Set network_isolation_key for signed exchange cert fetch

Currently network_isolation_key is not set for signed exchange cert fetch. So, even if the signed exchange and the certificate were prefetched, the certificate is fetched again while navigation when SplitCacheByNetworkIsolationKey is enabled. Bug=1047110 Change-Id: I524df1da097c6f544777f20cca5a3e53246693cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2029564Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Tsuyoshi Horo <horo@chromium.org> Cr-Commit-Position: refs/heads/master@{#737251}

Set network_isolation_key for signed exchange cert fetch
Currently network_isolation_key is not set for signed exchange cert fetch. So, even if the signed exchange and the certificate were prefetched, the certificate is fetched again while navigation when SplitCacheByNetworkIsolationKey is enabled. Bug=1047110 Change-Id: I524df1da097c6f544777f20cca5a3e53246693cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2029564Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Tsuyoshi Horo <horo@chromium.org> Cr-Commit-Position: refs/heads/master@{#737251}
64ab230d · Tsuyoshi Horo · Commit Bot · da215881 · 64ab230d · 64ab230d
Commit 64ab230d authored Jan 31, 2020 by Tsuyoshi Horo Committed by Commit Bot Jan 31, 2020
15 changed files
--- a/content/browser/web_package/signed_exchange_cert_fetcher.cc
+++ b/content/browser/web_package/signed_exchange_cert_fetcher.cc
@@ -81,14 +81,15 @@ SignedExchangeCertFetcher::CreateAndStart(
    CertificateCallback callback,
    SignedExchangeDevToolsProxy* devtools_proxy,
    SignedExchangeReporter* reporter,
-    const base::Optional<base::UnguessableToken>& throttling_profile_id) {
+    const base::Optional<base::UnguessableToken>& throttling_profile_id,
+    base::Optional<net::NetworkIsolationKey> network_isolation_key) {
  TRACE_EVENT0(TRACE_DISABLED_BY_DEFAULT("loading"),
               "SignedExchangeCertFetcher::CreateAndStart");
  std::unique_ptr<SignedExchangeCertFetcher> cert_fetcher(
-      new SignedExchangeCertFetcher(std::move(shared_url_loader_factory),
-                                    std::move(throttles), cert_url, force_fetch,
-                                    std::move(callback), devtools_proxy,
-                                    reporter, throttling_profile_id));
+      new SignedExchangeCertFetcher(
+          std::move(shared_url_loader_factory), std::move(throttles), cert_url,
+          force_fetch, std::move(callback), devtools_proxy, reporter,
+          throttling_profile_id, std::move(network_isolation_key)));
  cert_fetcher->Start();
  return cert_fetcher;
 }
@@ -102,7 +103,8 @@ SignedExchangeCertFetcher::SignedExchangeCertFetcher(
    CertificateCallback callback,
    SignedExchangeDevToolsProxy* devtools_proxy,
    SignedExchangeReporter* reporter,
-    const base::Optional<base::UnguessableToken>& throttling_profile_id)
+    const base::Optional<base::UnguessableToken>& throttling_profile_id,
+    base::Optional<net::NetworkIsolationKey> network_isolation_key)
    : shared_url_loader_factory_(std::move(shared_url_loader_factory)),
      throttles_(std::move(throttles)),
      resource_request_(std::make_unique<network::ResourceRequest>()),
@@ -131,6 +133,12 @@ SignedExchangeCertFetcher::SignedExchangeCertFetcher(
    resource_request_->enable_load_timing = true;
  }
  resource_request_->throttling_profile_id = throttling_profile_id;
+  if (network_isolation_key) {
+    resource_request_->trusted_params =
+        network::ResourceRequest::TrustedParams();
+    resource_request_->trusted_params->network_isolation_key =
+        *network_isolation_key;
+  }
 }

 SignedExchangeCertFetcher::~SignedExchangeCertFetcher() = default;

--- a/content/browser/web_package/signed_exchange_cert_fetcher.h
+++ b/content/browser/web_package/signed_exchange_cert_fetcher.h
@@ -18,6 +18,7 @@
 #include "content/common/content_export.h"
 #include "mojo/public/cpp/bindings/pending_receiver.h"
 #include "mojo/public/cpp/bindings/pending_remote.h"
+#include "net/base/network_isolation_key.h"
 #include "services/network/public/mojom/url_loader.mojom.h"

 namespace network {
@@ -64,7 +65,8 @@ class CONTENT_EXPORT SignedExchangeCertFetcher
      CertificateCallback callback,
      SignedExchangeDevToolsProxy* devtools_proxy,
      SignedExchangeReporter* reporter,
-      const base::Optional<base::UnguessableToken>& throttling_profile_id);
+      const base::Optional<base::UnguessableToken>& throttling_profile_id,
+      base::Optional<net::NetworkIsolationKey> network_isolation_key);

