blob: 10109d4ac851f81c28296fe66183964461b0872e [file] [log] [blame]
// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module network.mojom;
import "mojo/public/mojom/base/file_path.mojom";
import "mojo/public/mojom/base/time.mojom";
import "mojo/public/mojom/base/unguessable_token.mojom";
import "mojo/public/mojom/base/values.mojom";
import "sandbox/policy/mojom/context.mojom";
import "services/network/public/mojom/address_list.mojom";
import "services/network/public/mojom/url_loader_network_service_observer.mojom";
import "services/network/public/mojom/cert_verifier_service.mojom";
import "services/network/public/mojom/clear_data_filter.mojom";
import "services/network/public/mojom/client_security_state.mojom";
import "services/network/public/mojom/cookie_access_observer.mojom";
import "services/network/public/mojom/cookie_encryption_provider.mojom";
import "services/network/public/mojom/cookie_manager.mojom";
import "services/network/public/mojom/cookie_setting_overrides.mojom";
import "services/network/public/mojom/cors_origin_pattern.mojom";
import "services/network/public/mojom/cross_origin_embedder_policy.mojom";
import "services/network/public/mojom/default_credentials.mojom";
import "services/network/public/mojom/devtools_observer.mojom";
import "services/network/public/mojom/restricted_udp_socket.mojom";
import "services/network/public/mojom/fetch_api.mojom";
import "services/network/public/mojom/first_party_sets_access_delegate.mojom";
import "services/network/public/mojom/host_resolver.mojom";
import "services/network/public/mojom/http_cache_backend_file_operations.mojom";
import "services/network/public/mojom/http_request_headers.mojom";
import "services/network/public/mojom/ip_address.mojom";
import "services/network/public/mojom/ip_endpoint.mojom";
import "services/network/public/mojom/ip_address_space.mojom";
import "services/network/public/mojom/mdns_responder.mojom";
import "services/network/public/mojom/mutable_network_traffic_annotation_tag.mojom";
import "services/network/public/mojom/net_log.mojom";
import "services/network/public/mojom/network_isolation_key.mojom";
import "services/network/public/mojom/network_anonymization_key.mojom";
import "services/network/public/mojom/oblivious_http_request.mojom";
import "services/network/public/mojom/hash_value.mojom";
import "services/network/public/mojom/isolation_info.mojom";
import "services/network/public/mojom/network_context_client.mojom";
import "services/network/public/mojom/network_param.mojom";
import "services/network/public/mojom/parsed_headers.mojom";
import "services/network/public/mojom/proxy_config.mojom";
import "services/network/public/mojom/proxy_config_with_annotation.mojom";
import "services/network/public/mojom/proxy_lookup_client.mojom";
import "services/network/public/mojom/proxy_resolving_socket.mojom";
import "services/network/public/mojom/reporting_service.mojom";
import "services/network/public/mojom/restricted_cookie_manager.mojom";
import "services/network/public/mojom/shared_dictionary_access_observer.mojom";
import "services/network/public/mojom/shared_dictionary_isolation_key.mojom";
import "services/network/public/mojom/shared_dictionary_usage_info.mojom";
import "services/network/public/mojom/site_for_cookies.mojom";
import "services/network/public/mojom/socket_broker.mojom";
import "services/network/public/mojom/ssl_config.mojom";
import "services/network/public/mojom/tcp_socket.mojom";
import "services/network/public/mojom/transferable_directory.mojom";
import "services/network/public/mojom/trust_tokens.mojom";
import "services/network/public/mojom/trust_token_access_observer.mojom";
import "services/network/public/mojom/udp_socket.mojom";
import "services/network/public/mojom/url_loader.mojom";
import "services/network/public/mojom/url_loader_factory.mojom";
import "services/network/public/mojom/url_request.mojom";
import "services/network/public/mojom/url_response_head.mojom";
import "services/network/public/mojom/websocket.mojom";
import "services/network/public/mojom/web_transport.mojom";
import "services/proxy_resolver/public/mojom/proxy_resolver.mojom";
import "url/mojom/origin.mojom";
import "url/mojom/url.mojom";
[EnableIf=is_chromeos_ash]
import "services/network/public/mojom/dhcp_wpad_url_client.mojom";
[EnableIf=is_p2p_enabled]
import "services/network/public/mojom/p2p.mojom";
[EnableIf=is_p2p_enabled]
import "services/network/public/mojom/p2p_trusted.mojom";
[EnableIf=is_win]
import "services/proxy_resolver_win/public/mojom/proxy_resolver_win.mojom";
const uint32 kWebSocketOptionNone = 0;
// Disallow the request from sending cookies. Disallow the response from writing
// cookies.
const uint32 kWebSocketOptionBlockAllCookies = 1;
// Similar to |kWebSocketOptionBlockAllCookies|, but only for third party
// cookies.
const uint32 kWebSocketOptionBlockThirdPartyCookies = 2;
// The browser can provide a CustomProxyConfig to a CustomProxyConfigClient
// running in the network service. The network service will use the given proxy
// configuration if a request matches the proxy rules and all the other
// criteria contained within it.
struct CustomProxyConfig {
// The custom proxy rules to use. Note that ftp:// requests are not
// supported.
ProxyRules rules;
// Whether the custom proxy config should override other sources of proxy
// configuration. If false, the custom config is ignored if a proxy is set in
// the operating system, for example.
bool should_override_existing_config = false;
// Whether the custom proxy config should apply to requests using
// non-idempotent methods. Can be true if the proxy is known to handle this
// case properly.
bool allow_non_idempotent_methods = false;
// For tunneled requests (https://, ws://, wss://), these headers are added
// to the CONNECT request. Headers here will overwrite matching headers on
// the CONNECT request if a custom proxy is used.
HttpRequestHeaders connect_tunnel_headers;
};
// Observer of custom proxy connections, especially for when errors occur.
interface CustomProxyConnectionObserver {
// Called when use of |bad_proxy| fails due to |net_error|. |net_error| is the
// network error encountered, if any, and OK if the fallback was for a reason
// other than a network error (e.g. the proxy service was explicitly directed
// to skip a proxy).
OnFallback(ProxyChain bad_chain, int32 net_error);
// Called when the response headers for the proxy tunnel request have been
// received.
OnTunnelHeadersReceived(
ProxyChain proxy_chain,
uint64 chain_index,
HttpResponseHeaders response_headers);
};
// Includes a pipe to a CertVerifierService for usage by the
// NetworkContext.
struct CertVerifierServiceRemoteParams {
// A pipe to the CertVerifierService.
pending_remote<cert_verifier.mojom.CertVerifierService>?
cert_verifier_service;
// Receives notifications of changes to the CertVerifier.
pending_receiver<cert_verifier.mojom.CertVerifierServiceClient>?
cert_verifier_service_client_receiver;
};
// Client to update the custom proxy config.
interface CustomProxyConfigClient {
OnCustomProxyConfigUpdated(CustomProxyConfig proxy_config) => ();
};
// Sent by TrustedURLLoaderHeaderClient to perform modifications for a request.
interface TrustedHeaderClient {
// Allows modifying request headers before the request is sent.
OnBeforeSendHeaders(HttpRequestHeaders headers) =>
(int32 result, HttpRequestHeaders? headers);
// Allows modifying response headers, including sensitive headers such as
// set-cookie. This should only be used from a trusted process.
// If |preserve_fragment_on_redirect_url| is null, then when the headers
// indicate a redirect, URL fragments will be handled the standard way: the
// fragment of the original URL will be copied to the new URL, unless the
// new URL has a fragment, in which case the new URL's fragment will be
// used. If |preserve_fragment_on_redirect_url| is populated, and the
// request is redirected to exactly that URL, then the fragment of the
// original URL will not be copied to the redirect target URL.
OnHeadersReceived(string headers, IPEndPoint remote_endpoint) =>
(int32 result,
string? headers,
url.mojom.Url? preserve_fragment_on_redirect_url);
};
// Interface to allow modifying the full request and response headers. This
// interface exposes sensitive headers such as set-cookie, so should only be
// sent to trusted processes.
interface TrustedURLLoaderHeaderClient {
// When a new URLLoader is created, this will be called to pass a
// corresponding |header_client|.
OnLoaderCreated(int32 request_id,
pending_receiver<TrustedHeaderClient> header_client);
// When a new URLLoader is created for a CORS preflight request, this will
// be called to pass a corresponding |header_client|.
OnLoaderForCorsPreflightCreated(
URLRequest request,
pending_receiver<TrustedHeaderClient> header_client);
};
struct HttpAuthStaticNetworkContextParams {
// Whether authentication APIs that support fallback to the default account
// on the system can be used without specifying an account.
DefaultCredentials allow_default_credentials
= DefaultCredentials.ALLOW_DEFAULT_CREDENTIALS;
};
[EnableIf=is_ct_supported]
struct CTPolicy {
array<string> excluded_hosts;
array<string> excluded_spkis;
array<string> excluded_legacy_spkis;
};
struct NetworkContextFilePaths {
// Points to the shared dictionary directory containing the sqlite database
// file named "db" for metadata and the disk cache directory named "cache".
