1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
|
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/renderer_host/frame_tree.h"
#include <stddef.h>
#include <queue>
#include <set>
#include <utility>
#include "base/bind.h"
#include "base/callback.h"
#include "base/lazy_instance.h"
#include "base/memory/ptr_util.h"
#include "base/stl_util.h"
#include "base/unguessable_token.h"
#include "content/browser/renderer_host/frame_tree_node.h"
#include "content/browser/renderer_host/navigation_controller_impl.h"
#include "content/browser/renderer_host/navigation_entry_impl.h"
#include "content/browser/renderer_host/navigation_request.h"
#include "content/browser/renderer_host/navigator.h"
#include "content/browser/renderer_host/navigator_delegate.h"
#include "content/browser/renderer_host/render_frame_host_factory.h"
#include "content/browser/renderer_host/render_frame_host_impl.h"
#include "content/browser/renderer_host/render_frame_proxy_host.h"
#include "content/browser/renderer_host/render_view_host_factory.h"
#include "content/browser/renderer_host/render_view_host_impl.h"
#include "content/common/content_switches_internal.h"
#include "content/common/input_messages.h"
#include "third_party/blink/public/common/frame/frame_policy.h"
#include "third_party/blink/public/mojom/frame/frame_owner_properties.mojom.h"
namespace content {
namespace {
// Helper function to collect SiteInstances involved in rendering a single
// FrameTree (which is a subset of SiteInstances in main frame's proxy_hosts_
// because of openers).
std::set<SiteInstance*> CollectSiteInstances(FrameTree* tree) {
std::set<SiteInstance*> instances;
for (FrameTreeNode* node : tree->Nodes())
instances.insert(node->current_frame_host()->GetSiteInstance());
return instances;
}
} // namespace
FrameTree::NodeIterator::NodeIterator(const NodeIterator& other) = default;
FrameTree::NodeIterator::~NodeIterator() = default;
FrameTree::NodeIterator& FrameTree::NodeIterator::operator++() {
if (current_node_ != root_of_subtree_to_skip_) {
for (size_t i = 0; i < current_node_->child_count(); ++i) {
FrameTreeNode* child = current_node_->child_at(i);
queue_.push(child);
}
}
if (!queue_.empty()) {
current_node_ = queue_.front();
queue_.pop();
} else {
current_node_ = nullptr;
}
return *this;
}
bool FrameTree::NodeIterator::operator==(const NodeIterator& rhs) const {
return current_node_ == rhs.current_node_;
}
FrameTree::NodeIterator::NodeIterator(FrameTreeNode* starting_node,
FrameTreeNode* root_of_subtree_to_skip)
: current_node_(starting_node),
root_of_subtree_to_skip_(root_of_subtree_to_skip) {}
FrameTree::NodeIterator FrameTree::NodeRange::begin() {
// We shouldn't be attempting a frame tree traversal while the tree is
// being constructed.
DCHECK(root_->current_frame_host());
return NodeIterator(root_, root_of_subtree_to_skip_);
}
FrameTree::NodeIterator FrameTree::NodeRange::end() {
return NodeIterator(nullptr, nullptr);
}
FrameTree::NodeRange::NodeRange(FrameTreeNode* root,
FrameTreeNode* root_of_subtree_to_skip)
: root_(root), root_of_subtree_to_skip_(root_of_subtree_to_skip) {}
FrameTree::FrameTree(NavigationControllerImpl* navigation_controller,
NavigatorDelegate* navigator_delegate,
RenderFrameHostDelegate* render_frame_delegate,
RenderViewHostDelegate* render_view_delegate,
RenderWidgetHostDelegate* render_widget_delegate,
RenderFrameHostManager::Delegate* manager_delegate)
: render_frame_delegate_(render_frame_delegate),
render_view_delegate_(render_view_delegate),
render_widget_delegate_(render_widget_delegate),
manager_delegate_(manager_delegate),
navigator_(navigation_controller, navigator_delegate),
root_(new FrameTreeNode(this,
nullptr,
// The top-level frame must always be in a
// document scope.
