Commit Graph

14 Commits

Author SHA1 Message Date
Takashi Toyoshima
a35e5fc64f LinkPreview: Implement the capability control
This patch implements the capability control for the preview mode.
We prepare a variant policy set for the preview mode so that we can
adjust the rule for a visible page.

Also, we pass a different cancel closure as we don't need to cancel
a prerendering, but just need to navigate to an error page that shows
an explanation of why the page cannot be shown in the preview mode.

The error page handling and disabling the control on tab promotions
are not implemented yet in this CL.

Bug: b/299240273
Change-Id: I705de780a83fe975b85c0ab567565342b7467da2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4941187
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Ken Okada <kenoss@chromium.org>
Reviewed-by: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Lingqi Chi <lingqi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1212566}
2023-10-20 04:00:34 +00:00
Avi Drissman
adac219925 Update header includes for /base/functional in /content
bind.h, callback.h, callback_forward.h, and callback_helpers.h
moved into /base/functional/. Update the include paths to
directly include them in their new location.

Bug: 1364441
Change-Id: I32ec425b9c0e52ec4b50047bf3290fecc5c905ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4148554
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Auto-Submit: Avi Drissman <avi@chromium.org>
Owners-Override: Avi Drissman <avi@chromium.org>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1091567}
2023-01-11 23:46:39 +00:00
Lingqi Chi
0611a4c1cb Prerender: Grant interfaces that can make sync IPCs during
activation

Prerender has to perform two-stage Mojo capability control to ensure
the status on the browser process and renderer processes is in sync.
For the second stage, prerender allows interfaces that can make sync
IPCs whose policies should be kCancel/kGrant to make IPCs.
However, some interfaces are treated in a different way: We defer the
binding requests on the renderer side, and resume them upon renderer
activation, so we can mark them kDefer. For these interfaces, they
should be treated as kGrant interfaces during the second stage.

So this CL fixes this issue which causes renderer hangs.

It is unfortunate that we have to add some hardcoded rules for these
interfaces. This CL leaves some TODOs that require
I533dd0f0438d493ad8a7a74479526827bf93e1d9 to land first.

Bug: 1385623
Change-Id: I180c6f8b0cc37c4157346cc5a556cc07f8c2b1f5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4082358
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Reviewed-by: Bo Liu <boliu@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1083506}
2022-12-15 01:59:17 +00:00
Ali Hijazi
d87307de3e Rewrite T& into raw_ref<T> under content/
The changes were generated by running
tools/clang/rewrite_raw_ref_fields/rewrite-multiple-platforms.sh with
tool-arg=--enable_raw_ref_rewrite

`raw_ref` is a smart pointer for a pointer which cannot be null, and
which provides Use-after-Free protection in the same ways as raw_ptr.
This class acts like a combination of std::reference_wrapper and
raw_ptr.

See raw_ptr and //base/memory/raw_ptr.md for more details on the
Use-after-Free protection.

Bug: 1357022
Change-Id: I14c1f8d4d890715fb9b9f0526ace78ecc625c08a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3999748
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Ali Hijazi <ahijazi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1068278}
2022-11-07 20:15:03 +00:00
Avi Drissman
4e1b7bc33d Update copyright headers in content/
The methodology used to generate this CL is documented in
https://crbug.com/1098010#c34.

No-Try: true
No-Presubmit: true
Bug: 1098010
Change-Id: I8c0f009d16350271f07d8e5e561085822cc9dd27
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3895935
Owners-Override: Avi Drissman <avi@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Mark Mentovai <mark@chromium.org>
Auto-Submit: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1047456}
2022-09-15 14:03:50 +00:00
Sreeja Kamishetty
9d399667c7 Prerender: Update //content/browser/prerender references
In crrev.com/c/3740335 we have moved //content/browser/prerender
directory to //content/browser/preloading. In this CL we update the
leftover comments and references with the new naming.

BUG=1337129

Change-Id: Ic787ce0930ec6d6d2bfbcacca667b4fcc375f75c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3756794
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Colin Blundell <blundell@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Sreeja Kamishetty <sreejakshetty@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1024390}
2022-07-14 20:07:51 +00:00
Lingqi Chi
2e03d9d6a7 Prerender: Perform capability control on associated interfaces.
This CL generalizes Mojo capability control to associated interfaces.

Before this CL, all of the associated interfaces are granted except
mojom::PepperHost.

After this CL, Prerender2 cancels prerendering when a received
binding request is not allowed to bind during prerendering. The
allowlists are defined in
chrome/browser/chrome_content_browser_client_binder_policies.cc
(for //chrome) and content/browser/mojo_binder_policy_map_impl.cc
(for //content).

Design (chromium@):
https://docs.google.com/document/d/1LPLURqzJW1EuhTAuD3igf1HlP4YaaiF3JNpvTdSZ3LE/edit#heading=h.xfm7goxm51fp

Bug: 1259007
Change-Id: I20ab235d7c2d6fa37aba1b686a064b6ffad36088
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3218175
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Alexander Timin <altimin@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/main@{#939240}
2021-11-08 05:45:41 +00:00
Lingqi Chi
fc4b7d9cd0 Prerender: Record Cancelled Interfaces
This CL includes the following changes.
- Updates the final state of PrerenderHost when MojoBinderPolicyApplier
cancels prerendering.
- Records the interface that causes the cancellation and reports it to
UMA.

Bug: 1132752, 1126305
Change-Id: Ibc156d588424917c2a8f05478e386b272c6cffe8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2796850
Reviewed-by: Steven Holte <holte@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#870322}
2021-04-08 01:41:22 +00:00
Lingqi Chi
0ca6ac5a38 Prerender: Add kPrepareToGrantAll Mode to MojoBinderPolicyApplier
This CL allows Prerender2 to partially loosen its binding policies by
switching MojoBinderPolicyApplier(MBPA) into the kPrepareToGrantAll
mode.

