blink_frame.md

Blink Frame Security Analysis

This document analyzes security considerations related to Blink frames, focusing on LocalFrame and RemoteFrame implementations, view transitions, lifecycle updates, and the visual representation of local frames. Key files include LocalFrame.cpp, RemoteFrame.cpp, and local_frame_view.cc.

Potential Vulnerabilities

• Layout and Rendering: Vulnerabilities in frame layout and rendering could lead to UI spoofing, data leakage, or denial-of-service attacks. The handling of frame sizes, positions, and visual updates, especially within the LocalFrameView class, should be carefully reviewed. Improper handling of layout and rendering could allow malicious websites to manipulate the visual presentation of content, potentially misleading users or causing crashes.
• Navigation and History: Flaws in frame navigation and history management could allow browsing history manipulation, redirects to unintended destinations, or security bypasses. The interaction between frames, the navigation controller, and the handling of URL fragments is critical for security.
• Cross-Origin Issues: Frames loading content from different origins introduce cross-origin vulnerabilities if not handled securely. The handling of CORS and other cross-origin security mechanisms, especially within the LocalFrameView and its interaction with cross-origin frames, should be reviewed.
• Lifecycle Management: Improper handling of frame lifecycle events, especially during frame creation, destruction, and navigation, could lead to vulnerabilities. The LocalFrameView's handling of lifecycle updates, including throttling and invalidation, is a critical area for analysis.
• Input Handling: Vulnerabilities in frame input handling could allow malicious websites to inject or spoof input events. The interaction between frames and the input event router should be reviewed. The LocalFrameView's handling of input events and coordinate transformations is crucial for security.
• Accessibility: Frames can expose accessibility information, potentially leading to data leakage. The interaction between frames and the accessibility tree should be analyzed. The LocalFrameView's accessibility-related functions should be reviewed.
• Visual Viewport: The visual viewport can be manipulated by web pages, potentially leading to UI spoofing. The interaction between frames and the visual viewport, especially in the LocalFrameView, should be reviewed.
• Scroll Anchoring: Scroll anchoring can be manipulated, potentially leading to unexpected behavior. The handling of scroll anchors in LocalFrameView should be analyzed.
• Fullscreen Handling: Fullscreen handling in frames, especially with video elements, should be reviewed. The LocalFrameView's handling of fullscreen video elements is a key area for analysis.
• View Transition Security: View transitions can be complex and introduce vulnerabilities. The ViewTransition class and its interaction with frames, particularly in the LocalFrameView, should be analyzed.
• Resource Loading and Scheduling: Resource loading within frames can have security implications. The ResourceLoadScheduler and its interaction with frames should be reviewed. The LocalFrameView's handling of resource loading and throttling is important for security and performance.

Further Analysis and Potential Issues

LocalFrame (third_party/blink/renderer/core/frame/local_frame.cc), RemoteFrame (third_party/blink/renderer/core/frame/remote_frame.cc)

The LocalFrame and RemoteFrame classes are fundamental to Blink's frame implementation. LocalFrame handles frames within the current process, while RemoteFrame handles frames in a different process. Key areas to investigate include frame creation and destruction, navigation and history management, event handling and dispatch, interaction with the DOM and layout trees, and communication with the browser process. Security considerations include preventing unauthorized access to frame content, protecting against cross-origin attacks, and ensuring proper handling of frame lifecycle events. The interaction between local and remote frames, and the handling of cross-process communication, are critical for security. The LocalFrame's handling of document attachment and detachment, and the RemoteFrame's communication with the browser process, should be carefully reviewed.

Local Frame View (third_party/blink/renderer/core/frame/local_frame_view.cc)

The local_frame_view.cc file ($5,375 VRP payout) implements the LocalFrameView class. Key areas and functions to investigate include:

