[Private Network Access] Add new CORS error for permission prompt

Bug: 1338439
Change-Id: Ia00ac9930bd66790ece1e26f85bdb0fdbb13375e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4614471
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Auto-Submit: Yifan Luo <lyf@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Yifan Luo <lyf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1160853}

content/browser/devtools/protocol/network_handler.cc

@@ -2364,6 +2364,22 @@ String BuildCorsError(network::mojom::CorsError cors_error) {
 
     case network::mojom::CorsError::kUnexpectedPrivateNetworkAccess:
       return protocol::Network::CorsErrorEnum::UnexpectedPrivateNetworkAccess;
+
+    case network::mojom::CorsError::kPreflightMissingPrivateNetworkAccessId:
+      return protocol::Network::CorsErrorEnum::
+          PreflightMissingPrivateNetworkAccessId;
+
+    case network::mojom::CorsError::kPreflightMissingPrivateNetworkAccessName:
+      return protocol::Network::CorsErrorEnum::
+          PreflightMissingPrivateNetworkAccessName;
+
+    case network::mojom::CorsError::kPrivateNetworkAccessPermissionUnavailable:
+      return protocol::Network::CorsErrorEnum::
+          PrivateNetworkAccessPermissionUnavailable;
+
+    case network::mojom::CorsError::kPrivateNetworkAccessPermissionDenied:
+      return protocol::Network::CorsErrorEnum::
+          PrivateNetworkAccessPermissionDenied;
   }
 }
 }  // namespace

services/network/cors/preflight_controller.cc

@@ -544,15 +544,36 @@ class PreflightController::PreflightLoader final {
         GetHeaderString(head.headers, header_names::kPrivateNetworkDeviceId);
     absl::optional<std::string> name =
         GetHeaderString(head.headers, header_names::kPrivateNetworkDeviceName);
-    if (!url_loader_network_service_observer_ || !id.has_value() ||
-        !name.has_value() ||
+
+    // TODO(https://crbug.com/1455395): `target_ip_address_space` should be
+    // checked in `CorsURLLoaderFactory`. Remove the following bit after that.
+    if (!url_loader_network_service_observer_ ||
         original_request_.target_ip_address_space ==
             mojom::IPAddressSpace::kUnknown ||
         original_request_.target_ip_address_space ==
             mojom::IPAddressSpace::kPublic) {
       FinishHandleResponseHeader(
           net::ERR_FAILED,
-          CorsErrorStatus(mojom::CorsError::kInsecurePrivateNetwork),
+          CorsErrorStatus(
+              mojom::CorsError::kPrivateNetworkAccessPermissionUnavailable),
+          std::move(result));
+      return;
+    }
+
+    if (!id.has_value()) {
+      FinishHandleResponseHeader(
+          net::ERR_FAILED,
+          CorsErrorStatus(
+              mojom::CorsError::kPreflightMissingPrivateNetworkAccessId),
+          std::move(result));
+      return;
+    }
+
+    if (!name.has_value()) {
+      FinishHandleResponseHeader(
+          net::ERR_FAILED,
+          CorsErrorStatus(
+              mojom::CorsError::kPreflightMissingPrivateNetworkAccessName),
           std::move(result));
       return;
     }
@@ -579,8 +600,8 @@ class PreflightController::PreflightLoader final {
       bool permission_granted) {
     if (!permission_granted) {
       net_error = net::ERR_FAILED;
-      detected_error_status =
-          CorsErrorStatus(mojom::CorsError::kInsecurePrivateNetwork);
+      detected_error_status = CorsErrorStatus(
+          mojom::CorsError::kPrivateNetworkAccessPermissionDenied);
     }
     FinishHandleResponseHeader(std::move(net_error),
                                std::move(detected_error_status),

services/network/public/mojom/cors.mojom

@@ -124,6 +124,33 @@ enum CorsError {
   // a private network request.
   // See: https://wicg.github.io/private-network-access/#request-target-ip-address-space
   kUnexpectedPrivateNetworkAccess,
+
+  // Could not request permission to access the private network from the user,
+  // because the Private-Network-Access-Id header was missing from the preflight
+  // response.
+  // See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+  // TODO(https://crbug.com/1455153): link to the spec.
+  kPreflightMissingPrivateNetworkAccessId,
+
+  // Could not request permission to access the private network from the user,
+  // because the Private-Network-Access-Name header was missing from the
+  // preflight response.
+  // See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+  // TODO(https://crbug.com/1455153): link to the spec.
+  kPreflightMissingPrivateNetworkAccessName,
+
+  // Could not request permission to access the private network from the user.
+  // See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+  // TODO(https://crbug.com/1455153): link to the spec.
+  kPrivateNetworkAccessPermissionUnavailable,
+
+  // User did not grant permission to access the private network.
+  //
+  // Permission is only required for requests that bypass mixed content
+  // using the `targetAddressSpace` fetch option.
+  // See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+  // TODO(https://crbug.com/1455153): link to the spec.
+  kPrivateNetworkAccessPermissionDenied,
 };
 
