[Backport] Dependency for CVE-2024-11116

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5381283:
view-transition: Add paint holding for same-origin cross-RFH navigations

For a same-origin navigation within the same RFH, there is no change in
the SurfaceID embedded by the parent frame. This means when the
navigation commits, redraws by the embedder display painted content from
the previous Document until the new Document is ready to render.

However for same-origin navigations which are cross-RFH, i.e. the default
path for RenderDocument, the SurfaceID embedded by the parent frame is
changed to point to the new RFH's FrameSinkId. This means there is a
flash of no content until the new Document paints.

Avoid the above by using the old Document's SurfaceID as a fallback with
a timeout. The approach is similar to the fallback Surface logic in the
browser process for main frame navigations.

R=rakina@chromium.org, vmpstr@chromium.org

Bug: 330920526
Change-Id: Iec7d0a3bc5b8d5d9191f935a8ea20c1f08f2cefd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5381283
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Auto-Submit: Khushal Sagar <khushalsagar@chromium.org>
Commit-Queue: Khushal Sagar <khushalsagar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1292531}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/604271
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/607612

Author: khushalsagar

chromium/content/browser/renderer_host/cross_process_frame_connector.cc

@@ -60,10 +60,11 @@ CrossProcessFrameConnector::~CrossProcessFrameConnector() {
   }
 
   // Notify the view of this object being destroyed, if the view still exists.
-  SetView(nullptr);
+  SetView(nullptr, /*allow_paint_holding=*/false);
 }
 
-void CrossProcessFrameConnector::SetView(RenderWidgetHostViewChildFrame* view) {
+void CrossProcessFrameConnector::SetView(RenderWidgetHostViewChildFrame* view,
+                                         bool allow_paint_holding) {
   // Detach ourselves from the previous |view_|.
   if (view_) {
     RenderWidgetHostViewBase* root_view = GetRootRenderWidgetHostView();
@@ -110,7 +111,7 @@ void CrossProcessFrameConnector::SetView(RenderWidgetHostViewChildFrame* view) {
     if (frame_proxy_in_parent_renderer_ &&
         frame_proxy_in_parent_renderer_->is_render_frame_proxy_live()) {
       frame_proxy_in_parent_renderer_->GetAssociatedRemoteFrame()
-          ->SetFrameSinkId(view_->GetFrameSinkId());
+          ->SetFrameSinkId(view_->GetFrameSinkId(), allow_paint_holding);
     }
   }
 }

chromium/content/browser/renderer_host/cross_process_frame_connector.h

@@ -100,7 +100,7 @@ class CONTENT_EXPORT CrossProcessFrameConnector {
   // above.
   RenderWidgetHostViewChildFrame* get_view_for_testing() { return view_; }
 
-  void SetView(RenderWidgetHostViewChildFrame* view);
+  void SetView(RenderWidgetHostViewChildFrame* view, bool allow_paint_holding);
 
   // Returns the parent RenderWidgetHostView or nullptr if it doesn't have one.
   virtual RenderWidgetHostViewBase* GetParentRenderWidgetHostView();

chromium/content/browser/renderer_host/navigator.cc

@@ -516,6 +516,10 @@ void Navigator::DidNavigate(
   // Store this information before DidNavigateFrame() potentially swaps RFHs.
   url::Origin old_frame_origin = old_frame_host->GetLastCommittedOrigin();
 
+  // Only allow paint holding for same-origin navigations.
+  const bool allow_subframe_paint_holding =
+      old_frame_origin.IsSameOriginWith(params.origin);
+
   // DidNavigateFrame() must be called before replicating the new origin and
   // other properties to proxies.  This is because it destroys the subframes of
   // the frame we're navigating from, which might trigger those subframes to
@@ -526,7 +530,8 @@ void Navigator::DidNavigate(
       was_within_same_document,
       navigation_request->browsing_context_group_swap()
           .ShouldClearProxiesOnCommit(),
-      navigation_request->commit_params().frame_policy);
+      navigation_request->commit_params().frame_policy,
+      allow_subframe_paint_holding);
 
   // The main frame, same site, and cross-site navigation checks for user
   // activation mirror the checks in DocumentLoader::CommitNavigation() (note:

chromium/content/browser/renderer_host/render_frame_host_impl.cc

@@ -8546,7 +8546,8 @@ void RenderFrameHostImpl::AdoptPortal(
                                        ->render_manager()
                                        ->GetRenderWidgetHostView()
                                        ->GetFrameSinkId();
-  proxy_host->GetAssociatedRemoteFrame()->SetFrameSinkId(frame_sink_id);
+  // generally disallow paint holding for security reasons
+  proxy_host->GetAssociatedRemoteFrame()->SetFrameSinkId(frame_sink_id, /*allow_paint_holding*/ false);
 
   std::move(callback).Run(
       proxy_host->frame_tree_node()->current_replication_state().Clone(),

chromium/content/browser/renderer_host/render_frame_host_manager.cc

@@ -731,10 +731,11 @@ void RenderFrameHostManager::DidNavigateFrame(
     bool was_caused_by_user_gesture,
     bool is_same_document_navigation,
     bool clear_proxies_on_commit,
-    const blink::FramePolicy& frame_policy) {
+    const blink::FramePolicy& frame_policy,
+    bool allow_subframe_paint_holding) {
   CommitPendingIfNecessary(render_frame_host, was_caused_by_user_gesture,
-                           is_same_document_navigation,
-                           clear_proxies_on_commit);
+                           is_same_document_navigation, clear_proxies_on_commit,
+                           allow_subframe_paint_holding);
 