blink::mojom::TreeScopeType::kDocument,
std::string(),
std::string(),
false,
base::UnguessableToken::Create(),
blink::mojom::FrameOwnerProperties(),
blink::mojom::FrameOwnerElementType::kNone)),
focused_frame_tree_node_id_(FrameTreeNode::kFrameTreeNodeInvalidId),
load_progress_(0.0) {}
FrameTree::~FrameTree() {
delete root_;
root_ = nullptr;
}
FrameTreeNode* FrameTree::FindByID(int frame_tree_node_id) {
for (FrameTreeNode* node : Nodes()) {
if (node->frame_tree_node_id() == frame_tree_node_id)
return node;
}
return nullptr;
}
FrameTreeNode* FrameTree::FindByRoutingID(int process_id, int routing_id) {
RenderFrameHostImpl* render_frame_host =
RenderFrameHostImpl::FromID(process_id, routing_id);
if (render_frame_host) {
FrameTreeNode* result = render_frame_host->frame_tree_node();
if (this == result->frame_tree())
return result;
}
RenderFrameProxyHost* render_frame_proxy_host =
RenderFrameProxyHost::FromID(process_id, routing_id);
if (render_frame_proxy_host) {
FrameTreeNode* result = render_frame_proxy_host->frame_tree_node();
if (this == result->frame_tree())
return result;
}
return nullptr;
}
FrameTreeNode* FrameTree::FindByName(const std::string& name) {
if (name.empty())
return root_;
for (FrameTreeNode* node : Nodes()) {
if (node->frame_name() == name)
return node;
}
return nullptr;
}
FrameTree::NodeRange FrameTree::Nodes() {
return NodesExceptSubtree(nullptr);
}
FrameTree::NodeRange FrameTree::SubtreeNodes(FrameTreeNode* subtree_root) {
return NodeRange(subtree_root, nullptr);
}
FrameTree::NodeRange FrameTree::NodesExceptSubtree(FrameTreeNode* node) {
return NodeRange(root_, node);
}
FrameTreeNode* FrameTree::AddFrame(
RenderFrameHostImpl* parent,
int process_id,
int new_routing_id,
mojo::PendingReceiver<service_manager::mojom::InterfaceProvider>
interface_provider_receiver,
mojo::PendingReceiver<blink::mojom::BrowserInterfaceBroker>
browser_interface_broker_receiver,
blink::mojom::TreeScopeType scope,
const std::string& frame_name,
const std::string& frame_unique_name,
bool is_created_by_script,
const base::UnguessableToken& frame_token,
const base::UnguessableToken& devtools_frame_token,
const blink::FramePolicy& frame_policy,
const blink::mojom::FrameOwnerProperties& frame_owner_properties,
bool was_discarded,
blink::mojom::FrameOwnerElementType owner_type) {
CHECK_NE(new_routing_id, MSG_ROUTING_NONE);
// A child frame always starts with an initial empty document, which means
// it is in the same SiteInstance as the parent frame. Ensure that the process
// which requested a child frame to be added is the same as the process of the
// parent node.
if (parent->GetProcess()->GetID() != process_id)
return nullptr;
std::unique_ptr<FrameTreeNode> new_node = base::WrapUnique(new FrameTreeNode(
this, parent, scope, frame_name, frame_unique_name, is_created_by_script,
devtools_frame_token, frame_owner_properties, owner_type));
// Set sandbox flags and container policy and make them effective immediately,
// since initial sandbox flags and feature policy should apply to the initial
// empty document in the frame. This needs to happen before the call to
// AddChild so that the effective policy is sent to any newly-created
// RenderFrameProxy objects when the RenderFrameHost is created.
// SetPendingFramePolicy is necessary here because next navigation on this
// frame will need the value of pending frame policy instead of effective
// frame policy.
new_node->SetPendingFramePolicy(frame_policy);
new_node->CommitFramePolicy(frame_policy);
if (was_discarded)
new_node->set_was_discarded();
// Add the new node to the FrameTree, creating the RenderFrameHost.
