1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
content / browser / sms / webotp_service.cc [blame]
// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/sms/webotp_service.h"
#include <iterator>
#include <memory>
#include <optional>
#include <queue>
#include <string>
#include <utility>
#include "base/check_op.h"
#include "base/command_line.h"
#include "base/functional/bind.h"
#include "base/functional/callback_helpers.h"
#include "base/metrics/histogram_functions.h"
#include "content/browser/renderer_host/render_frame_host_impl.h"
#include "content/browser/sms/sms_metrics.h"
#include "content/browser/sms/user_consent_handler.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/sms_fetcher.h"
#include "content/public/browser/web_contents.h"
#include "content/public/browser/web_contents_delegate.h"
#include "content/public/common/content_features.h"
#include "content/public/common/content_switches.h"
#include "services/metrics/public/cpp/ukm_builders.h"
#include "third_party/blink/public/common/sms/webotp_constants.h"
#include "third_party/blink/public/mojom/sms/webotp_service.mojom-shared.h"
using blink::mojom::SmsStatus;
using Outcome = blink::WebOTPServiceOutcome;
namespace content {
namespace {
// Only |kMaxUniqueOriginInAncestorChainForWebOTP| unique origins in the chain
// is considered valid. In addition, the unique origins must be consecutive.
// e.g. the following are valid:
// A.com (calls WebOTP API)
// A.com -> A.com (calls WebOTP API)
// A.com -> A.com -> B.com (calls WebOTP API)
// A.com -> B.com -> B.com (calls WebOTP API)
// while the following are invalid:
// A.com -> B.com -> A.com (calls WebOTP API)
// A.com -> B.com -> C.com (calls WebOTP API)
bool ValidateAndCollectUniqueOrigins(RenderFrameHost& rfh,
OriginList& origin_list) {
url::Origin current_origin = rfh.GetLastCommittedOrigin();
origin_list.push_back(current_origin);
RenderFrameHost* parent = rfh.GetParent();
while (parent) {
url::Origin parent_origin = parent->GetLastCommittedOrigin();
if (!parent_origin.IsSameOriginWith(current_origin)) {
origin_list.push_back(parent_origin);
current_origin = parent_origin;
}
if (origin_list.size() > blink::kMaxUniqueOriginInAncestorChainForWebOTP)
return false;
parent = parent->GetParent();
}
return true;
}
bool IsCrossOriginFrame(RenderFrameHost& rfh) {
if (!rfh.GetParent())
return false;
url::Origin current_origin = rfh.GetLastCommittedOrigin();
RenderFrameHost* parent = rfh.GetParent();
while (parent) {
url::Origin parent_origin = parent->GetLastCommittedOrigin();
if (!parent_origin.IsSameOriginWith(current_origin))
return true;
parent = parent->GetParent();
}
return false;
}
Outcome FailureTypeToOutcome(SmsFetchFailureType failure_type) {
switch (failure_type) {
case SmsFetchFailureType::kPromptTimeout:
return Outcome::kTimeout;
case SmsFetchFailureType::kPromptCancelled:
return Outcome::kUserCancelled;
case SmsFetchFailureType::kCrossDeviceFailure:
return Outcome::kCrossDeviceFailure;
default:
NOTREACHED_IN_MIGRATION();
return Outcome::kTimeout;
}
}
Outcome SmsStatusToOutcome(SmsStatus status) {
switch (status) {
case SmsStatus::kSuccess:
return Outcome::kSuccess;
case SmsStatus::kUnhandledRequest:
return Outcome::kUnhandledRequest;
case SmsStatus::kAborted:
return Outcome::kAborted;
case SmsStatus::kCancelled:
return Outcome::kCancelled;
case SmsStatus::kBackendNotAvailable:
// Records when the backend is not available AND the request gets
// cancelled. i.e. client specifies GmsBackend.VERIFICATION but it's
// unavailable. If client specifies GmsBackend.AUTO and the verification
// backend is not available, we fall back to the user consent backend and
// the request will be handled accordingly. e.g. if the user declined the
// prompt, we record it as |kUserCancelled|.
return Outcome::kBackendNotAvailable;
case SmsStatus::kTimeout:
return Outcome::kTimeout;
}
}
ukm::SourceId GetPageUkmSourceId(RenderFrameHost& render_frame_host) {
// Ensure the lifecycle state as GetPageUkmSourceId doesn't support the
// prerendering page. As WebOTPService runs behind the
// BrowserInterfaceBinders, the service doesn't receive any request while
// prerendering, and the CHECK should always meet the condition.
