feat: route deprecated sync clipboard read through permission checks (#45471)

* feat: route deprecated clipboard commands through permission checks Co-authored-by: deepak1556 <hop2deep@gmail.com> * docs: address review feedback Co-authored-by: deepak1556 <hop2deep@gmail.com> * fix: enable checks for child windows Co-authored-by: deepak1556 <hop2deep@gmail.com> --------- Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com> Co-authored-by: deepak1556 <hop2deep@gmail.com>
2025-02-05 14:10:43 -05:00 · 2025-02-05 14:10:43 -05:00 · 46c9ed61da
commit 46c9ed61da
parent 51170c3652
30 changed files with 441 additions and 35 deletions
--- a/shell/browser/api/electron_api_service_worker_main.cc
+++ b/shell/browser/api/electron_api_service_worker_main.cc
@ -13,13 +13,13 @@
 #include "base/no_destructor.h"
 #include "content/browser/service_worker/service_worker_context_wrapper.h"  // nogncheck
 #include "content/browser/service_worker/service_worker_version.h"  // nogncheck
-#include "electron/shell/common/api/api.mojom.h"
 #include "gin/handle.h"
 #include "gin/object_template_builder.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
 #include "shell/browser/api/message_port.h"
 #include "shell/browser/browser.h"
 #include "shell/browser/javascript_environment.h"
+#include "shell/common/api/api.mojom.h"
 #include "shell/common/gin_converters/blink_converter.h"
 #include "shell/common/gin_converters/gurl_converter.h"
 #include "shell/common/gin_converters/value_converter.h"
--- a/shell/browser/api/electron_api_web_contents.cc
+++ b/shell/browser/api/electron_api_web_contents.cc
@ -70,7 +70,6 @@
 #include "content/public/common/webplugininfo.h"
 #include "electron/buildflags/buildflags.h"
 #include "electron/mas.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "gin/arguments.h"
 #include "gin/data_object_builder.h"
 #include "gin/handle.h"
@ -110,6 +109,7 @@
 #include "shell/browser/web_contents_zoom_controller.h"
 #include "shell/browser/web_view_guest_delegate.h"
 #include "shell/browser/web_view_manager.h"
+#include "shell/common/api/api.mojom.h"
 #include "shell/common/api/electron_api_native_image.h"
 #include "shell/common/api/electron_bindings.h"
 #include "shell/common/color_util.h"
--- a/shell/browser/api/electron_api_web_contents.h
+++ b/shell/browser/api/electron_api_web_contents.h
@ -31,7 +31,6 @@
 #include "content/public/browser/web_contents_delegate.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "electron/buildflags/buildflags.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "gin/handle.h"
 #include "gin/wrappable.h"
 #include "printing/buildflags/buildflags.h"
@ -43,9 +42,11 @@
 #include "shell/browser/preload_script.h"
 #include "shell/browser/ui/inspectable_web_contents_delegate.h"
 #include "shell/browser/ui/inspectable_web_contents_view_delegate.h"
+#include "shell/common/api/api.mojom.h"
 #include "shell/common/gin_helper/cleaned_up_at_exit.h"
 #include "shell/common/gin_helper/constructible.h"
 #include "shell/common/gin_helper/pinnable.h"
+#include "shell/common/web_contents_utility.mojom.h"
 #include "ui/base/models/image_model.h"

 #if BUILDFLAG(ENABLE_ELECTRON_EXTENSIONS)
--- a/shell/browser/api/electron_api_web_frame_main.cc
+++ b/shell/browser/api/electron_api_web_frame_main.cc
@ -17,13 +17,13 @@
 #include "content/public/browser/frame_tree_node_id.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/common/isolated_world_ids.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "gin/handle.h"
 #include "gin/object_template_builder.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
 #include "shell/browser/api/message_port.h"
 #include "shell/browser/browser.h"
 #include "shell/browser/javascript_environment.h"
+#include "shell/common/api/api.mojom.h"
 #include "shell/common/gin_converters/blink_converter.h"
 #include "shell/common/gin_converters/frame_converter.h"
 #include "shell/common/gin_converters/gurl_converter.h"
--- a/shell/browser/electron_api_ipc_handler_impl.h
+++ b/shell/browser/electron_api_ipc_handler_impl.h
@ -10,9 +10,9 @@
 #include "base/memory/weak_ptr.h"
 #include "content/public/browser/global_routing_id.h"
 #include "content/public/browser/web_contents_observer.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "mojo/public/cpp/bindings/associated_receiver.h"
 #include "shell/browser/api/electron_api_web_contents.h"
+#include "shell/common/api/api.mojom.h"

