad_message::ReceivedBadMessage(process, | 
|  | bad_message::RFH_MISSING_EMBEDDING_TOKEN); | 
|  | return false; | 
|  | } else if (is_same_document_navigation && | 
|  | params->embedding_token.has_value()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_UNEXPECTED_EMBEDDING_TOKEN); | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Note: document_policy_header is the document policy state used to | 
|  | // initialize |document_policy_| in SecurityContext on renderer side. It is | 
|  | // supposed to be compatible with required_document_policy. If not, kill the | 
|  | // renderer. | 
|  | if (!blink::DocumentPolicy::IsPolicyCompatible( | 
|  | browsing_context_state_->effective_frame_policy() | 
|  | .required_document_policy, | 
|  | params->document_policy_header)) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_BAD_DOCUMENT_POLICY_HEADER); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // If a frame claims the navigation was same-document, it must be the current | 
|  | // frame, not a pending one. | 
|  | if (is_same_document_navigation && | 
|  | lifecycle_state() == LifecycleStateImpl::kPendingCommit) { | 
|  | bad_message::ReceivedBadMessage(process, | 
|  | bad_message::NI_IN_PAGE_NAVIGATION); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Same document navigations should not be possible on post-commit error pages | 
|  | // and would leave the NavigationController in a weird state. Kill the | 
|  | // renderer before getting to NavigationController::RendererDidNavigate if | 
|  | // that happens. | 
|  | if (is_same_document_navigation) { | 
|  | // `owner_` must exist, because `DidCommitSameDocumentNavigation()` returns | 
|  | // early for RenderFrameHost pending deletion or in the BackForwardCache. | 
|  | CHECK(owner_); | 
|  | if (owner_->GetCurrentNavigator() | 
|  | .controller() | 
|  | .has_post_commit_error_entry()) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::NC_SAME_DOCUMENT_POST_COMMIT_ERROR); | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | // Check(s) specific to sub-frame navigation. | 
|  | if (navigation_request && !is_main_frame()) { | 
|  | if (!CanSubframeCommitOriginAndUrl(navigation_request)) { | 
|  | // Terminate the renderer if allowing this subframe navigation to commit | 
|  | // would change the origin of the main frame. | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, | 
|  | bad_message::RFHI_SUBFRAME_NAV_WOULD_CHANGE_MAINFRAME_ORIGIN); | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | // TODO(https://crbug.com/402272788): Remove `origin` from DidCommitParams, | 
|  | // making this check unnecessary. | 
|  | if (navigation_request && | 
|  | navigation_request->commit_params().origin_to_commit != params->origin) { | 
|  | bad_message::ReceivedBadMessage(process, | 
|  | bad_message::RFH_ORIGIN_TO_COMMIT_MISMATCH); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ValidateURLAndOrigin( | 
|  | const GURL& url, | 
|  | const url::Origin& origin, | 
|  | bool is_same_document_navigation, | 
|  | NavigationRequest* navigation_request) { | 
|  | // WebView's allow_universal_access_from_file_urls setting allows file origins | 
|  | // to access any other origin and bypass normal commit checks. If new | 
|  | // documents in the same process and origin may also bypass these checks after | 
|  | // the setting is disabled (e.g., due to document.open), they are allowed a | 
|  | // narrower exemption in ChildProcessSecurityPolicyImpl::CanCommitOriginAndUrl | 
|  | // due to compatibility requirements for existing apps. | 
|  | if (origin.scheme() == url::kFileScheme) { | 
|  | auto prefs = GetOrCreateWebPreferences(); | 
|  | if (prefs.allow_universal_access_from_file_urls) { | 
|  | return true; | 
|  | } | 
|  | } | 
|  |  | 
|  | // If the --disable-web-security flag is specified, all bets are off and the | 
|  | // renderer process can send any origin it wishes. | 
|  | if (base::CommandLine::ForCurrentProcess()->HasSwitch( | 
|  | switches::kDisableWebSecurity)) { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // WebView's loadDataWithBaseURL API is allowed to bypass normal commit | 
|  | // checks because it is allowed to commit anything into its unlocked process | 
|  | // and its data: URL and (possibly non-opaque) origin would fail the normal | 
|  | // commit checks. | 
|  | // | 
|  | // We should also allow same-document navigations within pages loaded with | 
|  | // loadDataWithBaseURL. Since renderer-initiated same-document navigations | 
|  | // won't have a NavigationRequest at this point, we need to check | 
|  | // |renderer_url_info_.was_loaded_from_load_data_with_base_url|. | 
|  | // | 
|  | // Note that a LoadDataWithBaseURL document could require other same-origin | 
|  | // documents to bypass the same checks, such as calling document.open on them | 
|  | // to cause an otherwise illegal URL to be inherited. We only allow this type | 
|  | // of origin-wide bypass for opaque origins, where the LoadDataWithBaseURL | 
|  | // caller controls all the code in the origin. This reduces the risk of | 
|  | // bypassing the checks from non-opaque origins. | 
|  | // See https://crbug.com/326250356. | 
|  | DCHECK(navigation_request || is_same_document_navigation || | 
|  | frame_tree_node_->is_on_initial_empty_document()); | 
|  | RenderProcessHost* process = GetProcess(); | 
|  | if ((navigation_request && navigation_request->IsLoadDataWithBaseURL()) || | 
|  | (is_same_document_navigation && | 
|  | renderer_url_info_.was_loaded_from_load_data_with_base_url) || | 
|  | (origin.opaque() && ChildProcessSecurityPolicyImpl::GetInstance() | 
|  | ->HasOriginCheckExemptionForWebView( | 
|  | process->GetDeprecatedID(), origin))) { | 
|  | // Allow bypass if the process isn't locked. Otherwise run normal checks. | 
|  | if (!process->GetProcessLock().is_locked_to_site()) | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Use the value of `is_pdf` from `navigation_request` (if provided). This may | 
|  | // be needed to verify the process lock in `CanCommitOriginAndUrl()`, but | 
|  | // cannot be derived from the URL and origin alone. | 
|  | bool is_pdf = navigation_request && navigation_request->GetUrlInfo().is_pdf; | 
|  | bool is_sandboxed = | 
|  | navigation_request && navigation_request->GetUrlInfo().is_sandboxed; | 
|  |  | 
|  | // Attempts to commit certain off-limits URL should be caught more strictly | 
|  | // than our FilterURL checks.  If a renderer violates this policy, it | 
|  | // should be killed. | 
|  | switch (CanCommitOriginAndUrl(origin, url, is_same_document_navigation, | 
|  | is_pdf, is_sandboxed)) { | 
|  | case CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL: | 
|  | // The origin and URL are safe to commit. | 
|  | break; | 
|  | case CanCommitStatus::CANNOT_COMMIT_URL: | 
|  | DLOG(ERROR) << "CANNOT_COMMIT_URL url '" << url << "'" | 
|  | << " origin '" << origin << "'" | 
|  | << " lock '" << process->GetProcessLock().ToString() << "'"; | 
|  | VLOG(1) << "Blocked URL " << url.spec(); | 
|  | LogCannotCommitUrlCrashKeys(url, origin, is_same_document_navigation, | 
|  | navigation_request); | 
|  |  | 
|  | // Kills the process. | 
|  | bad_message::ReceivedBadMessage(process, | 
|  | bad_message::RFH_CAN_COMMIT_URL_BLOCKED); | 
|  | return false; | 
|  | case CanCommitStatus::CANNOT_COMMIT_ORIGIN: | 
|  | DLOG(ERROR) << "CANNOT_COMMIT_ORIGIN url '" << url << "'" | 
|  | << " origin '" << origin << "'" | 
|  | << " lock '" << process->GetProcessLock().ToString() << "'"; | 
|  | DEBUG_ALIAS_FOR_ORIGIN(origin_debug_alias, origin); | 
|  | LogCannotCommitOriginCrashKeys(url, origin, process->GetProcessLock(), | 
|  | is_same_document_navigation, | 
|  | navigation_request); | 
|  |  | 
|  | // Kills the process. | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_INVALID_ORIGIN_ON_COMMIT); | 
|  | return false; | 
|  | } | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Simulates the calculation for DidCommitProvisionalLoadParams' `referrer`. | 
|  | // This is written to preserve the behavior of the calculations that happened in | 
|  | // the renderer before being moved to the browser. In the future, we might want | 
|  | // to remove this function in favor of using NavigationRequest::GetReferrer() | 
|  | // or CommonNavigationParam's `referrer` directly. | 
|  | blink::mojom::ReferrerPtr GetReferrerForDidCommitParams( | 
|  | NavigationRequest* request) { | 
|  | if (request->DidEncounterError()) { | 
|  | // Error pages always use the referrer from CommonNavigationParams, since | 
|  | // it won't go through its server redirects in the renderer, and won't be | 
|  | // marked as a client redirect. | 
|  | // TODO(crbug.com/40771822): Maybe make this case just return the | 
|  | // sanitized referrer below once the client redirect bug is fixed. This | 
|  | // means GetReferrerForDidCommitParams(), NavigationRequest::GetReferrer() | 
|  | // (`sanitized_referrer_`), and CommonNavigationParams's `referrer` will all | 
|  | // return the same value, and GetReferrerForDidCommitParams() and | 
|  | // `sanitized_referrer_` can be removed, leaving only | 
|  | // CommonNavigationParams's `referrer`. | 
|  | return request->common_params().referrer.Clone(); | 
|  | } | 
|  |  | 
|  | // Otherwise, return the sanitized referrer saved in the NavigationRequest. | 
|  | // - For client redirects, this will be the the URL that initiated the | 
|  | // navigation. (Note: this will only be sanitized at the start, and not after | 
|  | // any redirects, including cross-origin ones. See https://crbug.com/1218786) | 
|  | // - For other navigations, this will be the referrer used after the final | 
|  | // redirect. | 
|  | return request->GetReferrer().Clone(); | 
|  | } | 
|  |  | 
|  | // static | 
|  | // This function logs metrics about potentially isolatable sandboxed iframes | 
|  | // that are tracked through calls to UpdateIsolatableSandboxedIframeTracking(). | 
|  | // In addition to reporting the number of potential OOPSIFs, it also reports the | 
|  | // number of unique origins encountered (to give insight into potential | 
|  | // behavior if a per-origin isolation model was implemented), and it counts the | 
|  | // actual number of RenderProcessHosts isolating OOPSIFs using the current | 
|  | // per-site isolation model. | 
|  | void RenderFrameHost::LogSandboxedIframesIsolationMetrics() { | 
|  | RoutingIDIsolatableSandboxedIframesSet* oopsifs = | 
|  | g_routing_id_isolatable_sandboxed_iframes_set.Pointer(); | 
|  |  | 
|  | base::UmaHistogramCounts1000("SiteIsolation.IsolatableSandboxedIframes", | 
|  | oopsifs->size()); | 
|  |  | 
|  | // Count the number of unique origins across all the isolatable sandboxed | 
|  | // iframes. This will give us a sense of the potential process overhead if we | 
|  | // chose a per-origin process model for isolating these frames instead of the | 
|  | // per-site model we plan to use. We use the precursor SchemeHostPort rather | 
|  | // than the url::Origin, which is always opaque in these cases. | 
|  | { | 
|  | std::set<SiteInfo> sandboxed_site_infos; | 
|  | std::set<url::SchemeHostPort> sandboxed_origins; | 
|  | for (auto rfh_global_id : *oopsifs) { | 
|  | auto* rfhi = RenderFrameHostImpl::FromID(rfh_global_id); | 
|  | DCHECK(rfhi->GetLastCommittedOrigin().opaque()); | 
|  | sandboxed_origins.insert( | 
|  | rfhi->GetLastCommittedOrigin().GetTupleOrPrecursorTupleIfOpaque()); | 
|  | sandboxed_site_infos.insert(rfhi->GetSiteInstance()->GetSiteInfo()); | 
|  | } | 
|  | base::UmaHistogramCounts1000( | 
|  | "SiteIsolation.IsolatableSandboxedIframes.UniqueOrigins", | 
|  | sandboxed_origins.size()); | 
|  | base::UmaHistogramCounts1000( | 
|  | "SiteIsolation.IsolatableSandboxedIframes.UniqueSites", | 
|  | sandboxed_site_infos.size()); | 
|  | } | 
|  |  | 
|  | // Walk the set and count the number of unique RenderProcessHosts. Using a set | 
|  | // allows us to accurately measure process overhead, including cases where | 
|  | // SiteInstances from multiple BrowsingInstances are coalesced into a single | 
|  | // RenderProcess. | 
|  | std::set<RenderProcessHost*> sandboxed_rphs; | 
|  | for (auto rfh_global_id : *oopsifs) { | 
|  | auto* rfhi = FromID(rfh_global_id); | 
|  | DCHECK(rfhi); | 
|  | auto* site_instance = | 
|  | static_cast<SiteInstanceImpl*>(rfhi->GetSiteInstance()); | 
|  | DCHECK(site_instance->HasProcess()); | 
|  | if (site_instance->GetSiteInfo().is_sandboxed()) | 
|  | sandboxed_rphs.insert(site_instance->GetProcess()); | 
|  | } | 
|  | // There should be no sandboxed RPHs if the feature isn't enabled. | 
|  | DCHECK(SiteIsolationPolicy::AreIsolatedSandboxedIframesEnabled() || | 
|  | sandboxed_rphs.size() == 0); | 
|  | base::UmaHistogramCounts1000( | 
|  | "Memory.RenderProcessHost.Count2.SandboxedIframeOverhead", | 
|  | sandboxed_rphs.size()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateIsolatableSandboxedIframeTracking( | 
|  | NavigationRequest* navigation_request) { | 
|  | RoutingIDIsolatableSandboxedIframesSet* oopsifs = | 
|  | g_routing_id_isolatable_sandboxed_iframes_set.Pointer(); | 
|  | GlobalRenderFrameHostId global_id = GetGlobalId(); | 
|  |  | 
|  | // Check if the flags are correct. | 
|  | DCHECK(policy_container_host_); | 
|  | bool frame_is_isolatable = | 
|  | IsSandboxed(network::mojom::WebSandboxFlags::kOrigin); | 
|  |  | 
|  | if (frame_is_isolatable) { | 
|  | // Limit the "isolatable" sandboxed frames to those that are either in the | 
|  | // same SiteInstance as their parent/opener (and thus could be isolated), or | 
|  | // that are already isolated due to sandbox flags. | 
|  | GURL url = GetLastCommittedURL(); | 
|  | if (url.IsAboutBlank() || url.is_empty()) { | 
|  | frame_is_isolatable = false; | 
|  | } else { | 
|  | // Since this frame could be a main frame, we need to consider the | 
|  | // SiteInstance of either the parent or opener (if either exists) of this | 
|  | // frame, to see if the url can be placed in an OOPSIF, i.e. it's not | 
|  | // already isolated because of being cross-site. | 
|  | RenderFrameHost* frame_owner = GetParent(); | 
|  | FrameTreeNode* opener = navigation_request->frame_tree_node()->opener(); | 
|  | if (!frame_owner && opener) | 
|  | frame_owner = opener->current_frame_host(); | 
|  |  | 
|  | if (!frame_owner) { | 
|  | frame_is_isolatable = false; | 
|  | } else if (GetSiteInstance()->GetSiteInfo().is_sandboxed()) { | 
|  | DCHECK(frame_is_isolatable); | 
|  | } else if (frame_owner->GetSiteInstance() != GetSiteInstance()) { | 
|  | // If this host's SiteInstance isn't already marked as is_sandboxed | 
|  | // (with a frame owner), and yet the SiteInstance doesn't match that of | 
|  | // our parent/opener, then it is already isolated for some other reason | 
|  | // (cross-site, origin-keyed, etc.). | 
|  | frame_is_isolatable = false; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | if (frame_is_isolatable) | 
|  | oopsifs->insert(global_id); | 
|  | else | 
|  | oopsifs->erase(global_id); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::DidCommitNavigationInternal( | 
|  | std::unique_ptr<NavigationRequest> navigation_request, | 
|  | mojom::DidCommitProvisionalLoadParamsPtr params, | 
|  | mojom::DidCommitSameDocumentNavigationParamsPtr same_document_params, | 
|  | const base::TimeTicks& did_commit_ipc_received_time) { | 
|  | const bool is_same_document_navigation = !!same_document_params; | 
|  | // Sanity-check the page transition for frame type. Fenced Frames | 
|  | // will set page transition to AUTO_SUBFRAME. | 
|  | DCHECK_EQ(ui::PageTransitionIsMainFrame(params->transition), | 
|  | !GetParent() && !IsFencedFrameRoot()); | 
|  | if (navigation_request && | 
|  | navigation_request->commit_params().navigation_token != | 
|  | params->navigation_token) { | 
|  | // We should have the same navigation_token in CommitNavigationParams and | 
|  | // DidCommit's |params| for all navigations, because: | 
|  | // - Cross-document navigations use NavigationClient. | 
|  | // - Same-document navigations will have a null |navigation_request| | 
|  | //   here if the navigation_token doesn't match (checked in | 
|  | //   DidCommitSameDocumentNavigation). | 
|  | // TODO(crbug.com/40150370): Make this a CHECK instead once we're | 
|  | // sure we never hit this case. | 
|  | LogCannotCommitUrlCrashKeys(params->url, params->origin, | 
|  | is_same_document_navigation, | 
|  | navigation_request.get()); | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | } | 
|  |  | 
|  | // For same-document navigations, the committed origin and insecure-request | 
|  | // policy must be identical to the values that were already present in the | 
|  | // FrameTreeNode / RenderFrameHost before this commit. | 
|  | if (is_same_document_navigation && | 
|  | features::IsEnforceSameDocumentOriginInvariantsEnabled()) { | 
|  | if (params->insecure_request_policy != | 
|  | frame_tree_node_->current_replication_state().insecure_request_policy) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_SAME_DOC_INSECURE_REQUEST_POLICY_CHANGE); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (params->insecure_navigations_set != | 
|  | frame_tree_node_->current_replication_state() | 
|  | .insecure_navigations_set) { | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), bad_message::RFH_SAME_DOC_INSECURE_NAV_SET_CHANGE); | 
|  | return false; | 
|  | } | 
|  | } | 
|  |  | 
|  | // A matching NavigationRequest should have been found, unless in a few very | 
|  | // specific cases: | 
|  | // 1) This was a synchronous about:blank navigation triggered by browsing | 
|  | // context creation. | 
|  | // 2) This was a renderer-initiated same-document navigation. | 
|  | // In these cases, we will create a NavigationRequest by calling | 
|  | // CreateNavigationRequestForSynchronousRendererCommit() further down. | 
|  | // TODO(crbug.com/40150370): Make these navigation go through a | 
|  | // separate path that does not send | 
|  | // FrameHostMsg_DidCommitProvisionalLoad_Params at all. | 
|  | // TODO(crbug.com/40184245): Tighten the checks for case 1 so that only | 
|  | // the synchronous about:blank commit can actually go through (e.g. check | 
|  | // if the URL is exactly "about:blank", currently we allow any "about:" URL | 
|  | // except for "about:srcdoc"). | 
|  | const bool is_synchronous_about_blank_commit = | 
|  | IsInitialSynchronousAboutBlankCommit( | 
|  | params->url, frame_tree_node_->is_on_initial_empty_document()); | 
|  | if (!navigation_request && !is_synchronous_about_blank_commit && | 
|  | !is_same_document_navigation) { | 
|  | LogCannotCommitUrlCrashKeys(params->url, params->origin, | 
|  | is_same_document_navigation, | 
|  | navigation_request.get()); | 
|  |  | 
|  | bad_message::ReceivedBadMessage( | 
|  | GetProcess(), | 
|  | bad_message::RFH_NO_MATCHING_NAVIGATION_REQUEST_ON_COMMIT); | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Any opaque origin loaded with LoadDataWithBaseURL can bypass some of the | 
|  | // URL and origin validation checks in unlocked processes, including both the | 
|  | // original document and any about:blank frames that inherit the same origin. | 
|  | // | 
|  | // This is limited to opaque origins because (1) we don't want to grant this | 
|  | // exception to all pages from a non-opaque origin when LoadDataWithBaseURL is | 
|  | // used, and (2) there are no known cases where non-opaque origins fail the | 
|  | // CanCommitURL checks (unlike opaque origins for pseudoschemes, as seen in | 
|  | // https://crbug.com/326250356). | 
|  | // | 
|  | // A similar exemption is granted for file origins when WebView's | 
|  | // allow_universal_access_from_file_urls setting is enabled, in case that | 
|  | // setting is later disabled and then a previously-exempted URL is inherited | 
|  | // by a new same-origin document via document.open. | 
|  | // | 
|  | // TODO(crbug.com/40092527): Move these to UpdatePermissionsForNavigation | 
|  | // once origin can be reliably computed by NavigationRequest at commit time. | 
|  | if (navigation_request && navigation_request->IsLoadDataWithBaseURL() && | 
|  | params->origin.opaque() && | 
|  | !GetProcess()->GetProcessLock().is_locked_to_site()) { | 
|  | ChildProcessSecurityPolicyImpl::GetInstance() | 
|  | ->GrantOriginCheckExemptionForWebView(GetProcess()->GetDeprecatedID(), | 
|  | params->origin); | 
|  | // Log a crash key when LoadDataWithBaseURL is given an exemption, to help | 
|  | // diagnose any renderer kills that result from it. | 
|  | static auto* const crash_key = base::debug::AllocateCrashKeyString( | 
|  | "ever_had_loaddatawithbaseurl_exemption", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(crash_key, "true"); | 
|  | } | 
|  | if (GetOrCreateWebPreferences().allow_universal_access_from_file_urls && | 
|  | params->origin.scheme() == url::kFileScheme) { | 
|  | ChildProcessSecurityPolicyImpl::GetInstance() | 
|  | ->GrantOriginCheckExemptionForWebView(GetProcess()->GetDeprecatedID(), | 
|  | params->origin); | 
|  | // Log a crash key when universal access is given an exemption, to help | 
|  | // diagnose any renderer kills that result from it. | 
|  | static auto* const crash_key = base::debug::AllocateCrashKeyString( | 
|  | "ever_had_universal_access_exemption", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(crash_key, "true"); | 
|  | } | 
|  |  | 
|  | if (!ValidateDidCommitParams(navigation_request.get(), params.get(), | 
|  | is_same_document_navigation)) { | 
|  | if (navigation_request) { | 
|  | navigation_request->set_navigation_discard_reason( | 
|  | NavigationDiscardReason::kFailedSecurityCheck); | 
|  | } | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // NOTE: The navigation has committed in the renderer so it is safe | 
|  | // to pass ownership of the FrameSinkId to the new RFH. | 
|  | if (waiting_for_renderer_widget_creation_after_commit_) { | 
|  | RendererWidgetCreated(); | 
|  |  | 
|  | CHECK_NE(frame_tree_node_->current_frame_host(), this); | 
|  | auto* previous_rfh = | 
|  | frame_tree_node_->current_frame_host()->ShouldReuseCompositing( | 
|  | *GetSiteInstance()) | 
|  | ? frame_tree_node_->current_frame_host() | 
|  | : nullptr; | 
|  | CHECK(previous_rfh) << "Renderer widget creation is deferred only when " | 
|  | "we're reusing compositing"; | 
|  | previous_rfh->GetLocalRenderWidgetHost()->SetViewIsFrameSinkIdOwner(false); | 
|  | GetLocalRenderWidgetHost()->SetViewIsFrameSinkIdOwner(true); | 
|  | } | 
|  |  | 
|  | // TODO(clamy): We should stop having a special case for same-document | 
|  | // navigation and just put them in the general map of NavigationRequests. | 
|  | if (navigation_request && | 
|  | navigation_request->common_params().url != params->url && | 
|  | is_same_document_navigation) { | 
|  | same_document_navigation_requests_[navigation_request->commit_params() | 
|  | .navigation_token] = | 
|  | std::move(navigation_request); | 
|  | } | 
|  |  | 
|  | // Set is loading to true now if it has not been set yet. This happens for | 
|  | // renderer-initiated same-document navigations. It can also happen when a | 
|  | // racy DidStopLoading Mojo method resets the loading state that was set to | 
|  | // true in CommitNavigation. | 
|  | if (!is_loading()) { | 
|  | LoadingState previous_frame_tree_loading_state = | 
|  | frame_tree()->LoadingTree()->GetLoadingState(); | 