CHECK(!render_frame_host.IsInLifecycleState(
RenderFrameHost::LifecycleState::kPrerendering));
return render_frame_host.GetPageUkmSourceId();
}
} // namespace
WebOTPService::WebOTPService(
SmsFetcher* fetcher,
const OriginList& origin_list,
RenderFrameHost& host,
mojo::PendingReceiver<blink::mojom::WebOTPService> receiver)
: DocumentService(host, std::move(receiver)),
fetcher_(fetcher),
origin_list_(origin_list),
timeout_timer_(FROM_HERE,
blink::kWebOTPRequestTimeout,
this,
&WebOTPService::OnTimeout) {
CHECK(fetcher_);
}
WebOTPService::~WebOTPService() {
CHECK(!callback_);
}
// static
bool WebOTPService::Create(
SmsFetcher* fetcher,
RenderFrameHost* host,
mojo::PendingReceiver<blink::mojom::WebOTPService> receiver) {
CHECK(host);
OriginList origin_list;
if (!ValidateAndCollectUniqueOrigins(*host, origin_list))
return false;
// WebOTPService owns itself. It will self-destruct when a mojo interface
// error occurs, the RenderFrameHost is deleted, or the RenderFrameHost
// navigates to a new document.
new WebOTPService(fetcher, origin_list, *host, std::move(receiver));
static_cast<RenderFrameHostImpl*>(host)
->OnBackForwardCacheDisablingStickyFeatureUsed(
blink::scheduler::WebSchedulerTrackedFeature::kWebOTPService);
return true;
}
// static
WebOTPService& WebOTPService::CreateForTesting(
SmsFetcher* fetcher,
const OriginList& origins,
RenderFrameHost& frame_host,
mojo::PendingReceiver<blink::mojom::WebOTPService> receiver) {
return *new WebOTPService(fetcher, origins, frame_host, std::move(receiver));
}
void WebOTPService::WillBeDestroyed(DocumentServiceDestructionReason) {
// Resolve any pending callback and invoke clean up to unsubscribe this
// service from fetcher.
//
// TODO(crbug.com/40222530): Previously, running the callbacks in the
// destructor was required to avoid triggering CHECKs since the
// mojo::Receiver was (incorrectly) not yet reset in the destructor.
//
// The destruction order is fixed so running the reply callbacks should no
// longer be necessary; however, there are now unit test-only dependencies on
// this behavior. Remove those test dependencies and migrate any remaining
// cleanup logic that is still needed to the destructor and delete this
// `WillBeDestroyed()` override.
CompleteRequest(SmsStatus::kUnhandledRequest);
}
void WebOTPService::Receive(ReceiveCallback callback) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
CHECK(!origin_list_.empty());
// Cancels the last request if there is we have not yet handled it.
if (callback_)
CompleteRequest(SmsStatus::kCancelled);
start_time_ = base::TimeTicks::Now();
callback_ = std::move(callback);
timeout_timer_.Reset();
delayed_rejection_reason_.reset();
// |one_time_code_| and prompt are still present from the previous request so
// a new subscription is unnecessary. Note that it is only safe for us to use
// the in flight otp with the new request since both requests belong to the
// same origin.
// TODO(majidvp): replace is_active() check with a check on existence of the
// handler.
auto* consent_handler = GetConsentHandler();
if (consent_handler && consent_handler->is_active())
return;
fetcher_->Subscribe(origin_list_, *this, render_frame_host());
}
void WebOTPService::OnReceive(const OriginList& origin_list,
const std::string& one_time_code,
UserConsent consent_requirement) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
CHECK(!one_time_code_);
CHECK(!start_time_.is_null());
CHECK(!origin_list.empty());
receive_time_ = base::TimeTicks::Now();
RecordSmsReceiveTime(receive_time_ - start_time_,
GetPageUkmSourceId(render_frame_host()));
RecordSmsParsingStatus(SmsParsingStatus::kParsed,
GetPageUkmSourceId(render_frame_host()));
one_time_code_ = one_time_code;
// This function cannot get called during prerendering because WebOTPService
// is deferred during prerendering by MojoBinderPolicyApplier. This CHECK
// proves we don't have to worry about prerendering when using
// WebContents::FromRenderFrameHost() below (see function comments for
// WebContents::FromRenderFrameHost() for more details).