 namespace content {
 class RenderFrameHost;
--- a/shell/browser/electron_browser_client.cc
+++ b/shell/browser/electron_browser_client.cc
@ -53,7 +53,6 @@
 #include "crypto/crypto_buildflags.h"
 #include "electron/buildflags/buildflags.h"
 #include "electron/fuses.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "extensions/browser/extension_navigation_ui_data.h"
 #include "extensions/common/extension_id.h"
 #include "mojo/public/cpp/bindings/binder_map.h"
@ -117,6 +116,7 @@
 #include "shell/common/platform_util.h"
 #include "shell/common/plugin.mojom.h"
 #include "shell/common/thread_restrictions.h"
+#include "shell/common/web_contents_utility.mojom.h"
 #include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h"
 #include "third_party/blink/public/common/loader/url_loader_throttle.h"
 #include "third_party/blink/public/common/renderer_preferences/renderer_preferences.h"
--- a/shell/browser/electron_permission_manager.cc
+++ b/shell/browser/electron_permission_manager.cc
@ -298,8 +298,13 @@ bool ElectronPermissionManager::CheckPermissionWithDetails(
    content::RenderFrameHost* render_frame_host,
    const GURL& requesting_origin,
    base::Value::Dict details) const {
-  if (check_handler_.is_null())
-    return true;
+  if (check_handler_.is_null()) {
+    if (permission == blink::PermissionType::DEPRECATED_SYNC_CLIPBOARD_READ) {
+      return false;
+    } else {
+      return true;
+    }
+  }

  auto* web_contents =
      render_frame_host
--- a/shell/browser/electron_web_contents_utility_handler_impl.cc
+++ b/shell/browser/electron_web_contents_utility_handler_impl.cc
@ -6,15 +6,19 @@

 #include <utility>

+#include "content/public/browser/browser_context.h"
+#include "content/public/browser/permission_controller.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "mojo/public/cpp/bindings/self_owned_receiver.h"
+#include "shell/browser/web_contents_permission_helper.h"
+#include "third_party/blink/public/mojom/permissions/permission_status.mojom.h"

 namespace electron {
 ElectronWebContentsUtilityHandlerImpl::ElectronWebContentsUtilityHandlerImpl(
    content::RenderFrameHost* frame_host,
    mojo::PendingAssociatedReceiver<mojom::ElectronWebContentsUtility> receiver)
-    : render_frame_host_id_(frame_host->GetGlobalId()) {
+    : render_frame_host_token_(frame_host->GetGlobalFrameToken()) {
  content::WebContents* web_contents =
      content::WebContents::FromRenderFrameHost(frame_host);
  DCHECK(web_contents);
@ -28,8 +32,11 @@ ElectronWebContentsUtilityHandlerImpl::ElectronWebContentsUtilityHandlerImpl(
 ElectronWebContentsUtilityHandlerImpl::
    ~ElectronWebContentsUtilityHandlerImpl() = default;

-void ElectronWebContentsUtilityHandlerImpl::WebContentsDestroyed() {
-  delete this;
+void ElectronWebContentsUtilityHandlerImpl::RenderFrameDeleted(
+    content::RenderFrameHost* render_frame_host) {
+  if (render_frame_host->GetGlobalFrameToken() == render_frame_host_token_) {
+    delete this;
+  }
 }

 void ElectronWebContentsUtilityHandlerImpl::OnConnectionError() {
@ -59,9 +66,42 @@ void ElectronWebContentsUtilityHandlerImpl::DoGetZoomLevel(
  }
 }

+void ElectronWebContentsUtilityHandlerImpl::CanAccessClipboardDeprecated(
+    mojom::PermissionName name,
+    const blink::LocalFrameToken& frame_token,
+    CanAccessClipboardDeprecatedCallback callback) {
+  if (render_frame_host_token_.frame_token == frame_token) {
+    // Paste requires either (1) user activation, ...
+    if (web_contents()->HasRecentInteraction()) {
+      std::move(callback).Run(blink::mojom::PermissionStatus::GRANTED);
+      return;
+    }
+
+    // (2) granted permission, ...
+    content::RenderFrameHost* render_frame_host = GetRenderFrameHost();
+    content::BrowserContext* browser_context =
+        render_frame_host->GetBrowserContext();
+    content::PermissionController* permission_controller =
+        browser_context->GetPermissionController();
+    blink::PermissionType permission;
+    if (name == mojom::PermissionName::DEPRECATED_SYNC_CLIPBOARD_READ) {
+      permission = blink::PermissionType::DEPRECATED_SYNC_CLIPBOARD_READ;
+    } else {
+      std::move(callback).Run(blink::mojom::PermissionStatus::DENIED);
+      return;
+    }
+    blink::mojom::PermissionStatus status =
+        permission_controller->GetPermissionStatusForCurrentDocument(
+            permission, render_frame_host);
+    std::move(callback).Run(status);
+  } else {
+    std::move(callback).Run(blink::mojom::PermissionStatus::DENIED);
+  }
+}
+
 content::RenderFrameHost*
 ElectronWebContentsUtilityHandlerImpl::GetRenderFrameHost() {
-  return content::RenderFrameHost::FromID(render_frame_host_id_);
+  return content::RenderFrameHost::FromFrameToken(render_frame_host_token_);
 }

