From 335cf0c77293ae06aafd75a2acfdea8ec761497e Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Thu, 14 Mar 2024 14:52:46 +0900
Subject: [PATCH] Re-do close watcher user activation tracking

As noted in #10046, the close watcher anti-abuse measures were overly strict, and would prevent firing the cancel event even when the close watcher was created with user interaction.

Additionally, the "is grouped with previous" infrastructure used to track close watcher groups was buggy, since close watchers could be destroyed and this would cause groups to spuriously collapse.

To fix both of these problems, we re-do the close watcher anti-abuse protections. We now track the groups as a list-of-lists, and explicitly track how many groups should be allowed at a given time. We can then compare them when making decisions about whether to group a new close watcher, or whether to fire a cancel event.

Note that the initial fix proposed in #10046 (and implemented in #10048) is incorrect, as it allows indefinite trapping of the user.

Closes #10046.
---
 source | 281 +++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 173 insertions(+), 108 deletions(-)

diff --git a/source b/source
index 09230c2df53..402cad4fced 100644
--- a/source
+++ b/source
@@ -78586,9 +78586,17 @@ interface <dfn interface>VisibilityStateEntry</dfn> : <span>PerformanceEntry</sp
    data-x="concept-document-origin">origin</span> is <span>same origin</span> with
    <var>document</var>'s <span data-x="concept-document-origin">origin</span>.</p></li>
 
-   <li><p><span data-x="list iterate">For each</span> <var>window</var> in <var>windows</var>, set
-   <var>window</var>'s <span>last activation timestamp</span> to the <span>current high resolution
-   time</span>.</p></li>
+   <li>
+    <p><span data-x="list iterate">For each</span> <var>window</var> in <var>windows</var>:</p>
+
+    <ol>
+     <li><p>Set <var>window</var>'s <span>last activation timestamp</span> to the <span>current
+     high resolution time</span>.</p></li>
+
+     <li><p><span>Notify the close watcher manager about user activation</span> given
+     <var>window</var>.</p></li>
+    </ol>
+   </li>
   </ol>
 
   <p>An <dfn>activation triggering input event</dfn> is any event whose <code
@@ -81905,6 +81913,14 @@ body { display:none }
     data-x="event-fullscreenchange">fullscreenchange</code> to be eventually fired.</p>
    </li>
 
+   <li>
+    <p>Optionally, skip to the step labeled <a href="#close-request-fallback">alternative
+    processing</a>.</p>
+
+    <p class="note">For example, if the user agent detects user frustration at repeated close
+    request interception by the current web page, it might take this path.</p>
+   </li>
+
    <li>
     <p>Fire any relevant events, per <cite>UI Events</cite> or other relevant specifications.
     <ref>UIEVENTS</ref></p>
@@ -81946,9 +81962,9 @@ body { display:none }
 
    <li><p>If <var>closedSomething</var> is true, then return.</p></li>
 
-   <li><p>Otherwise, there was nothing watching for a <span>close request</span>. The user agent
-   may instead interpret this interaction as some other action, instead of interpreting it as a
-   close request.</p></li>
+   <li id="close-request-fallback"><p><i>Alternative processing</i>: Otherwise, there was nothing
+   watching for a <span>close request</span>. The user agent may instead interpret this interaction
+   as some other action, instead of interpreting it as a close request.</p></li>
   </ol>
 
   </div>
@@ -81963,25 +81979,83 @@ body { display:none }
 
   <p class="example">On platforms where a back button is a potential <span>close request</span>, no
   event is involved, so when the back button is pressed, the user agent proceeds directly to
-  <span>process close watchers</span>. If there is a <span>close watcher</span> on the <span>close
-  watcher stack</span>, then that will get triggered. If there is not, then the user agent can
-  interpret the back button press in another way, for example as a request to <span>traverse the
-  history by a delta</span> of &minus;1.</p>
+  <span>process close watchers</span>. If there is an <span
+  data-x="close-watcher-active">active</span> <span>close watcher</span>, then that will get
+  triggered. If there is not, then the user agent can interpret the back button press in another
+  way, for example as a request to <span>traverse the history by a delta</span> of &minus;1.</p>
 
