Filter DownloadURL when starting drags from Blink and refactor drag source identification
Commit Hash:
988ac5cb880ba06ce8ddd8fe6ebc60dab03ec972
Commit Time: 2026-04-01 21:24:12
Impact Level: Major
Generated By: webview2-upstream-sentry
📋 Summary
This commit is a security and architectural improvement that addresses the missed DownloadURL filtering in RenderWidgetHostImpl::StartDragging() and refactors drag source identification on Mac. Key changes include:
1. Changed DropData's download_metadata field from std::u16string to std::optional struct, with parsing moved earlier to the browser side.
2. StartDragging() signature change: replaced source_origin + RenderWidgetHostImpl pointer parameters with a RenderFrameHost reference.
3. Added ChildProcessId and DocumentToken parameters for cross-process drag on Mac: modified StartDrag and DragPromisedFileTo interface definitions in web_contents_ns_view_bridge.mojom, added ChildProcessId mojom struct definition.
4. Updated parameter signatures across all app shim side classes: WebDragSource, WebContentsViewCocoa, WebContentsNSViewBridge.
5. DragPromisedFileTo no longer receives download_url and source_origin parameters; instead uses render_process_id + document_token to look up RenderFrameHost on the browser side.
6. DragDownloadFile constructor now uses WeakDocumentPtr.
🎯 Impact Analysis
This change has a major impact on WebView2Mac and requires careful attention. Key analysis:
1. **Breaking Mojo interface changes**: StartDrag and DragPromisedFileTo interface signatures in web_contents_ns_view_bridge.mojom have changed, adding ChildProcessId and DocumentToken parameters while removing download_url and source_origin parameters. This is the core communication interface for drag operations between WebView2Mac's app shim and browser processes. All classes implementing these interfaces must be updated upon integration.
2. **DropData struct change**: download_metadata changed from std::u16string to std::optional, a cross-platform data structure change. Any WebView2Mac code accessing DropData::download_metadata needs updating (e.g., empty checks from .empty() to .has_value(), field access through struct members).
3. **WebContentsViewMac::StartDragging() signature change**: The RenderViewHostDelegateView interface's StartDragging method signature changed. If the Edge repo has custom StartDragging handling for WebView2Mac, it needs to adapt to the new parameter list.
4. **DragPromisedFileTo security enhancement**: The new implementation dynamically looks up RenderFrameHost via render_process_id + document_token on the browser side, safely returning an empty path if the source document has been closed. This positively impacts drag-download security for WebView2Mac.
5. **WebDragSource comprehensive refactoring**: WebDragSource initialization and usage patterns changed; download_metadata parsing logic simplified (no longer parsed on app shim side), using pre-parsed struct fields directly. If WebView2Mac has custom modifications to WebDragSource, merge conflicts should be expected.
6. **New ChildProcessId mojom type**: A ChildProcessId struct is defined in web_contents_ns_view_bridge.mojom with corresponding traits in content/common. This is a new fundamental type for cross-process drag identification.
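The lookup pattern described in items 4 and 5, as an added example that is not code from the commit or from Chromium: the app shim passes only identifiers, and the browser side resolves the download metadata from state it holds itself. `BrowserSide`, `Document`, `DocumentKey`, `AddDocument` and `CloseDocument` are hypothetical names, and the integer id types are simplified stand-ins for the real `ChildProcessId` and `DocumentToken`.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <utility>

// Simplified model; hypothetical stand-ins, not the Chromium types.
using ChildProcessId = std::int32_t;
using DocumentToken = std::uint64_t;
using DocumentKey = std::pair<ChildProcessId, DocumentToken>;

struct DownloadUrlMetadata {  // pre-parsed once, on the browser side
  std::string mime_type;
  std::string file_name;
  std::string url;
};

struct Document {
  std::optional<DownloadUrlMetadata> download_metadata;
};

class BrowserSide {
 public:
  void AddDocument(ChildProcessId pid, DocumentToken token, Document doc) {
    documents_[DocumentKey{pid, token}] = std::move(doc);
  }
  void CloseDocument(ChildProcessId pid, DocumentToken token) {
    documents_.erase(DocumentKey{pid, token});
  }
  // The caller supplies identifiers only; no URL or origin crosses the
  // process boundary. Unknown, mismatched or closed documents yield "".
  std::string DragPromisedFileTo(ChildProcessId pid, DocumentToken token,
                                 const std::string& dest_dir) const {
    auto it = documents_.find(DocumentKey{pid, token});
    if (it == documents_.end()) return {};
    const auto& meta = it->second.download_metadata;
    if (!meta.has_value()) return {};  // replaces the old .empty() check
    return dest_dir + "/" + meta->file_name;
  }

 private:
  std::map<DocumentKey, Document> documents_;
};

int main() {
  BrowserSide browser;  // constructed sample data below
  browser.AddDocument(7, 42, Document{DownloadUrlMetadata{
      "application/pdf", "report.pdf", "https://a.example/report.pdf"}});
  browser.CloseDocument(7, 42);
  return browser.DragPromisedFileTo(7, 42, "/tmp/drop").empty() ? 0 : 1;
}
```
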
Impacted Classes:
remote_cocoa::mojom::WebContentsNSView
remote_cocoa::mojom::WebContentsNSViewHost
remote_cocoa::WebContentsNSViewBridge
content::WebContentsViewMac
content::WebDragSource
content::WebContentsViewCocoa
content::DropData
content::DownloadUrlMetadata
content::DragDownloadFile