Google Git
Sign in
chromium / chromium / src / 717647da6a67104cb0d74e630b132ff9f03d9e33 / . / services / network / network_context.cc
blob: e12089293f4e73a7a3e798619c389139e4c72021 [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "services/network/network_context.h"
#include <memory>
#include <string>
#include <tuple>
#include <utility>
#include "base/barrier_closure.h"
#include "base/base64.h"
#include "base/bind.h"
#include "base/build_time.h"
#include "base/command_line.h"
#include "base/containers/unique_ptr_adapters.h"
#include "base/dcheck_is_on.h"
#include "base/feature_list.h"
#include "base/logging.h"
#include "base/memory/ptr_util.h"
#include "base/memory/ref_counted.h"
#include "base/metrics/histogram_functions.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/utf_string_conversions.h"
#include "base/task/current_thread.h"
#include "base/task/post_task.h"
#include "base/task/sequenced_task_runner.h"
#include "base/task/task_traits.h"
#include "base/task/thread_pool.h"
#include "base/threading/thread_task_runner_handle.h"
#include "build/build_config.h"
#include "build/chromecast_buildflags.h"
#include "build/chromeos_buildflags.h"
#include "components/cookie_config/cookie_store_util.h"
#include "components/domain_reliability/features.h"
#include "components/domain_reliability/monitor.h"
#include "components/network_session_configurator/browser/network_session_configurator.h"
#include "components/network_session_configurator/common/network_switches.h"
#include "components/prefs/json_pref_store.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
#include "components/prefs/pref_service_factory.h"
#include "crypto/sha2.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "net/base/features.h"
#include "net/base/isolation_info.h"
#include "net/base/load_flags.h"
#include "net/base/net_errors.h"
#include "net/base/network_delegate.h"
#include "net/base/network_isolation_key.h"
#include "net/base/port_util.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "net/cert/caching_cert_verifier.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/coalescing_cert_verifier.h"
#include "net/cert_net/cert_net_fetcher_url_request.h"
#include "net/cookies/cookie_monster.h"
#include "net/dns/host_cache.h"
#include "net/dns/mapped_host_resolver.h"
#include "net/extras/sqlite/sqlite_persistent_cookie_store.h"
#include "net/http/http_auth.h"
#include "net/http/http_auth_handler_factory.h"
#include "net/http/http_auth_preferences.h"
#include "net/http/http_cache.h"
#include "net/http/http_network_session.h"
#include "net/http/http_request_headers.h"
#include "net/http/http_server_properties.h"
#include "net/http/http_transaction_factory.h"
#include "net/proxy_resolution/configured_proxy_resolution_service.h"
#include "net/proxy_resolution/proxy_config.h"
#include "net/traffic_annotation/network_traffic_annotation.h"
#include "net/url_request/report_sender.h"
#include "net/url_request/static_http_user_agent_settings.h"
#include "net/url_request/url_request.h"
#include "net/url_request/url_request_context.h"
#include "net/url_request/url_request_context_builder.h"
#include "services/network/cookie_manager.h"
#include "services/network/cors/cors_url_loader_factory.h"
#include "services/network/host_resolver.h"
#include "services/network/http_auth_cache_copier.h"
#include "services/network/http_server_properties_pref_delegate.h"
#include "services/network/ignore_errors_cert_verifier.h"
#include "services/network/net_log_exporter.h"
#include "services/network/network_service.h"
#include "services/network/network_service_network_delegate.h"
#include "services/network/network_service_proxy_delegate.h"
#include "services/network/proxy_config_service_mojo.h"
#include "services/network/proxy_lookup_request.h"
#include "services/network/proxy_resolving_socket_factory_mojo.h"
#include "services/network/public/cpp/cert_verifier/mojo_cert_verifier.h"
#include "services/network/public/cpp/content_security_policy/content_security_policy.h"
#include "services/network/public/cpp/features.h"
#include "services/network/public/cpp/network_switches.h"
#include "services/network/public/cpp/parsed_headers.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
#include "services/network/public/mojom/network_context.mojom.h"
#include "services/network/public/mojom/reporting_service.mojom.h"
#include "services/network/public/mojom/trust_tokens.mojom-forward.h"
#include "services/network/public/mojom/url_loader_factory.mojom.h"
#include "services/network/resolve_host_request.h"
#include "services/network/resource_scheduler/resource_scheduler_client.h"
#include "services/network/restricted_cookie_manager.h"
#include "services/network/session_cleanup_cookie_store.h"
#include "services/network/ssl_config_service_mojo.h"
#include "services/network/throttling/network_conditions.h"
#include "services/network/throttling/throttling_controller.h"
#include "services/network/throttling/throttling_network_transaction_factory.h"
#include "services/network/trust_tokens/expiry_inspecting_record_expiry_delegate.h"
#include "services/network/trust_tokens/has_trust_tokens_answerer.h"
#include "services/network/trust_tokens/in_memory_trust_token_persister.h"
#include "services/network/trust_tokens/pending_trust_token_store.h"
#include "services/network/trust_tokens/sqlite_trust_token_persister.h"
#include "services/network/trust_tokens/suitable_trust_token_origin.h"
#include "services/network/trust_tokens/trust_token_parameterization.h"
#include "services/network/trust_tokens/trust_token_store.h"
#include "services/network/url_loader.h"
#include "services/network/url_request_context_builder_mojo.h"
#include "services/network/web_transport.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
#if BUILDFLAG(IS_CT_SUPPORTED)
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include "components/certificate_transparency/chrome_require_ct_delegate.h"
#include "components/certificate_transparency/ct_known_logs.h"
#include "net/cert/cert_and_ct_verifier.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "services/network/ct_log_list_distributor.h"
#include "services/network/expect_ct_reporter.h"
#include "services/network/sct_auditing/sct_auditing_cache.h"
#include "services/network/sct_auditing/sct_auditing_handler.h"
#endif // BUILDFLAG(IS_CT_SUPPORTED)
#if BUILDFLAG(IS_CHROMEOS)
#include "services/network/cert_verifier_with_trust_anchors.h"
#endif // BUILDFLAG(IS_CHROMEOS)
#if !BUILDFLAG(IS_IOS)
#include "services/network/websocket_factory.h"
#endif // !BUILDFLAG(IS_IOS)
#if BUILDFLAG(ENABLE_REPORTING)
#include "net/base/http_user_agent_settings.h"
#include "net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h"
#include "net/network_error_logging/network_error_logging_service.h"
#include "net/reporting/reporting_browsing_data_remover.h"
#include "net/reporting/reporting_policy.h"
#include "net/reporting/reporting_service.h"
#endif // BUILDFLAG(ENABLE_REPORTING)
#if BUILDFLAG(ENABLE_MDNS)
#include "services/network/mdns_responder.h"
#endif // BUILDFLAG(ENABLE_MDNS)
#if BUILDFLAG(IS_P2P_ENABLED)
#include "services/network/p2p/socket_manager.h"
#endif
#if BUILDFLAG(IS_ANDROID)
#include "base/android/application_status_listener.h"
#endif
namespace network {
namespace {
#if BUILDFLAG(IS_CT_SUPPORTED)
// A Base-64 encoded DER certificate for use in test Expect-CT reports. The
// contents of the certificate don't matter.
const char kTestReportCert[] =
"MIIDvzCCAqegAwIBAgIBAzANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET"
"MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G"
"A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE3MDYwNTE3"
"MTA0NloXDTI3MDYwMzE3MTA0NlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh"
"bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg"
"Q0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC"
"AQoCggEBALS/0pcz5RNbd2W9cxp1KJtHWea3MOhGM21YW9ofCv/k5C3yHfiJ6GQu"
"9sPN16OO1/fN59gOEMPnVtL85ebTTuL/gk0YY4ewo97a7wo3e6y1t0PO8gc53xTp"
"w6RBPn5oRzSbe2HEGOYTzrO0puC6A+7k6+eq9G2+l1uqBpdQAdB4uNaSsOTiuUOI"
"ta4UZH1ScNQFHAkl1eJPyaiC20Exw75EbwvU/b/B7tlivzuPtQDI0d9dShOtceRL"
"X9HZckyD2JNAv2zNL2YOBNa5QygkySX9WXD+PfKpCk7Cm8TenldeXRYl5ni2REkp"
"nfa/dPuF1g3xZVjyK9aPEEnIAC2I4i0CAwEAAaOBgDB+MAwGA1UdEwEB/wQCMAAw"
"HQYDVR0OBBYEFODc4C8HiHQ6n9Mwo3GK+dal5aZTMB8GA1UdIwQYMBaAFJsmC4qY"
"qbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAP"
"BgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB6FEQuUDRcC5jkX3aZ"
"uuTeZEqMVL7JXgvgFqzXsPb8zIdmxr/tEDfwXx2qDf2Dpxts7Fq4vqUwimK4qV3K"
"7heLnWV2+FBvV1eeSfZ7AQj+SURkdlyo42r41+t13QUf+Z0ftR9266LSWLKrukeI"
"Mxk73hOkm/u8enhTd00dy/FN9dOFBFHseVMspWNxIkdRILgOmiyfQNRgxNYdOf0e"
"EfELR8Hn6WjZ8wAbvO4p7RTrzu1c/RZ0M+NLkID56Brbl70GC2h5681LPwAOaZ7/"
"mWQ5kekSyJjmLfF12b+h9RVAt5MrXZgk2vNujssgGf4nbWh4KZyQ6qrs778ZdDLm"
"yfUn";
#endif // BUILDFLAG(IS_CT_SUPPORTED)
net::CertVerifier* g_cert_verifier_for_testing = nullptr;
// A CertVerifier that forwards all requests to |g_cert_verifier_for_testing|.
// This is used to allow NetworkContexts to have their own
// std::unique_ptr<net::CertVerifier> while forwarding calls to the shared
// verifier.
class WrappedTestingCertVerifier : public net::CertVerifier {
public:
~WrappedTestingCertVerifier() override = default;
// CertVerifier implementation
int Verify(const RequestParams& params,
net::CertVerifyResult* verify_result,
net::CompletionOnceCallback callback,
std::unique_ptr<Request>* out_req,
const net::NetLogWithSource& net_log) override {
verify_result->Reset();
if (!g_cert_verifier_for_testing)
return net::ERR_FAILED;
return g_cert_verifier_for_testing->Verify(
params, verify_result, std::move(callback), out_req, net_log);
}
void SetConfig(const Config& config) override {
if (!g_cert_verifier_for_testing)
return;
g_cert_verifier_for_testing->SetConfig(config);
}
};
// Predicate function to determine if the given |domain| matches the
// |filter_type| and |filter_domains| from a |mojom::ClearDataFilter|.
bool MatchesDomainFilter(mojom::ClearDataFilter_Type filter_type,
std::set<std::string> filter_domains,
const std::string& domain) {
bool found_domain = filter_domains.find(domain) != filter_domains.end();
return (filter_type == mojom::ClearDataFilter_Type::DELETE_MATCHES) ==
found_domain;
}
// Returns a callback that checks if a domain matches the |filter|. |filter|
// must contain no origins. A null filter matches everything.
base::RepeatingCallback<bool(const std::string& host_name)> MakeDomainFilter(
mojom::ClearDataFilter* filter) {
if (!filter)
return base::BindRepeating([](const std::string&) { return true; });
DCHECK(filter->origins.empty())
<< "Origin filtering not allowed in a domain-only filter";
std::set<std::string> filter_domains;
filter_domains.insert(filter->domains.begin(), filter->domains.end());
return base::BindRepeating(&MatchesDomainFilter, filter->type,
std::move(filter_domains));
}
// Predicate function to determine if the given |url| matches the |filter_type|,
// |filter_domains| and |filter_origins| from a |mojom::ClearDataFilter|.
bool MatchesUrlFilter(mojom::ClearDataFilter_Type filter_type,
std::set<std::string> filter_domains,
std::set<url::Origin> filter_origins,
const GURL& url) {
std::string url_registrable_domain =
net::registry_controlled_domains::GetDomainAndRegistry(
url, net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
bool found_domain =
(filter_domains.find(url_registrable_domain != ""
? url_registrable_domain
: url.host()) != filter_domains.end());
bool found_origin =
(filter_origins.find(url::Origin::Create(url)) != filter_origins.end());
return (filter_type == mojom::ClearDataFilter_Type::DELETE_MATCHES) ==
(found_domain || found_origin);
}
// Builds a generic GURL-matching predicate function based on |filter|. If
// |filter| is null, creates an always-true predicate.
base::RepeatingCallback<bool(const GURL&)> BuildUrlFilter(
mojom::ClearDataFilterPtr filter) {
if (!filter) {
return base::BindRepeating([](const GURL&) { return true; });
}
std::set<std::string> filter_domains;
filter_domains.insert(filter->domains.begin(), filter->domains.end());
std::set<url::Origin> filter_origins;
filter_origins.insert(filter->origins.begin(), filter->origins.end());
return base::BindRepeating(&MatchesUrlFilter, filter->type,
std::move(filter_domains),
std::move(filter_origins));
}
#if BUILDFLAG(IS_ANDROID)
class NetworkContextApplicationStatusListener
: public base::android::ApplicationStatusListener {
public:
// base::android::ApplicationStatusListener implementation:
void SetCallback(const ApplicationStateChangeCallback& callback) override {
DCHECK(!callback_);
DCHECK(callback);
callback_ = callback;
}
void Notify(base::android::ApplicationState state) override {
if (callback_)
callback_.Run(state);
}
private:
ApplicationStateChangeCallback callback_;
};
#endif
struct TestVerifyCertState {
net::CertVerifyResult result;
std::unique_ptr<net::CertVerifier::Request> request;
};
void TestVerifyCertCallback(
std::unique_ptr<TestVerifyCertState> request,
NetworkContext::VerifyCertificateForTestingCallback callback,
int result) {
std::move(callback).Run(result);
}
std::string HashesToBase64String(const net::HashValueVector& hashes) {
std::string str;
for (size_t i = 0; i != hashes.size(); ++i) {
if (i != 0)
str += ",";
str += hashes[i].ToString();
}
return str;
}
#if BUILDFLAG(IS_CT_SUPPORTED)
// SCTAuditingDelegate is an implementation of the delegate interface that is
// aware of per-NetworkContext details (to allow the cache to notify the
// associated NetworkContextClient of new reports, and to apply
// per-NetworkContext enabled/disabled status for the auditing feature).
class SCTAuditingDelegate : public net::SCTAuditingDelegate {
public:
explicit SCTAuditingDelegate(const base::WeakPtr<NetworkContext>& context);
~SCTAuditingDelegate() override;
// net::SCTAuditingDelegate:
void MaybeEnqueueReport(
const net::HostPortPair& host_port_pair,
const net::X509Certificate* validated_certificate_chain,
const net::SignedCertificateTimestampAndStatusList&
signed_certificate_timestamps) override;
bool IsSCTAuditingEnabled() override;
private:
base::WeakPtr<NetworkContext> context_;
};
SCTAuditingDelegate::SCTAuditingDelegate(
const base::WeakPtr<NetworkContext>& context)
: context_(context) {}
SCTAuditingDelegate::~SCTAuditingDelegate() = default;
void SCTAuditingDelegate::MaybeEnqueueReport(
const net::HostPortPair& host_port_pair,
const net::X509Certificate* validated_certificate_chain,
const net::SignedCertificateTimestampAndStatusList&
signed_certificate_timestamps) {
if (!context_)
return;
context_->MaybeEnqueueSCTReport(host_port_pair, validated_certificate_chain,
signed_certificate_timestamps);
}
bool SCTAuditingDelegate::IsSCTAuditingEnabled() {
if (!context_)
return false;
return context_->sct_auditing_handler()->is_enabled();
}
// Filters `log_list` for disqualified or Google-operated logs,
// returning them as sorted vectors in `disqualified_logs` and
// `operated_by_google_logs` suitable for use with a `CTPolicyEnforcer`.
void GetCTPolicyConfigForCTLogInfo(
const std::vector<mojom::CTLogInfoPtr>& log_list,
std::vector<std::pair<std::string, base::TimeDelta>>* disqualified_logs,
std::vector<std::string>* operated_by_google_logs,
std::map<std::string, certificate_transparency::OperatorHistoryEntry>*
operator_history) {
for (const auto& log : log_list) {
std::string log_id = crypto::SHA256HashString(log->public_key);
if (log->operated_by_google || log->disqualified_at) {
if (log->operated_by_google)
operated_by_google_logs->push_back(log_id);
if (log->disqualified_at) {
disqualified_logs->emplace_back(log_id, log->disqualified_at.value());
}
}
certificate_transparency::OperatorHistoryEntry entry;
entry.current_operator_ = log->current_operator;
for (const auto& previous_operator : log->previous_operators) {
entry.previous_operators_.emplace_back(previous_operator->name,
previous_operator->end_time);
}
(*operator_history)[log_id] = entry;
}
std::sort(std::begin(*operated_by_google_logs),
std::end(*operated_by_google_logs));
std::sort(std::begin(*disqualified_logs), std::end(*disqualified_logs));
}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
// Obtains a full data file path from a NetworkContextFilePaths, a class member
// pointer to the data file. If valid, then returns true and places the full
// path into `full_path` otherwise returns false.
bool GetFullDataFilePath(
const mojom::NetworkContextFilePathsPtr& file_paths,
absl::optional<base::FilePath> network::mojom::NetworkContextFilePaths::*
field_name,
base::FilePath& full_path) {
if (!file_paths)
return false;
absl::optional<base::FilePath> relative_file_path =
file_paths.get()->*field_name;
if (!relative_file_path.has_value())
return false;
// Path to a data file should always be a plain filename.
DCHECK_EQ(relative_file_path->BaseName(), *relative_file_path);
full_path = file_paths->data_path.Append(relative_file_path->value());
return true;
}
} // namespace
constexpr uint32_t NetworkContext::kMaxOutstandingRequestsPerProcess;
NetworkContext::PendingCertVerify::PendingCertVerify() = default;
NetworkContext::PendingCertVerify::~PendingCertVerify() = default;
// net::NetworkDelegate that wraps
NetworkContext::NetworkContext(
NetworkService* network_service,
mojo::PendingReceiver<mojom::NetworkContext> receiver,
mojom::NetworkContextParamsPtr params,
OnConnectionCloseCallback on_connection_close_callback)
: network_service_(network_service),
url_request_context_(nullptr),
#if BUILDFLAG(ENABLE_REPORTING)
is_observing_reporting_service_(false),
#endif
params_(std::move(params)),
on_connection_close_callback_(std::move(on_connection_close_callback)),
#if BUILDFLAG(IS_ANDROID)
app_status_listener_(
std::make_unique<NetworkContextApplicationStatusListener>()),
#endif
receiver_(this, std::move(receiver)),
cors_preflight_controller_(network_service),
cors_non_wildcard_request_headers_support_(base::FeatureList::IsEnabled(
features::kCorsNonWildcardRequestHeadersSupport)) {
#if BUILDFLAG(IS_WIN) && DCHECK_IS_ON()
if (params_->file_paths) {
DCHECK(params_->win_permissions_set)
<< "Permissions not set on files. Network context should be created "
"using CreateNetworkContextInNetworkService rather than directly on "
"the network service.";
}
#endif // BUILDFLAG(IS_WIN) && DCHECK_IS_ON()
mojo::PendingRemote<mojom::URLLoaderFactory>
url_loader_factory_for_cert_net_fetcher;
mojo::PendingReceiver<mojom::URLLoaderFactory>
url_loader_factory_for_cert_net_fetcher_receiver =
url_loader_factory_for_cert_net_fetcher
.InitWithNewPipeAndPassReceiver();
scoped_refptr<SessionCleanupCookieStore> session_cleanup_cookie_store =
MakeSessionCleanupCookieStore();
url_request_context_owner_ =
MakeURLRequestContext(std::move(url_loader_factory_for_cert_net_fetcher),
session_cleanup_cookie_store);
url_request_context_ = url_request_context_owner_.url_request_context.get();
cookie_manager_ = std::make_unique<CookieManager>(
url_request_context_, network_service_->first_party_sets(),
std::move(session_cleanup_cookie_store),
std::move(params_->cookie_manager_params));
network_service_->RegisterNetworkContext(this);
// Only register for destruction if |this| will be wholly lifetime-managed
// by the NetworkService. In the other constructors, lifetime is shared with
// other consumers, and thus self-deletion is not safe and can result in
// double-frees.
receiver_.set_disconnect_handler(base::BindOnce(
&NetworkContext::OnConnectionError, base::Unretained(this)));
socket_factory_ = std::make_unique<SocketFactory>(
url_request_context_->net_log(), url_request_context_);
resource_scheduler_ = std::make_unique<ResourceScheduler>();
origin_policy_manager_ = std::make_unique<OriginPolicyManager>(this);
if (params_->http_auth_static_network_context_params) {
http_auth_merged_preferences_.SetAllowDefaultCredentials(
params_->http_auth_static_network_context_params
->allow_default_credentials);
}
InitializeCorsParams();
SetSplitAuthCacheByNetworkIsolationKey(
params_->split_auth_cache_by_network_isolation_key);
#if BUILDFLAG(IS_CT_SUPPORTED)
if (params_->ct_policy)
SetCTPolicy(std::move(params_->ct_policy));
base::FilePath sct_auditing_path;
if (base::FeatureList::IsEnabled(
features::kSCTAuditingRetryAndPersistReports)) {
GetFullDataFilePath(params_->file_paths,
&network::mojom::NetworkContextFilePaths::
sct_auditing_pending_reports_file_name,
sct_auditing_path);
}
sct_auditing_handler_ =
std::make_unique<SCTAuditingHandler>(this, sct_auditing_path);
sct_auditing_handler()->SetEnabled(params_->enable_sct_auditing);
#endif
#if BUILDFLAG(IS_ANDROID)
if (params_->cookie_manager)
GetCookieManager(std::move(params_->cookie_manager));
#endif
CreateURLLoaderFactoryForCertNetFetcher(
std::move(url_loader_factory_for_cert_net_fetcher_receiver));
}
NetworkContext::NetworkContext(
NetworkService* network_service,
mojo::PendingReceiver<mojom::NetworkContext> receiver,
net::URLRequestContext* url_request_context,
const std::vector<std::string>& cors_exempt_header_list)
: network_service_(network_service),
url_request_context_(url_request_context),
#if BUILDFLAG(ENABLE_REPORTING)
is_observing_reporting_service_(false),
#endif
#if BUILDFLAG(IS_ANDROID)
app_status_listener_(
std::make_unique<NetworkContextApplicationStatusListener>()),
#endif
receiver_(this, std::move(receiver)),
cookie_manager_(
std::make_unique<CookieManager>(url_request_context,
nullptr,
nullptr /* first_party_sets */,
nullptr)),
socket_factory_(
std::make_unique<SocketFactory>(url_request_context_->net_log(),
url_request_context)),
cors_preflight_controller_(network_service) {
// May be nullptr in tests.
if (network_service_)
network_service_->RegisterNetworkContext(this);
resource_scheduler_ = std::make_unique<ResourceScheduler>();
for (const auto& key : cors_exempt_header_list)
cors_exempt_header_list_.insert(key);
origin_policy_manager_ = std::make_unique<OriginPolicyManager>(this);
}
NetworkContext::~NetworkContext() {
// May be nullptr in tests.
if (network_service_)
network_service_->DeregisterNetworkContext(this);
if (cert_net_fetcher_)
cert_net_fetcher_->Shutdown();
if (domain_reliability_monitor_)
domain_reliability_monitor_->Shutdown();
// Because of the order of declaration in the class,
// domain_reliability_monitor_ will be destroyed before
// |url_loader_factories_| which could own URLLoader's whose destructor call
// back into this class and might use domain_reliability_monitor_. So we reset
// |domain_reliability_monitor_| here explicitly, instead of changing the
// order, because any work calling into |domain_reliability_monitor_| at
// shutdown would be unnecessary as the reports would be thrown out.
domain_reliability_monitor_.reset();
if (url_request_context_ &&
url_request_context_->transport_security_state()) {
if (certificate_report_sender_) {
// Destroy |certificate_report_sender_| before |url_request_context_|,
// since the former has a reference to the latter.
url_request_context_->transport_security_state()->SetReportSender(
nullptr);
certificate_report_sender_.reset();
}
#if BUILDFLAG(IS_CT_SUPPORTED)
if (expect_ct_reporter_) {
url_request_context_->transport_security_state()->SetExpectCTReporter(
nullptr);
expect_ct_reporter_.reset();
}
if (require_ct_delegate_) {
url_request_context_->transport_security_state()->SetRequireCTDelegate(
nullptr);
}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
}
#if BUILDFLAG(ENABLE_REPORTING)
if (is_observing_reporting_service_) {
DCHECK(url_request_context());
// May be nullptr in tests.
if (url_request_context()->reporting_service()) {
url_request_context()->reporting_service()->RemoveReportingCacheObserver(
this);
}
}
#endif
}
// static
void NetworkContext::SetCertVerifierForTesting(
net::CertVerifier* cert_verifier) {
g_cert_verifier_for_testing = cert_verifier;
}
void NetworkContext::CreateURLLoaderFactory(
mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,
mojom::URLLoaderFactoryParamsPtr params,
scoped_refptr<ResourceSchedulerClient> resource_scheduler_client) {
url_loader_factories_.emplace(std::make_unique<cors::CorsURLLoaderFactory>(
this, std::move(params), std::move(resource_scheduler_client),
std::move(receiver), &cors_origin_access_list_));
}
void NetworkContext::CreateURLLoaderFactoryForCertNetFetcher(
mojo::PendingReceiver<mojom::URLLoaderFactory> factory_receiver) {
// TODO(crbug.com/1087790): investigate changing these params.
auto url_loader_factory_params = mojom::URLLoaderFactoryParams::New();
url_loader_factory_params->is_trusted = true;
url_loader_factory_params->process_id = mojom::kBrowserProcessId;
url_loader_factory_params->automatically_assign_isolation_info = true;
url_loader_factory_params->is_corb_enabled = false;
CreateURLLoaderFactory(std::move(factory_receiver),
std::move(url_loader_factory_params));
}
void NetworkContext::ActivateDohProbes() {
DCHECK(url_request_context_->host_resolver());
doh_probes_request_.reset();
doh_probes_request_ =
url_request_context_->host_resolver()->CreateDohProbeRequest();
doh_probes_request_->Start();
}
void NetworkContext::SetClient(
mojo::PendingRemote<mojom::NetworkContextClient> client) {
client_.reset();
client_.Bind(std::move(client));
}
void NetworkContext::CreateURLLoaderFactory(
mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,
mojom::URLLoaderFactoryParamsPtr params) {
scoped_refptr<ResourceSchedulerClient> resource_scheduler_client =
base::MakeRefCounted<ResourceSchedulerClient>(
params->process_id, ++current_resource_scheduler_client_id_,
resource_scheduler_.get(),
url_request_context_->network_quality_estimator());
CreateURLLoaderFactory(std::move(receiver), std::move(params),
std::move(resource_scheduler_client));
}
void NetworkContext::ResetURLLoaderFactories() {
// Move all factories to a temporary vector so ClearBindings() does not
// invalidate the iterator if the factory gets deleted.
std::vector<cors::CorsURLLoaderFactory*> factories;
factories.reserve(url_loader_factories_.size());
for (const auto& factory : url_loader_factories_)
factories.push_back(factory.get());
for (auto* factory : factories)
factory->ClearBindings();
}
void NetworkContext::GetCookieManager(
mojo::PendingReceiver<mojom::CookieManager> receiver) {
cookie_manager_->AddReceiver(std::move(receiver));
}
void NetworkContext::GetRestrictedCookieManager(
mojo::PendingReceiver<mojom::RestrictedCookieManager> receiver,
mojom::RestrictedCookieManagerRole role,
const url::Origin& origin,
const net::IsolationInfo& isolation_info,
mojo::PendingRemote<mojom::CookieAccessObserver> cookie_observer) {
restricted_cookie_manager_receivers_.Add(
std::make_unique<RestrictedCookieManager>(
role, url_request_context_->cookie_store(),
cookie_manager_->cookie_settings(), origin, isolation_info,
std::move(cookie_observer),
network_service_->first_party_sets()->is_enabled()),
std::move(receiver));
}
void NetworkContext::GetHasTrustTokensAnswerer(
mojo::PendingReceiver<mojom::HasTrustTokensAnswerer> receiver,
const url::Origin& top_frame_origin) {
// Only called when Trust Tokens is enabled, i.e. trust_token_store_ is
// non-null.
DCHECK(trust_token_store_);
absl::optional<SuitableTrustTokenOrigin> suitable_top_frame_origin =
SuitableTrustTokenOrigin::Create(top_frame_origin);
// It's safe to dereference |suitable_top_frame_origin| here as, during the
// process of vending the HasTrustTokensAnswerer, the browser ensures that
// the requesting context's top frame origin is suitable for Trust Tokens.
auto answerer = std::make_unique<HasTrustTokensAnswerer>(
std::move(*suitable_top_frame_origin), trust_token_store_.get());
has_trust_tokens_answerers_.Add(std::move(answerer), std::move(receiver));
}
void NetworkContext::GetStoredTrustTokenCounts(
GetStoredTrustTokenCountsCallback callback) {
if (trust_token_store_) {
auto get_trust_token_counts_from_store =
[](NetworkContext::GetStoredTrustTokenCountsCallback callback,
TrustTokenStore* trust_token_store) {
std::vector<mojom::StoredTrustTokensForIssuerPtr> result;
for (auto& issuer_count_pair :
trust_token_store->GetStoredTrustTokenCounts()) {
result.push_back(mojom::StoredTrustTokensForIssuer::New(
std::move(issuer_count_pair.first), issuer_count_pair.second));
}
std::move(callback).Run(std::move(result));
};
trust_token_store_->ExecuteOrEnqueue(
base::BindOnce(get_trust_token_counts_from_store, std::move(callback)));
} else {
// The Trust Tokens feature is disabled, return immediately with an empty
// vector.
std::move(callback).Run({});
}
}
void NetworkContext::DeleteStoredTrustTokens(
const url::Origin& issuer,
DeleteStoredTrustTokensCallback callback) {
if (!trust_token_store_) {
std::move(callback).Run(
mojom::DeleteStoredTrustTokensStatus::kFailureFeatureDisabled);
return;
}
absl::optional<SuitableTrustTokenOrigin> suitable_issuer_origin =
SuitableTrustTokenOrigin::Create(issuer);
if (!suitable_issuer_origin) {
std::move(callback).Run(
mojom::DeleteStoredTrustTokensStatus::kFailureInvalidOrigin);
return;
}
trust_token_store_->ExecuteOrEnqueue(base::BindOnce(
[](SuitableTrustTokenOrigin issuer,
DeleteStoredTrustTokensCallback callback, TrustTokenStore* store) {
const bool did_delete_tokens = store->DeleteStoredTrustTokens(issuer);
const auto status =
did_delete_tokens
? mojom::DeleteStoredTrustTokensStatus::kSuccessTokensDeleted
: mojom::DeleteStoredTrustTokensStatus::kSuccessNoTokensDeleted;
std::move(callback).Run(status);
},
std::move(*suitable_issuer_origin), std::move(callback)));
}
void NetworkContext::OnProxyLookupComplete(
ProxyLookupRequest* proxy_lookup_request) {
auto it = proxy_lookup_requests_.find(proxy_lookup_request);
DCHECK(it != proxy_lookup_requests_.end());
proxy_lookup_requests_.erase(it);
}
void NetworkContext::DisableQuic() {
url_request_context_->http_transaction_factory()->GetSession()->DisableQuic();
}
void NetworkContext::DestroyURLLoaderFactory(
cors::CorsURLLoaderFactory* url_loader_factory) {
auto it = url_loader_factories_.find(url_loader_factory);
DCHECK(it != url_loader_factories_.end());
url_loader_factories_.erase(it);
}
void NetworkContext::Remove(WebTransport* transport) {
auto it = web_transports_.find(transport);
if (it != web_transports_.end()) {
web_transports_.erase(it);
}
}
void NetworkContext::LoaderCreated(uint32_t process_id) {
loader_count_per_process_[process_id] += 1;
}
void NetworkContext::LoaderDestroyed(uint32_t process_id) {
auto it = loader_count_per_process_.find(process_id);
DCHECK(it != loader_count_per_process_.end());
it->second -= 1;
if (it->second == 0)
loader_count_per_process_.erase(it);
}
bool NetworkContext::CanCreateLoader(uint32_t process_id) {
auto it = loader_count_per_process_.find(process_id);
uint32_t count = (it == loader_count_per_process_.end() ? 0 : it->second);
return count < max_loaders_per_process_;
}
size_t NetworkContext::GetNumOutstandingResolveHostRequestsForTesting() const {
size_t sum = 0;
if (internal_host_resolver_)
sum += internal_host_resolver_->GetNumOutstandingRequestsForTesting();
for (const auto& host_resolver : host_resolvers_)
sum += host_resolver.first->GetNumOutstandingRequestsForTesting();
return sum;
}
bool NetworkContext::SkipReportingPermissionCheck() const {
return params_ && params_->skip_reporting_send_permission_check;
}
void NetworkContext::ClearTrustTokenData(mojom::ClearDataFilterPtr filter,
base::OnceClosure done) {
if (!trust_token_store_) {
std::move(done).Run();
return;
}
trust_token_store_->ExecuteOrEnqueue(base::BindOnce(
[](mojom::ClearDataFilterPtr filter, base::OnceClosure done,
TrustTokenStore* store) {
std::ignore = store->ClearDataForFilter(std::move(filter));
std::move(done).Run();
},
std::move(filter), std::move(done)));
}
void NetworkContext::ClearNetworkingHistoryBetween(
base::Time start_time,
base::Time end_time,
base::OnceClosure completion_callback) {
auto barrier = base::BarrierClosure(2, std::move(completion_callback));
url_request_context_->transport_security_state()->DeleteAllDynamicDataBetween(
start_time, end_time, barrier);
// TODO(mmenke): Neither of these methods waits until the changes have been
// commited to disk. They probably should, as most similar methods net/
// exposes do.
// May not be set in all tests.
if (network_qualities_pref_delegate_)
network_qualities_pref_delegate_->ClearPrefs();
url_request_context_->http_server_properties()->Clear(barrier);
}
void NetworkContext::ClearHttpCache(base::Time start_time,
base::Time end_time,
mojom::ClearDataFilterPtr filter,
ClearHttpCacheCallback callback) {
// It's safe to use Unretained below as the HttpCacheDataRemover is owned by
// |this| and guarantees it won't call its callback if deleted.
http_cache_data_removers_.push_back(HttpCacheDataRemover::CreateAndStart(
url_request_context_, std::move(filter), start_time, end_time,
base::BindOnce(&NetworkContext::OnHttpCacheCleared,
base::Unretained(this), std::move(callback))));
}
void NetworkContext::ComputeHttpCacheSize(
base::Time start_time,
base::Time end_time,
ComputeHttpCacheSizeCallback callback) {
// It's safe to use Unretained below as the HttpCacheDataCounter is owned by
// |this| and guarantees it won't call its callback if deleted.
http_cache_data_counters_.push_back(HttpCacheDataCounter::CreateAndStart(
url_request_context_, start_time, end_time,
base::BindOnce(&NetworkContext::OnHttpCacheSizeComputed,
base::Unretained(this), std::move(callback))));
}
void NetworkContext::ClearHostCache(mojom::ClearDataFilterPtr filter,
ClearHostCacheCallback callback) {
net::HostCache* host_cache =
url_request_context_->host_resolver()->GetHostCache();
DCHECK(host_cache);
host_cache->ClearForHosts(MakeDomainFilter(filter.get()));
std::move(callback).Run();
}
void NetworkContext::ClearHttpAuthCache(base::Time start_time,
base::Time end_time,
ClearHttpAuthCacheCallback callback) {
net::HttpNetworkSession* http_session =
url_request_context_->http_transaction_factory()->GetSession();
DCHECK(http_session);
http_session->http_auth_cache()->ClearEntriesAddedBetween(start_time,
end_time);
// TODO(mmenke): Use another error code for this, as ERR_ABORTED has somewhat
// magical handling with respect to navigations.
http_session->CloseAllConnections(net::ERR_ABORTED, "Clearing auth cache");
std::move(callback).Run();
}
#if BUILDFLAG(ENABLE_REPORTING)
void NetworkContext::ClearReportingCacheReports(
mojom::ClearDataFilterPtr filter,
ClearReportingCacheReportsCallback callback) {
net::ReportingService* reporting_service =
url_request_context_->reporting_service();
if (reporting_service) {
if (filter) {
reporting_service->RemoveBrowsingData(
net::ReportingBrowsingDataRemover::DATA_TYPE_REPORTS,
BuildUrlFilter(std::move(filter)));
} else {
reporting_service->RemoveAllBrowsingData(
net::ReportingBrowsingDataRemover::DATA_TYPE_REPORTS);
}
}
std::move(callback).Run();
}
void NetworkContext::ClearReportingCacheClients(
mojom::ClearDataFilterPtr filter,
ClearReportingCacheClientsCallback callback) {
net::ReportingService* reporting_service =
url_request_context_->reporting_service();
if (reporting_service) {
if (filter) {
reporting_service->RemoveBrowsingData(
net::ReportingBrowsingDataRemover::DATA_TYPE_CLIENTS,
BuildUrlFilter(std::move(filter)));
} else {
reporting_service->RemoveAllBrowsingData(
net::ReportingBrowsingDataRemover::DATA_TYPE_CLIENTS);
}
}
std::move(callback).Run();
}
void NetworkContext::ClearNetworkErrorLogging(
mojom::ClearDataFilterPtr filter,
ClearNetworkErrorLoggingCallback callback) {
net::NetworkErrorLoggingService* logging_service =
url_request_context_->network_error_logging_service();
if (logging_service) {
if (filter) {
logging_service->RemoveBrowsingData(BuildUrlFilter(std::move(filter)));
} else {
logging_service->RemoveAllBrowsingData();
}
}
std::move(callback).Run();
}
void NetworkContext::SetDocumentReportingEndpoints(
const base::UnguessableToken& reporting_source,
const url::Origin& origin,
const net::IsolationInfo& isolation_info,
const base::flat_map<std::string, std::string>& endpoints) {
DCHECK(!reporting_source.is_empty());
DCHECK_EQ(net::IsolationInfo::RequestType::kOther,
isolation_info.request_type());
net::ReportingService* reporting_service =
url_request_context()->reporting_service();
if (reporting_service) {
reporting_service->SetDocumentReportingEndpoints(reporting_source, origin,
isolation_info, endpoints);
}
}
void NetworkContext::SendReportsAndRemoveSource(
const base::UnguessableToken& reporting_source) {
DCHECK(!reporting_source.is_empty());
net::ReportingService* reporting_service =
url_request_context()->reporting_service();
if (reporting_service)
reporting_service->SendReportsAndRemoveSource(reporting_source);
}
void NetworkContext::QueueReport(
const std::string& type,
const std::string& group,
const GURL& url,
const absl::optional<base::UnguessableToken>& reporting_source,
const net::NetworkIsolationKey& network_isolation_key,
const absl::optional<std::string>& user_agent,
base::Value body) {
// If |reporting_source| is provided, it must not be empty.
DCHECK(!(reporting_source.has_value() && reporting_source->is_empty()));
if (require_network_isolation_key_)
DCHECK(!network_isolation_key.IsEmpty());
DCHECK(body.is_dict());
if (!body.is_dict())
return;
// Get the ReportingService.
net::URLRequestContext* request_context = url_request_context();
net::ReportingService* reporting_service =
request_context->reporting_service();
// TODO(paulmeyer): Remove this once the network service ships everywhere.
if (!reporting_service) {
return;
}
std::string reported_user_agent = user_agent.value_or("");
if (reported_user_agent.empty() &&
request_context->http_user_agent_settings() != nullptr) {
reported_user_agent =
request_context->http_user_agent_settings()->GetUserAgent();
}
reporting_service->QueueReport(
url, reporting_source, network_isolation_key, reported_user_agent, group,
type, base::Value::ToUniquePtrValue(std::move(body)), 0 /* depth */);
}
void NetworkContext::QueueSignedExchangeReport(
mojom::SignedExchangeReportPtr report,
const net::NetworkIsolationKey& network_isolation_key) {
if (require_network_isolation_key_)
DCHECK(!network_isolation_key.IsEmpty());
net::NetworkErrorLoggingService* logging_service =
url_request_context_->network_error_logging_service();
if (!logging_service)
return;
std::string user_agent;
if (url_request_context_->http_user_agent_settings() != nullptr) {
user_agent =
url_request_context_->http_user_agent_settings()->GetUserAgent();
}
net::NetworkErrorLoggingService::SignedExchangeReportDetails details;
details.network_isolation_key = network_isolation_key;
details.success = report->success;
details.type = std::move(report->type);
details.outer_url = std::move(report->outer_url);
details.inner_url = std::move(report->inner_url);
details.cert_url = std::move(report->cert_url);
details.referrer = std::move(report->referrer);
details.server_ip_address = std::move(report->server_ip_address);
details.protocol = std::move(report->protocol);
details.method = std::move(report->method);
details.status_code = report->status_code;
details.elapsed_time = report->elapsed_time;
details.user_agent = std::move(user_agent);
logging_service->QueueSignedExchangeReport(std::move(details));
}
void NetworkContext::AddReportingApiObserver(
mojo::PendingRemote<network::mojom::ReportingApiObserver> observer) {
if (url_request_context() && url_request_context()->reporting_service()) {
if (!is_observing_reporting_service_) {
is_observing_reporting_service_ = true;
url_request_context()->reporting_service()->AddReportingCacheObserver(
this);
reporting_api_observers_.set_disconnect_handler(
base::BindRepeating(&NetworkContext::OnReportingObserverDisconnect,
weak_factory_.GetWeakPtr()));
}
auto id = reporting_api_observers_.Add(std::move(observer));
auto service_reports =
url_request_context()->reporting_service()->GetReports();
for (const auto* service_report : service_reports) {
reporting_api_observers_.Get(id)->OnReportAdded(*service_report);
}
base::flat_map<url::Origin, std::vector<net::ReportingEndpoint>>
endpoints_by_origin = url_request_context()
->reporting_service()
->GetV1ReportingEndpointsByOrigin();
for (auto const& origin_and_endpoints : endpoints_by_origin) {
OnEndpointsUpdatedForOrigin(origin_and_endpoints.second);
}
}
}
void NetworkContext::OnReportAdded(const net::ReportingReport* service_report) {
for (const auto& observer : reporting_api_observers_) {
observer->OnReportAdded(*service_report);
}
}
void NetworkContext::OnEndpointsUpdatedForOrigin(
const std::vector<net::ReportingEndpoint>& endpoints) {
for (const auto& observer : reporting_api_observers_) {
observer->OnEndpointsUpdatedForOrigin(endpoints);
}
}
void NetworkContext::OnReportUpdated(
const net::ReportingReport* service_report) {
for (const auto& observer : reporting_api_observers_) {
observer->OnReportUpdated(*service_report);
}
}
void NetworkContext::OnReportingObserverDisconnect(
mojo::RemoteSetElementId /*mojo_id*/) {
if (!reporting_api_observers_.size()) {
DCHECK(url_request_context());
DCHECK(url_request_context()->reporting_service());
url_request_context()->reporting_service()->RemoveReportingCacheObserver(
this);
is_observing_reporting_service_ = false;
}
}
#else // BUILDFLAG(ENABLE_REPORTING)
void NetworkContext::ClearReportingCacheReports(
mojom::ClearDataFilterPtr filter,
ClearReportingCacheReportsCallback callback) {
NOTREACHED();
}
void NetworkContext::ClearReportingCacheClients(
mojom::ClearDataFilterPtr filter,
ClearReportingCacheClientsCallback callback) {
NOTREACHED();
}
void NetworkContext::ClearNetworkErrorLogging(
mojom::ClearDataFilterPtr filter,
ClearNetworkErrorLoggingCallback callback) {
NOTREACHED();
}
void NetworkContext::SetDocumentReportingEndpoints(
const base::UnguessableToken& reporting_source,
const url::Origin& origin,
const net::IsolationInfo& isolation_info,
const base::flat_map<std::string, std::string>& endpoints) {
NOTREACHED();
}
void NetworkContext::SendReportsAndRemoveSource(
const base::UnguessableToken& reporting_source) {
NOTREACHED();
}
void NetworkContext::QueueReport(
const std::string& type,
const std::string& group,
const GURL& url,
const absl::optional<base::UnguessableToken>& reporting_source,
const net::NetworkIsolationKey& network_isolation_key,
const absl::optional<std::string>& user_agent,
base::Value body) {
NOTREACHED();
}
void NetworkContext::QueueSignedExchangeReport(
mojom::SignedExchangeReportPtr report,
const net::NetworkIsolationKey& network_isolation_key) {
NOTREACHED();
}
#endif // BUILDFLAG(ENABLE_REPORTING)
void NetworkContext::ClearDomainReliability(
mojom::ClearDataFilterPtr filter,
DomainReliabilityClearMode mode,
ClearDomainReliabilityCallback callback) {
if (domain_reliability_monitor_) {
domain_reliability::DomainReliabilityClearMode dr_mode;
if (mode ==
mojom::NetworkContext::DomainReliabilityClearMode::CLEAR_CONTEXTS) {
dr_mode = domain_reliability::CLEAR_CONTEXTS;
} else {
dr_mode = domain_reliability::CLEAR_BEACONS;
}
domain_reliability_monitor_->ClearBrowsingData(
dr_mode, BuildUrlFilter(std::move(filter)));
}
std::move(callback).Run();
}
void NetworkContext::GetDomainReliabilityJSON(
GetDomainReliabilityJSONCallback callback) {
if (!domain_reliability_monitor_) {
base::Value data(base::Value::Type::DICTIONARY);
data.SetStringKey("error", "no_service");
std::move(callback).Run(std::move(data));
return;
}
std::move(callback).Run(domain_reliability_monitor_->GetWebUIData());
}
void NetworkContext::CloseAllConnections(CloseAllConnectionsCallback callback) {
net::HttpNetworkSession* http_session =
url_request_context_->http_transaction_factory()->GetSession();
DCHECK(http_session);
// TODO(mmenke): Use another error code for this, as ERR_ABORTED has somewhat
// magical handling with respect to navigations.
http_session->CloseAllConnections(net::ERR_ABORTED,
"Embedder closing all connections");
std::move(callback).Run();
}
void NetworkContext::CloseIdleConnections(
CloseIdleConnectionsCallback callback) {
net::HttpNetworkSession* http_session =
url_request_context_->http_transaction_factory()->GetSession();
DCHECK(http_session);
http_session->CloseIdleConnections("Embedder closing idle connections");
std::move(callback).Run();
}
void NetworkContext::SetNetworkConditions(
const base::UnguessableToken& throttling_profile_id,
mojom::NetworkConditionsPtr conditions) {
std::unique_ptr<NetworkConditions> network_conditions;
if (conditions) {
network_conditions = std::make_unique<NetworkConditions>(
conditions->offline, conditions->latency.InMillisecondsF(),
conditions->download_throughput, conditions->upload_throughput);
}
ThrottlingController::SetConditions(throttling_profile_id,
std::move(network_conditions));
}
void NetworkContext::SetAcceptLanguage(const std::string& new_accept_language) {
// This may only be called on NetworkContexts created with the constructor
// that calls MakeURLRequestContext().
DCHECK(user_agent_settings_);
user_agent_settings_->set_accept_language(new_accept_language);
}
void NetworkContext::SetEnableReferrers(bool enable_referrers) {
// This may only be called on NetworkContexts created with the constructor
// that calls MakeURLRequestContext().
DCHECK(network_delegate_);
network_delegate_->set_enable_referrers(enable_referrers);
}
#if BUILDFLAG(IS_CHROMEOS)
void NetworkContext::UpdateAdditionalCertificates(
mojom::AdditionalCertificatesPtr additional_certificates) {
if (!cert_verifier_with_trust_anchors_) {
CHECK(g_cert_verifier_for_testing);
return;
}
if (!additional_certificates) {
cert_verifier_with_trust_anchors_->SetAdditionalCerts(
net::CertificateList(), net::CertificateList());
return;
}
cert_verifier_with_trust_anchors_->SetAdditionalCerts(
additional_certificates->trust_anchors,
additional_certificates->all_certificates);
}
#endif // BUILDFLAG(IS_CHROMEOS)
#if BUILDFLAG(IS_CT_SUPPORTED)
void NetworkContext::SetCTPolicy(mojom::CTPolicyPtr ct_policy) {
if (!require_ct_delegate_)
return;
require_ct_delegate_->UpdateCTPolicies(
ct_policy->required_hosts, ct_policy->excluded_hosts,
ct_policy->excluded_spkis, ct_policy->excluded_legacy_spkis);
}
void NetworkContext::AddExpectCT(
const std::string& domain,
base::Time expiry,
bool enforce,
const GURL& report_uri,
const net::NetworkIsolationKey& network_isolation_key,
AddExpectCTCallback callback) {
net::TransportSecurityState* transport_security_state =
url_request_context()->transport_security_state();
if (!transport_security_state) {
std::move(callback).Run(false);
return;
}
transport_security_state->AddExpectCT(domain, expiry, enforce, report_uri,
network_isolation_key);
std::move(callback).Run(true);
}
void NetworkContext::SetExpectCTTestReport(
const GURL& report_uri,
SetExpectCTTestReportCallback callback) {
std::string decoded_dummy_cert;
bool decoded = base::Base64Decode(kTestReportCert, &decoded_dummy_cert);
DCHECK(decoded);
scoped_refptr<net::X509Certificate> dummy_cert =
net::X509Certificate::CreateFromBytes(
base::as_bytes(base::make_span(decoded_dummy_cert)));
LazyCreateExpectCTReporter(url_request_context());
// We need to save |callback| into a queue because this implementation is
// relying on the success/failed observer methods of network::ExpectCTReporter
// which can be called at any time, and for other reasons. It's unlikely
// but it is possible that |callback| could be called for some other event
// other than the one initiated below when calling OnExpectCTFailed.
outstanding_set_expect_ct_callbacks_.push(std::move(callback));
// Send a test report with dummy data.
net::SignedCertificateTimestampAndStatusList dummy_sct_list;
expect_ct_reporter_->OnExpectCTFailed(
net::HostPortPair("expect-ct-report.test", 443), report_uri,
base::Time::Now(), dummy_cert.get(), dummy_cert.get(), dummy_sct_list,
// No need for a shared NetworkIsolationKey here, as this is test-only
// code and none
// of the tests that call it care about the NetworkIsolationKey.
net::NetworkIsolationKey::CreateTransient());
}
void NetworkContext::LazyCreateExpectCTReporter(
net::URLRequestContext* url_request_context) {
if (expect_ct_reporter_)
return;
// This instance owns owns and outlives expect_ct_reporter_, so safe to
// pass |this|.
expect_ct_reporter_ = std::make_unique<network::ExpectCTReporter>(
url_request_context,
base::BindRepeating(&NetworkContext::OnSetExpectCTTestReportSuccess,
base::Unretained(this)),
base::BindRepeating(&NetworkContext::OnSetExpectCTTestReportFailure,
base::Unretained(this)));
}
void NetworkContext::OnSetExpectCTTestReportSuccess() {
if (outstanding_set_expect_ct_callbacks_.empty())
return;
std::move(outstanding_set_expect_ct_callbacks_.front()).Run(true);
outstanding_set_expect_ct_callbacks_.pop();
}
void NetworkContext::OnSetExpectCTTestReportFailure() {
if (outstanding_set_expect_ct_callbacks_.empty())
return;
std::move(outstanding_set_expect_ct_callbacks_.front()).Run(false);
outstanding_set_expect_ct_callbacks_.pop();
}
void NetworkContext::GetExpectCTState(
const std::string& domain,
const net::NetworkIsolationKey& network_isolation_key,
GetExpectCTStateCallback callback) {
base::Value result(base::Value::Type::DICTIONARY);
if (base::IsStringASCII(domain)) {
net::TransportSecurityState* transport_security_state =
url_request_context()->transport_security_state();
if (transport_security_state) {
net::TransportSecurityState::ExpectCTState dynamic_expect_ct_state;
bool found = transport_security_state->GetDynamicExpectCTState(
domain, network_isolation_key, &dynamic_expect_ct_state);
// TODO(estark): query static Expect-CT state as well.
if (found) {
result.SetStringKey("dynamic_expect_ct_domain", domain);
result.SetDoubleKey("dynamic_expect_ct_observed",
dynamic_expect_ct_state.last_observed.ToDoubleT());
result.SetDoubleKey("dynamic_expect_ct_expiry",
dynamic_expect_ct_state.expiry.ToDoubleT());
result.SetBoolKey("dynamic_expect_ct_enforce",
dynamic_expect_ct_state.enforce);
result.SetStringKey("dynamic_expect_ct_report_uri",
dynamic_expect_ct_state.report_uri.spec());
}
result.SetBoolKey("result", found);
} else {
result.SetStringKey("error", "no Expect-CT state active");
}
} else {
result.SetStringKey("error", "non-ASCII domain name");
}
std::move(callback).Run(std::move(result));
}
void NetworkContext::MaybeEnqueueSCTReport(
const net::HostPortPair& host_port_pair,
const net::X509Certificate* validated_certificate_chain,
const net::SignedCertificateTimestampAndStatusList&
signed_certificate_timestamps) {
if (!sct_auditing_handler()->is_enabled())
return;
network_service()->sct_auditing_cache()->MaybeEnqueueReport(
this, host_port_pair, validated_certificate_chain,
signed_certificate_timestamps);
}
void NetworkContext::SetSCTAuditingEnabled(bool enabled) {
sct_auditing_handler()->SetEnabled(enabled);
}
void NetworkContext::OnCTLogListUpdated(
const std::vector<network::mojom::CTLogInfoPtr>& log_list,
base::Time update_time) {
if (!ct_policy_enforcer_)
return;
std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs;
std::vector<std::string> operated_by_google_logs;
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
log_operator_history;
GetCTPolicyConfigForCTLogInfo(log_list, &disqualified_logs,
&operated_by_google_logs,
&log_operator_history);
ct_policy_enforcer_->UpdateCTLogList(
update_time, std::move(disqualified_logs),
std::move(operated_by_google_logs), std::move(log_operator_history));
}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
void NetworkContext::CreateUDPSocket(
mojo::PendingReceiver<mojom::UDPSocket> receiver,
mojo::PendingRemote<mojom::UDPSocketListener> listener) {
socket_factory_->CreateUDPSocket(std::move(receiver), std::move(listener));
}
void NetworkContext::CreateTCPServerSocket(
const net::IPEndPoint& local_addr,
uint32_t backlog,
const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
mojo::PendingReceiver<mojom::TCPServerSocket> receiver,
CreateTCPServerSocketCallback callback) {
socket_factory_->CreateTCPServerSocket(
local_addr, backlog,
static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
std::move(receiver), std::move(callback));
}
void NetworkContext::CreateTCPConnectedSocket(
const absl::optional<net::IPEndPoint>& local_addr,
const net::AddressList& remote_addr_list,
mojom::TCPConnectedSocketOptionsPtr tcp_connected_socket_options,
const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
mojo::PendingReceiver<mojom::TCPConnectedSocket> receiver,
mojo::PendingRemote<mojom::SocketObserver> observer,
CreateTCPConnectedSocketCallback callback) {
socket_factory_->CreateTCPConnectedSocket(
local_addr, remote_addr_list, std::move(tcp_connected_socket_options),
static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
std::move(receiver), std::move(observer), std::move(callback));
}
void NetworkContext::CreateTCPBoundSocket(
const net::IPEndPoint& local_addr,
const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
mojo::PendingReceiver<mojom::TCPBoundSocket> receiver,
CreateTCPBoundSocketCallback callback) {
socket_factory_->CreateTCPBoundSocket(
local_addr,
static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
std::move(receiver), std::move(callback));
}
void NetworkContext::CreateProxyResolvingSocketFactory(
mojo::PendingReceiver<mojom::ProxyResolvingSocketFactory> receiver) {
proxy_resolving_socket_factories_.Add(
std::make_unique<ProxyResolvingSocketFactoryMojo>(url_request_context()),
std::move(receiver));
}
void NetworkContext::LookUpProxyForURL(
const GURL& url,
const net::NetworkIsolationKey& network_isolation_key,
mojo::PendingRemote<mojom::ProxyLookupClient> proxy_lookup_client) {
DCHECK(proxy_lookup_client);
std::unique_ptr<ProxyLookupRequest> proxy_lookup_request(
std::make_unique<ProxyLookupRequest>(std::move(proxy_lookup_client), this,
network_isolation_key));
ProxyLookupRequest* proxy_lookup_request_ptr = proxy_lookup_request.get();
proxy_lookup_requests_.insert(std::move(proxy_lookup_request));
proxy_lookup_request_ptr->Start(url);
}
void NetworkContext::ForceReloadProxyConfig(
ForceReloadProxyConfigCallback callback) {
net::ConfiguredProxyResolutionService* configured_proxy_resolution_service =
nullptr;
if (url_request_context()
->proxy_resolution_service()
->CastToConfiguredProxyResolutionService(
&configured_proxy_resolution_service)) {
configured_proxy_resolution_service->ForceReloadProxyConfig();
} else {
LOG(WARNING)
<< "NetworkContext::ForceReloadProxyConfig() had no effect, as the "
"underlying ProxyResolutionService does not support that concept.";
}
std::move(callback).Run();
}
void NetworkContext::ClearBadProxiesCache(
ClearBadProxiesCacheCallback callback) {
url_request_context()->proxy_resolution_service()->ClearBadProxiesCache();
std::move(callback).Run();
}
void NetworkContext::CreateWebSocket(
const GURL& url,
const std::vector<std::string>& requested_protocols,
const net::SiteForCookies& site_for_cookies,
const net::IsolationInfo& isolation_info,
std::vector<mojom::HttpHeaderPtr> additional_headers,
int32_t process_id,
const url::Origin& origin,
uint32_t options,
const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
mojo::PendingRemote<mojom::WebSocketHandshakeClient> handshake_client,
mojo::PendingRemote<mojom::URLLoaderNetworkServiceObserver>
url_loader_network_observer,
mojo::PendingRemote<mojom::WebSocketAuthenticationHandler> auth_handler,
mojo::PendingRemote<mojom::TrustedHeaderClient> header_client,
const absl::optional<base::UnguessableToken>& throttling_profile_id) {
#if !BUILDFLAG(IS_IOS)
if (!websocket_factory_)
websocket_factory_ = std::make_unique<WebSocketFactory>(this);
DCHECK_GE(process_id, 0);
websocket_factory_->CreateWebSocket(
url, requested_protocols, site_for_cookies, isolation_info,
std::move(additional_headers), process_id, origin, options,
static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
std::move(handshake_client), std::move(url_loader_network_observer),
std::move(auth_handler), std::move(header_client), throttling_profile_id);
#endif // !BUILDFLAG(IS_IOS)
}
void NetworkContext::CreateWebTransport(
const GURL& url,
const url::Origin& origin,
const net::NetworkIsolationKey& key,
std::vector<mojom::WebTransportCertificateFingerprintPtr> fingerprints,
mojo::PendingRemote<mojom::WebTransportHandshakeClient>
pending_handshake_client) {
web_transports_.insert(
std::make_unique<WebTransport>(url, origin, key, fingerprints, this,
std::move(pending_handshake_client)));
}
void NetworkContext::CreateNetLogExporter(
mojo::PendingReceiver<mojom::NetLogExporter> receiver) {
net_log_exporter_receivers_.Add(std::make_unique<NetLogExporter>(this),
std::move(receiver));
}
void NetworkContext::ResolveHost(
const net::HostPortPair& host,
const net::NetworkIsolationKey& network_isolation_key,
mojom::ResolveHostParametersPtr optional_parameters,
mojo::PendingRemote<mojom::ResolveHostClient> response_client) {
if (!internal_host_resolver_) {
internal_host_resolver_ = std::make_unique<HostResolver>(
url_request_context_->host_resolver(), url_request_context_->net_log());
}
internal_host_resolver_->ResolveHost(host, network_isolation_key,
std::move(optional_parameters),
std::move(response_client));
}
void NetworkContext::CreateHostResolver(
const absl::optional<net::DnsConfigOverrides>& config_overrides,
mojo::PendingReceiver<mojom::HostResolver> receiver) {
net::HostResolver* internal_resolver = url_request_context_->host_resolver();
std::unique_ptr<net::HostResolver> private_internal_resolver;
if (config_overrides &&
config_overrides.value() != net::DnsConfigOverrides()) {
// If custom configuration is needed, create a separate internal resolver
// with the specified configuration overrides. Because we are using a non-
// standard resolver, disable the cache.
//
// TODO(crbug.com/846423): Consider allowing per-resolve overrides, so the
// same net::HostResolver with the same scheduler and cache can be used with
// different overrides. But since this is only used for special cases for
// now, much easier to create entirely separate net::HostResolver instances.
net::HostResolver::ManagerOptions options;
options.insecure_dns_client_enabled = true;
// Assume additional types are unnecessary for these special cases.
options.additional_types_via_insecure_dns_enabled = false;
options.dns_config_overrides = config_overrides.value();
private_internal_resolver =
network_service_->host_resolver_factory()->CreateStandaloneResolver(
url_request_context_->net_log(), std::move(options),
"" /* host_mapping_rules */, false /* enable_caching */);
private_internal_resolver->SetRequestContext(url_request_context_);
internal_resolver = private_internal_resolver.get();
}
host_resolvers_.emplace(
std::make_unique<HostResolver>(
std::move(receiver),
base::BindOnce(&NetworkContext::OnHostResolverShutdown,
base::Unretained(this)),
internal_resolver, url_request_context_->net_log()),
std::move(private_internal_resolver));
}
void NetworkContext::VerifyCertForSignedExchange(
const scoped_refptr<net::X509Certificate>& certificate,
const GURL& url,
const net::NetworkIsolationKey& network_isolation_key,
const std::string& ocsp_result,
const std::string& sct_list,
VerifyCertForSignedExchangeCallback callback) {
if (require_network_isolation_key_)
DCHECK(!network_isolation_key.IsEmpty());
int cert_verify_id = ++next_cert_verify_id_;
auto pending_cert_verify = std::make_unique<PendingCertVerify>();
pending_cert_verify->callback = std::move(callback);
pending_cert_verify->result = std::make_unique<net::CertVerifyResult>();
pending_cert_verify->certificate = certificate;
pending_cert_verify->url = url;
pending_cert_verify->network_isolation_key = network_isolation_key;
pending_cert_verify->ocsp_result = ocsp_result;
pending_cert_verify->sct_list = sct_list;
net::CertVerifier* cert_verifier =
g_cert_verifier_for_testing ? g_cert_verifier_for_testing
: url_request_context_->cert_verifier();
int result = cert_verifier->Verify(
net::CertVerifier::RequestParams(certificate, url.host(),
0 /* cert_verify_flags */, ocsp_result,
sct_list),
pending_cert_verify->result.get(),
base::BindOnce(&NetworkContext::OnVerifyCertForSignedExchangeComplete,
base::Unretained(this), cert_verify_id),
&pending_cert_verify->request,
net::NetLogWithSource::Make(url_request_context_->net_log(),
net::NetLogSourceType::CERT_VERIFIER_JOB));
cert_verifier_requests_[cert_verify_id] = std::move(pending_cert_verify);
if (result != net::ERR_IO_PENDING)
OnVerifyCertForSignedExchangeComplete(cert_verify_id, result);
}
void NetworkContext::NotifyExternalCacheHit(const GURL& url,
const std::string& http_method,
const net::NetworkIsolationKey& key,
bool is_subframe_document_resource,
bool include_credentials) {
net::HttpCache* cache =
url_request_context_->http_transaction_factory()->GetCache();
if (!cache)
return;
cache->OnExternalCacheHit(url, http_method, key,
is_subframe_document_resource, include_credentials);
}
void NetworkContext::SetCorsOriginAccessListsForOrigin(
const url::Origin& source_origin,
std::vector<mojom::CorsOriginPatternPtr> allow_patterns,
std::vector<mojom::CorsOriginPatternPtr> block_patterns,
SetCorsOriginAccessListsForOriginCallback callback) {
cors_origin_access_list_.SetAllowListForOrigin(source_origin, allow_patterns);
cors_origin_access_list_.SetBlockListForOrigin(source_origin, block_patterns);
std::move(callback).Run();
}
void NetworkContext::AddHSTS(const std::string& host,
base::Time expiry,
bool include_subdomains,
AddHSTSCallback callback) {
net::TransportSecurityState* state =
url_request_context_->transport_security_state();
state->AddHSTS(host, expiry, include_subdomains);
std::move(callback).Run();
}
void NetworkContext::IsHSTSActiveForHost(const std::string& host,
IsHSTSActiveForHostCallback callback) {
net::TransportSecurityState* security_state =
url_request_context_->transport_security_state();
if (!security_state) {
std::move(callback).Run(false);
return;
}
std::move(callback).Run(security_state->ShouldUpgradeToSSL(host));
}
void NetworkContext::GetHSTSState(const std::string& domain,
GetHSTSStateCallback callback) {
base::Value result(base::Value::Type::DICTIONARY);
if (base::IsStringASCII(domain)) {
net::TransportSecurityState* transport_security_state =
url_request_context()->transport_security_state();
if (transport_security_state) {
net::TransportSecurityState::STSState static_sts_state;
net::TransportSecurityState::PKPState static_pkp_state;
bool found_static = transport_security_state->GetStaticDomainState(
domain, &static_sts_state, &static_pkp_state);
if (found_static) {
result.SetIntKey("static_upgrade_mode",
static_cast<int>(static_sts_state.upgrade_mode));
result.SetBoolKey("static_sts_include_subdomains",
static_sts_state.include_subdomains);
result.SetDoubleKey("static_sts_observed",
static_sts_state.last_observed.ToDoubleT());
result.SetDoubleKey("static_sts_expiry",
static_sts_state.expiry.ToDoubleT());
result.SetBoolKey("static_pkp_include_subdomains",
static_pkp_state.include_subdomains);
result.SetDoubleKey("static_pkp_observed",
static_pkp_state.last_observed.ToDoubleT());
result.SetDoubleKey("static_pkp_expiry",
static_pkp_state.expiry.ToDoubleT());
result.SetStringKey("static_spki_hashes",
HashesToBase64String(static_pkp_state.spki_hashes));
result.SetStringKey("static_sts_domain", static_sts_state.domain);
result.SetStringKey("static_pkp_domain", static_pkp_state.domain);
}
net::TransportSecurityState::STSState dynamic_sts_state;
net::TransportSecurityState::PKPState dynamic_pkp_state;
bool found_sts_dynamic = transport_security_state->GetDynamicSTSState(
domain, &dynamic_sts_state);
bool found_pkp_dynamic = transport_security_state->GetDynamicPKPState(
domain, &dynamic_pkp_state);
if (found_sts_dynamic) {
result.SetIntKey("dynamic_upgrade_mode",
static_cast<int>(dynamic_sts_state.upgrade_mode));
result.SetBoolKey("dynamic_sts_include_subdomains",
dynamic_sts_state.include_subdomains);
result.SetDoubleKey("dynamic_sts_observed",
dynamic_sts_state.last_observed.ToDoubleT());
result.SetDoubleKey("dynamic_sts_expiry",
dynamic_sts_state.expiry.ToDoubleT());
result.SetStringKey("dynamic_sts_domain", dynamic_sts_state.domain);
}
if (found_pkp_dynamic) {
result.SetBoolKey("dynamic_pkp_include_subdomains",
dynamic_pkp_state.include_subdomains);
result.SetDoubleKey("dynamic_pkp_observed",
dynamic_pkp_state.last_observed.ToDoubleT());
result.SetDoubleKey("dynamic_pkp_expiry",
dynamic_pkp_state.expiry.ToDoubleT());
result.SetStringKey(
"dynamic_spki_hashes",
HashesToBase64String(dynamic_pkp_state.spki_hashes));
result.SetStringKey("dynamic_pkp_domain", dynamic_pkp_state.domain);
}
result.SetBoolKey("result",
found_static || found_sts_dynamic || found_pkp_dynamic);
} else {
result.SetStringKey("error", "no TransportSecurityState active");
}
} else {
result.SetStringKey("error", "non-ASCII domain name");
}
std::move(callback).Run(std::move(result));
}
void NetworkContext::DeleteDynamicDataForHost(
const std::string& host,
DeleteDynamicDataForHostCallback callback) {
net::TransportSecurityState* transport_security_state =
url_request_context()->transport_security_state();
if (!transport_security_state) {
std::move(callback).Run(false);
return;
}
std::move(callback).Run(
transport_security_state->DeleteDynamicDataForHost(host));
}
void NetworkContext::EnableStaticKeyPinningForTesting(
EnableStaticKeyPinningForTestingCallback callback) {
net::TransportSecurityState* state =
url_request_context_->transport_security_state();
state->EnableStaticPinsForTesting();
std::move(callback).Run();
}
void NetworkContext::VerifyCertificateForTesting(
const scoped_refptr<net::X509Certificate>& certificate,
const std::string& hostname,
const std::string& ocsp_response,
const std::string& sct_list,
VerifyCertificateForTestingCallback callback) {
net::CertVerifier* cert_verifier = url_request_context_->cert_verifier();
auto state = std::make_unique<TestVerifyCertState>();
auto* request = &state->request;
auto* result = &state->result;
cert_verifier->Verify(
net::CertVerifier::RequestParams(certificate.get(), hostname, 0,
ocsp_response, sct_list),
result,
base::BindOnce(TestVerifyCertCallback, std::move(state),
std::move(callback)),
request, net::NetLogWithSource());
}
void NetworkContext::PreconnectSockets(
uint32_t num_streams,
const GURL& original_url,
bool allow_credentials,
const net::NetworkIsolationKey& network_isolation_key) {
DCHECK(!require_network_isolation_key_ || !network_isolation_key.IsEmpty());
GURL url = GetHSTSRedirect(original_url);
// |PreconnectSockets| may receive arguments from the renderer, which is not
// guaranteed to validate them.
