Hook up NetworkIsolationKey to ProxyResolvingClientSockets.

The NetworkIsolationKey determine's what site's DNS cache shard is used
for DNS lookups, and what requests can share a socket when using an
H2/QUIC proxy.

Also make Jingle and GCM pass in a NetworkIsolationKey that matches the
URL they're connecting to. This will currently only leak DNS of the
host they're looking up to top frames navigated to that same host,
which seems fine (though once WebRTC is using NIKs, too, this will mean
web-initiated WebRTC tunnels and GCM/Jingle tunnels to the same hos
will share H2/QUIC proxy connections, which allows more interesting,
but not too concerning leaks)

Bug: 1082280
Change-Id: I4625327940dc3b2ec4022f7e0937a5fec51634b8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209407
Reviewed-by: Shivani Sharma <shivanisha@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Reviewed-by: Dmitry Titov <dimich@chromium.org>
Reviewed-by: Zhongyi Shi <zhongyi@chromium.org>
Commit-Queue: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#774866}

google_apis/gcm/base/socket_stream_unittest.cc

@@ -20,6 +20,7 @@
 #include "mojo/public/cpp/bindings/pending_remote.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "net/base/ip_address.h"
+#include "net/base/network_isolation_key.h"
 #include "net/log/net_log_source.h"
 #include "net/socket/socket_test_util.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
@@ -28,6 +29,7 @@
 #include "services/network/network_service.h"
 #include "services/network/public/mojom/proxy_resolving_socket.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/origin.h"
 
 namespace gcm {
 namespace {
@@ -231,8 +233,12 @@ void GCMSocketStreamTest::OpenConnection() {
   network::mojom::ProxyResolvingSocketOptionsPtr options =
       network::mojom::ProxyResolvingSocketOptions::New();
   options->use_tls = true;
+  const url::Origin kOrigin = url::Origin::Create(kDestination);
   mojo_socket_factory_remote_->CreateProxyResolvingSocket(
-      kDestination, std::move(options),
+      kDestination,
+      net::NetworkIsolationKey(kOrigin /* top_frame_origin */,
+                               kOrigin /* frame_origin */),
+      std::move(options),
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
       mojo_socket_remote_.BindNewPipeAndPassReceiver(),
       mojo::NullRemote() /* observer */,

google_apis/gcm/engine/connection_factory_impl.cc

@@ -17,6 +17,7 @@
 #include "google_apis/gcm/protocol/mcs.pb.h"
 #include "mojo/public/cpp/bindings/pending_remote.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/proxy_fallback.h"
 #include "net/log/net_log_source_type.h"
@@ -26,6 +27,8 @@
 #include "net/ssl/ssl_config_service.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 #include "services/network/public/mojom/tcp_socket.mojom.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 namespace gcm {
 
@@ -359,8 +362,13 @@ void ConnectionFactoryImpl::StartConnection() {
   network::mojom::ProxyResolvingSocketOptionsPtr options =
       network::mojom::ProxyResolvingSocketOptions::New();
   options->use_tls = true;
+  // |current_endpoint| is always a Google URL, so this NetworkIsolationKey will
+  // be the same for all callers, and will allow pooling all connections to GCM
+  // in one socket connection, if an H2 or QUIC proxy is in use.
+  auto origin = url::Origin::Create(current_endpoint);
+  net::NetworkIsolationKey network_isolation_key(origin, origin);
   socket_factory_->CreateProxyResolvingSocket(
-      current_endpoint, std::move(options),
+      current_endpoint, std::move(network_isolation_key), std::move(options),
       net::MutableNetworkTrafficAnnotationTag(traffic_annotation),
       socket_.BindNewPipeAndPassReceiver(), mojo::NullRemote() /* observer */,
       base::BindOnce(&ConnectionFactoryImpl::OnConnectDone,

google_apis/gcm/engine/connection_handler_impl_unittest.cc

@@ -27,6 +27,7 @@
 #include "mojo/public/cpp/bindings/pending_remote.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "net/base/ip_address.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/log/net_log_source.h"
 #include "net/socket/socket_test_util.h"
@@ -38,6 +39,7 @@
 #include "services/network/network_service.h"
 #include "services/network/public/mojom/proxy_resolving_socket.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/origin.h"
 
 namespace gcm {
 namespace {
@@ -249,8 +251,12 @@ void GCMConnectionHandlerImplTest::BuildSocket(const ReadList& read_list,
       network::mojom::ProxyResolvingSocketOptions::New();
   options->use_tls = true;
   mojo_socket_remote_.reset();
+  const url::Origin kOrigin = url::Origin::Create(kDestination);
   mojo_socket_factory_remote_->CreateProxyResolvingSocket(
-      kDestination, std::move(options),
+      kDestination,
+      net::NetworkIsolationKey(kOrigin /* top_frame_origin */,
+                               kOrigin /* frame_origin */),
+      std::move(options),
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
       mojo_socket_remote_.BindNewPipeAndPassReceiver(),
       mojo::NullRemote() /* observer */,

jingle/glue/network_service_async_socket.cc

@@ -17,6 +17,9 @@
 #include "mojo/public/cpp/bindings/pending_remote.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
+#include "net/base/network_isolation_key.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 namespace jingle_glue {
 