// This field is used only when `shared_dictionary_enabled` field is set to
// true. If this field is empty, shared dictionaries will be stored in-memory
// only.
TransferableDirectory? shared_dictionary_directory;
// Points to the HTTP cache directory. Ignored if the cache is disabled.
// If null and the cache is enabled, an in-memory database is used.
TransferableDirectory? http_cache_directory;
// Points to a path that contains all the network service files and databases
// as listed below. If this network context is running inside a sandboxed
// network service, then this path should contain no other sensitive data
// since the sandboxed network service will have full access to this path.
// This should be a different path for each different network context running
// inside the network service.
TransferableDirectory data_directory;
// Points to a path that might contain existing network service data files and
// databases from network contexts created with the same `data_directory`.
// This parameter must be specified if `trigger_migration` is set to true.
// Once migration has been successful (see below), data is no longer read from
// this path. Data could continue to be read from this path if migration
// fails, or if `trigger_migration` has never been set to true.
// If this parameter is specified then the sandbox will be granted access to
// the `data_directory` specified above.
// This parameter, along with `trigger_migration` parameter below will be
// removed in the future, once migration of network context data to the new
// `data_directory` has been completed. At this point the sandbox will be
// granted access to `data_directory` unconditionally.
mojo_base.mojom.FilePath? unsandboxed_data_path;
// Points to the cookie database file name inside `data_directory`. An
// in-memory cookie store is used if it's empty, or if `data_directory` is
// empty.
mojo_base.mojom.FilePath? cookie_database_name;
// Points to the Trust Token database file name inside `data_directory`. An
// in-memory trust token store is used if it's empty, or if `data_directory`
// is empty, or (through a fallback in the initialization logic; see
// SQLiteTrustTokenPersister's comments) if initialization fails.
//
// Initializing the on-disk database takes place asynchronously, so requests
// near startup may not support Trust Tokens protocol operations.
mojo_base.mojom.FilePath? trust_token_database_name;
// The name of the file to store cached server properties (Like HTTP2 and QUIC
// support) inside `data_directory`. This information is used as a performance
// optimization in connection logic. If empty, or if `data_directory` is
// empty, an in-memory cache will be used instead.
mojo_base.mojom.FilePath? http_server_properties_file_name;
// The name of the file to store cached transport security properties (like
// HSTS) inside `data_directory`. If empty, or `data_directory` is empty, or
// the file can't be opened, an in-memory store will be used instead.
mojo_base.mojom.FilePath? transport_security_persister_file_name;
// Points to a sqlite database contained within `data_directory` containing
// persisted Reporting clients and NEL policies. If Reporting and NEL
// persistence is disabled, then this field is ignored. If this field is
// empty, or `data_directory` is empty, then persistence will be disabled
// regardless. This field should not be used if the ENABLE_REPORTING build
// flag is false.
mojo_base.mojom.FilePath? reporting_and_nel_store_database_name;
// The name of the file to store pending SCT auditing reports inside
// `data_directory`. If empty, or `data_directory` is empty, or the file can't
// be opened, pending reports will instead be stored in-memory only.
mojo_base.mojom.FilePath? sct_auditing_pending_reports_file_name;
// Specifies whether or not a migration of existing data should occur from
// `unsandboxed_data_path` to `data_directory`. It is not valid to set this
// to true if an `unsandboxed_data_path` is not specified.
// If the migration is successful then network context data will operate from
// `data_directory`, and the old data will be removed from
// `unsandboxed_data_path`.
// If migration is unsuccessful then data will continue to operate from
// `unsandboxed_data_path` and migration will be re-attempted the next time
// `trigger_migration` is set to true.
// Since migration is a one-way operation, setting `trigger_migration` to
// false does not move the data back to `unsandboxed_data_path`. The network
// context data will be read from `data_directory` or `unsandboxed_data_path`
// depending on whether a migration has successfully occurred previously.
// This parameter, along with `unsandboxed_data_path` parameter above will be
// removed in the future, once migration of network context data to the new
// `data_directory` has been completed. At this point the sandbox will be
// granted access to `data_directory` unconditionally.
bool trigger_migration = false;
};
// Socket brokers used by the ClientSocketFactory for client sockets and
// SocketFactory for server sockets.
[EnableIf=is_win]
struct SocketBrokerRemotes {
pending_remote<SocketBroker> client;
pending_remote<SocketBroker> server;
};
// Parameters for constructing a network context.
struct NetworkContextParams {
// The user agent string.
string user_agent;
// String to send as the Accept-Language header. This can be changed later
// by calling SetAcceptLanguage on the NetworkContext. If empty, the header
// will not be added.
string accept_language;
// Whether Brotli content-encoding should be enabled for HTTPS responses.
bool enable_brotli = true;
// Whether Zstd content-encoding should be enabled for HTTPS responses.
bool enable_zstd = false;
// If false, the referrer of requests is never populated.
bool enable_referrers = true;
// If true, requests initiated with referrers that don't match their referrer
// policy will fail.
bool validate_referrer_policy_on_initial_request = true;
// Handles PAC script execution. If not populated, will attempt to use
// platform implementation to execute PAC scripts, if available (Only
// available on Windows and Mac).
pending_remote<proxy_resolver.mojom.ProxyResolverFactory>?
proxy_resolver_factory;
// Handles all proxy resolution logic if the current proxy config comes from
// the operating system. Otherwise, or if this is not populated, proxy
// resolution is handled by Chrome as normal.
[EnableIf=is_win]
pending_remote<proxy_resolver_win.mojom.WindowsSystemProxyResolver>?
windows_system_proxy_resolver;
// Retrieves the PAC script URL set via DHCP from the browser process. Only
// used if |proxy_resolver_factory| is set. Note: optional because some tests
// build their own NetworkContextParams and don't need a DHCP WPAD client.
[EnableIf=is_chromeos_ash]
pending_remote<DhcpWpadUrlClient>? dhcp_wpad_url_client;
// If true, cookies will be stored encrypted.
bool enable_encrypted_cookies = true;
// On Windows, whether or not the cookie database should be opened with
// the sqlite3 flag `exclusive=true` which asks the sqlite VFS to open them
// without file sharing enabled. This has the consequence that other processes
// should not be able to open the cookie database file.
[EnableIf=is_win]
bool enable_locking_cookie_database = false;
// If the cookie file is given, this controls whether previously written
// session cookies are restored. Otherwise it should be false.
bool restore_old_session_cookies = false;
// If the cookie file is given, this controls whether to persist session
// cookies. Otherwise it should be false.
bool persist_session_cookies = false;
// True if an HTTP cache should be used.
bool http_cache_enabled = true;
// Maximum size of the HTTP cache. 0 means to use the default size.
// Ignored if the cache is disabled.
int32 http_cache_max_size = 0;
// A factory to broker file operations needed for the HTTP cache on some
// platforms (depending on the sandboxing mechanism the platform provides).
pending_remote<HttpCacheBackendFileOperationsFactory>?
http_cache_file_operations_factory;
// Enabled protocols. Note that these apply to all fetches, including those
// used to fetch PAC scripts. Note that currently data URLs are always enabled
// and file URLs are always disabled.
// Whether or not to check the Android platform's cleartext policy for
// requests. Under some conditions, Android may advise us to block cleartext
// traffic.
[EnableIf=is_android]
bool check_clear_text_permitted = false;
// If true, idle sockets won't be closed when memory pressure happens.
bool disable_idle_sockets_close_on_memory_pressure = false;
// SSL configuration. |initial_proxy_config| is the initial SSL configuration
// to use. If nullptr, uses the default configuration. Updated SSL
// configurations can be passed in via |ssl_config_client_receiver|.
SSLConfig? initial_ssl_config;
pending_receiver<SSLConfigClient>? ssl_config_client_receiver;
// Proxy configuration. If |initial_proxy_config| is set, it's the initial
// proxy configuration. Updated proxy configuration can be passed in via
// |proxy_config_client_request|. If |initial_proxy_config| is not set,
// proxy lookups will be deferred until a configuration is received via
// |proxy_config_client_request|.
//
// If both are null, the NetworkContext will not use a proxy.
ProxyConfigWithAnnotation? initial_proxy_config;
pending_receiver<ProxyConfigClient>? proxy_config_client_receiver;
// If |custom_proxy_config_client_receiver| is set, this context will listen
// for updates to the custom proxy config, and use it if applicable for URL
// requests.
// |initial_custom_proxy_config| is the initial config settings.
CustomProxyConfig? initial_custom_proxy_config;
pending_receiver<CustomProxyConfigClient>?
custom_proxy_config_client_receiver;
// If |initial_custom_proxy_config| or |custom_proxy_config_client_receiver|
// is set, information about custom proxy connections will be reported to this
// observer.
pending_remote<CustomProxyConnectionObserver>?
custom_proxy_connection_observer_remote;
// If |proxy_config_client_request| is non-null, this is called during
// periods of network activity, and can be used as a signal for polling-based
// logic to determine the proxy config.
//
// TODO(mmenke): Can the consumer piggy back on other network events through
// other channels (navigation, issuing requests, etc)? Or can
// ProxyConfigServices be modified not to need this notification?
pending_remote<ProxyConfigPollerClient>? proxy_config_poller_client;
// Optional client that will be notified of errors related to the proxy
// settings.
pending_remote<ProxyErrorClient>? proxy_error_client;
// Broker used by the network service sandbox to create sockets in
// the browser. Set when the sandbox is enabled on Windows.
[EnableIf=is_win]
SocketBrokerRemotes? socket_brokers;
// A service to fetch blind-signed auth tokens and proxy configuration info
// for IP protection. If this is not set, then either this NetworkContext
// doesn't have its traffic proxied by IP Protection or the feature has been
// disabled (and can't be re-enabled until the browser is restarted).
pending_remote<IpProtectionConfigGetter>? ip_protection_config_getter;
// A receiver for sending notifications from the browser process to the IP
// Protection ProxyDelegate in the network service. This is set in the same
// cases as `ip_protection_config_getter`.
pending_receiver<IpProtectionProxyDelegate>? ip_protection_proxy_delegate;
// Whether the IP Protection feature is enabled at the time the NetworkContext
// is created. This setting can change via the
// `SetIpProtectionEnabled` method of the `IpProtectionProxyDelegate`
// interface.
bool enable_ip_protection = false;
// When PAC quick checking is enabled, DNS lookups for PAC script's host are
// timed out aggressively. This prevents hanging all network request on DNS
// lookups that are slow or are blockholed, at the cost of making it more
// likely that the network service erroneously fails to fetch a PAC file.
bool pac_quick_check_enabled = true;
// Enables reporting certain SSL errors, such as HTTP Public Key Pinning, to
// servers, so they can discover misconfigurations.
bool enable_certificate_reporting = false;
// True if the "Certificate Transparency in Chrome" policy (see
// https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should
// be enforced for certificates and connections.
//
// See //net/docs/certificate-transparency.md before setting this flag to
// true.
[EnableIf=is_ct_supported]
bool enforce_chrome_ct_policy = false;
// The SCT auditing mode. SCT auditing sends reports for SCTs found in
// connections made by this network context. Can also be dynamically
// configured via NetworkContext::SetSCTAuditingMode().
[EnableIf=is_ct_supported]
SCTAuditingMode sct_auditing_mode = SCTAuditingMode.kDisabled;
// The initial CT policy to be used for requests. See
// NetworkContext.SetCTPolicy() for more.
[EnableIf=is_ct_supported]
CTPolicy? ct_policy;
// Contains a pipe to a CertVerifierService.
CertVerifierServiceRemoteParams cert_verifier_params;
// Parameters for constructing the cookie manager.
CookieManagerParams? cookie_manager_params;
// Binds to the cookie manager associated with this network context, which
// should only be handed out to trusted processes.
[EnableIf=is_android]
pending_receiver<CookieManager>? cookie_manager;
// Whether to enable Domain Reliability.
bool enable_domain_reliability = false;
// The uploader reporter name to use for Domain Reliability uploads.
string domain_reliability_upload_reporter;
// Whether to discard Domain Reliability uploads.
bool discard_domain_reliablity_uploads = false;
// When reporting is enabled, this sets the delay between sending reports.
// When omitted a default value is used.
mojo_base.mojom.TimeDelta? reporting_delivery_interval;
// Whether to bypass the ordinary permission checks for sending reports,
// rather than calling NetworkContextClient.OnCanSendReportingReports() to
// decide. This should only be used by tests.
bool skip_reporting_send_permission_check = false;
// Specifies the initial set of allowed and blocked origins for the
// URLLoaderFactory consumers to access beyond the same-origin-policy.
array<CorsOriginAccessPatterns> cors_origin_access_list;
// Specifies header keys that are allowed to be used in
// network::url_request.cors_exempt_headers.
array<string> cors_exempt_header_list;
// If true, no checking of cors exempt headers (from the browser) are done.
// If false, cors_exempt_headers are checked against
// |cors_exempt_header_list|.
bool allow_any_cors_exempt_header_for_browser = false;
// List of single-label hostnames that are exempted from the HSTS upgrade
// policy.
array<string> hsts_policy_bypass_list;
// The params are network context specific which will be merged with
// the dynamic preference from NetworkService side, to populate
// HttpAuthPreference.
HttpAuthStaticNetworkContextParams? http_auth_static_network_context_params;
// Indicates that the HttpCache back-end should be reset (e.g. when a Finch
// experiment changes the cache key representation via NetworkIsolationKey).
// A reset throws out all existing cache content when loading the cache,
// effectively starting with an empty cache.
bool reset_http_cache_backend = false;
// See comments on NetworkContext.SetSplitAuthCacheByNetworkAnonymizationKey.
bool split_auth_cache_by_network_anonymization_key = false;
// If true, all requests that can take a NetworkAnonymizationKey
// or IsolationInfo must be given a non-empty one.
bool require_network_anonymization_key = false;
// If true, then the correct permissions have been set on the network service
// files and sandbox can be enabled for this network context.
[EnableIf=win_permissions_validation]
bool win_permissions_set = false;
// The paths to data files used by this network context, except for the disk
// cache which is specified by the `http_cache_directory` parameter.
// If empty then persistent storage for all of the files within this
// parameter will be disabled for the network context and some data may be
// stored in memory or disabled. See the above definition of each inner field
// for details of these behaviors.
NetworkContextFilePaths? file_paths;
// Is true, Trust Token operations should be blocked.
bool block_trust_tokens;
// Whether "Compression dictionary transport" feature should be enabled.
bool shared_dictionary_enabled = false;
// Maximum size of the shared dictionary cache. If this value is 0, the max
// size will be propagated via SetSharedDictionaryCacheMaxSize message.
// Ignored if `shared_dictionary_enabled` field is false.
uint64 shared_dictionary_cache_max_size = 0;
// Parameters for constructing the FirstPartySetsAccessDelegate.
// |first_party_sets_access_delegate_params| is the initial configuration to
// use. If nullptr, uses the default configuration. Updated configurations
// can be passed in via |first_party_sets_access_delegate_receiver|.
FirstPartySetsAccessDelegateParams? first_party_sets_access_delegate_params;
pending_receiver<FirstPartySetsAccessDelegate>?
first_party_sets_access_delegate_receiver;
// TODO(crbug.com/40777535): This flag is intended to be temporary and to be
// removed (always enabled) in the future.
bool acam_preflight_spec_conformant = true;
// To support 3PCD experimentation, a per-partition `cookie_deprecation_label`
// will be sent to developers who opt-in to receiving it. This enables server
// side opt-in to testing without cookies. See:
// https://developer.chrome.com/en/docs/privacy-sandbox/chrome-testing/#mode-a
// A non defined value indicates that the 3PCD experimentation feature is
// disabled for this client or that the profile is guest or incognito.
// A defined and non-empty value indicates that the 3PCD experiment feature is
// enabled, the client is eligible to it and the profile is not guest or
// incognito.
// A defined but empty value indicates that the 3PCD experimentation feature
// is enabled for the client but the client is not eligible for it or the
// label value defined by the experiment is empty.
string? cookie_deprecation_label;
// Sets the cookie encryption provider to be used by this network context if
// `enable_encrypted_cookies` is also enabled.
// If both are set then the `GetEncryptor` method on the supplied
// `cookie_encryption_provider` is called to obtain a valid set of keys for
// cookie encryption.
pending_remote<CookieEncryptionProvider>? cookie_encryption_provider;
// Enables Device Bound Session Credential for this network context.
bool device_bound_sessions_enabled = false;
// Represents a net::handles::NetworkHandle.
// If != net::handles::kInvalidNetworkHandle (== -1), then the NetworkContext
// built out of this will own a URLRequestContext bound to that network (refer
// to net::UrlRequestContextBuilder::bindToNetwork documentation). This
// effectively means that URLLoaderFactories, returned by the NetworkContext
// created out of this, will perform all network request using only
// |bound_network|.
int64 bound_network = -1;
};
struct NetworkConditions {
// If set, the offline state is simulated and other fields are ignored.
bool offline;
// Channel round-trip latency, i.e. minimum time between request sent and
// response received.
mojo_base.mojom.TimeDelta latency;
// Maximal aggregated download throughput (bytes/sec). <=0 disables download
// throttling.
double download_throughput;
// Maximal aggregated upload throughput (bytes/sec). <=0 disables upload
// throttling.
double upload_throughput;
// Packet loss for WebRTC connections (percent, 0 to 100).<= 0 disables
// packet loss.
double packet_loss;
// Packet queue length for WebRTC connections (packet count). <=0 allows for
// an infinite queue.
int32 packet_queue_length;
// Allow packet reordering for WebRTC connections.
bool packet_reordering;
};
// Represents a shared dictionary.
// Spec: https://datatracker.ietf.org/doc/draft-ietf-httpbis-compression-dictionary/
struct SharedDictionaryInfo {
// The "match" value of the Use-As-Dictionary header.
string match;
// The "match-dest" value of the Use-As-Dictionary header.
array<RequestDestination> match_dest;
// The "id" value of the Use-As-Dictionary header.
string id;
// The URL of the dictionary.
url.mojom.Url dictionary_url;
// The time when Chrome fetched the dictionary.
mojo_base.mojom.Time last_fetch_time;
// The time when Chrome received the dictionary.
mojo_base.mojom.Time response_time;
// The time when this dictionary will be unusable.
mojo_base.mojom.TimeDelta expiration;
// The time when this dictionary was used in the last time.
mojo_base.mojom.Time last_used_time;
// The size of the dictionary binary.
uint64 size;
// The SHA256 hash of the dictionary binary.
SHA256HashValue hash;
};
// Represents a signed exchange report.
// Spec: https://wicg.github.io/webpackage/loading.html#queue-report
struct SignedExchangeReport {
bool success;
string type;
url.mojom.Url outer_url;
url.mojom.Url inner_url;
url.mojom.Url cert_url;
string referrer;
IPAddress server_ip_address;
string protocol;
string method;
int32 status_code;
mojo_base.mojom.TimeDelta elapsed_time;
};
const int32 kBrowserProcessId = 0;
const int32 kInvalidProcessId = -1;
// URLLoaderFactory made by the network service consists of two layers of
// factories, the "internal" one that directly talks to the //net layer, and
// the "outer" one (which is also called CorsURLLoader) that enforces necessary
// security features such as CORS.
//
// This struct can be used to specify an alternative "internal"
// URLLoaderFactory so that the requests can still go through the "outer" one
// for security features, but then they are routed to the alternative
// |overriding_factory| rather than the one that talks to //net, which is also
// exposed to the consumer as |overridden_factory_receiver|.
//
// |overridden_factory_receiver| is useful when the receiver of
// |overriding_factory|| wants to decide which (of the "internal", or the
// "alternative" one) URLLoaderFactory to use on a per-request basis.
struct URLLoaderFactoryOverride {
// This factory replaces the "internal" factory.
pending_remote<URLLoaderFactory> overriding_factory;
// A receiver for the replaced "internal" URLLoaderFactory.
pending_receiver<URLLoaderFactory>? overridden_factory_receiver;
// Specifies if we should accept unknown schemes for CORS-enabled requests
// so that the |overriding_factory| can provide content for custom schemes.
bool skip_cors_enabled_scheme_check = false;
};
// Type for verdict on whether to forbid a Trust Tokens operation, based on
// permissions policy of the relevant context.
// (https://github.com/wicg/trust-token-api).
//
// kForbid is for requests from subframes with the underlying operation's
// Permissions Policy feature disabled by (1) policies inherited from their
// parents, or (2) the frames' iframe tag attributes.
//
// Note: Response headers can also disable a Trust Token operation Permissions
// Policy feature. This will not necessarily be reflected in the the enum's
// value. The response headers' value is only available from an untrusted
// source.
// - If the renderer behaves correctly, renderer-side checks guarantee that
// these operations will not be executed in frames with the policy disabled
// via response headers.
// - If the renderer doesn't behave correctly, there's no point in
// propagating the renderer's untrusted report about the response headers'
// value.
enum TrustTokenOperationPolicyVerdict {
kForbid,
kPotentiallyPermit,
};
[EnableIf=is_ct_supported]
enum SCTAuditingMode {
// SCT auditing is completely disabled.
kDisabled,
// The user has opted-in to ESBR, so sampled SCTs are sent to Google.
kEnhancedSafeBrowsingReporting,
// The user is not opted-in to ESBR, and hashdance auditing is enabled.
// Perform a k-anonymous prefix query for sampled SCTs, and upload only if the
// SCT is not present in a log.
kHashdance,
};
struct URLLoaderFactoryParams {
// Process that will be using the URLLoaderFactory to initiate HTTP requests.
// (This is *not* necessarily the same process that creates the factory,
// since only the Browser process should be able to call
// NetworkContext::CreateURLLoaderFactory.)
//
// Set to kBrowserProcessId to indicate the browser process.
// SECURITY NOTE: Factories with kBrowserProcessId should not be sent
// to untrustworthy processes.
//
// Set to RenderProcessHost::GetID() to indicate a renderer process.
// SECURITY NOTE: Factories should not be shared among multiple renderer
// processes (e.g. |request_initiator_origin_lock| is specific to a single
// renderer process).
int32 process_id = kInvalidProcessId;
// If specified, then |request_initiator_origin_lock| locks
// |ResourceRequest::request_initiator| to the specified origin.
//
// SECURITY NOTE: |request_initiator_origin_lock| should be present in all
// factories that may be vended to a Renderer process.
// |request_initiator_origin_lock| may be missing only in factories used by
// the Browser process.
url.mojom.Origin? request_initiator_origin_lock;
// Opaque Response Blocking (ORB) configuration.
bool is_orb_enabled = true;
// Whether |isolated_world_origin| from network::ResourceRequest should be
// ignored. Set |ignore_isolated_world_origin| to |false| to allow isolated
// worlds to bypass CORS security checks via OriginAccessList.
//
// TODO(crbug.com/40137011): Remove the `ignore_isolated_world_origin`
// field once Chrome Platform Apps are gone.
bool ignore_isolated_world_origin = true;
// Indicate whether a request is not from web page ( probably from chrome
// extension background page ).
bool unsafe_non_webby_initiator = false;
// If `true`, this factory is being created for a context that isn't
// considered to be of the web. "Site"-based features, like Fetch
// Metadata's `Sec-Fetch-Site` header will treat all requests from
// this factory as initiated by the user agent itself, not from any
// particular page.
bool disable_web_security = false;
// If this is set, requests with the kURLLoadOptionUseHeaderClient option will
// callback to the |header_client|, allowing the Cookie/Referrer request
// headers and Cookie response headers to be modified. This has a performance
// impact because of the extra process hops, so use should be minimized.
pending_remote<TrustedURLLoaderHeaderClient>? header_client;
// Information used restrict access to identity information (like SameSite
// cookies) and to shard network resources, like the cache. If set, takes
// precedence over ResourceRequest::TrustedParams::IsolationInfo field
// of individual requests.
IsolationInfo isolation_info;
// Whether secure DNS should be disabled for requests.
bool disable_secure_dns = false;
// True if this is for exclusive use by a trusted consumer. Only trusted
// consumers can issue requests with ResourceRequest::trusted_params
// populated.
bool is_trusted = false;
// If true, a cookie-less IsolationInfo is automatically assigned to
// URLLoaders based on the URL being requested. The IsolaitonInfo will
// have an empty SiteForCookies. If this is true, |isolation_info| must be
// null. ResourceRequest::TrustedParams::IsolationInfo, if non-empty, will
// take precedence over automatically assigning an IsolationInfo.
bool automatically_assign_isolation_info = false;
// Whether URLLoaders created by this factory need to call
// URLLoaderNetworkServiceObserver::OnLoadingStateUpdate.
bool provide_loading_state_updates = false;
// An identifier for toplevel frame. This is used for resource accounting
// for keepalive requests. When this factory is for a dedicated worker,
// the identifier for the toplevel frame of the ancestor's frame is given.
// When this factory is for a shared/service worker, null is given.
mojo_base.mojom.UnguessableToken? top_frame_id;
// Replaces the "internal" factory used by security features such as CORS.
URLLoaderFactoryOverride? factory_override;
// Used to enforce security properties on the requests loaded by the
// URLLoader based on the Fetch client state.
ClientSecurityState? client_security_state;
// Used to report CORP violations caused by COEP.
pending_remote<CrossOriginEmbedderPolicyReporter>? coep_reporter;
// Used to notify clients about cookie reads or writes.
pending_remote<CookieAccessObserver>? cookie_observer;
// Used to notify clients about Trust Token accesses.
pending_remote<TrustTokenAccessObserver>? trust_token_observer;
// Used to notify clients about shared dictionary reads or writes.
pending_remote<SharedDictionaryAccessObserver>? shared_dictionary_observer;
// Used to notify clients about authentication and certificate events.
pending_remote<URLLoaderNetworkServiceObserver>? url_loader_network_observer;
// Used to notify devtools about events.
pending_remote<DevToolsObserver>? devtools_observer;
// If this equals kForbid, the context to which this loader is bound does not
// allow Trust Tokens (https://github.com/wicg/trust-token-api) issuance
// operation.
//
// TODO(crbug.com/40126948): Once Permissions Policy headers are available from
// a trusted source, it would be good to set this depending on the headers'
// values, too.
TrustTokenOperationPolicyVerdict
trust_token_issuance_policy = kPotentiallyPermit;
// If this equals kForbid, the context to which this loader is bound does not
// allow any Trust Tokens (https://github.com/wicg/trust-token-api)
// redemption or signing operations.
//
// TODO(crbug.com/40126948): Once Permissions Policy headers are available from
// a trusted source, it would be good to set this depending on the headers'
// values, too.
TrustTokenOperationPolicyVerdict
trust_token_redemption_policy = kPotentiallyPermit;
// TODO(lukasza): https://crbug.com/1151008: Consider removing this
// diagnostic aid once the bug is understood.
string debug_tag = "";
// Lists all the cookie setting overrides that should be specified on
// each URLRequest.
CookieSettingOverrides cookie_setting_overrides;
// If `require_cross_site_request_for_cookies` is specified, then all
// loaded requests must have an empty site_for_cookies to ensure only
// SameSite=None cookies can be attached to the request.
// For context on usage see:
// https://privacycg.github.io/saa-non-cookie-storage/shared-workers.html
bool require_cross_site_request_for_cookies = false;
};
// A blind-signed auth token, suitable for use with IP protection proxies.
struct BlindSignedAuthToken {
// The token value, for inclusion in a header.
string token;
// The expiration time of this token.
mojo_base.mojom.Time expiration;
};
// The proxy layer to fetch batches of tokens for.
enum IpProtectionProxyLayer {kProxyA, kProxyB};
// A source for IP protection information from the browser process.
interface IpProtectionConfigGetter {
// Try to get a batch of new tokens.
//
// This may take some time, if external network requests are required. If no
// tokens are available, it will return nullopt for `bsa_tokens` and
// `try_again_after` will contain the time after which the getter suggests
// trying again, as a form of backoff.
//
// It is forbidden for two calls to this method to be outstanding at the same
// time.
TryGetAuthTokens(uint32 batch_size, IpProtectionProxyLayer proxy_layer) =>
(array<BlindSignedAuthToken>? bsa_tokens,
mojo_base.mojom.Time? try_again_after);
// Get the list of IP Protection proxy chains. The list contains lists of
// proxy chain hostnames, in order of preference. Callers should prefer
// the first proxy, falling back to later proxies in the list. All proxies
// are implicitly HTTPS.
//
// This method will return an up-to-date list, possibly fetching that list
// remotely before returning it.
GetProxyList() => (array<ProxyChain>? proxy_list);
};
// Access to the IP Protection ProxyDelegate in the network service process.
interface IpProtectionProxyDelegate {
// Used to facilitate cross-process testing of the IP Protection feature. This
// method will:
// - Disable active cache management and reset the IP Protection cache to a
// no-tokens and no-cooldown state, and,
// - Return the current cooldown if one has been set, or,
// - Initiate an IP Protection token request to the browser process and
// return either a returned token or the returned cooldown time
VerifyIpProtectionConfigGetterForTesting()
=> (BlindSignedAuthToken? bsa_token,
mojo_base.mojom.Time? try_again_after);
// Indicates that the IP Protection config cache in the Network Service should
// no longer wait before requesting tokens from the browser process (called in
// response to user account status changes that allow IP Protection to start
// working as expected).
InvalidateIpProtectionConfigCacheTryAgainAfterTime();
// Indicates that the state of the IP Protection feature has changed and the
// network service should update it's state accordingly (including tearing
// down existing proxied connections, if `value` is false).
SetIpProtectionEnabled(bool value);
// Returns the Network Service's state regarding whether IP Protection is
// enabled, for testing.
IsIpProtectionEnabledForTesting() => (bool value);
};
// Represents a distinct context for making network requests, with its own
// storage (e.g. cookies and cache).
//
// NetworkContext is implemented by the network service. It is a trusted
// interface that must not be sent to an untrusted process like a renderer
// process. Only the browser process or privileged utilities should have access
// to it.
[RequireContext=sandbox.mojom.Context.kPrivilegedUtility]
interface NetworkContext {
// Sets a client for this network context.
SetClient(pending_remote<NetworkContextClient> client);
// Creates a new URLLoaderFactory with the given |params|.
CreateURLLoaderFactory(pending_receiver<URLLoaderFactory> url_loader_factory,
URLLoaderFactoryParams params);
// Destroys all URLLoaderFactory bindings, which should then be regenerated.
// This should be called if there is a change to the proxies which should be
// used on URLLoaders.
ResetURLLoaderFactories();
// Uses Oblivious HTTP to indirectly perform the request. Specification at
// https://ietf-wg-ohai.github.io/oblivious-http/draft-ietf-ohai-ohttp.html
GetViaObliviousHttp(ObliviousHttpRequest request,
pending_remote<ObliviousHttpClient> client);
// Gets the CookieManager associated with this network context.
//
// The CookieManager must only be passed to trusted processes. Whenever
// possible, a RestrictedCookieManager should be handed out instead.
[AllowedContext=sandbox.mojom.Context.kBrowser]
GetCookieManager(pending_receiver<CookieManager> cookie_manager);
// Gets a RestrictedCookieManager scoped to a given origin, and applying
// settings configured on the CookieManager associated with this domain.
//
// |origin| represents the domain for which the RestrictedCookieManager can
// access cookies. It could either be a frame origin when |role| is
// RestrictedCookieManagerRole::SCRIPT (a script scoped to a particular
// document's frame)), or a request origin when |role| is
// RestrictedCookieManagerRole::NETWORK (a network request).
//
// |isolation_info| contains info for SameSite cookie queries.
// Must be fully populated.
//
// If |role| == SCRIPT, this interface can be safely handed out to a process
// that is known to represent the given origin, such as a renderer process.
GetRestrictedCookieManager(
pending_receiver<RestrictedCookieManager> restricted_cookie_manager,
RestrictedCookieManagerRole role,
url.mojom.Origin origin,
IsolationInfo isolation_info,
CookieSettingOverrides cookie_setting_overrides,
pending_remote<CookieAccessObserver>? cookie_observer);
// Provides a TrustTokenQueryAnswerer scoped to the given top-frame origin
// (subsequent calls to its HasTrustTokens(issuer) and
// HasRedemptionRecord(issuer) methods will attempt to
// associate |issuer| with |top_frame_origin|, in the sense of
// TrustTokenStore::SetAssociation, and reject if |top_frame_origin| is
// already at its number-of-associated-issuers limit).
//
// The caller must ensure (enforced by ReportBadMessage) that
// |top_frame_origin| is both
// (1) potentially trustworthy and
// (2) either HTTP or HTTPS.
//
// The first is a general security requirement; the second is in order to
// ensure that the origin has a unique serialization (and, consequently, is
// suitable for keying persistent Trust Tokens state).
GetTrustTokenQueryAnswerer(
pending_receiver<TrustTokenQueryAnswerer> trust_token_query_answerer,
url.mojom.Origin top_frame_origin);
// Clears persistent Trust Tokens data keyed by the origins in |filter|, and
// by origins corresponding to the domains in |filter|.
//
// A null |filter| indicates that all Trust Tokens data should be cleared.
ClearTrustTokenData(ClearDataFilter? filter) => ();
// Clears session only Trust Tokens data. Depends on CookieSettings
// at determining which data is session only.
ClearTrustTokenSessionOnlyData() => (bool any_data_deleted);
// Returns the number of signed-but-not-spent Trust Tokens.
GetStoredTrustTokenCounts()
=> (array<StoredTrustTokensForIssuer> tokens);
// Deletes all Trust Tokens issued by |issuer|.
//
// This method is narrower as ClearTrustTokenData. ClearTrustTokenData
// also clears out Redemption Records.
DeleteStoredTrustTokens(url.mojom.Origin issuer)
=> (DeleteStoredTrustTokensStatus status);
// Set Trust Token blocking to |block|.
SetBlockTrustTokens(bool block);
// Clears network objects with implicit URL history information. Data related
// to events that happened prior to |start_time| and after |end_time| may be
// retained. Only applies to network objects without more specific methods
// (Cookies, and the cache have, or will have, their own clearing APIs). This
// currently only covers server properties and transport security state.
//
// The callback will be invoked once the data has been deleted.
ClearNetworkingHistoryBetween(mojo_base.mojom.Time start_time,
mojo_base.mojom.Time end_time) => ();
// Clears content from the HTTP cache. A specific range of time can be
// specified with `start_time` and `end_time`. This supports unbounded deletes
// in either direction by using null Time values for either argument.
// If a non-null |filter| is specified, will clear only entries matching the
// filter.
ClearHttpCache(mojo_base.mojom.Time start_time,
mojo_base.mojom.Time end_time,
ClearDataFilter? filter) => ();
// Computes the size of cache objects last accessed between |start_time| and
// |end_time|.
//
// If you don't want a lower bound, pass base::Time() for |start_time|.
// If you don't want an upper bound, pass base::Time::Max()
//
// |upper_bound| will be returned as true if the implementation had to
// overestimate; this may be as bad as giving the size of the entire cache.
//
// |size_or_error|, if non-negative, is the result in bytes; and a net error
// code if negative.
ComputeHttpCacheSize(mojo_base.mojom.Time start_time,
mojo_base.mojom.Time end_time)
=> (bool is_upper_bound, int64 size_or_error);
// Notifies the HttpCache of a renderer-level cache hit with |url|
// and |http_method|, with the network isolation key |key| and
// |is_subframe_document_resource| is true if this is a subframe navigation
// resource.