if (num_streams == 0)
return;
std::string user_agent;
if (url_request_context_->http_user_agent_settings()) {
user_agent =
url_request_context_->http_user_agent_settings()->GetUserAgent();
}
net::HttpRequestInfo request_info;
request_info.url = url;
request_info.method = net::HttpRequestHeaders::kGetMethod;
request_info.extra_headers.SetHeader(net::HttpRequestHeaders::kUserAgent,
user_agent);
if (allow_credentials) {
request_info.load_flags = net::LOAD_NORMAL;
request_info.privacy_mode = net::PRIVACY_MODE_DISABLED;
} else {
request_info.load_flags = net::LOAD_DO_NOT_SAVE_COOKIES;
request_info.privacy_mode = net::PRIVACY_MODE_ENABLED;
}
request_info.network_isolation_key = network_isolation_key;
net::HttpTransactionFactory* factory =
url_request_context_->http_transaction_factory();
net::HttpNetworkSession* session = factory->GetSession();
net::HttpStreamFactory* http_stream_factory = session->http_stream_factory();
http_stream_factory->PreconnectStreams(
base::saturated_cast<int32_t>(num_streams), request_info);
}
#if BUILDFLAG(IS_P2P_ENABLED)
void NetworkContext::CreateP2PSocketManager(
const net::NetworkIsolationKey& network_isolation_key,
mojo::PendingRemote<mojom::P2PTrustedSocketManagerClient> client,
mojo::PendingReceiver<mojom::P2PTrustedSocketManager>
trusted_socket_manager,
mojo::PendingReceiver<mojom::P2PSocketManager> socket_manager_receiver) {
std::unique_ptr<P2PSocketManager> socket_manager =
std::make_unique<P2PSocketManager>(
network_isolation_key, std::move(client),
std::move(trusted_socket_manager), std::move(socket_manager_receiver),
base::BindRepeating(&NetworkContext::DestroySocketManager,
base::Unretained(this)),
url_request_context_);
socket_managers_[socket_manager.get()] = std::move(socket_manager);
}
#endif // BUILDFLAG(IS_P2P_ENABLED)
void NetworkContext::CreateMdnsResponder(
mojo::PendingReceiver<mojom::MdnsResponder> responder_receiver) {
#if BUILDFLAG(ENABLE_MDNS)
if (!mdns_responder_manager_)
mdns_responder_manager_ = std::make_unique<MdnsResponderManager>();
mdns_responder_manager_->CreateMdnsResponder(std::move(responder_receiver));
#else
NOTREACHED();
#endif // BUILDFLAG(ENABLE_MDNS)
}
void NetworkContext::AddDomainReliabilityContextForTesting(
const GURL& origin,
const GURL& upload_url,
AddDomainReliabilityContextForTestingCallback callback) {
auto config = std::make_unique<domain_reliability::DomainReliabilityConfig>();
config->origin = origin;
config->include_subdomains = false;
config->collectors.push_back(std::make_unique<GURL>(upload_url));
config->success_sample_rate = 1.0;
config->failure_sample_rate = 1.0;
domain_reliability_monitor_->AddContextForTesting(std::move(config));
std::move(callback).Run();
}
void NetworkContext::ForceDomainReliabilityUploadsForTesting(
ForceDomainReliabilityUploadsForTestingCallback callback) {
domain_reliability_monitor_->ForceUploadsForTesting();
std::move(callback).Run();
}
void NetworkContext::SetSplitAuthCacheByNetworkIsolationKey(
bool split_auth_cache_by_network_isolation_key) {
url_request_context_->http_transaction_factory()
->GetSession()
->http_auth_cache()
->SetKeyServerEntriesByNetworkIsolationKey(
split_auth_cache_by_network_isolation_key);
}
void NetworkContext::SaveHttpAuthCacheProxyEntries(
SaveHttpAuthCacheProxyEntriesCallback callback) {
net::HttpAuthCache* http_auth_cache =
url_request_context_->http_transaction_factory()
->GetSession()
->http_auth_cache();
base::UnguessableToken cache_key =
network_service_->http_auth_cache_copier()->SaveHttpAuthCache(
*http_auth_cache);
std::move(callback).Run(cache_key);
}
void NetworkContext::LoadHttpAuthCacheProxyEntries(
const base::UnguessableToken& cache_key,
LoadHttpAuthCacheProxyEntriesCallback callback) {
net::HttpAuthCache* http_auth_cache =
url_request_context_->http_transaction_factory()
->GetSession()
->http_auth_cache();
network_service_->http_auth_cache_copier()->LoadHttpAuthCache(
cache_key, http_auth_cache);
std::move(callback).Run();
}
void NetworkContext::AddAuthCacheEntry(
const net::AuthChallengeInfo& challenge,
const net::NetworkIsolationKey& network_isolation_key,
const net::AuthCredentials& credentials,
AddAuthCacheEntryCallback callback) {
net::HttpAuthCache* http_auth_cache =
url_request_context_->http_transaction_factory()
->GetSession()
->http_auth_cache();
http_auth_cache->Add(
// TODO(https://crbug.com/): Convert AuthCredentials::challenger field to
// a SchemeHostPort.
challenge.challenger.GetTupleOrPrecursorTupleIfOpaque(),
challenge.is_proxy ? net::HttpAuth::AUTH_PROXY
: net::HttpAuth::AUTH_SERVER,
challenge.realm, net::HttpAuth::StringToScheme(challenge.scheme),
network_isolation_key, challenge.challenge, credentials, challenge.path);
std::move(callback).Run();
}
void NetworkContext::SetCorsNonWildcardRequestHeadersSupport(bool value) {
if (!base::FeatureList::IsEnabled(
features::kCorsNonWildcardRequestHeadersSupport)) {
return;
}
cors_non_wildcard_request_headers_support_ =
cors::NonWildcardRequestHeadersSupport(value);
}
void NetworkContext::LookupServerBasicAuthCredentials(
const GURL& url,
const net::NetworkIsolationKey& network_isolation_key,
LookupServerBasicAuthCredentialsCallback callback) {
net::HttpAuthCache* http_auth_cache =
url_request_context_->http_transaction_factory()
->GetSession()
->http_auth_cache();
net::HttpAuthCache::Entry* entry = http_auth_cache->LookupByPath(
url::SchemeHostPort(url), net::HttpAuth::AUTH_SERVER,
network_isolation_key, url.path());
if (entry && entry->scheme() == net::HttpAuth::AUTH_SCHEME_BASIC)
std::move(callback).Run(entry->credentials());
else
std::move(callback).Run(absl::nullopt);
}
#if BUILDFLAG(IS_CHROMEOS_ASH)
void NetworkContext::LookupProxyAuthCredentials(
const net::ProxyServer& proxy_server,
const std::string& auth_scheme,
const std::string& realm,
LookupProxyAuthCredentialsCallback callback) {
net::HttpAuth::Scheme net_scheme =
net::HttpAuth::StringToScheme(base::ToLowerASCII(auth_scheme));
if (net_scheme == net::HttpAuth::Scheme::AUTH_SCHEME_MAX) {
std::move(callback).Run(absl::nullopt);
return;
}
net::HttpAuthCache* http_auth_cache =
url_request_context_->http_transaction_factory()
->GetSession()
->http_auth_cache();
// TODO(https://crbug.com/1103768): Mapping proxy addresses to URLs is a
// lossy conversion, shouldn't do this.
const char* scheme =
proxy_server.is_secure_http_like() ? "https://" : "http://";
url::SchemeHostPort scheme_host_port(
GURL(scheme + proxy_server.host_port_pair().ToString()));
if (!scheme_host_port.IsValid()) {
std::move(callback).Run(absl::nullopt);
return;
}
// Unlike server credentials, proxy credentials are not keyed on
// NetworkIsolationKey.
net::HttpAuthCache::Entry* entry =
http_auth_cache->Lookup(scheme_host_port, net::HttpAuth::AUTH_PROXY,
realm, net_scheme, net::NetworkIsolationKey());
if (entry)
std::move(callback).Run(entry->credentials());
else
std::move(callback).Run(absl::nullopt);
}
#endif
const net::HttpAuthPreferences* NetworkContext::GetHttpAuthPreferences() const {
return &http_auth_merged_preferences_;
}
size_t NetworkContext::NumOpenWebTransports() const {
return std::count_if(web_transports_.begin(), web_transports_.end(),
[](const std::unique_ptr<WebTransport>& transport) {
return !transport->torn_down();
});
}
void NetworkContext::OnHttpAuthDynamicParamsChanged(
const mojom::HttpAuthDynamicParams*
http_auth_dynamic_network_service_params) {
http_auth_merged_preferences_.SetServerAllowlist(
http_auth_dynamic_network_service_params->server_allowlist);
http_auth_merged_preferences_.SetDelegateAllowlist(
http_auth_dynamic_network_service_params->delegate_allowlist);
http_auth_merged_preferences_.set_delegate_by_kdc_policy(
http_auth_dynamic_network_service_params->delegate_by_kdc_policy);
http_auth_merged_preferences_.set_negotiate_disable_cname_lookup(
http_auth_dynamic_network_service_params->negotiate_disable_cname_lookup);
http_auth_merged_preferences_.set_negotiate_enable_port(
http_auth_dynamic_network_service_params->enable_negotiate_port);
http_auth_merged_preferences_.set_basic_over_http_enabled(
http_auth_dynamic_network_service_params->basic_over_http_enabled);
#if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
http_auth_merged_preferences_.set_ntlm_v2_enabled(
http_auth_dynamic_network_service_params->ntlm_v2_enabled);
#endif
#if BUILDFLAG(IS_ANDROID)
http_auth_merged_preferences_.set_auth_android_negotiate_account_type(
http_auth_dynamic_network_service_params->android_negotiate_account_type);
#endif
#if BUILDFLAG(IS_CHROMEOS_ASH)
http_auth_merged_preferences_.set_allow_gssapi_library_load(
http_auth_dynamic_network_service_params->allow_gssapi_library_load);
#endif
}
URLRequestContextOwner NetworkContext::MakeURLRequestContext(
mojo::PendingRemote<mojom::URLLoaderFactory>
url_loader_factory_for_cert_net_fetcher,
scoped_refptr<SessionCleanupCookieStore> session_cleanup_cookie_store) {
URLRequestContextBuilderMojo builder;
const base::CommandLine* command_line =
base::CommandLine::ForCurrentProcess();
std::unique_ptr<net::CertVerifier> cert_verifier;
if (g_cert_verifier_for_testing) {
cert_verifier = std::make_unique<WrappedTestingCertVerifier>();
} else {
DCHECK(params_->cert_verifier_params);
// base::Unretained() is safe below because |this| will own
// |cert_verifier|.
