Introduce content::URLLoaderFactoryParamsHelper.

Summary ======= This CL consolidates creation of network::mojom::URLLoaderFactoryParams into a new class - content::URLLoaderFactoryParamsHelper. Motivation ========== This CL helps simplify the code by lowering the number of parameters that need to be propagated by various methods. This CL also makes it easier to audit security properties of the code, by grouping all assignments into the helper class. For example, after the CL, it is hopefully much easier to see when |is_trusted| is set. This CL also avoids exposing unnecessary public //content APIs through RenderProcessHost (e.g. by moving |is_trusted| and |network_isolation_key| parameters into the new helper class). No intended changes in behavior =============================== In general, this CL intends to introduce no changes in behavior. In particular, the values that various scenarios put inside network::mojom::URLLoaderFactoryParams should not be changed by this CL (except in the dedicated worker scenario listed below). The only change of URLLoaderFactoryParams is that WebPreferences of the |ancestor_render_frame_host| will now be (correctly) taken into account when creating a factory for a dedicated worker. Another change in behavior introduced by this CL, is changing which |origin| is passed to the WillCreateURLLoaderFactory method when creating a factory for content scripts / isolated worlds: - Before the CL, the isolated world origin would be passed - After the CL, the main world origin is passed This change should be insignificant: - AwContentBrowserClient::WillCreateURLLoaderFactory and ShellContentBrowserClient::WillCreateURLLoaderFactory overrides do not dereference the |request_initiator| parameter. - ChromeContentBrowserClient::WillCreateURLLoaderFactory passes the origin into signin::ProxyingURLLoaderFactory::MaybeProxyRequest and then into gaia::IsGaiaSignonRealm. I believe that it is okay if content script requests are also proxied - if an extension has permission to inject content scripts then it effectively "owns" the origin anyway. Bug: 1025303 Change-Id: I56c224dc67bcc637e77d4c9ffad91b87cb99d83c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1915299 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#722626}

Introduce content::URLLoaderFactoryParamsHelper.
Summary ======= This CL consolidates creation of network::mojom::URLLoaderFactoryParams into a new class - content::URLLoaderFactoryParamsHelper. Motivation ========== This CL helps simplify the code by lowering the number of parameters that need to be propagated by various methods. This CL also makes it easier to audit security properties of the code, by grouping all assignments into the helper class. For example, after the CL, it is hopefully much easier to see when |is_trusted| is set. This CL also avoids exposing unnecessary public //content APIs through RenderProcessHost (e.g. by moving |is_trusted| and |network_isolation_key| parameters into the new helper class). No intended changes in behavior =============================== In general, this CL intends to introduce no changes in behavior. In particular, the values that various scenarios put inside network::mojom::URLLoaderFactoryParams should not be changed by this CL (except in the dedicated worker scenario listed below). The only change of URLLoaderFactoryParams is that WebPreferences of the |ancestor_render_frame_host| will now be (correctly) taken into account when creating a factory for a dedicated worker. Another change in behavior introduced by this CL, is changing which |origin| is passed to the WillCreateURLLoaderFactory method when creating a factory for content scripts / isolated worlds: - Before the CL, the isolated world origin would be passed - After the CL, the main world origin is passed This change should be insignificant: - AwContentBrowserClient::WillCreateURLLoaderFactory and ShellContentBrowserClient::WillCreateURLLoaderFactory overrides do not dereference the |request_initiator| parameter. - ChromeContentBrowserClient::WillCreateURLLoaderFactory passes the origin into signin::ProxyingURLLoaderFactory::MaybeProxyRequest and then into gaia::IsGaiaSignonRealm. I believe that it is okay if content script requests are also proxied - if an extension has permission to inject content scripts then it effectively "owns" the origin anyway. Bug: 1025303 Change-Id: I56c224dc67bcc637e77d4c9ffad91b87cb99d83c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1915299 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#722626}
85176244 · Lukasz Anforowicz · Commit Bot · 071092e3 · 85176244 · 85176244
Commit 85176244 authored Dec 06, 2019 by Lukasz Anforowicz Committed by Commit Bot Dec 06, 2019
13 changed files
--- a/content/browser/BUILD.gn
+++ b/content/browser/BUILD.gn
@@ -1797,6 +1797,8 @@ jumbo_source_set("browser") {
    "tracing/tracing_ui.h",
    "url_loader_factory_getter.cc",
    "url_loader_factory_getter.h",
+    "url_loader_factory_params_helper.cc",
+    "url_loader_factory_params_helper.h",
    "utility_process_host.cc",
    "utility_process_host.h",
    "utility_process_host_receiver_bindings.cc",

--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
--- a/content/browser/frame_host/render_frame_host_impl.h
+++ b/content/browser/frame_host/render_frame_host_impl.h
@@ -1636,35 +1636,21 @@ class CONTENT_EXPORT RenderFrameHostImpl
      const mojom::CommonNavigationParams& common_params,
      const mojom::CommitNavigationParams& commit_params);

+  network::mojom::URLLoaderFactoryParamsPtr
+  CreateURLLoaderFactoryParamsForMainWorld(
+      const url::Origin& main_world_origin);
+
  // Creates a Network Service-backed factory from appropriate |NetworkContext|
  // and sets a connection error handler to trigger
  // |OnNetworkServiceConnectionError()| if the factory is out-of-process.  If
  // this returns true, any redirect safety checks should be bypassed in
  // downstream loaders.
-  //
-  // |origin| is the origin that will use the URLLoaderFactory.
-  //
-  // |main_world_origin| is the origin that the RenderFrame is either committing
-  // (in the case of navigation) or has last committed (when handling network
-  // process crashes).  In most cases |main_world_origin| and |origin| should be
-  // the same, but they may differ if |origin| specifies an origin of an
-  // isolated world (e.g. a content script of a Chrome Extension - see also the
-  // doc comment for extensions::URLLoaderFactoryManager::CreateFactory).
-  //
-  // |network_isolation_key| is the NetworkIsolationKey for the URLLoaderFactory
-  // to be initialized with. A nullopt key means the created URLLoaderFactory
-  // should not be initialized with a NetworkIsolationKey, and will be trusted
-  // so it can consume requests with a TrustedParams::network_isolation_key.
  bool CreateNetworkServiceDefaultFactoryAndObserve(
-      const url::Origin& origin,
-      const url::Origin& main_world_origin,
-      base::Optional<net::NetworkIsolationKey> network_isolation_key,
+      network::mojom::URLLoaderFactoryParamsPtr params,
      mojo::PendingReceiver<network::mojom::URLLoaderFactory>
          default_factory_receiver);
  bool CreateNetworkServiceDefaultFactoryInternal(
-      const url::Origin& origin,
-      const url::Origin& main_world_origin,
-      base::Optional<net::NetworkIsolationKey> network_isolation_key,
+      network::mojom::URLLoaderFactoryParamsPtr params,
      mojo::PendingReceiver<network::mojom::URLLoaderFactory>
          default_factory_receiver);


--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -139,6 +139,7 @@
 #include "content/browser/storage_partition_impl.h"
 #include "content/browser/theme_helper.h"
 #include "content/browser/tracing/background_tracing_manager_impl.h"
+#include "content/browser/url_loader_factory_params_helper.h"
 #include "content/browser/v8_snapshot_files.h"
 #include "content/browser/websockets/websocket_connector_impl.h"
 #include "content/browser/webui/web_ui_controller_factory_registry.h"
@@ -2530,120 +2531,17 @@ mojom::Renderer* RenderProcessHostImpl::GetRendererInterface() {
 void RenderProcessHostImpl::CreateURLLoaderFactoryForRendererProcess(
    mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
-
-  base::Optional<url::Origin> request_initiator_site_lock;
-  GURL process_lock =
-      ChildProcessSecurityPolicyImpl::GetInstance()->GetOriginLock(GetID());
-  if (process_lock.is_valid()) {
-    request_initiator_site_lock =
-        SiteInstanceImpl::GetRequestInitiatorSiteLock(process_lock);
-  }
-
-  // Since this function is about to get deprecated (crbug.com/891872), it
-  // should be fine to not add support for network isolation thus sending empty
-  // key.
-  //
-  // We may not be able to allow powerful APIs such as memory measurement APIs
-  // (see https://crbug.com/887967) without removing this call.
-  CreateURLLoaderFactoryInternal(
-      request_initiator_site_lock.value_or(url::Origin()),
-      request_initiator_site_lock,
-      network::mojom::CrossOriginEmbedderPolicy::kNone,
-      nullptr /* preferences */, net::NetworkIsolationKey(),
-      mojo::NullRemote() /* header_client */,
-      base::nullopt /* top_frame_token */, std::move(receiver),
-      false /* is_trusted */, network::mojom::URLLoaderFactoryOverridePtr());
+  CreateURLLoaderFactory(
+      std::move(receiver),
+      URLLoaderFactoryParamsHelper::CreateForRendererProcess(this));
 }

