Add NetworkIsolationKey support to renderer-initiated preconnects.

Bug: 966896 Change-Id: Id119c1ad1f8ca675b77a4525ba6655d978bb980b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1713306Reviewed-by: Philip Jägenstedt <foolip@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Alex Ilin <alexilin@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Shivani Sharma <shivanisha@chromium.org> Commit-Queue: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#682675}

Add NetworkIsolationKey support to renderer-initiated preconnects.
Bug: 966896 Change-Id: Id119c1ad1f8ca675b77a4525ba6655d978bb980b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1713306Reviewed-by: Philip Jägenstedt <foolip@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Alex Ilin <alexilin@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Shivani Sharma <shivanisha@chromium.org> Commit-Queue: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#682675}
43960693 · Matt Menke · Commit Bot · 036f59e2 · 43960693 · 43960693
Commit 43960693 authored Jul 31, 2019 by Matt Menke Committed by Commit Bot Jul 31, 2019
16 changed files
--- a/chrome/browser/predictors/loading_predictor_browsertest.cc
+++ b/chrome/browser/predictors/loading_predictor_browsertest.cc
--- a/chrome/browser/renderer_host/chrome_render_message_filter.cc
+++ b/chrome/browser/renderer_host/chrome_render_message_filter.cc
@@ -30,7 +30,9 @@
 #include "components/web_cache/browser/web_cache_manager.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/browser/notification_service.h"
+#include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
+#include "content/public/browser/web_contents.h"
 #include "extensions/buildflags/buildflags.h"
 #include "net/base/network_isolation_key.h"
 #include "ppapi/buildflags/buildflags.h"
@@ -49,6 +51,34 @@ const uint32_t kRenderFilteredMessageClasses[] = {
    ChromeMsgStart, NetworkHintsMsgStart,
 };

+void StartPreconnect(
+    base::WeakPtr<predictors::PreconnectManager> preconnect_manager,
+    int render_process_id,
+    int render_frame_id,
+    const GURL& url,
+    bool allow_credentials) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  if (!preconnect_manager)
+    return;
+
+  content::RenderFrameHost* render_frame_host =
+      content::RenderFrameHost::FromID(render_process_id, render_frame_id);
+  if (!render_frame_host)
+    return;
+
+  content::WebContents* web_contents =
+      content::WebContents::FromRenderFrameHost(render_frame_host);
+  if (!web_contents)
+    return;
+
+  net::NetworkIsolationKey network_isolation_key(
+      web_contents->GetMainFrame()->GetLastCommittedOrigin(),
+      render_frame_host->GetLastCommittedOrigin());
+  preconnect_manager->StartPreconnectUrl(url, allow_credentials,
+                                         network_isolation_key);
+}
+
 }  // namespace

 ChromeRenderMessageFilter::ChromeRenderMessageFilter(int render_process_id,
@@ -117,7 +147,8 @@ void ChromeRenderMessageFilter::OnDnsPrefetch(
  }
 }

-void ChromeRenderMessageFilter::OnPreconnect(const GURL& url,
+void ChromeRenderMessageFilter::OnPreconnect(int render_frame_id,
+                                             const GURL& url,
                                             bool allow_credentials,
                                             int count) {
  if (count < 1) {
@@ -134,14 +165,12 @@ void ChromeRenderMessageFilter::OnPreconnect(const GURL& url,
  if (!preconnect_manager_initialized_)
    return;

-  // TODO(mmenke):  Use process and frame ids to populate NetworkIsolationKey.
-  // May also need to think about enabling cross-site preconnects, though that
+  // TODO(mmenke):  Think about enabling cross-site preconnects, though that
  // will result in at least some cross-site information leakage.
  base::PostTaskWithTraits(
      FROM_HERE, {BrowserThread::UI},
-      base::BindOnce(&predictors::PreconnectManager::StartPreconnectUrl,
-                     preconnect_manager_, url, allow_credentials,
-                     net::NetworkIsolationKey()));
+      base::BindOnce(&StartPreconnect, preconnect_manager_, render_process_id_,
+                     render_frame_id, url, allow_credentials));
 }