The Prerender activation flow requires Mojo capability control to
loosen kCancel and kUnexpected policies before Blink dispatches the
`prerenderingchange` event.
(https://docs.google.com/document/d/1_l1LDUALf8PbZIz5y_UYNGZmYCMKNpePDLBHn-gTsTM/)

Mojo capability control controls when and whether to bind an interface
with MBPA. Before this CL, MBPA only runs in two modes: one applies
pre-set policies strictly, and will cancel the current prerender if it
receives a kCancel/kUnexpected interface; the other ignores these
policies and runs all binders immediately.

To meet the new requirement, this CL introduces a new
mode, kPrepareToGrantAll. When running in this mode, MBPA only defers
non-kGrant binding requests but does not cancel prerendering.

Bug: 1132752
Change-Id: Ie93eb7aba458f3e687649d6c3859feb44ccdfe20
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2726016
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#863697}
2021-03-17 10:39:55 +00:00
Lingqi Chi
242d891e46 Prerender: Set MojoBinderPolicyApplier in the constructor of
RenderFrameHostImpl

After https://chromium-review.googlesource.com/c/chromium/src/+/2689551,
RenderFrameHostImpl(RFHI) can access the correct prerendering state in
its constructor. So RFHI can decide whether to enable Mojo capability
control here according to the prerendering state.
This CL sets MojoBinderPolicyApplier in RFHI::ctor. It brings the
following benefits:
1. In prerendering pages, we can ensure that
BrowserInterfaceBrokerImpl(BIB) receives interface binders after
RFHI sets MojoBinderPolicyApplier, i.e., Mojo capability control is
enabled before BIB receives the first binding request.
2. It unifies the logic of setting MojoBinderPolicyApplier; RFHI sets it
in three different methods before this CL.
3. It guarantees every RenderFrameHostImpl in the prerendering frame
tree enables Mojo capability control. Before this CL, activating the
prerendering page could happen before RFHI::CommitNavigation(), which
fails `CHECK(policy_applier_);` in ReleaseMojoBinderPolicies().

Bug: 1132752, 1160611
Change-Id: Ie1bb0366fc01d3018ad7e6b52cff31152d000f78
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2738156
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#861494}
2021-03-10 09:45:49 +00:00
Lingqi Chi
cd5239ed9e Prerender: rename *ForPrerendering to *ForSameOriginPrerendering
Same-origin prerendering and cross-origin prerendering should have
different Mojo binder policies to protect users' privacy.
Prerender2 plans to support only same-origin prerendering in the early
stage, so now all policies set for prerendering are for same-origin
prerendering.

This CL renames all policy-related *ForPrerendering functions to
*ForSameOriginPrerendering to make the intention clearer.

Bug: 1145976
Change-Id: Iad714876af22a29441071fcbbc62e0ae70bfa7bf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2726024
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#859301}
2021-03-03 09:15:33 +00:00
Lingqi Chi
ee8814f71f Prerender: Enable Mojo Capability Control in Prerendering Frames
Prerender2 wants to defer running some interface binders so as to
control the capability of renderer processes in prerendering pages.
This CL creates MojoBinderPolicyApplier and adds it to
BrowserInterfaceBrokerImpl of prerendering frames to make it.

Bug: 1132752
Change-Id: I0777620c68eb0435611ab96e27bc3e56c4936029
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2629067
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#845087}
2021-01-20 07:35:07 +00:00
Lingqi Chi
775e6075d2 Prerender: Add content API MojoBinderPolicyMap
This is part of work to control the Mojo interfaces available to
prerendered pages. See the design doc [1] for more details.

In addition to content/, embedders define their own Mojo interfaces,
so they need to add their binding policies.
This CL adds a new content API named MojoBinderPolicyMap that allows
embedders to register policies for embedder-specific interfaces by
overriding the ContentBrowserClient::RegisterMojoBinderPolicyMap method.

[1] https://docs.google.com/document/d/1E3Ma8HQFmxx8OvWVrjqpLziYIRbTRgLat4cM-nyKB6w/edit?usp=sharing

Bug: 1132752
Change-Id: Ie47a9fc2517fd3cda8438e9c61a5fa6854a8f36d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2507230
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#836539}
2020-12-14 06:31:16 +00:00
Lingqi Chi
fa0dda127b Prerender: Equip BrowserInterfaceBroker with MojoBinderPolicyApplier
Some new features, such as prerendering, need to defer some binding
interface requests or stop the renderer when an unexpected mojo pipe is
requested to set up.
This CL introduces MojoBinderPolicyApplier that manages binding requests
and integrates it with BrowserInterfaceBroker.

Regarding the MojoBinderPolicyApplier, it should be initialized with a
predefined policy map. It decides the actions the applier takes when
handling incoming requests. Based on the predefined policies and the
current state, a MojoBinderPolicyApplier instance may take the following
actions:
1. Bind the given interface immediately. (kGrant or
`ResolveDeferredBinders` has been invoked)
2. Delay binding the interface until `ResolveDeferredBinders` is called.
(kDefer)
3. Call the cancelling closure. (kCancel)
4. Stop the renderer and collect some metrics for analysis. (kUnexpected)

Bug: 1132752
Change-Id: Ifdc2f0b27d2f4613274fe5c6e44ddb056a199509
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2513960
Commit-Queue: Lingqi Chi <lingqi@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#828609}
2020-11-18 05:32:45 +00:00