content / browser / mojo_binder_policy_map_impl.cc [blame]

// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/mojo_binder_policy_map_impl.h"

#include <string_view>

#include "base/feature_list.h"
#include "base/no_destructor.h"
#include "base/not_fatal_until.h"
#include "content/common/dom_automation_controller.mojom.h"
#include "content/common/frame.mojom.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/mojo_binder_policy_map.h"
#include "content/public/common/content_client.h"
#include "device/gamepad/public/mojom/gamepad.mojom.h"
#include "media/mojo/mojom/media_player.mojom.h"
#include "media/mojo/mojom/webrtc_video_perf.mojom.h"
#include "services/network/public/mojom/restricted_cookie_manager.mojom.h"
#include "third_party/blink/public/mojom/blob/blob_url_store.mojom.h"
#include "third_party/blink/public/mojom/broadcastchannel/broadcast_channel.mojom.h"
#include "third_party/blink/public/mojom/cache_storage/cache_storage.mojom.h"
#include "third_party/blink/public/mojom/clipboard/clipboard.mojom.h"
#include "third_party/blink/public/mojom/file/file_utilities.mojom.h"
#include "third_party/blink/public/mojom/frame/back_forward_cache_controller.mojom.h"
#include "third_party/blink/public/mojom/frame/frame.mojom.h"
#include "third_party/blink/public/mojom/indexeddb/indexeddb.mojom.h"
#include "third_party/blink/public/mojom/loader/fetch_later.mojom.h"
#if BUILDFLAG(IS_MAC)
#include "third_party/blink/public/mojom/input/text_input_host.mojom.h"
#endif
#include "third_party/blink/public/mojom/loader/code_cache.mojom.h"
#include "third_party/blink/public/mojom/manifest/manifest_observer.mojom.h"
#include "third_party/blink/public/mojom/media/renderer_audio_output_stream_factory.mojom.h"
#include "third_party/blink/public/mojom/notifications/notification_service.mojom.h"
#include "third_party/blink/public/mojom/page/display_cutout.mojom.h"

namespace content {

#if BUILDFLAG(IS_MAC)
// Put crbug.com/115920 fix under flag, so we can measure its CWV impact.
BASE_FEATURE(kTextInputHostMojoCapabilityControlWorkaround,
             "TextInputHostMojoCapabilityControlWorkaround",
             base::FEATURE_ENABLED_BY_DEFAULT);
#endif

namespace {

enum class PolicyClass {
  kSameOriginPrerendering,
  kPreview,
};

// Register feature specific policies for interfaces registered in
// `internal::PopulateBinderMap` and `internal::PopulateBinderMapWithContext`.
void RegisterNonAssociatedPolicies(MojoBinderPolicyMap& map,
                                   PolicyClass policy) {
  // For Prerendering, kCancel is usually used for those interfaces that cannot
  // be granted because they can cause undesirable side-effects (e.g., playing
  // audio, showing notification) and are non-deferrable.
  // Please update `PrerenderCancelledInterface` and
  // `GetCancelledInterfaceType()` in
  // content/browser/preloading/prerender/prerender_metrics.h once you add a new
  // kCancel interface.

  map.SetNonAssociatedPolicy<device::mojom::GamepadHapticsManager>(
      MojoBinderNonAssociatedPolicy::kCancel);
  map.SetNonAssociatedPolicy<device::mojom::GamepadMonitor>(
      MojoBinderNonAssociatedPolicy::kCancel);

  if (policy == PolicyClass::kSameOriginPrerendering) {
    // ClipboardHost has sync messages, so it cannot be kDefer. However, the
    // renderer is not expected to request the interface; prerendering documents
    // do not have system focus nor user activation, which is required before
    // sending the request.
    map.SetNonAssociatedPolicy<blink::mojom::ClipboardHost>(
        MojoBinderNonAssociatedPolicy::kUnexpected);
  }

  // FileUtilitiesHost is only used by APIs that require user activations, being
  // impossible for a prerendered document. For the reason, this is marked as
  // kUnexpected.
  map.SetNonAssociatedPolicy<blink::mojom::FileUtilitiesHost>(
      MojoBinderNonAssociatedPolicy::kUnexpected);

  map.SetNonAssociatedPolicy<blink::mojom::CacheStorage>(
      MojoBinderNonAssociatedPolicy::kGrant);
  map.SetNonAssociatedPolicy<blink::mojom::IDBFactory>(
      MojoBinderNonAssociatedPolicy::kGrant);

  // Grant this interface because some sync web APIs rely on it; deferring it
  // leads to deadlock. However, granting this interface does not mean that
  // prerenders are allowed to create output streams.
  // RenderFrameAudioOutputStreamFactory understands which pages are
  // prerendering and does not fulfill their requests for audio streams.
  map.SetNonAssociatedPolicy<blink::mojom::RendererAudioOutputStreamFactory>(
      MojoBinderNonAssociatedPolicy::kGrant);
  map.SetNonAssociatedPolicy<network::mojom::RestrictedCookieManager>(
      MojoBinderNonAssociatedPolicy::kGrant);
  // Set policy to Grant for CodeCacheHost. Without this loads won't progress
  // since we wait for a response from code cache when loading resources.
  map.SetNonAssociatedPolicy<blink::mojom::CodeCacheHost>(
      MojoBinderNonAssociatedPolicy::kGrant);

