Classify UMA data for extension messaging user activation triggering.

Split the UMA entry for extension messaging user activation triggering into four classes, based on whether the script contexts of the sender and the receiver are privileged or not. Bug: 1103249, 1047473 Change-Id: Ib23bf2e9427d2b836cdc21c1cf9ebbd685e27299 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2461251 Commit-Queue: Mustaq Ahmed <mustaq@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Mustaq Ahmed <mustaq@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#817247}

Classify UMA data for extension messaging user activation triggering.
Split the UMA entry for extension messaging user activation triggering into four classes, based on whether the script contexts of the sender and the receiver are privileged or not. Bug: 1103249, 1047473 Change-Id: Ib23bf2e9427d2b836cdc21c1cf9ebbd685e27299 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2461251 Commit-Queue: Mustaq Ahmed <mustaq@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Mustaq Ahmed <mustaq@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#817247}
15f771dc · Mustaq Ahmed · Commit Bot · 3e311f8f · 15f771dc · 15f771dc
Commit 15f771dc authored Oct 14, 2020 by Mustaq Ahmed Committed by Commit Bot Oct 14, 2020
6 changed files
--- a/extensions/common/api/messaging/message.h
+++ b/extensions/common/api/messaging/message.h
@@ -10,13 +10,20 @@ namespace extensions {
 // A message consists of both the data itself as well as a user gesture state.
 struct Message {
  std::string data;
-  bool user_gesture;
+  bool user_gesture = false;
+  bool from_privileged_context = false;

-  Message() : data(), user_gesture(false) {}
-  Message(const std::string& data, bool user_gesture)
-      : data(data), user_gesture(user_gesture) {}
+  Message() = default;
+  Message(const std::string& data,
+          bool user_gesture,
+          bool from_privileged_context = false)
+      : data(data),
+        user_gesture(user_gesture),
+        from_privileged_context(from_privileged_context) {}

  bool operator==(const Message& other) const {
+    // Skipping the equality check for |from_privileged_context| here
+    // because this field is used only for histograms.
    return data == other.data && user_gesture == other.user_gesture;
  }
 };

--- a/extensions/renderer/messaging_util.cc
+++ b/extensions/renderer/messaging_util.cc
@@ -81,14 +81,18 @@ std::unique_ptr<Message> MessageFromV8(v8::Local<v8::Context> context,
  ScriptContext* script_context = GetScriptContextFromV8Context(context);
  blink::WebLocalFrame* web_frame =
      script_context ? script_context->web_frame() : nullptr;
-  return MessageFromJSONString(isolate, stringified, error_out, web_frame);
+  bool privileged_context =
+      script_context && script_context->context_type() ==
+                            extensions::Feature::BLESSED_EXTENSION_CONTEXT;
+  return MessageFromJSONString(isolate, stringified, error_out, web_frame,
+                               privileged_context);
 }

-std::unique_ptr<Message> MessageFromJSONString(
-    v8::Isolate* isolate,
-    v8::Local<v8::String> json,
-    std::string* error_out,
-    blink::WebLocalFrame* web_frame) {
+std::unique_ptr<Message> MessageFromJSONString(v8::Isolate* isolate,
+                                               v8::Local<v8::String> json,
+                                               std::string* error_out,
+                                               blink::WebLocalFrame* web_frame,
+                                               bool privileged_context) {
  std::string message;
  message = gin::V8ToString(isolate, json);
  // JSON.stringify can fail to produce a string value in one of two ways: it
@@ -122,7 +126,8 @@ std::unique_ptr<Message> MessageFromJSONString(

  bool has_transient_user_activation =
      web_frame ? web_frame->HasTransientUserActivation() : false;
-  return std::make_unique<Message>(message, has_transient_user_activation);
+  return std::make_unique<Message>(message, has_transient_user_activation,
+                                   privileged_context);
 }

 v8::Local<v8::Value> MessageToV8(v8::Local<v8::Context> context,

--- a/extensions/renderer/messaging_util.h
+++ b/extensions/renderer/messaging_util.h
@@ -44,7 +44,8 @@ std::unique_ptr<Message> MessageFromV8(v8::Local<v8::Context> context,
 std::unique_ptr<Message> MessageFromJSONString(v8::Isolate* isolate,
                                               v8::Local<v8::String> json,
                                               std::string* error,
-                                               blink::WebLocalFrame* web_frame);
+                                               blink::WebLocalFrame* web_frame,
+                                               bool privileged_context);

 // Converts a message to a v8 value. This is expected not to fail, since it
 // should only be used for messages that have been validated.

