feat: add WebFrameMain detached property #43473

samuelmaddock · Aug 23, 2024

Description of Change

Note

This is an alternate proposal to #43456

In our security recommendations guide, we list validating senderFrame of IPCs. In the case of IPCs sent after the unload event, it's possible for senderFrame to point to a different RenderFrameHost than the sender of the IPC.

The process occurs as followed (gist to repro):

WebFrameMain is set to RFH A
Cross-origin navigation begins
WebFrameMain is swapped to RFH B
Window 'unload' listener is emitted in RFH A, now marked as kPendingDeletion
RFH A sends an IPC during the unload listener
IPC is received with senderFrame pointing to RFH B

WebFrameMain internally indexes a RFH by its FrameTreeNode ID. This is based on the design of WebFrameMain being similar to how <iframe> works.

To fix this without any breaking changes, we can introduce a few internal changes:

Modify all WebFrameMain lookups by RenderFrameHost to map directly to that RFH
- If the RFH is not attached to the FrameTreeNode, mark it as detached
Return null if event.senderFrame is accessed after the frame has already been disposed
- This ensures it never points to a differing RFH

The result is that IPCs received while an unload listener is running will have WebFrameMain.detached set, but all of the expected RFH properties will still be accessible. Once the RFH is finally deleted, the WebFrameMain instance will be disposed.

As long as we use dict.Set("frame", rfh) or dict.SetGetter("frame", rfh), it’s guaranteed to point to the correct RFH if immediately accessed after emitted.

ipcMain.on('unload-event', (event) => {
  event.senderFrame; // ✅
});

If accessed asynchronously, it will return null if the RFH has swapped or been destroyed.

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ✅ returns `null` without throwing
  event.senderFrame.url; // ❌ throws due to indexing null
});

Todo:

Add isDestroyed() so it's easier to check if WFM was disposed already
Ensure mainFrame.ipc.on handlers are called in the case of detached frames
Document the important of checking WFM synchronously to ensure URL, etc. hasn't changed. This depends on which design we choose for frame properties.

Checklist

PR description included and stakeholders cc'd
npm test passes
tests are changed or added
relevant documentation, tutorials, templates and examples are changed or added
PR release notes describe the change in a way relevant to app developers, and are capitalized, punctuated, and past tense.

Release Notes

Notes:

Added WebFrameMain.detached for frames in an unloading state.
Added WebFrameMain.isDestroyed() to determine if a frame has been destroyed.
Fixed webFrameMain.fromId(processId, frameId) returning a WebFrameMain instance which doesn't match the given parameters when the frame is unloading.

samuelmaddock · Sep 1, 2024

Reminder todo for me: mainFrame.ipc.on should receive the detached frame messages. This can be looked up via FrameTreeNode ID when dispatching the emitters.

MarshallOfSound · Sep 12, 2024

I don't love introducing APIs that could throw under "normal usage". I think I made this point before but ensuring we attach the correct pinned WebFrameMain information should be doable even after the navigation. We just need to stash the information.

Personally I think the much better end-state is to align on things like our new permission handler API which will just expose an origin, then we suggest folks validate the origin instead of the frame and move on with our lives 🤔

samuelmaddock · Sep 12, 2024

I don't love introducing APIs that could throw under "normal usage". I think I made this point before but ensuring we attach the correct pinned WebFrameMain information should be doable even after the navigation. We just need to stash the information.

We currently stash the process and routing IDs associated with the RenderFrameHost. This effectively pins all frame property access.

The current design throws if accessed asynchronously. Previously it returned null (undocumented).

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ❌ likely throws due to initial RFH destroyed
});

An alternate design could be to create an "empty" WebFrameMain which is initialized in a destroyed state.

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ✅ object exists
  event.senderFrame.isDestroyed(); // ✅ true because pinned frame info no longer points to valid RFH
  event.senderFrame.url; // ❌ throws as RFH has been destroyed/uninitialized
});

The only thing I don't like about this design is that it's somewhat misleading since the frame could have swapped. Throwing outright will encourage developers to always access synchronously. Throwing also follows the behavior seen in property access such as frame.url of a destroyed frame.

Personally I think the much better end-state is to align on things like our new permission handler API which will just expose an origin, then we suggest folks validate the origin instead of the frame and move on with our lives 🤔

I agree on the security side of things, we should prefer exposing the origin directly. That's the approach I intend to follow with the permissions changes once I get to proposing the permissions-v2 branch.

This PR is addressing the edge case with unloaded frames which applies to IPCs, permissions, and anywhere else we expose frames as property.

samuelmaddock · Sep 12, 2024

The frame property is pinned to a specific RenderFrameHost. When accessed immediately upon emitting an event, the frame is expected to exist. If the property is accessed too late, we can't return the expected frame if it has navigated or been destroyed.

Here are some options we can go with for addressing late access.