|  | loading_state_ = is_same_document_navigation | 
|  | ? LoadingState::LOADING_WITHOUT_UI | 
|  | : LoadingState::LOADING_UI_REQUESTED; | 
|  | // TODO(crbug.com/40252449): Explain why this is true. | 
|  | CHECK(owner_); | 
|  | owner_->DidStartLoading(previous_frame_tree_loading_state); | 
|  | } | 
|  |  | 
|  | if (navigation_request) | 
|  | was_discarded_ = navigation_request->commit_params().was_discarded; | 
|  |  | 
|  | if (navigation_request) { | 
|  | // If the navigation went through the browser before committing, it's | 
|  | // possible to calculate the referrer only using information known by the | 
|  | // browser. | 
|  | // TODO(crbug.com/40150370): Get rid of params->referrer completely. | 
|  | params->referrer = GetReferrerForDidCommitParams(navigation_request.get()); | 
|  | } else { | 
|  | // For renderer-initiated same-document navigations and the initial | 
|  | // about:blank navigation, the referrer policy shouldn't change. | 
|  | params->referrer->policy = policy_container_host_->referrer_policy(); | 
|  | } | 
|  |  | 
|  | if (!navigation_request) { | 
|  | // If there is no valid NavigationRequest corresponding to this commit, | 
|  | // create one in order to properly issue DidFinishNavigation calls to | 
|  | // WebContentsObservers. | 
|  | DCHECK(is_synchronous_about_blank_commit || is_same_document_navigation); | 
|  |  | 
|  | // Fill the redirect chain for the NavigationRequest. Since this is only for | 
|  | // initial empty commits or same-document navigation, we should just push | 
|  | // the client-redirect URL (if it is a client redirect) and the final URL. | 
|  | std::vector<GURL> redirects; | 
|  | if (is_same_document_navigation && | 
|  | same_document_params->is_client_redirect) { | 
|  | // If it is a same-document navigation, it might be a client redirect, in | 
|  | // which case we should put the previous URL at the front of the redirect | 
|  | // chain. | 
|  | redirects.push_back(GetLastCommittedURL()); | 
|  | } | 
|  | redirects.push_back(params->url); | 
|  |  | 
|  | // If this is a (renderer-initiated) same-document navigation, it might be | 
|  | // started by a transient activation. The only way to know this is from the | 
|  | // `started_with_transient_activation` value of `same_document_params` | 
|  | // (because we don't know anything about this navigation before DidCommit). | 
|  | bool started_with_transient_activation = | 
|  | (is_same_document_navigation && | 
|  | same_document_params->started_with_transient_activation); | 
|  |  | 
|  | // If this is a (renderer-initiated) same-document navigation, the renderer | 
|  | // will tell us whether the navigation should replace the current entry or | 
|  | // not. Otherwise, this must be a synchronously committed about:blank, which | 
|  | // should always do replacement. | 
|  | bool should_replace_current_entry = | 
|  | is_same_document_navigation | 
|  | ? same_document_params->should_replace_current_entry | 
|  | : true; | 
|  |  | 
|  | // TODO(crbug.com/40150370): Do not use |params| to get the values, | 
|  | // depend on values known at commit time instead. | 
|  | // TODO(crbug.com/409589669): `actual_navigation_start` should be set to an | 
|  | // earlier timestamp from the renderer process, rather than the time that | 
|  | // the renderer process begins the commit. | 
|  | navigation_request = CreateNavigationRequestForSynchronousRendererCommit( | 
|  | params->url, params->origin, params->initiator_base_url, | 
|  | params->referrer.Clone(), params->transition, | 
|  | should_replace_current_entry, started_with_transient_activation, | 
|  | redirects, params->url, is_same_document_navigation, | 
|  | same_document_params && | 
|  | same_document_params->same_document_navigation_type == | 
|  | blink::mojom::SameDocumentNavigationType::kHistoryApi, | 
|  | /*actual_navigation_start=*/params->commit_navigation_start); | 
|  |  | 
|  | // Add the origin from this navigation to the list of committed origins. In | 
|  | // the common case, this is done in UpdatePermissionsForNavigation() at | 
|  | // ready-to-commit time. However, synchronous renderer commits do not go | 
|  | // through that flow, and it is possible that they legitimately introduce a | 
|  | // new origin into a renderer process. Namely, this happens when adding a | 
|  | // sandboxed about:blank frame, where the browser process will only hear | 
|  | // about the new opaque origin here. | 
|  | // | 
|  | // Note that `params.origin` is safe to add since it's already been | 
|  | // validated in ValidateDidCommitParams() above prior to getting here. | 
|  | if (is_synchronous_about_blank_commit) { | 
|  | ChildProcessSecurityPolicyImpl::GetInstance()->AddCommittedOrigin( | 
|  | GetProcess()->GetDeprecatedID(), params->origin); | 
|  | } | 
|  | } | 
|  |  | 
|  | DCHECK(navigation_request); | 
|  | DCHECK(navigation_request->IsNavigationStarted()); | 
|  | VerifyThatBrowserAndRendererCalculatedDidCommitParamsMatch( | 
|  | navigation_request.get(), *params, same_document_params.Clone()); | 
|  |  | 
|  | // Update the page transition. For subframe navigations, the renderer process | 
|  | // only gives the correct page transition at commit time. | 
|  | // TODO(clamy): We should get the correct page transition when starting the | 
|  | // request. | 
|  | navigation_request->set_transition(params->transition); | 
|  |  | 
|  | SetLastCommittedSiteInfo(navigation_request->DidEncounterError() | 
|  | ? UrlInfo() | 
|  | : navigation_request->GetUrlInfo()); | 
|  |  | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // The NIK might change after this, so decrement the count for the current | 
|  | // NIK. | 
|  | GetStoragePartition()->DecrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  |  | 
|  | isolation_info_ = navigation_request->isolation_info_for_subresources(); | 
|  |  | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kActive) { | 
|  | // The NIK might have changed after the above call, so increment the count | 
|  | // for the new NIK. | 
|  | GetStoragePartition()->IncrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  |  | 
|  | // Navigations in the same document and page activations do not create a new | 
|  | // document. | 
|  | bool created_new_document = | 
|  | !is_same_document_navigation && !navigation_request->IsPageActivation(); | 
|  |  | 
|  | // TODO(crbug.com/40615943): Remove this after we have RenderDocument. | 
|  | // IsWaitingToCommit can be false inside DidCommitNavigationInternal only in | 
|  | // specific circumstances listed above, and specifically for the fake | 
|  | // initial navigations triggered by the blank window.open() and creating a | 
|  | // blank iframe. In that case we do not want to reset the per-document | 
|  | // states as we are not really creating a new Document and we want to | 
|  | // preserve the states set by WebContentsCreated delegate notification | 
|  | // (which among other things create tab helpers) or RenderFrameCreated. | 
|  | bool navigated_to_new_document = | 
|  | created_new_document && navigation_request->IsWaitingToCommit(); | 
|  |  | 
|  | if (navigated_to_new_document) { | 
|  | TRACE_EVENT("content", "DidCommitProvisionalLoad_StateResetForNewDocument", | 
|  | ChromeTrackEvent::kRenderFrameHost, this); | 
|  |  | 
|  | last_committed_cross_document_navigation_id_ = | 
|  | navigation_request->GetNavigationId(); | 
|  |  | 
|  | if (ShouldResetDocumentAssociatedDataAtCommit()) { | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | // The old Reporting API configuration is no longer valid, as a new | 
|  | // document is being loaded into the frame. Inform the network service | 
|  | // of this, so that it can send any queued reports and mark the source | 
|  | // as expired. | 
|  | GetStoragePartition()->GetNetworkContext()->SendReportsAndRemoveSource( | 
|  | GetReportingSource()); | 
|  |  | 
|  | // Clear all document-associated data for the non-pending commit | 
|  | // RenderFrameHosts because the navigation has created a new document. | 
|  | // Make sure the data doesn't get cleared for the cases when the | 
|  | // RenderFrameHost commits before the navigation commits. This happens | 
|  | // when the current RenderFrameHost crashes before navigating to a new | 
|  | // URL. | 
|  | document_associated_data_.emplace(*this, | 
|  | navigation_request->GetDocumentToken()); | 
|  | } else { | 
|  | // Cross-RenderFrameHost navigations that commit into a speculative | 
|  | // RenderFrameHost do not create a new DocumentAssociatedData. Ensure that | 
|  | // the NavigationRequest was populated with the correct DocumentToken to | 
|  | // avoid a mismatched token between the browser and the renderer. | 
|  | CHECK_EQ(document_associated_data_->token(), | 
|  | navigation_request->GetDocumentToken()); | 
|  | } | 
|  |  | 
|  | document_associated_data_->set_navigation_confidence( | 
|  | navigation_request->navigation_confidence()); | 
|  | document_associated_data_->set_devtools_navigation_token( | 
|  | navigation_request->devtools_navigation_token()); | 
|  |  | 
|  | // Stores fetch keepalive FactoryContext created before committing into | 
|  | // document-associated data, such that it can be referenced later when | 
|  | // DevTools tries to intercepts requests. | 
|  | document_associated_data_->set_keep_alive_url_loader_factory_context( | 
|  | navigation_request->keep_alive_url_loader_factory_context()); | 
|  |  | 
|  | const std::optional<FencedFrameProperties>& fenced_frame_properties = | 
|  | navigation_request->ComputeFencedFrameProperties(); | 
|  | // On navigations of fenced frame/urn iframe roots initiated within the | 
|  | // fenced frame/urn iframe tree, store document-scoped and page-scoped | 
|  | // metadata again. | 
|  | // TODO(crbug.com/40233168): Remove this metadata, and access the metadata | 
|  | // directly in the FencedFrameProperties. | 
|  | if (fenced_frame_properties && | 
|  | (frame_tree_node()->IsFencedFrameRoot() || | 
|  | !frame_tree_node()->IsInFencedFrameTree())) { | 
|  | if (fenced_frame_properties->nested_urn_config_pairs().has_value()) { | 
|  | // Store nested ad components in the fenced frame's url map. | 
|  | // This may only be done after creating the DocumentAssociatedData for | 
|  | // the new document, if appropriate, since `fenced_frame_urls_map` hangs | 
|  | // off of that. In urn iframes, unlike in fenced frames, navigations of | 
|  | // the urn iframe root don't create a new Page (because the root of the | 
|  | // Page is the top-level frame). So this operation is a no-op. | 
|  | GetPage().fenced_frame_urls_map().ImportPendingAdComponents( | 
|  | fenced_frame_properties->nested_urn_config_pairs() | 
|  | ->GetValueIgnoringVisibility()); | 
|  | } | 
|  |  | 
|  | if (fenced_frame_properties->ad_auction_data().has_value()) { | 
|  | AdAuctionDocumentData::CreateForCurrentDocument( | 
|  | this, | 
|  | fenced_frame_properties->ad_auction_data() | 
|  | ->GetValueIgnoringVisibility() | 
|  | .interest_group_owner, | 
|  | fenced_frame_properties->ad_auction_data() | 
|  | ->GetValueIgnoringVisibility() | 
|  | .interest_group_name); | 
|  | } | 
|  | } | 
|  |  | 
|  | // Continue observing the events for the committed navigation. | 
|  | // This is intended to receive delayed IPC calls. If `navigation_request` | 
|  | // still has a valid receiver, `this` will receive delayed IPC calls from | 
|  | // the network service. When the remote interface in the network service is | 
|  | // destructed, `mojo::ReceiverSet` automatically removes the receiver. | 
|  | for (auto& [receiver, source] : navigation_request->TakeCookieObservers()) { | 
|  | cookie_observers_.Add(std::move(receiver), source); | 
|  | } | 
|  | for (auto& receiver : navigation_request->TakeTrustTokenObservers()) { | 
|  | trust_token_observers_.Add(this, std::move(receiver)); | 
|  | } | 
|  | for (auto& receiver : | 
|  | navigation_request->TakeSharedDictionaryAccessObservers()) { | 
|  | shared_dictionary_observers_.Add(this, std::move(receiver)); | 
|  | } | 
|  | for (auto& receiver : | 
|  | navigation_request->TakeDeviceBoundSessionAccessObservers()) { | 
|  | device_bound_session_observers_.Add(this, std::move(receiver)); | 
|  | } | 
|  |  | 
|  | // Resets when navigating to a new document. This is needed because | 
|  | // RenderFrameHost might be reused for a new document | 
|  | document_used_web_otp_ = false; | 
|  |  | 
|  | // Get the UKM source id sent to the renderer. | 
|  | const ukm::SourceId document_ukm_source_id = | 
|  | navigation_request->commit_params().document_ukm_source_id; | 
|  |  | 
|  | ukm::UkmRecorder* ukm_recorder = ukm::UkmRecorder::Get(); | 
|  |  | 
|  | // Associate the blink::Document source id to the URL. Only URLs on primary | 
|  | // main frames can be recorded. | 
|  | // TODO(crbug.com/40195952): For prerendering pages, record the source url | 
|  | // after activation. | 
|  | if (navigation_request->IsInPrimaryMainFrame() && | 
|  | document_ukm_source_id != ukm::kInvalidSourceId) { | 
|  | ukm_recorder->UpdateSourceURL(document_ukm_source_id, params->url); | 
|  | } | 
|  | RecordDocumentCreatedUkmEvent(params->origin, document_ukm_source_id, | 
|  | ukm_recorder); | 
|  |  | 
|  | // We only replace the `CookieChangeListener` and | 
|  | // `DeviceBoundSessionObserver` with the one initialized by the | 
|  | // navigation request when navigating to a new document. Otherwise, | 
|  | // the existing observers will be reused. | 
|  | cookie_change_listener_ = navigation_request->TakeCookieChangeListener(); | 
|  | device_bound_session_observer_ = | 
|  | navigation_request->TakeDeviceBoundSessionObserver(); | 
|  | } | 
|  |  | 
|  | // Note: The renderer never sets |params->is_overriding_user_agent| to true | 
|  | // for subframes, even if the value was set to true in CommitParams in the | 
|  | // browser process. | 
|  | if (!is_same_document_navigation) { | 
|  | DCHECK_EQ(navigation_request->is_overriding_user_agent() && is_main_frame(), | 
|  | params->is_overriding_user_agent); | 
|  | if (navigation_request->IsPrerenderedPageActivation()) { | 
|  | // Set the NavigationStart time for | 
|  | // PerformanceNavigationTiming.activationStart. | 
|  | // https://wicg.github.io/nav-speculation/prerendering.html#performance-navigation-timing-extension | 
|  | GetPage().SetActivationStartTime(navigation_request->NavigationStart()); | 
|  | } | 
|  |  | 
|  | } else { | 
|  | DCHECK_EQ(is_main_frame() && GetPage().is_overriding_user_agent(), | 
|  | params->is_overriding_user_agent); | 
|  | } | 
|  |  | 
|  | if (is_main_frame()) { | 
|  | document_associated_data_->owned_page()->set_last_main_document_source_id( | 
|  | ukm::ConvertToSourceId(navigation_request->GetNavigationId(), | 
|  | ukm::SourceIdType::NAVIGATION_ID)); | 
|  | } | 
|  |  | 
|  | if (is_same_document_navigation) { | 
|  | NavigationTransitionUtils::SetSameDocumentNavigationEntryScreenshotToken( | 
|  | *(navigation_request.get()), | 
|  | same_document_params->navigation_entry_screenshot_destination); | 
|  | } | 
|  |  | 
|  | // The navigation entry ID isn't updated until the call to DidNavigate(), so | 
|  | // this call to UpdateState() will target the previous navigation entry. | 
|  | if (params->previous_page_state.has_value()) { | 
|  | UpdateState(params->previous_page_state.value()); | 
|  | } | 
|  |  | 
|  | // Grab the navigation's timestamps and ukm builder for recording metrics at | 
|  | // the end of this function, since the NavigationRequest will be destroyed in | 
|  | // the DidNavigate call below. | 
|  | auto navigation_timeline = | 
|  | navigation_request->GenerateNavigationTimelineForMetrics( | 
|  | *params, did_commit_ipc_received_time); | 
|  | auto navigation_ukm_builder = | 
|  | navigation_request->GetNavigationTimelineUkmBuilder(); | 
|  |  | 
|  | // TODO(crbug.com/40150370): Do not pass |params| to DidNavigate(). | 
|  | NavigationRequest* raw_navigation_request = navigation_request.get(); | 
|  | raw_navigation_request->frame_tree_node()->navigator().DidNavigate( | 
|  | this, *params, std::move(navigation_request), | 
|  | is_same_document_navigation); | 
|  |  | 
|  | // Run any deferred shared storage operations from response headers now that | 
|  | // commit has occurred. | 
|  | while (!deferred_shared_storage_header_callbacks_.empty()) { | 
|  | std::move(deferred_shared_storage_header_callbacks_.front()) | 
|  | .Run(GetNavigationOrDocumentHandle().get()); | 
|  | deferred_shared_storage_header_callbacks_.pop_front(); | 
|  | } | 
|  |  | 
|  | // Reset back the state to false after navigation commits. | 
|  | // TODO(crbug.com/40052076): Undo this plumbing after removing the | 
|  | // early post-crash CommitPending() call. | 
|  | committed_speculative_rfh_before_navigation_commit_ = false; | 
|  |  | 
|  | // Store the Commit params so they can be reused if the page is ever | 
|  | // restored from the BackForwardCache or a Prerender2 page is activated. | 
|  | if (IsOutermostMainFrame()) { | 
|  | GetPage().SetLastCommitParams(std::move(params)); | 
|  | } | 
|  |  | 
|  | navigation_timeline.MarkFinish(); | 
|  |  | 
|  | // Record navigation trace events and annotate them with the committed URL, | 
|  | // rather than the initial URL. | 
|  | RecordNavigationTraceEventsAndMetrics( | 
|  | navigation_timeline, GetLastCommittedURL(), IsInPrimaryMainFrame(), | 
|  | is_same_document_navigation, navigation_ukm_builder); | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldResetDocumentAssociatedDataAtCommit() const { | 
|  | return lifecycle_state() != LifecycleStateImpl::kPendingCommit && | 
|  | !committed_speculative_rfh_before_navigation_commit_; | 
|  | } | 
|  |  | 
|  | // TODO(arthursonzogni): Investigate what must be done when | 
|  | // navigation_request->IsWaitingToCommit() is false here. | 
|  | void RenderFrameHostImpl::DidCommitNewDocument( | 
|  | const mojom::DidCommitProvisionalLoadParams& params, | 
|  | NavigationRequest* navigation_request) { | 
|  | // Navigations in the same document and page activations do not create a new | 
|  | // document. | 
|  | DCHECK(!navigation_request->IsSameDocument()); | 
|  | DCHECK(!navigation_request->IsPageActivation()); | 
|  |  | 
|  | const GURL& request_url = navigation_request->common_params().url; | 
|  | if (request_url.IsAboutBlank() || request_url.IsAboutSrcdoc()) { | 
|  | const std::optional<::GURL>& initiator_base_url = | 
|  | navigation_request->common_params().initiator_base_url; | 
|  | SetInheritedBaseUrl(initiator_base_url ? initiator_base_url.value() | 
|  | : GURL()); | 
|  | } else { | 
|  | SetInheritedBaseUrl(GURL()); | 
|  | } | 
|  |  | 
|  | navigation_id_ = navigation_request->GetNavigationId(); | 
|  |  | 
|  | // When the embedder navigates a fenced frame root, the navigation | 
|  | // stores a new set of fenced frame properties. | 
|  | // (Embedder-initiated fenced frame root navigation  will necessarily create | 
|  | // a new document.) | 
|  | // This must be done before `ResetPermissionsPolicy()` below, which looks up | 
|  | // the stored fenced frame properties. | 
|  | if (navigation_request->GetFencedFrameProperties()) { | 
|  | frame_tree_node()->set_fenced_frame_properties( | 
|  | navigation_request->GetFencedFrameProperties()); | 
|  | } | 
|  |  | 
|  | ResetPermissionsPolicy(params.permissions_policy_header); | 
|  |  | 
|  | permissions_policy_header_ = params.permissions_policy_header; | 
|  | document_policy_ = blink::DocumentPolicy::CreateWithHeaderPolicy({ | 
|  | params.document_policy_header,  // document_policy_header | 
|  | {},                             // endpoint_map | 
|  | }); | 
|  |  | 
|  | // Since we're changing documents, we should reset the event handler | 
|  | // trackers. | 
|  | has_before_unload_handler_ = false; | 
|  | has_unload_handler_ = false; | 
|  | has_pagehide_handler_ = false; | 
|  | has_visibilitychange_handler_ = false; | 
|  |  | 
|  | has_navigate_event_handler_ = false; | 
|  |  | 
|  | DCHECK(params.embedding_token.has_value()); | 
|  | SetEmbeddingToken(params.embedding_token.value()); | 
|  |  | 
|  | renderer_reported_bfcache_blocking_details_.clear(); | 
|  | browser_reported_bfcache_disabling_features_counts_.clear(); | 
|  | holding_blocking_idb_lock_count_ = 0; | 
|  |  | 
|  | TakeNewDocumentPropertiesFromNavigation(navigation_request); | 
|  |  | 
|  | // Set embedded documents' cross-origin-opener-policy from their top level: | 
|  | //  - Use top level's policy if they are same-origin. | 
|  | //  - Use the default policy otherwise. | 
|  | // This COOP value is not used to enforce anything on this frame, but will be | 
|  | // inherited to every local-scheme document created from them. | 
|  | // It will also be inherited by the initial empty document from its opener. | 
|  |  | 
|  | // TODO(crbug.com/40092527) Computing and assigning the | 
|  | // cross-origin-opener-policy of an embedded frame should be done in | 
|  | // |NavigationRequest::ComputePoliciesToCommit| , but this is not currently | 
|  | // possible because we need the origin for the computation. The linked bug | 
|  | // moves the origin computation earlier in the navigation request, which will | 
|  | // enable the move to |NavigationRequest::ComputePoliciesToCommit|. | 
|  | if (parent_) { | 
|  | const network::CrossOriginOpenerPolicy& top_level_coop = | 
|  | GetMainFrame()->cross_origin_opener_policy(); | 
|  | if (GetMainFrame()->GetLastCommittedOrigin().IsSameOriginWith( | 
|  | params.origin)) { | 
|  | policy_container_host_->set_cross_origin_opener_policy(top_level_coop); | 
|  | } else { | 
|  | policy_container_host_->set_cross_origin_opener_policy( | 
|  | network::CrossOriginOpenerPolicy()); | 
|  | } | 
|  | } | 
|  |  | 
|  | CrossOriginOpenerPolicyAccessReportManager::InstallAccessMonitorsIfNeeded( | 
|  | navigation_request->frame_tree_node()); | 
|  |  | 
|  | // Reset the salt so that media device IDs are reset for the new document | 
|  | // if necessary. | 
|  | media_device_id_salt_base_ = CreateRandomMediaDeviceIDSalt(); | 
|  |  | 
|  | UpdateIsolatableSandboxedIframeTracking(navigation_request); | 
|  |  | 
|  | if (IsInPrimaryMainFrame() && !navigation_request->IsRestore() && | 
|  | !navigation_request->IsReload()) { | 
|  | bool has_match = GetBackForwardCache().HasPotentiallyMatchingEntry( | 
|  | *this, navigation_request->GetInitiatorOrigin(), | 
|  | /*require_no_subframes=*/false); | 
|  | if (navigation_request->IsHistory()) { | 
|  | base::UmaHistogramBoolean("BackForwardCache.HistoryNavHasPotentialMatch", | 
|  | has_match); | 
|  | } else { | 
|  | base::UmaHistogramBoolean("BackForwardCache.NewPageNavHasPotentialMatch", | 
|  | has_match); | 
|  |  | 
|  | base::UmaHistogramBoolean( | 
|  | "BackForwardCache.NewPageNavHasPotentialMatchWithNoSubframes", | 
|  | GetBackForwardCache().HasPotentiallyMatchingEntry( | 
|  | *this, navigation_request->GetInitiatorOrigin(), | 
|  | /*require_no_subframes=*/true)); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | // TODO(arthursonzogni): Below, many NavigationRequest's objects are passed from | 
|  | // the navigation to the new document. Consider grouping them in a single | 
|  | // struct. | 
|  | void RenderFrameHostImpl::TakeNewDocumentPropertiesFromNavigation( | 
|  | NavigationRequest* navigation_request) { | 
|  | // It should be kept in sync with the check in | 