   // Make sure any dynamic changes to this frame's sandbox flags and permissions
   // policy that were made prior to navigation take effect.  This should only
@@ -770,7 +771,8 @@ void RenderFrameHostManager::CommitPendingIfNecessary(
     RenderFrameHostImpl* render_frame_host,
     bool was_caused_by_user_gesture,
     bool is_same_document_navigation,
-    bool clear_proxies_on_commit) {
+    bool clear_proxies_on_commit,
+    bool allow_subframe_paint_holding) {
   if (!speculative_render_frame_host_) {
     // There's no speculative RenderFrameHost so it must be that the current
     // RenderFrameHost completed a navigation.
@@ -784,7 +786,8 @@ void RenderFrameHostManager::CommitPendingIfNecessary(
   if (render_frame_host == speculative_render_frame_host_.get()) {
     // A cross-RenderFrameHost navigation completed, so show the new renderer.
     CommitPending(std::move(speculative_render_frame_host_),
-                  std::move(stored_page_to_restore_), clear_proxies_on_commit);
+                  std::move(stored_page_to_restore_), clear_proxies_on_commit,
+                  allow_subframe_paint_holding);
 
     if (GetNavigationQueueingFeatureLevel() >=
         NavigationQueueingFeatureLevel::kAvoidRedundantCancellations) {
@@ -1467,7 +1470,8 @@ void RenderFrameHostManager::PerformEarlyRenderFrameHostSwapIfNeeded(
 
   CommitPending(
       std::move(speculative_render_frame_host_), nullptr,
-      request->browsing_context_group_swap().ShouldClearProxiesOnCommit());
+      request->browsing_context_group_swap().ShouldClearProxiesOnCommit(),
+      /* allow_subframe_paint_holding */ false);
   request->SetAssociatedRFHType(
       NavigationRequest::AssociatedRenderFrameHostType::CURRENT);
 
@@ -4028,7 +4032,8 @@ void RenderFrameHostManager::SetRWHViewForInnerFrameTree(
     RenderWidgetHostViewChildFrame* child_rwhv) {
   DCHECK(IsMainFrameForInnerDelegate());
   DCHECK(GetProxyToOuterDelegate());
-  GetProxyToOuterDelegate()->SetChildRWHView(child_rwhv, nullptr);
+  GetProxyToOuterDelegate()->SetChildRWHView(child_rwhv, nullptr,
+                                             /*allow_paint_holding=*/false);
 }
 
 bool RenderFrameHostManager::InitRenderView(
@@ -4340,7 +4345,8 @@ RenderFrameHostManager::GetFrameTokenForSiteInstanceGroup(
 void RenderFrameHostManager::CommitPending(
     std::unique_ptr<RenderFrameHostImpl> pending_rfh,
     std::unique_ptr<StoredPage> pending_stored_page,
-    bool clear_proxies_on_commit) {
+    bool clear_proxies_on_commit,
+    bool allow_subframe_paint_holding) {
   TRACE_EVENT1("navigation", "RenderFrameHostManager::CommitPending",
                "FrameTreeNode id", frame_tree_node_->frame_tree_node_id());
   CHECK(pending_rfh);
@@ -4730,7 +4736,7 @@ void RenderFrameHostManager::CommitPending(
   if (proxy_to_parent_or_outer_delegate) {
     proxy_to_parent_or_outer_delegate->SetChildRWHView(
         static_cast<RenderWidgetHostViewChildFrame*>(new_view),
-        old_size ? &*old_size : nullptr);
+        old_size ? &*old_size : nullptr, allow_subframe_paint_holding);
   }
 
   if (render_frame_host_->is_local_root()) {
@@ -5136,8 +5142,10 @@ void RenderFrameHostManager::CreateNewFrameForInnerDelegateAttachIfNecessary() {
   // Swap in the speculative frame. It will later be replaced when
   // WebContents::AttachToOuterWebContentsFrame is called.
   speculative_render_frame_host_->SwapIn();
+
   CommitPending(std::move(speculative_render_frame_host_), nullptr,
-                false /* clear_proxies_on_commit */);
+                false /* clear_proxies_on_commit */,
+                /* allow_subframe_paint_holding */ false);
   NotifyPrepareForInnerDelegateAttachComplete(true /* success */);
 }
 

chromium/content/browser/renderer_host/render_frame_host_manager.h

@@ -322,7 +322,8 @@ class CONTENT_EXPORT RenderFrameHostManager {
                         bool was_caused_by_user_gesture,
                         bool is_same_document_navigation,
                         bool clear_proxies_on_commit,
-                        const blink::FramePolicy& frame_policy);
+                        const blink::FramePolicy& frame_policy,
+                        bool allow_subframe_paint_holding);
 
