[Web Payment] Hosting manifest at payment method identifier URL.

Before this patch, the payment method manifest had to be hosted at a location that is pointed to from the payment method identifier URL via the HTTP Link rel=payment-method-manifest header. This complicated testing in Chrome and prevented hosting payment method manifests on popular hosting services, such as GitHub pages. This patch falls back to returning the content of the page if it does not have HTTP Link rel=payment-method-manifest header or that header is not valid. The downloader uses HTTP GET instead of HTTP HEAD for the payment method manifest, since the response body has to be considered. An empty response body now generates an error earlier: in the downloader instead of parser, because the parser always rejected empty input. After this patch, it's possible to host the payment method manifest directly at the URL of the payment method identifier, which makes testing Chrome and developing payment apps easier. Bug: 1035147 Change-Id: Id07c9023bac222ed45eecb8df91108f4df51e356 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2113735Reviewed-by: Danyao Wang <danyao@chromium.org> Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org> Cr-Commit-Position: refs/heads/master@{#753569}

[Web Payment] Hosting manifest at payment method identifier URL.
Before this patch, the payment method manifest had to be hosted at a location that is pointed to from the payment method identifier URL via the HTTP Link rel=payment-method-manifest header. This complicated testing in Chrome and prevented hosting payment method manifests on popular hosting services, such as GitHub pages. This patch falls back to returning the content of the page if it does not have HTTP Link rel=payment-method-manifest header or that header is not valid. The downloader uses HTTP GET instead of HTTP HEAD for the payment method manifest, since the response body has to be considered. An empty response body now generates an error earlier: in the downloader instead of parser, because the parser always rejected empty input. After this patch, it's possible to host the payment method manifest directly at the URL of the payment method identifier, which makes testing Chrome and developing payment apps easier. Bug: 1035147 Change-Id: Id07c9023bac222ed45eecb8df91108f4df51e356 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2113735Reviewed-by: Danyao Wang <danyao@chromium.org> Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org> Cr-Commit-Position: refs/heads/master@{#753569}
4ab8845f · Rouslan Solomakhin · Commit Bot · faf7d2bb · 4ab8845f · 4ab8845f
Commit 4ab8845f authored Mar 26, 2020 by Rouslan Solomakhin Committed by Commit Bot Mar 26, 2020
9 changed files
--- a/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentManifestDownloaderTest.java
+++ b/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentManifestDownloaderTest.java
@@ -191,9 +191,8 @@ public class PaymentManifestDownloaderTest implements ManifestDownloadCallback {
        Assert.assertTrue(
                "Payment method manifest should have not have been downloaded.", mDownloadFailure);
-        Assert.assertEquals("Unable to make a HEAD request to \"" + uri.toString()
+        Assert.assertEquals(
-                        + "\" for payment method manifest.",
+                "Unable to download payment manifest \"" + uri.toString() + "\".", mErrorMessage);
-                mErrorMessage);
    }
    @Test

--- a/chrome/browser/payments/manifest_verifier_browsertest.cc
+++ b/chrome/browser/payments/manifest_verifier_browsertest.cc
@@ -533,8 +533,8 @@ IN_PROC_BROWSER_TEST_F(ManifestVerifierBrowserTest, ThreeTypesOfMethods) {
 IN_PROC_BROWSER_TEST_F(ManifestVerifierBrowserTest,
                       SinglePaymentMethodName404) {
  std::string expected_pattern =
-      "Unable to make a HEAD request to "
+      "Unable to download payment manifest "
-      "\"https://127.0.0.1:\\d+/404.test/webpay\" for payment method manifest.";
+      "\"https://127.0.0.1:\\d+/404.test/webpay\".";
  {
    content::PaymentAppProvider::PaymentApps apps;
    apps[0] = std::make_unique<content::StoredPaymentApp>();
@@ -572,9 +572,8 @@ IN_PROC_BROWSER_TEST_F(ManifestVerifierBrowserTest,
 IN_PROC_BROWSER_TEST_F(ManifestVerifierBrowserTest,
                       MultiplePaymentMethodName404) {
  std::string expected_pattern =
-      "Unable to make a HEAD request to "
+      "Unable to download payment manifest "
-      "\"https://127.0.0.1:\\d+/404(aswell)?.test/webpay\" for payment method "
+      "\"https://127.0.0.1:\\d+/404(aswell)?.test/webpay\".";
-      "manifest.";
  {
    content::PaymentAppProvider::PaymentApps apps;
    apps[0] = std::make_unique<content::StoredPaymentApp>();