• Layout and Rendering (PerformLayout, UpdateLayout, AdjustViewSize, SetLayoutSize, SetLayoutSizeFixedToFrameSize, ViewportSizeChanged, DynamicViewportUnitsChanged, GetIntrinsicSizingInfo, HasIntrinsicSizingInfo, UpdateGeometry, FrameRectsChanged, PropagateFrameRects, PaintTree, Paint, PaintFrame, PrintPage, PaintOutsideOfLifecycle, GetPaintRecord, GetPaintArtifact, RootCcLayer, CreatePaintTimelineEvents, PushPaintArtifactToCompositor, AppendViewTransitionRequests, CompositedLayersAsJSON, SetBaseBackgroundColor, ShouldUseColorAdjustBackground, BaseBackgroundColor, UpdateBaseBackgroundColorRecursively, ShouldPaintBaseBackgroundColor, DocumentBackgroundColor, SetUseColorAdjustBackground, UpdateCanCompositeBackgroundAttachmentFixed, RequiresMainThreadScrollingForBackgroundAttachmentFixed, InvalidateBackgroundAttachmentFixedDescendantsOnScroll, AddBackgroundAttachmentFixedObject, RemoveBackgroundAttachmentFixedObject, SetNeedsPaintPropertyUpdate, SmallViewportSizeForViewportUnits, LargeViewportSizeForViewportUnits, ViewportSizeForMediaQueries, DynamicViewportSizeForViewportUnits, SetMediaType, MediaType, AdjustMediaTypeForPrinting, ShouldSetCursor, SetCursor, LogCursorSizeCounter): These handle layout, rendering, and painting. Review for UI spoofing, data leakage, DoS, and race conditions. The handling of frame sizes, viewport units, intrinsic sizing, and background colors is crucial.

• Navigation and URL Handling (ProcessUrlFragment, ConvertToRootFrame, ConvertFromRootFrame, MapToVisualRectInRemoteRootFrame, MapLocalToRemoteMainFrame, ViewportToFrame, FrameToViewport): These handle URL fragments and coordinate conversions. Review for URL manipulation, cross-origin navigation, and incorrect transformations.

• Lifecycle Management (Dispose, DidFirstLayout, LifecycleUpdatesActive, SetLifecycleUpdatesThrottledForTesting, Lifecycle, InvalidationDisallowed, RunPostLifecycleSteps, RunIntersectionObserverSteps, ForceUpdateViewportIntersections, UpdateAllLifecyclePhases, UpdateAllLifecyclePhasesForTest, UpdateLifecycleToCompositingInputsClean, UpdateAllLifecyclePhasesExceptPaint, DryRunPaintingForPrerender, UpdateLifecyclePhasesForPrinting, UpdateLifecycleToLayoutClean, InvalidationDisallowedScope, ScheduleVisualUpdateForVisualOverflowIfNeeded, ScheduleVisualUpdateForPaintInvalidationIfNeeded, IsUpdatingLifecycle, UpdateLifecyclePhases, UpdateLifecyclePhasesInternal, RunStyleAndLayoutLifecyclePhases, RunCompositingInputsLifecyclePhase, RunPrePaintLifecyclePhase, RunPaintLifecyclePhase, BeginLifecycleUpdates, WillDoPaintHoldingForFCP, WillBeRemovedFromFrame, DidAttachDocument, InitializeRootScroller, HandleLoadCompleted, AttachToLayout, DetachFromLayout, ParentVisibleChanged, SelfVisibleChanged, Show, Hide): These manage the frame view's lifecycle. Review for proper resource management, handling of asynchronous operations, and race conditions during lifecycle transitions.

• Input Handling (HitTestWithThrottlingAllowed, InputEventsScaleFactor): These handle hit testing and input event scaling. Review for input injection or spoofing vulnerabilities.

• Accessibility (RunAccessibilitySteps, ExistingAXObjectCache): These handle accessibility updates. Review for data leakage.

• Scroll Anchoring, Scrolling, and Viewport Management (InvokeFragmentAnchor, ClearFragmentAnchor, ScrollRectToVisibleInRemoteParent, VisualViewportSuppliesScrollbars, ViewportToDocument, DocumentToFrame, ConvertToContainingEmbeddedContentView, ConvertFromContainingEmbeddedContentView, AddScrollAnchoringScrollableArea, RemoveScrollAnchoringScrollableArea, AddAnimatingScrollableArea, RemoveAnimatingScrollableArea, AddUserScrollableArea, RemoveUserScrollableArea, ScrollableAreaWithElementId, GetScrollableArea, LayoutViewport, GetRootFrameViewport, DidChangeScrollOffset, DidStopFlinging, EnqueueScrollAnchoringAdjustment, DequeueScrollAnchoringAdjustment, PerformScrollAnchoringAdjustments, SetNeedsEnqueueScrollEvent, EnqueueScrollEvents, ShouldDeferLayoutSnap, EnqueueScrollSnapChangingFromImplIfNecessary, AddPendingSnapUpdate, RemovePendingSnapUpdate, ExecutePendingSnapUpdates): These handle scroll anchoring, scrolling, and viewport management. Review for scroll manipulation, viewport spoofing, and race conditions.