 
   <div w-nodev>
 
   <h4>Close watcher infrastructure</h4>
 
-  <p>Each <code>Window</code> has a <dfn>close watcher stack</dfn>, a <span>list</span> of <span
-  data-x="close watcher">close watchers</span>, initially empty.</p>
+  <p>Each <code>Window</code> has a <dfn>close watcher manager</dfn>, which is a
+  <span>struct</span> with the following <span data-x="struct item">items</span>:</p>
+
+  <ul>
+   <li><p><dfn data-x="close watcher manager groups">Groups</dfn>, a <span>list</span> of <span
+   data-x="list">lists</span> of <span data-x="close watcher">close watchers</span>, initially
+   empty.</p></li>
+
+   <li><p><dfn data-x="close watcher manager allowed number of groups">Allowed number of
+   groups</dfn>, a number, initially 1.</p></li>
+
+   <li><p><dfn data-x="close watcher manager next">Next user interaction allows a new group</dfn>,
+   a boolean, initially true.</p></li>
+  </ul>
+
+  <p>Most of the complexity of the <span>close watcher manager</span> comes from anti-abuse
+  protections designed to prevent developers from disabling users' history traversal abilities, for
+  platforms where a <span>close request</span>'s <a href="#close-request-fallback">fallback
+  action</a> is the main mechanism of history traversal. In particular:</p>
+
+  <p>The grouping of <span data-x="close watcher">close watchers</span> is designed so that if
+  multiple close watchers are created without <span>history-action activation</span>, they are
+  grouped together, so that a user-triggered <span>close request</span> will close all of the close
+  watchers in a group. This ensures that web developers can't intercept an unlimited number of
+  close requests by creating close watchers; instead they can create a number equal to at most 1 +
+  the number of times the <span data-x="user activation">user activates the page</span>.</p>
+
+  <p>The <span data-x="close watcher manager next">next user interaction allows a new group</span>
+  boolean encourages web developers to create <span data-x="close watcher">close watchers</span> in
+  a way that is tied to individual <span data-x="user activation">user activations</span>. Without
+  it, each user activation would increase the <span data-x="close watcher manager allowed number of
+  groups">allowed number of groups</span>, even if the web developer isn't "using" those user
+  activations to create close watchers. In short:</p>
+
+  <ul>
+   <li><p>Allowed: user interaction; create a close watcher in its own group; user interaction;
+   create a close watcher in a second independent group.</p></li>
+
+   <li><p>Disallowed: user interaction; user interaction; create a close watcher in its own group;
+   create a close watcher in a second independent group.</p></li>
 
-  <p class="note">It isn't quite a proper <span>stack</span>, as <span data-x="list
-  item">items</span> can get <span data-x="list remove">removed</span> from the middle of it if a
-  <span>close watcher</span> is <span data-x="close-watcher-destroy">destroyed</span> or <span
-  data-x="close-watcher-close">closed</span> via web developer code. User-initiated <span
-  data-x="close request">close requests</span> always act on the top of the <span>close watcher
-  stack</span>, however.</p>
+   <li><p>Allowed: user interaction; user interaction; create a close watcher in its own group;
+   create a close watcher grouped with the previous one.</p></li>
+  </ul>
+
+  <p>This protection is <em>not</em> important for upholding our desired invariant of creating at
+  most (1 + the number of times the <span data-x="user activation">user activates the page</span>)
+  groups. A determined abuser will just create one close watcher per user interaction, "banking"
+  them for future abuse. But this system causes more predictable behavior for the normal case, and
+  encourages non-abusive developers to create close watchers directly in response to user
+  interactions.</p>
+
+  <p>To <dfn>notify the close watcher manager about user activation</dfn> given a
+  <code>Window</code> <var>window</var>:</p>
+
+  <ol>
+   <li><p>Let <var>manager</var> be <var>window</var>'s <span>close watcher manager</span>.</p></li>
+
+   <li><p>If <var>manager</var>'s <span data-x="close watcher manager next">next user interaction
+   allows a new group</span> is true, then increment <var>manager</var>'s <span data-x="close
+   watcher manager allowed number of groups">allowed number of groups</span>.</p></li>
+
+   <li><p>Set <var>manager</var>'s <span data-x="close watcher manager next">next user interaction
+   allows a new group</span> to false.</p></li>
+  </ol>
+
+  <hr>
 