|  | // NavigationRequest::DidCommitNavigation. | 
|  | is_error_document_ = navigation_request->DidEncounterError(); | 
|  | // Overwrite reporter's reporting source with rfh's reporting source. | 
|  | std::unique_ptr<CrossOriginOpenerPolicyReporter> coop_reporter = | 
|  | navigation_request->coop_status().TakeCoopReporter(); | 
|  | if (coop_reporter) | 
|  | coop_reporter->set_reporting_source(GetReportingSource()); | 
|  | SetCrossOriginOpenerPolicyReporter(std::move(coop_reporter)); | 
|  | virtual_browsing_context_group_ = | 
|  | navigation_request->coop_status().virtual_browsing_context_group(); | 
|  | soap_by_default_virtual_browsing_context_group_ = | 
|  | navigation_request->coop_status() | 
|  | .soap_by_default_virtual_browsing_context_group(); | 
|  |  | 
|  | // Store the required CSP (it will be used by the AncestorThrottle if | 
|  | // this frame embeds a subframe when that subframe navigates). | 
|  | required_csp_ = navigation_request->TakeRequiredCSP(); | 
|  |  | 
|  | // After commit, the browser process's access of the features' state becomes | 
|  | // read-only. (i.e. It can only get feature state, not set) | 
|  | if (RuntimeFeatureStateDocumentData::GetForCurrentDocument(this)) { | 
|  | // There ideally shouldn't be any existing DocumentData for this | 
|  | // RenderFrameHost because we haven't finished committing yet. However, | 
|  | // there might be if the renderer attempted to apply a header OT token | 
|  | // (which isn't supported), when that occurs we create an empty, "dummy", | 
|  | // DocumentData to avoid crashing. Now that the real DocumentData is ready | 
|  | // we should delete the "dummy" DocumentData. See | 
|  | // `OriginTrialStateHostImpl::ApplyFeatureDiffForOriginTrial()` for when the | 
|  | // "dummy" is created. | 
|  | RuntimeFeatureStateDocumentData::DeleteForCurrentDocument(this); | 
|  | } | 
|  | RuntimeFeatureStateDocumentData::CreateForCurrentDocument( | 
|  | this, navigation_request->GetRuntimeFeatureStateContext()); | 
|  |  | 
|  | // TODO(crbug.com/40092527): Once we are able to compute the origin to | 
|  | // commit in the browser, `navigation_request->commit_params().storage_key` | 
|  | // will contain the correct origin and it won't be necessary to override it | 
|  | // with `param.origin` anymore. | 
|  | const blink::StorageKey& provisional_storage_key = | 
|  | navigation_request->commit_params().storage_key; | 
|  |  | 
|  | url::Origin origin = GetLastCommittedOrigin(); | 
|  | blink::StorageKey storage_key_to_commit = CalculateStorageKey( | 
|  | origin, base::OptionalToPtr(provisional_storage_key.nonce())); | 
|  | SetStorageKey(storage_key_to_commit); | 
|  |  | 
|  | coep_reporter_ = navigation_request->TakeCoepReporter(); | 
|  |  | 
|  | if (coep_reporter_) { | 
|  | // Set coep reporter to the document reporting source. | 
|  | coep_reporter_->set_reporting_source(GetReportingSource()); | 
|  | mojo::PendingRemote<blink::mojom::ReportingObserver> remote; | 
|  | mojo::PendingReceiver<blink::mojom::ReportingObserver> receiver = | 
|  | remote.InitWithNewPipeAndPassReceiver(); | 
|  | coep_reporter_->BindObserver(std::move(remote)); | 
|  | // As some tests override the associated frame after commit, do not | 
|  | // call GetAssociatedLocalFrame now. | 
|  | base::SingleThreadTaskRunner::GetCurrentDefault()->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce(&RenderFrameHostImpl::BindReportingObserver, | 
|  | weak_ptr_factory_.GetWeakPtr(), std::move(receiver))); | 
|  | } | 
|  |  | 
|  | dip_reporter_ = navigation_request->TakeDipReporter(); | 
|  |  | 
|  | if (dip_reporter_) { | 
|  | mojo::PendingRemote<blink::mojom::ReportingObserver> remote; | 
|  | mojo::PendingReceiver<blink::mojom::ReportingObserver> receiver = | 
|  | remote.InitWithNewPipeAndPassReceiver(); | 
|  | dip_reporter_->BindObserver(std::move(remote)); | 
|  | // As some tests override the associated frame after commit, do not | 
|  | // call GetAssociatedLocalFrame now. | 
|  | base::SingleThreadTaskRunner::GetCurrentDefault()->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce(&RenderFrameHostImpl::BindReportingObserver, | 
|  | weak_ptr_factory_.GetWeakPtr(), std::move(receiver))); | 
|  | } | 
|  |  | 
|  | // Set the state whether this navigation is to an MHTML document, since there | 
|  | // are certain security checks that we cannot apply to subframes in MHTML | 
|  | // documents. Do not trust renderer data when determining that, rather use | 
|  | // the |navigation_request|, which was generated and stays browser side. | 
|  | is_mhtml_document_ = navigation_request->IsWaitingToCommit() && | 
|  | navigation_request->IsMhtmlOrSubframe(); | 
|  |  | 
|  | if (is_main_frame() && navigation_request->is_overriding_user_agent()) { | 
|  | GetPage().set_is_overriding_user_agent(true); | 
|  | } | 
|  |  | 
|  | reload_type_ = navigation_request->GetReloadType(); | 
|  |  | 
|  | // Mark whether the navigation was intended as a loadDataWithBaseURL or not. | 
|  | // If |renderer_url_info_.was_loaded_from_load_data_with_base_url| is true, we | 
|  | // will bypass checks in VerifyDidCommitParams for same-document navigations | 
|  | // in the loaded document. | 
|  | renderer_url_info_.was_loaded_from_load_data_with_base_url = | 
|  | navigation_request->IsLoadDataWithBaseURL(); | 
|  |  | 
|  | // Transfer ownership of PeakGpuMemoryTracker to Page. It will eventually be | 
|  | // destroyed after the page finishes loading. | 
|  | if (IsInPrimaryMainFrame()) { | 
|  | GetPage().TakeLoadingMemoryTracker(navigation_request); | 
|  | } | 
|  |  | 
|  | early_hints_manager_ = navigation_request->TakeEarlyHintsManager(); | 
|  |  | 
|  | // Only take some properties if this is not the synchronous initial | 
|  | // `about:blank` navigation, because the values set at construction time | 
|  | // should remain unmodified. | 
|  | if (!navigation_request->IsWaitingToCommit()) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | private_network_request_policy_ = | 
|  | navigation_request->private_network_request_policy(); | 
|  |  | 
|  | reporting_endpoints_.clear(); | 
|  | DCHECK(navigation_request); | 
|  |  | 
|  | // Reporting API: If a Reporting-Endpoints header was received with this | 
|  | // document over secure connection, send it to the network service to | 
|  | // configure the endpoints in the reporting cache. | 
|  | if (GURL::SchemeIsCryptographic(origin.scheme()) && | 
|  | navigation_request->response() && | 
|  | navigation_request->response()->parsed_headers->reporting_endpoints) { | 
|  | base::flat_map<std::string, std::string> endpoints = | 
|  | navigation_request->response() | 
|  | ->parsed_headers->reporting_endpoints.value(); | 
|  | if (base::FeatureList::IsEnabled( | 
|  | blink::features::kOverrideCrashReportingEndpoint) && | 
|  | endpoints.find(kCrashReportingGroupName) != endpoints.end()) { | 
|  | crash_reporting_group_ = kCrashReportingGroupName; | 
|  | } | 
|  | GetStoragePartition()->GetNetworkContext()->SetDocumentReportingEndpoints( | 
|  | GetReportingSource(), origin, isolation_info_, endpoints); | 
|  | } | 
|  |  | 
|  | // We move the PolicyContainerHost of |navigation_request| into the | 
|  | // RenderFrameHost unless this is the initial, "fake" navigation to | 
|  | // about:blank (because otherwise we would overwrite the PolicyContainerHost | 
|  | // of the new document, inherited at RenderFrameHost creation time, with an | 
|  | // empty PolicyContainerHost). | 
|  | SetPolicyContainerHost(navigation_request->TakePolicyContainerHost()); | 
|  |  | 
|  | if (navigation_request->response()) | 
|  | last_response_head_ = navigation_request->response()->Clone(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnSameDocumentCommitProcessed( | 
|  | const base::UnguessableToken& navigation_token, | 
|  | bool should_replace_current_entry, | 
|  | blink::mojom::CommitResult result) { | 
|  | auto request = same_document_navigation_requests_.find(navigation_token); | 
|  | if (request == same_document_navigation_requests_.end()) { | 
|  | // OnSameDocumentCommitProcessed will be called after DidCommitNavigation on | 
|  | // successfull same-document commits, so |request| should already be deleted | 
|  | // by the time we got here. | 
|  | DCHECK_EQ(result, blink::mojom::CommitResult::Ok); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (result == blink::mojom::CommitResult::RestartCrossDocument) { | 
|  | // The navigation could not be committed as a same-document navigation. | 
|  | // Restart the navigation cross-document. | 
|  | // TODO(crbug.com/40252449): Explain why `owner_` exists. | 
|  | CHECK(owner_); | 
|  | owner_->RestartNavigationAsCrossDocument(std::move(request->second)); | 
|  | same_document_navigation_requests_.erase(navigation_token); | 
|  | return; | 
|  | } | 
|  |  | 
|  | DCHECK_EQ(result, blink::mojom::CommitResult::Aborted); | 
|  | // Note: if the commit was successful, the NavigationRequest is moved in | 
|  | // DidCommitSameDocumentNavigation. | 
|  | request->second->set_navigation_discard_reason( | 
|  | NavigationDiscardReason::kInternalCancellation); | 
|  | request->second->set_error_navigation_trigger( | 
|  | ErrorNavigationTrigger::kSameDocumentCommitAborted); | 
|  | // If the pending_navigation_api_key is set, the NavigationRequest destructor | 
|  | // will notify the renderer of the cancellation. There's no need - the | 
|  | // renderer itself cancelled the navigation and already did its own cleanup. | 
|  | request->second->set_pending_navigation_api_key(std::nullopt); | 
|  | same_document_navigation_requests_.erase(navigation_token); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeGenerateCrashReport( | 
|  | base::TerminationStatus status, | 
|  | int exit_code) { | 
|  | if (!last_committed_url_.SchemeIsHTTPOrHTTPS()) | 
|  | return; | 
|  |  | 
|  | // Only generate reports for local root frames that are in a different | 
|  | // process than their parent. | 
|  | if (!is_main_frame() && !IsCrossProcessSubframe()) | 
|  | return; | 
|  | DCHECK(is_local_root()); | 
|  |  | 
|  | // Check the termination status to see if a crash occurred (and potentially | 
|  | // determine the |reason| for the crash). | 
|  | std::string reason; | 
|  | switch (status) { | 
|  | case base::TERMINATION_STATUS_ABNORMAL_TERMINATION: | 
|  | break; | 
|  | case base::TERMINATION_STATUS_PROCESS_CRASHED: | 
|  | if (exit_code == RESULT_CODE_HUNG) | 
|  | reason = "unresponsive"; | 
|  | break; | 
|  | case base::TERMINATION_STATUS_PROCESS_WAS_KILLED: | 
|  | if (exit_code == RESULT_CODE_HUNG) | 
|  | reason = "unresponsive"; | 
|  | else | 
|  | return; | 
|  | break; | 
|  | case base::TERMINATION_STATUS_OOM: | 
|  | #if BUILDFLAG(IS_CHROMEOS) | 
|  | case base::TERMINATION_STATUS_PROCESS_WAS_KILLED_BY_OOM: | 
|  | #endif | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | case base::TERMINATION_STATUS_OOM_PROTECTED: | 
|  | #endif | 
|  | reason = "oom"; | 
|  | break; | 
|  | default: | 
|  | // Other termination statuses do not indicate a crash. | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Construct the crash report. | 
|  | base::Value::Dict body; | 
|  | if (base::FeatureList::IsEnabled( | 
|  | blink::features::kCrashReportingAPIMoreContextData)) { | 
|  | body.Set("is_top_level", IsOutermostMainFrame() ? true : false); | 
|  | body.Set("visibility_state", | 
|  | GetVisibilityState() == PageVisibilityState::kVisible ? "visible" | 
|  | : "hidden"); | 
|  | } | 
|  |  | 
|  | for (const auto& pair : crash_storage_map_) { | 
|  | body.Set(pair.first, pair.second); | 
|  | } | 
|  |  | 
|  | if (!reason.empty()) { | 
|  | body.Set("reason", reason); | 
|  | } | 
|  |  | 
|  | if (reason == "unresponsive" && | 
|  | base::FeatureList::IsEnabled( | 
|  | blink::features::kDocumentPolicyIncludeJSCallStacksInCrashReports)) { | 
|  | RenderProcessHostImpl* rph = | 
|  | static_cast<RenderProcessHostImpl*>(GetProcess()); | 
|  | const std::string& unresponsive_document_javascript_call_stack = | 
|  | rph->GetUnresponsiveDocumentJavascriptCallStack(); | 
|  | const blink::LocalFrameToken& unresponsive_document_token = | 
|  | rph->GetUnresponsiveDocumentToken(); | 
|  |  | 
|  | if (!unresponsive_document_javascript_call_stack.empty()) { | 
|  | if (unresponsive_document_token == GetFrameToken()) { | 
|  | body.Set("stack", unresponsive_document_javascript_call_stack); | 
|  | } else { | 
|  | body.Set("stack", "Unable to collect JS call stack."); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | // Send the crash report to the Reporting API. | 
|  | GetProcess()->GetStoragePartition()->GetNetworkContext()->QueueReport( | 
|  | /*type=*/"crash", crash_reporting_group_, last_committed_url_, | 
|  | GetReportingSource(), isolation_info_.network_anonymization_key(), | 
|  | std::move(body)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateOrDisableCompositorMetricRecorder() const { | 
|  | if (RenderWidgetHostImpl* rwh = GetLocalRenderWidgetHost()) { | 
|  | if (rwh->compositor_metric_recorder()) { | 
|  | if (lifecycle_state() == LifecycleStateImpl::kPendingCommit) { | 
|  | // The navigation commits in a new RenderFrameHost with a new | 
|  | // RenderWidgetHost. Log the time when the commit happens to record | 
|  | // compositor-related metrics. | 
|  | rwh->compositor_metric_recorder()->DidStartNavigationCommit(); | 
|  | } else { | 
|  | // The navigation commits in a pre-existing RenderFrameHost. Make sure | 
|  | // that it won't record compositor-related metrics, since it's intended | 
|  | // to be recorded for navigations with a new RenderFrameHost. | 
|  | rwh->DisableCompositorMetricRecording(); | 
|  | } | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendCommitNavigation( | 
|  | mojom::NavigationClient* navigation_client, | 
|  | NavigationRequest* navigation_request, | 
|  | blink::mojom::CommonNavigationParamsPtr common_params, | 
|  | blink::mojom::CommitNavigationParamsPtr commit_params, | 
|  | network::mojom::URLResponseHeadPtr response_head, | 
|  | mojo::ScopedDataPipeConsumerHandle response_body, | 
|  | network::mojom::URLLoaderClientEndpointsPtr url_loader_client_endpoints, | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | subresource_loader_factories, | 
|  | std::optional<std::vector<blink::mojom::TransferrableURLLoaderPtr>> | 
|  | subresource_overrides, | 
|  | blink::mojom::ControllerServiceWorkerInfoPtr controller, | 
|  | blink::mojom::ServiceWorkerContainerInfoForClientPtr container_info, | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | subresource_proxying_loader_factory, | 
|  | mojo::PendingRemote<network::mojom::URLLoaderFactory> | 
|  | keep_alive_loader_factory, | 
|  | mojo::PendingAssociatedRemote<blink::mojom::FetchLaterLoaderFactory> | 
|  | fetch_later_loader_factory, | 
|  | const std::optional<network::ParsedPermissionsPolicy>& permissions_policy, | 
|  | blink::mojom::PolicyContainerPtr policy_container, | 
|  | const blink::DocumentToken& document_token, | 
|  | const base::UnguessableToken& devtools_navigation_token) { | 
|  | TRACE_EVENT0("navigation", "RenderFrameHostImpl::SendCommitNavigation"); | 
|  | UpdateOrDisableCompositorMetricRecorder(); | 
|  |  | 
|  | base::ElapsedTimer timer; | 
|  | DCHECK_EQ(net::OK, navigation_request->GetNetErrorCode()); | 
|  | IncreaseCommitNavigationCounter(); | 
|  | mojo::PendingRemote<blink::mojom::CodeCacheHost> code_cache_host; | 
|  | mojo::PendingRemote<blink::mojom::CodeCacheHost> | 
|  | code_cache_host_for_background; | 
|  | mojom::CookieManagerInfoPtr cookie_manager_info; | 
|  | mojom::StorageInfoPtr storage_info; | 
|  |  | 
|  | // Until the browser is able to compute the origin accurately in all cases | 
|  | // (see https://crbug.com/888079), this is actually just a provisional | 
|  | // `storage_key`. The final storage key is computed by the document loader | 
|  | // taking into account the origin computed by the renderer. | 
|  | auto& code_cache_storage_key = commit_params->storage_key; | 
|  | CreateCodeCacheHostWithKeys( | 
|  | code_cache_host.InitWithNewPipeAndPassReceiver(), | 
|  | navigation_request->isolation_info_for_subresources() | 
|  | .network_isolation_key(), | 
|  | code_cache_storage_key); | 
|  | if (base::FeatureList::IsEnabled(blink::features::kBackgroundResourceFetch)) { | 
|  | CreateCodeCacheHostWithKeys( | 
|  | code_cache_host_for_background.InitWithNewPipeAndPassReceiver(), | 
|  | navigation_request->isolation_info_for_subresources() | 
|  | .network_isolation_key(), | 
|  | code_cache_storage_key); | 
|  | } | 
|  |  | 
|  | url::Origin origin_to_commit = | 
|  | navigation_request->GetOriginToCommit().value(); | 
|  |  | 
|  | // PDF processes should not need to access cookies or storage, so do not set | 
|  | // up those interfaces for them. | 
|  | // TODO(crbug.com/40205612): Remove the kill switch for this check. | 
|  | bool should_block_storage_access_for_pdf = | 
|  | GetSiteInstance()->GetSiteInfo().is_pdf() && | 
|  | base::FeatureList::IsEnabled(features::kPdfEnforcements); | 
|  |  | 
|  | // Make sure the origin of the isolation info and origin to commit match, | 
|  | // otherwise the cookie manager will crash. Sending the cookie manager here | 
|  | // is just an optimization, so it is fine for it to be null in the case | 
|  | // where these don't match. | 
|  | if (common_params->url.SchemeIsHTTPOrHTTPS() && !origin_to_commit.opaque() && | 
|  | !should_block_storage_access_for_pdf && | 
|  | navigation_request->isolation_info_for_subresources() | 
|  | .frame_origin() | 
|  | .value() == origin_to_commit) { | 
|  | cookie_manager_info = mojom::CookieManagerInfo::New(); | 
|  | cookie_manager_info->origin = origin_to_commit; | 
|  | auto subresource_loader_factories_config = | 
|  | SubresourceLoaderFactoriesConfig::ForPendingNavigation( | 
|  | *navigation_request); | 
|  |  | 
|  | BindRestrictedCookieManagerWithOrigin( | 
|  | cookie_manager_info->cookie_manager.InitWithNewPipeAndPassReceiver(), | 
|  | navigation_request->isolation_info_for_subresources(), origin_to_commit, | 
|  | subresource_loader_factories_config.cookie_setting_overrides()); | 
|  |  | 
|  | // Some tests need the StorageArea interfaces to come through DomStorage, | 
|  | // so ignore the optimizations in those cases. | 
|  | if (!RenderProcessHostImpl::HasDomStorageBinderForTesting()) { | 
|  | storage_info = mojom::StorageInfo::New(); | 
|  | // Bind local storage and session storage areas. | 
|  | auto* partition = GetStoragePartition(); | 
|  | int process_id = GetProcess()->GetDeprecatedID(); | 
|  | partition->OpenLocalStorageForProcess( | 
|  | process_id, commit_params->storage_key, | 
|  | storage_info->local_storage_area.InitWithNewPipeAndPassReceiver()); | 
|  |  | 
|  | // Session storage must match the default namespace. | 
|  | const std::string& namespace_id = | 
|  | navigation_request->frame_tree_node() | 
|  | ->frame_tree() | 
|  | .controller() | 
|  | .GetSessionStorageNamespace( | 
|  | GetSiteInstance()->GetStoragePartitionConfig()) | 
|  | ->id(); | 
|  | partition->BindSessionStorageAreaForProcess( | 
|  | process_id, commit_params->storage_key, namespace_id, | 
|  | storage_info->session_storage_area.InitWithNewPipeAndPassReceiver()); | 
|  | } | 
|  | } | 
|  |  | 
|  | // Save the last sent NotRestoredReasons value for testing, so that we can | 
|  | // verify them in tests. | 
|  | // TODO(yuzus): Remove |not_restored_reasons_for_testing_| and modify | 
|  | // |FrameNavigateParamsCapturer|. | 
|  | not_restored_reasons_for_testing_ = | 
|  | commit_params->not_restored_reasons.Clone(); | 
|  |  | 
|  | // If an automatic "top_navigation" beacon is registered in the FencedFrame | 
|  | // of the document initiator of the navigation, and the navigation | 
|  | // destination is an outermost main frame, send the beacon. We do this at | 
|  | // this point because: | 
|  | // 1. We need a handle to the initiator. | 
|  | // 2. The initiator hasn't been unloaded yet due to this navigation, and | 
|  | //    still exists at this point (unless explicitly removed from the DOM | 
|  | //    otherwise). | 
|  | MaybeSendFencedFrameAutomaticReportingBeacon( | 
|  | *navigation_request, | 
|  | blink::mojom::AutomaticBeaconType::kDeprecatedTopNavigation); | 
|  | MaybeSendFencedFrameAutomaticReportingBeacon( | 
|  | *navigation_request, | 
|  | blink::mojom::AutomaticBeaconType::kTopNavigationCommit); | 
|  |  | 
|  | // If this commit is for a main frame in another browsing context group, warn | 
|  | // the renderer that it should update the browsing context group information | 
|  | // of the page if this frame successfully commits. Note that the | 
|  | // Browsing Context Group Token in the params should only be populated at | 
|  | // commit time, and only in the case of a swap. | 
|  | CHECK(!commit_params->browsing_context_group_token.has_value()); | 
|  | if (is_main_frame() && | 
|  | navigation_request->browsing_context_group_swap().ShouldSwap()) { | 
|  | commit_params->browsing_context_group_token = | 
|  | GetSiteInstance()->browsing_instance_token(); | 
|  | } | 
|  |  | 
|  | auto* cookie_deprecation_label_manager = | 
|  | static_cast<CookieDeprecationLabelManagerImpl*>( | 
|  | GetStoragePartition()->GetCookieDeprecationLabelManager()); | 
|  | if (cookie_deprecation_label_manager) { | 
|  | url::Origin top_frame_origin = | 
|  | is_main_frame() ? origin_to_commit | 
|  | : GetMainFrame()->GetLastCommittedOrigin(); | 
|  | commit_params->cookie_deprecation_label = | 
|  | cookie_deprecation_label_manager->GetValue(top_frame_origin, | 
|  | origin_to_commit); | 
|  | } | 
|  |  | 
|  | // TODO(khushalsagar): This code-path can be removed after RenderDocument is | 
|  | // fully enabled. See crbug.com/346500010. | 
|  | if (!navigation_request->IsSameDocument() && | 
|  | NavigationTransitionUtils:: | 
|  | CaptureNavigationEntryScreenshotForCrossDocumentNavigations( | 
|  | *navigation_request, /*did_receive_commit_ack=*/false)) { | 
|  | commit_params->local_surface_id = | 
|  | GetView()->IncrementSurfaceIdForNavigation(); | 
|  | } | 
|  |  | 
|  | commit_params->commit_sent = base::TimeTicks::Now(); | 
|  | { | 
|  | auto scope = MakeUrgentMessageScopeIfNeeded(); | 
|  | navigation_client->CommitNavigation( | 
|  | std::move(common_params), std::move(commit_params), | 
|  | std::move(response_head), std::move(response_body), | 
|  | std::move(url_loader_client_endpoints), | 
|  | std::move(subresource_loader_factories), | 
|  | std::move(subresource_overrides), std::move(controller), | 
|  | std::move(container_info), | 
|  | std::move(subresource_proxying_loader_factory), | 
|  | std::move(keep_alive_loader_factory), | 
|  | std::move(fetch_later_loader_factory), document_token, | 
|  | devtools_navigation_token, base_auction_nonce_, permissions_policy, | 
|  | std::move(policy_container), std::move(code_cache_host), | 
|  | std::move(code_cache_host_for_background), | 
|  | std::move(cookie_manager_info), std::move(storage_info), | 
|  | BuildCommitNavigationCallback(navigation_request)); | 
|  | } | 
|  | base::UmaHistogramTimes( | 
|  | base::StrCat({"Navigation.SendCommitNavigationTime.", | 
|  | IsOutermostMainFrame() ? "MainFrame" : "Subframe"}), | 
|  | timer.Elapsed()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendCommitFailedNavigation( | 
|  | mojom::NavigationClient* navigation_client, | 