 // static
--- a/shell/browser/electron_web_contents_utility_handler_impl.h
+++ b/shell/browser/electron_web_contents_utility_handler_impl.h
@ -10,7 +10,7 @@
 #include "base/memory/weak_ptr.h"
 #include "content/public/browser/global_routing_id.h"
 #include "content/public/browser/web_contents_observer.h"
-#include "electron/shell/common/api/api.mojom.h"
+#include "electron/shell/common/web_contents_utility.mojom.h"
 #include "mojo/public/cpp/bindings/associated_receiver.h"
 #include "shell/browser/api/electron_api_web_contents.h"

@ -43,6 +43,10 @@ class ElectronWebContentsUtilityHandlerImpl
  void OnFirstNonEmptyLayout() override;
  void SetTemporaryZoomLevel(double level) override;
  void DoGetZoomLevel(DoGetZoomLevelCallback callback) override;
+  void CanAccessClipboardDeprecated(
+      mojom::PermissionName name,
+      const blink::LocalFrameToken& frame_token,
+      CanAccessClipboardDeprecatedCallback callback) override;

  base::WeakPtr<ElectronWebContentsUtilityHandlerImpl> GetWeakPtr() {
    return weak_factory_.GetWeakPtr();
@ -52,13 +56,13 @@ class ElectronWebContentsUtilityHandlerImpl
  ~ElectronWebContentsUtilityHandlerImpl() override;

  // content::WebContentsObserver:
-  void WebContentsDestroyed() override;
+  void RenderFrameDeleted(content::RenderFrameHost* render_frame_host) override;

  void OnConnectionError();

  content::RenderFrameHost* GetRenderFrameHost();

-  content::GlobalRenderFrameHostId render_frame_host_id_;
+  content::GlobalRenderFrameHostToken render_frame_host_token_;

  mojo::AssociatedReceiver<mojom::ElectronWebContentsUtility> receiver_{this};

--- a/shell/browser/web_contents_permission_helper.h
+++ b/shell/browser/web_contents_permission_helper.h
@ -32,7 +32,7 @@ class WebContentsPermissionHelper
    HID,
    USB,
    KEYBOARD_LOCK,
-    FILE_SYSTEM
+    FILE_SYSTEM,
  };

  // Asynchronous Requests
--- a/shell/browser/web_contents_preferences.cc
+++ b/shell/browser/web_contents_preferences.cc
@ -148,6 +148,7 @@ void WebContentsPreferences::Clear() {
      blink::mojom::ImageAnimationPolicy::kImageAnimationPolicyAllowed;
  preload_path_ = std::nullopt;
  v8_cache_options_ = blink::mojom::V8CacheOptions::kDefault;
+  deprecated_paste_enabled_ = false;

 #if BUILDFLAG(IS_MAC)
  scroll_bounce_ = false;
@ -245,6 +246,9 @@ void WebContentsPreferences::SetFromDictionary(

  web_preferences.Get("v8CacheOptions", &v8_cache_options_);

+  web_preferences.Get(options::kEnableDeprecatedPaste,
+                      &deprecated_paste_enabled_);
+
 #if BUILDFLAG(IS_MAC)
  web_preferences.Get(options::kScrollBounce, &scroll_bounce_);
 #endif
@ -472,6 +476,8 @@ void WebContentsPreferences::OverrideWebkitPrefs(
  prefs->webview_tag = webview_tag_;

  prefs->v8_cache_options = v8_cache_options_;
+
+  prefs->dom_paste_enabled = deprecated_paste_enabled_;
 }

 WEB_CONTENTS_USER_DATA_KEY_IMPL(WebContentsPreferences);
--- a/shell/browser/web_contents_preferences.h
+++ b/shell/browser/web_contents_preferences.h
@ -133,6 +133,7 @@ class WebContentsPreferences
  blink::mojom::ImageAnimationPolicy image_animation_policy_;
  std::optional<base::FilePath> preload_path_;
  blink::mojom::V8CacheOptions v8_cache_options_;
+  bool deprecated_paste_enabled_ = false;