//
// This is being proxied by the browser because the renderer is unable to
// directly interact with NetworkContext.
NotifyExternalCacheHit(url.mojom.Url url, string http_method,
NetworkIsolationKey key,
bool is_subframe_document_resource,
bool include_credentials);
// Clears the host cache. This will affect all NetworkContexts that share the
// same HostResolved as the NetworkContext this is called on.
//
// If a non-null |filter| is specified, will clear only entries for domains
// matching the filter. Filtering by origins is not supported. If |filter| is
// non-null, |filter.origins| must be empty.
ClearHostCache(ClearDataFilter? filter) => ();
// Clears all entries from the HTTP Auth cache that were between |start_time|
// and |end_time|, with |start_time| being inclusive and |end_time| exclusive.
//
// If a non-null |filter| is specified, ClearHttpAuthCache will clear only
// AuthCache entries for URLs matching the filter. Filtering by both origins
// and domains is supported. If |filter| is non-null, you must provide either
// |filter.origins| or |filter.domains|, or both to define the filtering.
ClearHttpAuthCache(mojo_base.mojom.Time start_time,
mojo_base.mojom.Time end_time,
ClearDataFilter? filter) => ();
// Clears entries from the Preflight Cache according to the specified filter.
// Clear browsing history supports time ranges for the last 1hr, 24hr, 7d, 4w,
// and all time.
// Chrome caps the Access-Control-Max-Age header value for CORS-preflight
// responses to 2hrs.
// We opted for not to implement time range removal of entries from the
// PreflightCache, as it will just serve the 1hr. period. Instead, we always
// perform an "all-time" removal.
// Clears all entries if |filter| isn't specified
ClearCorsPreflightCache(ClearDataFilter? filter) => ();
// Clears all report entries from the reporting cache. This has no effect if
// the ENABLE_REPORTING build flag is false.
//
// If a non-null |filter| is specified, will clear only entries matching the
// filter.
ClearReportingCacheReports(ClearDataFilter? filter) => ();
// Clears all client entries from the reporting cache. This has no effect if
// the ENABLE_REPORTING build flag is false.
//
// If a non-null |filter| is specified, will clear only entries matching the
// filter.
ClearReportingCacheClients(ClearDataFilter? filter) => ();
// Clears policy entries from the NetworkErrorLoggingService. This has no
// effect if the ENABLE_REPORTING build flag is false.
//
// If a non-null |filter| is specified, will clear only entries matching the
// filter.
ClearNetworkErrorLogging(ClearDataFilter? filter) => ();
// Mirror of domain_reliability::DomainReliabilityClearMode.
enum DomainReliabilityClearMode {CLEAR_CONTEXTS, CLEAR_BEACONS};
// Clears Domain Reliability entries, specified by |mode|.
ClearDomainReliability(ClearDataFilter? filter,
DomainReliabilityClearMode mode) => ();
// Clears dictionaries from the shared dictionary cache. A specific range of
// time can be specified with `start_time` and `end_time`. This supports
// unbounded deletes in either direction by using null Time values for either
// argument. If a non-null |filter| is specified, will clear only entries
// matching the filter.
ClearSharedDictionaryCache(mojo_base.mojom.Time start_time,
mojo_base.mojom.Time end_time,
ClearDataFilter? filter) => ();
// Clears dictionaries registered for `isolation_key` from the shared
// dictionary cache.
ClearSharedDictionaryCacheForIsolationKey(
SharedDictionaryIsolationKey isolation_key) => ();
// Configures per-resource reporting endpoints set with the
// Reporting-Endpoints header.
// |reporting_source| is a token which identifies the document or worker with
// which the header was received. The endpoints configured by this method are
// only used to deliver reports which are queued by that same source.
// |isolation_info| is used when creating the endpoints in the ReportingCache
// and when determining which credentials to send with uploaded reports. Its
// network isolation key will need to match the key sent when reports are
// queued, in order for these reporting endpoints to be considered for
// delivery, although this should always be the case when reports are queued
// by the same source which configured the endpoints.
// |endpoints| is a mapping of endpoint name to URL (URLs here are represented
// as strings, and will be rejected if they fail to parse or are not secure).
//
// Spec: https://w3c.github.io/reporting/#header
SetDocumentReportingEndpoints(
mojo_base.mojom.UnguessableToken reporting_source,
url.mojom.Origin origin, IsolationInfo isolation_info,
map<string,string> endpoints);
// Queues any outstanding reports for a single |reporting_source| (which
// must not be empty), and removes the reporting endpoint configuration for
// that source. This is called when the reporting source (document or worker)
// is destroyed.
SendReportsAndRemoveSource(
mojo_base.mojom.UnguessableToken reporting_source);
// Queues a report via the Reporting API. |type| describes the type of report
// (as well as what data will contained in |body|). |group| specifies the
// endpoint group that the report will be delivered to. |url| indicates the
// URL of the resource that the report describes. |user_agent| may be
// provided, or will be automatically generated if omitted; |body| holds the
// contents of the report.
//
// |reporting_source| and |network_isolation_key| are used both for looking
// up the appropriately scoped reporting information and for sending the
// report. |network_anonymization_key| indicates the NetworkAnonymizationKey
// associated with the request, while |reporting_source|, if not empty,
// identifies the specific document or worker instance causing the report to
// be queued. If |reporting_source| is not empty, then it will be used to
// look up reporting endpoints set with the SetDocumentReportingEndpoints
// method first, and if no matching endpoint is found, it will fall back to
// looking up a matching endpoint group configured for the origin and
// |network_isolation_key|.
//
// Note that this queued report will never be delivered if no reporting
// endpoint is registered for this |url| or |reporting_source| with the
// provided |network_isolation_key|.
//
// Spec: https://w3c.github.io/reporting/#concept-reports
QueueReport(string type,
string group,
url.mojom.Url url,
mojo_base.mojom.UnguessableToken? reporting_source,
NetworkAnonymizationKey network_anonymization_key,
string? user_agent,
mojo_base.mojom.DictionaryValue body);
// Queues a signed exchange report.
//
// Note that this queued report will never be delivered if no reporting
// endpoint matching is registered for with the provided
// |network_isolation_key|.
QueueSignedExchangeReport(SignedExchangeReport report,
NetworkAnonymizationKey network_anonymization_key);
// Closes all open connections within this context.
CloseAllConnections() => ();
// Close all idle connections for the HTTP network session used by
// this context.
CloseIdleConnections() => ();
// Configures network conditions for the specified throttling profile.
// The throttling will be applied only to requests that have matching
// throttling_profile_id.
// Passing null NetworkConditions disables the throttling.
SetNetworkConditions(mojo_base.mojom.UnguessableToken throttling_profile_id,
NetworkConditions? conditions);
// Updates the Accept-Language header to be used for requests.
SetAcceptLanguage(string new_accept_language);
// If false, the referrer of requests is never populated.
SetEnableReferrers(bool enable_referrers);
// Updates the CT policy to be used for requests. Only applies if the
// NetworkContextParams set enforce_chrome_ct_policy to true.
// TODO(rsleevi): Remove this once Chrome-specific policies are moved out
// of the network service.
[EnableIf=is_ct_supported]
SetCTPolicy(CTPolicy ct_policy);
// Creates a UDP socket. Caller can supply a |listener| interface pointer
// to listen for incoming datagrams. A null |listener| is acceptable if caller
// is not interested in incoming data.
// Any sockets that are created but are yet to be destroyed will be destroyed
// when NetworkContext goes away.
CreateUDPSocket(pending_receiver<UDPSocket> receiver,
pending_remote<UDPSocketListener>? listener);
// Creates a Restricted UDP socket that wraps an internal UDP Socket connected
// or bound to |addr| with |params| depending on the provided |mode|.
//
// The socket created can only be used for the purpose specified in
// |traffic_annotation|, and cannot be re-used for other purposes.
//
// Caller can supply a |listener| interface pointer to listen for incoming
// datagrams. A null |listener| is acceptable if caller is not interested in
// incoming data.
//
// On success, the resulting local address will be written to |local_addr_out|
// and |result| is net::OK. On failure, |result| is a network error code.
//
// Any sockets that are created but are yet to be destroyed will be destroyed
// when NetworkContext goes away.
CreateRestrictedUDPSocket(
IPEndPoint addr,
RestrictedUDPSocketMode mode,
MutableNetworkTrafficAnnotationTag traffic_annotation,
RestrictedUDPSocketParams? params,
pending_receiver<RestrictedUDPSocket> receiver,
pending_remote<UDPSocketListener>? listener)
=> (int32 result, IPEndPoint? local_addr_out);
// Creates a TCP server socket that listens on |local_addr|. The socket
// created can only be used for the purpose specified in |traffic_annotation|,
// and cannot be re-used for other purposes. Caller must specify an address
// family in |local_addr| to be either IPv4 or IPv6. If port in |local_addr|
// is 0, the OS will pick an available port. If address bytes are 0, the OS
// will pick a local address of the specified address family.
// On success, the resulting local address will be written to |local_addr_out|
// and |result| is net::OK. On failure, |result| is a network error code.