@@ -164,8 +167,13 @@ bool NetworkServiceAsyncSocket::Connect(const net::HostPortPair& address) {
       network::mojom::ProxyResolvingSocketOptions::New();
   options->use_tls = false;
   options->fake_tls_handshake = use_fake_tls_handshake_;
+  GURL url("https://" + address.ToString());
+  auto origin = url::Origin::Create(url);
   socket_factory_->CreateProxyResolvingSocket(
-      GURL("https://" + address.ToString()), std::move(options),
+      url,
+      net::NetworkIsolationKey(origin /* top_frame_origin */,
+                               origin /* frame_origin */),
+      std::move(options),
       net::MutableNetworkTrafficAnnotationTag(traffic_annotation_),
       socket_.BindNewPipeAndPassReceiver(), std::move(socket_observer),
       base::BindOnce(&NetworkServiceAsyncSocket::ProcessConnectDone,

jingle/glue/network_service_async_socket_unittest.cc

@@ -30,6 +30,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log_source.h"
@@ -42,6 +43,7 @@
 #include "services/network/public/mojom/proxy_resolving_socket.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/webrtc/rtc_base/third_party/sigslot/sigslot.h"
+#include "url/origin.h"
 
 namespace jingle_glue {
 
@@ -191,11 +193,16 @@ class MockProxyResolvingSocketFactory
   // mojom::ProxyResolvingSocketFactory implementation.
   void CreateProxyResolvingSocket(
       const GURL& url,
+      const net::NetworkIsolationKey& network_isolation_key,
       network::mojom::ProxyResolvingSocketOptionsPtr options,
       const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
       mojo::PendingReceiver<network::mojom::ProxyResolvingSocket> receiver,
       mojo::PendingRemote<network::mojom::SocketObserver> observer,
       CreateProxyResolvingSocketCallback callback) override {
+    url::Origin origin = url::Origin::Create(url);
+    EXPECT_EQ(net::NetworkIsolationKey(origin /* top_frame_origin */,
+                                       origin /* frame_origin */),
+              network_isolation_key);
     auto socket = std::make_unique<MockProxyResolvingSocket>();
     socket_raw_ = socket.get();
     proxy_resolving_socket_receivers_.Add(std::move(socket),

services/network/p2p/socket_tcp.cc

@@ -14,6 +14,7 @@
 #include "jingle/glue/fake_ssl_client_socket.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
@@ -106,7 +107,9 @@ void P2PSocketTcpBase::Init(const net::IPEndPoint& local_address,
 
   socket_ = proxy_resolving_socket_factory_->CreateSocket(
       GURL("https://" + dest_host_port_pair.ToString()),
-      IsTlsClientSocket(type_));
+      // TODO(https://crbug.com/1021661): Pass in a non-empty
+      // NetworkIsolationKey here.
+      net::NetworkIsolationKey::Todo(), IsTlsClientSocket(type_));
 
   if (IsPseudoTlsClientSocket(type_)) {
     socket_ =

services/network/proxy_resolving_client_socket.cc

@@ -38,10 +38,12 @@ ProxyResolvingClientSocket::ProxyResolvingClientSocket(
     net::HttpNetworkSession* network_session,
     const net::CommonConnectJobParams* common_connect_job_params,
     const GURL& url,
+    const net::NetworkIsolationKey& network_isolation_key,
     bool use_tls)
     : network_session_(network_session),
       common_connect_job_params_(common_connect_job_params),
       url_(url),
+      network_isolation_key_(network_isolation_key),
       use_tls_(use_tls),
       net_log_(net::NetLogWithSource::Make(network_session_->net_log(),
                                            net::NetLogSourceType::SOCKET)),
@@ -245,8 +247,8 @@ int ProxyResolvingClientSocket::DoProxyResolve() {
   //
   // TODO(https://crbug.com/1023439): Pass along a NetworkIsolationKey.
   return network_session_->proxy_resolution_service()->ResolveProxy(
-      url_, net::HttpRequestHeaders::kPostMethod,
-      net::NetworkIsolationKey::Todo(), &proxy_info_,
+      url_, net::HttpRequestHeaders::kPostMethod, network_isolation_key_,
+      &proxy_info_,
       base::BindOnce(&ProxyResolvingClientSocket::OnIOComplete,
                      base::Unretained(this)),
       &proxy_resolve_request_, net_log_);
@@ -299,7 +301,7 @@ int ProxyResolvingClientSocket::DoInitConnection() {
       use_tls_, net::HostPortPair::FromURL(url_), proxy_info_.proxy_server(),
       proxy_annotation_tag, &ssl_config, &ssl_config, true /* force_tunnel */,
       net::PRIVACY_MODE_DISABLED, net::OnHostResolutionCallback(),
-      net::MAXIMUM_PRIORITY, net::SocketTag(), net::NetworkIsolationKey(),
+      net::MAXIMUM_PRIORITY, net::SocketTag(), network_isolation_key_,
       false /* disable_secure_dns */, common_connect_job_params_, this);
   return connect_job_->Connect();
 }

services/network/proxy_resolving_client_socket.h

@@ -17,6 +17,7 @@
 #include "base/memory/weak_ptr.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_info.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
@@ -31,6 +32,7 @@ struct CommonConnectJobParams;
 class HttpAuthController;
 class HttpResponseInfo;
 class HttpNetworkSession;
+class NetworkIsolationKey;
 class ProxyResolutionRequest;
 }  // namespace net
 
@@ -55,6 +57,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) ProxyResolvingClientSocket
       net::HttpNetworkSession* network_session,
       const net::CommonConnectJobParams* common_connect_job_params,
       const GURL& url,
+      const net::NetworkIsolationKey& network_isolation_key,
       bool use_tls);
   ~ProxyResolvingClientSocket() override;
 
@@ -132,6 +135,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) ProxyResolvingClientSocket
   std::unique_ptr<net::ProxyResolutionRequest> proxy_resolve_request_;
   net::ProxyInfo proxy_info_;
   const GURL url_;
+  const net::NetworkIsolationKey network_isolation_key_;
   const bool use_tls_;
 
   net::NetLogWithSource net_log_;

services/network/proxy_resolving_client_socket_factory.cc

@@ -76,6 +76,7 @@ ProxyResolvingClientSocketFactory::~ProxyResolvingClientSocketFactory() {}
 std::unique_ptr<ProxyResolvingClientSocket>
 ProxyResolvingClientSocketFactory::CreateSocket(
     const GURL& url,
+    const net::NetworkIsolationKey& network_isolation_key,
     bool use_tls) {
   // |request_context|'s HttpAuthCache might have updates. For example, a user
   // might have since entered proxy credentials. Clear the http auth of
@@ -96,7 +97,8 @@ ProxyResolvingClientSocketFactory::CreateSocket(
           ->http_auth_cache();
   network_session_->http_auth_cache()->CopyProxyEntriesFrom(*other_auth_cache);
   return std::make_unique<ProxyResolvingClientSocket>(
-      network_session_.get(), common_connect_job_params_.get(), url, use_tls);
+      network_session_.get(), common_connect_job_params_.get(), url,
+      network_isolation_key, use_tls);
 }
 
 }  // namespace network

services/network/proxy_resolving_client_socket_factory.h

@@ -16,6 +16,7 @@
 namespace net {
 struct CommonConnectJobParams;
 class HttpNetworkSession;
+class NetworkIsolationKey;
 class URLRequestContext;
 }  // namespace net
 
@@ -37,11 +38,20 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) ProxyResolvingClientSocketFactory {
   // doesn't need to explicitly sanitize the url, any sensitive data (like
   // embedded usernames and passwords), and local data (i.e. reference fragment)
   // will be sanitized by net::ProxyService::ResolveProxyHelper() before the url
-  // is disclosed to the proxy. If |use_tls|, TLS connect will be used in
-  // addition to TCP connect. The URLRequestContext's SSL configurations will be
-  // respected when establishing a TLS connection.
-  std::unique_ptr<ProxyResolvingClientSocket> CreateSocket(const GURL& url,
-                                                           bool use_tls);
+  // is disclosed to the proxy.
+  //
+  // |network_isolation_key| indicates the network shard to use for storing
+  // shared network state (DNS cache entries, shared H2/QUIC proxy connections,
+  // etc).  Proxy connections will only be shared with other
+  // ProxyResolvingClientSockets, not with standards HTTP/HTTPS requests.
+  //
+  // If |use_tls| is true, TLS connect will be used in addition to TCP connect.
+  // The URLRequestContext's SSL configurations will be respected when
+  // establishing a TLS connection.
+  std::unique_ptr<ProxyResolvingClientSocket> CreateSocket(
+      const GURL& url,
+      const net::NetworkIsolationKey& network_isolation_key,
+      bool use_tls);
 
   const net::HttpNetworkSession* network_session() const {
     return network_session_.get();

services/network/proxy_resolving_client_socket_unittest.cc

@@ -13,17 +13,21 @@
 #include "base/run_loop.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/task_environment.h"
 #include "base/threading/thread_task_runner_handle.h"
+#include "net/base/features.h"
 #include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/http/http_proxy_connect_job.h"
 #include "net/proxy_resolution/configured_proxy_resolution_service.h"
 #include "net/proxy_resolution/mock_proxy_resolver.h"
 #include "net/proxy_resolution/proxy_config_service_fixed.h"
 #include "net/proxy_resolution/proxy_config_with_annotation.h"
 #include "net/socket/client_socket_pool_manager.h"
 #include "net/socket/socket_test_util.h"
+#include "net/spdy/spdy_test_util_common.h"
 #include "net/test/gtest_util.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request_test_util.h"
@@ -44,7 +48,7 @@ class TestURLRequestContextWithProxy : public net::TestURLRequestContext {
         net::ConfiguredProxyResolutionService::CreateFixedFromPacResult(
             pac_result, TRAFFIC_ANNOTATION_FOR_TESTS));
     // net::MockHostResolver maps all hosts to localhost.
-    auto host_resolver = std::make_unique<net::MockHostResolver>();
+    auto host_resolver = std::make_unique<net::MockCachingHostResolver>();
     context_storage_.set_host_resolver(std::move(host_resolver));
     set_client_socket_factory(client_socket_factory);
     Init();
@@ -61,7 +65,14 @@ class ProxyResolvingClientSocketTest
   ProxyResolvingClientSocketTest()
       : context_with_proxy_("PROXY bad:99; PROXY maybe:80; DIRECT",
                             &mock_client_socket_factory_),
-        use_tls_(GetParam()) {}
+        use_tls_(GetParam()) {
+    feature_list_.InitWithFeatures(
+        // enabled_features
+        {net::features::kPartitionConnectionsByNetworkIsolationKey,
+         net::features::kSplitHostCacheByNetworkIsolationKey},
+        // disabled_features
+        {});
+  }
 
   ~ProxyResolvingClientSocketTest() override {}
 
@@ -72,6 +83,7 @@ class ProxyResolvingClientSocketTest
   }
 
   base::test::TaskEnvironment task_environment_;
+  base::test::ScopedFeatureList feature_list_;
   TestURLRequestContextWithProxy context_with_proxy_;
   net::MockClientSocketFactory mock_client_socket_factory_;
   const bool use_tls_;
@@ -81,6 +93,183 @@ INSTANTIATE_TEST_SUITE_P(All,
                          ProxyResolvingClientSocketTest,
                          ::testing::Bool());
 
+// Checks the correct NetworkIsolationKey is used for host resolution in the
+// case no proxy is in use.
+TEST_P(ProxyResolvingClientSocketTest, NetworkIsolationKeyDirect) {
+  // This deliberately uses a different origin than the one being connected to.
+  url::Origin kNetworkIsolationKeyOrigin =
+      url::Origin::Create(GURL("https://foopy.test"));
+  net::NetworkIsolationKey kNetworkIsolationKey(
+      kNetworkIsolationKeyOrigin /* top_frame_origin */,
+      kNetworkIsolationKeyOrigin /* frame_origin */);
+
+  TestURLRequestContextWithProxy url_request_context(
+      "DIRECT", &mock_client_socket_factory_);
+  const GURL kDestination("https://dest.test/");
+  net::StaticSocketDataProvider socket_data;
+  mock_client_socket_factory_.AddSocketDataProvider(&socket_data);
+  net::SSLSocketDataProvider ssl_data(net::ASYNC, net::OK);
+  mock_client_socket_factory_.AddSSLSocketDataProvider(&ssl_data);
+
+  ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
+      &url_request_context);
+  std::unique_ptr<ProxyResolvingClientSocket> socket =
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, kNetworkIsolationKey, use_tls_);
+  net::TestCompletionCallback callback;
+  int status = socket->Connect(callback.callback());
+  EXPECT_THAT(callback.GetResult(status), net::test::IsOk());
+
+  // Check that the URL in kDestination is in the HostCache, with
+  // kNetworkIsolationInfo.
+  const net::HostPortPair kDestinationHostPortPair =
+      net::HostPortPair::FromURL(kDestination);
+  net::HostResolver::ResolveHostParameters params;
+  params.source = net::HostResolverSource::LOCAL_ONLY;
+  std::unique_ptr<net::HostResolver::ResolveHostRequest> request1 =
+      url_request_context.host_resolver()->CreateRequest(
+          kDestinationHostPortPair, kNetworkIsolationKey,
+          net::NetLogWithSource(), params);
+  net::TestCompletionCallback callback2;
+  int result = request1->Start(callback2.callback());
+  EXPECT_EQ(net::OK, callback2.GetResult(result));
+
+  // Check that the hostname is not in the DNS cache for other possible NIKs.
+  const url::Origin kDestinationOrigin = url::Origin::Create(kDestination);
+  const net::NetworkIsolationKey kOtherNiks[] = {
+      net::NetworkIsolationKey(),
+      net::NetworkIsolationKey(kDestinationOrigin /* top_frame_origin */,
+                               kDestinationOrigin /* frame_origin */)};
+  for (const auto& other_nik : kOtherNiks) {
+    std::unique_ptr<net::HostResolver::ResolveHostRequest> request2 =
+        url_request_context.host_resolver()->CreateRequest(
+            kDestinationHostPortPair, other_nik, net::NetLogWithSource(),
+            params);
+    net::TestCompletionCallback callback3;
+    int result = request2->Start(callback3.callback());
+    EXPECT_EQ(net::ERR_NAME_NOT_RESOLVED, callback3.GetResult(result));
+  }
+}
+
+// Checks the correct NetworkIsolationKey is used for host resolution in the
+// case an H2 proxy is in use. In the non-H2 proxy case, the NetworkIsolationKey
+// makes little difference, but in the H2 case, it affects which requests use
+// the same session. Unlike other tests, this test creates a
+// ProxyResolvingClientSocket instead of using the factory class, because it
+// uses SpdySessionDependencies to create a NetworkSession configured to test
+// H2.
+TEST_P(ProxyResolvingClientSocketTest, NetworkIsolationKeyWithH2Proxy) {
+  // Don't bother running this test in the SSL case - it's complicated enough
+  // without it, and testing HTTPS on top of H2 provides minimal value, since
+  // SSL is mocked out anyways and there are other tests that cover it on top of
+  // HTTP/1.x tunnels.
+  if (GetParam() == true)
+    return;
+  net::SpdySessionDependencies session_deps;
+  session_deps.proxy_resolution_service =
+      net::ConfiguredProxyResolutionService::CreateFixedFromPacResult(
+          "HTTPS proxy.test:80", TRAFFIC_ANNOTATION_FOR_TESTS);
+  std::unique_ptr<net::HttpNetworkSession> http_network_session =
+      net::SpdySessionDependencies::SpdyCreateSession(&session_deps);
+
+  net::NetworkIsolationKey kNetworkIsolationKey1 =
+      net::NetworkIsolationKey::CreateTransient();
+  net::NetworkIsolationKey kNetworkIsolationKey2 =
+      net::NetworkIsolationKey::CreateTransient();
+
+  const GURL kDestination1("https://dest1.test/");
+  const GURL kDestination2("https://dest2.test/");
+  const GURL kDestination3("https://dest3.test/");
+
+  // A tunnel to kDestination1 and kDestination3 is requested using
+  // kNetworkIsolationKey1, so they should use the same H2 session, and a tunnel
+  // to kDestination2 is requested using kNetworkIsolationKey2, which should use
+  // a different session.
+  net::SpdyTestUtil spdy_util1;
+  spdy::SpdySerializedFrame connect_dest1(spdy_util1.ConstructSpdyConnect(
+      nullptr, 0, 1, net::HttpProxyConnectJob::kH2QuicTunnelPriority,
+      net::HostPortPair::FromURL(kDestination1)));
+  spdy::SpdySerializedFrame connect_dest1_resp(
+      spdy_util1.ConstructSpdyGetReply(nullptr, 0, 1));
+  spdy::SpdySerializedFrame connect_dest3(spdy_util1.ConstructSpdyConnect(
+      nullptr, 0, 3, net::HttpProxyConnectJob::kH2QuicTunnelPriority,
+      net::HostPortPair::FromURL(kDestination3)));
+  spdy::SpdySerializedFrame connect_dest3_resp(
+      spdy_util1.ConstructSpdyGetReply(nullptr, 0, 3));
+
+  net::MockWrite spdy_writes[] = {
+      net::CreateMockWrite(connect_dest1, 0),
+      net::CreateMockWrite(connect_dest3, 2),
+  };
+
+  net::MockRead spdy_reads[] = {
+      net::CreateMockRead(connect_dest1_resp, 1, net::ASYNC),
+      net::CreateMockRead(connect_dest3_resp, 3, net::ASYNC),
+      net::MockRead(net::SYNCHRONOUS, 0, 4),
+  };
+
+  net::SequencedSocketData socket_data(spdy_reads, spdy_writes);
+  session_deps.socket_factory->AddSocketDataProvider(&socket_data);
+  net::SSLSocketDataProvider ssl_data(net::ASYNC, net::OK);
+  ssl_data.next_proto = net::kProtoHTTP2;
+  session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data);
+
+  net::SpdyTestUtil spdy_util2;