|  | NavigationRequest* navigation_request, | 
|  | blink::mojom::CommonNavigationParamsPtr common_params, | 
|  | blink::mojom::CommitNavigationParamsPtr commit_params, | 
|  | bool has_stale_copy_in_cache, | 
|  | int32_t error_code, | 
|  | int32_t extended_error_code, | 
|  | const std::optional<std::string>& error_page_content, | 
|  | std::unique_ptr<blink::PendingURLLoaderFactoryBundle> | 
|  | subresource_loader_factories, | 
|  | const blink::DocumentToken& document_token, | 
|  | const base::UnguessableToken& devtools_navigation_token, | 
|  | blink::mojom::PolicyContainerPtr policy_container) { | 
|  | DCHECK(navigation_client && navigation_request); | 
|  | DCHECK_NE(GURL(), common_params->url); | 
|  | DCHECK_NE(net::OK, error_code); | 
|  |  | 
|  | UpdateOrDisableCompositorMetricRecorder(); | 
|  | IncreaseCommitNavigationCounter(); | 
|  |  | 
|  | // If this commit is for a main frame in another browsing context group, warn | 
|  | // the renderer that it should update the browsing context group information | 
|  | // of the page. Note that the Browsing Context Group Token in the params | 
|  | // should only be populated at commit time, and only in the case of a swap. | 
|  | CHECK(!commit_params->browsing_context_group_token.has_value()); | 
|  | if (is_main_frame() && | 
|  | navigation_request->browsing_context_group_swap().ShouldSwap()) { | 
|  | commit_params->browsing_context_group_token = | 
|  | GetSiteInstance()->browsing_instance_token(); | 
|  | } | 
|  |  | 
|  | { | 
|  | auto scope = MakeUrgentMessageScopeIfNeeded(); | 
|  | navigation_client->CommitFailedNavigation( | 
|  | std::move(common_params), std::move(commit_params), | 
|  | has_stale_copy_in_cache, error_code, extended_error_code, | 
|  | navigation_request->GetResolveErrorInfo(), error_page_content, | 
|  | std::move(subresource_loader_factories), document_token, | 
|  | devtools_navigation_token, std::move(policy_container), | 
|  | GetContentClient()->browser()->GetAlternativeErrorPageOverrideInfo( | 
|  | navigation_request->GetURL(), this, GetBrowserContext(), | 
|  | error_code), | 
|  | BuildCommitFailedNavigationCallback(navigation_request)); | 
|  | } | 
|  | } | 
|  |  | 
|  | // Called when the renderer navigates. For every frame loaded, we'll get this | 
|  | // notification containing parameters identifying the navigation. | 
|  | void RenderFrameHostImpl::DidCommitNavigation( | 
|  | NavigationRequest* committing_navigation_request, | 
|  | mojom::DidCommitProvisionalLoadParamsPtr params, | 
|  | mojom::DidCommitProvisionalLoadInterfaceParamsPtr interface_params) { | 
|  | base::TimeTicks did_commit_ipc_received_time = base::TimeTicks().Now(); | 
|  | DCHECK(params); | 
|  | TRACE_EVENT("navigation", "RenderFrameHostImpl::DidCommitNavigation", | 
|  | ChromeTrackEvent::kRenderFrameHost, this, "params", params); | 
|  |  | 
|  | // BackForwardCacheImpl::CanStoreRenderFrameHost prevents placing the pages | 
|  | // with in-flight navigation requests in the back-forward cache and it's not | 
|  | // possible to start/commit a new one after the RenderFrameHost is in the | 
|  | // BackForwardCache (see the check IsInactiveAndDisallowActivation in | 
|  | // RFH::DidCommitSameDocumentNavigation() and RFH::BeginNavigation()) so it | 
|  | // isn't possible to get a DidCommitNavigation IPC from the renderer in | 
|  | // kInBackForwardCache state. | 
|  | DCHECK(!IsInBackForwardCache()); | 
|  |  | 
|  | std::unique_ptr<NavigationRequest> request; | 
|  | // TODO(crbug.com/40546539): a `committing_navigation_request` is not | 
|  | // present if and only if this is a synchronous re-navigation to about:blank | 
|  | // initiated by Blink. In all other cases it should be non-null and present in | 
|  | // the map of NavigationRequests. | 
|  | if (committing_navigation_request) { | 
|  | committing_navigation_request->IgnoreCommitInterfaceDisconnection(); | 
|  | if (!MaybeInterceptCommitCallback(committing_navigation_request, ¶ms, | 
|  | &interface_params)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | auto find_request = | 
|  | navigation_requests_.find(committing_navigation_request); | 
|  | CHECK(find_request != navigation_requests_.end()); | 
|  |  | 
|  | request = std::move(find_request->second); | 
|  | navigation_requests_.erase(committing_navigation_request); | 
|  |  | 
|  | if (request->IsNavigationStarted()) { | 
|  | main_frame_request_ids_ = {params->request_id, | 
|  | request->GetGlobalRequestID()}; | 
|  | if (deferred_main_frame_load_info_) | 
|  | ResourceLoadComplete(std::move(deferred_main_frame_load_info_)); | 
|  | } | 
|  | } | 
|  |  | 
|  | // The commit IPC should be associated with the URL being committed (not with | 
|  | // the *last* committed URL that most other IPCs are associated with). | 
|  | // TODO(crbug.com/40169570): Investigate where the origin should come from | 
|  | // when we remove FrameTree/FrameTreeNode members of this class, and the last | 
|  | // committed origin may be incorrect. | 
|  | ScopedActiveURL scoped_active_url(params->url, | 
|  | frame_tree()->root()->current_origin()); | 
|  |  | 
|  | ScopedCommitStateResetter commit_state_resetter(this); | 
|  | RenderProcessHost* process = GetProcess(); | 
|  |  | 
|  | // If we're waiting for a cross-site beforeunload completion callback from | 
|  | // this renderer and we receive a Navigate message from the main frame, then | 
|  | // the renderer was navigating already and sent it before hearing the | 
|  | // blink::mojom::LocalFrame::StopLoading() message. Treat this as an implicit | 
|  | // beforeunload completion callback to allow the pending navigation to | 
|  | // continue. | 
|  | if (is_waiting_for_beforeunload_completion_ && | 
|  | unload_ack_is_for_navigation_ && !GetParent()) { | 
|  | base::TimeTicks approx_renderer_start_time = send_before_unload_start_time_; | 
|  | ProcessBeforeUnloadCompleted( | 
|  | /*proceed=*/true, /*treat_as_final_completion_callback=*/true, | 
|  | approx_renderer_start_time, base::TimeTicks::Now(), | 
|  | /*for_legacy=*/false); | 
|  | } | 
|  |  | 
|  | // When a frame enters pending deletion, it waits for itself and its children | 
|  | // to properly unload. Receiving DidCommitProvisionalLoad() here while the | 
|  | // frame is not active means it comes from a navigation that reached the | 
|  | // ReadyToCommit stage just before the frame entered pending deletion. | 
|  | // | 
|  | // We should ignore this message, because we have already committed to | 
|  | // destroying this RenderFrameHost. Note that we intentionally do not ignore | 
|  | // commits that happen while the current tab is being closed - see | 
|  | // https://crbug.com/805705. | 
|  | if (IsPendingDeletion()) { | 
|  | if (request) { | 
|  | request->set_navigation_discard_reason( | 
|  | NavigationDiscardReason::kInternalCancellation); | 
|  | request->set_error_navigation_trigger( | 
|  | ErrorNavigationTrigger::kCommittedOnPendingDeletion); | 
|  | } | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (interface_params) { | 
|  | if (broker_receiver_.is_bound()) { | 
|  | broker_receiver_.reset(); | 
|  | } | 
|  | BindBrowserInterfaceBrokerReceiver( | 
|  | std::move(interface_params->browser_interface_broker_receiver)); | 
|  | } else { | 
|  | // If the frame is no longer on the initial empty document, and this is not | 
|  | // a same-document navigation, then both the active document as well as the | 
|  | // global object was replaced in this browsing context. The RenderFrame | 
|  | // should have rebound its BrowserInterfaceBroker to a new pipe, but failed | 
|  | // to do so. Kill the renderer, and reset the old receiver to ensure that | 
|  | // any pending interface requests originating from the previous document, | 
|  | // hence possibly from a different security origin, will no longer be | 
|  | // dispatched. | 
|  | if (!frame_tree_node_->is_on_initial_empty_document()) { | 
|  | broker_receiver_.reset(); | 
|  | bad_message::ReceivedBadMessage( | 
|  | process, bad_message::RFH_INTERFACE_PROVIDER_MISSING); | 
|  |  | 
|  | if (request) { | 
|  | request->set_navigation_discard_reason( | 
|  | NavigationDiscardReason::kFailedSecurityCheck); | 
|  | } | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Otherwise, it is the first real load committed, for which the RenderFrame | 
|  | // is allowed to, and will re-use the existing BrowserInterfaceBroker | 
|  | // connection if the new document is same-origin with the initial empty | 
|  | // document, and therefore the global object is not replaced. | 
|  | } | 
|  |  | 
|  | if (!DidCommitNavigationInternal(std::move(request), std::move(params), | 
|  | /*same_document_params=*/nullptr, | 
|  | did_commit_ipc_received_time)) { | 
|  | return; | 
|  | } | 
|  |  | 
|  | // NOTE: Navigation metrics assume that not much work is done between | 
|  | // DidCommitNavigationInternal() and the end of this function. Avoid adding | 
|  | // code below unless absolutely needed. | 
|  |  | 
|  | // Since we didn't early return, it's safe to keep the commit state. | 
|  | commit_state_resetter.disable(); | 
|  |  | 
|  | // For a top-level frame, there are potential security concerns associated | 
|  | // with displaying graphics from a previously loaded page after the URL in | 
|  | // the omnibar has been changed. It is unappealing to clear the page | 
|  | // immediately, but if the renderer is taking a long time to issue any | 
|  | // compositor output (possibly because of script deliberately creating this | 
|  | // situation) then we clear it after a while anyway. | 
|  | // See https://crbug.com/497588. | 
|  | if (is_main_frame() && GetView()) { | 
|  | RenderWidgetHostImpl::From(GetView()->GetRenderWidgetHost())->DidNavigate(); | 
|  | } | 
|  |  | 
|  | // TODO(arthursonzogni): This can be removed when RenderDocument will be | 
|  | // implemented. See https://crbug.com/936696. | 
|  | EnsureDescendantsAreUnloading(); | 
|  | } | 
|  |  | 
|  | mojom::NavigationClient::CommitNavigationCallback | 
|  | RenderFrameHostImpl::BuildCommitNavigationCallback( | 
|  | NavigationRequest* navigation_request) { | 
|  | DCHECK(navigation_request); | 
|  | return base::BindOnce(&RenderFrameHostImpl::DidCommitNavigation, | 
|  | base::Unretained(this), navigation_request); | 
|  | } | 
|  |  | 
|  | mojom::NavigationClient::CommitFailedNavigationCallback | 
|  | RenderFrameHostImpl::BuildCommitFailedNavigationCallback( | 
|  | NavigationRequest* navigation_request) { | 
|  | DCHECK(navigation_request); | 
|  | return base::BindOnce(&RenderFrameHostImpl::DidCommitNavigation, | 
|  | base::Unretained(this), navigation_request); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SendBeforeUnload( | 
|  | bool is_reload, | 
|  | base::WeakPtr<RenderFrameHostImpl> rfh, | 
|  | bool for_legacy, | 
|  | const bool is_renderer_initiated_navigation) { | 
|  | TRACE_EVENT_WITH_FLOW0("navigation", "RenderFrameHostImpl::SendBeforeUnload", | 
|  | TRACE_ID_LOCAL(this), | 
|  | TRACE_EVENT_FLAG_FLOW_IN | TRACE_EVENT_FLAG_FLOW_OUT); | 
|  | auto before_unload_closure = base::BindOnce( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> impl, bool for_legacy, bool proceed, | 
|  | base::TimeTicks renderer_before_unload_start_time, | 
|  | base::TimeTicks renderer_before_unload_end_time) { | 
|  | if (!impl) | 
|  | return; | 
|  | impl->ProcessBeforeUnloadCompleted( | 
|  | proceed, /*treat_as_final_completion_callback=*/false, | 
|  | renderer_before_unload_start_time, renderer_before_unload_end_time, | 
|  | for_legacy); | 
|  | }, | 
|  | rfh, for_legacy); | 
|  | if (for_legacy) { | 
|  | // We would like to synchronously continue navigation without the following | 
|  | // PostTask in the future to improve performance if the frame being | 
|  | // navigated (and all child frames) do not have beforeunload handlers. | 
|  | // However, as described in | 
|  | // `ContentBrowserClient::SupportsAvoidUnnecessaryBeforeUnloadCheckSync()`, | 
|  | // this can result in re-entrancy issues on navigation. The re-entrancy is | 
|  | // checked by NavigationController's `in_navigate_to_pending_entry` flag. | 
|  | // While this flag is true, we prohibit starting another navigation | 
|  | // synchronously while the existing navigation is still being processed on | 
|  | // the stack (CHECK(!in_navigate_to_pending_entry_)). | 
|  | // | 
|  | // The following `is_eligible_for_avoid_unnecessary_beforeunload` flag is | 
|  | // used to allow synchronous continuation of navigation if the value of | 
|  | // kAvoidUnnecessaryBeforeUnloadCheckSyncMode is either | 
|  | // kWithSendBeforeUnload or kWithoutSendBeforeUnload (To understand these | 
|  | // modes, please refer to the code comment of the | 
|  | // `AvoidUnnecessaryBeforeUnloadCheckSyncMode` enum in the header file). | 
|  | // | 
|  | // The following `can_be_in_navigate_to_pending_entry` flag is used to | 
|  | // investigate whether it is safe to do so, by checking whether the CHECK | 
|  | // would've failed if we continue synchronously instead of posting a task. | 
|  | // This flag is only used when kAvoidUnnecessaryBeforeUnloadCheckSyncMode is | 
|  | // set to kDumpWithoutCrashing. | 
|  | const bool is_eligible_for_avoid_unnecessary_beforeunload = | 
|  | is_waiting_for_beforeunload_completion_ && | 
|  | unload_ack_is_for_navigation_ && | 
|  | GetContentClient() | 
|  | ->browser() | 
|  | ->SupportsAvoidUnnecessaryBeforeUnloadCheckSync(); | 
|  | const bool can_be_in_navigate_to_pending_entry = | 
|  | is_eligible_for_avoid_unnecessary_beforeunload && | 
|  | IsAvoidUnnecessaryBeforeUnloadCheckSyncEnabledFor( | 
|  | features::AvoidUnnecessaryBeforeUnloadCheckSyncMode:: | 
|  | kDumpWithoutCrashing) && | 
|  | frame_tree()->controller().in_navigate_to_pending_entry(); | 
|  |  | 
|  | base::TimeTicks beforeunload_end_time_for_legacy = base::TimeTicks::Now(); | 
|  |  | 
|  | if (is_eligible_for_avoid_unnecessary_beforeunload && | 
|  | IsAvoidUnnecessaryBeforeUnloadCheckSyncEnabledFor( | 
|  | features::AvoidUnnecessaryBeforeUnloadCheckSyncMode:: | 
|  | kWithSendBeforeUnload)) { | 
|  | std::move(before_unload_closure) | 
|  | .Run(/*proceed=*/true, send_before_unload_start_time_, | 
|  | beforeunload_end_time_for_legacy); | 
|  | return; | 
|  | } | 
|  |  | 
|  | // Use a high-priority task to continue the navigation. This is safe as it | 
|  | // happens early in the navigation flow and shouldn't race with any other | 
|  | // tasks associated with this navigation. | 
|  | GetUIThreadTaskRunner({BrowserTaskType::kBeforeUnloadBrowserResponse}) | 
|  | ->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce( | 
|  | [](blink::mojom::LocalFrame::BeforeUnloadCallback callback, | 
|  | base::TimeTicks start_time, base::TimeTicks end_time, | 
|  | base::WeakPtr<NavigationControllerImpl> | 
|  | navigation_controller, | 
|  | const bool can_be_in_navigate_to_pending_entry, | 
|  | const bool is_renderer_initiated_navigation) { | 
|  | // Measures the time a posted task spends in the queue before | 
|  | // execution. Recorded only when `for_legacy` is true. | 
|  | base::UmaHistogramTimes( | 
|  | "Navigation.OnBeforeUnloadOverheadTime." | 
|  | "NoBeforeUnloadHandlerRegistered", | 
|  | base::TimeTicks::Now() - end_time); | 
|  | if (can_be_in_navigate_to_pending_entry && | 
|  | navigation_controller) { | 
|  | navigation_controller | 
|  | ->set_can_be_in_navigate_to_pending_entry(true); | 
|  | } | 
|  | SCOPED_CRASH_KEY_BOOL("RFHI", "is_renderer_init_nav", | 
|  | is_renderer_initiated_navigation); | 
|  | std::move(callback).Run(/*proceed=*/true, start_time, | 
|  | end_time); | 
|  | if (can_be_in_navigate_to_pending_entry && | 
|  | navigation_controller) { | 
|  | navigation_controller | 
|  | ->set_can_be_in_navigate_to_pending_entry(false); | 
|  | } | 
|  | }, | 
|  | std::move(before_unload_closure), | 
|  | send_before_unload_start_time_, | 
|  | beforeunload_end_time_for_legacy, | 
|  | frame_tree()->controller().GetWeakPtr(), | 
|  | can_be_in_navigate_to_pending_entry, | 
|  | is_renderer_initiated_navigation)); | 
|  | return; | 
|  | } | 
|  | auto scope = MakeUrgentMessageScopeIfNeeded(); | 
|  | rfh->GetAssociatedLocalFrame()->BeforeUnload( | 
|  | is_reload, std::move(before_unload_closure)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AddServiceWorkerClient( | 
|  | const std::string& uuid, | 
|  | base::WeakPtr<content::ServiceWorkerClient> service_worker_client) { | 
|  | if (IsInBackForwardCache()) { | 
|  | // RenderFrameHost entered BackForwardCache before adding | 
|  | // ServiceWorkerClient. In this case, evict the entry from the cache. | 
|  | EvictFromBackForwardCacheWithReason( | 
|  | BackForwardCacheMetrics::NotRestoredReason:: | 
|  | kEnteredBackForwardCacheBeforeServiceWorkerHostAdded); | 
|  | } | 
|  | DCHECK(!base::Contains(service_worker_clients_, uuid)); | 
|  | last_committed_service_worker_client_ = service_worker_client; | 
|  | service_worker_clients_[uuid] = std::move(service_worker_client); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RemoveServiceWorkerClient(const std::string& uuid) { | 
|  | DCHECK(!service_worker_clients_.empty()); | 
|  | DCHECK(base::Contains(service_worker_clients_, uuid)); | 
|  | service_worker_clients_.erase(uuid); | 
|  | } | 
|  |  | 
|  | base::WeakPtr<ServiceWorkerClient> | 
|  | RenderFrameHostImpl::GetLastCommittedServiceWorkerClient() { | 
|  | DCHECK_CURRENTLY_ON(BrowserThread::UI); | 
|  | return last_committed_service_worker_client_; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::MaybeInterceptCommitCallback( | 
|  | NavigationRequest* navigation_request, | 
|  | mojom::DidCommitProvisionalLoadParamsPtr* params, | 
|  | mojom::DidCommitProvisionalLoadInterfaceParamsPtr* interface_params) { | 
|  | if (commit_callback_interceptor_) { | 
|  | did_ignore_last_commit_callback_ = | 
|  | !commit_callback_interceptor_->WillProcessDidCommitNavigation( | 
|  | navigation_request, params, interface_params); | 
|  | return !did_ignore_last_commit_callback_; | 
|  | } | 
|  | return true; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PostMessageEvent( | 
|  | const std::optional<blink::RemoteFrameToken>& source_token, | 
|  | const std::u16string& source_origin, | 
|  | const std::u16string& target_origin, | 
|  | blink::TransferableMessage message) { | 
|  | DCHECK(is_render_frame_created()); | 
|  |  | 
|  | if (message.delegated_capability != blink::mojom::DelegatedCapability::kNone) | 
|  | ReceivedDelegatedCapability(message.delegated_capability); | 
|  |  | 
|  | // This is always called from either another renderer (through RemoteFrame) or | 
|  | // from the embedder itself. As such, we nullify the task state ID here, to | 
|  | // prevent this information from leaking between renderers. | 
|  | message.task_state_id = std::nullopt; | 
|  |  | 
|  | GetAssociatedLocalFrame()->PostMessageEvent( | 
|  | source_token, source_origin, target_origin, std::move(message)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsTestRenderFrameHost() const { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | scoped_refptr<PrefetchedSignedExchangeCache> | 
|  | RenderFrameHostImpl::EnsurePrefetchedSignedExchangeCache() { | 
|  | if (!prefetched_signed_exchange_cache_) { | 
|  | prefetched_signed_exchange_cache_ = | 
|  | base::MakeRefCounted<PrefetchedSignedExchangeCache>(); | 
|  | } | 
|  | return prefetched_signed_exchange_cache_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ClearPrefetchedSignedExchangeCache() { | 
|  | if (prefetched_signed_exchange_cache_) | 
|  | prefetched_signed_exchange_cache_->Clear(); | 
|  | } | 
|  |  | 
|  | RenderWidgetHostImpl* RenderFrameHostImpl::GetLocalRenderWidgetHost() const { | 
|  | if (is_main_frame()) | 
|  | return render_view_host_->GetWidget(); | 
|  | else | 
|  | return owned_render_widget_host_.get(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnsureDescendantsAreUnloading() { | 
|  | std::vector<FrameTreeNode*> frame_to_remove; | 
|  | std::vector<RenderFrameHostImpl*> rfh_to_be_checked = {this}; | 
|  | while (!rfh_to_be_checked.empty()) { | 
|  | RenderFrameHostImpl* document = rfh_to_be_checked.back(); | 
|  | rfh_to_be_checked.pop_back(); | 
|  |  | 
|  | // Every child is expected to be pending deletion. If it isn't the case, | 
|  | // their FrameTreeNode is immediately removed from the tree. | 
|  | for (auto& iframe : document->children_) { | 
|  | if (iframe->current_frame_host()->IsPendingDeletion()) { | 
|  | rfh_to_be_checked.push_back(iframe->current_frame_host()); | 
|  | } else { | 
|  | frame_to_remove.push_back(iframe.get()); | 
|  | } | 
|  | } | 
|  | } | 
|  | for (FrameTreeNode* child : frame_to_remove) { | 
|  | child->parent()->RemoveChild(child); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AddMessageToConsoleImpl( | 
|  | blink::mojom::ConsoleMessageLevel level, | 
|  | const std::string& message, | 
|  | bool discard_duplicates) { | 
|  | GetAssociatedLocalFrame()->AddMessageToConsole(level, message, | 
|  | discard_duplicates); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::LogCannotCommitUrlCrashKeys( | 
|  | const GURL& url, | 
|  | const url::Origin& origin, | 
|  | bool is_same_document_navigation, | 
|  | NavigationRequest* navigation_request) { | 
|  | LogRendererKillCrashKeys(GetSiteInstance()->GetSiteInfo()); | 
|  |  | 
|  | // Temporary instrumentation to debug the root cause of renderer process | 
|  | // terminations. See https://crbug.com/931895. | 
|  | static auto* const navigation_url_key = base::debug::AllocateCrashKeyString( | 
|  | "navigation_url", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(navigation_url_key, url.spec()); | 
|  |  | 
|  | static auto* const is_same_document_key = base::debug::AllocateCrashKeyString( | 
|  | "is_same_document", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_same_document_key, | 
|  | base::ToString(is_same_document_navigation)); | 
|  |  | 
|  | static auto* const is_main_frame_key = base::debug::AllocateCrashKeyString( | 
|  | "is_main_frame", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_main_frame_key, | 
|  | base::ToString(is_main_frame())); | 
|  |  | 
|  | static auto* const is_outermost_frame_key = | 
|  | base::debug::AllocateCrashKeyString("is_outermost_frame", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_outermost_frame_key, | 
|  | base::ToString(IsOutermostMainFrame())); | 
|  |  | 
|  | static auto* const is_cross_process_subframe_key = | 
|  | base::debug::AllocateCrashKeyString("is_cross_process_subframe", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_cross_process_subframe_key, | 
|  | base::ToString(IsCrossProcessSubframe())); | 
|  |  | 
|  | static auto* const is_local_root_key = base::debug::AllocateCrashKeyString( | 
|  | "is_local_root", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_local_root_key, | 
|  | base::ToString(is_local_root())); | 
|  |  | 
|  | static auto* const is_opaque_origin_key = base::debug::AllocateCrashKeyString( | 
|  | "is_opaque_origin", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_opaque_origin_key, | 
|  | base::ToString(origin.opaque())); | 
|  |  | 
|  | static auto* const is_file_origin_key = base::debug::AllocateCrashKeyString( | 
|  | "is_file_origin", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_file_origin_key, base::ToString(origin.scheme() == url::kFileScheme)); | 
