author | fsamuel <fsamuel@chromium.org> | 2015-02-13 15:40:40 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-02-13 23:41:31 +0000 |
commit | 833ee7ced817effed9202b9cfddf85b067cf0edf (patch) | |
tree | 911ff97253afa71dc8148b33db1c9b980cd06d62 /extensions/common/guest_view | |
parent | 7e094504b6010caa1e17ccd526738c374366f81f (diff) | |
GuestViewManager mapped <owner WebContents, element instance ID> => guest instance ID on attachment. This routed IPCs from a given BrowserPlugin to the appropriate guest.
Element instance IDs are unique per process. This mapping is fine in Chrome Apps where the embedder doesn't navigate but not for when the embedder is capable of cross-process navigation. In that case, element instance IDs of two BrowserPlugins in two different embedder processes of the same WebContents have the same key, and would thus route to the same guest.
This is an issue because the lifetime of the exiting document overlaps with the lifetime of the entering document. Thus, racy behavior can occur. In particular, when navigating from one PDF to another, IPCs for tear down destined for the exiting BrowserPlugin can occasionally get routed to the entering BrowserPlugin. In bug 436339's case, the first step of tear down is to hide the guest content. That IPC ends up going to the entering guest, and so the new PDF is not displayed on screen.
This CL fixes the issue by using <embedder process id, element instance ID> as the key to map to a guest instead of the embedder WebContents as the first component.
BUG=436339
Review URL: https://codereview.chromium.org/921473006
Cr-Commit-Position: refs/heads/master@{#316328}
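A minimal model of the key collision described in the commit message above, added here as an illustration and not taken from the Chromium source. The class, function names and ID values are hypothetical, and the routing table is reduced to a single map.

```cpp
#include <cstdio>
#include <map>
#include <utility>

// Added illustration, not Chromium code: every name and ID is hypothetical.
constexpr int kNoGuest = -1;

// Routes (scope ID, element instance ID) -> guest instance ID. The scope is
// the owner WebContents in the old scheme and the embedder process ID in the
// scheme the commit message describes.
class GuestRouter {
 public:
  void Attach(int scope_id, int element_instance_id, int guest_instance_id) {
    routes_[std::make_pair(scope_id, element_instance_id)] = guest_instance_id;
  }
  int Lookup(int scope_id, int element_instance_id) const {
    auto it = routes_.find(std::make_pair(scope_id, element_instance_id));
    return it == routes_.end() ? kNoGuest : it->second;
  }

 private:
  std::map<std::pair<int, int>, int> routes_;
};

struct Sender {
  int web_contents_id;
  int process_id;
};

// Models a cross-process navigation inside one WebContents: the exiting and
// entering documents live in different renderer processes, and each process
// hands out element instance ID 1 to its first BrowserPlugin. Returns the
// guest that receives the exiting plugin's tear-down ("hide") IPC.
int RouteTeardownFromExitingDocument(bool key_on_process_id) {
  const Sender exiting{1, 100};   // constructed sample IDs
  const Sender entering{1, 200};  // same WebContents, new process
  const int kElementId = 1;
  const int kOldGuest = 7, kNewGuest = 8;
  auto scope = [&](const Sender& s) {
    return key_on_process_id ? s.process_id : s.web_contents_id;
  };
  GuestRouter router;
  router.Attach(scope(exiting), kElementId, kOldGuest);
  router.Attach(scope(entering), kElementId, kNewGuest);  // lifetimes overlap
  return router.Lookup(scope(exiting), kElementId);
}

int main() {
  std::printf("WebContents key -> guest %d\n", RouteTeardownFromExitingDocument(false));
  std::printf("process ID key  -> guest %d\n", RouteTeardownFromExitingDocument(true));
}
```

With the WebContents key the exiting document's message lands on the entering guest; with the process ID key it reaches the guest it was meant for.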
Diffstat (limited to 'extensions/common/guest_view')
-rw-r--r-- | extensions/common/guest_view/OWNERS | 13 |
-rw-r--r-- | extensions/common/guest_view/guest_view_messages.h | 3 |
2 files changed, 14 insertions, 2 deletions
diff --git a/extensions/common/guest_view/OWNERS b/extensions/common/guest_view/OWNERS index 057dbdc..bba0da4 100644 --- a/extensions/common/guest_view/OWNERS +++ b/extensions/common/guest_view/OWNERS @@ -1,2 +1,15 @@ fsamuel@chromium.org lazyboy@chromium.org + +# For security review of IPC message files. +per-file *_messages*.h=set noparent +per-file *_messages*.h=dcheng@chromium.org +per-file *_messages*.h=inferno@chromium.org +per-file *_messages*.h=jln@chromium.org +per-file *_messages*.h=jschuh@chromium.org +per-file *_messages*.h=kenrb@chromium.org +per-file *_messages*.h=mkwst@chromium.org +per-file *_messages*.h=nasko@chromium.org +per-file *_messages*.h=palmer@chromium.org +per-file *_messages*.h=tsepez@chromium.org +per-file *_messages*.h=wfh@chromium.org diff --git a/extensions/common/guest_view/guest_view_messages.h b/extensions/common/guest_view/guest_view_messages.h index 3f7096b..ac10c60 100644 --- a/extensions/common/guest_view/guest_view_messages.h +++ b/extensions/common/guest_view/guest_view_messages.h @@ -42,8 +42,7 @@ IPC_MESSAGE_CONTROL1(GuestViewMsg_GuestDetached, // Sent by the renderer to set initialization parameters of a Browser Plugin // that is identified by |element_instance_id|. -IPC_MESSAGE_CONTROL4(GuestViewHostMsg_AttachGuest, - int /* routing_id */, +IPC_MESSAGE_CONTROL3(GuestViewHostMsg_AttachGuest, int /* element_instance_id */, int /* guest_instance_id */, base::DictionaryValue /* attach_params */) |
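Review bot: In the OWNERS hunk, the comment "# For security review of IPC message files." does not say what `per-file *_messages*.h=set noparent` does to the two directory owners listed above it (fsamuel@ and lazyboy@), who appear to lose the ability to approve guest_view_messages.h on their own. If that is the intent, state it in the comment so the exclusion is not later "fixed" by adding them back. The ten reviewer addresses are also written out inline, so the comment should say where the canonical list is maintained to keep this copy from drifting.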
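Review bot: In the guest_view_messages.h hunk, the comment above GuestViewHostMsg_AttachGuest still says the Browser Plugin "is identified by |element_instance_id|", which is no longer sufficient on its own: the commit message states that element instance IDs are unique only per process and that the guest is now keyed on <embedder process id, element instance ID>. Since the message carries no process ID field after `int /* routing_id */` is dropped, please extend the comment to say the ID is scoped to the sending renderer process and where the browser side obtains that process ID. Separately, `int /* guest_instance_id */` is still supplied by the renderer; the handler is outside this diffstat, so it is worth confirming there that a guest ID the sending process is not entitled to attach is rejected.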