Option A: Throw upon access

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ❌ throws due to RFH destroyed
});

Matches existing behavior of throwing when accessing properties of destroyed frames (e.g. frame.url).
Doesn't require any breaking changes to types.

Option B: Return destroyed/empty WebFrameMain

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ✅ object exists
  event.senderFrame.isDestroyed(); // ✅ true because pinned frame info no longer points to valid RFH
  event.senderFrame.url; // ❌ throws as RFH has been destroyed/uninitialized
});

Doesn't require any breaking changes to types.

✅ Option C: Return `null`

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ✅ returns `null` without throwing
  event.senderFrame.url; // ❌ throws due to indexing null
});

This is the current, undocumented behavior.
If we document this, it will be a breaking change to the types.

Option D: Eagerly initialize frame property

ipcMain.on('unload-event', async (event) => {
  await crossOriginNavigationPromise;
  event.senderFrame; // ✅ object exists
  event.senderFrame.url; // URL points to navigated page
});

Frame properties are lazily evaluated which led us to this problem. We can have the WebFrameMain instance always be created with events instead of being done lazily. This has the drawback of allocations for each unique WebFrameMain instance emitted.

The frame will also continue to follow navigation which we may want to guide folks away from in cases such as IPCs.

With any of the lazily evaluated designs, we can detect when late access occurs and log a warning/error.

Warning: Frame property was accessed after it navigated or was destroyed. Frames should be accessed immediately upon receiving an event.

nornagon · Sep 26, 2024

API LGTM

nornagon · Sep 26, 2024

some color to my approval:

we've thought about this a long time. this is addressing a security issue, and I think we need to bias towards landing something here. we've gone through a lot of designs and this one seems pretty minimal in terms of what it adds and what it breaks.
as for checking origin vs checking frame, i agree we should recommend checking origin vs checking frame as it's simpler, and 99% of the time people are just checking the url of the frame anyway :)

itsananderson

API LGTM

Is it worth adding a short note to the breaking changes doc to mention that a bunch of APIs can now have a null value for the frame property? Even if this won't impact many people at runtime, it could cause a little friction with TypeScript type-checking, so it seems worth a high-level mention.

docs/api/session.md

samuelmaddock · Sep 30, 2024

Is it worth adding a short note to the breaking changes doc to mention that a bunch of APIs can now have a null value for the frame property?

@itsananderson I've added a notice about the change of behavior which mentions the possibility of the frame being null 09e9fba

jkleinsc

API LGTM

VerteDinde

If there are no API concerns, the code/approach here seems reasonable to me.

Is there any existing behavior where this could break handling event.senderFrame, where a developer is assuming it won’t return null? I think the answer is no, as we’re handling an edge case here, just asking in case any other existing documentation should be updated with the updated types.

lib/browser/api/web-contents.ts

samuelmaddock · Oct 1, 2024

Is there any existing behavior where this could break handling event.senderFrame, where a developer is assuming it won’t return null? I think the answer is no, as we’re handling an edge case here, just asking in case any other existing documentation should be updated with the updated types.

@VerteDinde the existing behavior is also to return null, albeit undocumented, so it's only new in the case of late-access after navigations.

fix: throw instead of returning null senderFrame test: detached frames fix: ensure IPCs of pending deletion RFHs are dispatched fix: lookup WFM by FTN ID to dispatch IPCs feat: add frame.isDestroyed() return null fix: return undefined docs: add null to all frame properties refactor: option c, return null and emit warning refactor: add routingId & processId to navigation events test: null frame property docs: clarify warning message better wording clarify null frame fix: browserwindow spec

release-clerk · Oct 11, 2024

Release Notes Persisted

Added WebFrameMain.detached for frames in an unloading state.

Added WebFrameMain.isDestroyed() to determine if a frame has been destroyed.

Fixed webFrameMain.fromId(processId, frameId) returning a WebFrameMain instance which doesn't match the given parameters when the frame is unloading.

trop · Oct 11, 2024

I have automatically backported this PR to "33-x-y", please check out #44209

* feat: add WebFrameMain detached property fix: throw instead of returning null senderFrame test: detached frames fix: ensure IPCs of pending deletion RFHs are dispatched fix: lookup WFM by FTN ID to dispatch IPCs feat: add frame.isDestroyed() return null fix: return undefined docs: add null to all frame properties refactor: option c, return null and emit warning refactor: add routingId & processId to navigation events test: null frame property docs: clarify warning message better wording clarify null frame fix: browserwindow spec * maybe fix 🤷 * fix: use updated util electron#43722 * docs: add notice for frame change of behavior * docs: clarify why frame properties may be null * lint * wip * fix: content::FrameTreeNodeId lookup and converter * refactor: avoid holey array deoptimization --------- Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>

