[Backport] Dependency for CVE-2024-11116

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5381283:
view-transition: Add paint holding for same-origin cross-RFH navigations

For a same-origin navigation within the same RFH, there is no change in
the SurfaceID embedded by the parent frame. This means when the
navigation commits, redraws by the embedder display painted content from
the previous Document until the new Document is ready to render.

However for same-origin navigations which are cross-RFH, i.e. the default
path for RenderDocument, the SurfaceID embedded by the parent frame is
changed to point to the new RFH's FrameSinkId. This means there is a
flash of no content until the new Document paints.

Avoid the above by using the old Document's SurfaceID as a fallback with
a timeout. The approach is similar to the fallback Surface logic in the
browser process for main frame navigations.

[email protected], [email protected]

Bug: 330920526
Change-Id: Iec7d0a3bc5b8d5d9191f935a8ea20c1f08f2cefd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5381283
Reviewed-by: Charlie Reis <[email protected]>
Reviewed-by: Ken Buchanan <[email protected]>
Reviewed-by: Chris Harrelson <[email protected]>
Auto-Submit: Khushal Sagar <[email protected]>
Commit-Queue: Khushal Sagar <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1292531}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/604271
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/607612

Author: khushalsagar

chromium/content/browser/renderer_host/cross_process_frame_connector.cc

@@ -60,10 +60,11 @@ CrossProcessFrameConnector::~CrossProcessFrameConnector() {
   }
 
   // Notify the view of this object being destroyed, if the view still exists.
-  SetView(nullptr);
+  SetView(nullptr, /*allow_paint_holding=*/false);
 }
 
-void CrossProcessFrameConnector::SetView(RenderWidgetHostViewChildFrame* view) {
+void CrossProcessFrameConnector::SetView(RenderWidgetHostViewChildFrame* view,
+                                         bool allow_paint_holding) {
   // Detach ourselves from the previous |view_|.
   if (view_) {
     RenderWidgetHostViewBase* root_view = GetRootRenderWidgetHostView();
@@ -110,7 +111,7 @@ void CrossProcessFrameConnector::SetView(RenderWidgetHostViewChildFrame* view) {
     if (frame_proxy_in_parent_renderer_ &&
         frame_proxy_in_parent_renderer_->is_render_frame_proxy_live()) {
       frame_proxy_in_parent_renderer_->GetAssociatedRemoteFrame()
-          ->SetFrameSinkId(view_->GetFrameSinkId());
+          ->SetFrameSinkId(view_->GetFrameSinkId(), allow_paint_holding);
     }
   }
 }

chromium/content/browser/renderer_host/cross_process_frame_connector.h

@@ -100,7 +100,7 @@ class CONTENT_EXPORT CrossProcessFrameConnector {
   // above.
   RenderWidgetHostViewChildFrame* get_view_for_testing() { return view_; }
 
-  void SetView(RenderWidgetHostViewChildFrame* view);
+  void SetView(RenderWidgetHostViewChildFrame* view, bool allow_paint_holding);
 
   // Returns the parent RenderWidgetHostView or nullptr if it doesn't have one.
   virtual RenderWidgetHostViewBase* GetParentRenderWidgetHostView();

chromium/content/browser/renderer_host/navigator.cc

@@ -516,6 +516,10 @@ void Navigator::DidNavigate(
   // Store this information before DidNavigateFrame() potentially swaps RFHs.
   url::Origin old_frame_origin = old_frame_host->GetLastCommittedOrigin();
 
+  // Only allow paint holding for same-origin navigations.
+  const bool allow_subframe_paint_holding =
+      old_frame_origin.IsSameOriginWith(params.origin);
+
   // DidNavigateFrame() must be called before replicating the new origin and
   // other properties to proxies.  This is because it destroys the subframes of
   // the frame we're navigating from, which might trigger those subframes to
@@ -526,7 +530,8 @@ void Navigator::DidNavigate(
       was_within_same_document,
       navigation_request->browsing_context_group_swap()
           .ShouldClearProxiesOnCommit(),
-      navigation_request->commit_params().frame_policy);
+      navigation_request->commit_params().frame_policy,
+      allow_subframe_paint_holding);
 