|  |  | 
|  | static auto* const is_data_url_key = base::debug::AllocateCrashKeyString( | 
|  | "is_data_url", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_data_url_key, base::ToString(url.SchemeIs(url::kDataScheme))); | 
|  |  | 
|  | static auto* const is_srcdoc_url_key = base::debug::AllocateCrashKeyString( | 
|  | "is_srcdoc_url", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_srcdoc_url_key, | 
|  | base::ToString(url.IsAboutSrcdoc())); | 
|  |  | 
|  | static auto* const is_loaddatawithbaseurl_key = | 
|  | base::debug::AllocateCrashKeyString("is_loaddatawithbaseurl_navrequest", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | bool is_loaddatawithbaseurl = | 
|  | navigation_request && navigation_request->IsLoadDataWithBaseURL(); | 
|  | base::debug::SetCrashKeyString(is_loaddatawithbaseurl_key, | 
|  | base::ToString(is_loaddatawithbaseurl)); | 
|  |  | 
|  | static auto* const is_loaddatawithbaseurl_samedoc_key = | 
|  | base::debug::AllocateCrashKeyString("is_loaddatawithbaseurl_samedoc", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | bool is_loaddatawithbaseurl_samedoc = | 
|  | is_same_document_navigation && | 
|  | renderer_url_info_.was_loaded_from_load_data_with_base_url; | 
|  | base::debug::SetCrashKeyString( | 
|  | is_loaddatawithbaseurl_samedoc_key, | 
|  | base::ToString(is_loaddatawithbaseurl_samedoc)); | 
|  |  | 
|  | static auto* const site_lock_key = base::debug::AllocateCrashKeyString( | 
|  | "site_lock", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString( | 
|  | site_lock_key, | 
|  | ProcessLock::FromSiteInfo(GetSiteInstance()->GetSiteInfo()).ToString()); | 
|  |  | 
|  | static auto* const process_lock_key = base::debug::AllocateCrashKeyString( | 
|  | "process_lock", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(process_lock_key, | 
|  | GetProcess()->GetProcessLock().ToString()); | 
|  |  | 
|  | static auto* const is_process_locked_key = | 
|  | base::debug::AllocateCrashKeyString("is_process_locked", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_process_locked_key, | 
|  | base::ToString(GetProcess()->GetProcessLock().is_locked_to_site())); | 
|  |  | 
|  | if (!GetSiteInstance()->IsDefaultSiteInstance()) { | 
|  | static auto* const original_url_origin_key = | 
|  | base::debug::AllocateCrashKeyString("original_url_origin", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString( | 
|  | original_url_origin_key, | 
|  | GetSiteInstance()->original_url().DeprecatedGetOriginAsURL().spec()); | 
|  | } | 
|  |  | 
|  | static auto* const is_mhtml_document_key = | 
|  | base::debug::AllocateCrashKeyString("is_mhtml_document", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_mhtml_document_key, | 
|  | base::ToString(is_mhtml_document())); | 
|  |  | 
|  | static auto* const last_committed_url_origin_key = | 
|  | base::debug::AllocateCrashKeyString("last_committed_url_origin", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString( | 
|  | last_committed_url_origin_key, | 
|  | GetLastCommittedURL().DeprecatedGetOriginAsURL().spec()); | 
|  |  | 
|  | static auto* const last_successful_url_origin_key = | 
|  | base::debug::AllocateCrashKeyString("last_successful_url_origin", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString( | 
|  | last_successful_url_origin_key, | 
|  | last_successful_url().DeprecatedGetOriginAsURL().spec()); | 
|  |  | 
|  | static auto* const is_on_initial_empty_document_key = | 
|  | base::debug::AllocateCrashKeyString("is_on_initial_empty_doc", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_on_initial_empty_document_key, | 
|  | base::ToString(frame_tree_node_->is_on_initial_empty_document())); | 
|  |  | 
|  | if (navigation_request && navigation_request->IsNavigationStarted()) { | 
|  | static auto* const is_renderer_initiated_key = | 
|  | base::debug::AllocateCrashKeyString("is_renderer_initiated", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_renderer_initiated_key, | 
|  | base::ToString(navigation_request->IsRendererInitiated())); | 
|  |  | 
|  | static auto* const is_server_redirect_key = | 
|  | base::debug::AllocateCrashKeyString("is_server_redirect", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_server_redirect_key, | 
|  | base::ToString(navigation_request->WasServerRedirect())); | 
|  |  | 
|  | static auto* const is_form_submission_key = | 
|  | base::debug::AllocateCrashKeyString("is_form_submission", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_form_submission_key, | 
|  | base::ToString(navigation_request->IsFormSubmission())); | 
|  |  | 
|  | static auto* const is_error_page_key = base::debug::AllocateCrashKeyString( | 
|  | "is_error_page", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_error_page_key, base::ToString(navigation_request->IsErrorPage())); | 
|  |  | 
|  | static auto* const from_begin_navigation_key = | 
|  | base::debug::AllocateCrashKeyString("from_begin_navigation", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | from_begin_navigation_key, | 
|  | base::ToString(navigation_request->from_begin_navigation())); | 
|  |  | 
|  | static auto* const net_error_key = base::debug::AllocateCrashKeyString( | 
|  | "net_error", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | net_error_key, | 
|  | base::NumberToString(navigation_request->GetNetErrorCode())); | 
|  |  | 
|  | static auto* const initiator_origin_key = | 
|  | base::debug::AllocateCrashKeyString("initiator_origin", | 
|  | base::debug::CrashKeySize::Size64); | 
|  | base::debug::SetCrashKeyString( | 
|  | initiator_origin_key, | 
|  | navigation_request->GetInitiatorOrigin() | 
|  | ? navigation_request->GetInitiatorOrigin()->GetDebugString() | 
|  | : "none"); | 
|  |  | 
|  | static auto* const starting_site_instance_key = | 
|  | base::debug::AllocateCrashKeyString("starting_site_instance", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(starting_site_instance_key, | 
|  | navigation_request->GetStartingSiteInstance() | 
|  | ->GetSiteInfo() | 
|  | .GetDebugString()); | 
|  |  | 
|  | // Recompute the target SiteInstance to see if it matches the current | 
|  | // one at commit time. | 
|  | BrowsingContextGroupSwap ignored_bcg_swap_info = | 
|  | BrowsingContextGroupSwap::CreateDefault(); | 
|  | scoped_refptr<SiteInstance> dest_instance = | 
|  | navigation_request->frame_tree_node() | 
|  | ->render_manager() | 
|  | ->GetSiteInstanceForNavigationRequest(navigation_request, | 
|  | &ignored_bcg_swap_info); | 
|  | static auto* const does_recomputed_site_instance_match_key = | 
|  | base::debug::AllocateCrashKeyString( | 
|  | "does_recomputed_site_instance_match", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | does_recomputed_site_instance_match_key, | 
|  | base::ToString(dest_instance == GetSiteInstance())); | 
|  | } | 
|  | } | 
|  |  | 
|  | int64_t CalculatePostID( | 
|  | const std::string& method, | 
|  | const scoped_refptr<network::ResourceRequestBody>& request_body, | 
|  | int64_t last_post_id, | 
|  | bool is_same_document) { | 
|  | if (method != "POST") | 
|  | return -1; | 
|  | // On same-document navigations that keep the "POST" method, use the POST ID | 
|  | // from the last navigation. | 
|  | if (is_same_document) | 
|  | return last_post_id; | 
|  | // Otherwise, this is a cross-document navigation. Use the POST ID from the | 
|  | // navigation request. | 
|  | return request_body ? request_body->identifier() : -1; | 
|  | } | 
|  |  | 
|  | const std::string CalculateMethod( | 
|  | const std::string& nav_request_method, | 
|  | const std::string& last_http_method, | 
|  | bool is_same_document, | 
|  | bool is_same_document_history_api_navigation) { | 
|  | DCHECK(is_same_document || !is_same_document_history_api_navigation); | 
|  | // History API navigations are always "GET" navigations. See spec: | 
|  | // https://html.spec.whatwg.org/multipage/history.html#url-and-history-update-steps | 
|  | if (is_same_document_history_api_navigation) | 
|  | return "GET"; | 
|  | // If this is a same-document navigation that isn't triggered by the history | 
|  | // API, we should preserve the HTTP method used by the last navigation. | 
|  | if (is_same_document) | 
|  | return last_http_method; | 
|  | // Otherwise, this is a cross-document navigation. Use the method specified in | 
|  | // the navigation request. | 
|  | return nav_request_method; | 
|  | } | 
|  |  | 
|  | int CalculateHTTPStatusCode(NavigationRequest* request, | 
|  | int last_http_status_code) { | 
|  | // Same-document navigations or prerender activation navigation should retain | 
|  | // the HTTP status code from the last committed navigation. | 
|  | if (request->IsSameDocument() || request->IsPrerenderedPageActivation()) | 
|  | return last_http_status_code; | 
|  |  | 
|  | // Navigations that are served from the back/forward cache will always have | 
|  | // the HTTP status code set to 200. | 
|  | if (request->IsServedFromBackForwardCache()) | 
|  | return 200; | 
|  |  | 
|  | // The HTTP status code is not set if we never received any HTTP response for | 
|  | // the navigation. | 
|  | const int request_response_code = request->commit_params().http_response_code; | 
|  | if (request_response_code == -1) | 
|  | return 0; | 
|  | // Otherwise, return the status code from |request|. | 
|  | return request_response_code; | 
|  | } | 
|  |  | 
|  | // Tries to simulate WebFrameLoadType in NavigationTypeToLoadType() in | 
|  | // render_frame_impl.cc and RenderFrameImpl::CommitFailedNavigation(). | 
|  | // TODO(crbug.com/40150370): This should only be here temporarily. | 
|  | // Remove this once the renderer behavior at commit time is more consistent with | 
|  | // what the browser instructed it to do (e.g. reloads will always be classified | 
|  | // as kReload). | 
|  | RendererLoadType CalculateRendererLoadType(NavigationRequest* request, | 
|  | bool should_replace_current_entry, | 
|  | const GURL& previous_document_url) { | 
|  | const bool is_history = | 
|  | NavigationTypeUtils::IsHistory(request->common_params().navigation_type); | 
|  | const bool is_reload = | 
|  | NavigationTypeUtils::IsReload(request->common_params().navigation_type); | 
|  | const bool has_valid_page_state = blink::PageState::CreateFromEncodedData( | 
|  | request->commit_params().page_state) | 
|  | .IsValid(); | 
|  | const bool is_error_document = request->DidEncounterError(); | 
|  |  | 
|  | // Predict if the renderer classified the navigation as a "back/forward" | 
|  | // navigation (WebFrameLoadType::kBackForward). | 
|  | bool will_be_classified_as_back_forward_navigation = false; | 
|  | if (is_error_document) { | 
|  | // For error documents, whenever the navigation has a valid PageState, it | 
|  | // will be considered as a back/forward navigation. This includes history | 
|  | // navigations and restores. See RenderFrameImpl's CommitFailedNavigation(). | 
|  | will_be_classified_as_back_forward_navigation = has_valid_page_state; | 
|  | } else { | 
|  | // For normal navigations, RenderFrameImpl's NavigationTypeToLoadType() | 
|  | // will classify a navigation as kBackForward if it's a history navigation. | 
|  | will_be_classified_as_back_forward_navigation = is_history; | 
|  | } | 
|  |  | 
|  | if (will_be_classified_as_back_forward_navigation) { | 
|  | // If the navigation is classified as kBackForward, it can't be changed to | 
|  | // another RendererLoadType below, so we can immediately return here. | 
|  | return RendererLoadType::kBackForward; | 
|  | } | 
|  |  | 
|  | if (!is_error_document && is_reload) { | 
|  | // For non-error documents, if the NavigationType given by the browser is | 
|  | // a reload, then the navigation will be classified as a reload. | 
|  | return RendererLoadType::kReload; | 
|  | } | 
|  |  | 
|  | return should_replace_current_entry ? RendererLoadType::kReplaceCurrentItem | 
|  | : RendererLoadType::kStandard; | 
|  | } | 
|  |  | 
|  | bool CalculateDidCreateNewEntry(NavigationRequest* request, | 
|  | bool should_replace_current_entry, | 
|  | RendererLoadType renderer_load_type) { | 
|  | // This function tries to simulate the calculation of |did_create_new_entry| | 
|  | // in RenderFrameImpl::MakeDidCommitProvisionalLoadParams(). | 
|  | // Standard navigations will always create a new entry. | 
|  | if (renderer_load_type == RendererLoadType::kStandard) | 
|  | return true; | 
|  |  | 
|  | // Back/Forward navigations won't create a new entry. | 
|  | if (renderer_load_type == RendererLoadType::kBackForward) | 
|  | return false; | 
|  |  | 
|  | // Otherwise, |did_create_new_entry| is true only for main frame | 
|  | // cross-document replacements. | 
|  | return request->IsInMainFrame() && should_replace_current_entry && | 
|  | !request->IsSameDocument(); | 
|  | } | 
|  |  | 
|  | ui::PageTransition CalculateTransition( | 
|  | NavigationRequest* request, | 
|  | RendererLoadType renderer_load_type, | 
|  | const mojom::DidCommitProvisionalLoadParams& params, | 
|  | bool is_in_fenced_frame_tree) { | 
|  | if (is_in_fenced_frame_tree) { | 
|  | // Navigations inside fenced frame trees do not add session history items | 
|  | // and must be marked with PAGE_TRANSITION_AUTO_SUBFRAME. This is set | 
|  | // regardless of the `is_main_frame` value since this is inside a fenced | 
|  | // frame tree and should behave the same as iframes. Also preserve client | 
|  | // redirects if they were set. | 
|  | ui::PageTransition transition = ui::PAGE_TRANSITION_AUTO_SUBFRAME; | 
|  | if (request->IsInMainFrame() && !request->DidEncounterError() && | 
|  | request->common_params().transition & | 
|  | ui::PAGE_TRANSITION_CLIENT_REDIRECT) { | 
|  | transition = | 
|  | ui::PageTransitionFromInt(ui::PAGE_TRANSITION_AUTO_SUBFRAME | | 
|  | ui::PAGE_TRANSITION_CLIENT_REDIRECT); | 
|  | } | 
|  |  | 
|  | return transition; | 
|  | } | 
|  | if (request->IsSameDocument()) | 
|  | return params.transition; | 
|  | if (request->IsInMainFrame()) { | 
|  | // This follows GetTransitionType() in render_frame_impl.cc. | 
|  | ui::PageTransition supplied_transition = | 
|  | ui::PageTransitionFromInt(request->common_params().transition); | 
|  | if (ui::PageTransitionCoreTypeIs(supplied_transition, | 
|  | ui::PAGE_TRANSITION_LINK) && | 
|  | request->common_params().post_data) { | 
|  | return ui::PAGE_TRANSITION_FORM_SUBMIT; | 
|  | } | 
|  | return supplied_transition; | 
|  | } | 
|  | // This follows RenderFrameImpl::MakeDidCommitProvisionalLoadParams(). | 
|  | if (renderer_load_type == RendererLoadType::kStandard) | 
|  | return ui::PAGE_TRANSITION_MANUAL_SUBFRAME; | 
|  | return ui::PAGE_TRANSITION_AUTO_SUBFRAME; | 
|  | } | 
|  |  | 
|  | // Calculates the "loading" URL for a given navigation. This tries to replicate | 
|  | // RenderFrameImpl::GetLoadingUrl() and is used to predict the value of "url" in | 
|  | // DidCommitProvisionalLoadParams. | 
|  | GURL CalculateLoadingURL( | 
|  | NavigationRequest* request, | 
|  | const mojom::DidCommitProvisionalLoadParams& params, | 
|  | const RenderFrameHostImpl::RendererURLInfo& last_renderer_url_info, | 
|  | bool last_document_is_error_document, | 
|  | const GURL& last_committed_url) { | 
|  | if (params.url.IsAboutBlank() && params.url.ref_piece() == "blocked") { | 
|  | // Some navigations can still be blocked by the renderer during the commit, | 
|  | // changing the URL to "about:blank#blocked". Currently we have no way of | 
|  | // predicting this in the browser, so just return the URL given by the | 
|  | // renderer in this case. | 
|  | // TODO(crbug.com/40150370): Block the navigations in the browser | 
|  | // instead and remove |params| as a parameter to this function. | 
|  | return params.url; | 
|  | } | 
|  |  | 
|  | if (!request->common_params().url.is_valid()) { | 
|  | // Empty URL (and invalid URLs, which are converted to the empty URL due | 
|  | // to IPC URL reparsing) will be rewritten to "about:blank" in the renderer. | 
|  | // TODO(crbug.com/40150370): Do the rewrite in the browser. | 
|  | return GURL(url::kAboutBlankURL); | 
|  | } | 
|  |  | 
|  | if (request->IsSameDocument() && | 
|  | (last_document_is_error_document || | 
|  | last_renderer_url_info.was_loaded_from_load_data_with_base_url)) { | 
|  | // Documents that have an "override" URL (loadDataWithBaseURL navigations, | 
|  | // error documents) will continue using that URL even after same-document | 
|  | // navigations. | 
|  | return last_committed_url; | 
|  | } | 
|  |  | 
|  | // For all other navigations, the returned URL should be the same as the URL | 
|  | // in CommonNavigationParams. | 
|  | return request->common_params().url; | 
|  | } | 
|  |  | 
|  | bool ShouldVerify(const std::string& param) { | 
|  | #if DCHECK_IS_ON() | 
|  | // Check for all params when DCHECK is on, to have full coverage on bots. | 
|  | return true; | 
|  | #else | 
|  | if (param == "origin") { | 
|  | // Always enable checking origin. To disable checking origin, turn off the | 
|  | // VerifyDidCommitParams flag. | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // For other params, default to disable checking the param. However, it's | 
|  | // possible to force-enable checking the param via the VerifyDidCommitParams | 
|  | // flag's param. | 
|  | return GetFieldTrialParamByFeatureAsBool(features::kVerifyDidCommitParams, | 
|  | param, false); | 
|  | #endif | 
|  | } | 
|  |  | 
|  | std::string GetURLTypeForCrashKey(const GURL& url) { | 
|  | if (url == kUnreachableWebDataURL) | 
|  | return "error"; | 
|  | if (url == kBlockedURL) | 
|  | return "blocked"; | 
|  | if (url.IsAboutBlank()) | 
|  | return "about:blank"; | 
|  | if (url.IsAboutSrcdoc()) | 
|  | return "about:srcdoc"; | 
|  | if (url.is_empty()) | 
|  | return "empty"; | 
|  | if (!url.is_valid()) | 
|  | return "invalid"; | 
|  | return url.scheme(); | 
|  | } | 
|  |  | 
|  | std::string GetURLRelationForCrashKey( | 
|  | const GURL& actual_url, | 
|  | const GURL& predicted_url, | 
|  | const blink::mojom::CommonNavigationParams& common_params, | 
|  | const GURL& last_committed_url, | 
|  | const RenderFrameHostImpl::RendererURLInfo& renderer_url_info) { | 
|  | if (actual_url == predicted_url) | 
|  | return "as predicted"; | 
|  | if (actual_url == last_committed_url) | 
|  | return "last committed"; | 
|  | if (actual_url == common_params.url) | 
|  | return "common params URL"; | 
|  | if (actual_url == common_params.base_url_for_data_url) | 
|  | return "base URL"; | 
|  | if (actual_url == renderer_url_info.last_document_url) | 
|  | return "last document URL"; | 
|  | return "unknown"; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl:: | 
|  | VerifyThatBrowserAndRendererCalculatedDidCommitParamsMatch( | 
|  | NavigationRequest* request, | 
|  | const mojom::DidCommitProvisionalLoadParams& params, | 
|  | const mojom::DidCommitSameDocumentNavigationParamsPtr | 
|  | same_document_params) { | 
|  | #if !DCHECK_IS_ON() | 
|  | // Only check for the flag if DCHECK is not enabled, so that we will always | 
|  | // verify the params for tests. | 
|  | if (!base::FeatureList::IsEnabled(features::kVerifyDidCommitParams)) | 
|  | return; | 
|  | #endif | 
|  | // Check if these values from DidCommitProvisionalLoadParams sent by the | 
|  | // renderer can be calculated entirely in the browser side: | 
|  | // - method | 
|  | // - url_is_unreachable | 
|  | // - post_id | 
|  | // - is_overriding_user_agent | 
|  | // - http_status_code | 
|  | // - should_update_history | 
|  | // - url | 
|  | // - did_create_new_entry | 
|  | // - transition | 
|  | // - history_list_was_cleared | 
|  | // - origin | 
|  | // TODO(crbug.com/40150370): Verify more params. | 
|  | // To disable the check for all params, disable the VerifyDidCommitParams | 
|  | // flag. To disable the check for a subset of params, see `ShouldVerify()`. | 
|  |  | 
|  | // We can know if we're going to be in an error document after this navigation | 
|  | // if the net error code is not net::OK, or if we're doing a same-document | 
|  | // navigation on an error document (only possible for renderer-initiated | 
|  | // navigations). | 
|  | const bool is_error_document = | 
|  | (request->DidEncounterError() || | 
|  | (is_error_document_ && request->IsSameDocument())); | 
|  |  | 
|  | const bool browser_url_is_unreachable = is_error_document; | 
|  |  | 
|  | const bool is_same_document_navigation = !!same_document_params; | 
|  | const bool is_same_document_history_api_navigation = | 
|  | same_document_params && | 
|  | same_document_params->same_document_navigation_type == | 
|  | blink::mojom::SameDocumentNavigationType::kHistoryApi; | 
|  | DCHECK_EQ(is_same_document_navigation, request->IsSameDocument()); | 
|  |  | 
|  | const int64_t browser_post_id = | 
|  | CalculatePostID(params.method, request->common_params().post_data, | 
|  | last_post_id_, is_same_document_navigation); | 
|  |  | 
|  | const std::string& browser_method = CalculateMethod( | 
|  | request->common_params().method, last_http_method_, | 
|  | is_same_document_navigation, is_same_document_history_api_navigation); | 
|  |  | 
|  | const bool browser_is_overriding_user_agent = | 
|  | request->frame_tree_node()->IsMainFrame() && | 
|  | (is_same_document_navigation | 
|  | ? GetPage().is_overriding_user_agent() | 
|  | : request->commit_params().is_overriding_user_agent); | 
|  |  | 
|  | const int browser_http_status_code = | 
|  | CalculateHTTPStatusCode(request, last_http_status_code_); | 
|  |  | 
|  | // Note that this follows the calculation of should_update_history in | 
|  | // RenderFrameImpl::MakeDidCommitProvisionalLoadParams(). | 
|  | // TODO(crbug.com/40161149): Reconsider how we calculate | 
|  | // should_update_history. | 
|  | const bool browser_should_update_history = | 
|  | !browser_url_is_unreachable && browser_http_status_code != 404; | 
|  |  | 
|  | const bool should_replace_current_entry = | 
|  | request->common_params().should_replace_current_entry; | 
|  |  | 
|  | const GURL browser_url = | 
|  | CalculateLoadingURL(request, params, renderer_url_info_, | 
|  | is_error_document_, last_committed_url_); | 
|  |  | 
|  | const RendererLoadType renderer_load_type = | 
|  | CalculateRendererLoadType(request, should_replace_current_entry, | 
|  | renderer_url_info_.last_document_url); | 
|  |  | 
|  | const bool browser_did_create_new_entry = | 
|  | request->is_synchronous_renderer_commit() | 
|  | ? params.did_create_new_entry | 
|  | : CalculateDidCreateNewEntry(request, should_replace_current_entry, | 
|  | renderer_load_type); | 
|  |  | 
|  | const ui::PageTransition browser_transition = CalculateTransition( | 
|  | request, renderer_load_type, params, IsNestedWithinFencedFrame()); | 
|  |  | 
|  | const bool browser_history_list_was_cleared = | 
|  | request->commit_params().should_clear_history_list; | 
|  |  | 
|  | const bool everything_except_origin_matches = | 
|  | ((!ShouldVerify("method") || browser_method == params.method) && | 
|  | (!ShouldVerify("url_is_unreachable") || | 
|  | browser_url_is_unreachable == params.url_is_unreachable) && | 
|  | (!ShouldVerify("post_id") || browser_post_id == params.post_id) && | 
|  | (!ShouldVerify("is_overriding_user_agent") || | 
|  | browser_is_overriding_user_agent == params.is_overriding_user_agent) && | 
|  | (!ShouldVerify("http_status_code") || | 
|  | browser_http_status_code == params.http_status_code) && | 