  ~SignedExchangeCertFetcher() override;

@@ -86,7 +88,8 @@ class CONTENT_EXPORT SignedExchangeCertFetcher
      CertificateCallback callback,
      SignedExchangeDevToolsProxy* devtools_proxy,
      SignedExchangeReporter* reporter,
-      const base::Optional<base::UnguessableToken>& throttling_profile_id);
+      const base::Optional<base::UnguessableToken>& throttling_profile_id,
+      base::Optional<net::NetworkIsolationKey> network_isolation_key);
  void Start();
  void Abort();
  void OnHandleReady(MojoResult result);

--- a/content/browser/web_package/signed_exchange_cert_fetcher_factory.cc
+++ b/content/browser/web_package/signed_exchange_cert_fetcher_factory.cc
@@ -21,10 +21,12 @@ class SignedExchangeCertFetcherFactoryImpl
  SignedExchangeCertFetcherFactoryImpl(
      scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
      URLLoaderThrottlesGetter url_loader_throttles_getter,
-      const base::Optional<base::UnguessableToken>& throttling_profile_id)
+      const base::Optional<base::UnguessableToken>& throttling_profile_id,
+      base::Optional<net::NetworkIsolationKey> network_isolation_key)
      : url_loader_factory_(std::move(url_loader_factory)),
        url_loader_throttles_getter_(std::move(url_loader_throttles_getter)),
-        throttling_profile_id_(throttling_profile_id) {}
+        throttling_profile_id_(throttling_profile_id),
+        network_isolation_key_(std::move(network_isolation_key)) {}

  std::unique_ptr<SignedExchangeCertFetcher> CreateFetcherAndStart(
      const GURL& cert_url,
@@ -37,6 +39,7 @@ class SignedExchangeCertFetcherFactoryImpl
  scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory_;
  URLLoaderThrottlesGetter url_loader_throttles_getter_;
  const base::Optional<base::UnguessableToken> throttling_profile_id_;
+  const base::Optional<net::NetworkIsolationKey> network_isolation_key_;
 };

 std::unique_ptr<SignedExchangeCertFetcher>
@@ -53,7 +56,7 @@ SignedExchangeCertFetcherFactoryImpl::CreateFetcherAndStart(
  return SignedExchangeCertFetcher::CreateAndStart(
      std::move(url_loader_factory_), std::move(throttles), cert_url,
      force_fetch, std::move(callback), devtools_proxy, reporter,
-      throttling_profile_id_);
+      throttling_profile_id_, network_isolation_key_);
 }

 // static
@@ -61,10 +64,11 @@ std::unique_ptr<SignedExchangeCertFetcherFactory>
 SignedExchangeCertFetcherFactory::Create(
    scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
    URLLoaderThrottlesGetter url_loader_throttles_getter,
-    const base::Optional<base::UnguessableToken>& throttling_profile_id) {
+    const base::Optional<base::UnguessableToken>& throttling_profile_id,
+    base::Optional<net::NetworkIsolationKey> network_isolation_key) {
  return std::make_unique<SignedExchangeCertFetcherFactoryImpl>(
      std::move(url_loader_factory), std::move(url_loader_throttles_getter),
-      throttling_profile_id);
+      throttling_profile_id, std::move(network_isolation_key));
 }

 }  // namespace content
--- a/content/browser/web_package/signed_exchange_cert_fetcher_factory.h
+++ b/content/browser/web_package/signed_exchange_cert_fetcher_factory.h
@@ -13,6 +13,7 @@
 #include "base/unguessable_token.h"
 #include "content/browser/web_package/signed_exchange_cert_fetcher.h"
 #include "content/common/content_export.h"
+#include "net/base/network_isolation_key.h"

 namespace network {
 class SharedURLLoaderFactory;
@@ -46,7 +47,8 @@ class CONTENT_EXPORT SignedExchangeCertFetcherFactory {
  static std::unique_ptr<SignedExchangeCertFetcherFactory> Create(
      scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
      URLLoaderThrottlesGetter url_loader_throttles_getter,
-      const base::Optional<base::UnguessableToken>& throttling_profile_id);
+      const base::Optional<base::UnguessableToken>& throttling_profile_id,
+      base::Optional<net::NetworkIsolationKey> network_isolation_key);
 };