   // The main frame, same site, and cross-site navigation checks for user
   // activation mirror the checks in DocumentLoader::CommitNavigation() (note:

chromium/content/browser/renderer_host/render_frame_host_impl.cc

@@ -8546,7 +8546,8 @@ void RenderFrameHostImpl::AdoptPortal(
                                        ->render_manager()
                                        ->GetRenderWidgetHostView()
                                        ->GetFrameSinkId();
-  proxy_host->GetAssociatedRemoteFrame()->SetFrameSinkId(frame_sink_id);
+  // generally disallow paint holding for security reasons
+  proxy_host->GetAssociatedRemoteFrame()->SetFrameSinkId(frame_sink_id, /*allow_paint_holding*/ false);
 
   std::move(callback).Run(
       proxy_host->frame_tree_node()->current_replication_state().Clone(),

chromium/content/browser/renderer_host/render_frame_host_manager.cc

@@ -731,10 +731,11 @@ void RenderFrameHostManager::DidNavigateFrame(
     bool was_caused_by_user_gesture,
     bool is_same_document_navigation,
     bool clear_proxies_on_commit,
-    const blink::FramePolicy& frame_policy) {
+    const blink::FramePolicy& frame_policy,
+    bool allow_subframe_paint_holding) {
   CommitPendingIfNecessary(render_frame_host, was_caused_by_user_gesture,
-                           is_same_document_navigation,
-                           clear_proxies_on_commit);
+                           is_same_document_navigation, clear_proxies_on_commit,
+                           allow_subframe_paint_holding);
 
   // Make sure any dynamic changes to this frame's sandbox flags and permissions
   // policy that were made prior to navigation take effect.  This should only
@@ -770,7 +771,8 @@ void RenderFrameHostManager::CommitPendingIfNecessary(
     RenderFrameHostImpl* render_frame_host,
     bool was_caused_by_user_gesture,
     bool is_same_document_navigation,
-    bool clear_proxies_on_commit) {
+    bool clear_proxies_on_commit,
+    bool allow_subframe_paint_holding) {
   if (!speculative_render_frame_host_) {
     // There's no speculative RenderFrameHost so it must be that the current
     // RenderFrameHost completed a navigation.
@@ -784,7 +786,8 @@ void RenderFrameHostManager::CommitPendingIfNecessary(
   if (render_frame_host == speculative_render_frame_host_.get()) {
     // A cross-RenderFrameHost navigation completed, so show the new renderer.
     CommitPending(std::move(speculative_render_frame_host_),
-                  std::move(stored_page_to_restore_), clear_proxies_on_commit);
+                  std::move(stored_page_to_restore_), clear_proxies_on_commit,
+                  allow_subframe_paint_holding);
 
     if (GetNavigationQueueingFeatureLevel() >=
         NavigationQueueingFeatureLevel::kAvoidRedundantCancellations) {
@@ -1467,7 +1470,8 @@ void RenderFrameHostManager::PerformEarlyRenderFrameHostSwapIfNeeded(
 
   CommitPending(
       std::move(speculative_render_frame_host_), nullptr,
-      request->browsing_context_group_swap().ShouldClearProxiesOnCommit());
+      request->browsing_context_group_swap().ShouldClearProxiesOnCommit(),
+      /* allow_subframe_paint_holding */ false);
   request->SetAssociatedRFHType(
       NavigationRequest::AssociatedRenderFrameHostType::CURRENT);
 