  // Grant this for Media Capabilities APIs. This should be safe as the APIs
  // just query encoding / decoding information.
  map.SetNonAssociatedPolicy<media::mojom::WebrtcVideoPerfHistory>(
      content::MojoBinderNonAssociatedPolicy::kGrant);

#if BUILDFLAG(IS_MAC)
  // Set policy to Grant for TextInputHost.
  // This is used to return macOS IME sync call results to the browser process,
  // and will hang entire Chrome if paused.
  // This is a prospective fix added for crbug.com/1480850
  if (base::FeatureList::IsEnabled(
          kTextInputHostMojoCapabilityControlWorkaround)) {
    map.SetNonAssociatedPolicy<blink::mojom::TextInputHost>(
        MojoBinderNonAssociatedPolicy::kGrant);
  }
#endif
}

// Register same-origin prerendering policies for channel-associated interfaces
// registered in `RenderFrameHostImpl::SetUpMojoIfNeeded()`.
void RegisterChannelAssociatedPoliciesForSameOriginPrerendering(
    MojoBinderPolicyMap& map) {
  // Basic skeleton. All of them are critical to load a page so their policies
  // have to be kGrant.
  // TODO(crbug.com/40201285): Message-level control should be performed.
  map.SetAssociatedPolicy<mojom::FrameHost>(MojoBinderAssociatedPolicy::kGrant);
  map.SetAssociatedPolicy<blink::mojom::LocalFrameHost>(
      MojoBinderAssociatedPolicy::kGrant);
  map.SetAssociatedPolicy<blink::mojom::LocalMainFrameHost>(
      MojoBinderAssociatedPolicy::kGrant);

  // These interfaces do not leak sensitive information.
  map.SetAssociatedPolicy<blink::mojom::BackForwardCacheControllerHost>(
      MojoBinderAssociatedPolicy::kGrant);
  map.SetAssociatedPolicy<blink::mojom::ManifestUrlChangeObserver>(
      MojoBinderAssociatedPolicy::kGrant);
  map.SetAssociatedPolicy<mojom::DomAutomationControllerHost>(
      MojoBinderAssociatedPolicy::kGrant);

  // BroadcastChannel is granted for prerendering, as this API is restricted to
  // same-origin.
  map.SetAssociatedPolicy<blink::mojom::BroadcastChannelProvider>(
      MojoBinderAssociatedPolicy::kGrant);

  // Granting this interface does not mean prerendering pages are allowed to
  // play media. Feature-specific capability control is implemented to delay
  // playing media. See `RenderFrameImpl::DeferMediaLoad` for more information.
  map.SetAssociatedPolicy<media::mojom::MediaPlayerHost>(
      MojoBinderAssociatedPolicy::kGrant);

  // DisplayCutout supports the CSS viewport-fit property. It tracks
  // the current viewport-fit on a per-document basis, but only calls
  // the WebContents::NotifyViewportFitChanged and informs WebContents's
  // observers when the document is fullscreened. Prerendered documents cannot
  // enter fullscreen because they do not have transient activation, nor are
  // they active documents (see RenderFrameHostImpl::EnterFullscreen), so it is
  // safe to allow a prerendered document to use it.
  map.SetAssociatedPolicy<blink::mojom::DisplayCutoutHost>(
      MojoBinderAssociatedPolicy::kGrant);

  // Prerendering pages are allowed to create urls for blobs.
  map.SetAssociatedPolicy<blink::mojom::BlobURLStore>(
      MojoBinderAssociatedPolicy::kGrant);

  // Pages with FetchLater API calls should be allowed to prerender.
  // TODO(crbug.com/40276121): Update according to feedback from
  // https://github.com/WICG/pending-beacon/issues/82
  map.SetAssociatedPolicy<blink::mojom::FetchLaterLoaderFactory>(
      MojoBinderAssociatedPolicy::kGrant);
}

// Register mojo binder policies for same-origin prerendering for content/
// interfaces.
void RegisterContentBinderPoliciesForSameOriginPrerendering(
    MojoBinderPolicyMap& map) {
  RegisterNonAssociatedPolicies(map, PolicyClass::kSameOriginPrerendering);
  RegisterChannelAssociatedPoliciesForSameOriginPrerendering(map);
}

// Register mojo binder policies for preview mode for content/ interfaces.
void RegisterContentBinderPoliciesForPreview(MojoBinderPolicyMap& map) {
  RegisterNonAssociatedPolicies(map, PolicyClass::kPreview);
  // Inherits the policies for same-origin prerendering.
  // TODO(b:299240273): Adjust policies for preview.
  RegisterChannelAssociatedPoliciesForSameOriginPrerendering(map);
}