   <p>A <dfn export>close watcher</dfn> is a <span>struct</span> with the following <span
   data-x="struct item">items</span>:</p>
@@ -81997,27 +82071,14 @@ body { display:none }
    <li><p>A <dfn data-x="close-watcher-close-action">close action</dfn>, a list of steps. These
    steps can never throw an exception.</p></li>
 
-   <li><p>A <dfn data-x="close-watcher-user-activation">was created with user activation</dfn>
-   boolean.</p></li>
-
-   <li><p>An <dfn data-x="close-watcher-grouped">is grouped with previous</dfn> boolean.</p></li>
-
    <li><p>An <dfn data-x="close-watcher-is-running-cancel">is running cancel action</dfn>
    boolean.</p></li>
   </ul>
 
-  <p class="note">The <span data-x="close-watcher-grouped">is grouped with previous</span> boolean
-  is set if a <span>close watcher</span> is created without <span>history-action activation</span>.
-  (Except the very first close watcher in the <span>close watcher stack</span> that is created
-  without transient activation, which gets a pass on this restriction.) It causes a user-triggered
-  <span>close request</span> to close all such grouped-together close watchers, thus ensuring that
-  web developers can't make close requests ineffective by creating an excessive number of close
-  watchers.</p>
-
   <p>A <span>close watcher</span> <var>closeWatcher</var> <dfn data-x="close-watcher-active">is
   active</dfn> if <var>closeWatcher</var>'s <span data-x="close-watcher-window">window</span>'s
-  <span>close watcher stack</span> <span data-x="list contains">contains</span>
-  <var>closeWatcher</var>.</p>
+  <span>close watcher manager</span> <span data-x="list contains">contains</span> any list which
+  <span data-x="list contains">contains</span> <var>closeWatcher</var>.</p>
 
   <hr>
 
@@ -82026,49 +82087,9 @@ body { display:none }
   list of steps <dfn data-x="create-close-watcher-closeAction"><var>closeAction</var></dfn>:</p>
 
   <ol>
-   <li><p><span>Assert</span>: <var>window</var>'s <span data-x="concept-document-window">associated
-   <code>Document</code></span> is <span>fully active</span>.</p></li>
-
-   <li><p>Let <var>wasCreatedWithUserActivation</var> and <var>isGroupedWithPrevious</var> be
-   null.</p></li>
-
-   <li>
-    <p>If <var>window</var> has <span>history-action activation</span>, then:</p>
-
-    <ol>
-     <li><p><span>Consume history-action user activation</span> given <var>window</var>.</p></li>
-
-     <li><p>Set <var>wasCreatedWithUserActivation</var> to true.</p></li>
-
-     <li><p>Set <var>isGroupedWithPrevious</var> to false.</p></li>
-    </ol>
-   </li>
-
-   <li>
-    <p>Otherwise, if there is no <span>close watcher</span> in <var>window</var>'s <span>close
-    watcher stack</span> whose <span data-x="close-watcher-user-activation">was created with user
-    activation</span> is false, then:</p>
-
-    <ol>
-     <li><p>Set <var>wasCreatedWithUserActivation</var> to false.</p></li>
-
-     <li><p>Set <var>isGroupedWithPrevious</var> to false.</p></li>
-    </ol>
-
-    <p class="note">This will be the one "free" close watcher created without user activation, which
-    is useful for cases like session inactivity timeout dialogs or notifications from the
-    server.</p>
-   </li>
-
-   <li>
-    <p>Otherwise:</p>
-
-    <ol>
-     <li><p>Set <var>wasCreatedWithUserActivation</var> to false.</p></li>
-
-     <li><p>Set <var>isGroupedWithPrevious</var> to true.</p></li>
-    </ol>
-   </li>
+   <li><p><span>Assert</span>: <var>window</var>'s <span
+   data-x="concept-document-window">associated <code>Document</code></span> is <span>fully
+   active</span>.</p></li>
 
    <li>
     <p>Let <var>closeWatcher</var> be a new <span>close watcher</span>, with</p>
@@ -82083,19 +82104,36 @@ body { display:none }
      <dt><span data-x="close-watcher-close-action">close action</span></dt>
      <dd><var>closeAction</var></dd>
 
