Skip to content

GitLab

T
tangled
Switch branch/tag
Find file BlameHistoryPermalink
  • David Van Cleve's avatar
    Trust Tokens: Add origin trial configuration · fc3f8e13
    David Van Cleve authored 
    This change makes Trust Tokens configurable in two origin trial modes:
- "Standard": issuance requires the "TrustTokens" origin trial
(runtime_enabled_feature.json5) be active; redemption and signing don't
- "Third party": all three operations require the trial be active

This fairly complex configuration is motivated by the fact that we don't
know whether we'll be running a standard origin trial or a third party
origin trial [1], as the code for the latter has landed but not
launched, so we need to be able to decide dynamically.

This is implemented by gating all three Trust Tokens operations behind
the same RuntimeEnabledFeature [2] and having a runtime check for the
presence of the origin trial during issuance:
- in "standard" mode, the RuntimeEnabledFeature is always on (so long
as the corresponding base::Feature is; see below), so all three
operations are always available, but issuance will fail in contexts
without configured origin trial tokens;
- in "third party" mode, the RuntimeEnabledFeature is left off even if
the base::Feature is enabled: the Origin Trials framework will enable
it, activating all operations, if there is an origin trial token.

In both modes, we unconditionally require that the kTrustTokens
base::Feature be enabled in order to execute any of the operations: if
it's disabled, the Blink RuntimeEnabledFeature will start disabled and,
additionally, the origin trial will not be permitted to activate
(because of the new logic in OriginTrialContext).

I wrote up a slightly longer description of the constraints and the
implementation rationale: https://bit.ly/configuring-trust-tokens

[1]:
https://docs.google.com/document/u/1/d/1xALH9W7rWmX0FpjudhDeS2TNTEOXuPn4Tlc9VmuPdHA/edit
[2]: The entry point for each operation is identical (e.g. you use
the trustToken argument to RequestInit whether it's an issuance,
redemption, or signing operation), so it's not possible to vary the
"enabled or not" decision at an IDL level depending on the operation.

Fixed: 1081739
Change-Id: I1e63f2c12a1e2a158011fa5e95676b48f36e38dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2199910
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Reviewed-by: default avatarJeremy Roman <jbroman@chromium.org>
Reviewed-by: default avatarMatt Menke <mmenke@chromium.org>
Reviewed-by: default avatarCharlie Harrison <csharrison@chromium.org>
Reviewed-by: default avatarJason Chase <chasej@chromium.org>
Cr-Commit-Position: refs/heads/master@{#770811}
    fc3f8e13
trust_token_browsertest.cc 10.9 KB