 void RenderProcessHostImpl::CreateURLLoaderFactory(
-    const url::Origin& origin,
-    const url::Origin& main_world_origin,
-    network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-    const WebPreferences* preferences,
-    const net::NetworkIsolationKey& network_isolation_key,
-    mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-        header_client,
-    const base::Optional<base::UnguessableToken>& top_frame_token,
-    mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-    network::mojom::URLLoaderFactoryOverridePtr factory_override) {
-  CreateURLLoaderFactoryInternal(
-      origin, main_world_origin, embedder_policy, preferences,
-      network_isolation_key, std::move(header_client), top_frame_token,
-      std::move(receiver), false /* is_trusted */, std::move(factory_override));
-}
-
-void RenderProcessHostImpl::CreateTrustedURLLoaderFactory(
-    const url::Origin& origin,
-    const url::Origin& main_world_origin,
-    network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-    const WebPreferences* preferences,
-    mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-        header_client,
-    const base::Optional<base::UnguessableToken>& top_frame_token,
    mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-    network::mojom::URLLoaderFactoryOverridePtr factory_override) {
-  CreateURLLoaderFactoryInternal(
-      origin, main_world_origin, embedder_policy, preferences, base::nullopt,
-      std::move(header_client), top_frame_token, std::move(receiver),
-      true /* is_trusted */, std::move(factory_override));
-}
-
-void RenderProcessHostImpl::CreateURLLoaderFactoryInternal(
-    const url::Origin& origin,
-    const base::Optional<url::Origin>& main_world_origin,
-    network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-    const WebPreferences* preferences,
-    const base::Optional<net::NetworkIsolationKey>& network_isolation_key,
-    mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-        header_client,
-    const base::Optional<base::UnguessableToken>& top_frame_token,
-    mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-    bool is_trusted,
-    network::mojom::URLLoaderFactoryOverridePtr factory_override) {
+    network::mojom::URLLoaderFactoryParamsPtr params) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
-
-  // "chrome-guest://..." is never used as a main or isolated world origin.
-  DCHECK(origin.scheme() != kGuestScheme);
-  DCHECK(!main_world_origin.has_value() ||
-         main_world_origin->scheme() != kGuestScheme);
-
-  network::mojom::URLLoaderFactoryParamsPtr params =
-      network::mojom::URLLoaderFactoryParams::New();
-  params->process_id = GetID();
-  params->request_initiator_site_lock = main_world_origin;
-  params->disable_web_security =
-      base::CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kDisableWebSecurity);
-  // If |network_isolation_key| does not have a value, we do not initialize
-  // the URLLoaderFactory with a NetworkIsolationKey.
-  if (network_isolation_key)
-    params->network_isolation_key = network_isolation_key.value();
-
-  params->top_frame_id = top_frame_token;
-  params->is_trusted = is_trusted;
-
-  params->header_client = std::move(header_client);
-  params->cross_origin_embedder_policy = embedder_policy;
-
-  if (params->disable_web_security) {
-    // --disable-web-security also disables Cross-Origin Read Blocking (CORB).
-    params->is_corb_enabled = false;
-  } else if (preferences &&
-             preferences->allow_universal_access_from_file_urls &&
-             main_world_origin.has_value() &&
-             main_world_origin->scheme() == url::kFileScheme) {
-    // allow_universal_access_from_file_urls disables CORB (via
-    // |is_corb_enabled|) and CORS (via |disable_web_security|) for requests
-    // made from a file: |origin|.
-    params->is_corb_enabled = false;
-    params->disable_web_security = true;
-  } else {
-    params->is_corb_enabled = true;
-  }
-  params->factory_override = std::move(factory_override);
-
-  GetContentClient()->browser()->OverrideURLLoaderFactoryParams(this, origin,
-                                                                params.get());
+  DCHECK(params);
+  DCHECK_EQ(GetID(), static_cast<int>(params->process_id));

  storage_partition_impl_->GetNetworkContext()->CreateURLLoaderFactory(
      std::move(receiver), std::move(params));

--- a/content/browser/renderer_host/render_process_host_impl.h
+++ b/content/browser/renderer_host/render_process_host_impl.h
@@ -237,16 +237,8 @@ class CONTENT_EXPORT RenderProcessHostImpl
  void Resume() override;
  mojom::Renderer* GetRendererInterface() override;
  void CreateURLLoaderFactory(
-      const url::Origin& origin,
-      const url::Origin& main_world_origin,
-      network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-      const WebPreferences* preferences,
-      const net::NetworkIsolationKey& network_isolation_key,
-      mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-          header_client,
-      const base::Optional<base::UnguessableToken>& top_frame_token,
      mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-      network::mojom::URLLoaderFactoryOverridePtr factory_override) override;
+      network::mojom::URLLoaderFactoryParamsPtr params) override;

  bool MayReuseHost() override;
  bool IsUnused() override;
@@ -283,19 +275,6 @@ class CONTENT_EXPORT RenderProcessHostImpl
  void OnProcessLaunched() override;
  void OnProcessLaunchFailed(int error_code) override;

-  // Similar to the CreateURLLoaderFactory RenderProcessHost override, but this
-  // creates a trusted URLLoaderFactory with no default NetworkIsolationKey.
-  void CreateTrustedURLLoaderFactory(
-      const url::Origin& origin,
-      const url::Origin& main_world_origin,
-      network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-      const WebPreferences* preferences,
-      mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-          header_client,
-      const base::Optional<base::UnguessableToken>& top_frame_token,
-      mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-      network::mojom::URLLoaderFactoryOverridePtr factory_override);
-
  // Update the total and low priority count as indicated by the previous and
  // new priorities of the underlying document.  The nullopt option is used when
  // there is no previous/subsequent navigation (when the frame is added/removed
@@ -890,26 +869,6 @@ class CONTENT_EXPORT RenderProcessHostImpl
  void CreateURLLoaderFactoryForRendererProcess(
      mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver);

-  // Creates a URLLoaderFactory whose NetworkIsolationKey is set if
-  // |network_isolation_key| has a value, and whose trust is given by
-  // |is_trusted|. Only called by CreateURLLoaderFactory,
-  // CreateTrustedURLLoaderFactory and CreateURLLoaderFactoryForRendererProcess.
-  void CreateURLLoaderFactoryInternal(
-      const url::Origin& origin,
-      // TODO(kinuko, lukasza): https://crbug.com/891872: Make
-      // |main_world_origin| non-optional, once
-      // CreateURLLoaderFactoryForRendererProcess is removed.
-      const base::Optional<url::Origin>& main_world_origin,
-      network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-      const WebPreferences* preferences,
-      const base::Optional<net::NetworkIsolationKey>& network_isolation_key,
-      mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-          header_client,
-      const base::Optional<base::UnguessableToken>& top_frame_token,
-      mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-      bool is_trusted,
-      network::mojom::URLLoaderFactoryOverridePtr factory_override);
-
  // Binds a TracedProcess interface in the renderer process. This is used to
  // communicate with the Tracing service.
  void BindTracedProcess(

--- a/content/browser/service_worker/embedded_worker_instance.cc
+++ b/content/browser/service_worker/embedded_worker_instance.cc
@@ -28,6 +28,7 @@
 #include "content/browser/service_worker/service_worker_context_wrapper.h"
 #include "content/browser/service_worker/service_worker_script_loader_factory.h"
 #include "content/browser/url_loader_factory_getter.h"
+#include "content/browser/url_loader_factory_params_helper.h"
 #include "content/common/content_switches_internal.h"
 #include "content/common/url_schemes.h"
 #include "content/public/browser/browser_task_traits.h"
@@ -1053,9 +1054,8 @@ EmbeddedWorkerInstance::CreateFactoryBundleOnUI(
  mojo::PendingReceiver<network::mojom::URLLoaderFactory>
      default_factory_receiver = factory_bundle->pending_default_factory()
                                     .InitWithNewPipeAndPassReceiver();
-  mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-      default_header_client;
-  network::mojom::URLLoaderFactoryOverridePtr factory_override;
+  network::mojom::URLLoaderFactoryParamsPtr factory_params =
+      URLLoaderFactoryParamsHelper::CreateForWorker(rph, origin);
  bool bypass_redirect_checks = false;

  DCHECK(factory_type ==
@@ -1067,26 +1067,20 @@ EmbeddedWorkerInstance::CreateFactoryBundleOnUI(
  GetContentClient()->browser()->WillCreateURLLoaderFactory(
      rph->GetBrowserContext(), nullptr /* frame_host */, rph->GetID(),
      factory_type, origin, base::nullopt /* navigation_id */,
-      &default_factory_receiver, &default_header_client,
-      &bypass_redirect_checks, &factory_override);
+      &default_factory_receiver, &factory_params->header_client,
+      &bypass_redirect_checks, &factory_params->factory_override);
  devtools_instrumentation::WillCreateURLLoaderFactoryForServiceWorker(
      rph, routing_id, &default_factory_receiver);

  // TODO(yhirano): Support COEP.
  if (GetNetworkFactoryCallbackForTest().is_null()) {
-    rph->CreateURLLoaderFactory(
-        origin, origin, network::mojom::CrossOriginEmbedderPolicy::kNone,
-        nullptr /* preferences */, net::NetworkIsolationKey(origin, origin),
-        std::move(default_header_client), base::nullopt /* top_frame_token */,
-        std::move(default_factory_receiver), std::move(factory_override));
+    rph->CreateURLLoaderFactory(std::move(default_factory_receiver),
+                                std::move(factory_params));
  } else {
    mojo::PendingRemote<network::mojom::URLLoaderFactory> original_factory;
    rph->CreateURLLoaderFactory(
-        origin, origin, network::mojom::CrossOriginEmbedderPolicy::kNone,
-        nullptr /* preferences */, net::NetworkIsolationKey(origin, origin),
-        std::move(default_header_client), base::nullopt /* top_frame_token */,
        original_factory.InitWithNewPipeAndPassReceiver(),
-        std::move(factory_override));
+        std::move(factory_params));
    GetNetworkFactoryCallbackForTest().Run(std::move(default_factory_receiver),
                                           rph->GetID(),
                                           std::move(original_factory));