//
// Any sockets that are created but are yet to be destroyed will be destroyed
// when NetworkContext goes away.
CreateTCPServerSocket(IPEndPoint local_addr,
TCPServerSocketOptions options,
MutableNetworkTrafficAnnotationTag traffic_annotation,
pending_receiver<TCPServerSocket> socket)
=> (int32 result, IPEndPoint? local_addr_out);
// Creates a TCP socket connected to |remote_addr|. |observer| if non-null
// will be used to listen for any network connection error on the newly
// established connection. The socket created can only be used for the purpose
// specified in |traffic_annotation|, and cannot be re-used for other
// purposes. |local_addr| should be set to null unless the caller wants to
// bind the socket to a specific address and port. On success, |result| is
// net::OK. Caller is to use |send_stream| to send data and |receive_stream|
// to receive data over the connection. On failure, |result| is a network
// error code.
//
// If the client closes |socket| before this completes, the callback will be
// invoked with net::ERR_ABORTED.
//
// Any sockets that are created but are yet to be destroyed will be destroyed
// when NetworkContext goes away.
CreateTCPConnectedSocket(
IPEndPoint? local_addr,
AddressList remote_addr_list,
TCPConnectedSocketOptions? tcp_connected_socket_options,
MutableNetworkTrafficAnnotationTag traffic_annotation,
pending_receiver<TCPConnectedSocket> socket,
pending_remote<SocketObserver>? observer)
=> (int32 result,
IPEndPoint? local_addr,
IPEndPoint? peer_addr,
handle<data_pipe_consumer>? receive_stream,
handle<data_pipe_producer>? send_stream);
// Creates a TCPSocket bound to |local_addr|. The socket created can only be
// used for the purpose specified in |traffic_annotation|, and cannot be
// re-used for other purposes. |local_addr| is treated the same as in
// CreateTCPServerSocket().
//
// On success, the resulting local address will be written to |local_addr_out|
// and |result| is net::OK. On failure, |result| is a network error code.
//
// It's recommended consumers use CreateTCPServerSocket() or
// CreateTCPConnectedSocket(). This method is just provided so legacy
// consumers can mimic Berkeley sockets semantics.
CreateTCPBoundSocket(IPEndPoint local_addr,
MutableNetworkTrafficAnnotationTag traffic_annotation,
pending_receiver<TCPBoundSocket> socket)
=> (int32 result, IPEndPoint? local_addr);
// Creates a ProxyResolvingSocketFactory that shares some configuration params
// with this NetworkContext, but uses separate socket pools.
//
// Any sockets that are created but are yet to be destroyed will be destroyed
// when NetworkContext goes away.
CreateProxyResolvingSocketFactory(
pending_receiver<ProxyResolvingSocketFactory> factory);
// Looks up what proxy to use for a particular URL. |network_isolation_key|
// is used to partition the DNS cache in the case a PAC script is used, and
// should match the NIK of the frame the lookup is for use with.
LookUpProxyForURL(url.mojom.Url url,
NetworkAnonymizationKey network_anonymization_key,
pending_remote<ProxyLookupClient> proxy_lookup_client);
// Forces refetching the proxy configuration, and applying it.
ForceReloadProxyConfig() => ();
// Clears the list of bad proxy servers that has been cached.
ClearBadProxiesCache() => ();
// Creates a WebSocket connection to |url|. |requested_protocols| is a
// list of tokens identifying sub-protocols the renderer would like to use,
// as described in RFC6455 "Subprotocols Using the WebSocket Protocol".
// |additional_headers| are miscellaneous HTTP headers to be added to the
// request. Headers semantically relevant to the WebSocket handshake such
// as "sec-websocket-protocol" and "origin" are handled separately, (e.g.,
// "sec-websocket-protocol" is constructed from |requested_protocols| in this
// message). |site_for_cookies| represents the first-party origin for the
// request. |has_storage_access| is whether the calling context has opted into
// using a "storage-access" permission grant. |options| may be a combination
// of the kWebSocketOption* flags. |isolation_info| includes SiteForCookies,
// top frame origin, and current frame origin, and is used to isolate shared
// network stack resources based on the context. It must have
// RediredMode::kUpdateNothing. Currently, |isolation_info|'s SiteForCookies
// field is ignored, but it will eventually replace the |site_for_cookies|
// parameter.
//
// If |header_client| is set, requests with the kURLLoadOptionUseHeaderClient
// option will callback to the |header_client|, allowing the Cookie/Referrer
// request headers and Cookie response headers to be modified. This has a
// performance impact because of the extra process hops, so use should be
// minimized.
//
// Requests from a system context should set |process_id| to
// |kBrowserProcessId|. In that case |render_frame_id| MUST be zero. These
// values will still be passed to |OnSSLCertificateError| as needed but no
// throttling will be performed for such WebSockets.
//
// Detect mojo connection errors on |handshake_client| until the connection
// is established.
// Do *NOT* interpret mojo connection errors on |auth_handler| and
// |header_client| as WebSocket connection errors. They are disconnected when
// the connection is established, and due to message ordering uncertainty we
// cannot know what happened.
//
// |throttling_profile_id| can be provided to allow network conditions
// emulation for this web socket connection. Emulated network conditions
// can be set by calling SetNetworkConditions with a matching throttling
// profile id.
CreateWebSocket(
url.mojom.Url url,
array<string> requested_protocols,
SiteForCookies site_for_cookies,
bool has_storage_access,
IsolationInfo isolation_info,
array<HttpHeader> additional_headers,
int32 process_id,
url.mojom.Origin origin,
uint32 options,
MutableNetworkTrafficAnnotationTag traffic_annotation,
pending_remote<WebSocketHandshakeClient> handshake_client,
pending_remote<URLLoaderNetworkServiceObserver>? url_loader_network_observer,
pending_remote<WebSocketAuthenticationHandler>? auth_handler,
pending_remote<TrustedHeaderClient>? header_client,
mojo_base.mojom.UnguessableToken? throttling_profile_id);
// Creates a WebTransport connection to |url|. |origin| is used for the
// client indication - see
// https://tools.ietf.org/html/draft-vvv-webtransport-quic-01#section-3.2 .
// When |fingerprints| is not empty, it is used to verify the certificate.
// https://wicg.github.io/web-transport/#dom-quictransportconfiguration-server_certificate_fingerprints
//
// It is recommended to detect mojo connection errors on |handshake_client|.
CreateWebTransport(
url.mojom.Url url,
url.mojom.Origin origin,
NetworkAnonymizationKey network_anonymization_key,
array<WebTransportCertificateFingerprint> fingerprints,
pending_remote<WebTransportHandshakeClient> handshake_client);
// Create a NetLogExporter, which helps export NetLog to an existing file.
// Note that the log is generally global, including all NetworkContexts
// managed by the same NetworkService. The particular NetworkContext this is
// called on will determine which NetworkContext gets its information and
// configuration summary written out at the end of the log.
CreateNetLogExporter(pending_receiver<NetLogExporter> receiver);
// Tries to preconnect to |url|. |num_streams| may be used to request more
// than one connection be established in parallel.
// The sockets will only be used for requests which share the same values for
// |credentials_mode| and |network_anonymization_key|.
PreconnectSockets(uint32 num_streams,
url.mojom.Url url,
network.mojom.CredentialsMode credentials_mode,
NetworkAnonymizationKey network_anonymization_key);
// Creates a P2PSocketManager instance, used for WebRTC.
// |network_isolation_key| is the network cache shard to associate with the
// P2PSocketManager instance, and affects DNS cache shard used and proxy
// connection sharing.
[EnableIf=is_p2p_enabled]
CreateP2PSocketManager(
NetworkAnonymizationKey network_anonymization_key,
pending_remote<P2PTrustedSocketManagerClient> client,
pending_receiver<P2PTrustedSocketManager> trusted_socket_manager,
pending_receiver<P2PSocketManager> socket_manager);
// Creates an MdnsResponder instance.
CreateMdnsResponder(pending_receiver<MdnsResponder> responder_receiver);
// Resolves the given hostname (or IP address literal). See documentation at
// HostResolver::ResolveHost.
//
// All outstanding requests are cancelled if the NetworkContext is destroyed.
// Such requests will receive ERR_FAILED via `response_client`.
//
// When `host` is a SchemeHostPort, behaves under the assumption that the
// resolution is being done for the purpose of making a connection with the
// specified scheme to the specified host and port. This could result in
// scheme-specific DNS queries, e.g. for HTTPS resource records, and special
// errors if DNS indicates a connection should not be made using the
// specified scheme, e.g. ERR_DNS_NAME_HTTPS_ONLY indicates that a connection
// should not be made without first redirecting an http or ws request to an
// https or wss request.
ResolveHost(HostResolverHost host,
NetworkAnonymizationKey network_anonymization_key,
ResolveHostParameters? optional_parameters,
pending_remote<ResolveHostClient> response_client);
// Creates a HostResolver interface that can be passed to code/processes
// without direct access to NetworkContext to make ResolveHost requests.
