[Android][Payments] Throttle payment handler pages on mime-types

Motivation:
Now, payment handler supports pages of any mime type on Android. This
exposes payment handlers to the vulnerabilities of some less maintained
mime-types. In order to make payment handlers safer to use, this CL
limits the mime types of payment handlers on Android by allowlisting.

Changes:
* Moved the WebContents user data setting logic into
  markPaymentHandlerWebContents() to
  payment_handler_navigation_throttle.cc.
* Let both Android & desktop's payment handler coordinators use the
  method to annotate a payment handler web-contents.
* Moved the throttle from //chrome/browser to //components to make it
  more convenient to depend on.

Bug: 1165367, 1159267
Change-Id: Ibc75bad9b47b2586e4222c2556c4bf6fb6bd28cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2614918
Commit-Queue: Liquan (Max) Gu <maxlg@chromium.org>
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843892}

chrome/android/java/src/org/chromium/chrome/browser/payments/handler/PaymentHandlerCoordinator.java

@@ -15,6 +15,7 @@ import org.chromium.chrome.browser.version.ChromeVersionInfo;
 import org.chromium.components.browser_ui.bottomsheet.BottomSheetController;
 import org.chromium.components.browser_ui.bottomsheet.BottomSheetControllerProvider;
 import org.chromium.components.embedder_support.view.ContentView;
+import org.chromium.components.payments.PaymentHandlerNavigationThrottle;
 import org.chromium.components.thinwebview.ThinWebView;
 import org.chromium.components.thinwebview.ThinWebViewConstraints;
 import org.chromium.components.thinwebview.ThinWebViewFactory;
@@ -70,6 +71,7 @@ public class PaymentHandlerCoordinator {
                 activity.getWindowAndroid(), isIncognito);
         mPaymentHandlerWebContents =
                 WebContentsFactory.createWebContents(profile, /*initiallyHidden=*/false);
+        PaymentHandlerNavigationThrottle.markPaymentHandlerWebContents(mPaymentHandlerWebContents);
         ContentView webContentView = ContentView.createContentView(
                 activity, null /* eventOffsetHandler */, mPaymentHandlerWebContents);
         initializeWebContents(activity, webContentView, url);

chrome/browser/BUILD.gn

@@ -5301,8 +5301,6 @@ static_library("browser") {
       "payments/chrome_payment_request_delegate.h",
       "payments/payment_credential_factory.cc",
       "payments/payment_credential_factory.h",
-      "payments/payment_handler_navigation_throttle.cc",
-      "payments/payment_handler_navigation_throttle.h",
       "payments/payment_request_display_manager_factory.cc",
       "payments/payment_request_display_manager_factory.h",
       "payments/payment_request_factory.cc",

chrome/browser/chrome_content_browser_client.cc

@@ -90,17 +90,13 @@
 #include "chrome/browser/notifications/platform_notification_service_impl.h"
 #include "chrome/browser/password_manager/chrome_password_manager_client.h"
 #include "chrome/browser/payments/payment_request_display_manager_factory.h"
-#include "chrome/browser/policy/profile_policy_connector.h"
-#include "components/site_engagement/content/site_engagement_service.h"
-#if !defined(OS_ANDROID)
-#include "chrome/browser/payments/payment_handler_navigation_throttle.h"
-#endif
 #include "chrome/browser/performance_manager/chrome_browser_main_extra_parts_performance_manager.h"
 #include "chrome/browser/performance_manager/chrome_content_browser_client_performance_manager_part.h"
 #include "chrome/browser/permissions/attestation_permission_request.h"
 #include "chrome/browser/platform_util.h"
 #include "chrome/browser/plugins/pdf_iframe_navigation_throttle.h"
 #include "chrome/browser/plugins/plugin_utils.h"
+#include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/prefetch/no_state_prefetch/chrome_prerender_contents_delegate.h"
 #include "chrome/browser/prefetch/no_state_prefetch/prerender_manager_factory.h"
 #include "chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_features.h"
@@ -246,6 +242,7 @@
 #include "components/omnibox/common/omnibox_features.h"
 #include "components/page_load_metrics/browser/metrics_navigation_throttle.h"
 #include "components/page_load_metrics/browser/metrics_web_contents_observer.h"
+#include "components/payments/content/payment_handler_navigation_throttle.h"
 #include "components/payments/content/payment_request_display_manager.h"
 #include "components/performance_manager/embedder/performance_manager_registry.h"
 #include "components/permissions/permission_context_base.h"
@@ -281,6 +278,7 @@
 #include "components/security_interstitials/content/ssl_error_handler.h"
 #include "components/security_interstitials/content/ssl_error_navigation_throttle.h"
 #include "components/signin/public/identity_manager/identity_manager.h"
+#include "components/site_engagement/content/site_engagement_service.h"
 #include "components/site_isolation/pref_names.h"
 #include "components/site_isolation/preloaded_isolated_origins.h"
 #include "components/site_isolation/site_isolation_policy.h"
@@ -4192,12 +4190,10 @@ ChromeContentBrowserClient::CreateThrottlesForNavigation(
         &throttles);
   }
 
