Store Referrer Policy in the Policy Container

This CL stores the document's Referrer Policy inside the Policy
Container and uses it for inheritance in case of local scheme
URLs. The behaviour is hidden behind a feature flag, disabled by
default.

Change-Id: I5397f55afad0634f485cb5f79134db48b094b3a3
Bug: 1130587, 1075738
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2424345
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Dominic Farolino <dom@chromium.org>
Cr-Commit-Position: refs/heads/master@{#822715}

third_party/blink/common/features.cc

@@ -666,6 +666,12 @@ const base::Feature kThrottleInstallingServiceWorker{
 const base::FeatureParam<int> kInstallingServiceWorkerOutstandingThrottledLimit{
     &kThrottleInstallingServiceWorker, "limit", 3};
 
+// Enables storing and loading security policies (for now, referrer policy) in
+// the policy container. The policy container for the current document is
+// attached to the RenderFrameHost and mirrored to the LocalFrame in Blink.
+const base::Feature kPolicyContainer{"PolicyContainer",
+                                     base::FEATURE_DISABLED_BY_DEFAULT};
+
 const base::Feature kInputPredictorTypeChoice{
     "InputPredictorTypeChoice", base::FEATURE_DISABLED_BY_DEFAULT};
 

third_party/blink/public/common/features.h

@@ -230,6 +230,11 @@ BLINK_COMMON_EXPORT extern const base::Feature kThrottleInstallingServiceWorker;
 BLINK_COMMON_EXPORT extern const base::FeatureParam<int>
     kInstallingServiceWorkerOutstandingThrottledLimit;
 
+// Enables storing and loading security policies (for now, referrer policy) in
+// the policy container. The policy container for the current document is
+// attached to the RenderFrameHost and mirrored to the LocalFrame in Blink.
+BLINK_COMMON_EXPORT extern const base::Feature kPolicyContainer;
+
 // This flag is used to set field parameters to choose predictor we use when
 // kResamplingInputEvents is disabled. It's used for gatherig accuracy metrics
 // on finch and also for choosing predictor type for predictedEvents API without

third_party/blink/renderer/core/frame/local_dom_window.cc

@@ -34,6 +34,7 @@
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "third_party/blink/public/common/action_after_pagehide.h"
 #include "third_party/blink/public/common/browser_interface_broker_proxy.h"
+#include "third_party/blink/public/common/features.h"
 #include "third_party/blink/public/common/widget/screen_info.h"
 #include "third_party/blink/public/mojom/feature_policy/policy_disposition.mojom-blink.h"
 #include "third_party/blink/public/platform/platform.h"
@@ -362,6 +363,11 @@ String LocalDOMWindow::OutgoingReferrer() const {
 
 network::mojom::ReferrerPolicy LocalDOMWindow::GetReferrerPolicy() const {
   network::mojom::ReferrerPolicy policy = ExecutionContext::GetReferrerPolicy();
+
+  // PolicyContainer took care already of policy inheritance.
+  if (base::FeatureList::IsEnabled(blink::features::kPolicyContainer)) {
+    return policy;
+  }
   // For srcdoc documents without their own policy, walk up the frame
   // tree to find the document that is either not a srcdoc or doesn't
   // have its own policy. This algorithm is defined in

third_party/blink/renderer/core/html/html_meta_element.cc

@@ -22,6 +22,7 @@
 
 #include "third_party/blink/renderer/core/html/html_meta_element.h"
 