CHECK_NE(render_frame_host().GetLifecycleState(),
RenderFrameHost::LifecycleState::kPrerendering);
WebContents* web_contents =
content::WebContents::FromRenderFrameHost(&render_frame_host());
// With UserConsent API, users can see and interact with the permission prompt
// when they are on the different page other than the one that calls WebOTP.
// This is considered as a bad UX and we should measure how many successful
// verifications are exercising the UserConsent backend which is implied by
// UserConsent::kObtained.
if (consent_requirement == UserConsent::kObtained) {
RecordWebContentsVisibilityOnReceive(web_contents->GetVisibility() ==
Visibility::VISIBLE);
}
// Create a new consent handler for each OTP request. While we could
// potentially cache these across request but they are lightweight enought to
// not be worth the complexity associate with caching them.
UserConsentHandler* consent_handler =
CreateConsentHandler(consent_requirement);
consent_handler->RequestUserConsent(
one_time_code, base::BindOnce(&WebOTPService::OnUserConsentComplete,
weak_ptr_factory_.GetWeakPtr()));
}
void WebOTPService::OnFailure(FailureType failure_type) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
SmsParser::SmsParsingStatus status = SmsParsingStatus::kParsed;
switch (failure_type) {
case FailureType::kSmsNotParsed_OTPFormatRegexNotMatch:
status = SmsParsingStatus::kOTPFormatRegexNotMatch;
break;
case FailureType::kSmsNotParsed_HostAndPortNotParsed:
status = SmsParsingStatus::kHostAndPortNotParsed;
break;
case FailureType::kSmsNotParsed_kGURLNotValid:
status = SmsParsingStatus::kGURLNotValid;
break;
case FailureType::kPromptTimeout:
case FailureType::kPromptCancelled:
case FailureType::kCrossDeviceFailure:
// We do not complete the request here and instead rely on |OnTimeout| to
// complete the request. This delays the promise resolution for privacy
// reasons. e.g. if a promise gets resolved right after a user declines
// the prompt, sites would know that the SMS did reach the user and they
// could use such information for targeting. By using a timeout in all
// cases, it is not possible to distinguish between sms not being received
// and received but not shared.
// Note that we still unsubscribe it from the fetcher and |Unsubscribe|
// will be called again during the normal |CompleteRequest| process but it
// should be no-op.
delayed_rejection_reason_ = failure_type;
fetcher_->Unsubscribe(origin_list_, this);
return;
case FailureType::kBackendNotAvailable:
CompleteRequest(SmsStatus::kBackendNotAvailable);
return;
case FailureType::kNoFailure:
NOTREACHED_IN_MIGRATION();
}
// Records Sms parsing failures.
CHECK(status != SmsParsingStatus::kParsed);
RecordSmsParsingStatus(status, GetPageUkmSourceId(render_frame_host()));
}
void WebOTPService::Abort() {
if (!callback_) {
mojo::ReportBadMessage(
"The abort controller must be used after initiating an SMS request.");
return;
}
CompleteRequest(SmsStatus::kAborted);
}
void WebOTPService::CompleteRequest(blink::mojom::SmsStatus status) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
std::optional<std::string> code = std::nullopt;
if (status == SmsStatus::kSuccess) {
CHECK(one_time_code_);
code = one_time_code_;
}
if (callback_) {
RecordMetrics(status);
std::move(callback_).Run(status, code);
}
CleanUp();
}
void WebOTPService::CleanUp() {
// Skip resetting |one_time_code_|, |sms| and |receive_time_| while prompt is
// still open in case it needs to be returned to the next incoming request
// upon prompt confirmation.