--- a/content/browser/url_loader_factory_params_helper.cc
+++ b/content/browser/url_loader_factory_params_helper.cc
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/url_loader_factory_params_helper.h"
+
+#include "base/command_line.h"
+#include "base/optional.h"
+#include "content/browser/child_process_security_policy_impl.h"
+#include "content/browser/site_instance_impl.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/browser/render_process_host.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/content_switches.h"
+#include "content/public/common/url_constants.h"
+#include "content/public/common/web_preferences.h"
+#include "services/network/public/mojom/network_context.mojom.h"
+
+namespace content {
+
+namespace {
+
+// Helper used by the public URLLoaderFactoryParamsHelper::Create... methods.
+//
+// |origin| is the origin that will use the URLLoaderFactory.
+// |origin| is typically the same as the origin in
+// network::ResourceRequest::request_initiator, except when
+// |is_for_isolated_world|.  See also the doc comment for
+// extensions::URLLoaderFactoryManager::CreateFactory.
+//
+// TODO(kinuko, lukasza): https://crbug.com/891872: Make
+// |request_initiator_site_lock| non-optional, once
+// CreateURLLoaderFactoryForRendererProcess is removed.
+network::mojom::URLLoaderFactoryParamsPtr CreateParams(
+    RenderProcessHost* process,
+    const url::Origin& origin,
+    const base::Optional<url::Origin>& request_initiator_site_lock,
+    bool is_trusted,
+    const base::Optional<base::UnguessableToken>& top_frame_token,
+    const base::Optional<net::NetworkIsolationKey>& network_isolation_key,
+    network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+    bool allow_universal_access_from_file_urls) {
+  DCHECK(process);
+
+  // "chrome-guest://..." is never used as a main or isolated world origin.
+  DCHECK_NE(kGuestScheme, origin.scheme());
+  DCHECK(!request_initiator_site_lock.has_value() ||
+         request_initiator_site_lock->scheme() != kGuestScheme);
+
+  network::mojom::URLLoaderFactoryParamsPtr params =
+      network::mojom::URLLoaderFactoryParams::New();
+
+  params->process_id = process->GetID();
+  params->request_initiator_site_lock = request_initiator_site_lock;
+
+  params->is_trusted = is_trusted;
+  params->top_frame_id = top_frame_token;
+  params->network_isolation_key = network_isolation_key;
+
+  params->disable_web_security =
+      base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kDisableWebSecurity);
+  params->cross_origin_embedder_policy = cross_origin_embedder_policy;
+
+  if (params->disable_web_security) {
+    // --disable-web-security also disables Cross-Origin Read Blocking (CORB).
+    params->is_corb_enabled = false;
+  } else if (allow_universal_access_from_file_urls &&
+             origin.scheme() == url::kFileScheme) {
+    // allow_universal_access_from_file_urls disables CORB (via
+    // |is_corb_enabled|) and CORS (via |disable_web_security|) for requests
+    // made from a file: |origin|.
+    params->is_corb_enabled = false;
+    params->disable_web_security = true;
+  } else {
+    params->is_corb_enabled = true;
+  }
+
+  GetContentClient()->browser()->OverrideURLLoaderFactoryParams(process, origin,
+                                                                params.get());
+
+  return params;
+}
+
+}  // namespace
+
+// static
+network::mojom::URLLoaderFactoryParamsPtr URLLoaderFactoryParamsHelper::Create(
+    RenderProcessHost* process,
+    const url::Origin& frame_origin,
+    const base::UnguessableToken& top_frame_token,
+    const net::NetworkIsolationKey& network_isolation_key,
+    network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+    const WebPreferences& preferences) {
+  return CreateParams(process,
+                      frame_origin,  // origin
+                      frame_origin,  // request_initiator_site_lock
+                      false,         // is_trusted
+                      top_frame_token, network_isolation_key,
+                      cross_origin_embedder_policy,
+                      preferences.allow_universal_access_from_file_urls);
+}
+
+// static
+network::mojom::URLLoaderFactoryParamsPtr
+URLLoaderFactoryParamsHelper::CreateForIsolatedWorld(
+    RenderProcessHost* process,
+    const url::Origin& isolated_world_origin,
+    const url::Origin& main_world_origin,
+    const base::UnguessableToken& top_frame_token,
+    const net::NetworkIsolationKey& network_isolation_key,
+    network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+    const WebPreferences& preferences) {
+  return CreateParams(process,
+                      isolated_world_origin,  // origin
+                      main_world_origin,      // request_initiator_site_lock
+                      false,                  // is_trusted
+                      top_frame_token, network_isolation_key,
+                      cross_origin_embedder_policy,
+                      preferences.allow_universal_access_from_file_urls);
+}
+
+network::mojom::URLLoaderFactoryParamsPtr
+URLLoaderFactoryParamsHelper::CreateForPrefetch(
+    RenderProcessHost* process,
+    const url::Origin& frame_origin,
+    const base::UnguessableToken& top_frame_token,
+    network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+    const WebPreferences& preferences) {
+  return CreateParams(process,
+                      frame_origin,  // origin
+                      frame_origin,  // request_initiator_site_lock
+                      true,          // is_trusted
+                      top_frame_token,
+                      base::nullopt,  // network_isolation_key
+                      cross_origin_embedder_policy,
+                      preferences.allow_universal_access_from_file_urls);