electron-cation bot added the new-pr 🌱 PR opened recently label Aug 23, 2024

samuelmaddock mentioned this pull request Aug 23, 2024

feat: add pinned WebFrameMain variant #43456

Closed

5 tasks

samuelmaddock added the semver/minor backwards-compatible functionality label Aug 23, 2024

electron-cation bot added the api-review/requested 🗳 label Aug 23, 2024

samuelmaddock requested review from MarshallOfSound, codebytere and nornagon August 23, 2024 23:13

electron-cation bot removed the new-pr 🌱 PR opened recently label Aug 30, 2024

samuelmaddock added the wip ⚒ label Sep 12, 2024

samuelmaddock removed the wip ⚒ label Sep 13, 2024

samuelmaddock requested a review from a team as a code owner September 13, 2024 23:42

samuelmaddock force-pushed the feat/detached-webframemain branch 2 times, most recently from 62ef220 to 4fa45ef Compare September 19, 2024 16:14

samuelmaddock force-pushed the feat/detached-webframemain branch from 4fa45ef to bc851d4 Compare September 26, 2024 15:41

itsananderson approved these changes Sep 26, 2024

View reviewed changes

docs/api/session.md Outdated Show resolved Hide resolved

electron-cation bot added api-review/approved ✅ and removed api-review/requested 🗳 labels Sep 26, 2024

samuelmaddock added the target/33-x-y PR should also be added to the "33-x-y" branch. label Sep 30, 2024

samuelmaddock requested a review from a team as a code owner September 30, 2024 17:57

jkleinsc reviewed Sep 30, 2024

View reviewed changes

samuelmaddock force-pushed the feat/detached-webframemain branch from 014a4fd to d520445 Compare September 30, 2024 20:56

VerteDinde approved these changes Sep 30, 2024

View reviewed changes

georgexu99 approved these changes Sep 30, 2024

View reviewed changes

lib/browser/api/web-contents.ts Outdated Show resolved Hide resolved

samuelmaddock and others added 9 commits October 1, 2024 10:52

maybe fix 🤷

3ea5175

fix: use updated util electron#43722

5e766ea

docs: add notice for frame change of behavior

efdaa3e

docs: clarify why frame properties may be null

355b86b

lint

fd1b8d9

wip

a81f611

fix: content::FrameTreeNodeId lookup and converter

074ec1f

refactor: avoid holey array deoptimization

1bdc5dc

samuelmaddock force-pushed the feat/detached-webframemain branch from 4be5d6b to 1bdc5dc Compare October 1, 2024 14:53

Merge branch 'main' into feat/detached-webframemain

c4a19fb

jkleinsc added the backport/requested 🗳 label Oct 11, 2024

jkleinsc merged commit 8b3d70a into electron:main Oct 11, 2024
88 of 92 checks passed

trop bot mentioned this pull request Oct 11, 2024

feat: add WebFrameMain detached property #44209

Merged

trop bot added in-flight/33-x-y and removed target/33-x-y PR should also be added to the "33-x-y" branch. labels Oct 11, 2024

samuelmaddock deleted the feat/detached-webframemain branch October 24, 2024 15:59

trop bot added merged/33-x-y PR was merged to the "33-x-y" branch. and removed in-flight/33-x-y labels Oct 31, 2024

alexi mentioned this pull request Jan 7, 2025

WebFrameMain frames and name field access SIGSEGV #45142

Closed

3 tasks

samuelmaddock mentioned this pull request Feb 13, 2025

fix: dangling speculative frames #45609

Merged

5 tasks

Search code, repositories, users, issues, pull requests...

feat: add WebFrameMain detached property #43473

feat: add WebFrameMain detached property #43473

Uh oh!

Conversation

samuelmaddock commented Aug 23, 2024 • edited by jkleinsc Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description of Change

Checklist

Release Notes

Uh oh!

samuelmaddock commented Sep 1, 2024

Uh oh!

MarshallOfSound commented Sep 12, 2024

Uh oh!

samuelmaddock commented Sep 12, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

samuelmaddock commented Sep 12, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Option A: Throw upon access

Option B: Return destroyed/empty WebFrameMain

✅ Option C: Return null

Option D: Eagerly initialize frame property

Uh oh!

nornagon commented Sep 26, 2024

Uh oh!

nornagon commented Sep 26, 2024

Uh oh!

itsananderson left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

samuelmaddock commented Sep 30, 2024

Uh oh!

jkleinsc left a comment

Choose a reason for hiding this comment

Uh oh!

VerteDinde left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

samuelmaddock commented Oct 1, 2024

Uh oh!

Uh oh!

release-clerk bot commented Oct 11, 2024

Uh oh!

trop bot commented Oct 11, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

samuelmaddock commented Aug 23, 2024 •

edited by jkleinsc

Loading

samuelmaddock commented Sep 12, 2024 •

edited

Loading

samuelmaddock commented Sep 12, 2024 •

edited

Loading

✅ Option C: Return `null`

VerteDinde left a comment •

edited

Loading