 }  // namespace content

--- a/content/browser/web_package/signed_exchange_cert_fetcher_unittest.cc
+++ b/content/browser/web_package/signed_exchange_cert_fetcher_unittest.cc
@@ -223,7 +223,8 @@ class SignedExchangeCertFetcherTest : public testing::Test {
            &mock_loader_factory_),
        std::move(throttles_), url, force_fetch, std::move(callback),
        nullptr /* devtools_proxy */, nullptr /* reporter */,
-        base::nullopt /* throttling_profile_id */);
+        base::nullopt /* throttling_profile_id */,
+        base::nullopt /* network_isolation_key */);
  }

  void CallOnReceiveResponse() {

--- a/content/browser/web_package/signed_exchange_loader.cc
+++ b/content/browser/web_package/signed_exchange_loader.cc
@@ -139,7 +139,11 @@ void SignedExchangeLoader::OnStartLoadingResponseBody(
    mojo::ScopedDataPipeConsumerHandle response_body) {
  auto cert_fetcher_factory = SignedExchangeCertFetcherFactory::Create(
      url_loader_factory_, url_loader_throttles_getter_,
-      outer_request_.throttling_profile_id);
+      outer_request_.throttling_profile_id,
+      outer_request_.trusted_params
+          ? base::make_optional(
+                outer_request_.trusted_params->network_isolation_key)
+          : base::nullopt);

  if (g_signed_exchange_factory_for_testing_) {
    signed_exchange_handler_ = g_signed_exchange_factory_for_testing_->Create(

--- a/third_party/blink/web_tests/NeverFixTests
+++ b/third_party/blink/web_tests/NeverFixTests
@@ -2065,6 +2065,7 @@ crbug.com/946022 [ Win7 ] paint/invalidation/window-resize/* [ Skip ]
 crbug.com/940797 external/wpt/signed-exchange/appcache/sxg-served-from-appcache.tentative.https.html [ Skip ]
 crbug.com/940797 virtual/sxg-with-network-service/external/wpt/signed-exchange/appcache/sxg-served-from-appcache.tentative.https.html [ Skip ]
 crbug.com/940797 virtual/sxg-subresource/external/wpt/signed-exchange/appcache/sxg-served-from-appcache.tentative.https.html [ Skip ]
+crbug.com/940797 virtual/split-http-cache/external/wpt/signed-exchange/appcache/sxg-served-from-appcache.tentative.https.html [ Skip ]

 external/wpt/css/css-overscroll-behavior/overscrollBehavior-manual.html [ Skip ]
 external/wpt/html/semantics/forms/the-input-element/event-select-manual.html [ Skip ]

--- a/third_party/blink/web_tests/VirtualTestSuites
+++ b/third_party/blink/web_tests/VirtualTestSuites
@@ -698,7 +698,8 @@
  },
  {
    "prefix": "split-http-cache",
-    "bases": ["external/wpt/fetch/http-cache"],
+    "bases": ["external/wpt/fetch/http-cache",
+              "external/wpt/signed-exchange"],
    "args": ["--enable-features=SplitCacheByNetworkIsolationKey"]
  },
  {

--- a/third_party/blink/web_tests/external/wpt/signed-exchange/resources/generate-test-sxgs.sh
+++ b/third_party/blink/web_tests/external/wpt/signed-exchange/resources/generate-test-sxgs.sh
@@ -576,4 +576,22 @@ gen-signedexchange \
  -miRecordSize 100 \
  -responseHeader "link:<$inner_url_origin/signed-exchange/resources/sxg-subresource-script.js>;rel=allowed-alt-sxg;header-integrity=\"$header_integrity\",<$inner_url_origin/signed-exchange/resources/sxg-subresource-script.js>;rel=preload;as=script"