   // Called when this frame's opener is changed to the frame specified by
   // |opener_frame_token| in |source_site_instance_group|'s process.  This
@@ -971,15 +972,19 @@ class CONTENT_EXPORT RenderFrameHostManager {
   // |clear_proxies_on_commit| Indicates if the proxies and opener must be
   // removed during the commit. This can happen following some BrowsingInstance
   // swaps, such as those for COOP.
+  // |allow_subframe_paint_holding| Indicates that paint holding is allowed if
+  // this is a subframe navigation.
   void CommitPending(std::unique_ptr<RenderFrameHostImpl> pending_rfh,
                      std::unique_ptr<StoredPage> pending_stored_page,
-                     bool clear_proxies_on_commit);
+                     bool clear_proxies_on_commit,
+                     bool allow_subframe_paint_holding);
 
   // Helper to call CommitPending() in all necessary cases.
   void CommitPendingIfNecessary(RenderFrameHostImpl* render_frame_host,
                                 bool was_caused_by_user_gesture,
                                 bool is_same_document_navigation,
-                                bool clear_proxies_on_commit);
+                                bool clear_proxies_on_commit,
+                                bool allow_subframe_paint_holding);
 
   // Runs the unload handler in the old RenderFrameHost, after the new
   // RenderFrameHost has committed.  |old_render_frame_host| will either be

chromium/content/browser/renderer_host/render_frame_proxy_host.cc

@@ -192,10 +192,10 @@ RenderFrameProxyHost::~RenderFrameProxyHost() {
   TRACE_EVENT_END("navigation", perfetto::Track::FromPointer(this));
 }
 
-void RenderFrameProxyHost::SetChildRWHView(
-    RenderWidgetHostViewChildFrame* view,
-    const gfx::Size* initial_frame_size) {
-  cross_process_frame_connector_->SetView(view);
+void RenderFrameProxyHost::SetChildRWHView(RenderWidgetHostViewChildFrame* view,
+                                           const gfx::Size* initial_frame_size,
+                                           bool allow_paint_holding) {
+  cross_process_frame_connector_->SetView(view, allow_paint_holding);
   if (initial_frame_size)
     cross_process_frame_connector_->SetLocalFrameSize(*initial_frame_size);
 }

chromium/content/browser/renderer_host/render_frame_proxy_host.h

@@ -164,7 +164,8 @@ class CONTENT_EXPORT RenderFrameProxyHost
   // receives its size from the parent via FrameHostMsg_UpdateResizeParams
   // before it begins parsing the content.
   void SetChildRWHView(RenderWidgetHostViewChildFrame* view,
-                       const gfx::Size* initial_frame_size);
+                       const gfx::Size* initial_frame_size,
+                       bool allow_paint_holding);
 
   RenderViewHostImpl* GetRenderViewHost();
 

chromium/content/browser/renderer_host/render_widget_host_impl.cc

@@ -117,6 +117,7 @@
 #include "third_party/blink/public/common/input/synthetic_web_input_event_builders.h"
 #include "third_party/blink/public/common/storage_key/storage_key.h"
 #include "third_party/blink/public/common/web_preferences/web_preferences.h"
+#include "third_party/blink/public/common/widget/constants.h"
 #include "third_party/blink/public/common/widget/visual_properties.h"
 #include "third_party/blink/public/mojom/drag/drag.mojom.h"
 #include "third_party/blink/public/mojom/frame/intrinsic_sizing_info.mojom.h"
@@ -165,10 +166,6 @@ using blink::WebMouseWheelEvent;
 namespace content {
 namespace {
 
-// How long to wait for newly loaded content to send a compositor frame
-// before clearing previously displayed graphics.
-constexpr base::TimeDelta kNewContentRenderingDelay = base::Seconds(4);
-
 constexpr gfx::Rect kInvalidScreenRect(std::numeric_limits<int>::max(),
                                        std::numeric_limits<int>::max(),
                                        0,
@@ -438,7 +435,7 @@ RenderWidgetHostImpl::RenderWidgetHostImpl(
               switches::kDisableHangMonitor)),
       latency_tracker_(delegate_),
       hung_renderer_delay_(kHungRendererDelay),
-      new_content_rendering_delay_(kNewContentRenderingDelay),
+      new_content_rendering_delay_(blink::kNewContentRenderingDelay),
       frame_token_message_queue_(std::move(frame_token_message_queue)),
       render_frame_metadata_provider_(
 #if BUILDFLAG(IS_MAC)

chromium/content/browser/renderer_host/render_widget_host_view_child_frame.cc

@@ -406,7 +406,7 @@ void RenderWidgetHostViewChildFrame::Destroy() {
   // have already been cleared when RenderWidgetHostViewBase notified its
   // observers of our impending destruction.
   if (frame_connector_) {
-    frame_connector_->SetView(nullptr);
+    frame_connector_->SetView(nullptr, /*allow_paint_holding=*/false);
     SetFrameConnector(nullptr);
   }