@@ -4028,7 +4032,8 @@ void RenderFrameHostManager::SetRWHViewForInnerFrameTree(
     RenderWidgetHostViewChildFrame* child_rwhv) {
   DCHECK(IsMainFrameForInnerDelegate());
   DCHECK(GetProxyToOuterDelegate());
-  GetProxyToOuterDelegate()->SetChildRWHView(child_rwhv, nullptr);
+  GetProxyToOuterDelegate()->SetChildRWHView(child_rwhv, nullptr,
+                                             /*allow_paint_holding=*/false);
 }
 
 bool RenderFrameHostManager::InitRenderView(
@@ -4340,7 +4345,8 @@ RenderFrameHostManager::GetFrameTokenForSiteInstanceGroup(
 void RenderFrameHostManager::CommitPending(
     std::unique_ptr<RenderFrameHostImpl> pending_rfh,
     std::unique_ptr<StoredPage> pending_stored_page,
-    bool clear_proxies_on_commit) {
+    bool clear_proxies_on_commit,
+    bool allow_subframe_paint_holding) {
   TRACE_EVENT1("navigation", "RenderFrameHostManager::CommitPending",
                "FrameTreeNode id", frame_tree_node_->frame_tree_node_id());
   CHECK(pending_rfh);
@@ -4730,7 +4736,7 @@ void RenderFrameHostManager::CommitPending(
   if (proxy_to_parent_or_outer_delegate) {
     proxy_to_parent_or_outer_delegate->SetChildRWHView(
         static_cast<RenderWidgetHostViewChildFrame*>(new_view),
-        old_size ? &*old_size : nullptr);
+        old_size ? &*old_size : nullptr, allow_subframe_paint_holding);
   }
 
   if (render_frame_host_->is_local_root()) {
@@ -5136,8 +5142,10 @@ void RenderFrameHostManager::CreateNewFrameForInnerDelegateAttachIfNecessary() {
   // Swap in the speculative frame. It will later be replaced when
   // WebContents::AttachToOuterWebContentsFrame is called.
   speculative_render_frame_host_->SwapIn();
+
   CommitPending(std::move(speculative_render_frame_host_), nullptr,
-                false /* clear_proxies_on_commit */);
+                false /* clear_proxies_on_commit */,
+                /* allow_subframe_paint_holding */ false);
   NotifyPrepareForInnerDelegateAttachComplete(true /* success */);
 }
 

chromium/content/browser/renderer_host/render_frame_host_manager.h

@@ -322,7 +322,8 @@ class CONTENT_EXPORT RenderFrameHostManager {
                         bool was_caused_by_user_gesture,
                         bool is_same_document_navigation,
                         bool clear_proxies_on_commit,
-                        const blink::FramePolicy& frame_policy);
+                        const blink::FramePolicy& frame_policy,
+                        bool allow_subframe_paint_holding);
 
   // Called when this frame's opener is changed to the frame specified by
   // |opener_frame_token| in |source_site_instance_group|'s process.  This
@@ -971,15 +972,19 @@ class CONTENT_EXPORT RenderFrameHostManager {
   // |clear_proxies_on_commit| Indicates if the proxies and opener must be
   // removed during the commit. This can happen following some BrowsingInstance
   // swaps, such as those for COOP.
+  // |allow_subframe_paint_holding| Indicates that paint holding is allowed if
+  // this is a subframe navigation.
   void CommitPending(std::unique_ptr<RenderFrameHostImpl> pending_rfh,
                      std::unique_ptr<StoredPage> pending_stored_page,
-                     bool clear_proxies_on_commit);
+                     bool clear_proxies_on_commit,
+                     bool allow_subframe_paint_holding);
 
   // Helper to call CommitPending() in all necessary cases.
   void CommitPendingIfNecessary(RenderFrameHostImpl* render_frame_host,
                                 bool was_caused_by_user_gesture,
                                 bool is_same_document_navigation,
-                                bool clear_proxies_on_commit);
+                                bool clear_proxies_on_commit,
+                                bool allow_subframe_paint_holding);
 