|  | (!ShouldVerify("should_update_history") || | 
|  | browser_should_update_history == params.should_update_history) && | 
|  | (!ShouldVerify("url") || browser_url == params.url) && | 
|  | (!ShouldVerify("did_create_new_entry") || | 
|  | browser_did_create_new_entry == params.did_create_new_entry) && | 
|  | (!ShouldVerify("transition") || | 
|  | ui::PageTransitionTypeIncludingQualifiersIs(browser_transition, | 
|  | params.transition)) && | 
|  | (!ShouldVerify("history_list_was_cleared") || | 
|  | browser_history_list_was_cleared == params.history_list_was_cleared)); | 
|  | if (everything_except_origin_matches && | 
|  | (!ShouldVerify("origin") || | 
|  | request->state() < NavigationRequest::WILL_PROCESS_RESPONSE || | 
|  | request->GetOriginToCommit() == params.origin)) { | 
|  | // Don't do a DumpWithoutCrashing if everything matches. Note that we save | 
|  | // `everything_except_origin_matches` separately so that we can skip doing | 
|  | // a DumpWithoutCrashing at the end of this function if the origin turns | 
|  | // out to match (actual origin match checking is done below as it does its | 
|  | // own DumpWithoutCrashing). | 
|  | return; | 
|  | } | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL( | 
|  | "VerifyDidCommit", "prev_ldwb", | 
|  | renderer_url_info_.was_loaded_from_load_data_with_base_url); | 
|  | SCOPED_CRASH_KEY_STRING32( | 
|  | "VerifyDidCommit", "base_url_fdu_type", | 
|  | GetURLTypeForCrashKey(request->common_params().base_url_for_data_url)); | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "data_url_empty", | 
|  | request->commit_params().data_url_as_string.empty()); | 
|  | #endif | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "intended_as_new_entry", | 
|  | request->commit_params().intended_as_new_entry); | 
|  |  | 
|  | SCOPED_CRASH_KEY_STRING32("VerifyDidCommit", "method_browser", | 
|  | browser_method); | 
|  | SCOPED_CRASH_KEY_STRING32("VerifyDidCommit", "method_renderer", | 
|  | params.method); | 
|  | SCOPED_CRASH_KEY_STRING32("VerifyDidCommit", "original_method", | 
|  | request->commit_params().original_method); | 
|  | // For WebView, since we don't want to log potential PIIs. | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "method_post_browser", | 
|  | browser_method == "POST"); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "method_post_renderer", | 
|  | params.method == "POST"); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "original_method_post", | 
|  | request->commit_params().original_method == "POST"); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "unreachable_browser", | 
|  | browser_url_is_unreachable); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "unreachable_renderer", | 
|  | params.url_is_unreachable); | 
|  |  | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "post_id_browser", | 
|  | browser_post_id); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "post_id_renderer", | 
|  | params.post_id); | 
|  | // For WebView, since we don't want to log IDs. | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "post_id_matches", | 
|  | browser_post_id == params.post_id); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "post_id_-1_browser", | 
|  | browser_post_id == -1); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "post_id_-1_renderer", | 
|  | params.post_id == -1); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "override_ua_browser", | 
|  | browser_is_overriding_user_agent); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "override_ua_renderer", | 
|  | params.is_overriding_user_agent); | 
|  |  | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "code_browser", | 
|  | browser_http_status_code); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "code_renderer", | 
|  | params.http_status_code); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "suh_browser", | 
|  | browser_should_update_history); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "suh_renderer", | 
|  | params.should_update_history); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "gesture", | 
|  | request->common_params().has_user_gesture); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "replace", | 
|  | should_replace_current_entry); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "create_browser", | 
|  | browser_did_create_new_entry); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "create_renderer", | 
|  | params.did_create_new_entry); | 
|  |  | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "transition_browser", | 
|  | browser_transition); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "transition_renderer", | 
|  | params.transition); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "cleared_browser", | 
|  | browser_history_list_was_cleared); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "cleared_renderer", | 
|  | params.history_list_was_cleared); | 
|  |  | 
|  | SCOPED_CRASH_KEY_STRING256("VerifyDidCommit", "url_browser", | 
|  | browser_url.possibly_invalid_spec()); | 
|  | SCOPED_CRASH_KEY_STRING256("VerifyDidCommit", "url_renderer", | 
|  | params.url.possibly_invalid_spec()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_STRING32( | 
|  | "VerifyDidCommit", "url_relation", | 
|  | GetURLRelationForCrashKey(params.url, browser_url, | 
|  | request->common_params(), GetLastCommittedURL(), | 
|  | renderer_url_info_)); | 
|  | SCOPED_CRASH_KEY_STRING32("VerifyDidCommit", "url_browser_type", | 
|  | GetURLTypeForCrashKey(browser_url)); | 
|  | SCOPED_CRASH_KEY_STRING32("VerifyDidCommit", "url_renderer_type", | 
|  | GetURLTypeForCrashKey(params.url)); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "is_same_document", | 
|  | is_same_document_navigation); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "is_history_api", | 
|  | is_same_document_history_api_navigation); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "renderer_initiated", | 
|  | request->IsRendererInitiated()); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "is_subframe", | 
|  | !request->frame_tree_node()->IsMainFrame()); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "is_form_submission", | 
|  | request->IsFormSubmission()); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "is_error_document", | 
|  | is_error_document); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "net_error", | 
|  | request->GetNetErrorCode()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "is_server_redirect", | 
|  | request->WasServerRedirect()); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "redirects_size", | 
|  | request->GetRedirectChain().size()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "entry_offset", | 
|  | request->GetNavigationEntryOffset()); | 
|  | SCOPED_CRASH_KEY_NUMBER( | 
|  | "VerifyDidCommit", "entry_count", | 
|  | request->frame_tree_node()->frame_tree().controller().GetEntryCount()); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "last_committed_index", | 
|  | request->frame_tree_node() | 
|  | ->frame_tree() | 
|  | .controller() | 
|  | .GetLastCommittedEntryIndex()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL( | 
|  | "VerifyDidCommit", "is_reload", | 
|  | NavigationTypeUtils::IsReload(request->common_params().navigation_type)); | 
|  | SCOPED_CRASH_KEY_BOOL( | 
|  | "VerifyDidCommit", "is_restore", | 
|  | NavigationTypeUtils::IsRestore(request->common_params().navigation_type)); | 
|  | SCOPED_CRASH_KEY_BOOL( | 
|  | "VerifyDidCommit", "is_history", | 
|  | NavigationTypeUtils::IsHistory(request->common_params().navigation_type)); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "has_valid_page_state", | 
|  | blink::PageState::CreateFromEncodedData( | 
|  | request->commit_params().page_state) | 
|  | .IsValid()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "has_gesture", | 
|  | request->HasUserGesture()); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "was_click", | 
|  | request->WasInitiatedByLinkClick()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_STRING256("VerifyDidCommit", "original_req_url", | 
|  | request->commit_params().original_url.spec()); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "original_same_doc", | 
|  | request->commit_params().original_url.EqualsIgnoringRef( | 
|  | GetLastCommittedURL())); | 
|  |  | 
|  | SCOPED_CRASH_KEY_BOOL( | 
|  | "VerifyDidCommit", "on_initial_empty_doc", | 
|  | request->frame_tree_node()->is_on_initial_empty_document()); | 
|  |  | 
|  | SCOPED_CRASH_KEY_STRING256("VerifyDidCommit", "last_committed_url", | 
|  | GetLastCommittedURL().spec()); | 
|  | SCOPED_CRASH_KEY_STRING256("VerifyDidCommit", "last_document_url", | 
|  | renderer_url_info_.last_document_url.spec()); | 
|  | SCOPED_CRASH_KEY_STRING32("VerifyDidCommit", "last_url_type", | 
|  | GetURLTypeForCrashKey(GetLastCommittedURL())); | 
|  |  | 
|  | SCOPED_CRASH_KEY_STRING256("VerifyDidCommit", "last_method", | 
|  | last_http_method_); | 
|  | SCOPED_CRASH_KEY_NUMBER("VerifyDidCommit", "last_code", | 
|  | last_http_status_code_); | 
|  |  | 
|  | bool has_original_url = | 
|  | GetSiteInstance() && !GetSiteInstance()->IsDefaultSiteInstance(); | 
|  | SCOPED_CRASH_KEY_STRING256( | 
|  | "VerifyDidCommit", "si_url", | 
|  | has_original_url | 
|  | ? GetSiteInstance()->original_url().possibly_invalid_spec() | 
|  | : ""); | 
|  | SCOPED_CRASH_KEY_BOOL("VerifyDidCommit", "has_si_url", has_original_url); | 
|  |  | 
|  | // These DCHECKs ensure that tests will fail if we got here, as | 
|  | // DumpWithoutCrashing won't fail tests. | 
|  | DCHECK_EQ(browser_method, params.method); | 
|  | DCHECK_EQ(browser_url_is_unreachable, params.url_is_unreachable); | 
|  | DCHECK_EQ(browser_post_id, params.post_id); | 
|  | DCHECK_EQ(browser_is_overriding_user_agent, params.is_overriding_user_agent); | 
|  | DCHECK_EQ(browser_http_status_code, params.http_status_code); | 
|  | DCHECK_EQ(browser_should_update_history, params.should_update_history); | 
|  | DCHECK_EQ(browser_url, params.url); | 
|  | DCHECK_EQ(browser_did_create_new_entry, params.did_create_new_entry); | 
|  | DCHECK(ui::PageTransitionTypeIncludingQualifiersIs(browser_transition, | 
|  | params.transition)); | 
|  | DCHECK_EQ(browser_history_list_was_cleared, params.history_list_was_cleared); | 
|  |  | 
|  | if (!everything_except_origin_matches) { | 
|  | // It's possible to get here when everything except the origin matches. | 
|  | // If the origin doesn't match, we would do a DumpWithoutCrashing above. | 
|  | // So, don't do a DumpWithoutCrashing unless there's another param that | 
|  | // doesn't match. | 
|  | // Note: This is temporarily disabled on Android as there has been a recent | 
|  | // spike of reports on Android WebView. | 
|  | #if !BUILDFLAG(IS_ANDROID) | 
|  | base::debug::DumpWithoutCrashing(); | 
|  | #endif  // !BUILDFLAG(IS_ANDROID) | 
|  | } | 
|  | } | 
|  |  | 
|  | BackForwardCacheImpl& RenderFrameHostImpl::GetBackForwardCache() { | 
|  | return GetOutermostMainFrame() | 
|  | ->frame_tree() | 
|  | ->controller() | 
|  | .GetBackForwardCache(); | 
|  | } | 
|  |  | 
|  | FrameTreeNode* RenderFrameHostImpl::GetFrameTreeNodeForUnload() { | 
|  | DCHECK(IsPendingDeletion()); | 
|  | return frame_tree_node_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeEvictFromBackForwardCache() { | 
|  | if (!IsInBackForwardCache()) | 
|  | return; | 
|  |  | 
|  | RenderFrameHostImpl* outermost_main_frame = GetOutermostMainFrame(); | 
|  | BackForwardCacheCanStoreDocumentResultWithTree bfcache_eligibility = | 
|  | GetBackForwardCache().GetCurrentBackForwardCacheEligibility( | 
|  | outermost_main_frame); | 
|  |  | 
|  | TRACE_EVENT("navigation", | 
|  | "RenderFrameHostImpl::MaybeEvictFromBackForwardCache", | 
|  | "render_frame_host", this, "bfcache_eligibility", | 
|  | bfcache_eligibility.flattened_reasons.ToString()); | 
|  |  | 
|  | if (bfcache_eligibility.CanStore()) | 
|  | return; | 
|  | EvictFromBackForwardCacheWithFlattenedAndTreeReasons(bfcache_eligibility); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::LogCannotCommitOriginCrashKeys( | 
|  | const GURL& url, | 
|  | const url::Origin& origin, | 
|  | const ProcessLock& process_lock, | 
|  | bool is_same_document_navigation, | 
|  | NavigationRequest* navigation_request) { | 
|  | LogRendererKillCrashKeys(GetSiteInstance()->GetSiteInfo()); | 
|  |  | 
|  | // Temporary instrumentation to debug the root cause of | 
|  | // https://crbug.com/923144. | 
|  |  | 
|  | static auto* const target_url_key = base::debug::AllocateCrashKeyString( | 
|  | "target_url", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(target_url_key, url.spec()); | 
|  |  | 
|  | static auto* const target_origin_key = base::debug::AllocateCrashKeyString( | 
|  | "target_origin", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(target_origin_key, origin.GetDebugString()); | 
|  |  | 
|  | const url::Origin url_origin = url::Origin::Resolve(url, origin); | 
|  | const auto target_url_origin_tuple_or_precursor_tuple = | 
|  | url_origin.GetTupleOrPrecursorTupleIfOpaque(); | 
|  | static auto* const target_url_origin_tuple_key = | 
|  | base::debug::AllocateCrashKeyString("target_url_origin_tuple", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString( | 
|  | target_url_origin_tuple_key, | 
|  | target_url_origin_tuple_or_precursor_tuple.Serialize()); | 
|  |  | 
|  | const auto target_origin_tuple_or_precursor_tuple = | 
|  | origin.GetTupleOrPrecursorTupleIfOpaque(); | 
|  | static auto* const target_origin_tuple_key = | 
|  | base::debug::AllocateCrashKeyString("target_origin_tuple", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString( | 
|  | target_origin_tuple_key, | 
|  | target_origin_tuple_or_precursor_tuple.Serialize()); | 
|  |  | 
|  | static auto* const last_committed_url_key = | 
|  | base::debug::AllocateCrashKeyString("last_committed_url", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(last_committed_url_key, | 
|  | GetLastCommittedURL().spec()); | 
|  |  | 
|  | static auto* const last_committed_origin_key = | 
|  | base::debug::AllocateCrashKeyString("last_committed_origin", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(last_committed_origin_key, | 
|  | GetLastCommittedOrigin().GetDebugString()); | 
|  |  | 
|  | static auto* const process_lock_key = base::debug::AllocateCrashKeyString( | 
|  | "process_lock", base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(process_lock_key, process_lock.ToString()); | 
|  |  | 
|  | static auto* const is_same_document_key = base::debug::AllocateCrashKeyString( | 
|  | "is_same_document", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_same_document_key, | 
|  | base::ToString(is_same_document_navigation)); | 
|  |  | 
|  | static auto* const is_subframe_key = base::debug::AllocateCrashKeyString( | 
|  | "is_subframe", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_subframe_key, | 
|  | base::ToString(GetMainFrame() != this)); | 
|  |  | 
|  | static auto* const lifecycle_state_key = base::debug::AllocateCrashKeyString( | 
|  | "lifecycle_state", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(lifecycle_state_key, | 
|  | LifecycleStateImplToString(lifecycle_state())); | 
|  |  | 
|  | static auto* const is_active_key = base::debug::AllocateCrashKeyString( | 
|  | "is_active", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_active_key, base::ToString(IsActive())); | 
|  |  | 
|  | static auto* const is_cross_process_subframe_key = | 
|  | base::debug::AllocateCrashKeyString("is_cross_process_subframe", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_cross_process_subframe_key, | 
|  | base::ToString(IsCrossProcessSubframe())); | 
|  |  | 
|  | static auto* const is_local_root_key = base::debug::AllocateCrashKeyString( | 
|  | "is_local_root", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString(is_local_root_key, | 
|  | base::ToString(is_local_root())); | 
|  |  | 
|  | if (navigation_request && navigation_request->IsNavigationStarted()) { | 
|  | static auto* const is_renderer_initiated_key = | 
|  | base::debug::AllocateCrashKeyString("is_renderer_initiated", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_renderer_initiated_key, | 
|  | base::ToString(navigation_request->IsRendererInitiated())); | 
|  |  | 
|  | static auto* const is_server_redirect_key = | 
|  | base::debug::AllocateCrashKeyString("is_server_redirect", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_server_redirect_key, | 
|  | base::ToString(navigation_request->WasServerRedirect())); | 
|  |  | 
|  | static auto* const is_form_submission_key = | 
|  | base::debug::AllocateCrashKeyString("is_form_submission", | 
|  | base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_form_submission_key, | 
|  | base::ToString(navigation_request->IsFormSubmission())); | 
|  |  | 
|  | static auto* const is_error_page_key = base::debug::AllocateCrashKeyString( | 
|  | "is_error_page", base::debug::CrashKeySize::Size32); | 
|  | base::debug::SetCrashKeyString( | 
|  | is_error_page_key, base::ToString(navigation_request->IsErrorPage())); | 
|  |  | 
|  | static auto* const initiator_origin_key = | 
|  | base::debug::AllocateCrashKeyString("initiator_origin", | 
|  | base::debug::CrashKeySize::Size64); | 
|  | base::debug::SetCrashKeyString( | 
|  | initiator_origin_key, | 
|  | navigation_request->GetInitiatorOrigin() | 
|  | ? navigation_request->GetInitiatorOrigin()->GetDebugString() | 
|  | : "none"); | 
|  |  | 
|  | static auto* const starting_site_instance_key = | 
|  | base::debug::AllocateCrashKeyString("starting_site_instance", | 
|  | base::debug::CrashKeySize::Size256); | 
|  | base::debug::SetCrashKeyString(starting_site_instance_key, | 
|  | navigation_request->GetStartingSiteInstance() | 
|  | ->GetSiteInfo() | 
|  | .GetDebugString()); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnableMojoJsBindings( | 
|  | content::mojom::ExtraMojoJsFeaturesPtr features) { | 
|  | // This method should only be called on RenderFrameHost which is for a WebUI. | 
|  | DCHECK_NE(WebUI::kNoWebUI, | 
|  | WebUIControllerFactoryRegistry::GetInstance()->GetWebUIType( | 
|  | GetSiteInstance()->GetBrowserContext(), | 
|  | site_instance_->GetSiteInfo().site_url())); | 
|  |  | 
|  | GetFrameBindingsControl()->EnableMojoJsBindings(std::move(features)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnableMojoJsBindingsWithBroker( | 
|  | mojo::PendingRemote<blink::mojom::BrowserInterfaceBroker> broker) { | 
|  | // This method should only be called on RenderFrameHost that has an associated | 
|  | // WebUI, because it needs to transfer the broker's ownership to its | 
|  | // WebUIController. EnableMojoJsBindings does this differently and can be | 
|  | // called before the WebUI object is created. | 
|  | DCHECK(GetWebUI()); | 
|  | GetFrameBindingsControl()->EnableMojoJsBindingsWithBroker(std::move(broker)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsOutermostMainFrame() const { | 
|  | return !GetParentOrOuterDocument(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetIsLoadingForRendererDebugURL() { | 
|  | LoadingState previous_frame_tree_loading_state = | 
|  | frame_tree()->LoadingTree()->GetLoadingState(); | 
|  | loading_state_ = LoadingState::LOADING_UI_REQUESTED; | 
|  | owner_->DidStartLoading(previous_frame_tree_loading_state); | 
|  | } | 
|  |  | 
|  | BackForwardCacheMetrics* RenderFrameHostImpl::GetBackForwardCacheMetrics() { | 
|  | NavigationEntryImpl* navigation_entry = | 
|  | frame_tree()->controller().GetEntryWithUniqueID(nav_entry_id()); | 
|  | if (!navigation_entry) | 
|  | return nullptr; | 
|  | return navigation_entry->back_forward_cache_metrics(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsBackForwardCacheDisabled() const { | 
|  | return back_forward_cache_disabled_reasons_.size(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsDOMContentLoaded() { | 
|  | return document_associated_data_->dom_content_loaded(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::UpdateIsAdFrame(bool is_ad_frame) { | 
|  | browsing_context_state_->SetIsAdFrame(is_ad_frame); | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | void RenderFrameHostImpl::PerformGetAssertionWebAuthSecurityChecks( | 
|  | const std::string& relying_party_id, | 
|  | const url::Origin& effective_origin, | 
|  | bool is_payment_credential_get_assertion, | 
|  | const std::optional<url::Origin>& remote_desktop_client_override_origin, | 
|  | base::OnceCallback<void(blink::mojom::AuthenticatorStatus, bool)> | 
|  | callback) { | 
|  | bool is_cross_origin = true;  // Will be reset in ValidateAncestorOrigins(). | 
|  |  | 
|  | WebAuthRequestSecurityChecker::RequestType request_type = | 
|  | is_payment_credential_get_assertion | 
|  | ? WebAuthRequestSecurityChecker::RequestType:: | 
|  | kGetPaymentCredentialAssertion | 
|  | : WebAuthRequestSecurityChecker::RequestType::kGetAssertion; | 
|  | blink::mojom::AuthenticatorStatus status = | 
|  | GetWebAuthRequestSecurityChecker()->ValidateAncestorOrigins( | 
|  | effective_origin, request_type, &is_cross_origin); | 
|  | if (status != blink::mojom::AuthenticatorStatus::SUCCESS) { | 
|  | std::move(callback).Run(status, is_cross_origin); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!GetContentClient() | 
|  | ->browser() | 
|  | ->IsSecurityLevelAcceptableForWebAuthn(this, effective_origin)) { | 
|  | std::move(callback).Run( | 
|  | blink::mojom::AuthenticatorStatus::CERTIFICATE_ERROR, is_cross_origin); | 
|  | return; | 
|  | } | 
|  |  | 
|  | std::unique_ptr<WebAuthRequestSecurityChecker::RemoteValidation> | 
|  | remote_validation = | 
|  | GetWebAuthRequestSecurityChecker()->ValidateDomainAndRelyingPartyID( | 
|  | effective_origin, relying_party_id, request_type, | 
|  | remote_desktop_client_override_origin, | 
|  | base::BindOnce(&RenderFrameHostImpl:: | 
|  | OnGetAssertionWebAuthSecurityChecksCompleted, | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | std::move(callback), is_cross_origin)); | 
|  |  | 
|  | // If `remote_validation` is nullptr then this object may already have been | 
|  | // destroyed. | 
|  | if (remote_validation) { | 
|  | webauthn_remote_rp_id_validation_ = std::move(remote_validation); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnGetAssertionWebAuthSecurityChecksCompleted( | 
|  | base::OnceCallback<void(blink::mojom::AuthenticatorStatus, bool)> callback, | 
|  | bool is_cross_origin, | 
|  | blink::mojom::AuthenticatorStatus status) { | 
|  | webauthn_remote_rp_id_validation_.reset(); | 
|  | std::move(callback).Run(status, is_cross_origin); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::PerformMakeCredentialWebAuthSecurityChecks( | 
|  | const std::string& relying_party_id, | 
|  | const url::Origin& effective_origin, | 
|  | bool is_payment_credential_creation, | 
|  | const std::optional<url::Origin>& remote_desktop_client_override_origin, | 
|  | base::OnceCallback<void(blink::mojom::AuthenticatorStatus, bool)> | 
|  | callback) { | 
|  | bool is_cross_origin = true;  // Will be reset in ValidateAncestorOrigins(). | 
|  | WebAuthRequestSecurityChecker::RequestType request_type = | 
|  | is_payment_credential_creation | 
|  | ? WebAuthRequestSecurityChecker::RequestType::kMakePaymentCredential | 
|  | : WebAuthRequestSecurityChecker::RequestType::kMakeCredential; | 
|  | blink::mojom::AuthenticatorStatus status = | 
|  | GetWebAuthRequestSecurityChecker()->ValidateAncestorOrigins( | 
