Mac: Block orderWindow on never-visible proxy windows
Moderate
提交哈希:
171e5b628510e610c91dbdcb533d7070170afbcd
提交时间: 2026-04-23 02:07:20
影响等级: Moderate
生成工具: chromium-watcher
上游审核链接:
查看上游审核 🔗
📋 摘要
This commit fixes a bug where macOS system frameworks (e.g., AuthenticationServicesCore presenting passkey/WebAuthn dialogs) could inadvertently make the invisible browser-side proxy window visible by calling orderWindow:. A guard is added to NativeWidgetMacNSWindow's orderWindow:relativeTo: method: when _isEnforcingNeverMadeVisible is set and the ordering mode is not NSWindowOut, the call returns early without executing. This upgrades the existing monitoring (DumpWithoutCrashing via KVO observer) to actual enforcement (blocking the operation). Unit tests and browser integration tests are added to validate the fix.
🎯 影响分析
This commit has a moderate impact on WebView2Mac. NativeWidgetMacNSWindow is a core window class in the remote_cocoa app_shim layer, directly serving WebView2Mac's cross-process window management architecture. In WebView2Mac, the browser process creates a proxy NSWindow marked with enforceNeverMadeVisible via CreateRemoteNSWindow, while actual rendering occurs in the host app process through the bridge mechanism. Previously, if macOS system frameworks (e.g., passkey dialogs) triggered orderWindow: on the proxy window, it would become unexpectedly visible ("zombie window"), producing DumpWithoutCrashing crash reports.
After this fix, the orderWindow: method directly blocks such illegitimate ordering operations, fundamentally eliminating the zombie window issue. The current Edge downstream code (native_widget_mac_nswindow.mm lines 667-671) does not yet contain this guard and still relies on the KVO monitoring mechanism. This fix will apply naturally with upstream merge, involves no changes to Mojo interfaces or bridge/host communication protocols, and requires no additional adaptation work. Notably, the commit author is a Microsoft employee (chunyanghuo@microsoft.com), suggesting this may be a proactive upstream contribution from the WebView2Mac team.
After this fix, the orderWindow: method directly blocks such illegitimate ordering operations, fundamentally eliminating the zombie window issue. The current Edge downstream code (native_widget_mac_nswindow.mm lines 667-671) does not yet contain this guard and still relies on the KVO monitoring mechanism. This fix will apply naturally with upstream merge, involves no changes to Mojo interfaces or bridge/host communication protocols, and requires no additional adaptation work. Notably, the commit author is a Microsoft employee (chunyanghuo@microsoft.com), suggesting this may be a proactive upstream contribution from the WebView2Mac team.
受影响的类:
NativeWidgetMacNSWindow