// TODO(https://crbug.com/1085233): this cert verifier should deal with
// disconnections if the CertVerifierService is run outside of the browser
// process.
cert_verifier = std::make_unique<cert_verifier::MojoCertVerifier>(
std::move(params_->cert_verifier_params->cert_verifier_service),
std::move(url_loader_factory_for_cert_net_fetcher),
base::BindRepeating(
&NetworkContext::CreateURLLoaderFactoryForCertNetFetcher,
base::Unretained(this)));
#if BUILDFLAG(IS_CT_SUPPORTED)
std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
for (const auto& log : network_service_->log_list()) {
scoped_refptr<const net::CTLogVerifier> log_verifier =
net::CTLogVerifier::Create(log->public_key, log->name);
if (!log_verifier) {
// TODO: Signal bad configuration (such as bad key).
continue;
}
ct_logs.push_back(std::move(log_verifier));
}
auto ct_verifier = std::make_unique<net::MultiLogCTVerifier>(
network_service_->ct_log_list_distributor());
ct_verifier->SetLogs(ct_logs);
cert_verifier = std::make_unique<net::CertAndCTVerifier>(
std::move(cert_verifier), std::move(ct_verifier));
#endif // BUILDFLAG(IS_CT_SUPPORTED)
// Whether the cert verifier is remote or in-process, we should wrap it in
// caching and coalescing layers to avoid extra verifications and IPCs.
cert_verifier = std::make_unique<net::CachingCertVerifier>(
std::make_unique<net::CoalescingCertVerifier>(
std::move(cert_verifier)));
#if BUILDFLAG(IS_CHROMEOS)
cert_verifier_with_trust_anchors_ =
new CertVerifierWithTrustAnchors(base::BindRepeating(
&NetworkContext::TrustAnchorUsed, base::Unretained(this)));
UpdateAdditionalCertificates(
std::move(params_->initial_additional_certificates));
cert_verifier_with_trust_anchors_->InitializeOnIOThread(
std::move(cert_verifier));
cert_verifier = base::WrapUnique(cert_verifier_with_trust_anchors_);
#endif // BUILDFLAG(IS_CHROMEOS)
}
builder.SetCertVerifier(IgnoreErrorsCertVerifier::MaybeWrapCertVerifier(
*command_line, nullptr, std::move(cert_verifier)));
#if BUILDFLAG(IS_CT_SUPPORTED)
if (params_->enforce_chrome_ct_policy) {
std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs;
std::vector<std::string> operated_by_google_logs;
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
log_operator_history;
GetCTPolicyConfigForCTLogInfo(network_service_->log_list(),
&disqualified_logs, &operated_by_google_logs,
&log_operator_history);
auto ct_policy_enforcer =
std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
network_service_->ct_log_list_update_time(),
std::move(disqualified_logs), std::move(operated_by_google_logs),
std::move(log_operator_history));
ct_policy_enforcer_ = ct_policy_enforcer.get();
builder.set_ct_policy_enforcer(std::move(ct_policy_enforcer));
}
builder.set_sct_auditing_delegate(
std::make_unique<SCTAuditingDelegate>(weak_factory_.GetWeakPtr()));
#endif // BUILDFLAG(IS_CT_SUPPORTED)
std::unique_ptr<NetworkServiceNetworkDelegate> network_delegate =
std::make_unique<NetworkServiceNetworkDelegate>(
params_->enable_referrers,
params_->validate_referrer_policy_on_initial_request,
std::move(params_->proxy_error_client), this);
network_delegate_ = network_delegate.get();
builder.set_network_delegate(std::move(network_delegate));
if (params_->initial_custom_proxy_config ||
params_->custom_proxy_config_client_receiver) {
std::unique_ptr<NetworkServiceProxyDelegate> proxy_delegate =
std::make_unique<NetworkServiceProxyDelegate>(
std::move(params_->initial_custom_proxy_config),
std::move(params_->custom_proxy_config_client_receiver),
std::move(params_->custom_proxy_connection_observer_remote));
proxy_delegate_ = proxy_delegate.get();
builder.set_proxy_delegate(std::move(proxy_delegate));
}
net::NetLog* net_log = nullptr;
if (network_service_) {
net_log = network_service_->net_log();
builder.set_net_log(net_log);
builder.set_host_resolver_manager(
network_service_->host_resolver_manager());
builder.set_host_resolver_factory(
network_service_->host_resolver_factory());
builder.SetHttpAuthHandlerFactory(
network_service_->CreateHttpAuthHandlerFactory(this));
builder.set_network_quality_estimator(
network_service_->network_quality_estimator());
}
if (session_cleanup_cookie_store) {
std::unique_ptr<net::CookieMonster> cookie_store =
std::make_unique<net::CookieMonster>(
session_cleanup_cookie_store.get(), net_log,
network_service_->first_party_sets()->is_enabled());
if (params_->persist_session_cookies)
cookie_store->SetPersistSessionCookies(true);
builder.SetCookieStore(std::move(cookie_store));
}
if (base::FeatureList::IsEnabled(features::kTrustTokens)) {
trust_token_store_ = std::make_unique<PendingTrustTokenStore>();
base::FilePath trust_token_path;
if (GetFullDataFilePath(
params_->file_paths,
&network::mojom::NetworkContextFilePaths::trust_token_database_name,
trust_token_path)) {
SQLiteTrustTokenPersister::CreateForFilePath(
base::ThreadPool::CreateSequencedTaskRunner(
{base::MayBlock(), kTrustTokenDatabaseTaskPriority,
base::TaskShutdownBehavior::BLOCK_SHUTDOWN}),
trust_token_path, kTrustTokenWriteBufferingWindow,
base::BindOnce(&NetworkContext::FinishConstructingTrustTokenStore,
weak_factory_.GetWeakPtr()));
} else {
trust_token_store_->OnStoreReady(std::make_unique<TrustTokenStore>(
std::make_unique<InMemoryTrustTokenPersister>(),
std::make_unique<ExpiryInspectingRecordExpiryDelegate>(
network_service()->trust_token_key_commitments())));
}
}
std::unique_ptr<net::StaticHttpUserAgentSettings> user_agent_settings =
std::make_unique<net::StaticHttpUserAgentSettings>(
params_->accept_language, params_->user_agent);
// Borrow an alias for future use before giving the builder ownership.
user_agent_settings_ = user_agent_settings.get();
builder.set_http_user_agent_settings(std::move(user_agent_settings));
builder.set_enable_brotli(params_->enable_brotli);
if (params_->proxy_resolver_factory) {
builder.SetMojoProxyResolverFactory(
std::move(params_->proxy_resolver_factory));
}
#if BUILDFLAG(IS_WIN)
if (params_->windows_system_proxy_resolver) {
builder.SetMojoWindowsSystemProxyResolver(
std::move(params_->windows_system_proxy_resolver));
}
#endif
#if BUILDFLAG(IS_CHROMEOS_ASH)
if (params_->dhcp_wpad_url_client) {
builder.SetDhcpWpadUrlClient(std::move(params_->dhcp_wpad_url_client));
}
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
if (!params_->http_cache_enabled) {
builder.DisableHttpCache();
} else {
net::URLRequestContextBuilder::HttpCacheParams cache_params;
cache_params.max_size = params_->http_cache_max_size;
if (!params_->http_cache_path) {
cache_params.type =
net::URLRequestContextBuilder::HttpCacheParams::IN_MEMORY;
} else {
cache_params.path = *params_->http_cache_path;
cache_params.type = network_session_configurator::ChooseCacheType();
}
cache_params.reset_cache = params_->reset_http_cache_backend;
#if BUILDFLAG(IS_ANDROID)
cache_params.app_status_listener = app_status_listener();
#endif
builder.EnableHttpCache(cache_params);
}
std::unique_ptr<SSLConfigServiceMojo> ssl_config_service =
std::make_unique<SSLConfigServiceMojo>(
std::move(params_->initial_ssl_config),
std::move(params_->ssl_config_client_receiver),
network_service_->crl_set_distributor());
SSLConfigServiceMojo* ssl_config_service_raw = ssl_config_service.get();
builder.set_ssl_config_service(std::move(ssl_config_service));
if (!params_->initial_proxy_config &&
!params_->proxy_config_client_receiver.is_valid()) {
params_->initial_proxy_config =
net::ProxyConfigWithAnnotation::CreateDirect();
}
builder.set_proxy_config_service(std::make_unique<ProxyConfigServiceMojo>(
std::move(params_->proxy_config_client_receiver),
std::move(params_->initial_proxy_config),
std::move(params_->proxy_config_poller_client)));
builder.set_pac_quick_check_enabled(params_->pac_quick_check_enabled);
std::unique_ptr<PrefService> pref_service;
base::FilePath http_server_properties_file_name;
if (GetFullDataFilePath(params_->file_paths,
&network::mojom::NetworkContextFilePaths::
http_server_properties_file_name,
http_server_properties_file_name)) {
scoped_refptr<JsonPrefStore> json_pref_store(new JsonPrefStore(
http_server_properties_file_name, nullptr,
base::ThreadPool::CreateSequencedTaskRunner(
{base::MayBlock(), base::TaskShutdownBehavior::BLOCK_SHUTDOWN,
base::TaskPriority::BEST_EFFORT})));
PrefServiceFactory pref_service_factory;
pref_service_factory.set_user_prefs(json_pref_store);
pref_service_factory.set_async(true);
scoped_refptr<PrefRegistrySimple> pref_registry(new PrefRegistrySimple());
HttpServerPropertiesPrefDelegate::RegisterPrefs(pref_registry.get());
NetworkQualitiesPrefDelegate::RegisterPrefs(pref_registry.get());
pref_service = pref_service_factory.Create(pref_registry.get());
builder.SetHttpServerProperties(std::make_unique<net::HttpServerProperties>(
std::make_unique<HttpServerPropertiesPrefDelegate>(pref_service.get()),
net_log));
network_qualities_pref_delegate_ =
std::make_unique<NetworkQualitiesPrefDelegate>(
pref_service.get(), network_service_->network_quality_estimator());
}
base::FilePath transport_security_persister_file_name;
if (GetFullDataFilePath(params_->file_paths,
&network::mojom::NetworkContextFilePaths::
transport_security_persister_file_name,
transport_security_persister_file_name)) {
builder.set_transport_security_persister_file_path(
transport_security_persister_file_name);
}
builder.set_hsts_policy_bypass_list(params_->hsts_policy_bypass_list);
#if BUILDFLAG(ENABLE_REPORTING)
bool reporting_enabled = base::FeatureList::IsEnabled(features::kReporting);
if (reporting_enabled) {
auto reporting_policy = net::ReportingPolicy::Create();
if (params_->reporting_delivery_interval) {
reporting_policy->delivery_interval =
*params_->reporting_delivery_interval;
reporting_policy->endpoint_backoff_policy.initial_delay_ms =
params_->reporting_delivery_interval->InMilliseconds();
}
builder.set_reporting_policy(std::move(reporting_policy));
} else {
builder.set_reporting_policy(nullptr);
}
bool nel_enabled =
base::FeatureList::IsEnabled(features::kNetworkErrorLogging);
builder.set_network_error_logging_enabled(nel_enabled);
base::FilePath reporting_and_nel_store_database_name;
if (GetFullDataFilePath(params_->file_paths,
&network::mojom::NetworkContextFilePaths::
reporting_and_nel_store_database_name,
reporting_and_nel_store_database_name) &&
(reporting_enabled || nel_enabled)) {
scoped_refptr<base::SequencedTaskRunner> client_task_runner =
base::ThreadTaskRunnerHandle::Get();
scoped_refptr<base::SequencedTaskRunner> background_task_runner =
base::ThreadPool::CreateSequencedTaskRunner(
{base::MayBlock(),
net::GetReportingAndNelStoreBackgroundSequencePriority(),
base::TaskShutdownBehavior::BLOCK_SHUTDOWN});
std::unique_ptr<net::SQLitePersistentReportingAndNelStore> sqlite_store(
new net::SQLitePersistentReportingAndNelStore(
reporting_and_nel_store_database_name, client_task_runner,
background_task_runner));
builder.set_persistent_reporting_and_nel_store(std::move(sqlite_store));
} else {
builder.set_persistent_reporting_and_nel_store(nullptr);
}
#endif // BUILDFLAG(ENABLE_REPORTING)
net::HttpNetworkSessionParams session_params;
bool is_quic_force_disabled = false;
if (network_service_ && network_service_->quic_disabled())
is_quic_force_disabled = true;
auto quic_context = std::make_unique<net::QuicContext>();
network_session_configurator::ParseCommandLineAndFieldTrials(
*base::CommandLine::ForCurrentProcess(), is_quic_force_disabled,
params_->quic_user_agent_id, &session_params, quic_context->params());
session_params.disable_idle_sockets_close_on_memory_pressure =
params_->disable_idle_sockets_close_on_memory_pressure;
if (network_service_) {
session_params.key_auth_cache_server_entries_by_network_isolation_key =
network_service_->split_auth_cache_by_network_isolation_key();
}
session_params.key_auth_cache_server_entries_by_network_isolation_key =
base::FeatureList::IsEnabled(
features::kSplitAuthCacheByNetworkIsolationKey);
builder.set_http_network_session_params(session_params);
builder.set_quic_context(std::move(quic_context));
builder.SetCreateHttpTransactionFactoryCallback(
base::BindOnce([](net::HttpNetworkSession* session)
-> std::unique_ptr<net::HttpTransactionFactory> {
return std::make_unique<ThrottlingNetworkTransactionFactory>(session);
}));
builder.set_host_mapping_rules(
command_line->GetSwitchValueASCII(switches::kHostResolverRules));
builder.set_first_party_sets_enabled(
network_service_->first_party_sets()->is_enabled());
auto result =
URLRequestContextOwner(std::move(pref_service), builder.Build());
require_network_isolation_key_ = params_->require_network_isolation_key;
// If `require_network_isolation_key_` is true, but the features that can
// trigger another URLRequest are not set to respect NetworkIsolationKeys,
// the URLRequests that they create might not have a NIK, so only set the
// corresponding value in the URLRequestContext to true at the URLRequest
// layer if all those features are set to respect NIK.
