Closed Bug 1842036 Opened 2 years ago Closed 2 years ago

[wpt-sync] Sync PR 40903 - Synthetic gestures only dispatch to visible widget

Categories: Testing :: web-platform-tests, task, P4

Tracking: firefox117 fixed

Status: RESOLVED FIXED, 117 Branch

People: Reporter: wpt-sync, Unassigned

Details: Whiteboard: [wptsync downstream]

Sync web-platform-tests PR 40903 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/40903
Details from upstream follow.

David Bokan <bokan@chromium.org> wrote:

Synthetic gestures only dispatch to visible widget

This UAF is caused by a synthetic pointer being routed to browser UI. In
this case, it starts dragging a tab which starts a nested message loop.
Further events and gestures are processed in this nested loop and
cleaned up. When the message loop returns the stack contains the cleaned
up pointers.

Synthetic gestures shouldn't be able to target UI outside the web
contents area. The event location is intersected with the web contents'
RenderWidget's view bounds to prevent this [1]. However, the bounds will
be inaccurate if the widget is in a background tab; it won't receive
resizes until it's foregrounded (it's also bad that we can dispatch
events to a different tab).

This CL fixes the issue by ensuring events are dispatched only to a
foregrounded widget. If a synthetic gesture is started while the widget
is in a background tab, its start is deferred until it comes into the
foreground. If the widget is backgrounded while a gesture is in
progress, the gesture is aborted.

Note: we don't do this for DevTools injected events as those skip event
routing and go straight to the injecting renderer. The comment in [2]
makes me think this is a common use case.

[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:content/browser/renderer_host/input/synthetic_gesture_target_base.cc;l=155;drc=ac872e771ce001fef191848bab4167d60dfda403
[2] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:content/browser/renderer_host/input/synthetic_gesture_target_aura.cc;l=140;drc=ac872e771ce001fef191848bab4167d60dfda403

Bug: 1444597
Change-Id: I2955ce60357f7f03e62f44fd1497bd4ea598f660
Reviewed-on: https://chromium-review.googlesource.com/4666793
WPT-Export-Revision: abda8cb1c3d36a63480a83f321702bed000c1136
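The commit message describes the fix as a lifecycle rule: a synthetic gesture that starts against a background tab is deferred until the tab is foregrounded, and a gesture in progress is aborted when its tab is backgrounded, so events never reach a widget whose bounds are stale or that is no longer the one in front. The following is an added illustration of that rule as a small state machine; it is not Chromium's code, and `Widget`, `SyntheticGestureController`, the `GestureState` values and the two scenario helpers are all hypothetical names chosen for this example.

```cpp
#include <functional>
#include <iostream>

// Lifecycle of one synthetic gesture (hypothetical, not Chromium's enum).
enum class GestureState { kIdle, kDeferred, kRunning, kAborted, kCompleted };

// Stand-in for the web contents' widget: only its visibility matters here.
class Widget {
 public:
  bool visible() const { return visible_; }
  void SetVisible(bool visible) {
    visible_ = visible;
    if (observer_) observer_(visible);
  }
  void SetObserver(std::function<void(bool)> observer) { observer_ = std::move(observer); }

 private:
  bool visible_ = false;  // a freshly created tab is treated as background
  std::function<void(bool)> observer_;
};

// Dispatches a synthetic gesture only while its target widget is visible:
// a start requested while hidden is deferred, and a running gesture is
// aborted as soon as the widget is backgrounded.
class SyntheticGestureController {
 public:
  explicit SyntheticGestureController(Widget& widget) : widget_(widget) {
    widget_.SetObserver([this](bool visible) { OnVisibilityChanged(visible); });
  }
  ~SyntheticGestureController() { widget_.SetObserver(nullptr); }

  GestureState Start() {
    if (state_ != GestureState::kIdle) return state_;
    state_ = widget_.visible() ? GestureState::kRunning : GestureState::kDeferred;
    return state_;
  }
  // Events are forwarded only while the gesture is actually running;
  // anything else is dropped instead of being routed to whatever is in front.
  bool DispatchEvent() {
    if (state_ != GestureState::kRunning) return false;
    ++dispatched_;
    return true;
  }
  GestureState Finish() {
    if (state_ == GestureState::kRunning) state_ = GestureState::kCompleted;
    return state_;
  }
  GestureState state() const { return state_; }
  int dispatched() const { return dispatched_; }

 private:
  void OnVisibilityChanged(bool visible) {
    if (visible && state_ == GestureState::kDeferred) state_ = GestureState::kRunning;
    else if (!visible && state_ == GestureState::kRunning) state_ = GestureState::kAborted;
  }
  Widget& widget_;
  GestureState state_ = GestureState::kIdle;
  int dispatched_ = 0;
};

struct ScenarioResult {
  GestureState state;
  int dispatched;
};

// Scenario 1: a gesture requested on a background tab is deferred and only
// runs once the tab is foregrounded. Expected: kCompleted, 2 events dispatched.
ScenarioResult DeferredStartScenario() {
  Widget widget;  // hidden
  SyntheticGestureController ctl(widget);
  ctl.Start();              // kDeferred
  ctl.DispatchEvent();      // ignored: widget bounds would be stale
  widget.SetVisible(true);  // kRunning
  ctl.DispatchEvent();
  ctl.DispatchEvent();
  return {ctl.Finish(), ctl.dispatched()};
}

// Scenario 2: the tab is backgrounded mid-gesture; the gesture aborts and
// later events are dropped. Expected: kAborted, 1 event dispatched.
ScenarioResult AbortOnHideScenario() {
  Widget widget;
  widget.SetVisible(true);
  SyntheticGestureController ctl(widget);
  ctl.Start();               // kRunning
  ctl.DispatchEvent();
  widget.SetVisible(false);  // kAborted
  ctl.DispatchEvent();       // dropped
  return {ctl.Finish(), ctl.dispatched()};
}

int main() {
  std::cout << "deferred start: " << DeferredStartScenario().dispatched << " events dispatched\n";
  std::cout << "abort on hide: " << AbortOnHideScenario().dispatched << " events dispatched\n";
  return 0;
}
```

The point of tying dispatch to a visibility observer rather than a one-time check at `Start()` is the second scenario: the hazard the commit describes arises after the gesture has begun, so the decision has to be re-evaluated on every visibility change, not only at the start.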

CI Results

Ran 9 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 2 tests and 1 subtests

Status Summary

Firefox

OK : 1[Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] 2[GitHub]
PASS : 1
FAIL : 1
ERROR : 1

Chrome

PASS : 1
TIMEOUT: 1
ERROR : 2

Safari

OK : 2
PASS : 1
FAIL : 1

Details

Firefox-only Failures

New Tests That Don't Pass

  • /payment-request/payment-request-disallowed-when-hidden.https.html [wpt.fyi]: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] (Chrome: ERROR, Safari: OK)
    • PaymentRequest.show() cannot be triggered from a hidden context: FAIL (Chrome: PASS, Safari: PASS)
  • /event-timing/event-click-visibilitychange.html [wpt.fyi]: ERROR [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview], OK [Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt, GitHub] (Chrome: ERROR, Safari: OK)

Tests Disabled in Gecko Infrastructure

  • /payment-request/payment-request-disallowed-when-hidden.https.html [wpt.fyi]: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] (Chrome: ERROR, Safari: OK)

Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/99f430db30c7 [wpt PR 40903] - Synthetic gestures only dispatch to visible widget, a=testonly
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch