[Trusted Types] Implement metrics for Trusted Types

Complement the existing use counters for Trusted Types.
We need to record:
- whether a page has enabled trusted types, in enforcing or report-only mode,
- whether a page has accessed the Trusted Type Policy Factory, and
- whether (at least one) trusted type check has failed.

Bug: 1042731
Change-Id: I567776acb5df17a1dabe7d605c37dd96c6754608
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2035970
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#738905}

docs/security/web-mitigation-metrics.md

@@ -65,3 +65,24 @@ but also avoids relying upon `'strict-dynamic'`, via
 [base-uri]: https://w3c.github.io/webappsec-csp/#directive-base-uri
 [script-src]: https://w3c.github.io/webappsec-csp/#directive-script-src
 [csp-is-dead]: https://research.google/pubs/pub45542/
+
+## Trusted Types
+
+[Trusted Types][tt] gives page authors a means to protect their sites against
+cross-site scripting attacks. In order to understand real-world Trusted Types
+usage we obtain the following usage counts:
+
+* General use:`kTrustedTypesEnabled`, `kTrustedTypesEnabledEnforcing`, and
+  `kTrustedTypesEnabledReportOnly`. The first tells us (relative to all page
+  loads) how many pages have any form of Trusted Types enabled, while the other
+  two allow us to determine which percentage of pages run in enforcing or
+  report-only mode (or both).
+
+* Tracking specific features: `kTrustedTypesDefaultPolicyUsed` notes whether a
+  "default" policy has been used. `kTrustedTyoesAllowDuplicates` records
+  whether an 'allow-duplicates' keyword has been used.
+
+* Error tracking: `kTrustedTypesAssignmentError` tracks whether Trusted Types
+  has blocked a string assignment.
+
+[tt]: https://github.com/w3c/webappsec-trusted-types/

third_party/blink/public/mojom/web_feature/web_feature.mojom

@@ -2532,6 +2532,9 @@ enum WebFeature {
   // allowed. See https://crbug.com/937131.
   kFeaturePolicyProposalWouldChangeBehaviour = 3158,
   kRTCLocalSdpModificationSimulcast = 3159,
+  kTrustedTypesEnabledEnforcing = 3160,
+  kTrustedTypesEnabledReportOnly = 3161,
+  kTrustedTypesAllowDuplicates = 3162,
 
   // Add new features immediately above this line. Don't change assigned
   // numbers of any item, and don't reuse removed slots.

third_party/blink/renderer/core/frame/csp/content_security_policy.cc

@@ -202,8 +202,10 @@ void ContentSecurityPolicy::ApplyPolicySideEffectsToDelegate() {
     delegate_->SetSandboxFlags(sandbox_mask_);
   }
 
-  if (require_trusted_types_)
+  if (require_trusted_types_) {
     delegate_->SetRequireTrustedTypes();
+    Count(WebFeature::kTrustedTypesEnabled);
+  }
 
   delegate_->AddInsecureRequestPolicy(insecure_request_policy_);
 
@@ -262,6 +264,13 @@ void ContentSecurityPolicy::ApplyPolicySideEffectsToDelegate() {
                   : WebFeature::kCSPROWithBetterThanReasonableRestrictions);
       }
     }
+    if (policy->RequiresTrustedTypes()) {
+      Count(policy->IsReportOnly() ? WebFeature::kTrustedTypesEnabledReportOnly
+                                   : WebFeature::kTrustedTypesEnabledEnforcing);
+    }
+    if (policy->TrustedTypesAllowDuplicates()) {
+      Count(WebFeature::kTrustedTypesAllowDuplicates);
+    }
   }
 
   // We disable 'eval()' even in the case of report-only policies, and rely on

third_party/blink/renderer/core/frame/csp/csp_directive_list.h

@@ -181,6 +181,13 @@ class CORE_EXPORT CSPDirectiveList final
   // this judgement.
   bool IsScriptRestrictionReasonable() const;
 
+  bool RequiresTrustedTypes() const {
+    return require_trusted_types_for_ && require_trusted_types_for_->require();
+  }
+  bool TrustedTypesAllowDuplicates() const {
+    return trusted_types_ && trusted_types_->IsAllowDuplicates();
+  }
+
   void Trace(blink::Visitor*);
 
  private:

third_party/blink/renderer/core/frame/csp/string_list_directive.h

@@ -20,6 +20,7 @@ class CORE_EXPORT StringListDirective final : public CSPDirective {
                       ContentSecurityPolicy*);
   void Trace(blink::Visitor*) override;
   bool Allows(const String& string_piece, bool is_duplicate);
+  bool IsAllowDuplicates() const { return allow_duplicates_; }
 
  private:
   // Determine whether a given string is a valid policy name or a special token

third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.cc

@@ -73,7 +73,6 @@ TrustedTypePolicyFactory::TrustedTypePolicyFactory(ExecutionContext* context)
     : ContextClient(context),
       empty_html_(MakeGarbageCollected<TrustedHTML>("")),
       empty_script_(MakeGarbageCollected<TrustedScript>("")) {
-  UseCounter::Count(context, WebFeature::kTrustedTypesEnabled);
 }
 
 Vector<String> TrustedTypePolicyFactory::getPolicyNames() const {

tools/metrics/histograms/enums.xml

@@ -26420,6 +26420,9 @@ to ensure that the crash string is shown properly on the user-facing crash UI.
   <int value="3157" label="CSSComparisonFunctions"/>
   <int value="3158" label="FeaturePolicyProposalWouldChangeBehaviour"/>
   <int value="3159" label="RTCLocalSdpModificationSimulcast"/>
+  <int value="3160" label="TrustedTypesEnabledEnforcing"/>
+  <int value="3161" label="TrustedTypesEnabledReportOnly"/>
+  <int value="3162" label="TrustedTypesAllowDuplicates"/>
 </enum>
 
 <enum name="FeaturePolicyAllowlistType">