-     <dt><span data-x="close-watcher-user-activation">was created with user activation</span></dt>
-     <dd><var>wasCreatedWithUserActivation</var></dd>
-
-     <dt><span data-x="close-watcher-grouped">is grouped with previous</span></dt>
-     <dd><var>isGroupedWithPrevious</var></dd>
-
      <dt><span data-x="close-watcher-is-running-cancel">is running cancel action</span></dt>
      <dd>false</dd>
     </dl>
    </li>
 
-   <li><p><span data-x="list append">Append</span> <var>closeWatcher</var> to <var>window</var>'s
-   <span>close watcher stack</span>.</p></li>
+   <li><p>Let <var>manager</var> be <var>window</var>'s <span>close watcher manager</span>.</p></li>
+
+   <li><p>If <var>manager</var>'s <span data-x="close watcher manager groups">groups</span>'s <span
+   data-x="list size">size</span> is less than <var>manager</var>'s <span data-x="close watcher
+   manager allowed number of groups">allowed number of groups</span>, then <span data-x="list
+   append">append</span> « <var>closeWatcher</var> » to <var>manager</var>'s <span data-x="close
+   watcher manager groups">groups</span>.</p></li>
+
+   <li>
+    <p>Otherwise:</p>
+
+    <ol>
+     <li><p><span>Assert</span>: <var>manager</var>'s <span data-x="close watcher manager
+     groups">groups</span>'s <span data-x="list size">size</span> is at least 1 in this branch,
+     since <var>manager</var>'s <span data-x="close watcher manager allowed number of
+     groups">allowed number of groups</span> is always at least 1.</p></li>
+
+     <li><p><span data-x="list append">Append</span> <var>closeWatcher</var> to
+     <var>manager</var>'s <span data-x="close watcher manager groups">groups</span>'s last <span
+     data-x="list item">item</span>.</p></li>
+    </ol>
+   </li>
+
+   <li><p>Set <var>manager</var>'s <span data-x="close watcher manager next">next user interaction
+   allows a new group</span> to true.</p></li>
 
    <li><p>Return <var>closeWatcher</var>.</p></li>
   </ol>
@@ -82105,19 +82143,23 @@ body { display:none }
 
   <ol>
    <li><p>If <var>closeWatcher</var> <span data-x="close-watcher-active">is not active</span>, then
-   return.</p></li>
+   return true.</p></li>
 
    <li><p>If <var>closeWatcher</var>'s <span data-x="close-watcher-is-running-cancel">is running
-   cancel action</span> is true, then return.</p></li>
+   cancel action</span> is true, then return true.</p></li>
 
    <li><p>Let <var>window</var> be <var>closeWatcher</var>'s <span
    data-x="close-watcher-window">window</span>.</p></li>
 
    <li><p>If <var>window</var>'s <span data-x="concept-document-window">associated
-   <code>Document</code></span> is not <span>fully active</span>, then return.</p></li>
+   <code>Document</code></span> is not <span>fully active</span>, then return true.</p></li>
 
    <li>
-    <p>If <var>window</var> has <span>history-action activation</span>, then:</p>
+    <p>If <var>window</var>'s <span>close watcher manager</span>'s <span data-x="close watcher
+    manager groups">groups</span>'s <span data-x="list size">size</span> is less than
+    <var>window</var>'s <span>close watcher manager</span>'s <span data-x="close watcher manager
+    allowed number of groups">allowed number of groups</span>, and <var>window</var> has
+    <span>history-action activation</span>, then:</p>
 
     <ol>
      <li><p>Set <var>closeWatcher</var>'s <span data-x="close-watcher-is-running-cancel">is running
@@ -82135,21 +82177,20 @@ body { display:none }
       <ol>
        <li><p><span>Consume history-action user activation</span> given <var>window</var>.</p></li>
 
-       <li><p>Return.</p></li>
+       <li><p>Return false.</p></li>
       </ol>
      </li>
     </ol>
 