FrameTreeNode* added_node = parent->AddChild(std::move(new_node), process_id,
new_routing_id, frame_token);
DCHECK(interface_provider_receiver.is_valid());
added_node->current_frame_host()->BindInterfaceProviderReceiver(
std::move(interface_provider_receiver));
DCHECK(browser_interface_broker_receiver.is_valid());
added_node->current_frame_host()->BindBrowserInterfaceBrokerReceiver(
std::move(browser_interface_broker_receiver));
// The last committed NavigationEntry may have a FrameNavigationEntry with the
// same |frame_unique_name|, since we don't remove FrameNavigationEntries if
// their frames are deleted. If there is a stale one, remove it to avoid
// conflicts on future updates.
NavigationEntryImpl* last_committed_entry = static_cast<NavigationEntryImpl*>(
navigator_.GetController()->GetLastCommittedEntry());
if (last_committed_entry) {
last_committed_entry->RemoveEntryForFrame(
added_node, /* only_if_different_position = */ true);
}
// Now that the new node is part of the FrameTree and has a RenderFrameHost,
// we can announce the creation of the initial RenderFrame which already
// exists in the renderer process.
if (added_node->frame_owner_element_type() !=
blink::mojom::FrameOwnerElementType::kPortal) {
// Portals do not have a live RenderFrame in the renderer process.
added_node->current_frame_host()->SetRenderFrameCreated(true);
}
return added_node;
}
void FrameTree::RemoveFrame(FrameTreeNode* child) {
RenderFrameHostImpl* parent = child->parent();
if (!parent) {
NOTREACHED() << "Unexpected RemoveFrame call for main frame.";
return;
}
parent->RemoveChild(child);
}
void FrameTree::CreateProxiesForSiteInstance(FrameTreeNode* source,
SiteInstance* site_instance) {
// Create the RenderFrameProxyHost for the new SiteInstance.
if (!source || !source->IsMainFrame()) {
RenderViewHostImpl* render_view_host =
GetRenderViewHost(site_instance).get();
if (render_view_host) {
root()->render_manager()->EnsureRenderViewInitialized(render_view_host,
site_instance);
} else {
root()->render_manager()->CreateRenderFrameProxy(site_instance);
}
}
// Check whether we're in an inner delegate and |site_instance| corresponds
// to the outer delegate. Subframe proxies aren't needed if this is the
// case.
bool is_site_instance_for_outer_delegate = false;
RenderFrameProxyHost* outer_delegate_proxy =
root()->render_manager()->GetProxyToOuterDelegate();
if (outer_delegate_proxy) {
is_site_instance_for_outer_delegate =
(site_instance == outer_delegate_proxy->GetSiteInstance());
}
// Proxies are created in the FrameTree in response to a node navigating to a
// new SiteInstance. Since |source|'s navigation will replace the currently
// loaded document, the entire subtree under |source| will be removed, and
// thus proxy creation is skipped for all nodes in that subtree.
//
// However, a proxy *is* needed for the |source| node itself. This lets
// cross-process navigations in |source| start with a proxy and follow a
// remote-to-local transition, which avoids race conditions in cases where
// other navigations need to reference |source| before it commits. See
// https://crbug.com/756790 for more background. Therefore,
// NodesExceptSubtree(source) will include |source| in the nodes traversed
// (see NodeIterator::operator++).
for (FrameTreeNode* node : NodesExceptSubtree(source)) {
// If a new frame is created in the current SiteInstance, other frames in
// that SiteInstance don't need a proxy for the new frame.
RenderFrameHostImpl* current_host =
node->render_manager()->current_frame_host();
SiteInstance* current_instance = current_host->GetSiteInstance();
if (current_instance != site_instance) {
if (node == source && !current_host->IsRenderFrameLive()) {
// We don't create a proxy at |source| when the current RenderFrameHost
// isn't live. This is because either (1) the speculative
// RenderFrameHost will be committed immediately, and the proxy
// destroyed right away, in GetFrameHostForNavigation, which makes the
// races above impossible, or (2) the early commit will be skipped due
// to ShouldSkipEarlyCommitPendingForCrashedFrame, in which case the
// proxy for |source| *is* needed, but it will be created later in
// CreateProxiesForNewRenderFrameHost.
