From 275c0fdfb05f546b7137b15a054e34d11bd1f9a3 Mon Sep 17 00:00:00 2001
From: "scheib@chromium.org"
Date: Tue, 5 Jun 2012 20:28:21 +0000
Subject: Only set MouseLockDispatcher unlocked_by_target_ after mouse lock confirmed.

When a target application voluntarily unlocks the mouse we permit relocking the mouse silently and with no user gesture requirement. Check that the lock request is not currently pending and not yet accepted by the browser process before setting |unlocked_by_target_|.

This corrects an ommision in https://chromiumcodereview.appspot.com/10443045/.

It is very difficult to test this possible failure, as the requests must be processed by the renderer process before the browser process can respond to the IPCs. An attempt was made to create this exploit, but was not able to produce the failure.

BUG=113460

Review URL: https://chromiumcodereview.appspot.com/10512011

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140598 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/renderer/mouse_lock_dispatcher.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'content')

diff --git a/content/renderer/mouse_lock_dispatcher.cc b/content/renderer/mouse_lock_dispatcher.cc
index 225c5a6..8d4c617 100644
--- a/content/renderer/mouse_lock_dispatcher.cc
+++ b/content/renderer/mouse_lock_dispatcher.cc
@@ -32,7 +32,14 @@ bool MouseLockDispatcher::LockMouse(LockTarget* target) {
 void MouseLockDispatcher::UnlockMouse(LockTarget* target) {
   if (target && target == target_ && !pending_unlock_request_) {
     pending_unlock_request_ = true;
-    unlocked_by_target_ = true;
+
+    // When a target application voluntarily unlocks the mouse we permit
+    // relocking the mouse silently and with no user gesture requirement.
+    // Check that the lock request is not currently pending and not yet
+    // accepted by the browser process before setting |unlocked_by_target_|.
+    if (!pending_lock_request_)
+      unlocked_by_target_ = true;
+
     SendUnlockMouseRequest();
   }
 }
-- 
cgit v1.1
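Review bot: The new guard sets `unlocked_by_target_` only when no lock request is pending but never clears it, so whatever value the flag already held survives this path whenever `pending_lock_request_` is true; that is only safe if the flag is reset where it is consumed (LockMouse or the lock ACK handler, both outside this hunk). Since this flag is what lets a page relock the mouse silently with no user gesture, making the reset local is cheap and keeps the invariant readable in one place: replace the two added lines with `if (!pending_lock_request_) unlocked_by_target_ = true; else unlocked_by_target_ = false;`, or equivalently `unlocked_by_target_ = !pending_lock_request_;` under the same comment. If LockMouse already clears the flag when it sends the request, a one-line comment here stating that would spare the next reader the same cross-check. UnlockMouse is complete within the hunk.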