• Plugin and Embedded Content Management (ForAllChildViewsAndPlugins, ForAllChildLocalFrameViews, ForAllNonThrottledLocalFrameViews, ForAllThrottledLocalFrameViews, ForAllRemoteFrameViews, UpdatePlugins, UpdatePluginsTimerFired, FlushAnyPendingPostLayoutTasks, ScheduleUpdatePluginsIfNecessary, AddPlugin, RemovePlugin, UsesOverlayScrollbarsChanged, AddPartToUpdate, EmbeddedReplacedContent): These manage plugins and embedded content. Review for proper plugin lifecycle handling, secure plugin interaction, and prevention of plugin-related vulnerabilities.

• Other Functions and Interactions (CaretWidth, GetChromeClient, GetCompositorAnimationHost, GetScrollAnimationTimeline, SetLayoutOverflowSize, CountObjectsNeedingLayout, LayoutFromRootObject, ScheduleRelayout, ScheduleRelayoutOfSubtree, IsAncestorOfView, ScheduleVisualUpdate, RunPostLayoutIntersectionObserverSteps, ComputePostLayoutIntersections, ClearLayoutSubtreeRoot, ClearLayoutSubtreeRootsAndMarkContainingBlocks, CheckLayoutInvalidationIsAllowed, CheckDoesNotNeedLayout, NotifyPageThatContentAreaWillPaint, UpdateDocumentDraggableRegions, CollectDraggableRegions, UpdateViewportIntersection, DeliverSynchronousIntersectionObservations, SetIntersectionObservationState, UpdateIntersectionObservationStateOnScroll, SetVisualViewportOrOverlayNeedsRepaint, VisualViewportOrOverlayNeedsRepaintForTesting, SetPaintArtifactCompositorNeedsUpdate, GetPaintArtifactCompositor, EnsurePaintControllerPersistentData, CapturePaintPreview, PaintOutsideOfLifecycleWithThrottlingAllowed, PaintForTest, GetLayoutEmbeddedContent, LoadAllLazyLoadedIframes, SetNeedsUpdateGeometries, IsSelfVisible, IsParentVisible, SetParentVisible, SetSelfVisible, ParentFrameView, AddScrollScrollableArea, RemoveScrollScrollableArea, MainThreadScrollingReasonsAsText, RegisterTapEvent, GetUkmAggregator, ResetUkmAggregatorForTesting, OnFirstContentfulPaint, RegisterForLifecycleNotifications, UnregisterFromLifecycleNotifications, EnqueueStartOfLifecycleTask, NotifyVideoIsDominantVisibleStatus, HasDominantVideoElement, DisallowLayoutInvalidationScope, UpdatePaintDebugInfoEnabled, EnsureOverlayInterstitialAdDetector, EnsureStickyAdDetector, GetXROverlayLayer, SetCullRectNeedsUpdateForFrames, RunPaintBenchmark, EnsureDarkModeFilter, AddPendingTransformUpdate, RemovePendingTransformUpdate, AddPendingOpacityUpdate, RemovePendingOpacityUpdate, ExecuteAllPendingUpdates, RemoveAllPendingUpdates, AddPendingStickyUpdate, HasPendingStickyUpdate, ExecutePendingStickyUpdates, RemovePendingSnapUpdate, NotifyElementWithRememberedSizeDisconnected): These handle various other aspects of the frame view. Review for security implications, data leakage, and race conditions.

Areas Requiring Further Investigation:

• Layout and rendering security.
• Navigation and URL handling security.
• Lifecycle management security.
• Input handling security.
• Accessibility security.
• Visual viewport and scroll anchoring security.
• Fullscreen, view transitions, and resource loading security.
• Test the LocalFrameView thoroughly.

Secure Contexts and Blink Frames:

Blink frames should operate securely regardless of context.

Privacy Implications:

Frames can access and display sensitive information. Implementations should prioritize user privacy.

Additional Notes:

Files reviewed: LocalFrame.cpp, RemoteFrame.cpp, third_party/blink/renderer/core/frame/local_frame_view.cc.