+#include "third_party/blink/public/common/features.h"
 #include "third_party/blink/public/mojom/frame/color_scheme.mojom-blink.h"
 #include "third_party/blink/renderer/core/css/style_engine.h"
 #include "third_party/blink/renderer/core/dom/document.h"
@@ -600,6 +601,17 @@ void HTMLMetaElement::ProcessContent() {
         content_value, true /* support legacy keywords */,
         /*from_meta_tag_with_list_of_policies=*/
         comma_in_content_value);
+    if (base::FeatureList::IsEnabled(blink::features::kPolicyContainer)) {
+      LocalFrame* frame = GetDocument().GetFrame();
+      // If frame is null, this document is not attached to a frame, hence it
+      // has no Policy Container, so we ignore the next step. This function will
+      // run again anyway, should this document or this element be attached to a
+      // frame.
+      if (frame) {
+        GetDocument().GetFrame()->GetPolicyContainer()->UpdateReferrerPolicy(
+            GetExecutionContext()->GetReferrerPolicy());
+      }
+    }
   } else if (EqualIgnoringASCIICase(name_value, "handheldfriendly") &&
              EqualIgnoringASCIICase(content_value, "true")) {
     ProcessViewportContentAttribute("width=device-width",

third_party/blink/renderer/core/html/html_meta_element_test.cc

@@ -4,7 +4,9 @@
 
 #include "third_party/blink/renderer/core/html/html_meta_element.h"
 
+#include "base/test/scoped_feature_list.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/blink/public/common/features.h"
 #include "third_party/blink/renderer/core/css/css_computed_style_declaration.h"
 #include "third_party/blink/renderer/core/css/media_query_list.h"
 #include "third_party/blink/renderer/core/css/media_query_matcher.h"
@@ -16,6 +18,7 @@
 #include "third_party/blink/renderer/core/html/html_head_element.h"
 #include "third_party/blink/renderer/core/style/computed_style.h"
 #include "third_party/blink/renderer/core/testing/color_scheme_helper.h"
+#include "third_party/blink/renderer/core/testing/mock_policy_container_host.h"
 #include "third_party/blink/renderer/core/testing/page_test_base.h"
 #include "third_party/blink/renderer/core/testing/sim/sim_compositor.h"
 #include "third_party/blink/renderer/core/testing/sim/sim_request.h"
@@ -249,6 +252,31 @@ TEST_F(HTMLMetaElementTest, ReferrerPolicyWithoutContent) {
             GetDocument().GetReferrerPolicy());
 }
 
+TEST_F(HTMLMetaElementTest, ReferrerPolicyUpdatesPolicyContainer) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(blink::features::kPolicyContainer);
+
+  MockPolicyContainerHost policy_container_host;
+  mojo::PendingAssociatedRemote<mojom::blink::PolicyContainerHost>
+      stub_policy_container_remote =
+          policy_container_host.BindNewEndpointAndPassDedicatedRemote();
+  auto policy_container = std::make_unique<PolicyContainer>(
+      std::move(stub_policy_container_remote),
+      mojom::blink::PolicyContainerData::New());
+
+  GetFrame().SetPolicyContainer(std::move(policy_container));
+  EXPECT_CALL(policy_container_host,
+              SetReferrerPolicy(network::mojom::ReferrerPolicy::kStrictOrigin));
+  GetDocument().head()->setInnerHTML(R"HTML(
+    <meta name="referrer" content="strict-origin">
+  )HTML");
+  EXPECT_EQ(network::mojom::ReferrerPolicy::kStrictOrigin,
+            GetFrame().GetPolicyContainer()->GetReferrerPolicy());
+
+  // Wait for mojo messages to be received.
+  policy_container_host.FlushForTesting();
+}
+
 // This tests whether Web Monetization counter is properly triggered.
 TEST_F(HTMLMetaElementTest, WebMonetizationCounter) {
   // <meta> elements that don't have name equal to "monetization" or that lack

third_party/blink/renderer/core/loader/document_loader.cc

@@ -36,7 +36,6 @@
 #include "base/metrics/histogram_macros.h"
 #include "base/time/default_tick_clock.h"
 #include "build/chromeos_buildflags.h"
-#include "services/network/public/cpp/features.h"
 #include "services/network/public/cpp/web_sandbox_flags.h"
 #include "services/network/public/mojom/web_sandbox_flags.mojom-blink.h"
 #include "third_party/blink/public/common/features.h"
@@ -1663,11 +1662,25 @@ void DocumentLoader::InitializeWindow(Document* owner_document) {
   }
   frame_->DomWindow()->SetAddressSpace(ip_address_space_);
 
