Add metrics to record TCP/UDP connections made from Flash

BUG=472256

Review URL: https://codereview.chromium.org/1132093003

Cr-Commit-Position: refs/heads/master@{#329895}

content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

@@ -141,6 +141,14 @@ void BrowserPpapiHostImpl::SetOnKeepaliveCallback(
   on_keepalive_callback_ = callback;
 }
 
+bool BrowserPpapiHostImpl::IsPotentiallySecurePluginContext(
+    PP_Instance instance) {
+  auto* data = instance_map_.get(instance);
+  if (data == nullptr)
+    return false;
+  return data->renderer_data.is_potentially_secure_plugin_context;
+}
+
 void BrowserPpapiHostImpl::AddInstance(
     PP_Instance instance,
     const PepperRendererInstanceData& renderer_instance_data) {

content/browser/renderer_host/pepper/browser_ppapi_host_impl.h

@@ -72,6 +72,11 @@ class CONTENT_EXPORT BrowserPpapiHostImpl : public BrowserPpapiHost {
   void SetOnKeepaliveCallback(
       const BrowserPpapiHost::OnKeepaliveCallback& callback) override;
 
+  // Whether the plugin context is secure. That is, it is served from a secure
+  // origin and it is embedded within a hierarchy of secure frames. This value
+  // comes from the renderer so should not be trusted. It is used for metrics.
+  bool IsPotentiallySecurePluginContext(PP_Instance instance);
+
   void set_plugin_process(base::Process process) {
     plugin_process_ = process.Pass();
   }

content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc

@@ -9,6 +9,7 @@
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "build/build_config.h"
 #include "content/browser/renderer_host/pepper/content_browser_pepper_host_factory.h"
@@ -1000,6 +1001,9 @@ void PepperTCPSocketMessageFilter::SendConnectReply(
     int32_t pp_result,
     const PP_NetAddress_Private& local_addr,
     const PP_NetAddress_Private& remote_addr) {
+  UMA_HISTOGRAM_BOOLEAN("Pepper.PluginContextSecurity.TCPConnect",
+                        host_->IsPotentiallySecurePluginContext(instance_));
+
   ppapi::host::ReplyMessageContext reply_context(context);
   reply_context.params.set_result(pp_result);
   SendReply(reply_context,

content/browser/renderer_host/pepper/pepper_udp_socket_message_filter.cc

@@ -8,6 +8,7 @@
 
 #include "base/compiler_specific.h"
 #include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
 #include "content/browser/renderer_host/pepper/browser_ppapi_host_impl.h"
 #include "content/browser/renderer_host/pepper/pepper_socket_utils.h"
 #include "content/public/browser/browser_thread.h"
@@ -60,7 +61,8 @@ PepperUDPSocketMessageFilter::PepperUDPSocketMessageFilter(
     BrowserPpapiHostImpl* host,
     PP_Instance instance,
     bool private_api)
-    : socket_options_(0),
+    : host_(host),
+      socket_options_(0),
       rcvbuf_size_(0),
       sndbuf_size_(0),
       multicast_ttl_(0),
@@ -645,6 +647,10 @@ void PepperUDPSocketMessageFilter::SendBindReply(
     const ppapi::host::ReplyMessageContext& context,
     int32_t result,
     const PP_NetAddress_Private& addr) {
+  UMA_HISTOGRAM_BOOLEAN(
+      "Pepper.PluginContextSecurity.UDPBind",
+      host_->IsPotentiallySecurePluginContext(resource_host()->pp_instance()));
+
   ppapi::host::ReplyMessageContext reply_context(context);
   reply_context.params.set_result(result);
   SendReply(reply_context, PpapiPluginMsg_UDPSocket_BindReply(addr));

content/browser/renderer_host/pepper/pepper_udp_socket_message_filter.h

@@ -133,6 +133,8 @@ class CONTENT_EXPORT PepperUDPSocketMessageFilter
 
   int32_t CanUseMulticastAPI(const PP_NetAddress_Private& addr);
 
+  BrowserPpapiHostImpl* host_;
+
   // Bitwise-or of SocketOption flags. This stores the state about whether
   // each option is set before Bind() is called.
   int socket_options_;

content/common/pepper_renderer_instance_data.cc

@@ -7,17 +7,21 @@
 namespace content {
 
 PepperRendererInstanceData::PepperRendererInstanceData()
-    : render_process_id(0), render_frame_id(0) {
+    : render_process_id(0),
+      render_frame_id(0),
+      is_potentially_secure_plugin_context(false) {
 }
 
 PepperRendererInstanceData::PepperRendererInstanceData(int render_process,
                                                        int render_frame,
                                                        const GURL& document,
-                                                       const GURL& plugin)
+                                                       const GURL& plugin,
+                                                       bool secure)
     : render_process_id(render_process),
       render_frame_id(render_frame),
       document_url(document),
-      plugin_url(plugin) {
+      plugin_url(plugin),
+      is_potentially_secure_plugin_context(secure) {
 }
 
 PepperRendererInstanceData::~PepperRendererInstanceData() {

content/common/pepper_renderer_instance_data.h

@@ -22,12 +22,17 @@ struct PepperRendererInstanceData {
   PepperRendererInstanceData(int render_process,
                              int render_frame_id,
                              const GURL& document,
-                             const GURL& plugin);
+                             const GURL& plugin,
+                             bool secure);
   ~PepperRendererInstanceData();
   int render_process_id;
   int render_frame_id;
   GURL document_url;
   GURL plugin_url;
+  // Whether the plugin context is secure. That is, it is served from a secure
+  // origin and it is embedded within a hierarchy of secure frames. This value
+  // comes from the renderer so should not be trusted. It is used for metrics.
+  bool is_potentially_secure_plugin_context;
 };
 