+}
+
+// static
+network::mojom::URLLoaderFactoryParamsPtr
+URLLoaderFactoryParamsHelper::CreateForWorker(
+    RenderProcessHost* process,
+    const url::Origin& worker_origin) {
+  net::NetworkIsolationKey network_isolation_key(
+      worker_origin,   // top_frame_origin
+      worker_origin);  // frame_origin
+
+  return CreateParams(process,
+                      worker_origin,  // origin
+                      worker_origin,  // request_initiator_site_lock
+                      false,          // is_trusted
+                      base::nullopt,  // top_frame_token
+                      network_isolation_key,
+                      network::mojom::CrossOriginEmbedderPolicy::kNone,
+                      false);  // allow_universal_access_from_file_urls
+}
+
+// static
+network::mojom::URLLoaderFactoryParamsPtr
+URLLoaderFactoryParamsHelper::CreateForRendererProcess(
+    RenderProcessHost* process) {
+  // Attempt to use the process lock as |request_initiator_site_lock|.
+  base::Optional<url::Origin> request_initiator_site_lock;
+  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+  GURL process_lock = policy->GetOriginLock(process->GetID());
+  if (process_lock.is_valid()) {
+    request_initiator_site_lock =
+        SiteInstanceImpl::GetRequestInitiatorSiteLock(process_lock);
+  }
+
+  // Since this function is about to get deprecated (crbug.com/891872), it
+  // should be fine to not add support for network isolation thus sending empty
+  // key.
+  //
+  // We may not be able to allow powerful APIs such as memory measurement APIs
+  // (see https://crbug.com/887967) without removing this call.
+  base::Optional<net::NetworkIsolationKey> network_isolation_key =
+      base::nullopt;
+  base::Optional<base::UnguessableToken> top_frame_token = base::nullopt;
+
+  return CreateParams(
+      process,
+      url::Origin(),                // origin
+      request_initiator_site_lock,  // request_initiator_site_lock
+      false,                        // is_trusted
+      top_frame_token, network_isolation_key,
+      network::mojom::CrossOriginEmbedderPolicy::kNone,
+      false);  // allow_universal_access_from_file_urls
+}
+
+}  // namespace content
--- a/content/browser/url_loader_factory_params_helper.h
+++ b/content/browser/url_loader_factory_params_helper.h
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_BROWSER_URL_LOADER_FACTORY_PARAMS_HELPER_H_
+#define CONTENT_BROWSER_URL_LOADER_FACTORY_PARAMS_HELPER_H_
+
+#include "net/base/network_isolation_key.h"
+#include "services/network/public/mojom/network_context.mojom.h"
+#include "url/origin.h"
+
+namespace content {
+
+class RenderProcessHost;
+struct WebPreferences;
+
+// URLLoaderFactoryParamsHelper encapsulates details of how to create
+// network::mojom::URLLoaderFactoryParams (taking //content-focused parameters,
+// calling into ContentBrowserClient's OverrideURLLoaderFactoryParams method,
+// etc.)
+class URLLoaderFactoryParamsHelper {
+ public:
+  static network::mojom::URLLoaderFactoryParamsPtr Create(
+      RenderProcessHost* process,
+      const url::Origin& frame_origin,
+      const base::UnguessableToken& top_frame_token,
+      const net::NetworkIsolationKey& network_isolation_key,
+      network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+      const WebPreferences& preferences);
+
+  static network::mojom::URLLoaderFactoryParamsPtr CreateForIsolatedWorld(
+      RenderProcessHost* process,
+      const url::Origin& isolated_world_origin,
+      const url::Origin& main_world_origin,
+      const base::UnguessableToken& top_frame_token,
+      const net::NetworkIsolationKey& network_isolation_key,
+      network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+      const WebPreferences& preferences);
+
+  static network::mojom::URLLoaderFactoryParamsPtr CreateForPrefetch(
+      RenderProcessHost* process,
+      const url::Origin& frame_origin,
+      const base::UnguessableToken& top_frame_token,
+      network::mojom::CrossOriginEmbedderPolicy cross_origin_embedder_policy,
+      const WebPreferences& preferences);
+
+  static network::mojom::URLLoaderFactoryParamsPtr CreateForWorker(
+      RenderProcessHost* process,
+      const url::Origin& worker_origin);
+
+  // TODO(kinuko, lukasza): https://crbug.com/891872: Remove, once all
+  // URLLoaderFactories are associated with a specific execution context (e.g. a
+  // frame, a service worker or any other kind of worker).
+  static network::mojom::URLLoaderFactoryParamsPtr CreateForRendererProcess(
+      RenderProcessHost* process);
+
+ private:
+  // Only static methods.
+  URLLoaderFactoryParamsHelper() = delete;
+};
+
+}  // namespace content
+
+#endif  // CONTENT_BROWSER_URL_LOADER_FACTORY_PARAMS_HELPER_H_
--- a/content/browser/worker_host/dedicated_worker_host.cc
+++ b/content/browser/worker_host/dedicated_worker_host.cc
@@ -17,11 +17,13 @@
 #include "content/browser/service_worker/service_worker_navigation_handle.h"
 #include "content/browser/service_worker/service_worker_object_host.h"
 #include "content/browser/storage_partition_impl.h"
+#include "content/browser/url_loader_factory_params_helper.h"
 #include "content/browser/websockets/websocket_connector_impl.h"
 #include "content/browser/webtransport/quic_transport_connector_impl.h"
 #include "content/browser/worker_host/worker_script_fetch_initiator.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/render_view_host.h"
 #include "content/public/browser/service_worker_context.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/network_service_util.h"
@@ -285,34 +287,32 @@ DedicatedWorkerHost::CreateNetworkFactoryForSubresources(
  DCHECK(ancestor_render_frame_host);
  DCHECK(bypass_redirect_checks);