 void ChromeRenderMessageFilter::OnAllowDatabase(

--- a/chrome/browser/renderer_host/chrome_render_message_filter.h
+++ b/chrome/browser/renderer_host/chrome_render_message_filter.h
@@ -49,7 +49,10 @@ class ChromeRenderMessageFilter : public content::BrowserMessageFilter {
  ~ChromeRenderMessageFilter() override;

  void OnDnsPrefetch(const network_hints::LookupRequest& request);
-  void OnPreconnect(const GURL& url, bool allow_credentials, int count);
+  void OnPreconnect(int render_frame_id,
+                    const GURL& url,
+                    bool allow_credentials,
+                    int count);

  void OnAllowDatabase(int render_frame_id,
                       const GURL& origin_url,

--- a/chrome/test/data/predictors/two_iframes.html
+++ b/chrome/test/data/predictors/two_iframes.html
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Page with two iframes on different origins</title>
+  </head>
+  <body>
+    <iframe src="/echo"></iframe>
+    <iframe src="http://host2.test:REPLACE_WITH_PORT/"></iframe>
+  </body>
+</html>
--- a/components/network_hints/common/OWNERS
+++ b/components/network_hints/common/OWNERS
-per-file *_messages.h=set noparent
-per-file *_messages.h=file://ipc/SECURITY_OWNERS
+per-file *_messages*.h=set noparent
+per-file *_messages*.h=file://ipc/SECURITY_OWNERS
 per-file *_messages.cc=set noparent
 per-file *_messages.cc=file://ipc/SECURITY_OWNERS
--- a/components/network_hints/common/network_hints_messages.h
+++ b/components/network_hints/common/network_hints_messages.h
@@ -2,7 +2,10 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Multiply-included file, no traditional include guard.
+// Silence presubmit and Tricium warnings about include guards
+// no-include-guard-because-multiply-included
+// NOLINT(build/header_guard)
+
 #include <string>
 #include <vector>

@@ -44,7 +47,8 @@ IPC_MESSAGE_CONTROL1(NetworkHintsMsg_DNSPrefetch,


 // Request for preconnect to host providing resource specified by URL
-IPC_MESSAGE_CONTROL3(NetworkHintsMsg_Preconnect,
+IPC_MESSAGE_CONTROL4(NetworkHintsMsg_Preconnect,
+                     int /* render_frame_id */,
                     GURL /* preconnect target url */,
                     bool /* Does connection have its credentials flag set */,
                     int /* number of connections */)
--- a/components/network_hints/renderer/prescient_networking_dispatcher.cc
+++ b/components/network_hints/renderer/prescient_networking_dispatcher.cc
@@ -24,10 +24,12 @@ void PrescientNetworkingDispatcher::PrefetchDNS(
  dns_prefetch_.Resolve(hostname_utf8.data(), hostname_utf8.length());
 }

-void PrescientNetworkingDispatcher::Preconnect(const blink::WebURL& url,
+void PrescientNetworkingDispatcher::Preconnect(
+    blink::WebLocalFrame* web_local_frame,
+    const blink::WebURL& url,
    bool allow_credentials) {
  VLOG(2) << "Preconnect: " << url.GetString().Utf8();
-  preconnect_.Preconnect(url, allow_credentials);
+  preconnect_.Preconnect(web_local_frame, url, allow_credentials);
 }

 }  // namespace network_hints
--- a/components/network_hints/renderer/prescient_networking_dispatcher.h
+++ b/components/network_hints/renderer/prescient_networking_dispatcher.h
@@ -10,6 +10,10 @@
 #include "components/network_hints/renderer/renderer_preconnect.h"
 #include "third_party/blink/public/platform/web_prescient_networking.h"

+namespace blink {
+class WebLocalFrame;
+}
+
 namespace network_hints {

 // The main entry point from blink for sending DNS prefetch requests to the
@@ -20,7 +24,8 @@ class PrescientNetworkingDispatcher : public blink::WebPrescientNetworking {
  ~PrescientNetworkingDispatcher() override;

  void PrefetchDNS(const blink::WebString& hostname) override;
-  void Preconnect(const blink::WebURL& url,
+  void Preconnect(blink::WebLocalFrame* web_local_frame,
+                  const blink::WebURL& url,
                  const bool allow_credentials) override;

 private:

--- a/components/network_hints/renderer/renderer_preconnect.cc
+++ b/components/network_hints/renderer/renderer_preconnect.cc
@@ -8,6 +8,7 @@

 #include "components/network_hints/common/network_hints_common.h"
 #include "components/network_hints/common/network_hints_messages.h"
+#include "content/public/renderer/render_frame.h"
 #include "content/public/renderer/render_thread.h"

 using content::RenderThread;
@@ -20,12 +21,15 @@ RendererPreconnect::RendererPreconnect() {
 RendererPreconnect::~RendererPreconnect() {
 }

-void RendererPreconnect::Preconnect(const GURL& url, bool allow_credentials) {
-  if (!url.is_valid())
+void RendererPreconnect::Preconnect(blink::WebLocalFrame* web_local_frame,
+                                    const GURL& url,
+                                    bool allow_credentials) {
+  if (!url.is_valid() || !web_local_frame)
    return;

-  RenderThread::Get()->Send(
-      new NetworkHintsMsg_Preconnect(url, allow_credentials, 1));
+  RenderThread::Get()->Send(new NetworkHintsMsg_Preconnect(
+      content::RenderFrame::FromWebFrame(web_local_frame)->GetRoutingID(), url,
+      allow_credentials, 1));
 }

 }  // namespace network_hints
--- a/components/network_hints/renderer/renderer_preconnect.h
+++ b/components/network_hints/renderer/renderer_preconnect.h
@@ -20,6 +20,10 @@
 #include "base/macros.h"
 #include "url/gurl.h"

+namespace blink {
+class WebLocalFrame;
+}
+
 namespace network_hints {

 // An internal interface to the network_hints component for efficiently sending
@@ -30,7 +34,9 @@ class RendererPreconnect {
  ~RendererPreconnect();

  // Submit a preconnect request for a single connection.
-  void Preconnect(const GURL& url, bool allow_credentials);
+  void Preconnect(blink::WebLocalFrame* web_local_frame,
+                  const GURL& url,
+                  bool allow_credentials);

 private:


--- a/third_party/blink/public/platform/web_prescient_networking.h
+++ b/third_party/blink/public/platform/web_prescient_networking.h
@@ -31,12 +31,13 @@
 #ifndef THIRD_PARTY_BLINK_PUBLIC_PLATFORM_WEB_PRESCIENT_NETWORKING_H_
 #define THIRD_PARTY_BLINK_PUBLIC_PLATFORM_WEB_PRESCIENT_NETWORKING_H_

-#include "third_party/blink/public/platform/web_common.h"
 #include "third_party/blink/public/platform/web_string.h"
 #include "third_party/blink/public/platform/web_url.h"

 namespace blink {

+class WebLocalFrame;
+
 class WebPrescientNetworking {
 public:
  virtual ~WebPrescientNetworking() = default;
@@ -45,7 +46,9 @@ class WebPrescientNetworking {
  // the host resolution latency.
  virtual void PrefetchDNS(const WebString& hostname) {}

-  virtual void Preconnect(const WebURL& url, const bool allow_credentials) {}
+  virtual void Preconnect(blink::WebLocalFrame* web_local_frame,
+                          const WebURL& url,
+                          const bool allow_credentials) {}
 };

 }  // namespace blink

--- a/third_party/blink/renderer/core/html/parser/html_preload_scanner_document_test.cc
+++ b/third_party/blink/renderer/core/html/parser/html_preload_scanner_document_test.cc
@@ -18,7 +18,7 @@ class MockPrescientNetworking : public WebPrescientNetworking {
 private:
  void PrefetchDNS(const WebString&) override { did_dns_prefetch_ = true; }

-  void Preconnect(const WebURL&, const bool) override {
+  void Preconnect(WebLocalFrame*, const WebURL&, const bool) override {
    did_preconnect_ = true;
  }