 // Contains additional details about a CORS-related error.

third_party/blink/public/devtools_protocol/browser_protocol.pdl

@@ -5368,6 +5368,21 @@ domain Network
       # address space.
       UnexpectedPrivateNetworkAccess
       NoCorsRedirectModeNotFollow
+      # Request was a private network request and needed user permission yet did
+      # not carry `Private-Network-Access-Id` in the preflight response.
+      # https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+      PreflightMissingPrivateNetworkAccessId
+      # Request was a private network request and needed user permission yet did
+      # not carry `Private-Network-Access-Name` in the preflight response.
+      # https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+      PreflightMissingPrivateNetworkAccessName
+      # Request was a private network request and needed user permission yet not
+      # able to request for permission.
+      # https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+      PrivateNetworkAccessPermissionUnavailable
+      # Request was a private network request and is denied by user permission.
+      # https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
+      PrivateNetworkAccessPermissionDenied
 
   type CorsErrorStatus extends object
     properties

third_party/blink/renderer/core/inspector/inspector_network_agent.cc

@@ -537,6 +537,22 @@ String BuildCorsError(network::mojom::CorsError cors_error) {
 
     case network::mojom::CorsError::kUnexpectedPrivateNetworkAccess:
       return protocol::Network::CorsErrorEnum::UnexpectedPrivateNetworkAccess;
+
+    case network::mojom::CorsError::kPreflightMissingPrivateNetworkAccessId:
+      return protocol::Network::CorsErrorEnum::
+          PreflightMissingPrivateNetworkAccessId;
+
+    case network::mojom::CorsError::kPreflightMissingPrivateNetworkAccessName:
+      return protocol::Network::CorsErrorEnum::
+          PreflightMissingPrivateNetworkAccessName;
+
+    case network::mojom::CorsError::kPrivateNetworkAccessPermissionUnavailable:
+      return protocol::Network::CorsErrorEnum::
+          PrivateNetworkAccessPermissionUnavailable;
+
+    case network::mojom::CorsError::kPrivateNetworkAccessPermissionDenied:
+      return protocol::Network::CorsErrorEnum::
+          PrivateNetworkAccessPermissionDenied;
   }
 }
 

third_party/blink/renderer/platform/loader/cors/cors_error_string.cc

@@ -238,6 +238,32 @@ String GetErrorString(const network::CorsErrorStatus& status,
       Append(builder, {"Request had no target IP address space, yet the "
                        "resource is in address space `",
                        ShortAddressSpace(status.resource_address_space), "`."});
+      break;
+    case CorsError::kPreflightMissingPrivateNetworkAccessId:
+      Append(
+          builder,
+          {"No 'Private-Network-Access-Id' header was present in the "
+           "preflight response for this private network request targeting "
+           "the `",
+           ShortAddressSpace(status.target_address_space), "` address space."});
+      break;
+    case CorsError::kPreflightMissingPrivateNetworkAccessName:
+      Append(
+          builder,
+          {"No 'Private-Network-Access-Name' header was present in the "
+           "preflight response for this private network request targeting "
+           "the `",
+           ShortAddressSpace(status.target_address_space), "` address space."});
+      break;
+    case CorsError::kPrivateNetworkAccessPermissionUnavailable:
+      Append(builder, {"Unable to ask for permission to access the `",
+                       ShortAddressSpace(status.target_address_space),
+                       "` IP address space."});
+      break;
+    case CorsError::kPrivateNetworkAccessPermissionDenied:
+      Append(builder, {"Permission was denied for this request to access the `",
+                       ShortAddressSpace(status.target_address_space),
+                       "` address space."});
   }
   return builder.ToString();
 }

tools/metrics/histograms/enums.xml

@@ -20539,6 +20539,10 @@ Called by update_net_error_codes.py.-->
   <int value="24" label="kInsecurePrivateNetwork"/>
   <int value="25" label="kInvalidPrivateNetworkAccess"/>
   <int value="26" label="kUnexpectedPrivateNetworkAccess"/>
+  <int value="27" label="kPreflightMissingPrivateNetworkAccessId"/>
+  <int value="28" label="kPreflightMissingPrivateNetworkAccessName"/>
+  <int value="29" label="kPrivateNetworkAccessPermissionUnavailable"/>
+  <int value="30" label="kPrivateNetworkAccessPermissionDenied"/>
 </enum>
 
 <enum name="CorsAccessCheckResult">