-  auto* storage_partition_impl = static_cast<StoragePartitionImpl*>(
-      worker_process_host->GetStoragePartition());
-
  mojo::PendingRemote<network::mojom::URLLoaderFactory> pending_default_factory;
  mojo::PendingReceiver<network::mojom::URLLoaderFactory>
      default_factory_receiver =
          pending_default_factory.InitWithNewPipeAndPassReceiver();

-  mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-      default_header_client;
-  network::mojom::URLLoaderFactoryOverridePtr factory_override;
+  network::mojom::URLLoaderFactoryParamsPtr factory_params =
+      URLLoaderFactoryParamsHelper::Create(
+          worker_process_host, origin_,
+          ancestor_render_frame_host->GetTopFrameToken(),
+          network_isolation_key_,
+          ancestor_render_frame_host->cross_origin_embedder_policy(),
+          ancestor_render_frame_host->GetRenderViewHost()
+              ->GetWebkitPreferences());
  GetContentClient()->browser()->WillCreateURLLoaderFactory(
-      storage_partition_impl->browser_context(),
+      worker_process_host->GetBrowserContext(),
      /*frame=*/nullptr, worker_process_id_,
      ContentBrowserClient::URLLoaderFactoryType::kWorkerSubResource, origin_,
      /*navigation_id=*/base::nullopt, &default_factory_receiver,
-      &default_header_client, bypass_redirect_checks, &factory_override);
+      &factory_params->header_client, bypass_redirect_checks,
+      &factory_params->factory_override);

  // TODO(nhiroki): Call devtools_instrumentation::WillCreateURLLoaderFactory()
  // here.

  worker_process_host->CreateURLLoaderFactory(
-      origin_, origin_,
-      ancestor_render_frame_host->cross_origin_embedder_policy(),
-      /*preferences=*/nullptr, network_isolation_key_,
-      std::move(default_header_client),
-      ancestor_render_frame_host->GetTopFrameToken(),
-      std::move(default_factory_receiver), std::move(factory_override));
+      std::move(default_factory_receiver), std::move(factory_params));

  return pending_default_factory;
 }

--- a/content/browser/worker_host/shared_worker_host.cc
+++ b/content/browser/worker_host/shared_worker_host.cc
@@ -18,6 +18,7 @@
 #include "content/browser/service_worker/service_worker_navigation_handle.h"
 #include "content/browser/service_worker/service_worker_object_host.h"
 #include "content/browser/storage_partition_impl.h"
+#include "content/browser/url_loader_factory_params_helper.h"
 #include "content/browser/webtransport/quic_transport_connector_impl.h"
 #include "content/browser/worker_host/shared_worker_content_settings_proxy_impl.h"
 #include "content/browser/worker_host/shared_worker_service_impl.h"
@@ -260,24 +261,23 @@ SharedWorkerHost::CreateNetworkFactoryForSubresources(
  DCHECK(bypass_redirect_checks);

  auto* worker_process_host = RenderProcessHost::FromID(worker_process_id_);
-  auto* storage_partition_impl = static_cast<StoragePartitionImpl*>(
-      worker_process_host->GetStoragePartition());
-  url::Origin origin = instance_.constructor_origin();

  mojo::PendingRemote<network::mojom::URLLoaderFactory> pending_default_factory;
  mojo::PendingReceiver<network::mojom::URLLoaderFactory>
      default_factory_receiver =
          pending_default_factory.InitWithNewPipeAndPassReceiver();

-  mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-      default_header_client;
-  network::mojom::URLLoaderFactoryOverridePtr factory_override;
+  const url::Origin& origin = instance_.constructor_origin();
+  network::mojom::URLLoaderFactoryParamsPtr factory_params =
+      URLLoaderFactoryParamsHelper::CreateForWorker(worker_process_host,
+                                                    origin);
  GetContentClient()->browser()->WillCreateURLLoaderFactory(
-      storage_partition_impl->browser_context(),
+      worker_process_host->GetBrowserContext(),
      /*frame=*/nullptr, worker_process_id_,
      ContentBrowserClient::URLLoaderFactoryType::kWorkerSubResource, origin,
      /*navigation_id=*/base::nullopt, &default_factory_receiver,
-      &default_header_client, bypass_redirect_checks, &factory_override);
+      &factory_params->header_client, bypass_redirect_checks,
+      &factory_params->factory_override);

  // TODO(nhiroki): Call devtools_instrumentation::WillCreateURLLoaderFactory()
  // here.
@@ -285,18 +285,12 @@ SharedWorkerHost::CreateNetworkFactoryForSubresources(
  // TODO(yhirano): Support COEP.
  if (GetCreateNetworkFactoryCallbackForSharedWorker().is_null()) {
    worker_process_host->CreateURLLoaderFactory(
-        origin, origin, network::mojom::CrossOriginEmbedderPolicy::kNone,
-        nullptr /* preferences */, net::NetworkIsolationKey(origin, origin),
-        std::move(default_header_client), base::nullopt /* top_frame_token */,
-        std::move(default_factory_receiver), std::move(factory_override));
+        std::move(default_factory_receiver), std::move(factory_params));
  } else {
    mojo::PendingRemote<network::mojom::URLLoaderFactory> original_factory;
    worker_process_host->CreateURLLoaderFactory(
-        origin, origin, network::mojom::CrossOriginEmbedderPolicy::kNone,
-        nullptr /* preferences */, net::NetworkIsolationKey(origin, origin),
-        std::move(default_header_client), base::nullopt /* top_frame_token */,
        original_factory.InitWithNewPipeAndPassReceiver(),
-        std::move(factory_override));
+        std::move(factory_params));
    GetCreateNetworkFactoryCallbackForSharedWorker().Run(
        std::move(default_factory_receiver), worker_process_id_,
        std::move(original_factory));