//
// If set, |config_overrides| will override configuration read from the system
// DNS configuration when resolution is performed using the built-in resolver
// (which can be forced using ResolveHostParameters::source = Source.DNS).
//
// If this NetworkContext is destroyed, all outstanding requests from child
// HostResolvers will be cancelled. Such requests will receive ERR_FAILED via
// |response_client|.
//
// TODO(crbug.com/41375980): If necessary as usage and functionality is added to
// the contained ResolveHost method, consider adding the ability for this to
// be a restricted resolver with some functionality disabled (eg maybe MDNS).
CreateHostResolver(DnsConfigOverrides? config_overrides,
pending_receiver<HostResolver> host_resolver);
// Checks the given certificate against the CertVerifier and CTVerifier. This
// implementation is currently specific for use by Signed Exchange.
VerifyCertForSignedExchange(X509Certificate certificate,
url.mojom.Url url,
string ocsp_response,
string sct_list) => (int32 error_code,
CertVerifyResult cv_result,
bool pkp_bypassed);
// Adds explicitly-specified data as if it was processed from an
// HSTS header. Used by tests and implementation of chrome://net-internals.
AddHSTS(string host, mojo_base.mojom.Time expiry,
bool include_subdomains) => ();
// Returns true if it is known that |host| has requested to always be
// accessed via HTTPS.
IsHSTSActiveForHost(string host) => (bool result);
// Retrieve values from the HSTS state from the associated contexts
// transport security state.
GetHSTSState(string domain)
=> (mojo_base.mojom.DictionaryValue state);
// Sets allowed and blocked origins respectively for the URLLoaderFactory
// consumers to access beyond the same-origin policy. The list is managed per
// each |source_origin|, and each call will flash old set lists for the
// |source_origin|. The passed |patterns| will be set instead. If an empty
// array is given for |allow_patterns| and/or |block_patterns|, the
// |source_origin|'s origin list for each is set to empty respectively.
// TODO(crbug.com/40094155): Eventually, we want to stop using per-context
// access lists, and use only per-factory access lists, or stop managing the
// list in the NetworkService completely.
SetCorsOriginAccessListsForOrigin(
url.mojom.Origin source_origin, array<CorsOriginPattern> allow_patterns,
array<CorsOriginPattern> block_patterns) => ();
// Deletes any dynamic data stored for |host| from the transport
// security state. Returns true iff an entry was deleted.
// See net::TransportSecurityState::DeleteDynamicDataForHost for more detail.
DeleteDynamicDataForHost(string host) => (bool result);
// Sets whether the HTTP auth cache will be split the NetworkAnonymizationKey.
// Only affects server (not proxy) credentials. Whenever the effective value
// is changed, all cached server auth credentials will be cleared.
SetSplitAuthCacheByNetworkAnonymizationKey(
bool split_auth_cache_by_network_anonymization_key);
// Copies the proxy entries of this NetworkContext's auth cache and
// returns a key that can be used by LoadHttpAuthCache to load them into
// another NetworkContext's auth cache. The data referenced by the
// returned key is not associated with this NetworkContext, so will outlast
// its destruction. If there is no corresponding LoadHttpAuthCache call, the
// saved HttpAuthCache data will leak.
//
// TODO(crbug.com/40606065): Return a scoped handle that can automatically
// free the cache when it goes out of scope.
SaveHttpAuthCacheProxyEntries()
=> (mojo_base.mojom.UnguessableToken cache_key);
// Loads auth cache entries previously saved by SaveHttpAuthCacheProxyEntries,
// and copies them into this NetworkContext's HttpAuthCache. This may only be
// called once for each token returned by SaveHttpAuthCacheProxyEntries().
LoadHttpAuthCacheProxyEntries(mojo_base.mojom.UnguessableToken cache_key)
=> ();
// Adds an entry to the HttpAuthCache. `network_anonymization_key` is the
// NetworkAnonymizationKey to restrict the credentials to, and is only
// respected for server (not proxy) HTTP auth and only when the NetworkService
// was configured to split the auth cache by NetworkAnonymizationKey.
// `challenge` may not necessarily contain a stateful challenge that requires
// a persistent connection, allowing the cache to be pre-populated.
AddAuthCacheEntry(AuthChallengeInfo challenge,
NetworkAnonymizationKey network_anonymization_key,
AuthCredentials credentials) => ();
// Sets whether
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name is
// supported in this network context.
SetCorsNonWildcardRequestHeadersSupport(bool value);
// Looks up credentials in the HttpAuthCache using the origin and path from
// |url|. Only supports basic auth scheme. Only looks up server (not proxy)
// auth credentials, and only those that are usable in the scope of
// |network_anonymization_key|.
LookupServerBasicAuthCredentials(url.mojom.Url url,
NetworkAnonymizationKey network_anonymization_key)
=> (AuthCredentials? credentials);
// Looks up the proxy authentication credentials associated with
// |proxy_server|, |auth_scheme| and |realm| in the HttpAuthCache.
// |auth_scheme| is the authentication scheme of the challenge and it's
// specified as a case-insensitive string. Unlike server credentials, proxy
// credentials are not keyed on NetworkAnonymizationKey.
[EnableIf=is_chromeos_ash]
LookupProxyAuthCredentials(ProxyServer proxy_server,
string auth_scheme, string realm)
=> (AuthCredentials? credentials);
[Sync]
// Enables the checking of static PKP records.
EnableStaticKeyPinningForTesting() => ();
// Verifies the given certificate using the context's CertVerifier.
VerifyCertificateForTesting(X509Certificate certificate,
string hostname,
string ocsp_response,
string sct_list) => (int32 error_code);
[Sync]
// Adds a Domain Reliability Context.
AddDomainReliabilityContextForTesting(
url.mojom.Origin origin, url.mojom.Url upload_url) => ();
[Sync]
// Forces all pending Domain Reliability uploads to run now, even if their
// minimum delay has not yet passed.
ForceDomainReliabilityUploadsForTesting() => ();
// Set the SCT auditing mode for this NetworkContext.
[EnableIf=is_ct_supported]
SetSCTAuditingMode(SCTAuditingMode mode);
// Adds an observer that will receive Reporting Service callbacks. Generates
// events for Reporting API reports currently stored in the reporting service.
[EnableIf=enable_reporting]
AddReportingApiObserver(pending_remote<ReportingApiObserver> observer);
// Get the usage information of shared dictionaries.
GetSharedDictionaryUsageInfo()
=> (array<SharedDictionaryUsageInfo> usage_info);
// Get shared dictionaries information for `isolation_key`.
GetSharedDictionaryInfo(SharedDictionaryIsolationKey isolation_key)
=> (array<SharedDictionaryInfo> dictionaries);
// Get a list of origins where shared dictionaries are registered. A specific
// range of time can be specified with `start_time` and `end_time`.
GetSharedDictionaryOriginsBetween(mojo_base.mojom.Time start_time,
mojo_base.mojom.Time end_time)
=> (array<url.mojom.Origin> origins);
// Sets maximum size of the shared dictionary cache.
SetSharedDictionaryCacheMaxSize(uint64 cache_max_size);
// Called when visibility of ResourceSchedulerClient has changed.
// `client_token` identifies which client has changed its visibility.
ResourceSchedulerClientVisibilityChanged(
mojo_base.mojom.UnguessableToken client_token, bool visible);
// Will flush cached client certificate for `host` if `certificate`
// doesn't match the corresponding cached certificate.
FlushCachedClientCertIfNeeded(HostPortPair host, X509Certificate certificate);
// Flushes a cached client certificate preference if `certificate` matches
// the cached certificate.
FlushMatchingCachedClientCert(X509Certificate certificate);
// Sets cookie deprecation label.
SetCookieDeprecationLabel(string? label);
// Clients should revoke network access for nonces using
// `StoragePartitionImpl::RevokeNetworkForNoncesInNetworkContext` instead of
// this function. This is because `RevokeNetworkForNoncesInNetworkContext`
// replicates the nonces so that they can be restored in case of a
// `NetworkService` crash.
// Register that all network requests with nonces in `nonces` as their
// partition nonce should be blocked. Used for fenced frames network
// revocation:
// https://github.com/WICG/fenced-frame/blob/master/explainer/fenced_frames_with_local_unpartitioned_data_access.md#revoking-network-access
// Each fenced frame tree primarily uses one "fenced frame nonce" for
// requests that originate from it, but requests from credentialless iframes
// within the fenced frame tree use a different "credentialless iframes
// nonce". Currently these are the two nonces passed in `nonces`.
RevokeNetworkForNonces(array<mojo_base.mojom.UnguessableToken> nonces) => ();
// Register that network requests operating under the nonce `nonce` whose url
// without filename is `exempted_url` should be exempt from network
// revocation. This can be called before network is revoked for `nonce` with
// `RevokeNetworkForNonce`, and it will store the exemption so that it can
// take effect afterwards.
ExemptUrlFromNetworkRevocationForNonce(
url.mojom.Url exempted_url, mojo_base.mojom.UnguessableToken nonce) => ();
};