|  | effective_origin, request_type, &is_cross_origin); | 
|  | if (status != blink::mojom::AuthenticatorStatus::SUCCESS) { | 
|  | std::move(callback).Run(status, is_cross_origin); | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (!GetContentClient() | 
|  | ->browser() | 
|  | ->IsSecurityLevelAcceptableForWebAuthn(this, effective_origin)) { | 
|  | std::move(callback).Run( | 
|  | blink::mojom::AuthenticatorStatus::CERTIFICATE_ERROR, is_cross_origin); | 
|  | return; | 
|  | } | 
|  |  | 
|  | std::unique_ptr<WebAuthRequestSecurityChecker::RemoteValidation> | 
|  | remote_validation = | 
|  | GetWebAuthRequestSecurityChecker()->ValidateDomainAndRelyingPartyID( | 
|  | effective_origin, relying_party_id, request_type, | 
|  | remote_desktop_client_override_origin, | 
|  | base::BindOnce(&RenderFrameHostImpl:: | 
|  | OnMakeCredentialWebAuthSecurityChecksCompleted, | 
|  | weak_ptr_factory_.GetWeakPtr(), | 
|  | std::move(callback), is_cross_origin)); | 
|  |  | 
|  | // If `remote_validation` is nullptr then this object may already have been | 
|  | // destroyed. | 
|  | if (remote_validation) { | 
|  | webauthn_remote_rp_id_validation_ = std::move(remote_validation); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnMakeCredentialWebAuthSecurityChecksCompleted( | 
|  | base::OnceCallback<void(blink::mojom::AuthenticatorStatus, bool)> callback, | 
|  | bool is_cross_origin, | 
|  | blink::mojom::AuthenticatorStatus status) { | 
|  | webauthn_remote_rp_id_validation_.reset(); | 
|  | std::move(callback).Run(status, is_cross_origin); | 
|  | } | 
|  | #endif | 
|  |  | 
|  | void RenderFrameHostImpl::CleanUpMediaStreams() { | 
|  | for (int i = 0; i < static_cast<int>(MediaStreamType::kCount); ++i) { | 
|  | while (media_stream_counts_[i] != 0) { | 
|  | OnMediaStreamRemoved(static_cast<MediaStreamType>(i)); | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BoostRenderProcessForLoading() { | 
|  | MaybeResetBoostRenderProcessForLoading(); | 
|  | boost_render_process_for_loading_ = true; | 
|  | GetProcess()->OnBoostForLoadingAdded(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::MaybeResetBoostRenderProcessForLoading() { | 
|  | if (boost_render_process_for_loading_) { | 
|  | boost_render_process_for_loading_ = false; | 
|  | GetProcess()->OnBoostForLoadingRemoved(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::CleanupRenderProcessForDiscardIfPossible() { | 
|  | DiscardedRFHProcessHelper::GetForRenderProcessHost(GetProcess()) | 
|  | ->ShutdownForDiscardIfPossible(); | 
|  | } | 
|  |  | 
|  | const blink::DocumentToken& RenderFrameHostImpl::GetDocumentToken() const { | 
|  | DCHECK_NE(LifecycleStateImpl::kPendingCommit, lifecycle_state()); | 
|  | DCHECK_NE(LifecycleStateImpl::kSpeculative, lifecycle_state()); | 
|  |  | 
|  | return GetDocumentTokenIgnoringSafetyRestrictions(); | 
|  | } | 
|  |  | 
|  | const blink::DocumentToken* | 
|  | RenderFrameHostImpl::GetDocumentTokenForCrossDocumentNavigationReuse( | 
|  | base::PassKey<NavigationRequest>) { | 
|  | if (ShouldResetDocumentAssociatedDataAtCommit()) { | 
|  | return nullptr; | 
|  | } | 
|  |  | 
|  | return &document_associated_data_->token(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ReinitializeDocumentAssociatedDataForReuseAfterCrash( | 
|  | base::PassKey<RenderFrameHostManager>) { | 
|  | DCHECK(is_main_frame()); | 
|  | DCHECK_EQ(RenderFrameState::kDeleted, render_frame_state_); | 
|  |  | 
|  | // Clear all the document-associated data for this RenderFrameHost when its | 
|  | // RenderFrame is recreated after a crash. Note that the user data is | 
|  | // intentionally not cleared at the time of crash. Please refer to | 
|  | // https://crbug.com/1099237 for more details. | 
|  | // | 
|  | // Clearing of user data should be called before RenderFrameCreated to | 
|  | // ensure: | 
|  | // - a) the new state set in RenderFrameCreated doesn't get deleted. | 
|  | // - b) the old state is not leaked to a new RenderFrameHost. | 
|  | document_associated_data_.emplace(*this, blink::DocumentToken()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::ReinitializeDocumentAssociatedDataForTesting() { | 
|  | document_associated_data_.emplace(*this, blink::DocumentToken()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::IsClipboardPasteAllowedByPolicy( | 
|  | const ClipboardEndpoint& source, | 
|  | const ClipboardEndpoint& destination, | 
|  | const ClipboardMetadata& metadata, | 
|  | ClipboardPasteData clipboard_paste_data, | 
|  | IsClipboardPasteAllowedCallback callback) { | 
|  | delegate_->IsClipboardPasteAllowedByPolicy(source, destination, metadata, | 
|  | std::move(clipboard_paste_data), | 
|  | std::move(callback)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnTextCopiedToClipboard( | 
|  | const std::u16string& copied_text) { | 
|  | delegate_->OnTextCopiedToClipboard(this, copied_text); | 
|  | } | 
|  |  | 
|  | std::optional<std::vector<std::u16string>> | 
|  | RenderFrameHostImpl::GetClipboardTypesIfPolicyApplied( | 
|  | const ui::ClipboardSequenceNumberToken& seqno) { | 
|  | return delegate_->GetClipboardTypesIfPolicyApplied(seqno); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetParentOrOuterDocument() const { | 
|  | return frame_tree_node()->GetParentOrOuterDocumentHelper( | 
|  | /*escape_guest_view=*/false, /*include_prospective=*/true); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetParentOrOuterDocumentOrEmbedder() | 
|  | const { | 
|  | return frame_tree_node()->GetParentOrOuterDocumentHelper( | 
|  | /*escape_guest_view=*/true, /*include_prospective=*/true); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl::GetOutermostMainFrameOrEmbedder() { | 
|  | RenderFrameHostImpl* current = this; | 
|  | while (RenderFrameHostImpl* parent = | 
|  | current->GetParentOrOuterDocumentOrEmbedder()) { | 
|  | current = parent; | 
|  | } | 
|  | return current; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl:: | 
|  | GetParentOrOuterDocumentOrEmbedderExcludingProspectiveOwners() const { | 
|  | return frame_tree_node()->GetParentOrOuterDocumentHelper( | 
|  | /*escape_guest_view=*/true, /*include_prospective=*/false); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl* RenderFrameHostImpl:: | 
|  | GetOutermostMainFrameOrEmbedderExcludingProspectiveOwners() { | 
|  | RenderFrameHostImpl* current = this; | 
|  | while ( | 
|  | RenderFrameHostImpl* parent = | 
|  | current | 
|  | ->GetParentOrOuterDocumentOrEmbedderExcludingProspectiveOwners()) { | 
|  | current = parent; | 
|  | } | 
|  | return current; | 
|  | } | 
|  |  | 
|  | scoped_refptr<WebAuthRequestSecurityChecker> | 
|  | RenderFrameHostImpl::GetWebAuthRequestSecurityChecker() { | 
|  | if (!webauth_request_security_checker_) | 
|  | webauth_request_security_checker_ = | 
|  | base::MakeRefCounted<WebAuthRequestSecurityChecker>(this); | 
|  |  | 
|  | return webauth_request_security_checker_; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsInBackForwardCache() const { | 
|  | return lifecycle_state() == LifecycleStateImpl::kInBackForwardCache; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsPendingDeletion() const { | 
|  | return lifecycle_state() == LifecycleStateImpl::kRunningUnloadHandlers || | 
|  | lifecycle_state() == LifecycleStateImpl::kReadyToBeDeleted; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetLifecycleState(LifecycleStateImpl new_state) { | 
|  | TRACE_EVENT2("content", "RenderFrameHostImpl::SetLifecycleState", | 
|  | "render_frame_host", this, "new_state", | 
|  | LifecycleStateImplToString(new_state)); | 
|  | // Finish the slice corresponding to the old lifecycle state and begin a new | 
|  | // slice for the lifecycle state we are transitioning to. | 
|  | TRACE_EVENT_END("navigation", perfetto::Track::FromPointer(this)); | 
|  | TRACE_EVENT_BEGIN( | 
|  | "navigation", | 
|  | perfetto::StaticString{LifecycleStateImplToString(new_state)}, | 
|  | perfetto::Track::FromPointer(this)); | 
|  | // TODO(crbug.com/40200417): Consider associating expectations with each | 
|  | // transitions. | 
|  | #if DCHECK_IS_ON() | 
|  | static const base::NoDestructor<base::StateTransitions<LifecycleStateImpl>> | 
|  | allowed_transitions( | 
|  | // For a graph of state transitions, see | 
|  | // https://chromium.googlesource.com/chromium/src/+/HEAD/docs/render-frame-host-lifecycle-state.png | 
|  | // To update the graph, see the corresponding .gv file. | 
|  |  | 
|  | // RenderFrameHost is only set speculative during its creation and no | 
|  | // transitions happen to this state during its lifetime. | 
|  | base::StateTransitions<LifecycleStateImpl>({ | 
|  | {LifecycleStateImpl::kSpeculative, | 
|  | {LifecycleStateImpl::kActive, | 
|  | LifecycleStateImpl::kPendingCommit}}, | 
|  |  | 
|  | {LifecycleStateImpl::kPendingCommit, | 
|  | {LifecycleStateImpl::kPrerendering, LifecycleStateImpl::kActive, | 
|  | LifecycleStateImpl::kReadyToBeDeleted}}, | 
|  |  | 
|  | {LifecycleStateImpl::kPrerendering, | 
|  | {LifecycleStateImpl::kActive, | 
|  | LifecycleStateImpl::kRunningUnloadHandlers, | 
|  | LifecycleStateImpl::kReadyToBeDeleted}}, | 
|  |  | 
|  | {LifecycleStateImpl::kActive, | 
|  | {LifecycleStateImpl::kInBackForwardCache, | 
|  | LifecycleStateImpl::kRunningUnloadHandlers, | 
|  | LifecycleStateImpl::kReadyToBeDeleted}}, | 
|  |  | 
|  | {LifecycleStateImpl::kInBackForwardCache, | 
|  | {LifecycleStateImpl::kActive, | 
|  | LifecycleStateImpl::kReadyToBeDeleted}}, | 
|  |  | 
|  | {LifecycleStateImpl::kRunningUnloadHandlers, | 
|  | {LifecycleStateImpl::kReadyToBeDeleted}}, | 
|  |  | 
|  | {LifecycleStateImpl::kReadyToBeDeleted, {}}, | 
|  | })); | 
|  | DCHECK_STATE_TRANSITION(allowed_transitions, | 
|  | /*old_state=*/lifecycle_state_, | 
|  | /*new_state=*/new_state); | 
|  | #endif  // DCHECK_IS_ON() | 
|  |  | 
|  | // TODO(crbug.com/40200416): Use switch-case to make this more readable. | 
|  | // If the RenderFrameHost is restored from BackForwardCache or is part of a | 
|  | // prerender activation, update states of all the children to kActive. | 
|  | if (new_state == LifecycleStateImpl::kActive) { | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kPendingCommit || | 
|  | lifecycle_state_ == LifecycleStateImpl::kSpeculative) { | 
|  | // Newly-created documents shouldn't have children, as child creation | 
|  | // happens after commit. | 
|  | DCHECK(children_.empty()); | 
|  | } | 
|  | if (GetOutermostMainFrameOrEmbedder() == this && | 
|  | (lifecycle_state() == LifecycleStateImpl::kInBackForwardCache || | 
|  | lifecycle_state() == LifecycleStateImpl::kPrerendering)) { | 
|  | // We mark all the children, including inner FrameTrees and delegate | 
|  | // nodes to have the same lifecycle state. | 
|  | FrameTree::NodeRange node_range = FrameTree::SubtreeAndInnerTreeNodes( | 
|  | this, | 
|  | /*include_delegate_nodes_for_inner_frame_trees=*/true); | 
|  | FrameTree::NodeIterator node_iter = node_range.begin(); | 
|  | while (node_iter != node_range.end()) { | 
|  | FrameTreeNode* ftn = *node_iter; | 
|  |  | 
|  | // We should not encounter an Inner WebContents. | 
|  | CHECK(!ftn->IsOutermostMainFrame()); | 
|  |  | 
|  | RenderFrameHostImpl* rfh = ftn->current_frame_host(); | 
|  | DCHECK_EQ(rfh->lifecycle_state(), lifecycle_state_); | 
|  | rfh->SetLifecycleState(new_state); | 
|  | ++node_iter; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | if (lifecycle_state() == LifecycleStateImpl::kInBackForwardCache) | 
|  | was_restored_from_back_forward_cache_for_debugging_ = true; | 
|  |  | 
|  | if (new_state == LifecycleStateImpl::kPendingCommit || | 
|  | new_state == LifecycleStateImpl::kPrerendering) { | 
|  | DCHECK(children_.empty()); | 
|  | } | 
|  |  | 
|  | LifecycleStateImpl old_state = lifecycle_state_; | 
|  | lifecycle_state_ = new_state; | 
|  |  | 
|  | // If the state changes from or to kActive, update the active document count. | 
|  | if (old_state == LifecycleStateImpl::kActive && | 
|  | new_state != LifecycleStateImpl::kActive) { | 
|  | GetSiteInstance()->DecrementActiveDocumentCount( | 
|  | last_committed_url_derived_site_info_); | 
|  | GetStoragePartition()->DecrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } else if (old_state != LifecycleStateImpl::kActive && | 
|  | new_state == LifecycleStateImpl::kActive) { | 
|  | GetSiteInstance()->IncrementActiveDocumentCount( | 
|  | last_committed_url_derived_site_info_); | 
|  | GetStoragePartition()->IncrementActiveDocumentCount( | 
|  | GetNetworkIsolationKey()); | 
|  | } | 
|  |  | 
|  | // Unset the |has_pending_lifecycle_state_update_| value once the | 
|  | // LifecycleStateImpl is updated. | 
|  | if (has_pending_lifecycle_state_update_) { | 
|  | DCHECK(lifecycle_state() == LifecycleStateImpl::kInBackForwardCache || | 
|  | IsPendingDeletion() || | 
|  | old_state == LifecycleStateImpl::kPrerendering) | 
|  | << "Transitioned to unexpected state with resetting " | 
|  | "|has_pending_lifecycle_state_update_|\n "; | 
|  | has_pending_lifecycle_state_update_ = false; | 
|  | } | 
|  | last_main_frame_type_pending_lifecycle_update_.reset(); | 
|  |  | 
|  | // As kSpeculative state is not exposed to embedders, we can ignore the | 
|  | // transitions out of kSpeculative state while notifying delegate. | 
|  | if (old_state != LifecycleStateImpl::kSpeculative) { | 
|  | LifecycleState old_lifecycle_state = GetLifecycleStateFromImpl(old_state); | 
|  | LifecycleState new_lifecycle_state = GetLifecycleState(); | 
|  |  | 
|  | // Old and new lifecycle states can be equal due to the same LifecycleState | 
|  | // representing multiple LifecycleStateImpls, for example the | 
|  | // kPendingDeletion state. Don't notify the observers in such cases. | 
|  | if (old_lifecycle_state != new_lifecycle_state) { | 
|  | delegate_->RenderFrameHostStateChanged(this, old_lifecycle_state, | 
|  | new_lifecycle_state); | 
|  | } | 
|  | } | 
|  |  | 
|  | if (new_state == LifecycleStateImpl::kActive && | 
|  | old_state == LifecycleStateImpl::kInBackForwardCache) { | 
|  | if (auto* permission_service_context = | 
|  | PermissionServiceContext::GetForCurrentDocument(this)) { | 
|  | permission_service_context->NotifyPermissionStatusChangedIfNeeded(); | 
|  | } | 
|  | } | 
|  |  | 
|  | if (!ShouldBoostRenderProcessForLoading(lifecycle_state_, | 
|  | frame_tree_->is_prerendering())) { | 
|  | MaybeResetBoostRenderProcessForLoading(); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::RecordDocumentCreatedUkmEvent( | 
|  | const url::Origin& origin, | 
|  | const ukm::SourceId document_ukm_source_id, | 
|  | ukm::UkmRecorder* ukm_recorder, | 
|  | bool only_record_identifiability_metric) { | 
|  | DCHECK(ukm_recorder); | 
|  | if (document_ukm_source_id == ukm::kInvalidSourceId) | 
|  | return; | 
|  |  | 
|  | // Compares the subframe origin with the main frame origin. In the case of | 
|  | // nested subframes such as A(B(A)), the bottom-most frame A is expected to | 
|  | // have |is_cross_origin_frame| set to false, even though this frame is cross- | 
|  | // origin from its parent frame B. This value is only used in manual analysis. | 
|  | bool is_cross_origin_frame = | 
|  | !IsOutermostMainFrame() && | 
|  | !GetOutermostMainFrame()->GetLastCommittedOrigin().IsSameOriginWith( | 
|  | origin); | 
|  |  | 
|  | // Compares the subframe site with the main frame site. In the case of | 
|  | // nested subframes such as A(B(A)), the bottom-most frame A is expected to | 
|  | // have |is_cross_site_frame| set to false, even though this frame is cross- | 
|  | // site from its parent frame B. This value is only used in manual analysis. | 
|  | bool is_cross_site_frame = | 
|  | !IsOutermostMainFrame() && | 
|  | !net::SchemefulSite::IsSameSite( | 
|  | origin, GetOutermostMainFrame()->GetLastCommittedOrigin()); | 
|  |  | 
|  | bool is_main_frame = IsOutermostMainFrame(); | 
|  |  | 
|  | // Our data collection policy disallows collecting UKMs while prerendering. | 
|  | // So, assign a valid ID only when the page is not in the prerendering state. | 
|  | // See //content/browser/preloading/prerender/README.md and ask the team to | 
|  | // explore options to record data for prerendering pages. | 
|  | const ukm::SourceId navigation_ukm_source_id = | 
|  | IsInLifecycleState(LifecycleState::kPrerendering) ? ukm::kInvalidSourceId | 
|  | : GetPageUkmSourceId(); | 
|  |  | 
|  | RecordIdentifiabilityDocumentCreatedMetrics( | 
|  | document_ukm_source_id, ukm_recorder, navigation_ukm_source_id, | 
|  | is_cross_origin_frame, is_cross_site_frame, is_main_frame); | 
|  |  | 
|  | if (only_record_identifiability_metric) | 
|  | return; | 
|  |  | 
|  | ukm::builders::DocumentCreated(document_ukm_source_id) | 
|  | .SetNavigationSourceId(navigation_ukm_source_id) | 
|  | .SetIsMainFrame(is_main_frame) | 
|  | .SetIsCrossOriginFrame(is_cross_origin_frame) | 
|  | .SetIsCrossSiteFrame(is_cross_site_frame) | 
|  | .Record(ukm_recorder); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindReportingObserver( | 
|  | mojo::PendingReceiver<blink::mojom::ReportingObserver> receiver) { | 
|  | GetAssociatedLocalFrame()->BindReportingObserver(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::URLLoaderNetworkServiceObserver> | 
|  | RenderFrameHostImpl::CreateURLLoaderNetworkObserver() { | 
|  | return GetStoragePartition()->CreateURLLoaderNetworkObserverForFrame( | 
|  | GetProcess()->GetDeprecatedID(), GetRoutingID()); | 
|  | } | 
|  |  | 
|  | PeerConnectionTrackerHost& RenderFrameHostImpl::GetPeerConnectionTrackerHost() { | 
|  | return *PeerConnectionTrackerHost::GetOrCreateForCurrentDocument(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindPeerConnectionTrackerHost( | 
|  | mojo::PendingReceiver<blink::mojom::PeerConnectionTrackerHost> receiver) { | 
|  | GetPeerConnectionTrackerHost().BindReceiver(std::move(receiver)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnableWebRtcEventLogOutput(int lid, | 
|  | int output_period_ms) { | 
|  | GetPeerConnectionTrackerHost().StartEventLog(lid, output_period_ms); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableWebRtcEventLogOutput(int lid) { | 
|  | GetPeerConnectionTrackerHost().StopEventLog(lid); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::EnableWebRtcDataChannelLogOutput(int lid) { | 
|  | GetPeerConnectionTrackerHost().StartDataChannelLog(lid); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DisableWebRtcDataChannelLogOutput(int lid) { | 
|  | GetPeerConnectionTrackerHost().StopDataChannelLog(lid); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsDocumentOnLoadCompletedInMainFrame() { | 
|  | return GetPage().is_on_load_completed_in_main_document(); | 
|  | } | 
|  |  | 
|  | // TODO(crbug.com/40174718): Move this method to content::Page when available. | 
|  | const std::vector<blink::mojom::FaviconURLPtr>& | 
|  | RenderFrameHostImpl::FaviconURLs() { | 
|  | return GetPage().favicon_urls(); | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::CookieAccessObserver> | 
|  | RenderFrameHostImpl::CreateCookieAccessObserver( | 
|  | CookieAccessDetails::Source source) { | 
|  | mojo::PendingRemote<network::mojom::CookieAccessObserver> remote; | 
|  | cookie_observers_.Add(remote.InitWithNewPipeAndPassReceiver(), source); | 
|  | return remote; | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::TrustTokenAccessObserver> | 
|  | RenderFrameHostImpl::CreateTrustTokenAccessObserver() { | 
|  | mojo::PendingRemote<network::mojom::TrustTokenAccessObserver> remote; | 
|  | trust_token_observers_.Add(this, remote.InitWithNewPipeAndPassReceiver()); | 
|  | return remote; | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::SharedDictionaryAccessObserver> | 
|  | RenderFrameHostImpl::CreateSharedDictionaryAccessObserver() { | 
|  | mojo::PendingRemote<network::mojom::SharedDictionaryAccessObserver> remote; | 
|  | shared_dictionary_observers_.Add(this, | 
|  | remote.InitWithNewPipeAndPassReceiver()); | 
|  | return remote; | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<device::mojom::VibrationManagerListener> | 
|  | RenderFrameHostImpl::CreateVibrationManagerListener() { | 
|  | mojo::PendingRemote<device::mojom::VibrationManagerListener> remote; | 
|  | vibration_manager_listeners_.Add(this, | 
|  | remote.InitWithNewPipeAndPassReceiver()); | 
|  | return remote; | 
|  | } | 
|  |  | 
|  | mojo::PendingRemote<network::mojom::DeviceBoundSessionAccessObserver> | 
|  | RenderFrameHostImpl::CreateDeviceBoundSessionObserver() { | 
|  | mojo::PendingRemote<network::mojom::DeviceBoundSessionAccessObserver> remote; | 
|  | device_bound_session_observers_.Add(this, | 
|  | remote.InitWithNewPipeAndPassReceiver()); | 
|  | return remote; | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(ENABLE_MDNS) | 
|  | void RenderFrameHostImpl::CreateMdnsResponder( | 
|  | mojo::PendingReceiver<network::mojom::MdnsResponder> receiver) { | 
|  | GetStoragePartition()->GetNetworkContext()->CreateMdnsResponder( | 
|  | std::move(receiver)); | 
|  | } | 
|  | #endif  // BUILDFLAG(ENABLE_MDNS) | 
|  |  | 
|  | void RenderFrameHostImpl::Clone( | 
|  | mojo::PendingReceiver<network::mojom::TrustTokenAccessObserver> observer) { | 
|  | trust_token_observers_.Add(this, std::move(observer)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Clone( | 
|  | mojo::PendingReceiver<network::mojom::SharedDictionaryAccessObserver> | 
|  | observer) { | 
|  | shared_dictionary_observers_.Add(this, std::move(observer)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::Clone( | 
|  | mojo::PendingReceiver<network::mojom::DeviceBoundSessionAccessObserver> | 
|  | observer) { | 
|  | device_bound_session_observers_.Add(this, std::move(observer)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::NotifyCookiesAccessed( | 
|  | std::vector<network::mojom::CookieAccessDetailsPtr> details_vector, | 
|  | CookieAccessDetails::Source source) { | 
|  | TRACE_EVENT("browser", "RenderFrameHostImpl::NotifyCookiesAccessed"); | 
|  | std::optional<base::ElapsedTimer> timer; | 
|  | if (base::ShouldRecordSubsampledMetric(0.01)) { | 
|  | timer.emplace(); | 
|  | } | 
|  | UMA_HISTOGRAM_COUNTS_1M("Cookie.OnCookiesAccessed.BatchSize", | 
|  | details_vector.size()); | 
|  | size_t access_sum = 0; | 
|  | for (auto& details : details_vector) { | 
|  | access_sum += details->cookie_list.size(); | 
|  | EmitCookieWarningsAndMetrics(/*rfh=*/this, details); | 
|  |  | 
|  | CookieAccessDetails allowed; | 
|  | CookieAccessDetails blocked; | 
|  | SplitCookiesIntoAllowedAndBlocked(details, source, &allowed, &blocked); | 
|  | if (!allowed.cookie_access_result_list.empty()) { | 
|  | delegate_->OnCookiesAccessed(this, allowed); | 
|  | } | 
|  | if (!blocked.cookie_access_result_list.empty()) { | 
|  | delegate_->OnCookiesAccessed(this, blocked); | 
|  | } | 
|  | } | 
|  | UMA_HISTOGRAM_COUNTS_1M("Cookie.OnCookiesAccessed.TotalAccesses", access_sum); | 
|  | if (timer) { | 
|  | base::UmaHistogramCustomMicrosecondsTimes( | 
|  | "Browser.CookieAccessObserver.RenderFrameHost.Duration.Subsampled", | 
|  | timer->Elapsed(), base::Microseconds(1), base::Seconds(1), 100); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnTrustTokensAccessed( | 
|  | network::mojom::TrustTokenAccessDetailsPtr details) { | 
|  | delegate_->OnTrustTokensAccessed(this, TrustTokenAccessDetails(details)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnSharedDictionaryAccessed( | 
|  | network::mojom::SharedDictionaryAccessDetailsPtr details) { | 