+
+# A Signed Exchange for testing prefetch.
+# The id query value "XXX..." of prefetch-test-cert.py will be replaced with
+# UUID for stash token by prefetch-test-sxg.py.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-prefetch-test.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_remote_origin/signed-exchange/resources/prefetch-test-cert.py?id=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2020-01-29T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-prefetch-test.sxg \
+  -miRecordSize 100
+
 rm -fr $tmpdir
--- a/third_party/blink/web_tests/external/wpt/signed-exchange/resources/prefetch-test-cert.py
+++ b/third_party/blink/web_tests/external/wpt/signed-exchange/resources/prefetch-test-cert.py
+import os
+
+
+def main(request, response):
+    stash_id = request.GET.first("id")
+    if request.server.stash.take(stash_id) is not None:
+        response.status = (404, "Not Found")
+        response.headers.set("Content-Type", "text/plain")
+        return "not found"
+    request.server.stash.put(stash_id, True)
+
+    path = os.path.join(os.path.dirname(__file__), "127.0.0.1.sxg.pem.cbor")
+    body = open(path, "rb").read()
+
+    response.headers.set("Content-Type", "application/cert-chain+cbor")
+    response.headers.set("Cache-Control", "public, max-age=600")
+    return body
--- a/third_party/blink/web_tests/external/wpt/signed-exchange/resources/prefetch-test-sxg.py
+++ b/third_party/blink/web_tests/external/wpt/signed-exchange/resources/prefetch-test-sxg.py
+import os
+
+
+def main(request, response):
+    stash_id = request.GET.first("id")
+    if request.server.stash.take(stash_id) is not None:
+        response.status = (404, "Not Found")
+        response.headers.set("Content-Type", "text/plain")
+        return "not found"
+    request.server.stash.put(stash_id, True)
+
+    path = os.path.join(os.path.dirname(__file__), "sxg", "sxg-prefetch-test.sxg")
+    body = open(path, "rb").read()
+
+    response.headers.set("Content-Type", "application/signed-exchange;v=b3")
+    response.headers.set("X-Content-Type-Options", "nosniff")
+    response.headers.set("Cache-Control", "public, max-age=600")
+
+    return body.replace('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', stash_id)
--- a/third_party/blink/web_tests/external/wpt/signed-exchange/resources/sxg-prefetch-test.html
+++ b/third_party/blink/web_tests/external/wpt/signed-exchange/resources/sxg-prefetch-test.html
+<!DOCTYPE html>
+<title>Prefetch test SXG</title>
+<script>
+window.opener.postMessage('loaded', '*');
+</script>
--- a/third_party/blink/web_tests/external/wpt/signed-exchange/resources/sxg/sxg-prefetch-test.sxg
+++ b/third_party/blink/web_tests/external/wpt/signed-exchange/resources/sxg/sxg-prefetch-test.sxg
--- a/third_party/blink/web_tests/external/wpt/signed-exchange/sxg-prefetch.tentative.https.html
+++ b/third_party/blink/web_tests/external/wpt/signed-exchange/sxg-prefetch.tentative.https.html
+<!DOCTYPE html>
+<title>Prefetched signed exchange and certificate must not be fetched again</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="./resources/sxg-util.js"></script>
+<body>
+<script>
+promise_test(async (t) => {
+  const id = token();
+  const sxgUrl = get_host_info().HTTPS_REMOTE_ORIGIN + '/signed-exchange/resources/prefetch-test-sxg.py?id=' + id;
+
+  await new Promise(resolve => {
+    const link = document.createElement('link');
+    link.rel = 'prefetch';
+    link.href = sxgUrl;
+    link.as = 'document';
+    link.addEventListener('error', t.step_func(() => {
+        assert_unreached('Prefetch should not fail');
+    }));
+    link.addEventListener('load', t.step_func(() => {
+        resolve();
+    }));
+    document.body.appendChild(link);
+  });
+  const message_promise = new Promise((resolve) => {
+    window.addEventListener('message', (event) => {
+      resolve(event.data);
+    }, false);
+  });
+  const win = window.open(sxgUrl, "_blank");
+  const message = await message_promise;
+  win.close();
+  assert_equals(message, 'loaded');
+}, 'Prefetched signed exchange and certificate must not be fetched again.');
+
+</script>
+</body>
--- a/third_party/blink/web_tests/virtual/split-http-cache/external/wpt/signed-exchange/README.txt
+++ b/third_party/blink/web_tests/virtual/split-http-cache/external/wpt/signed-exchange/README.txt
+This suite runs Signed Exchange tests with SplitCacheByNetworkIsolationKey
+enabled.