//
// TODO(fergal): Consider creating a proxy for |source| here rather than
// in CreateProxiesForNewRenderFrameHost for case (2) above.
continue;
}
// Do not create proxies for subframes in the outer delegate's
// SiteInstance, since there is no need to expose these subframes to the
// outer delegate. See also comments in CreateProxiesForChildFrame() and
// https://crbug.com/1013553.
if (!node->IsMainFrame() && is_site_instance_for_outer_delegate)
continue;
node->render_manager()->CreateRenderFrameProxy(site_instance);
}
}
}
RenderFrameHostImpl* FrameTree::GetMainFrame() const {
return root_->current_frame_host();
}
FrameTreeNode* FrameTree::GetFocusedFrame() {
return FindByID(focused_frame_tree_node_id_);
}
void FrameTree::SetFocusedFrame(FrameTreeNode* node, SiteInstance* source) {
if (node == GetFocusedFrame())
return;
std::set<SiteInstance*> frame_tree_site_instances =
CollectSiteInstances(this);
SiteInstance* current_instance =
node->current_frame_host()->GetSiteInstance();
// Update the focused frame in all other SiteInstances. If focus changes to
// a cross-process frame, this allows the old focused frame's renderer
// process to clear focus from that frame and fire blur events. It also
// ensures that the latest focused frame is available in all renderers to
// compute document.activeElement.
//
// We do not notify the |source| SiteInstance because it already knows the
// new focused frame (since it initiated the focus change), and we notify the
// new focused frame's SiteInstance (if it differs from |source|) separately
// below.
for (auto* instance : frame_tree_site_instances) {
if (instance != source && instance != current_instance) {
RenderFrameProxyHost* proxy =
node->render_manager()->GetRenderFrameProxyHost(instance);
proxy->SetFocusedFrame();
}
}
// If |node| was focused from a cross-process frame (i.e., via
// window.focus()), tell its RenderFrame that it should focus.
if (current_instance != source)
node->current_frame_host()->SetFocusedFrame();
focused_frame_tree_node_id_ = node->frame_tree_node_id();
node->DidFocus();
// The accessibility tree data for the root of the frame tree keeps
// track of the focused frame too, so update that every time the
// focused frame changes.
root()->current_frame_host()->GetOutermostMainFrame()->UpdateAXTreeData();
}
void FrameTree::SetFrameRemoveListener(
base::RepeatingCallback<void(RenderFrameHost*)> on_frame_removed) {
on_frame_removed_ = std::move(on_frame_removed);
}
scoped_refptr<RenderViewHostImpl> FrameTree::CreateRenderViewHost(
SiteInstance* site_instance,
int32_t main_frame_routing_id,
bool swapped_out) {
RenderViewHostImpl* rvh =
static_cast<RenderViewHostImpl*>(RenderViewHostFactory::Create(
site_instance, render_view_delegate_, render_widget_delegate_,
main_frame_routing_id, swapped_out));
return base::WrapRefCounted(rvh);
}
scoped_refptr<RenderViewHostImpl> FrameTree::GetRenderViewHost(
SiteInstance* site_instance) {
auto it = render_view_host_map_.find(site_instance->GetId());
if (it == render_view_host_map_.end())
return nullptr;
return base::WrapRefCounted(it->second);
}
void FrameTree::RegisterRenderViewHost(RenderViewHostImpl* rvh) {
CHECK(
!base::Contains(render_view_host_map_, rvh->GetSiteInstance()->GetId()));
render_view_host_map_[rvh->GetSiteInstance()->GetId()] = rvh;
}
void FrameTree::UnregisterRenderViewHost(RenderViewHostImpl* rvh) {
auto it = render_view_host_map_.find(rvh->GetSiteInstance()->GetId());
CHECK(it != render_view_host_map_.end());
CHECK_EQ(it->second, rvh);
render_view_host_map_.erase(it);
}
void FrameTree::FrameUnloading(FrameTreeNode* frame) {
if (frame->frame_tree_node_id() == focused_frame_tree_node_id_)
focused_frame_tree_node_id_ = FrameTreeNode::kFrameTreeNodeInvalidId;
// Ensure frames that are about to be deleted aren't visible from the other
// processes anymore.