--- a/extensions/renderer/native_renderer_messaging_service.cc
+++ b/extensions/renderer/native_renderer_messaging_service.cc
@@ -20,6 +20,7 @@
 #include "extensions/common/api/messaging/messaging_endpoint.h"
 #include "extensions/common/api/messaging/port_id.h"
 #include "extensions/common/extension_messages.h"
+#include "extensions/common/features/feature.h"
 #include "extensions/common/manifest_handlers/externally_connectable.h"
 #include "extensions/renderer/api_activity_logger.h"
 #include "extensions/renderer/bindings/api_binding_util.h"
@@ -41,6 +42,8 @@
 #include "third_party/blink/public/web/web_scoped_window_focus_allowed_indicator.h"
 #include "v8/include/v8.h"

+using blink::mojom::UserActivationNotificationType;
+
 namespace extensions {

 namespace {
@@ -317,9 +320,26 @@ void NativeRendererMessagingService::DeliverMessageToScriptContext(
  std::unique_ptr<blink::WebScopedWindowFocusAllowedIndicator>
      allow_window_focus;
  if (message.user_gesture && script_context->web_frame()) {
-    // TODO(mustaq): Split this further for trusted/untrusted cases.
-    script_context->web_frame()->NotifyUserActivation(
-        blink::mojom::UserActivationNotificationType::kExtensionMessaging);
+    bool sender_is_privileged = message.from_privileged_context;
+    bool receiver_is_privileged =
+        script_context->context_type() ==
+        extensions::Feature::BLESSED_EXTENSION_CONTEXT;
+    UserActivationNotificationType notification_type;
+    if (sender_is_privileged && receiver_is_privileged) {
+      notification_type =
+          UserActivationNotificationType::kExtensionMessagingBothPrivileged;
+    } else if (sender_is_privileged && !receiver_is_privileged) {
+      notification_type =
+          UserActivationNotificationType::kExtensionMessagingSenderPrivileged;
+    } else if (!sender_is_privileged && receiver_is_privileged) {
+      notification_type =
+          UserActivationNotificationType::kExtensionMessagingReceiverPrivileged;
+    } else /* !sender_is_privileged && !receiver_is_privileged */ {
+      notification_type =
+          UserActivationNotificationType::kExtensionMessagingNeitherPrivileged;
+    }
+
+    script_context->web_frame()->NotifyUserActivation(notification_type);

    blink::WebDocument document = script_context->web_frame()->GetDocument();
    allow_window_focus =

--- a/third_party/blink/public/mojom/frame/user_activation_notification_type.mojom
+++ b/third_party/blink/public/mojom/frame/user_activation_notification_type.mojom
@@ -24,7 +24,9 @@ enum UserActivationNotificationType {
  // An extension API caused the notification call through GuestView.
  kExtensionGuestView,

-  // An extension messaging API caused the notification call.
+  // An extension messaging API caused the notification call.  This enum value
+  // is deprecated by more specific enums kExtensionMessaging* below, we are
+  // preserving this enum value only for UMA consistency.
  kExtensionMessaging,

  // A media API caused the notification call.
@@ -47,5 +49,24 @@ enum UserActivationNotificationType {
  kWebScriptExec,

  // Android voice search API caused the notification call.
-  kVoiceSearch
+  kVoiceSearch,
+
+  // An extension messaging API caused the notification call, where the script
+  // contexts of both the sender and the receiver of the message are privileged.
+  kExtensionMessagingBothPrivileged,
+
+  // An extension messaging API caused the notification call, where the script
+  // context of only the sender (and not the receiver) of the message is
+  // privileged.
+  kExtensionMessagingSenderPrivileged,
+
+  // An extension messaging API caused the notification call, where the script
+  // context of only the receiver (and not the sender) of the message is
+  // privileged.
+  kExtensionMessagingReceiverPrivileged,
+
+  // An extension messaging API caused the notification call, where the script
+  // context of neither the sender nor the receiver of the message is
+  // privileged.
+  kExtensionMessagingNeitherPrivileged
 };
--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -73450,6 +73450,10 @@ Full version information for the fingerprint enum values:
  <int value="9" label="kTest"/>
  <int value="10" label="kWebScriptExec"/>
  <int value="11" label="kVoiceSearch"/>
+  <int value="12" label="kExtensionMessagingBothPrivileged"/>
+  <int value="13" label="kExtensionMessagingSenderPrivileged"/>
+  <int value="14" label="kExtensionMessagingReceiverPrivileged"/>
+  <int value="15" label="kExtensionMessagingNeitherPrivileged"/>
 </enum>

 <enum name="UserCertContentDisposition">