 #if BUILDFLAG(IS_MAC)
  bool scroll_bounce_;
--- a/shell/common/BUILD.gn
+++ b/shell/common/BUILD.gn
@ -26,3 +26,16 @@ mojom("plugin") {
    "//mojo/public/mojom/base",
  ]
 }
+
+mojom("web_contents_utility") {
+  # We don't want Blink variants of these bindings to be generated.
+  disable_variants = true
+
+  sources = [ "web_contents_utility.mojom" ]
+
+  public_deps = [
+    "//content/public/common:interfaces",
+    "//third_party/blink/public/mojom/tokens",
+    "//url/mojom:url_mojom_origin",
+  ]
+}
--- a/shell/common/api/api.mojom
+++ b/shell/common/api/api.mojom
@ -25,17 +25,6 @@ interface ElectronAutofillDriver {
  HideAutofillPopup();
 };

-interface ElectronWebContentsUtility {
-  // Informs underlying WebContents that first non-empty layout was performed
-  // by compositor.
-  OnFirstNonEmptyLayout();
-
-  SetTemporaryZoomLevel(double zoom_level);
-
-  [Sync]
-  DoGetZoomLevel() => (double result);
-};
-
 interface ElectronApiIPC {
  // Emits an event on |channel| from the ipcMain JavaScript object in the main
  // process.
--- a/shell/common/gin_converters/content_converter.cc
+++ b/shell/common/gin_converters/content_converter.cc
@ -226,6 +226,8 @@ v8::Local<v8::Value> Converter<blink::PermissionType>::ToV8(
      return StringToV8(isolate, "speaker-selection");
    case blink::PermissionType::WEB_APP_INSTALLATION:
      return StringToV8(isolate, "web-app-installation");
+    case blink::PermissionType::DEPRECATED_SYNC_CLIPBOARD_READ:
+      return StringToV8(isolate, "deprecated-sync-clipboard-read");
    case blink::PermissionType::NUM:
      break;
  }
--- a/shell/common/options_switches.h
+++ b/shell/common/options_switches.h
@ -205,6 +205,11 @@ inline constexpr std::string_view kEnablePreferredSizeMode =
 inline constexpr std::string_view kHiddenPage = "hiddenPage";

 inline constexpr std::string_view kSpellcheck = "spellcheck";
+
+// Enables the permission managed support for
+// document.execCommand("paste").
+inline constexpr std::string_view kEnableDeprecatedPaste =
+    "enableDeprecatedPaste";
 }  // namespace options

 // Following are actually command line switches, should be moved to other files.
--- a/shell/common/web_contents_utility.mojom
+++ b/shell/common/web_contents_utility.mojom
@ -0,0 +1,25 @@
+module electron.mojom;
+
+import "third_party/blink/public/mojom/permissions/permission_status.mojom";
+import "third_party/blink/public/mojom/tokens/tokens.mojom";
+import "url/mojom/origin.mojom";
+
+enum PermissionName {
+  DEPRECATED_SYNC_CLIPBOARD_READ,
+};
+
+interface ElectronWebContentsUtility {
+  // Informs underlying WebContents that first non-empty layout was performed
+  // by compositor.
+  OnFirstNonEmptyLayout();
+
+  SetTemporaryZoomLevel(double zoom_level);
+
+  [Sync]
+  DoGetZoomLevel() => (double result);
+
+  [Sync]
+  CanAccessClipboardDeprecated(
+      PermissionName name,
+      blink.mojom.LocalFrameToken frame_token) => (blink.mojom.PermissionStatus status);
+};
--- a/shell/renderer/api/electron_api_web_frame.cc
+++ b/shell/renderer/api/electron_api_web_frame.cc
@ -31,6 +31,7 @@
 #include "shell/common/gin_helper/promise.h"
 #include "shell/common/node_includes.h"
 #include "shell/common/options_switches.h"
+#include "shell/common/web_contents_utility.mojom.h"
 #include "shell/renderer/api/context_bridge/object_cache.h"
 #include "shell/renderer/api/electron_api_context_bridge.h"
 #include "shell/renderer/api/electron_api_spell_check_client.h"
--- a/shell/renderer/content_settings_observer.cc
+++ b/shell/renderer/content_settings_observer.cc
@ -6,10 +6,12 @@