+  if (base::FeatureList::IsEnabled(blink::features::kPolicyContainer)) {
+    // SVG image documents go throught this but don't have a PolicyContainer, so
+    // ignore them.
+    if (frame_->GetPolicyContainer()) {
+      frame_->DomWindow()->SetReferrerPolicy(
+          frame_->GetPolicyContainer()->GetReferrerPolicy(), false);
+    }
+  }
   String referrer_policy_header =
       response_.HttpHeaderField(http_names::kReferrerPolicy);
   if (!referrer_policy_header.IsNull()) {
     CountUse(WebFeature::kReferrerPolicyHeader);
     frame_->DomWindow()->ParseAndSetReferrerPolicy(referrer_policy_header);
+    if (base::FeatureList::IsEnabled(blink::features::kPolicyContainer)) {
+      if (frame_->GetPolicyContainer()) {
+        frame_->GetPolicyContainer()->UpdateReferrerPolicy(
+            frame_->DomWindow()->GetReferrerPolicy());
+      }
+    }
   }
 }
 

third_party/blink/web_tests/VirtualTestSuites

@@ -706,6 +706,12 @@
     "bases": [ "external/wpt/content-security-policy/embedded-enforcement" ],
     "args": [ "--disable-features=OutOfBlinkCSPEE" ]
   },
+  {
+    "prefix": "policy-container",
+    "bases": [ "external/wpt/referrer-policy",
+               "fast/dom/DOMImplementation" ],
+    "args": [ "--enable-features=PolicyContainer" ]
+  },
   {
     "prefix": "subresource-web-bundles-disabled",
     "bases": [ "http/tests/loading/wbn/origin-trial/" ],

third_party/blink/web_tests/virtual/policy-container/README.md

+This directory is for testing Referrer Policy within the PolicyContainer.
+
+This test suite runs the tests with --enable-features=PolicyContainer. The
+experimental flag enables setting/inheriting Referrer Policy via the Policy
+Container, a new mechanism which uses policies stored in the browser on the
+RenderFrameHost as authoritative policies for creating new frames.

third_party/blink/web_tests/virtual/policy-container/external/wpt/referrer-policy/generic/inheritance/iframe-inheritance-about-blank-expected.txt

+This is a testharness.js-based test.
+PASS The fetch() API in an about:blank iframe with the 'client' referrer is fetched with no 'Referer' header
+PASS The fetch() API in an about:blank iframe with a custom URL referrer is fetched with a 'Referer` header that uses the outer document's URL along with its referrer policy
+FAIL The value of document.referrer in an about:blank iframe is the outer document's full URL, regardless of referrer policy assert_equals: expected "http://web-platform.test:8001/referrer-policy/generic/inheritance/iframe-inheritance-about-blank.html" but got "http://web-platform.test:8001/"
+PASS A subresource fetched from an about:blank iframe is fetched with no 'Referer' header
+Harness: the test ran to completion.
+

third_party/blink/web_tests/virtual/policy-container/external/wpt/referrer-policy/generic/inheritance/iframe-inheritance-javascript-child-expected.txt

+This is a testharness.js-based test.
+PASS Referrer Policy: iframes with javascript url reuse referrer policy
+PASS Referrer Policy: iframes with javascript url reuse referrer policy 1
+PASS Referrer Policy: iframes with javascript url reuse referrer policy 2
+PASS Referrer Policy: iframes with javascript url reuse referrer policy 3
+Harness: the test ran to completion.
+

third_party/blink/web_tests/virtual/policy-container/external/wpt/referrer-policy/generic/inheritance/iframe-inheritance-javascript-expected.txt

+This is a testharness.js-based test.
+PASS Referrer Policy: iframes with javascript url reuse referrer policy
+PASS Referrer Policy: iframes with javascript url reuse referrer policy 1
+Harness: the test ran to completion.
+