+  spdy::SpdySerializedFrame connect_dest2(spdy_util2.ConstructSpdyConnect(
+      nullptr, 0, 1, net::HttpProxyConnectJob::kH2QuicTunnelPriority,
+      net::HostPortPair::FromURL(kDestination2)));
+  spdy::SpdySerializedFrame connect_dest2_resp(
+      spdy_util2.ConstructSpdyGetReply(nullptr, 0, 1));
+
+  net::MockWrite spdy_writes2[] = {
+      net::CreateMockWrite(connect_dest2, 0),
+  };
+
+  net::MockRead spdy_reads2[] = {
+      net::CreateMockRead(connect_dest2_resp, 1, net::ASYNC),
+      net::MockRead(net::SYNCHRONOUS, 0, 2),
+  };
+
+  net::SequencedSocketData socket_data2(spdy_reads2, spdy_writes2);
+  session_deps.socket_factory->AddSocketDataProvider(&socket_data2);
+  net::SSLSocketDataProvider ssl_data2(net::ASYNC, net::OK);
+  ssl_data2.next_proto = net::kProtoHTTP2;
+  session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data2);
+
+  // Connect to kDestination1 using kNetworkIsolationKey1. It should use a new
+  // H2 session.
+  net::CommonConnectJobParams common_connect_job_params =
+      http_network_session->CreateCommonConnectJobParams();
+  ProxyResolvingClientSocket socket1(
+      http_network_session.get(), &common_connect_job_params, kDestination1,
+      kNetworkIsolationKey1, false /* use_tls */);
+  net::TestCompletionCallback callback1;
+  int result = socket1.Connect(callback1.callback());
+  EXPECT_THAT(callback1.GetResult(result), net::test::IsOk());
+
+  // Connect to kDestination2 using kNetworkIsolationKey2. It should use a new
+  // H2 session.
+  ProxyResolvingClientSocket socket2(
+      http_network_session.get(), &common_connect_job_params, kDestination2,
+      kNetworkIsolationKey2, false /* use_tls */);
+  net::TestCompletionCallback callback2;
+  result = socket2.Connect(callback2.callback());
+  EXPECT_THAT(callback2.GetResult(result), net::test::IsOk());
+  EXPECT_TRUE(socket_data2.AllWriteDataConsumed());
+  EXPECT_TRUE(socket_data2.AllReadDataConsumed());
+
+  // Connect to kDestination3 using kNetworkIsolationKey1. It should reuse the
+  // first H2 session.
+  ProxyResolvingClientSocket socket3(
+      http_network_session.get(), &common_connect_job_params, kDestination3,
+      kNetworkIsolationKey1, false /* use_tls */);
+  net::TestCompletionCallback callback3;
+  result = socket3.Connect(callback3.callback());
+  EXPECT_THAT(callback3.GetResult(result), net::test::IsOk());
+  EXPECT_TRUE(socket_data.AllWriteDataConsumed());
+  EXPECT_TRUE(socket_data.AllReadDataConsumed());
+}
+
 // Tests that the global socket pool limit
 // (ClientSocketPoolManager::max_sockets_per_group) doesn't apply to this
 // type of sockets.
@@ -112,7 +301,8 @@ TEST_P(ProxyResolvingClientSocketTest, SocketLimitNotApply) {
   std::vector<std::unique_ptr<ProxyResolvingClientSocket>> sockets;
   for (int i = 0; i < kNumSockets; ++i) {
     std::unique_ptr<ProxyResolvingClientSocket> socket =
-        proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+        proxy_resolving_socket_factory.CreateSocket(
+            kDestination, net::NetworkIsolationKey(), use_tls_);
     net::TestCompletionCallback callback;
     int status = socket->Connect(callback.callback());
     EXPECT_THAT(callback.GetResult(status), net::test::IsOk());
@@ -153,7 +343,8 @@ TEST_P(ProxyResolvingClientSocketTest, ConnectError) {
     ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
         context.get());
     std::unique_ptr<ProxyResolvingClientSocket> socket =
-        proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+        proxy_resolving_socket_factory.CreateSocket(
+            kDestination, net::NetworkIsolationKey(), use_tls_);
     net::TestCompletionCallback callback;
     int status = socket->Connect(callback.callback());
     EXPECT_EQ(net::ERR_IO_PENDING, status);
@@ -203,7 +394,8 @@ TEST_P(ProxyResolvingClientSocketTest, ConnectToProxy) {
     ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
         context.get());
     std::unique_ptr<ProxyResolvingClientSocket> socket =
-        proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+        proxy_resolving_socket_factory.CreateSocket(
+            kDestination, net::NetworkIsolationKey(), use_tls_);
     net::TestCompletionCallback callback;
     int status = socket->Connect(callback.callback());
     EXPECT_EQ(net::ERR_IO_PENDING, status);
@@ -238,7 +430,8 @@ TEST_P(ProxyResolvingClientSocketTest, SocketDestroyedBeforeConnectComplete) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       context.get());
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_EQ(net::ERR_IO_PENDING, status);
@@ -305,7 +498,8 @@ TEST_P(ProxyResolvingClientSocketTest, ReadWriteErrors) {
     ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
         context.get());
     std::unique_ptr<ProxyResolvingClientSocket> socket =
-        proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+        proxy_resolving_socket_factory.CreateSocket(
+            kDestination, net::NetworkIsolationKey(), use_tls_);
     net::TestCompletionCallback callback;
     int status = socket->Connect(callback.callback());
     EXPECT_EQ(net::ERR_IO_PENDING, status);
@@ -369,7 +563,8 @@ TEST_P(ProxyResolvingClientSocketTest, ReportsBadProxies) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_EQ(net::ERR_IO_PENDING, status);
@@ -405,7 +600,8 @@ TEST_P(ProxyResolvingClientSocketTest, ResetSocketAfterTunnelAuth) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_THAT(callback.GetResult(status),
@@ -483,7 +679,8 @@ TEST_P(ProxyResolvingClientSocketTest, MultiroundAuth) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_THAT(callback.GetResult(status), net::test::IsOk());
@@ -540,7 +737,8 @@ TEST_P(ProxyResolvingClientSocketTest, ReusesHTTPAuthCache_Lookup) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_THAT(callback.GetResult(status), net::test::IsOk());
@@ -598,7 +796,8 @@ TEST_P(ProxyResolvingClientSocketTest, FactoryUsesLatestHTTPAuthCache) {
   mock_client_socket_factory_.AddSSLSocketDataProvider(&ssl_socket);
 
