// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/mojo_binder_policy_map_impl.h"
#include <string_view>
#include "base/feature_list.h"
#include "base/no_destructor.h"
#include "base/not_fatal_until.h"
#include "content/common/dom_automation_controller.mojom.h"
#include "content/common/frame.mojom.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/mojo_binder_policy_map.h"
#include "content/public/common/content_client.h"
#include "device/gamepad/public/mojom/gamepad.mojom.h"
#include "media/mojo/mojom/media_player.mojom.h"
#include "media/mojo/mojom/webrtc_video_perf.mojom.h"
#include "services/network/public/mojom/restricted_cookie_manager.mojom.h"
#include "third_party/blink/public/mojom/blob/blob_url_store.mojom.h"
#include "third_party/blink/public/mojom/broadcastchannel/broadcast_channel.mojom.h"
#include "third_party/blink/public/mojom/cache_storage/cache_storage.mojom.h"
#include "third_party/blink/public/mojom/clipboard/clipboard.mojom.h"
#include "third_party/blink/public/mojom/file/file_utilities.mojom.h"
#include "third_party/blink/public/mojom/frame/back_forward_cache_controller.mojom.h"
#include "third_party/blink/public/mojom/frame/frame.mojom.h"
#include "third_party/blink/public/mojom/indexeddb/indexeddb.mojom.h"
#include "third_party/blink/public/mojom/loader/fetch_later.mojom.h"
#if BUILDFLAG(IS_MAC)
#include "third_party/blink/public/mojom/input/text_input_host.mojom.h"
#endif
#include "third_party/blink/public/mojom/loader/code_cache.mojom.h"
#include "third_party/blink/public/mojom/manifest/manifest_observer.mojom.h"
#include "third_party/blink/public/mojom/media/renderer_audio_output_stream_factory.mojom.h"
#include "third_party/blink/public/mojom/notifications/notification_service.mojom.h"
#include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
namespace content {
#if BUILDFLAG(IS_MAC)
// Put crbug.com/115920 fix under flag, so we can measure its CWV impact.
BASE_FEATURE(kTextInputHostMojoCapabilityControlWorkaround,
"TextInputHostMojoCapabilityControlWorkaround",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif
namespace {
enum class PolicyClass {
kSameOriginPrerendering,
kPreview,
};
// Register feature specific policies for interfaces registered in
// `internal::PopulateBinderMap` and `internal::PopulateBinderMapWithContext`.
void RegisterNonAssociatedPolicies(MojoBinderPolicyMap& map,
PolicyClass policy) {
// For Prerendering, kCancel is usually used for those interfaces that cannot
// be granted because they can cause undesirable side-effects (e.g., playing
// audio, showing notification) and are non-deferrable.
// Please update `PrerenderCancelledInterface` and
// `GetCancelledInterfaceType()` in
// content/browser/preloading/prerender/prerender_metrics.h once you add a new
// kCancel interface.
map.SetNonAssociatedPolicy<device::mojom::GamepadHapticsManager>(
MojoBinderNonAssociatedPolicy::kCancel);
map.SetNonAssociatedPolicy<device::mojom::GamepadMonitor>(
MojoBinderNonAssociatedPolicy::kCancel);
if (policy == PolicyClass::kSameOriginPrerendering) {
// ClipboardHost has sync messages, so it cannot be kDefer. However, the
// renderer is not expected to request the interface; prerendering documents
// do not have system focus nor user activation, which is required before
// sending the request.
map.SetNonAssociatedPolicy<blink::mojom::ClipboardHost>(
MojoBinderNonAssociatedPolicy::kUnexpected);
}
// FileUtilitiesHost is only used by APIs that require user activations, being
// impossible for a prerendered document. For the reason, this is marked as
// kUnexpected.
map.SetNonAssociatedPolicy<blink::mojom::FileUtilitiesHost>(
MojoBinderNonAssociatedPolicy::kUnexpected);
map.SetNonAssociatedPolicy<blink::mojom::CacheStorage>(
MojoBinderNonAssociatedPolicy::kGrant);
map.SetNonAssociatedPolicy<blink::mojom::IDBFactory>(
MojoBinderNonAssociatedPolicy::kGrant);
// Grant this interface because some sync web APIs rely on it; deferring it
// leads to deadlock. However, granting this interface does not mean that
// prerenders are allowed to create output streams.
// RenderFrameAudioOutputStreamFactory understands which pages are
// prerendering and does not fulfill their requests for audio streams.
map.SetNonAssociatedPolicy<blink::mojom::RendererAudioOutputStreamFactory>(
MojoBinderNonAssociatedPolicy::kGrant);
map.SetNonAssociatedPolicy<network::mojom::RestrictedCookieManager>(
MojoBinderNonAssociatedPolicy::kGrant);
// Set policy to Grant for CodeCacheHost. Without this loads won't progress
// since we wait for a response from code cache when loading resources.
map.SetNonAssociatedPolicy<blink::mojom::CodeCacheHost>(
MojoBinderNonAssociatedPolicy::kGrant);
// Grant this for Media Capabilities APIs. This should be safe as the APIs
// just query encoding / decoding information.
map.SetNonAssociatedPolicy<media::mojom::WebrtcVideoPerfHistory>(
content::MojoBinderNonAssociatedPolicy::kGrant);
#if BUILDFLAG(IS_MAC)
// Set policy to Grant for TextInputHost.
// This is used to return macOS IME sync call results to the browser process,
// and will hang entire Chrome if paused.
// This is a prospective fix added for crbug.com/1480850
if (base::FeatureList::IsEnabled(
kTextInputHostMojoCapabilityControlWorkaround)) {
map.SetNonAssociatedPolicy<blink::mojom::TextInputHost>(
MojoBinderNonAssociatedPolicy::kGrant);
}
#endif
}
// Register same-origin prerendering policies for channel-associated interfaces
// registered in `RenderFrameHostImpl::SetUpMojoIfNeeded()`.
void RegisterChannelAssociatedPoliciesForSameOriginPrerendering(
MojoBinderPolicyMap& map) {
// Basic skeleton. All of them are critical to load a page so their policies
// have to be kGrant.
// TODO(crbug.com/40201285): Message-level control should be performed.
map.SetAssociatedPolicy<mojom::FrameHost>(MojoBinderAssociatedPolicy::kGrant);
map.SetAssociatedPolicy<blink::mojom::LocalFrameHost>(
MojoBinderAssociatedPolicy::kGrant);
map.SetAssociatedPolicy<blink::mojom::LocalMainFrameHost>(
MojoBinderAssociatedPolicy::kGrant);
// These interfaces do not leak sensitive information.
map.SetAssociatedPolicy<blink::mojom::BackForwardCacheControllerHost>(
MojoBinderAssociatedPolicy::kGrant);
map.SetAssociatedPolicy<blink::mojom::ManifestUrlChangeObserver>(
MojoBinderAssociatedPolicy::kGrant);
map.SetAssociatedPolicy<mojom::DomAutomationControllerHost>(
MojoBinderAssociatedPolicy::kGrant);
// BroadcastChannel is granted for prerendering, as this API is restricted to
// same-origin.
map.SetAssociatedPolicy<blink::mojom::BroadcastChannelProvider>(
MojoBinderAssociatedPolicy::kGrant);
// Granting this interface does not mean prerendering pages are allowed to
// play media. Feature-specific capability control is implemented to delay
// playing media. See `RenderFrameImpl::DeferMediaLoad` for more information.
map.SetAssociatedPolicy<media::mojom::MediaPlayerHost>(
MojoBinderAssociatedPolicy::kGrant);
// DisplayCutout supports the CSS viewport-fit property. It tracks
// the current viewport-fit on a per-document basis, but only calls
// the WebContents::NotifyViewportFitChanged and informs WebContents's
// observers when the document is fullscreened. Prerendered documents cannot
// enter fullscreen because they do not have transient activation, nor are
// they active documents (see RenderFrameHostImpl::EnterFullscreen), so it is
// safe to allow a prerendered document to use it.
map.SetAssociatedPolicy<blink::mojom::DisplayCutoutHost>(
MojoBinderAssociatedPolicy::kGrant);
// Prerendering pages are allowed to create urls for blobs.
map.SetAssociatedPolicy<blink::mojom::BlobURLStore>(
MojoBinderAssociatedPolicy::kGrant);
// Pages with FetchLater API calls should be allowed to prerender.
// TODO(crbug.com/40276121): Update according to feedback from
// https://github.com/WICG/pending-beacon/issues/82
map.SetAssociatedPolicy<blink::mojom::FetchLaterLoaderFactory>(
MojoBinderAssociatedPolicy::kGrant);
}
// Register mojo binder policies for same-origin prerendering for content/
// interfaces.
void RegisterContentBinderPoliciesForSameOriginPrerendering(
MojoBinderPolicyMap& map) {
RegisterNonAssociatedPolicies(map, PolicyClass::kSameOriginPrerendering);
RegisterChannelAssociatedPoliciesForSameOriginPrerendering(map);
}
// Register mojo binder policies for preview mode for content/ interfaces.
void RegisterContentBinderPoliciesForPreview(MojoBinderPolicyMap& map) {
RegisterNonAssociatedPolicies(map, PolicyClass::kPreview);
// Inherits the policies for same-origin prerendering.
// TODO(b:299240273): Adjust policies for preview.
RegisterChannelAssociatedPoliciesForSameOriginPrerendering(map);
}
// A singleton class that stores the `MojoBinderPolicyMap` of interfaces which
// are obtained via `BrowserInterfaceBrowser` for frames.
// content/ initializes the policy map with predefined policies, then allows
// embedders to update the map.
class BrowserInterfaceBrokerMojoBinderPolicyMapHolder {
public:
BrowserInterfaceBrokerMojoBinderPolicyMapHolder() {
RegisterContentBinderPoliciesForSameOriginPrerendering(same_origin_map_);
GetContentClient()
->browser()
->RegisterMojoBinderPoliciesForSameOriginPrerendering(same_origin_map_);
RegisterContentBinderPoliciesForPreview(preview_map_);
GetContentClient()->browser()->RegisterMojoBinderPoliciesForPreview(
preview_map_);
}
~BrowserInterfaceBrokerMojoBinderPolicyMapHolder() = default;
// Remove copy and move operations.
BrowserInterfaceBrokerMojoBinderPolicyMapHolder(
const BrowserInterfaceBrokerMojoBinderPolicyMapHolder& other) = delete;
BrowserInterfaceBrokerMojoBinderPolicyMapHolder& operator=(
const BrowserInterfaceBrokerMojoBinderPolicyMapHolder& other) = delete;
BrowserInterfaceBrokerMojoBinderPolicyMapHolder(
BrowserInterfaceBrokerMojoBinderPolicyMapHolder&&) = delete;
BrowserInterfaceBrokerMojoBinderPolicyMapHolder& operator=(
BrowserInterfaceBrokerMojoBinderPolicyMapHolder&&) = delete;
const MojoBinderPolicyMapImpl* GetSameOriginPolicyMap() const {
return &same_origin_map_;
}
const MojoBinderPolicyMapImpl* GetPreviewPolicyMap() const {
return &preview_map_;
}
private:
// TODO(crbug.com/40156088): Set default policy map for content/.
// Changes to `same_origin_map_` require security review.
MojoBinderPolicyMapImpl same_origin_map_;
MojoBinderPolicyMapImpl preview_map_;
};
} // namespace
MojoBinderPolicyMapImpl::MojoBinderPolicyMapImpl() = default;
MojoBinderPolicyMapImpl::MojoBinderPolicyMapImpl(
const base::flat_map<std::string, MojoBinderNonAssociatedPolicy>& init_map)
: non_associated_policy_map_(init_map) {}
MojoBinderPolicyMapImpl::~MojoBinderPolicyMapImpl() = default;
const MojoBinderPolicyMapImpl*
MojoBinderPolicyMapImpl::GetInstanceForSameOriginPrerendering() {
static const base::NoDestructor<
BrowserInterfaceBrokerMojoBinderPolicyMapHolder>
map;
return map->GetSameOriginPolicyMap();
}
const MojoBinderPolicyMapImpl*
MojoBinderPolicyMapImpl::GetInstanceForPreview() {
static const base::NoDestructor<
BrowserInterfaceBrokerMojoBinderPolicyMapHolder>
map;
return map->GetPreviewPolicyMap();
}
MojoBinderNonAssociatedPolicy
MojoBinderPolicyMapImpl::GetNonAssociatedMojoBinderPolicy(
const std::string& interface_name,
const MojoBinderNonAssociatedPolicy default_policy) const {
const auto& found = non_associated_policy_map_.find(interface_name);
if (found != non_associated_policy_map_.end())
return found->second;
return default_policy;
}
MojoBinderAssociatedPolicy
MojoBinderPolicyMapImpl::GetAssociatedMojoBinderPolicy(
const std::string& interface_name,
const MojoBinderAssociatedPolicy default_policy) const {
const auto& found = associated_policy_map_.find(interface_name);
if (found != associated_policy_map_.end())
return found->second;
return default_policy;
}
MojoBinderNonAssociatedPolicy
MojoBinderPolicyMapImpl::GetNonAssociatedMojoBinderPolicyOrDieForTesting(
const std::string& interface_name) const {
const auto& found = non_associated_policy_map_.find(interface_name);
CHECK(found != non_associated_policy_map_.end(), base::NotFatalUntil::M130);
return found->second;
}
MojoBinderAssociatedPolicy
MojoBinderPolicyMapImpl::GetAssociatedMojoBinderPolicyOrDieForTesting(
const std::string& interface_name) const {
const auto& found = associated_policy_map_.find(interface_name);
CHECK(found != associated_policy_map_.end(), base::NotFatalUntil::M130);
return found->second;
}
void MojoBinderPolicyMapImpl::SetPolicyByName(
const std::string_view& name,
MojoBinderNonAssociatedPolicy policy) {
non_associated_policy_map_.emplace(name, policy);
}
void MojoBinderPolicyMapImpl::SetPolicyByName(
const std::string_view& name,
MojoBinderAssociatedPolicy policy) {
associated_policy_map_.emplace(name, policy);
}
} // namespace content