-#if !defined(OS_ANDROID)
   MaybeAddThrottle(
       payments::PaymentHandlerNavigationThrottle::MaybeCreateThrottleFor(
           handle),
       &throttles);
-#endif
 
   return throttles;
 }

chrome/browser/ui/views/payments/payment_handler_web_flow_view_controller.cc

@@ -19,7 +19,7 @@
 #include "chrome/grit/generated_resources.h"
 #include "components/omnibox/browser/location_bar_model_util.h"
 #include "components/payments/content/icon/icon_size.h"
-#include "components/payments/content/payments_userdata_key.h"
+#include "components/payments/content/payment_handler_navigation_throttle.h"
 #include "components/payments/content/ssl_validity_checker.h"
 #include "components/payments/core/features.h"
 #include "components/payments/core/native_error_strings.h"
@@ -240,8 +240,8 @@ void PaymentHandlerWebFlowViewController::FillContentView(
   auto* web_view =
       content_view->AddChildView(std::make_unique<views::WebView>(profile_));
   Observe(web_view->GetWebContents());
-  web_contents()->SetUserData(kPaymentHandlerWebContentsUserDataKey,
-                              std::make_unique<base::SupportsUserData::Data>());
+  PaymentHandlerNavigationThrottle::MarkPaymentHandlerWebContents(
+      web_contents());
   web_contents()->SetDelegate(this);
   DCHECK_NE(log_.web_contents(), web_contents());
   content::PaymentAppProvider::GetOrCreateForWebContents(

components/payments/content/BUILD.gn

@@ -34,6 +34,8 @@ static_library("content") {
     "payment_event_response_util.h",
     "payment_handler_host.cc",
     "payment_handler_host.h",
+    "payment_handler_navigation_throttle.cc",
+    "payment_handler_navigation_throttle.h",
     "payment_request_converter.cc",
     "payment_request_converter.h",
     "payment_request_spec.cc",

components/payments/content/android/BUILD.gn

@@ -24,6 +24,7 @@ static_library("android") {
     "payment_feature_list.h",
     "payment_handler_host.cc",
     "payment_handler_host.h",
+    "payment_handler_navigation_throttle_android.cc",
     "payment_manifest_downloader_android.cc",
     "payment_manifest_downloader_android.h",
     "payment_manifest_parser_android.cc",
@@ -62,6 +63,7 @@ generate_jni("jni_headers") {
     "java/src/org/chromium/components/payments/OriginSecurityChecker.java",
     "java/src/org/chromium/components/payments/PaymentFeatureList.java",
     "java/src/org/chromium/components/payments/PaymentHandlerHost.java",
+    "java/src/org/chromium/components/payments/PaymentHandlerNavigationThrottle.java",
     "java/src/org/chromium/components/payments/PaymentManifestDownloader.java",
     "java/src/org/chromium/components/payments/PaymentManifestParser.java",
     "java/src/org/chromium/components/payments/PaymentRequestSpec.java",
@@ -134,6 +136,7 @@ android_library("full_java") {
     "java/src/org/chromium/components/payments/MojoPaymentRequestGateKeeper.java",
     "java/src/org/chromium/components/payments/OriginSecurityChecker.java",
     "java/src/org/chromium/components/payments/PaymentDetailsConverter.java",
+    "java/src/org/chromium/components/payments/PaymentHandlerNavigationThrottle.java",
     "java/src/org/chromium/components/payments/PaymentManifestDownloader.java",
     "java/src/org/chromium/components/payments/PaymentManifestParser.java",
     "java/src/org/chromium/components/payments/PaymentNotShownError.java",

components/payments/content/android/java/src/org/chromium/components/payments/PaymentHandlerNavigationThrottle.java