// A singleton class that stores the `MojoBinderPolicyMap` of interfaces which
// are obtained via `BrowserInterfaceBrowser` for frames.
// content/ initializes the policy map with predefined policies, then allows
// embedders to update the map.
class BrowserInterfaceBrokerMojoBinderPolicyMapHolder {
 public:
  BrowserInterfaceBrokerMojoBinderPolicyMapHolder() {
    RegisterContentBinderPoliciesForSameOriginPrerendering(same_origin_map_);
    GetContentClient()
        ->browser()
        ->RegisterMojoBinderPoliciesForSameOriginPrerendering(same_origin_map_);

    RegisterContentBinderPoliciesForPreview(preview_map_);
    GetContentClient()->browser()->RegisterMojoBinderPoliciesForPreview(
        preview_map_);
  }

  ~BrowserInterfaceBrokerMojoBinderPolicyMapHolder() = default;

  // Remove copy and move operations.
  BrowserInterfaceBrokerMojoBinderPolicyMapHolder(
      const BrowserInterfaceBrokerMojoBinderPolicyMapHolder& other) = delete;
  BrowserInterfaceBrokerMojoBinderPolicyMapHolder& operator=(
      const BrowserInterfaceBrokerMojoBinderPolicyMapHolder& other) = delete;
  BrowserInterfaceBrokerMojoBinderPolicyMapHolder(
      BrowserInterfaceBrokerMojoBinderPolicyMapHolder&&) = delete;
  BrowserInterfaceBrokerMojoBinderPolicyMapHolder& operator=(
      BrowserInterfaceBrokerMojoBinderPolicyMapHolder&&) = delete;

  const MojoBinderPolicyMapImpl* GetSameOriginPolicyMap() const {
    return &same_origin_map_;
  }
  const MojoBinderPolicyMapImpl* GetPreviewPolicyMap() const {
    return &preview_map_;
  }

 private:
  // TODO(crbug.com/40156088): Set default policy map for content/.
  // Changes to `same_origin_map_` require security review.
  MojoBinderPolicyMapImpl same_origin_map_;

  MojoBinderPolicyMapImpl preview_map_;
};

}  // namespace

MojoBinderPolicyMapImpl::MojoBinderPolicyMapImpl() = default;

MojoBinderPolicyMapImpl::MojoBinderPolicyMapImpl(
    const base::flat_map<std::string, MojoBinderNonAssociatedPolicy>& init_map)
    : non_associated_policy_map_(init_map) {}

MojoBinderPolicyMapImpl::~MojoBinderPolicyMapImpl() = default;

const MojoBinderPolicyMapImpl*
MojoBinderPolicyMapImpl::GetInstanceForSameOriginPrerendering() {
  static const base::NoDestructor<
      BrowserInterfaceBrokerMojoBinderPolicyMapHolder>
      map;

  return map->GetSameOriginPolicyMap();
}

const MojoBinderPolicyMapImpl*
MojoBinderPolicyMapImpl::GetInstanceForPreview() {
  static const base::NoDestructor<
      BrowserInterfaceBrokerMojoBinderPolicyMapHolder>
      map;

  return map->GetPreviewPolicyMap();
}

MojoBinderNonAssociatedPolicy
MojoBinderPolicyMapImpl::GetNonAssociatedMojoBinderPolicy(
    const std::string& interface_name,
    const MojoBinderNonAssociatedPolicy default_policy) const {
  const auto& found = non_associated_policy_map_.find(interface_name);
  if (found != non_associated_policy_map_.end())
    return found->second;
  return default_policy;
}

MojoBinderAssociatedPolicy
MojoBinderPolicyMapImpl::GetAssociatedMojoBinderPolicy(
    const std::string& interface_name,
    const MojoBinderAssociatedPolicy default_policy) const {
  const auto& found = associated_policy_map_.find(interface_name);
  if (found != associated_policy_map_.end())
    return found->second;
  return default_policy;
}

MojoBinderNonAssociatedPolicy
MojoBinderPolicyMapImpl::GetNonAssociatedMojoBinderPolicyOrDieForTesting(
    const std::string& interface_name) const {
  const auto& found = non_associated_policy_map_.find(interface_name);
  CHECK(found != non_associated_policy_map_.end(), base::NotFatalUntil::M130);
  return found->second;
}

MojoBinderAssociatedPolicy
MojoBinderPolicyMapImpl::GetAssociatedMojoBinderPolicyOrDieForTesting(
    const std::string& interface_name) const {
  const auto& found = associated_policy_map_.find(interface_name);
  CHECK(found != associated_policy_map_.end(), base::NotFatalUntil::M130);
  return found->second;
}

void MojoBinderPolicyMapImpl::SetPolicyByName(
    const std::string_view& name,
    MojoBinderNonAssociatedPolicy policy) {
  non_associated_policy_map_.emplace(name, policy);
}

void MojoBinderPolicyMapImpl::SetPolicyByName(
    const std::string_view& name,
    MojoBinderAssociatedPolicy policy) {
  associated_policy_map_.emplace(name, policy);
}

}  // namespace content