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_THAT(callback.GetResult(status), net::test::IsOk());
@@ -638,7 +837,8 @@ TEST_P(ProxyResolvingClientSocketTest, ReusesHTTPAuthCache_Preemptive) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
 
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
@@ -666,7 +866,8 @@ TEST_P(ProxyResolvingClientSocketTest, ReusesHTTPAuthCache_NoCredentials) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
 
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
@@ -698,7 +899,8 @@ TEST_P(ProxyResolvingClientSocketTest, URLSanitized) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       context.get());
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(url, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          url, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_EQ(net::ERR_IO_PENDING, status);
@@ -742,7 +944,8 @@ TEST_P(ProxyResolvingClientSocketTest,
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       context.get());
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(url, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          url, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   EXPECT_EQ(net::ERR_IO_PENDING, socket->Connect(callback.callback()));
   socket.reset();
@@ -776,7 +979,8 @@ TEST_P(ProxyResolvingClientSocketTest, NoSupportedProxies) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       context.get());
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   status = callback.GetResult(status);
@@ -868,7 +1072,8 @@ TEST_P(ReconsiderProxyAfterErrorTest, ReconsiderProxyAfterError) {
   ProxyResolvingClientSocketFactory proxy_resolving_socket_factory(
       &context_with_proxy_);
   std::unique_ptr<ProxyResolvingClientSocket> socket =
-      proxy_resolving_socket_factory.CreateSocket(kDestination, use_tls_);
+      proxy_resolving_socket_factory.CreateSocket(
+          kDestination, net::NetworkIsolationKey(), use_tls_);
   net::TestCompletionCallback callback;
   int status = socket->Connect(callback.callback());
   EXPECT_EQ(net::ERR_IO_PENDING, status);

services/network/proxy_resolving_socket_factory_mojo.cc

@@ -25,13 +25,14 @@ ProxyResolvingSocketFactoryMojo::~ProxyResolvingSocketFactoryMojo() {}
 
 void ProxyResolvingSocketFactoryMojo::CreateProxyResolvingSocket(
     const GURL& url,
+    const net::NetworkIsolationKey& network_isolation_key,
     mojom::ProxyResolvingSocketOptionsPtr options,
     const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
     mojo::PendingReceiver<mojom::ProxyResolvingSocket> receiver,
     mojo::PendingRemote<mojom::SocketObserver> observer,
     CreateProxyResolvingSocketCallback callback) {
-  std::unique_ptr<net::StreamSocket> net_socket =
-      factory_impl_.CreateSocket(url, options && options->use_tls);
+  std::unique_ptr<net::StreamSocket> net_socket = factory_impl_.CreateSocket(
+      url, network_isolation_key, options && options->use_tls);
   if (options && options->fake_tls_handshake) {
     DCHECK(!options->use_tls);
     net_socket = std::make_unique<jingle_glue::FakeSSLClientSocket>(

services/network/proxy_resolving_socket_factory_mojo.h

@@ -19,6 +19,7 @@
 #include "services/network/tls_socket_factory.h"
 
 namespace net {
+class NetworkIsolationKey;
 class URLRequestContext;
 }  // namespace net
 