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.components.payments;
+
+import org.chromium.base.annotations.JNINamespace;
+import org.chromium.base.annotations.NativeMethods;
+import org.chromium.content_public.browser.WebContents;
+
+/** The navigation throttle of the payment handler pages. */
+@JNINamespace("payments::android")
+public class PaymentHandlerNavigationThrottle {
+    /**
+     * Marks the given WebContents as a payment handler WebContents. This will allow the callers of
+     * payment_handler_navigation_throttle to identify the payment handler WebContents given its
+     * NavigationHandler.
+     * @param webContents The payment handler WebContents. Null or destroyed one will be ignored.
+     */
+    public static void markPaymentHandlerWebContents(WebContents webContents) {
+        if (webContents == null || webContents.isDestroyed()) return;
+        PaymentHandlerNavigationThrottleJni.get().markPaymentHandlerWebContents(webContents);
+    }
+
+    @NativeMethods
+    /* package */ interface Natives {
+        void markPaymentHandlerWebContents(WebContents webContents);
+    }
+}

components/payments/content/android/payment_handler_navigation_throttle_android.cc

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/payments/content/android/jni_headers/PaymentHandlerNavigationThrottle_jni.h"
+
+#include "base/android/jni_android.h"
+#include "components/payments/content/payment_handler_navigation_throttle.h"
+#include "content/public/browser/web_contents.h"
+
+namespace payments {
+namespace android {
+// static
+void JNI_PaymentHandlerNavigationThrottle_MarkPaymentHandlerWebContents(
+    JNIEnv* env,
+    const base::android::JavaParamRef<jobject>& jweb_contents) {
+  content::WebContents* web_contents =
+      content::WebContents::FromJavaWebContents(jweb_contents);
+  if (!web_contents)
+    return;
+  PaymentHandlerNavigationThrottle::MarkPaymentHandlerWebContents(web_contents);
+}
+}  // namespace android
+}  // namespace payments

chrome/browser/payments/payment_handler_navigation_throttle.cc → components/payments/content/payment_handler_navigation_throttle.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chrome/browser/payments/payment_handler_navigation_throttle.h"
+#include "components/payments/content/payment_handler_navigation_throttle.h"
 
 #include <cstddef>
 #include <string>
@@ -27,6 +27,15 @@ const char* PaymentHandlerNavigationThrottle::GetNameForLogging() {
   return "PaymentHandlerNavigationThrottle";
 }
 
+// static
+void PaymentHandlerNavigationThrottle::MarkPaymentHandlerWebContents(
+    content::WebContents* web_contents) {
+  if (!web_contents)
+    return;
+  web_contents->SetUserData(kPaymentHandlerWebContentsUserDataKey,
+                            std::make_unique<base::SupportsUserData::Data>());
+}
+
 // static
 std::unique_ptr<PaymentHandlerNavigationThrottle>
 PaymentHandlerNavigationThrottle::MaybeCreateThrottleFor(

chrome/browser/payments/payment_handler_navigation_throttle.h → components/payments/content/payment_handler_navigation_throttle.h

@@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef CHROME_BROWSER_PAYMENTS_PAYMENT_HANDLER_NAVIGATION_THROTTLE_H_
-#define CHROME_BROWSER_PAYMENTS_PAYMENT_HANDLER_NAVIGATION_THROTTLE_H_
+#ifndef COMPONENTS_PAYMENTS_CONTENT_PAYMENT_HANDLER_NAVIGATION_THROTTLE_H_
+#define COMPONENTS_PAYMENTS_CONTENT_PAYMENT_HANDLER_NAVIGATION_THROTTLE_H_
 
 #include "base/macros.h"
 #include "content/public/browser/navigation_throttle.h"
+#include "content/public/browser/web_contents.h"
 
 namespace content {
 class NavigationHandle;
@@ -26,6 +27,10 @@ class PaymentHandlerNavigationThrottle : public content::NavigationThrottle {
   PaymentHandlerNavigationThrottle& operator=(
       const PaymentHandlerNavigationThrottle&) = delete;
 
+  // Marks the given WebContents as a PaymentHandler WebContents. Ignores null
+  // web_contents.
+  static void MarkPaymentHandlerWebContents(content::WebContents* web_contents);
+
   static std::unique_ptr<PaymentHandlerNavigationThrottle>
   MaybeCreateThrottleFor(content::NavigationHandle* handle);
 
@@ -35,4 +40,4 @@ class PaymentHandlerNavigationThrottle : public content::NavigationThrottle {
 };
 }  // namespace payments
 
-#endif  // CHROME_BROWSER_PAYMENTS_PAYMENT_HANDLER_NAVIGATION_THROTTLE_H_
+#endif  // COMPONENTS_PAYMENTS_CONTENT_PAYMENT_HANDLER_NAVIGATION_THROTTLE_H_