--- a/components/payments/core/native_error_strings.cc
+++ b/components/payments/core/native_error_strings.cc
@@ -53,9 +53,6 @@ const char kCrossOriginWebAppManifestNotAllowed[] =
 const char kDetailedInvalidSslCertificateMessageFormat[] =
    "SSL certificate is not valid. Security level: $.";
-const char kHttpHeadRequestFailed[] =
-    "Unable to make a HEAD request to \"$1\" for payment method manifest.";
 const char kHttpStatusCodeNotAllowed[] =
    "HTTP status code $1 \"$2\" not allowed for payment method manifest "
    "\"$3\".";
@@ -89,9 +86,6 @@ const char kMissingMethodNameFromPaymentApp[] =
 const char kMultiplePaymentMethodsNotSupportedFormat[] =
    "The payment methods $ are not supported.";
-const char kNoLinkRelPaymentMethodManifestHttpHeader[] =
-    "No \"Link: rel=payment-method-manifest\" HTTP header found at \"$1\".";
 const char kNoResponseToPaymentEvent[] =
    "Payment handler did not respond to \"paymentrequest\" event.";
@@ -220,5 +214,12 @@ const char kCanMakePaymentEventNoExplicitlyVerifiedMethods[] =
 const char kGenericPaymentMethodNotSupportedMessage[] =
    "Payment method not supported.";
+const char kNoContentAndNoLinkHeader[] =
+    "No content and no \"Link: rel=payment-method-manifest\" HTTP header found "
+    "at \"$1\".";
+const char kNoContentInPaymentManifest[] =
+    "No content found in payment manifest \"$1\".";
 }  // namespace errors
 }  // namespace payments
--- a/components/payments/core/native_error_strings.h
+++ b/components/payments/core/native_error_strings.h
@@ -71,10 +71,6 @@ extern const char kCrossOriginWebAppManifestNotAllowed[];
 // to replace.
 extern const char kDetailedInvalidSslCertificateMessageFormat[];
-// Used when a HEAD request for URL A fails. This format should be used with
-// base::ReplaceStringPlaceholders(fmt, {A}, nullptr).
-extern const char kHttpHeadRequestFailed[];
 // Used for HTTP redirects that are prohibited for payment method manifests.
 // This format should be used with base::ReplaceStringPlaceholders(fmt,
 // {http_code, http_code_phrase, original_url}, nullptr).
@@ -117,11 +113,6 @@ extern const char kMissingMethodNameFromPaymentApp[];
 // where "$" is the character to replace.
 extern const char kMultiplePaymentMethodsNotSupportedFormat[];
-// Used when the payment method URL A does not have a "Link:
-// rel=payment-method-manifest" HTTP header. This format should be used with
-// base::ReplaceStringPlaceholders(fmt, {A}, nullptr).
-extern const char kNoLinkRelPaymentMethodManifestHttpHeader[];
 // Payment handler did not respond to the "paymentrequest" event.
 extern const char kNoResponseToPaymentEvent[];
@@ -250,6 +241,14 @@ extern const char kCanMakePaymentEventNoExplicitlyVerifiedMethods[];
 // A message about unsupported payment method.
 extern const char kGenericPaymentMethodNotSupportedMessage[];
+// Used for errors downloading the payment method manifest. This format should
+// be used with base::ReplaceStringPlaceholders(fmt, {A}, nullptr).
+extern const char kNoContentAndNoLinkHeader[];
+// User when the downloaded payment manifest A is empty. This format should be
+// used with base::ReplaceStringPlaceholders(fmt, {A}, nullptr).
+extern const char kNoContentInPaymentManifest[];
 }  // namespace errors
 }  // namespace payments