 }  // namespace content

content/common/view_messages.h

@@ -226,6 +226,7 @@ IPC_STRUCT_TRAITS_BEGIN(content::PepperRendererInstanceData)
   IPC_STRUCT_TRAITS_MEMBER(render_frame_id)
   IPC_STRUCT_TRAITS_MEMBER(document_url)
   IPC_STRUCT_TRAITS_MEMBER(plugin_url)
+  IPC_STRUCT_TRAITS_MEMBER(is_potentially_secure_plugin_context)
 IPC_STRUCT_TRAITS_END()
 #endif
 

content/renderer/pepper/host_dispatcher_wrapper.cc

@@ -5,6 +5,7 @@
 #include "content/renderer/pepper/host_dispatcher_wrapper.h"
 
 #include "content/common/view_messages.h"
+#include "content/public/common/origin_util.h"
 #include "content/renderer/pepper/pepper_hung_plugin_filter.h"
 #include "content/renderer/pepper/pepper_plugin_instance_impl.h"
 #include "content/renderer/pepper/pepper_proxy_channel_delegate_impl.h"
@@ -12,6 +13,9 @@
 #include "content/renderer/pepper/renderer_ppapi_host_impl.h"
 #include "content/renderer/pepper/renderer_restrict_dispatch_group.h"
 #include "content/renderer/render_frame_impl.h"
+#include "third_party/WebKit/public/web/WebDocument.h"
+#include "third_party/WebKit/public/web/WebElement.h"
+#include "third_party/WebKit/public/web/WebPluginContainer.h"
 
 namespace content {
 
@@ -85,14 +89,19 @@ void HostDispatcherWrapper::AddInstance(PP_Instance instance) {
   if (host) {
     RenderFrame* render_frame = host->GetRenderFrameForInstance(instance);
     PepperPluginInstance* plugin_instance = host->GetPluginInstance(instance);
+    blink::WebString unused;
+    bool is_privileged_context =
+        plugin_instance->GetContainer()
+            ->element()
+            .document()
+            .isPrivilegedContext(unused) &&
+        content::IsOriginSecure(plugin_instance->GetPluginURL());
     render_frame->Send(new ViewHostMsg_DidCreateOutOfProcessPepperInstance(
-        plugin_child_id_,
-        instance,
+        plugin_child_id_, instance,
         PepperRendererInstanceData(
             0,  // The render process id will be supplied in the browser.
-            render_frame->GetRoutingID(),
-            host->GetDocumentURL(instance),
-            plugin_instance->GetPluginURL()),
+            render_frame->GetRoutingID(), host->GetDocumentURL(instance),
+            plugin_instance->GetPluginURL(), is_privileged_context),
         is_external_));
   }
 }

content/renderer/pepper/pepper_browser_connection.cc

@@ -42,11 +42,15 @@ void PepperBrowserConnection::DidCreateInProcessInstance(
     int render_frame_id,
     const GURL& document_url,
     const GURL& plugin_url) {
+  // We don't need to know if it's a privileged context for in-process plugins.
+  // In process plugins are deprecated and the only in-process plugin that
+  // exists is the "NaCl plugin" which will never need to know this.
+  bool is_privileged_context = false;
   Send(new ViewHostMsg_DidCreateInProcessInstance(
       instance,
       // Browser provides the render process id.
-      PepperRendererInstanceData(
-          0, render_frame_id, document_url, plugin_url)));
+      PepperRendererInstanceData(0, render_frame_id, document_url, plugin_url,
+                                 is_privileged_context)));
 }
 
 void PepperBrowserConnection::DidDeleteInProcessInstance(PP_Instance instance) {

tools/metrics/histograms/histograms.xml

@@ -26649,6 +26649,26 @@ Therefore, the affected-histogram name has to have at least one dot in it.
   </summary>
 </histogram>
 
+<histogram name="Pepper.PluginContextSecurity.TCPConnect" enum="BooleanSecure">
+  <owner>raymes@chromium.org</owner>
+  <owner>jww@chromium.org</owner>
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether a Pepper TCP connect attempt comes from a plugin in a secure or an
+    insecure origin.
+  </summary>
+</histogram>
+
+<histogram name="Pepper.PluginContextSecurity.UDPBind" enum="BooleanSecure">
+  <owner>raymes@chromium.org</owner>
+  <owner>jww@chromium.org</owner>
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether a Pepper UDP bind attempt comes from a plugin in a secure or an
+    insecure origin.
+  </summary>
+</histogram>
+
 <histogram name="PerformanceMonitor.AverageCPU" units="PercentCPUUsage">
   <owner>oysteine@chromium.org</owner>
   <summary>
@@ -48182,6 +48202,11 @@ Therefore, the affected-histogram name has to have at least one dot in it.
   <int value="1" label="Revoked"/>
 </enum>
 
+<enum name="BooleanSecure" type="int">
+  <int value="0" label="Insecure"/>
+  <int value="1" label="Secure"/>
+</enum>
+
 <enum name="BooleanSelected" type="int">
   <int value="0" label="No selection"/>
   <int value="1" label="Selected"/>