   // Runs the unload handler in the old RenderFrameHost, after the new
   // RenderFrameHost has committed.  |old_render_frame_host| will either be

chromium/content/browser/renderer_host/render_frame_proxy_host.cc

@@ -192,10 +192,10 @@ RenderFrameProxyHost::~RenderFrameProxyHost() {
   TRACE_EVENT_END("navigation", perfetto::Track::FromPointer(this));
 }
 
-void RenderFrameProxyHost::SetChildRWHView(
-    RenderWidgetHostViewChildFrame* view,
-    const gfx::Size* initial_frame_size) {
-  cross_process_frame_connector_->SetView(view);
+void RenderFrameProxyHost::SetChildRWHView(RenderWidgetHostViewChildFrame* view,
+                                           const gfx::Size* initial_frame_size,
+                                           bool allow_paint_holding) {
+  cross_process_frame_connector_->SetView(view, allow_paint_holding);
   if (initial_frame_size)
     cross_process_frame_connector_->SetLocalFrameSize(*initial_frame_size);
 }

chromium/content/browser/renderer_host/render_frame_proxy_host.h

@@ -164,7 +164,8 @@ class CONTENT_EXPORT RenderFrameProxyHost
   // receives its size from the parent via FrameHostMsg_UpdateResizeParams
   // before it begins parsing the content.
   void SetChildRWHView(RenderWidgetHostViewChildFrame* view,
-                       const gfx::Size* initial_frame_size);
+                       const gfx::Size* initial_frame_size,
+                       bool allow_paint_holding);
 
   RenderViewHostImpl* GetRenderViewHost();
 

chromium/content/browser/renderer_host/render_widget_host_impl.cc

@@ -117,6 +117,7 @@
 #include "third_party/blink/public/common/input/synthetic_web_input_event_builders.h"
 #include "third_party/blink/public/common/storage_key/storage_key.h"
 #include "third_party/blink/public/common/web_preferences/web_preferences.h"
+#include "third_party/blink/public/common/widget/constants.h"
 #include "third_party/blink/public/common/widget/visual_properties.h"
 #include "third_party/blink/public/mojom/drag/drag.mojom.h"
 #include "third_party/blink/public/mojom/frame/intrinsic_sizing_info.mojom.h"
@@ -165,10 +166,6 @@ using blink::WebMouseWheelEvent;
 namespace content {
 namespace {
 
-// How long to wait for newly loaded content to send a compositor frame
-// before clearing previously displayed graphics.
-constexpr base::TimeDelta kNewContentRenderingDelay = base::Seconds(4);
-
 constexpr gfx::Rect kInvalidScreenRect(std::numeric_limits<int>::max(),
                                        std::numeric_limits<int>::max(),
                                        0,
@@ -438,7 +435,7 @@ RenderWidgetHostImpl::RenderWidgetHostImpl(
               switches::kDisableHangMonitor)),
       latency_tracker_(delegate_),
       hung_renderer_delay_(kHungRendererDelay),
-      new_content_rendering_delay_(kNewContentRenderingDelay),
+      new_content_rendering_delay_(blink::kNewContentRenderingDelay),
       frame_token_message_queue_(std::move(frame_token_message_queue)),
       render_frame_metadata_provider_(
 #if BUILDFLAG(IS_MAC)

chromium/content/browser/renderer_host/render_widget_host_view_child_frame.cc

@@ -406,7 +406,7 @@ void RenderWidgetHostViewChildFrame::Destroy() {
   // have already been cleared when RenderWidgetHostViewBase notified its
   // observers of our impending destruction.
   if (frame_connector_) {
-    frame_connector_->SetView(nullptr);
+    frame_connector_->SetView(nullptr, /*allow_paint_holding=*/false);
     SetFrameConnector(nullptr);
   }
 

chromium/third_party/blink/common/widget/constants.cc

@@ -8,4 +8,6 @@ namespace blink {
 
 const int kMinimumWindowSize = 100;
 