--- a/content/public/browser/render_process_host.h
+++ b/content/public/browser/render_process_host.h
@@ -66,7 +66,6 @@ class BrowserMessageFilter;
 class IsolationContext;
 class RenderProcessHostObserver;
 class StoragePartition;
-struct WebPreferences;
 #if defined(OS_ANDROID)
 enum class ChildProcessImportance;
 #endif
@@ -419,56 +418,15 @@ class CONTENT_EXPORT RenderProcessHost : public IPC::Sender,
  // MockRenderProcessHost usage in tests.
  virtual mojom::Renderer* GetRendererInterface() = 0;

-  // Create an URLLoaderFactory that can be used by |origin| being hosted in
-  // |this| process.
+  // Create an URLLoaderFactory from |this| renderer process.
  //
-  // |main_world_origin| specifies the origin of the main world that will use
-  // the URLLoaderFactory.  In most cases |main_world_origin| and |origin|
-  // should be the same, but they may differ if |origin| specifies an origin of
-  // an isolated world (e.g. a content script of a Chrome Extension - see also
-  // the doc comment for extensions::URLLoaderFactoryManager::CreateFactory).
-  // TODO(lukasza): Remove |main_world_origin| once there is no need for
-  // a separate URLLoaderFactory for allowlisted extensions (in all other cases
-  // |main_world_origin| should be the same as |origin|).  At the same time,
-  // consider renaming |origin| to |request_initiator|.
-  //
-  // When NetworkService is enabled, |receiver| will be bound with a new
-  // URLLoaderFactory created from the storage partition's Network Context. Note
-  // that the URLLoaderFactory returned by this method does NOT support
-  // auto-reconnect after a crash of Network Service.
-  // When NetworkService is not enabled, |receiver| will be bound with a
-  // URLLoaderFactory which routes requests to ResourceDispatcherHost.
-  //
-  // |preferences| is an optional argument that might be used to control some
-  // aspects of the URLLoaderFactory (e.g. via
-  // allow_universal_access_from_file_urls).
-  //
-  // |header_client| will be used in URLLoaderFactoryParams when creating the
-  // factory.
-  //
-  // |network_isolation_key| will be used in URLLoaderFactoryParams when
-  // creating the factory. All resource requests through this factory will
-  // propagate the key to the network stack so that resources with different
-  // keys do not share network resources like the http cache.
-  //
-  // |top_frame_token| is a token for the top level frame, and used for resource
-  // accounting for keepalive requests.
-  //
-  // |factory_override|, when non-null, replaces the lower level network
-  // URLLoaderFactory used by security features (e.g., CORS) in the network
-  // service.
-
+  // This method will bind |receiver| with a new URLLoaderFactory created from
+  // the storage partition's Network Context. Note that the URLLoaderFactory
+  // returned by this method does NOT support auto-reconnect after a crash of
+  // Network Service.
  virtual void CreateURLLoaderFactory(
-      const url::Origin& origin,
-      const url::Origin& main_world_origin,
-      network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-      const WebPreferences* preferences,
-      const net::NetworkIsolationKey& network_isolation_key,
-      mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-          header_client,
-      const base::Optional<base::UnguessableToken>& top_frame_token,
      mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-      network::mojom::URLLoaderFactoryOverridePtr factory_override) = 0;
+      network::mojom::URLLoaderFactoryParamsPtr params) = 0;

  // Whether this process is locked out from ever being reused for sites other
  // than the ones it currently has.

--- a/content/public/test/mock_render_process_host.cc
+++ b/content/public/test/mock_render_process_host.cc
@@ -403,16 +403,8 @@ mojom::Renderer* MockRenderProcessHost::GetRendererInterface() {
 }

 void MockRenderProcessHost::CreateURLLoaderFactory(
-    const url::Origin& origin,
-    const url::Origin& main_world_origin,
-    network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-    const WebPreferences* preferences,
-    const net::NetworkIsolationKey& network_isolation_key,
-    mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-        header_client,
-    const base::Optional<base::UnguessableToken>& top_frame_token,
    mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-    network::mojom::URLLoaderFactoryOverridePtr factory_override) {
+    network::mojom::URLLoaderFactoryParamsPtr params) {
  if (GetNetworkFactoryCallback().is_null()) {
    url_loader_factory_->Clone(std::move(receiver));
    return;

--- a/content/public/test/mock_render_process_host.h
+++ b/content/public/test/mock_render_process_host.h
@@ -154,16 +154,8 @@ class MockRenderProcessHost : public RenderProcessHost {
  void Resume() override;
  mojom::Renderer* GetRendererInterface() override;
  void CreateURLLoaderFactory(
-      const url::Origin& origin,
-      const url::Origin& main_world_origin,
-      network::mojom::CrossOriginEmbedderPolicy embedder_policy,
-      const WebPreferences* preferences,
-      const net::NetworkIsolationKey& network_isolation_key,
-      mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>
-          header_client,
-      const base::Optional<base::UnguessableToken>& top_frame_token,
      mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
-      network::mojom::URLLoaderFactoryOverridePtr factory_override) override;
+      network::mojom::URLLoaderFactoryParamsPtr params) override;

  bool MayReuseHost() override;
  bool IsUnused() override;