frame->render_manager()->ResetProxyHosts();
}
void FrameTree::FrameRemoved(FrameTreeNode* frame) {
if (frame->frame_tree_node_id() == focused_frame_tree_node_id_)
focused_frame_tree_node_id_ = FrameTreeNode::kFrameTreeNodeInvalidId;
// No notification for the root frame.
if (!frame->parent()) {
CHECK_EQ(frame, root_);
return;
}
// Notify observers of the frame removal.
if (!on_frame_removed_.is_null())
on_frame_removed_.Run(frame->current_frame_host());
}
void FrameTree::UpdateLoadProgress(double progress) {
if (progress <= load_progress_)
return;
load_progress_ = progress;
// Notify the WebContents.
root_->navigator().GetDelegate()->DidChangeLoadProgress();
}
void FrameTree::ResetLoadProgress() {
load_progress_ = 0.0;
}
bool FrameTree::IsLoading() const {
for (const FrameTreeNode* node : const_cast<FrameTree*>(this)->Nodes()) {
if (node->IsLoading())
return true;
}
return false;
}
void FrameTree::ReplicatePageFocus(bool is_focused) {
std::set<SiteInstance*> frame_tree_site_instances =
CollectSiteInstances(this);
// Send the focus update to main frame's proxies in all SiteInstances of
// other frames in this FrameTree. Note that the main frame might also know
// about proxies in SiteInstances for frames in a different FrameTree (e.g.,
// for window.open), so we can't just iterate over its proxy_hosts_ in
// RenderFrameHostManager.
for (auto* instance : frame_tree_site_instances)
SetPageFocus(instance, is_focused);
}
void FrameTree::SetPageFocus(SiteInstance* instance, bool is_focused) {
RenderFrameHostManager* root_manager = root_->render_manager();
// This is only used to set page-level focus in cross-process subframes, and
// requests to set focus in main frame's SiteInstance are ignored.
if (instance != root_manager->current_frame_host()->GetSiteInstance()) {
RenderFrameProxyHost* proxy =
root_manager->GetRenderFrameProxyHost(instance);
proxy->GetAssociatedRemoteFrame()->SetPageFocus(is_focused);
}
}
void FrameTree::RegisterExistingOriginToPreventOptInIsolation(
const url::Origin& previously_visited_origin,
NavigationRequest* navigation_request_to_exclude) {
std::unordered_set<SiteInstance*> matching_site_instances;
// Be sure to visit all RenderFrameHosts associated with this frame that might
// have an origin that could script other frames. We skip RenderFrameHosts
// that are in the bfcache, assuming there's no way for a frame to join the
// BrowsingInstance of a bfcache RFH while it's in the cache.
for (auto* frame_tree_node : SubtreeNodes(root())) {
auto* frame_host = frame_tree_node->current_frame_host();
if (previously_visited_origin == frame_host->GetLastCommittedOrigin())
matching_site_instances.insert(frame_host->GetSiteInstance());
if (frame_host->HasCommittingNavigationRequestForOrigin(
previously_visited_origin, navigation_request_to_exclude)) {
matching_site_instances.insert(frame_host->GetSiteInstance());
}
auto* spec_frame_host =
frame_tree_node->render_manager()->speculative_frame_host();
if (spec_frame_host &&
spec_frame_host->HasCommittingNavigationRequestForOrigin(
previously_visited_origin, navigation_request_to_exclude)) {
matching_site_instances.insert(spec_frame_host->GetSiteInstance());
}
auto* navigation_request = frame_tree_node->navigation_request();
if (navigation_request &&
navigation_request != navigation_request_to_exclude &&
navigation_request->HasCommittingOrigin(previously_visited_origin)) {
matching_site_instances.insert(frame_host->GetSiteInstance());
}
}
// Update any SiteInstances found to contain |origin|.
for (auto* site_instance : matching_site_instances) {
static_cast<SiteInstanceImpl*>(site_instance)
->PreventOptInOriginIsolation(previously_visited_origin);
}
}
} // namespace content
|