+const base::TimeDelta kNewContentRenderingDelay = base::Seconds(4);
+
 }  // namespace blink

chromium/third_party/blink/public/common/widget/constants.h

@@ -5,6 +5,7 @@
 #ifndef THIRD_PARTY_BLINK_PUBLIC_COMMON_WIDGET_CONSTANTS_H_
 #define THIRD_PARTY_BLINK_PUBLIC_COMMON_WIDGET_CONSTANTS_H_
 
+#include "base/time/time.h"
 #include "third_party/blink/public/common/common_export.h"
 
 namespace blink {
@@ -13,6 +14,9 @@ namespace blink {
 // window object
 BLINK_COMMON_EXPORT extern const int kMinimumWindowSize;
 
+// The timeout for clearing old paint for a cross-document navigation.
+BLINK_COMMON_EXPORT extern const base::TimeDelta kNewContentRenderingDelay;
+
 }  // namespace blink
 
 #endif  // THIRD_PARTY_BLINK_PUBLIC_COMMON_WIDGET_CONSTANTS_H_

chromium/third_party/blink/public/mojom/frame/remote_frame.mojom

@@ -404,7 +404,11 @@ interface RemoteFrame {
 
   // Notifies this remote frame that its associated compositing
   // destination (RenderWidgetHostView) has changed.
-  SetFrameSinkId(viz.mojom.FrameSinkId frame_sink_id);
+  //
+  // The embedder can keep using the painted content from the previous frame
+  // sink until the new frame sink produces a new frame, i.e., paint holding.
+  // `allow_paint_holding` is used to limit this to same-origin navigations.
+  SetFrameSinkId(viz.mojom.FrameSinkId frame_sink_id, bool allow_paint_holding);
 
   // Notifies the remote frame that the process rendering the child frame's
   // contents has terminated.

chromium/third_party/blink/renderer/core/frame/child_frame_compositing_helper.cc

@@ -12,7 +12,10 @@
 #include "cc/paint/paint_image.h"
 #include "cc/paint/paint_image_builder.h"
 #include "skia/ext/image_operations.h"
+#include "third_party/blink/public/common/widget/constants.h"
 #include "third_party/blink/renderer/core/frame/child_frame_compositor.h"
+#include "third_party/blink/renderer/platform/runtime_enabled_features.h"
+#include "third_party/blink/renderer/platform/wtf/functional.h"
 #include "third_party/skia/include/core/SkBitmap.h"
 #include "third_party/skia/include/core/SkImage.h"
 #include "ui/gfx/geometry/point_f.h"
@@ -46,11 +49,14 @@ void ChildFrameCompositingHelper::ChildFrameGone(float device_scale_factor) {
 
 void ChildFrameCompositingHelper::SetSurfaceId(
     const viz::SurfaceId& surface_id,
-    bool capture_sequence_number_changed) {
+    CaptureSequenceNumberChanged capture_sequence_number_changed,
+    AllowPaintHolding allow_paint_holding) {
   if (surface_id_ == surface_id)
     return;
 
+  const auto current_surface_id = surface_id_;
   surface_id_ = surface_id;
+  paint_holding_timer_.Stop();
 
   surface_layer_ = cc::SurfaceLayer::Create();
   surface_layer_->SetMasksToBounds(true);
@@ -59,10 +65,12 @@ void ChildFrameCompositingHelper::SetSurfaceId(
 
   // If we're synchronizing surfaces, then use an infinite deadline to ensure
   // everything is synchronized.
-  cc::DeadlinePolicy deadline = capture_sequence_number_changed
-                                    ? cc::DeadlinePolicy::UseInfiniteDeadline()
-                                    : cc::DeadlinePolicy::UseDefaultDeadline();
+  cc::DeadlinePolicy deadline =
+      capture_sequence_number_changed == CaptureSequenceNumberChanged::kYes
+          ? cc::DeadlinePolicy::UseInfiniteDeadline()
+          : cc::DeadlinePolicy::UseDefaultDeadline();
   surface_layer_->SetSurfaceId(surface_id, deadline);
+  MaybeSetUpPaintHolding(current_surface_id, allow_paint_holding);
 