// TODO(majidvp): replace is_active() check with a check on existence of the
// handler.
auto* consent_handler = GetConsentHandler();
bool consent_in_progress = consent_handler && consent_handler->is_active();
if (!consent_in_progress) {
one_time_code_.reset();
receive_time_ = base::TimeTicks();
// Clear the consent handler to avoid reusing it by mistake.
consent_handler_.reset();
}
start_time_ = base::TimeTicks();
callback_.Reset();
delayed_rejection_reason_.reset();
fetcher_->Unsubscribe(origin_list_, this);
}
UserConsentHandler* WebOTPService::CreateConsentHandler(
UserConsent consent_requirement) {
if (consent_handler_for_test_)
return consent_handler_for_test_;
if (consent_requirement == UserConsent::kNotObtained) {
consent_handler_ = std::make_unique<PromptBasedUserConsentHandler>(
render_frame_host(), origin_list_);
} else {
consent_handler_ = std::make_unique<NoopUserConsentHandler>();
}
return consent_handler_.get();
}
UserConsentHandler* WebOTPService::GetConsentHandler() {
if (consent_handler_for_test_)
return consent_handler_for_test_;
return consent_handler_.get();
}
void WebOTPService::SetConsentHandlerForTesting(UserConsentHandler* handler) {
consent_handler_for_test_ = handler;
}
void WebOTPService::OnTimeout() {
CompleteRequest(SmsStatus::kTimeout);
}
void WebOTPService::RecordMetrics(blink::mojom::SmsStatus status) {
// Record ContinueOn timing values only if we are using an asynchronous
// consent handler (i.e. showing user prompts).
auto* consent_handler = GetConsentHandler();
if (consent_handler && consent_handler->is_async()) {
if (status == SmsStatus::kSuccess) {
CHECK(!receive_time_.is_null());
RecordContinueOnSuccessTime(base::TimeTicks::Now() - receive_time_);
} else if (delayed_rejection_reason_ && delayed_rejection_reason_.value() ==
FailureType::kPromptCancelled) {
CHECK(!receive_time_.is_null());
RecordCancelOnSuccessTime(base::TimeTicks::Now() - receive_time_);
}
}
ukm::SourceId source_id = GetPageUkmSourceId(render_frame_host());
ukm::UkmRecorder* recorder = ukm::UkmRecorder::Get();
// For privacy, metrics from inner frames are recorded with the top frame's
// origin. Given that WebOTP is supported in cross-origin iframes, it's better
// to indicate such information in the |Outcome| metrics to understand the
// impact and implications. e.g. does user decline more often if the API is
// used in an cross-origin iframe.
bool is_cross_origin_frame = IsCrossOriginFrame(render_frame_host());
// For privacy, we do not reject the request immediately when user declines
// the permission prompt. Therefore the recording of such outcome is also
// delayed. We record it at one of the following scenarios:
// 1. at the timeout when the delayed timer fires
// 2. before the timeout if the request is aborted
// 3. before the timeout if |this| gets destroyed (e.g. website navigates)
// 4. before the timeout if the request is cancelled in favor of a new
// request by the website.
// In 2, 3 and 4, there is a different SmsStatus when trying to record metrics
// so we need to do it based on delayed_rejection_reason_.
if (delayed_rejection_reason_) {
CHECK_NE(status, SmsStatus::kSuccess);
// Records Outcome for requests which we reject with delay.
RecordSmsOutcome(FailureTypeToOutcome(delayed_rejection_reason_.value()),
source_id, recorder, is_cross_origin_frame);
if (delayed_rejection_reason_.value() == FailureType::kPromptCancelled) {
RecordSmsUserCancelTime(base::TimeTicks::Now() - start_time_, source_id,
recorder);
}
delayed_rejection_reason_.reset();
return;
}
// Records Outcome for requests which we resolve / reject immediately.
RecordSmsOutcome(SmsStatusToOutcome(status), source_id, recorder,
is_cross_origin_frame);
if (status == SmsStatus::kSuccess) {
RecordSmsSuccessTime(base::TimeTicks::Now() - start_time_, source_id,
recorder);
} else if (status == SmsStatus::kCancelled) {
RecordSmsCancelTime(base::TimeTicks::Now() - start_time_);
}
}
void WebOTPService::OnUserConsentComplete(UserConsentResult result) {
switch (result) {
case UserConsentResult::kApproved:
CompleteRequest(SmsStatus::kSuccess);
break;
case UserConsentResult::kNoDelegate:
case UserConsentResult::kInactiveRenderFrameHost:
CompleteRequest(SmsStatus::kCancelled);
break;
case UserConsentResult::kDenied:
OnFailure(FailureType::kPromptCancelled);
break;
}
}
} // namespace content