|  | delegate_->OnSharedDictionaryAccessed(this, *details); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnVibrate() { | 
|  | delegate_->OnVibrate(this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnDeviceBoundSessionAccessed( | 
|  | const net::device_bound_sessions::SessionAccess& access) { | 
|  | delegate_->OnDeviceBoundSessionAccessed(this, access); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetEmbeddingToken( | 
|  | const base::UnguessableToken& embedding_token) { | 
|  | // Everything in this method depends on whether the embedding token has | 
|  | // actually changed, including setting the AXTreeID (backed by the token). | 
|  | if (embedding_token_ == embedding_token) | 
|  | return; | 
|  | embedding_token_ = embedding_token; | 
|  |  | 
|  | // The AXTreeID of a frame is backed by its embedding token, so we need to | 
|  | // update its AXTreeID, as well as the associated mapping in | 
|  | // AXActionHandlerRegistry. | 
|  | const ui::AXTreeID old_id = GetAXTreeID(); | 
|  | ui::AXTreeID ax_tree_id = ui::AXTreeID::FromToken(embedding_token); | 
|  | DCHECK_NE(old_id, ax_tree_id); | 
|  | SetAXTreeID(ax_tree_id); | 
|  | needs_ax_root_id_ = true; | 
|  | ui::AXActionHandlerRegistry::GetInstance()->SetFrameIDForAXTreeID( | 
|  | ui::AXActionHandlerRegistry::FrameID(GetProcess()->GetDeprecatedID(), | 
|  | routing_id_), | 
|  | ax_tree_id); | 
|  |  | 
|  | // Also important to notify the delegate so that the relevant observers can | 
|  | // adapt to the fact that the AXTreeID has changed for the primary main frame | 
|  | // (e.g. the WebView needs to update the ID tracking its child accessibility | 
|  | // tree). | 
|  | if (IsInPrimaryMainFrame()) | 
|  | delegate_->AXTreeIDForMainFrameHasChanged(); | 
|  |  | 
|  | // Propagate the embedding token to the RenderFrameProxyHost representing the | 
|  | // parent frame if needed, that is, if either this is a cross-process subframe | 
|  | // or the main frame of an inner web contents (i.e. would need to send it to | 
|  | // the RenderFrameProxyHost for the outer web contents owning the inner one). | 
|  | PropagateEmbeddingTokenToParentFrame(); | 
|  |  | 
|  | // The accessibility tree for the outermost root frame contains references | 
|  | // to the focused frame via its AXTreeID, so ensure that we update that. | 
|  | // For frames in a prerendering frame tree, they should never have focus, so | 
|  | // the outermost frame does not need to update the references. | 
|  | RenderFrameHostImpl* outermost = GetOutermostMainFrameOrEmbedder(); | 
|  | DCHECK(outermost); | 
|  | DCHECK(lifecycle_state_ != LifecycleStateImpl::kPrerendering || | 
|  | outermost->GetFocusedAXTreeID() != GetAXTreeID()); | 
|  |  | 
|  | if (outermost != this && | 
|  | lifecycle_state_ != LifecycleStateImpl::kPrerendering) { | 
|  | outermost->UpdateAXTreeData(); | 
|  | } | 
|  |  | 
|  | // Finally, since the AXTreeID changed, we have to ensure the | 
|  | // BrowserAccessibilityManager gets a new tree as well. | 
|  | if (browser_accessibility_manager_) { | 
|  | browser_accessibility_manager_->DetachFromParentManager(); | 
|  | browser_accessibility_manager_.reset(); | 
|  | // Clear the node id mapping on account of having a new tree. | 
|  | ax_unique_ids_.clear(); | 
|  | } | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::DocumentUsedWebOTP() { | 
|  | return document_used_web_otp_; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetFrameTreeNode(FrameTreeNode& frame_tree_node) { | 
|  | devtools_instrumentation::WillSwapFrameTreeNode(*frame_tree_node_, | 
|  | frame_tree_node); | 
|  | frame_tree_node_ = &frame_tree_node; | 
|  | SetFrameTree(frame_tree_node_->frame_tree()); | 
|  | // Setting the FrameTreeNode is only done for FrameTree/FrameTreeNode swaps | 
|  | // in MPArch (specifically prerender activation). This is to ensure that | 
|  | // fields such as proxies and ReplicationState are copied over correctly. In | 
|  | // the new functionality for swapping BrowsingContext on cross | 
|  | // BrowsingInstance navigations, the BrowsingContextState is the only field | 
|  | // that will need to be swapped. | 
|  | switch (features::GetBrowsingContextMode()) { | 
|  | case (features::BrowsingContextStateImplementationType:: | 
|  | kLegacyOneToOneWithFrameTreeNode): | 
|  | browsing_context_state_ = frame_tree_node_->render_manager() | 
|  | ->current_frame_host() | 
|  | ->browsing_context_state(); | 
|  | break; | 
|  | case (features::BrowsingContextStateImplementationType:: | 
|  | kSwapForCrossBrowsingInstanceNavigations): | 
|  | // TODO(crbug.com/40205442): implement functionality for swapping on cross | 
|  | // browsing instance navigations as needed. This will likely be removed | 
|  | // once BrowsingContextState is decoupled from FrameTreeNode. | 
|  | break; | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetFrameTree(FrameTree& frame_tree) { | 
|  | DCHECK_EQ(&frame_tree_node_->frame_tree(), &frame_tree); | 
|  | frame_tree_ = &frame_tree; | 
|  | render_view_host()->SetFrameTree(frame_tree); | 
|  | if (owned_render_widget_host_) { | 
|  | owned_render_widget_host_->SetFrameTree(frame_tree); | 
|  | } | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::SetPolicyContainerForEarlyCommitAfterCrash( | 
|  | scoped_refptr<PolicyContainerHost> policy_container_host) { | 
|  | DCHECK_EQ(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | DCHECK(!policy_container_host_); | 
|  | SetPolicyContainerHost(std::move(policy_container_host)); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnDidRunInsecureContent(const GURL& security_origin, | 
|  | const GURL& target_url) { | 
|  | OPTIONAL_TRACE_EVENT2("content", "RenderFrameHostImpl::DidRunInsecureContent", | 
|  | "security_origin", security_origin, "target_url", | 
|  | target_url); | 
|  |  | 
|  | RecordAction(base::UserMetricsAction("SSL.RanInsecureContent")); | 
|  | if (base::EndsWith(security_origin.spec(), kDotGoogleDotCom, | 
|  | base::CompareCase::INSENSITIVE_ASCII)) { | 
|  | RecordAction(base::UserMetricsAction("SSL.RanInsecureContentGoogle")); | 
|  | } | 
|  | frame_tree_->controller().ssl_manager()->DidRunMixedContent(security_origin); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnDidRunContentWithCertificateErrors() { | 
|  | OPTIONAL_TRACE_EVENT0( | 
|  | "content", "RenderFrameHostImpl::OnDidRunContentWithCertificateErrors"); | 
|  | // For RenderFrameHosts that are inactive and going to be discarded, we can | 
|  | // disregard this message; there's no need to update the UI if the UI will | 
|  | // never be shown again. | 
|  | // | 
|  | // We still process this message for pending-commit RenderFrameHosts. This can | 
|  | // happen when a subframe's main resource has a certificate error. The | 
|  | // origin for the last committed navigation entry will get marked as having | 
|  | // run insecure content and that will carry over to the navigation entry for | 
|  | // the pending-commit RenderFrameHost when it commits. | 
|  | // | 
|  | // Generally our approach for active content with certificate errors follows | 
|  | // our approach for mixed content (DidRunInsecureContent): when a page loads | 
|  | // active insecure content, such as a script or iframe, the top-level origin | 
|  | // gets marked as insecure and that applies to any navigation entry using the | 
|  | // same renderer process with that same top-level origin. | 
|  | // | 
|  | // We shouldn't be receiving this message for speculative RenderFrameHosts | 
|  | // i.e., before the renderer is told to commit the navigation. | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | if (lifecycle_state() != LifecycleStateImpl::kPendingCommit && | 
|  | IsInactiveAndDisallowActivation( | 
|  | DisallowActivationReasonId::kCertificateErrors)) { | 
|  | return; | 
|  | } | 
|  | // To update mixed content status in a fenced frame, we should call | 
|  | // an outer frame's OnDidRunContentWithCertificateErrors. | 
|  | // Otherwise, no update can be processed from fenced frames since they have | 
|  | // their own NavigationController" | 
|  | if (IsNestedWithinFencedFrame()) { | 
|  | GetParentOrOuterDocument()->OnDidRunContentWithCertificateErrors(); | 
|  | return; | 
|  | } | 
|  | frame_tree_->controller().ssl_manager()->DidRunContentWithCertErrors( | 
|  | GetMainFrame()->GetLastCommittedOrigin().GetURL()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::OnDidDisplayContentWithCertificateErrors() { | 
|  | OPTIONAL_TRACE_EVENT0( | 
|  | "content", | 
|  | "RenderFrameHostImpl::OnDidDisplayContentWithCertificateErrors"); | 
|  | frame_tree_->controller().ssl_manager()->DidDisplayContentWithCertErrors(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::IncreaseCommitNavigationCounter() { | 
|  | if (commit_navigation_sent_counter_ < std::numeric_limits<int>::max()) | 
|  | ++commit_navigation_sent_counter_; | 
|  | else | 
|  | commit_navigation_sent_counter_ = 0; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldWaitForUnloadHandlers() const { | 
|  | return has_unload_handlers() && !IsInBackForwardCache(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AssertFrameWasCommitted() const { | 
|  | if (lifecycle_state() != LifecycleStateImpl::kSpeculative && | 
|  | lifecycle_state() != LifecycleStateImpl::kPendingCommit) [[likely]] { | 
|  | return; | 
|  | } | 
|  |  | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AssertBrowserContextShutdownHasntStarted() { | 
|  | if (!GetBrowserContext()->ShutdownStarted()) [[likely]] { | 
|  | return; | 
|  | } | 
|  |  | 
|  | std::string debug_string = ToDebugString(); | 
|  | SCOPED_CRASH_KEY_STRING256("shutdown", "frame->ToDebugString", debug_string); | 
|  | DUMP_WILL_BE_NOTREACHED() | 
|  | << "BrowserContext->ShutdownStarted() without first closing all " | 
|  | << "WebContents; debug_string = " << debug_string; | 
|  | } | 
|  |  | 
|  | blink::StorageKey RenderFrameHostImpl::GetBucketStorageKey() { | 
|  | return storage_key_; | 
|  | } | 
|  |  | 
|  | blink::mojom::PermissionStatus RenderFrameHostImpl::GetPermissionStatus( | 
|  | blink::PermissionType permission_type) { | 
|  | return GetBrowserContext() | 
|  | ->GetPermissionController() | 
|  | ->GetPermissionStatusForCurrentDocument( | 
|  | content::PermissionDescriptorUtil:: | 
|  | CreatePermissionDescriptorForPermissionType(permission_type), | 
|  | this); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindCacheStorageForBucket( | 
|  | const storage::BucketInfo& bucket, | 
|  | mojo::PendingReceiver<blink::mojom::CacheStorage> receiver) { | 
|  | BindCacheStorageInternal(std::move(receiver), bucket.ToBucketLocator()); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetSandboxedFileSystemForBucket( | 
|  | const storage::BucketInfo& bucket, | 
|  | const std::vector<std::string>& directory_path_components, | 
|  | blink::mojom::BucketHost::GetDirectoryCallback callback) { | 
|  | GetStoragePartition()->GetFileSystemAccessManager()->GetSandboxedFileSystem( | 
|  | FileSystemAccessManagerImpl::BindingContext( | 
|  | GetStorageKey(), GetLastCommittedURL(), GetGlobalId()), | 
|  | bucket.ToBucketLocator(), directory_path_components, std::move(callback)); | 
|  | } | 
|  |  | 
|  | storage::BucketClientInfo RenderFrameHostImpl::GetBucketClientInfo() const { | 
|  | return storage::BucketClientInfo{GetProcess()->GetDeprecatedID(), | 
|  | GetFrameToken(), GetDocumentToken()}; | 
|  | } | 
|  |  | 
|  | std::ostream& operator<<(std::ostream& o, | 
|  | const RenderFrameHostImpl::LifecycleStateImpl& s) { | 
|  | return o << RenderFrameHostImpl::LifecycleStateImplToString(s); | 
|  | } | 
|  |  | 
|  | net::CookieSettingOverrides RenderFrameHostImpl::GetCookieSettingOverrides() { | 
|  | // This shouldn't be called before committing the document. | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kSpeculative); | 
|  | DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kPendingCommit); | 
|  | auto subresource_loader_factories_config = | 
|  | SubresourceLoaderFactoriesConfig::ForLastCommittedNavigation(*this); | 
|  | return subresource_loader_factories_config.cookie_setting_overrides(); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::CookieChangeListener::CookieChangeListener( | 
|  | StoragePartition* storage_partition, | 
|  | GURL& url) { | 
|  | DCHECK(storage_partition); | 
|  | auto* cookie_manager = storage_partition->GetCookieManagerForBrowserProcess(); | 
|  | cookie_manager->AddCookieChangeListener( | 
|  | url, std::nullopt, | 
|  | cookie_change_listener_receiver_.BindNewPipeAndPassRemote()); | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::CookieChangeListener::~CookieChangeListener() = default; | 
|  |  | 
|  | void RenderFrameHostImpl::CookieChangeListener::OnCookieChange( | 
|  | const net::CookieChangeInfo& change) { | 
|  | // TODO (https://crbug.com/1399741): After adding the invalidation signals | 
|  | // API, we could mark the page as ineligible for BFCache as soon as the cookie | 
|  | // change event is received after the navigation is committed. | 
|  | cookie_change_info_.cookie_modification_count_++; | 
|  | if (change.cookie.IsHttpOnly()) { | 
|  | cookie_change_info_.http_only_cookie_modification_count_++; | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::CookieChangeListener::CookieChangeInfo | 
|  | RenderFrameHostImpl::GetCookieChangeInfo() { | 
|  | return cookie_change_listener_ ? cookie_change_listener_->cookie_change_info() | 
|  | : CookieChangeListener::CookieChangeInfo{}; | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::DeviceBoundSessionObserver::DeviceBoundSessionObserver( | 
|  | StoragePartition* storage_partition, | 
|  | GURL& url) { | 
|  | DCHECK(storage_partition); | 
|  | auto* device_bound_session_manager = | 
|  | storage_partition->GetDeviceBoundSessionManager(); | 
|  | if (device_bound_session_manager) { | 
|  | device_bound_session_manager->AddObserver( | 
|  | url, receiver_.BindNewPipeAndPassRemote()); | 
|  | } | 
|  | } | 
|  |  | 
|  | RenderFrameHostImpl::DeviceBoundSessionObserver::~DeviceBoundSessionObserver() = | 
|  | default; | 
|  |  | 
|  | void RenderFrameHostImpl::DeviceBoundSessionObserver:: | 
|  | OnDeviceBoundSessionAccessed( | 
|  | const net::device_bound_sessions::SessionAccess& access) { | 
|  | if (!is_terminated_ && | 
|  | access.access_type == | 
|  | net::device_bound_sessions::SessionAccess::AccessType::kTermination && | 
|  | terminated_callback_) { | 
|  | std::move(terminated_callback_).Run(); | 
|  | } | 
|  | is_terminated_ |= | 
|  | access.access_type == | 
|  | net::device_bound_sessions::SessionAccess::AccessType::kTermination; | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::DeviceBoundSessionObserver::Clone( | 
|  | mojo::PendingReceiver<network::mojom::DeviceBoundSessionAccessObserver> | 
|  | observer) { | 
|  | // The `Clone` method is only called for the observers that are part | 
|  | // of network requests, so it is not expected to be called here. | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsDeviceBoundSessionTerminated() { | 
|  | return device_bound_session_observer_ | 
|  | ? device_bound_session_observer_->IsTerminated() | 
|  | : false; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::LoadedWithCacheControlNoStoreHeader() { | 
|  | return GetBackForwardCacheDisablingFeatures().Has( | 
|  | blink::scheduler::WebSchedulerTrackedFeature:: | 
|  | kMainResourceHasCacheControlNoStore); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::BindFileBackedBlobFactory( | 
|  | mojo::PendingAssociatedReceiver<blink::mojom::FileBackedBlobFactory> | 
|  | receiver) { | 
|  | FileBackedBlobFactoryFrameImpl::CreateForCurrentDocument(this, | 
|  | std::move(receiver)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldChangeRenderFrameHostOnSameSiteNavigation() | 
|  | const { | 
|  | // Reloading from a discarded state will result in a same-site navigation. In | 
|  | // these cases we should always create a new RFH for the navigation. | 
|  | if (document_associated_data_->is_discarded()) { | 
|  | return true; | 
|  | } | 
|  | if (must_be_replaced_for_crash() || must_be_replaced_for_webtest()) { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | ContentBrowserClient::ShouldAllowSameSiteRenderFrameHostChangeResult | 
|  | client_result = GetContentClient() | 
|  | ->browser() | 
|  | ->ShouldAllowSameSiteRenderFrameHostChange(*this); | 
|  | if (client_result == | 
|  | ContentBrowserClient::ShouldAllowSameSiteRenderFrameHostChangeResult:: | 
|  | kNotAllowed) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | return ShouldCreateNewRenderFrameHostOnSameSiteNavigation( | 
|  | is_main_frame(), is_local_root(), has_committed_any_navigation(), | 
|  | must_be_replaced_for_crash(), | 
|  | /*client_overrides_level=*/client_result == | 
|  | ContentBrowserClient::ShouldAllowSameSiteRenderFrameHostChangeResult:: | 
|  | kAllowedOverrideLevel); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::CanReadFromSharedStorage() { | 
|  | if (!IsNestedWithinFencedFrame()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | auto properties = frame_tree_node()->GetFencedFrameProperties( | 
|  | FencedFramePropertiesNodeSource::kFrameTreeRoot); | 
|  | return properties.has_value() && | 
|  | properties->HasDisabledNetworkForCurrentAndDescendantFrameTrees(); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::ShouldReuseCompositing( | 
|  | SiteInstanceImpl& speculative_site_instance) const { | 
|  | if (!ShouldChangeRenderFrameHostOnSameSiteNavigation()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // Avoid compositor reuse if (1) the renderer process has crashed and there is | 
|  | // no compositor to reuse, or (2) we are going to start a new web test and | 
|  | // need a clean state. In particular, a fresh RenderWidgetHost ensures that a | 
|  | // test cannot receive synthetic input generated by the previous test. | 
|  | if (must_be_replaced_for_crash() || must_be_replaced_for_webtest()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!base::FeatureList::IsEnabled(features::kRenderDocumentCompositorReuse)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // NOTE: We can't reuse the compositor if the old RFH (and its associated | 
|  | // widget) will be persisted in the BFCache. Since we force a proactive | 
|  | // BrowsingInstance swap if a Document will be added to BFCache, this check | 
|  | // ensures we don't reuse the compositor if the old RFH will be persisted. | 
|  | if (GetSiteInstance()->group() != speculative_site_instance.group()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | CHECK_EQ(GetProcess(), speculative_site_instance.GetProcess()); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | std::optional<mojo::UrgentMessageScope> | 
|  | RenderFrameHostImpl::MakeUrgentMessageScopeIfNeeded() { | 
|  | // Don't prioritize navigations in RFHs that are prerendering, since that | 
|  | // isn't visible to the user. | 
|  | if (lifecycle_state_ == LifecycleStateImpl::kPrerendering) { | 
|  | return std::nullopt; | 
|  | } | 
|  |  | 
|  | // The visibility for speculative RFHs isn't updated until late in the | 
|  | // navigation process, so always use the RFH being replaced to determine | 
|  | // visibility, since that is what's actually shown to the user. | 
|  | RenderFrameHostImpl* rfh = frame_tree_node_->current_frame_host(); | 
|  | if (!rfh->IsOutermostMainFrame() || | 
|  | rfh->GetVisibilityState() != PageVisibilityState::kVisible) { | 
|  | return std::nullopt; | 
|  | } | 
|  |  | 
|  | return mojo::UrgentMessageScope(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::AddDeferredSharedStorageHeaderCallback( | 
|  | base::OnceCallback<void(NavigationOrDocumentHandle*)> callback) { | 
|  | deferred_shared_storage_header_callbacks_.push_back(std::move(callback)); | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::IsClipboardOwner( | 
|  | ui::ClipboardSequenceNumberToken seqno) const { | 
|  | auto* clipboard = ui::Clipboard::GetForCurrentThread(); | 
|  | if (clipboard->GetSequenceNumber(ui::ClipboardBuffer::kCopyPaste) != seqno) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | std::string pickled_rfh_token; | 
|  | clipboard->ReadData(SourceRFHTokenType(), /*data_dst=*/nullptr, | 
|  | &pickled_rfh_token); | 
|  |  | 
|  | auto rfh_token = GlobalRenderFrameHostToken::FromPickle( | 
|  | base::Pickle::WithData(base::as_byte_span(pickled_rfh_token))); | 
|  |  | 
|  | return rfh_token && RenderFrameHost::FromFrameToken(*rfh_token) == this; | 
|  | } | 
|  |  | 
|  | bool RenderFrameHostImpl::HasPolicyContainerHost() const { | 
|  | return policy_container_host_ != nullptr; | 
|  | } | 
|  |  | 
|  | const network::CrossOriginEmbedderPolicy& | 
|  | RenderFrameHostImpl::GetCrossOriginEmbedderPolicy() const { | 
|  | CHECK(HasPolicyContainerHost()); | 
|  | return cross_origin_embedder_policy(); | 
|  | } | 
|  |  | 
|  | void RenderFrameHostImpl::GetBoundInterfacesForTesting( | 
|  | std::vector<std::string>& out) { | 
|  | broker_.GetBinderMapInterfacesForTesting(out);  // IN-TEST | 
|  | } | 
|  |  | 
|  | std::optional<base::flat_map<blink::mojom::PermissionName, | 
|  | blink::mojom::PermissionStatus>> | 
|  | RenderFrameHostImpl::GetCachedPermissionStatuses() { | 
|  | using blink::PermissionType; | 
|  | using blink::mojom::PermissionName; | 
|  | static constexpr auto kPermissions = | 
|  | std::to_array<std::pair<PermissionName, PermissionType>>( | 
|  | {{PermissionName::VIDEO_CAPTURE, PermissionType::VIDEO_CAPTURE}, | 
|  | {PermissionName::AUDIO_CAPTURE, PermissionType::AUDIO_CAPTURE}, | 
|  | {PermissionName::GEOLOCATION, PermissionType::GEOLOCATION}, | 
|  | {PermissionName::WINDOW_MANAGEMENT, | 
|  | PermissionType::WINDOW_MANAGEMENT}}); | 
|  |  | 
|  | base::flat_map<PermissionName, PermissionStatus> permission_map; | 
|  | for (const auto& permission : kPermissions) { | 
|  | PermissionStatus status = GetCombinedPermissionStatus(permission.second); | 
|  | // Default value is ASK, we don't need add the permission status in this | 
|  | // case. | 
|  | if (status != PermissionStatus::ASK) { | 
|  | permission_map.emplace(permission.first, status); | 
|  | } | 
|  | } | 
|  |  | 
|  | return permission_map; | 
|  | } | 
|  |  | 
|  | blink::mojom::PermissionStatus RenderFrameHostImpl::GetCombinedPermissionStatus( | 
|  | blink::PermissionType permission_type) { | 
|  | auto descriptor = content::PermissionDescriptorUtil:: | 
|  | CreatePermissionDescriptorForPermissionType(permission_type); | 
|  | if (PermissionUtil::IsDevicePermission(descriptor)) { | 
|  | return GetBrowserContext() | 
|  | ->GetPermissionController() | 
|  | ->GetCombinedPermissionAndDeviceStatus(descriptor, this); | 
|  | } | 
|  | return GetBrowserContext() | 
|  | ->GetPermissionController() | 
|  | ->GetPermissionResultForCurrentDocument(descriptor, this) | 
|  | .status; | 
|  | } | 
|  |  | 
|  | media::PictureInPictureEventsInfo::AutoPipReasonCallback | 
|  | RenderFrameHostImpl::CreateAutoPipReasonCallback() { | 
|  | return base::BindRepeating( | 
|  | [](base::WeakPtr<RenderFrameHostImpl> rfh) { | 
|  | if (rfh == nullptr) { | 
|  | return media::PictureInPictureEventsInfo::AutoPipReason::kUnknown; | 
|  | } | 
|  | return rfh->delegate()->GetAutoPipInfo().auto_pip_reason; | 
|  | }, | 
|  | weak_ptr_factory_.GetWeakPtr()); | 
|  | } | 
|  |  | 
|  | }  // namespace content |