@@ -33,6 +34,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) ProxyResolvingSocketFactoryMojo
   // mojom::ProxyResolvingSocketFactory implementation.
   void CreateProxyResolvingSocket(
       const GURL& url,
+      const net::NetworkIsolationKey& network_isolation_key,
       mojom::ProxyResolvingSocketOptionsPtr options,
       const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
       mojo::PendingReceiver<mojom::ProxyResolvingSocket> receiver,

services/network/proxy_resolving_socket_mojo_unittest.cc

@@ -18,6 +18,7 @@
 #include "mojo/public/cpp/bindings/remote.h"
 #include "mojo/public/cpp/system/data_pipe_utils.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/proxy_resolution/configured_proxy_resolution_service.h"
@@ -122,7 +123,7 @@ class ProxyResolvingSocketTestBase {
     options->use_tls = use_tls_;
     options->fake_tls_handshake = fake_tls_handshake_;
     factory_remote_->CreateProxyResolvingSocket(
-        url, std::move(options),
+        url, net::NetworkIsolationKey(), std::move(options),
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
         std::move(receiver), std::move(socket_observer),
         base::BindLambdaForTesting(
@@ -401,7 +402,7 @@ TEST_F(ProxyResolvingSocketMojoTest, SocketDestroyedBeforeConnectCompletes) {
   base::RunLoop run_loop;
   int net_error = net::OK;
   factory()->CreateProxyResolvingSocket(
-      kDestination, nullptr,
+      kDestination, net::NetworkIsolationKey(), nullptr,
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
       socket.InitWithNewPipeAndPassReceiver(),
       mojo::NullRemote() /* observer */,

services/network/public/mojom/proxy_resolving_socket.mojom

@@ -6,6 +6,7 @@ module network.mojom;
 
 import "services/network/public/mojom/ip_endpoint.mojom";
 import "services/network/public/mojom/mutable_network_traffic_annotation_tag.mojom";
+import "services/network/public/mojom/network_isolation_key.mojom";
 import "services/network/public/mojom/network_param.mojom";
 import "services/network/public/mojom/ssl_config.mojom";
 import "services/network/public/mojom/tcp_socket.mojom";
@@ -52,19 +53,25 @@ struct ProxyResolvingSocketOptions {
 // factory instance.
 interface ProxyResolvingSocketFactory {
   // Creates a socket connected to |url|. This connection might be done through
-  // proxies if any is set in system's proxy settings. On success, |result| is
-  // net::OK. Caller is to use |send_stream| to send data and
-  // |receive_stream| to receive data over the connection. On failure, |result|
-  // is a network error code. |local_addr| contains the local address of the
-  // socket. |peer_addr| contains the peer address. If socket is connected to a
-  // proxy, |peer_addr| will be null.
+  // proxies if any is set in system's proxy settings.
+  //
+  // |network_isolation_key| indicates the network storage shard to use for
+  // shared resources, such as the DNS cache and shared proxy connections.
+  //
+  // On success, |result| is net::OK. Caller is to use |send_stream| to send
+  // data and |receive_stream| to receive data over the connection. On failure,
+  // |result| is a network error code. |local_addr| contains the local address
+  // of the socket. |peer_addr| contains the peer address. If socket is
+  // connected to a proxy, |peer_addr| will be null.
   //
   // If socket is closed before the callback can be completed, the callback will
   // be invoked with net::ERR_ABORTED.
   //
   // Any sockets that are created but are yet to be destroyed will be destroyed
   // when the implementation of this factory goes away.
-  CreateProxyResolvingSocket(url.mojom.Url url,
+  CreateProxyResolvingSocket(
+      url.mojom.Url url,
+      NetworkIsolationKey network_isolation_key,
       ProxyResolvingSocketOptions? options,
       MutableNetworkTrafficAnnotationTag traffic_annotation,
       pending_receiver<ProxyResolvingSocket> socket,

services/network/tls_client_socket_unittest.cc

@@ -19,6 +19,7 @@
 #include "mojo/public/cpp/bindings/remote.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/proxy_resolution/configured_proxy_resolution_service.h"
 #include "net/socket/server_socket.h"
@@ -175,7 +176,7 @@ class TLSClientSocketTestBase {
     base::RunLoop run_loop;
     int net_error = net::ERR_FAILED;
     proxy_resolving_factory_->CreateProxyResolvingSocket(
-        url, nullptr /* options */,
+        url, net::NetworkIsolationKey(), nullptr /* options */,
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
         std::move(receiver), mojo::NullRemote() /* observer */,
         base::BindLambdaForTesting(