[NativeFileSystem] Make FileSystemHandle cloneable #18921
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wpt-pr-bot
approved these changes
Sep 9, 2019
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-1791942
branch
14 times, most recently
from
4f4613c
to
bcae0e2
Compare
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-1791942
branch
from
bcae0e2
to
34aa2d6
Compare
chromium-wpt-export-bot
changed the title
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-1791942
branch
2 times, most recently
from
a9d1819
to
172da72
Compare
Updates postMessage() to clone FileSystemFileHandle and FileSystemDirectoryHandle objects for same origin targets. Including a FileSystemHandle object with a cross origin message fails by dispatching a 'messageerror' event instead of 'message' event. The change consists of four parts: (1) Updates V8ScriptValueSerializerForModules to serialize FileSystemFileHandle and FileSystemDirectoryHandle into blink::SerializedScriptValue, by following these steps: * Write a tag for the handle type (file or directory). * Write the name of the file or directory. * Creates a mojom::blink::NativeFileSystemTransferTokenPtr by calling blink:NativeFileSystemHandle::Transfer(). This token informs the storage::NativeFileSystemManagerImpl that a transfer is in progress. The NativeFileSystemManagerImpl creates a NativeFileSystemTransferTokenImpl to store the information required to clone the handle. * Stores the token in blink::SerializedScriptValue::native_file_system_tokens_. This array tracks all cloned FileSystemFileHandle. The blink::mojom::CloneableMessage struct is also updated to hold this array for MessagePort and BroadcastChannels. * Write the index of the token in the native_file_system_tokens_ array. (2) Updates V8ScriptValueDeserializerForModules to deserialize FileSystemFileHandle objects when creating clones for the message targets. This is the inverse of (1). Deserializing uses mojom::blink::NativeFileSystemManager to redeem the token, which creates the mojom::blink::NativeFileSystemFileHandlePtr or mojom::blink::NativeFileSystemDirectoryHandlePtr using the info stored by NativeFileSystemTransferTokenImpl. (3) Updates content::NativeFileSystemManagerImpl to support token transfers. To redeem a token, NativeFileSystemManagerImpl receives a mojo message that includes the token as well as a request for a handle interface like mojom::blink::NativeFileSystemFileHandlePtr. NativeFileSystemManagerImpl finds the token and then binds the request. Token redemption does not return any results. Token redemption should never fail, unless a render process is misbehaving. NativeFileSystemManagerImpl performs a few sanity checks before binding the mojo request, including a token existence check, a handle type check and an origin check. If any of the sanity checks fail, NativeFileSystemManagerImpl silently fails closing the redeemed FileHandle's pipe. (4) Adds a cross origin check to window and message port messaging. Most message targets, like dedicated workers, are same origin only. However, both windows and message port messages can go cross origin. When a cross origin message includes a FileSystemHandle, the message must fail with a 'messageerror' event to prevent cross origin access to the FileSystemHandle. Messaging between windows already included origin information before this change. This change adds a NativeFileSystem origin check before dispatching a message event to a window. The message event is replaced with a message error when a cross origin NativeFileSystem object exists in the message data. For message ports, no sender origin information existed before this change. This change updates the CloneableMessage structs to include a 'sender_origin' url::Origin property. Message ports use this property to perform the same cross origin NativeFileSystem check as the window. The NativeFileSystemManagerImpl performs an additional origin check before binding the FileSystemHandle mojo request. The NativeFileSystemManagerImpl cannot trust the postMessage() origin check performed in the render process. Bug: 955192 Change-Id: Ieeb76bd8102067d70c5d7719622ecd4930c3a88f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1791942 Commit-Queue: Steve Becker <stevebe@microsoft.com> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Reviewed-by: Olivier Yiptong <oyiptong@chromium.org> Cr-Commit-Position: refs/heads/master@{#709407}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-1791942
branch
from
172da72
to
a820ee4
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updates postMessage() to clone FileSystemFileHandle and
FileSystemDirectoryHandle objects for same origin targets. Including
a FileSystemHandle object with a cross origin message fails by
dispatching a 'messageerror' event instead of 'message' event.
The change consists of four parts:
(1) Updates V8ScriptValueSerializerForModules to serialize
FileSystemFileHandle and FileSystemDirectoryHandle into
blink::SerializedScriptValue, by following these steps:
Write a tag for the handle type (file or directory).
Write the name of the file or directory.
Creates a mojom::blink::NativeFileSystemTransferTokenPtr by calling
blink:NativeFileSystemHandle::Transfer(). This token informs the
storage::NativeFileSystemManagerImpl that a transfer is in progress.
The NativeFileSystemManagerImpl creates a
NativeFileSystemTransferTokenImpl to store the information required
to clone the handle.
Stores the token in
blink::SerializedScriptValue::native_file_system_tokens_. This
array tracks all cloned FileSystemFileHandle. The
blink::mojom::CloneableMessage struct is also updated to hold this
array for MessagePort and BroadcastChannels.
Write the index of the token in the native_file_system_tokens_
array.
(2) Updates V8ScriptValueDeserializerForModules to deserialize
FileSystemFileHandle objects when creating clones for the message
targets. This is the inverse of (1). Deserializing uses
mojom::blink::NativeFileSystemManager to redeem the token, which
creates the mojom::blink::NativeFileSystemFileHandlePtr or
mojom::blink::NativeFileSystemDirectoryHandlePtr using the info
stored by NativeFileSystemTransferTokenImpl.
(3) Updates content::NativeFileSystemManagerImpl to support token
transfers. To redeem a token, NativeFileSystemManagerImpl receives
a mojo message that includes the token as well as a request for a
handle interface like mojom::blink::NativeFileSystemFileHandlePtr.
NativeFileSystemManagerImpl finds the token and then binds the request.
Token redemption does not return any results. Token redemption should
never fail, unless a render process is misbehaving.
NativeFileSystemManagerImpl performs a few sanity checks before binding
the mojo request, including a token existence check, a handle type
check and an origin check. If any of the sanity checks fail,
NativeFileSystemManagerImpl silently fails closing the redeemed
FileHandle's pipe.
(4) Adds a cross origin check to window and message port messaging.
Most message targets, like dedicated workers, are same origin only.
However, both windows and message port messages can go cross origin.
When a cross origin message includes a FileSystemHandle, the message
must fail with a 'messageerror' event to prevent cross origin access
to the FileSystemHandle.
Messaging between windows already included origin information before
this change. This change adds a NativeFileSystem origin check before
dispatching a message event to a window. The message event is
replaced with a message error when a cross origin NativeFileSystem
object exists in the message data.
For message ports, no sender origin information existed before this
change. This change updates the CloneableMessage structs to
include a 'sender_origin' url::Origin property. Message ports use
this property to perform the same cross origin NativeFileSystem
check as the window.
The NativeFileSystemManagerImpl performs an additional origin check
before binding the FileSystemHandle mojo request. The
NativeFileSystemManagerImpl cannot trust the postMessage() origin
check performed in the render process.
Bug: 955192
Change-Id: Ieeb76bd8102067d70c5d7719622ecd4930c3a88f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1791942
Commit-Queue: Steve Becker <stevebe@microsoft.com>
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Olivier Yiptong <oyiptong@chromium.org>
Cr-Commit-Position: refs/heads/master@{#709407}