   // TODO(lfg): Investigate if it's possible to propagate the information
   // about the child surface's opacity. https://crbug.com/629851.
@@ -72,6 +80,33 @@ void ChildFrameCompositingHelper::SetSurfaceId(
   UpdateVisibility(true);
 }
 
+void ChildFrameCompositingHelper::MaybeSetUpPaintHolding(
+    const viz::SurfaceId& fallback_id,
+    AllowPaintHolding allow_paint_holding) {
+  if (!RuntimeEnabledFeatures::PaintHoldingForIframesEnabled()) {
+    return;
+  }
+
+  if (fallback_id.is_valid() &&
+      allow_paint_holding == AllowPaintHolding::kYes) {
+    surface_layer_->SetOldestAcceptableFallback(fallback_id);
+
+    paint_holding_timer_.Start(
+        FROM_HERE, kNewContentRenderingDelay,
+        WTF::BindOnce(&ChildFrameCompositingHelper::PaintHoldingTimerFired,
+                      base::Unretained(this)));
+  } else {
+    surface_layer_->SetOldestAcceptableFallback(viz::SurfaceId());
+  }
+}
+
+void ChildFrameCompositingHelper::PaintHoldingTimerFired() {
+  CHECK(RuntimeEnabledFeatures::PaintHoldingForIframesEnabled());
+  if (surface_layer_) {
+    surface_layer_->SetOldestAcceptableFallback(viz::SurfaceId());
+  }
+}
+
 void ChildFrameCompositingHelper::UpdateVisibility(bool visible) {
   const scoped_refptr<cc::Layer>& layer = child_frame_compositor_->GetCcLayer();
   if (layer) {

chromium/third_party/blink/renderer/core/frame/child_frame_compositing_helper.h

@@ -7,6 +7,7 @@
 
 #include <stdint.h>
 
+#include "base/timer/timer.h"
 #include "cc/layers/content_layer_client.h"
 #include "cc/layers/surface_layer.h"
 #include "components/viz/common/surfaces/surface_id.h"
@@ -29,8 +30,12 @@ class CORE_EXPORT ChildFrameCompositingHelper : public cc::ContentLayerClient {
       delete;
   ~ChildFrameCompositingHelper() override;
 
-  void SetSurfaceId(const viz::SurfaceId& surface_id,
-                    bool capture_sequence_number_changed);
+  enum class CaptureSequenceNumberChanged { kYes, kNo };
+  enum class AllowPaintHolding { kYes, kNo };
+  void SetSurfaceId(
+      const viz::SurfaceId& surface_id,
+      CaptureSequenceNumberChanged capture_sequence_number_changed,
+      AllowPaintHolding allow_paint_holding);
   void UpdateVisibility(bool visible);
   void ChildFrameGone(float device_scale_factor);
 
@@ -43,10 +48,15 @@ class CORE_EXPORT ChildFrameCompositingHelper : public cc::ContentLayerClient {
   scoped_refptr<cc::DisplayItemList> PaintContentsToDisplayList() override;
   bool FillsBoundsCompletely() const override;
 
+  void MaybeSetUpPaintHolding(const viz::SurfaceId& fallback_id,
+                              AllowPaintHolding allow_paint_holding);
+  void PaintHoldingTimerFired();
+
   ChildFrameCompositor* const child_frame_compositor_;
   viz::SurfaceId surface_id_;
   scoped_refptr<cc::SurfaceLayer> surface_layer_;
   scoped_refptr<cc::PictureLayer> crash_ui_layer_;
+  base::OneShotTimer paint_holding_timer_;
   float device_scale_factor_ = 1.f;
 };