if (require_network_isolation_key_ &&
base::FeatureList::IsEnabled(
net::features::kPartitionConnectionsByNetworkIsolationKey) &&
base::FeatureList::IsEnabled(
net::features::kPartitionExpectCTStateByNetworkIsolationKey) &&
base::FeatureList::IsEnabled(
net::features::kPartitionHttpServerPropertiesByNetworkIsolationKey) &&
base::FeatureList::IsEnabled(
net::features::kPartitionNelAndReportingByNetworkIsolationKey) &&
base::FeatureList::IsEnabled(
net::features::kPartitionSSLSessionsByNetworkIsolationKey) &&
base::FeatureList::IsEnabled(
domain_reliability::features::
kPartitionDomainReliabilityByNetworkIsolationKey)) {
result.url_request_context->set_require_network_isolation_key(true);
}
// Subscribe the CertVerifier to configuration changes that are exposed via
// the mojom::SSLConfig, but which are not part of the
// net::SSLConfig[Service] interfaces.
ssl_config_service_raw->SetCertVerifierForConfiguring(
result.url_request_context->cert_verifier());
// Attach some things to the URLRequestContextBuilder's
// TransportSecurityState. Since no requests have been made yet, safe to do
// this even after the call to Build().
if (params_->enable_certificate_reporting) {
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
semantics {
sender: "Domain Security Policy"
description:
"Websites can opt in to have Chrome send reports to them when "
"Chrome observes connections to that website that do not meet "
"stricter security policies, such as with HTTP Public Key Pinning. "
"Websites can use this feature to discover misconfigurations that "
"prevent them from complying with stricter security policies that "
"they\'ve opted in to."
trigger:
"Chrome observes that a user is loading a resource from a website "
"that has opted in for security policy reports, and the connection "
"does not meet the required security policies."
data:
"The time of the request, the hostname and port being requested, "
"the certificate chain, and sometimes certificate revocation "
"information included on the connection."
destination: OTHER
}
policy {
cookies_allowed: NO
setting: "This feature cannot be disabled by settings."
policy_exception_justification:
"Not implemented, this is a feature that websites can opt into and "
"thus there is no Chrome-wide policy to disable it."
})");
certificate_report_sender_ = std::make_unique<net::ReportSender>(
result.url_request_context.get(), traffic_annotation);
result.url_request_context->transport_security_state()->SetReportSender(
certificate_report_sender_.get());
}
#if BUILDFLAG(IS_ANDROID)
result.url_request_context->set_check_cleartext_permitted(
params_->check_clear_text_permitted);
#endif // BUILDFLAG(IS_ANDROID)
#if BUILDFLAG(IS_CT_SUPPORTED)
if (params_->enable_expect_ct_reporting) {
LazyCreateExpectCTReporter(result.url_request_context.get());
result.url_request_context->transport_security_state()->SetExpectCTReporter(
expect_ct_reporter_.get());
}
if (params_->enforce_chrome_ct_policy) {
require_ct_delegate_ =
std::make_unique<certificate_transparency::ChromeRequireCTDelegate>();
result.url_request_context->transport_security_state()
->SetRequireCTDelegate(require_ct_delegate_.get());
}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
if (params_->enable_domain_reliability) {
domain_reliability_monitor_ =
std::make_unique<domain_reliability::DomainReliabilityMonitor>(
result.url_request_context.get(),
params_->domain_reliability_upload_reporter,
base::BindRepeating(&NetworkContext::CanUploadDomainReliability,
base::Unretained(this)));
domain_reliability_monitor_->AddBakedInConfigs();
domain_reliability_monitor_->SetDiscardUploads(
params_->discard_domain_reliablity_uploads);
}
if (proxy_delegate_) {
proxy_delegate_->SetProxyResolutionService(
result.url_request_context->proxy_resolution_service());
}
if (cert_net_fetcher_)
cert_net_fetcher_->SetURLRequestContext(result.url_request_context.get());
return result;
}
scoped_refptr<SessionCleanupCookieStore>
NetworkContext::MakeSessionCleanupCookieStore() const {
base::FilePath cookie_path;
if (!GetFullDataFilePath(
params_->file_paths,
&network::mojom::NetworkContextFilePaths::cookie_database_name,
cookie_path)) {
DCHECK(!params_->restore_old_session_cookies);
DCHECK(!params_->persist_session_cookies);
return nullptr;
}
scoped_refptr<base::SequencedTaskRunner> client_task_runner =
base::ThreadTaskRunnerHandle::Get();
scoped_refptr<base::SequencedTaskRunner> background_task_runner =
base::ThreadPool::CreateSequencedTaskRunner(
{base::MayBlock(), net::GetCookieStoreBackgroundSequencePriority(),
base::TaskShutdownBehavior::BLOCK_SHUTDOWN});
net::CookieCryptoDelegate* crypto_delegate = nullptr;
if (params_->enable_encrypted_cookies) {
crypto_delegate = cookie_config::GetCookieCryptoDelegate();
}
scoped_refptr<net::SQLitePersistentCookieStore> sqlite_store(
new net::SQLitePersistentCookieStore(
cookie_path, client_task_runner, background_task_runner,
params_->restore_old_session_cookies, crypto_delegate));
return base::MakeRefCounted<SessionCleanupCookieStore>(sqlite_store);
}
void NetworkContext::OnHttpCacheCleared(ClearHttpCacheCallback callback,
HttpCacheDataRemover* remover) {
bool removed = false;
for (auto iter = http_cache_data_removers_.begin();
iter != http_cache_data_removers_.end(); ++iter) {
if (iter->get() == remover) {
removed = true;
http_cache_data_removers_.erase(iter);
break;
}
}
DCHECK(removed);
std::move(callback).Run();
}
void NetworkContext::OnHostResolverShutdown(HostResolver* resolver) {
auto found_resolver = host_resolvers_.find(resolver);
DCHECK(found_resolver != host_resolvers_.end());
host_resolvers_.erase(found_resolver);
}
void NetworkContext::OnHttpCacheSizeComputed(
ComputeHttpCacheSizeCallback callback,
HttpCacheDataCounter* counter,
bool is_upper_limit,
int64_t result_or_error) {
EraseIf(http_cache_data_counters_, base::MatchesUniquePtr(counter));
std::move(callback).Run(is_upper_limit, result_or_error);
}
void NetworkContext::OnConnectionError() {
// If owned by the network service, this call will delete |this|.
if (on_connection_close_callback_)
std::move(on_connection_close_callback_).Run(this);
}
GURL NetworkContext::GetHSTSRedirect(const GURL& original_url) {
// TODO(lilyhoughton) This needs to be gotten rid of once explicit
// construction with a URLRequestContext is no longer supported.
if (!url_request_context_->transport_security_state() ||
!original_url.SchemeIs("http") ||
!url_request_context_->transport_security_state()->ShouldUpgradeToSSL(
original_url.host())) {
return original_url;
}
url::Replacements<char> replacements;
const char kNewScheme[] = "https";
replacements.SetScheme(kNewScheme, url::Component(0, strlen(kNewScheme)));
return original_url.ReplaceComponents(replacements);
}
#if BUILDFLAG(IS_P2P_ENABLED)
void NetworkContext::DestroySocketManager(P2PSocketManager* socket_manager) {
auto iter = socket_managers_.find(socket_manager);
DCHECK(iter != socket_managers_.end());
socket_managers_.erase(iter);
}
#endif // BUILDFLAG(IS_P2P_ENABLED)
void NetworkContext::CanUploadDomainReliability(
const GURL& origin,
base::OnceCallback<void(bool)> callback) {
client_->OnCanSendDomainReliabilityUpload(
origin,
base::BindOnce([](base::OnceCallback<void(bool)> callback,
bool allowed) { std::move(callback).Run(allowed); },
std::move(callback)));
}
void NetworkContext::OnVerifyCertForSignedExchangeComplete(int cert_verify_id,
int result) {
auto iter = cert_verifier_requests_.find(cert_verify_id);
DCHECK(iter != cert_verifier_requests_.end());
auto pending_cert_verify = std::move(iter->second);
cert_verifier_requests_.erase(iter);
#if BUILDFLAG(IS_CT_SUPPORTED)
if (result == net::OK) {
net::X509Certificate* verified_cert =
pending_cert_verify->result->verified_cert.get();
net::ct::SCTList verified_scts;
for (const auto& sct_and_status : pending_cert_verify->result->scts) {
if (sct_and_status.status == net::ct::SCT_STATUS_OK)
verified_scts.push_back(sct_and_status.sct);
}
pending_cert_verify->result->policy_compliance =
url_request_context_->ct_policy_enforcer()->CheckCompliance(
verified_cert, verified_scts,
net::NetLogWithSource::Make(
network_service_ ? url_request_context_->net_log() : nullptr,
net::NetLogSourceType::CERT_VERIFIER_JOB));
// TODO(https://crbug.com/803774): We should determine whether EV & SXG
// should be a thing (due to the online/offline signing difference)
if (pending_cert_verify->result->cert_status & net::CERT_STATUS_IS_EV &&
pending_cert_verify->result->policy_compliance !=
net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS &&
pending_cert_verify->result->policy_compliance !=
net::ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY) {
pending_cert_verify->result->cert_status |=
net::CERT_STATUS_CT_COMPLIANCE_FAILED;
pending_cert_verify->result->cert_status &= ~net::CERT_STATUS_IS_EV;
}
net::TransportSecurityState::CTRequirementsStatus ct_requirement_status =
url_request_context_->transport_security_state()->CheckCTRequirements(
net::HostPortPair::FromURL(pending_cert_verify->url),
pending_cert_verify->result->is_issued_by_known_root,
pending_cert_verify->result->public_key_hashes, verified_cert,
pending_cert_verify->certificate.get(),
pending_cert_verify->result->scts,
net::TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
pending_cert_verify->result->policy_compliance,
pending_cert_verify->network_isolation_key);
if (url_request_context_->sct_auditing_delegate() &&
url_request_context_->sct_auditing_delegate()->IsSCTAuditingEnabled()) {
url_request_context_->sct_auditing_delegate()->MaybeEnqueueReport(
net::HostPortPair::FromURL(pending_cert_verify->url), verified_cert,
pending_cert_verify->result->scts);
}
switch (ct_requirement_status) {
case net::TransportSecurityState::CT_REQUIREMENTS_NOT_MET:
result = net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
break;
case net::TransportSecurityState::CT_REQUIREMENTS_MET:
break;
case net::TransportSecurityState::CT_NOT_REQUIRED:
// CT is not required if the certificate does not chain to a publicly
// trusted root certificate.
if (!pending_cert_verify->result->is_issued_by_known_root)
break;
// For old certificates (issued before 2018-05-01),
// CheckCTRequirements() may return CT_NOT_REQUIRED, so we check the
// compliance status here.
// TODO(https://crbug.com/851778): Remove this condition once we require
// signing certificates to have CanSignHttpExchanges extension, because
// such certificates should be naturally after 2018-05-01.
if (pending_cert_verify->result->policy_compliance ==
net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS ||
pending_cert_verify->result->policy_compliance ==
net::ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY) {
break;
}
// Require CT compliance, by overriding CT_NOT_REQUIRED and treat it as
// ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.
result = net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
}
}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
std::move(pending_cert_verify->callback)
.Run(result, *pending_cert_verify->result.get());
}
#if BUILDFLAG(IS_CHROMEOS)
void NetworkContext::TrustAnchorUsed() {
client_->OnTrustAnchorUsed();
}
#endif
void NetworkContext::InitializeCorsParams() {
for (const auto& pattern : params_->cors_origin_access_list) {
cors_origin_access_list_.SetAllowListForOrigin(pattern->source_origin,
pattern->allow_patterns);
cors_origin_access_list_.SetBlockListForOrigin(pattern->source_origin,
pattern->block_patterns);
}
for (const auto& key : params_->cors_exempt_header_list)
cors_exempt_header_list_.insert(key);
}
void NetworkContext::FinishConstructingTrustTokenStore(
std::unique_ptr<SQLiteTrustTokenPersister> persister) {
trust_token_store_->OnStoreReady(std::make_unique<TrustTokenStore>(
std::move(persister),
std::make_unique<ExpiryInspectingRecordExpiryDelegate>(
network_service()->trust_token_key_commitments())));
}
void NetworkContext::GetOriginPolicyManager(
mojo::PendingReceiver<mojom::OriginPolicyManager> receiver) {
origin_policy_manager_->AddReceiver(std::move(receiver));
}
void NetworkContext::CreateTrustedUrlLoaderFactoryForNetworkService(
mojo::PendingReceiver<mojom::URLLoaderFactory>
url_loader_factory_pending_receiver) {
auto url_loader_factory_params = mojom::URLLoaderFactoryParams::New();
url_loader_factory_params->is_trusted = true;
url_loader_factory_params->process_id = network::mojom::kBrowserProcessId;
CreateURLLoaderFactory(std::move(url_loader_factory_pending_receiver),
std::move(url_loader_factory_params));
}
} // namespace network