author scheib@chromium.org <scheib@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-06-05 20:28:21 +0000
committer scheib@chromium.org <scheib@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-06-05 20:28:21 +0000
commit 275c0fdfb05f546b7137b15a054e34d11bd1f9a3 (patch)
tree 312d1b0b99df4c544d6746c13ab6cf77b737acd7 /content
parent 42204e2c1653a481fdd94acd9d1692a4f7c0e767 (diff)
Only set MouseLockDispatcher unlocked_by_target_ after mouse lock confirmed.
When a target application voluntarily unlocks the mouse we permit relocking the mouse silently and with no user gesture requirement. Check that the lock request is not currently pending and not yet accepted by the browser process before setting |unlocked_by_target_|.

This corrects an omission in https://chromiumcodereview.appspot.com/10443045/.

It is very difficult to test this possible failure, as the requests must be processed by the renderer process before the browser process can respond to the IPCs. An attempt was made to create this exploit, but was not able to produce the failure.

BUG=113460
Review URL: https://chromiumcodereview.appspot.com/10512011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140598 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r-- content/renderer/mouse_lock_dispatcher.cc 9
1 files changed, 8 insertions, 1 deletions
diff --git a/content/renderer/mouse_lock_dispatcher.cc b/content/renderer/mouse_lock_dispatcher.cc
index 225c5a6..8d4c617 100644
--- a/content/renderer/mouse_lock_dispatcher.cc
+++ b/content/renderer/mouse_lock_dispatcher.cc
@@ -32,7 +32,14 @@ bool MouseLockDispatcher::LockMouse(LockTarget* target) {
void MouseLockDispatcher::UnlockMouse(LockTarget* target) {
if (target && target == target_ && !pending_unlock_request_) {
pending_unlock_request_ = true;
- unlocked_by_target_ = true;
+
+ // When a target application voluntarily unlocks the mouse we permit
+ // relocking the mouse silently and with no user gesture requirement.
+ // Check that the lock request is not currently pending and not yet
+ // accepted by the browser process before setting |unlocked_by_target_|.
+ if (!pending_lock_request_)
+ unlocked_by_target_ = true;
+
SendUnlockMouseRequest();
}
}
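Review bot: In UnlockMouse, when pending_lock_request_ is true the new if leaves unlocked_by_target_ at whatever value it already held instead of clearing it, and this hunk does not show where the flag is reset. Since the flag gates a silent relock with no user gesture, please confirm a stale true from an earlier lock/unlock cycle cannot survive into this path; if it can, assign the flag explicitly (unlocked_by_target_ = !pending_lock_request_;) rather than only setting it conditionally. The comment's "not currently pending and not yet accepted" is also hard to parse; wording such as "only set once the browser has confirmed the lock, i.e. no lock request is still pending" would state the invariant directly. The commit message notes no test was produced; a dispatcher-level test that calls UnlockMouse between LockMouse and the lock acknowledgement would cover this branch without having to win the IPC race.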