--- a/components/payments/core/payment_manifest_downloader.cc
+++ b/components/payments/core/payment_manifest_downloader.cc
--- a/components/payments/core/payment_manifest_downloader.h
+++ b/components/payments/core/payment_manifest_downloader.h
@@ -37,19 +37,24 @@ class ErrorLogger;
 //
 // Download failure results in empty contents. Failure to download the manifest
 // can happen because of the following reasons:
-//  - HTTP response code is not 200. (204 is also allowed for HEAD request.)
+//  - HTTP response code is not 200. (204 is also allowed for payment method
-//  - HTTP GET on the manifest URL returns empty content.
+//    manifest.)
 //
 // In the case of a payment method manifest download, can also fail when:
 //  - More than three redirects.
 //  - Cross-site redirects.
-//  - HTTP response headers are absent.
+//  - HTTP GET on the manifest URL returns empty content and:
-//  - HTTP response headers do not contain Link headers.
+//      - HTTP response headers are absent.
-//  - Link header does not contain rel="payment-method-manifest".
+//      - HTTP response headers do not contain Link headers.
-//  - Link header does not contain a valid URL of the same origin.
+//      - Link header does not contain rel="payment-method-manifest".
+//      - Link header does not contain a valid URL of the same origin.
+//  - After following the Link header:
+//      - There's a redirect.
+//      - HTTP GET returns empty content.
 //
 // In the case of a web app manifest download, can also also fail when:
 //  - There's a redirect.
+//  - HTTP GET on the manifest URL returns empty content.
 using PaymentManifestDownloadCallback =
    base::OnceCallback<void(const GURL& url,
                            const std::string& contents,
@@ -59,9 +64,9 @@ using PaymentManifestDownloadCallback =
 // payment method name that is a URL with HTTPS scheme, e.g.,
 // https://bobpay.com.
 //
-// The downloader follows up to three redirects for the HEAD request only (used
+// The downloader follows up to three redirects for the payment method manifest
-// for payment method manifests). Three is enough for known legitimate use cases
+// request only. Three is enough for known legitimate use cases and seems like a
-// and seems like a good upper bound.
+// good upper bound.
 //
 // The command line must be initialized to use this class in tests, because it
 // checks for --unsafely-treat-insecure-origin-as-secure=<origin> flag. For
@@ -75,24 +80,20 @@ class PaymentManifestDownloader {
  virtual ~PaymentManifestDownloader();
-  // Download a payment method manifest from |url| via two consecutive HTTP
+  // Download a payment method manifest from |url| via a GET. The HTTP response
-  // requests:
+  // header is parsed for Link header. If there is no Link header, then the body
-  //
+  // is returned. If there's a Link header, then it is followed exactly once.
-  // 1) HEAD request for the payment method name |url|. The HTTP response header
+  // Example header:
-  //    is parsed for Link header that points to the location of the payment
-  //    method manifest file. Example of a relative location:
  //
  //      Link: <data/payment-manifest.json>; rel="payment-method-manifest"
  //
-  //    (This is relative to the payment method URL.) Example of an absolute
+  // (This is relative to the payment method URL.) Example of an absolute
-  //    location:
+  // location:
  //
  //      Link: <https://bobpay.com/data/payment-manifest.json>;
  //      rel="payment-method-manifest"
  //
-  //    The absolute location must use HTTPS scheme.
+  // The absolute location must use HTTPS scheme.
-  //
-  // 2) GET request for the payment method manifest file.
  //
  // |merchant_origin| should be the origin of the iframe that created the
  // PaymentRequest object. It is used by security features like
@@ -129,11 +130,16 @@ class PaymentManifestDownloader {
  // Information about an ongoing download request.
  struct Download {
+    enum class Type {
+      RESPONSE_BODY_OR_LINK_HEADER,
+      RESPONSE_BODY,
+    };
    Download();
    ~Download();
    int allowed_number_of_redirects = 0;
-    std::string method;
+    Type type = Type::RESPONSE_BODY;
    url::Origin request_initiator;
    GURL original_url;
    std::unique_ptr<network::SimpleURLLoader> loader;
@@ -167,7 +173,7 @@ class PaymentManifestDownloader {
  // Overridden in TestDownloader.
  virtual void InitiateDownload(const url::Origin& request_initiator,
                                const GURL& url,
-                                const std::string& method,
+                                Download::Type download_type,
                                int allowed_number_of_redirects,
                                PaymentManifestDownloadCallback callback);

--- a/components/payments/core/payment_manifest_downloader_unittest.cc
+++ b/components/payments/core/payment_manifest_downloader_unittest.cc
--- a/components/payments/core/test_payment_manifest_downloader.cc
+++ b/components/payments/core/test_payment_manifest_downloader.cc
@@ -29,11 +29,11 @@ void TestDownloader::AddTestServerURL(const std::string& prefix,
 void TestDownloader::InitiateDownload(
    const url::Origin& request_initiator,
    const GURL& url,
-    const std::string& method,
+    Download::Type download_type,
    int allowed_number_of_redirects,
    PaymentManifestDownloadCallback callback) {
  PaymentManifestDownloader::InitiateDownload(
-      request_initiator, FindTestServerURL(url), method,
+      request_initiator, FindTestServerURL(url), download_type,
      allowed_number_of_redirects, std::move(callback));
 }

--- a/components/payments/core/test_payment_manifest_downloader.h
+++ b/components/payments/core/test_payment_manifest_downloader.h
@@ -97,7 +97,7 @@ class TestDownloader : public PaymentManifestDownloader {
  // PaymentManifestDownloader implementation.
  void InitiateDownload(const url::Origin& request_initiator,
                        const GURL& url,
-                        const std::string& method,
+                        Download::Type download_type,
                        int allowed_number_of_redirects,
                        PaymentManifestDownloadCallback callback) override;