 #include "content/public/renderer/render_frame.h"
 #include "shell/common/options_switches.h"
+#include "third_party/blink/public/common/associated_interfaces/associated_interface_provider.h"
 #include "third_party/blink/public/common/web_preferences/web_preferences.h"
 #include "third_party/blink/public/platform/url_conversion.h"
 #include "third_party/blink/public/platform/web_security_origin.h"
 #include "third_party/blink/public/web/web_local_frame.h"
+#include "third_party/blink/public/web/web_view.h"

 namespace electron {

@ -21,6 +23,15 @@ ContentSettingsObserver::ContentSettingsObserver(

 ContentSettingsObserver::~ContentSettingsObserver() = default;

+mojom::ElectronWebContentsUtility&
+ContentSettingsObserver::GetWebContentsUtility() {
+  if (!web_contents_utility_) {
+    render_frame()->GetRemoteAssociatedInterfaces()->GetInterface(
+        &web_contents_utility_);
+  }
+  return *web_contents_utility_;
+}
+
 bool ContentSettingsObserver::AllowStorageAccessSync(StorageType storage_type) {
  blink::WebFrame* frame = render_frame()->GetWebFrame();
  if (frame->GetSecurityOrigin().IsOpaque() ||
@ -32,6 +43,20 @@ bool ContentSettingsObserver::AllowStorageAccessSync(StorageType storage_type) {
  return true;
 }

+bool ContentSettingsObserver::AllowReadFromClipboardSync() {
+  blink::WebLocalFrame* frame = render_frame()->GetWebFrame();
+  if (frame->View()->GetWebPreferences().dom_paste_enabled) {
+    blink::mojom::PermissionStatus status{
+        blink::mojom::PermissionStatus::DENIED};
+    GetWebContentsUtility().CanAccessClipboardDeprecated(
+        mojom::PermissionName::DEPRECATED_SYNC_CLIPBOARD_READ,
+        frame->GetLocalFrameToken(), &status);
+    return status == blink::mojom::PermissionStatus::GRANTED;
+  } else {
+    return false;
+  }
+}
+
 void ContentSettingsObserver::OnDestruct() {
  delete this;
 }
--- a/shell/renderer/content_settings_observer.h
+++ b/shell/renderer/content_settings_observer.h
@ -6,7 +6,10 @@
 #define ELECTRON_SHELL_RENDERER_CONTENT_SETTINGS_OBSERVER_H_

 #include "content/public/renderer/render_frame_observer.h"
+#include "mojo/public/cpp/bindings/associated_remote.h"
+#include "shell/common/web_contents_utility.mojom.h"
 #include "third_party/blink/public/platform/web_content_settings_client.h"
+#include "url/origin.h"

 namespace electron {

@ -22,10 +25,17 @@ class ContentSettingsObserver : public content::RenderFrameObserver,

  // blink::WebContentSettingsClient implementation.
  bool AllowStorageAccessSync(StorageType storage_type) override;
+  bool AllowReadFromClipboardSync() override;

 private:
  // content::RenderFrameObserver implementation.
  void OnDestruct() override;
+
+  // A getter for `content_settings_manager_` that ensures it is bound.
+  mojom::ElectronWebContentsUtility& GetWebContentsUtility();
+
+  mojo::AssociatedRemote<mojom::ElectronWebContentsUtility>
+      web_contents_utility_;
 };

 }  // namespace electron
--- a/shell/renderer/electron_api_service_impl.h
+++ b/shell/renderer/electron_api_service_impl.h
@ -10,9 +10,9 @@
 #include "base/memory/weak_ptr.h"
 #include "content/public/renderer/render_frame.h"
 #include "content/public/renderer/render_frame_observer.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "mojo/public/cpp/bindings/pending_receiver.h"
 #include "mojo/public/cpp/bindings/receiver.h"
+#include "shell/common/api/api.mojom.h"

 namespace electron {

--- a/shell/renderer/electron_render_frame_observer.cc
+++ b/shell/renderer/electron_render_frame_observer.cc
@ -9,13 +9,14 @@
 #include "base/memory/ref_counted_memory.h"
 #include "base/trace_event/trace_event.h"
 #include "content/public/renderer/render_frame.h"
-#include "electron/shell/common/api/api.mojom.h"
 #include "ipc/ipc_message_macros.h"
 #include "net/base/net_module.h"
 #include "net/grit/net_resources.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
+#include "shell/common/api/api.mojom.h"
 #include "shell/common/gin_helper/microtasks_scope.h"
 #include "shell/common/options_switches.h"
+#include "shell/common/web_contents_utility.mojom.h"
 #include "shell/common/world_ids.h"
 #include "shell/renderer/renderer_client_base.h"
 #include "third_party/blink/public/common/associated_interfaces/associated_interface_provider.h"