1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
content / browser / renderer_host / origin_trial_state_host_impl.cc [blame]
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/renderer_host/origin_trial_state_host_impl.h"
#include "content/browser/bad_message.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/origin_trials_controller_delegate.h"
#include "content/public/browser/runtime_feature_state/runtime_feature_state_document_data.h"
#include "third_party/blink/public/common/origin_trials/origin_trials.h"
#include "third_party/blink/public/common/origin_trials/trial_token_result.h"
#include "third_party/blink/public/common/origin_trials/trial_token_validator.h"
#include "third_party/blink/public/common/runtime_feature_state/runtime_feature_state_context.h"
#include "third_party/blink/public/mojom/origin_trials/origin_trial_state_host.mojom.h"
namespace content {
OriginTrialStateHostImpl::OriginTrialStateHostImpl(
RenderFrameHost& host,
mojo::PendingReceiver<blink::mojom::OriginTrialStateHost> receiver)
: DocumentService(host, std::move(receiver)) {}
OriginTrialStateHostImpl::~OriginTrialStateHostImpl() = default;
// static
void OriginTrialStateHostImpl::Create(
RenderFrameHost* host,
mojo::PendingReceiver<blink::mojom::OriginTrialStateHost> receiver) {
CHECK(host);
// The object is bound to the lifetime of `render_frame_host` and the mojo
// connection. See DocumentService for details.
new OriginTrialStateHostImpl(*host, std::move(receiver));
}
void OriginTrialStateHostImpl::ApplyFeatureDiffForOriginTrial(
base::flat_map<::blink::mojom::RuntimeFeature,
::blink::mojom::OriginTrialFeatureStatePtr>
origin_trial_features) {
// TODO(crbug.com/40243430): RuntimeFeatureState does not yet support
// HTTP header origin trial tokens, which currently cause this function to be
// called between RenderFrameHostImpl::CommitNavigation() and
// RenderFrameHostImpl::DidCommitNavigation(). As a result, we will reject all
// tokens that are sent before the navigation has committed, as we cannot
// validate them.
if (render_frame_host().GetLifecycleState() ==
content::RenderFrameHost::LifecycleState::kPendingCommit) {
return;
}
// Perform security checks by ensuring the following:
base::flat_map<::blink::mojom::RuntimeFeature, bool> validated_features{};
base::flat_map<::blink::mojom::RuntimeFeature, std::vector<std::string>>
possible_third_party_features{};
for (const auto& feature_pair : origin_trial_features) {
// Ensure the tokens we received are valid for this feature and origin.
std::string feature_name;
blink::TrialTokenValidator validator;
bool are_tokens_valid = true;
for (const auto& token : feature_pair.second->tokens) {
// Third party tokens will be rejected as invalid here. These will instead
// be collected in `possible_third_party_features` for later validation
// via Is$FEATURE$EnabledForThirdParty.
blink::TrialTokenResult result = validator.ValidateTokenAndTrial(
token, render_frame_host().GetLastCommittedOrigin(),
base::Time::Now());
if (result.Status() != blink::OriginTrialTokenStatus::kSuccess) {
are_tokens_valid = false;
} else {
// All tokens should contain the same feature name. Store that name for
// later validation checks.
if (feature_name.empty()) {
feature_name = result.ParsedToken()->feature_name();
} else {
DCHECK(feature_name == result.ParsedToken()->feature_name());
}
}
}
// We can add a feature to the RuntimeFeatureStateReadContext if:
// 1. All of the tokens for the given feature were validated.
// 2. The feature we received is an origin trial feature.
// 3. The feature we received is expected in the browser process.
if (are_tokens_valid) {
if (blink::origin_trials::IsTrialValid(feature_name) &&
blink::origin_trials::IsTrialEnabledForBrowserProcessReadAccess(
feature_name)) {
validated_features[feature_pair.first] =
feature_pair.second->is_enabled;
} else {
// The renderer is compromised so we terminate it.
bad_message::ReceivedBadMessage(
render_frame_host().GetProcess(),
bad_message::RFSCI_BROWSER_VALIDATION_BAD_ORIGIN_TRIAL_TOKEN);
return;
}
} else if (feature_pair.second->is_enabled) {
// If we could not validate the tokens it's possible there's a third-party
// origin trial among them. In this case we should store the tokens for
// later validation once the potential third-party origin is known.
possible_third_party_features[feature_pair.first] =
feature_pair.second->tokens;
}
}
// Apply the diff changes to the mutable RuntimeFeatureStateReadContext.
// TODO(crbug.com/347186599): CAVEAT EMPTOR - there are corner cases where
// RuntimeFeatureStateDocumentData::GetForCurrentDocument() returned a nullptr
// when it shouldn't have. To prevent CHECK failures, we will create a new
// RuntimeFeatureStateDocumentData, but this does not resolve the original
// corner case where the DocumentData is incorrectly created/deleted.
// This issue should be revisited to avoid silently dropping any feature
// overrides that are stored in the RFSDocumentData, in these corner cases
// when the data has become a nullptr.
RuntimeFeatureStateDocumentData* document_data =
RuntimeFeatureStateDocumentData::GetForCurrentDocument(
&render_frame_host());
if (!document_data) {
// We can't use
// RuntimeFeatureStateDocumentData::GetOrCreateForCurrentDocument() because
// that creates an empty RuntimeFeatureStateReadContext which will hit some
// internal CHECKs if used because all its member fields are empty. Passing
// in a RuntimeFeatureStateContext() will initialize those member fields.
RuntimeFeatureStateDocumentData::CreateForCurrentDocument(
&render_frame_host(), blink::RuntimeFeatureStateContext());
document_data = RuntimeFeatureStateDocumentData::GetForCurrentDocument(
&render_frame_host());
}
CHECK(document_data);
document_data
->GetMutableRuntimeFeatureStateReadContext(
base::PassKey<OriginTrialStateHostImpl>())
.ApplyFeatureChange(validated_features, possible_third_party_features);
}
void OriginTrialStateHostImpl::EnablePersistentTrial(
const std::string& token,
const std::vector<url::Origin>& script_origins) {
OriginTrialsControllerDelegate* delegate =
render_frame_host()
.GetBrowserContext()
->GetOriginTrialsControllerDelegate();
if (!delegate) {
return;
}
// No validation required here, as the delegate will fully validate the
// provided token.
std::vector<std::string> tokens = {token};
delegate->PersistAdditionalTrialsFromTokens(
/*origin=*/render_frame_host().GetLastCommittedOrigin(),
/*partition_origin=*/
render_frame_host().GetOutermostMainFrame()->GetLastCommittedOrigin(),
script_origins, tokens, base::Time::Now(),
render_frame_host().GetPageUkmSourceId());
}
} // namespace content