--- a/third_party/blink/renderer/core/html/parser/html_resource_preloader.cc
+++ b/third_party/blink/renderer/core/html/parser/html_resource_preloader.cc
@@ -35,6 +35,7 @@
 #include "third_party/blink/renderer/core/dom/document.h"
 #include "third_party/blink/renderer/core/frame/deprecation.h"
 #include "third_party/blink/renderer/core/frame/settings.h"
+#include "third_party/blink/renderer/core/frame/web_local_frame_impl.h"
 #include "third_party/blink/renderer/core/loader/document_loader.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h"
@@ -48,7 +49,7 @@ void HTMLResourcePreloader::Trace(Visitor* visitor) {
  visitor->Trace(document_);
 }

-static void PreconnectHost(PreloadRequest* request) {
+static void PreconnectHost(LocalFrame* local_frame, PreloadRequest* request) {
  DCHECK(request);
  DCHECK(request->IsPreconnect());
  KURL host(request->BaseURL(), request->ResourceURL());
@@ -58,13 +59,14 @@ static void PreconnectHost(PreloadRequest* request) {
      Platform::Current()->PrescientNetworking();
  if (web_prescient_networking) {
    web_prescient_networking->Preconnect(
-        host, request->CrossOrigin() != kCrossOriginAttributeAnonymous);
+        WebLocalFrameImpl::FromFrame(local_frame), host,
+        request->CrossOrigin() != kCrossOriginAttributeAnonymous);
  }
 }

 void HTMLResourcePreloader::Preload(std::unique_ptr<PreloadRequest> preload) {
  if (preload->IsPreconnect()) {
-    PreconnectHost(preload.get());
+    PreconnectHost(document_->GetFrame(), preload.get());
    return;
  }


--- a/third_party/blink/renderer/core/html/parser/html_resource_preloader_test.cc
+++ b/third_party/blink/renderer/core/html/parser/html_resource_preloader_test.cc
@@ -25,7 +25,9 @@ class PreloaderNetworkHintsMock : public WebPrescientNetworking {
  PreloaderNetworkHintsMock() : did_preconnect_(false) {}

  void PrefetchDNS(const WebString& hostname) override {}
-  void Preconnect(const WebURL& url, const bool allow_credentials) override {
+  void Preconnect(WebLocalFrame* web_local_frame,
+                  const WebURL& url,
+                  const bool allow_credentials) override {
    did_preconnect_ = true;
    is_https_ = url.ProtocolIs("https");
    allow_credentials_ = allow_credentials;

--- a/third_party/blink/renderer/core/loader/link_loader_test.cc
+++ b/third_party/blink/renderer/core/loader/link_loader_test.cc
@@ -74,7 +74,9 @@ class NetworkHintsMock : public WebPrescientNetworking {
  void PrefetchDNS(const WebString& hostname) override {
    did_dns_prefetch_ = true;
  }
-  void Preconnect(const WebURL& url, const bool allow_credentials) override {
+  void Preconnect(WebLocalFrame* web_local_frame,
+                  const WebURL& url,
+                  const bool allow_credentials) override {
    did_preconnect_ = true;
    is_https_ = url.ProtocolIs("https");
    allow_credentials_ = allow_credentials;

--- a/third_party/blink/renderer/core/loader/preload_helper.cc
+++ b/third_party/blink/renderer/core/loader/preload_helper.cc
@@ -17,6 +17,7 @@
 #include "third_party/blink/renderer/core/frame/navigator.h"
 #include "third_party/blink/renderer/core/frame/settings.h"
 #include "third_party/blink/renderer/core/frame/viewport_data.h"
+#include "third_party/blink/renderer/core/frame/web_local_frame_impl.h"
 #include "third_party/blink/renderer/core/html/parser/html_preload_scanner.h"
 #include "third_party/blink/renderer/core/html/parser/html_srcset_parser.h"
 #include "third_party/blink/renderer/core/inspector/console_message.h"
@@ -188,7 +189,8 @@ void PreloadHelper::PreconnectIfNeeded(
        Platform::Current()->PrescientNetworking();
    if (web_prescient_networking) {
      web_prescient_networking->Preconnect(
-          params.href, params.cross_origin != kCrossOriginAttributeAnonymous);
+          WebLocalFrameImpl::FromFrame(frame), params.href,
+          params.cross_origin != kCrossOriginAttributeAnonymous);
    }
  }
 }