-    <p class="note">The guard on these substeps means that the <span
-    data-x="close-watcher-cancel-action">cancel action</span> only has a chance to prevent us from
-    continuing onward to the <span data-x="close-watcher-close-action">close action</span> when
-    <var>window</var> has <span>history-action activation</span>. In particular, since these
-    substeps <span>consume history-action user activation</span>, <span
-    data-x="close-watcher-request-close">requesting to close</span> a <span>close watcher</span>
-    twice without any intervening <span>user activation</span> will skip these substeps.</p>
+    <p class="note">Note that since these substeps <span>consume history-action user
+    activation</span>, <span data-x="close-watcher-request-close">requesting to close</span> a
+    <span>close watcher</span> twice without any intervening <span>user activation</span> will skip
+    these substeps.</p>
    </li>
 
    <li><p><span data-x="close-watcher-close">Close</span> <var>closeWatcher</var>.</p></li>
+
+   <li><p>Return true.</p></li>
   </ol>
 
   <p>To <dfn data-x="close-watcher-close">close</dfn> a <span>close watcher</span>
@@ -82170,34 +82211,58 @@ body { display:none }
   </ol>
 
   <p>To <dfn data-x="close-watcher-destroy">destroy</dfn> a <span>close watcher</span>
-  <var>closeWatcher</var>, <span data-x="list remove">remove</span> <var>closeWatcher</var> from
-  <var>closeWatcher</var>'s <span data-x="close-watcher-window">window</span>'s <span>close watcher
-  stack</span>.</p>
+  <var>closeWatcher</var>:</p>
+
+  <ol>
+   <li><p>Let <var>manager</var> be <var>closeWatcher</var>'s <span
+   data-x="close-watcher-window">window</span>'s <span>close watcher manager</span>.</p></li>
+
+   <li><p><span data-x="list iterate">For each</span> <var>group</var> of <var>manager</var>'s
+   <span data-x="close watcher manager groups">groups</span>: <span data-x="list
+   remove">remove</span> <var>closeWatcher</var> from <var>group</var>.</p></li>
+
+   <li><p><span data-x="list remove">Remove</span> any item from <var>manager</var>'s <span
+   data-x="close watcher manager groups">groups</span> that <span data-x="list is empty">is
+   empty</span>.</p></li>
+  </ol>
 
   <hr>
 
-  <p>To <dfn>process close watchers </dfn> given a <code>Window</code> <var>window</var>:</p>
+  <p>To <dfn>process close watchers</dfn> given a <code>Window</code> <var>window</var>:</p>
 
   <ol>
    <li><p>Let <var>processedACloseWatcher</var> be false.</p></li>
 
    <li>
-    <p>While <var>window</var>'s <span>close watcher stack</span> is not empty:</p>
+    <p>If <var>window</var>'s <span>close watcher manager</span>'s <span data-x="close watcher
+    manager groups">groups</span> is not empty:</p>
 
     <ol>
-     <li><p>Let <var>closeWatcher</var> be the last <span data-x="list item">item</span> in
-     <var>window</var>'s <span>close watcher stack</span>.</p></li>
+     <li><p>Let <var>group</var> be the last <span data-x="list item">item</span> in
+     <var>window</var>'s <span>close watcher manager</span>'s <span data-x="close watcher manager
+     groups">groups</span>.</p></li>
 
-     <li><p><span data-x="close-watcher-request-close">Request to close</span>
-     <var>closeWatcher</var>.</p></li>
+     <li>
+      <p><span data-x="list iterate">For each</span> <var>closeWatcher</var> of <var>group</var>,
+      in reverse order:</p>
 
-     <li><p>Set <var>processedACloseWatcher</var> to true.</p></li>
+      <ol>
+       <li><p>Set <var>processedACloseWatcher</var> to true.</p></li>
+
+       <li><p>Let <var>shouldProceed</var> be the result of <span
+       data-x="close-watcher-request-close">requesting to close</span>
+       <var>closeWatcher</var>.</p></li>
 
-     <li><p>If <var>closeWatcher</var>'s <span data-x="close-watcher-grouped">is grouped with
-     previous</span> is false, then <span>break</span>.</p></li>
+       <li><p>If <var>shouldProceed</var> is false, then <span>break</span>.</p></li>
+      </ol>
+     </li>
     </ol>
    </li>
 
+   <li><p>If <var>window</var>'s <span>close watcher manager</span>'s <span data-x="close watcher
+   manager allowed number of groups">allowed number of groups</span> is greater than 1, decrement
+   it by 1.</p></li>
+
    <li><p>Return <var>processedACloseWatcher</var>.</p></li>
   </ol>