Add disable_secure_dns field to ResourceRequest::TrustedParams.

This is a precursor to a follow-up change that will allow captive portal probes to bypass DoH. Bug: 10161646 Change-Id: I302111db7a1f3f9de7d5fc164775eea57b561547 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1870491Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Katharine Daly <dalyk@google.com> Cr-Commit-Position: refs/heads/master@{#710804}

Add disable_secure_dns field to ResourceRequest::TrustedParams.
This is a precursor to a follow-up change that will allow captive portal probes to bypass DoH. Bug: 10161646 Change-Id: I302111db7a1f3f9de7d5fc164775eea57b561547 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1870491Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Katharine Daly <dalyk@google.com> Cr-Commit-Position: refs/heads/master@{#710804}
879e2cc1 · dalyk · Commit Bot · 56d69d3b · 879e2cc1 · 879e2cc1
Commit 879e2cc1 authored Oct 30, 2019 by dalyk Committed by Commit Bot Oct 30, 2019
8 changed files
--- a/services/network/network_context_unittest.cc
+++ b/services/network/network_context_unittest.cc
@@ -3835,6 +3835,57 @@ TEST_F(NetworkContextTest, TrustedParams) {
  }
 }
+// Test that the disable_secure_dns trusted param is passed through to the
+// host resolver.
+TEST_F(NetworkContextTest, TrustedParams_DisableSecureDns) {
+  std::unique_ptr<net::MockHostResolver> resolver =
+      std::make_unique<net::MockHostResolver>();
+  std::unique_ptr<net::TestURLRequestContext> url_request_context =
+      std::make_unique<net::TestURLRequestContext>(
+          true /* delay_initialization */);
+  url_request_context->set_host_resolver(resolver.get());
+  url_request_context->Init();
+  network_context_remote_.reset();
+  std::unique_ptr<NetworkContext> network_context =
+      std::make_unique<NetworkContext>(
+          network_service_.get(),
+          network_context_remote_.BindNewPipeAndPassReceiver(),
+          url_request_context.get(),
+          /*cors_exempt_header_list=*/std::vector<std::string>());
+  mojo::Remote<mojom::URLLoaderFactory> loader_factory;
+  mojom::URLLoaderFactoryParamsPtr params =
+      mojom::URLLoaderFactoryParams::New();
+  params->process_id = mojom::kBrowserProcessId;
+  params->is_corb_enabled = false;
+  params->is_trusted = true;
+  network_context->CreateURLLoaderFactory(
+      loader_factory.BindNewPipeAndPassReceiver(), std::move(params));
+  for (bool disable_secure_dns : {false, true}) {
+    ResourceRequest request;
+    request.url = GURL("http://example.test");
+    request.load_flags = net::LOAD_BYPASS_CACHE;
+    request.trusted_params = ResourceRequest::TrustedParams();
+    request.trusted_params->disable_secure_dns = disable_secure_dns;
+    mojom::URLLoaderPtr loader;
+    TestURLLoaderClient client;
+    loader_factory->CreateLoaderAndStart(
+        mojo::MakeRequest(&loader), 0 /* routing_id */, 0 /* request_id */,
+        0 /* options */, request, client.CreateInterfacePtr(),
+        net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS));
+    client.RunUntilComplete();
+    EXPECT_EQ(disable_secure_dns,
+              resolver->last_secure_dns_mode_override().has_value());
+    if (disable_secure_dns) {
+      EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
+                resolver->last_secure_dns_mode_override().value());
+    }
+  }
+}
 #if BUILDFLAG(IS_CT_SUPPORTED)
 TEST_F(NetworkContextTest, ExpectCT) {
  std::unique_ptr<NetworkContext> network_context =

--- a/services/network/public/cpp/resource_request.cc
+++ b/services/network/public/cpp/resource_request.cc
@@ -15,7 +15,8 @@ bool ResourceRequest::TrustedParams::operator==(
    const TrustedParams& other) const {
  return network_isolation_key == other.network_isolation_key &&
         update_network_isolation_key_on_redirect ==
-             other.update_network_isolation_key_on_redirect;
+             other.update_network_isolation_key_on_redirect &&
+         disable_secure_dns == other.disable_secure_dns;
 }
 ResourceRequest::ResourceRequest() {}

--- a/services/network/public/cpp/resource_request.h
+++ b/services/network/public/cpp/resource_request.h
@@ -44,6 +44,7 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE) ResourceRequest {
    mojom::UpdateNetworkIsolationKeyOnRedirect
        update_network_isolation_key_on_redirect =
            network::mojom::UpdateNetworkIsolationKeyOnRedirect::kDoNotUpdate;
+    bool disable_secure_dns = false;
  };
  ResourceRequest();

--- a/services/network/public/cpp/url_request_mojom_traits.cc
+++ b/services/network/public/cpp/url_request_mojom_traits.cc
@@ -158,6 +158,7 @@ bool StructTraits<network::mojom::TrustedUrlRequestParamsDataView,
    return false;
  out->update_network_isolation_key_on_redirect =
      data.update_network_isolation_key_on_redirect();
+  out->disable_secure_dns = data.disable_secure_dns();
  return true;
 }

--- a/services/network/public/cpp/url_request_mojom_traits.h
+++ b/services/network/public/cpp/url_request_mojom_traits.h
@@ -58,6 +58,10 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE)
      const network::ResourceRequest::TrustedParams& trusted_params) {
    return trusted_params.update_network_isolation_key_on_redirect;
  }
+  static bool disable_secure_dns(
+      const network::ResourceRequest::TrustedParams& trusted_params) {
+    return trusted_params.disable_secure_dns;
+  }
  static bool Read(network::mojom::TrustedUrlRequestParamsDataView data,
                   network::ResourceRequest::TrustedParams* out);

--- a/services/network/public/cpp/url_request_mojom_traits_unittest.cc
+++ b/services/network/public/cpp/url_request_mojom_traits_unittest.cc
@@ -95,6 +95,7 @@ TEST(URLRequestMojomTraitsTest, Roundtrips_ResourceRequest) {
      net::NetworkIsolationKey(origin, origin);
  original.trusted_params->update_network_isolation_key_on_redirect = network::
      mojom::UpdateNetworkIsolationKeyOnRedirect::kUpdateTopFrameAndFrameOrigin;
+  original.trusted_params->disable_secure_dns = true;
  network::ResourceRequest copied;
  EXPECT_TRUE(mojo::test::SerializeAndDeserialize<mojom::URLRequest>(&original,

--- a/services/network/public/mojom/url_loader.mojom
+++ b/services/network/public/mojom/url_loader.mojom
@@ -94,6 +94,9 @@ struct TrustedUrlRequestParams {
  // Whether or not the network isolation key needs to be recomputed on
  // redirects. Typically this is only done for navigations.
  UpdateNetworkIsolationKeyOnRedirect update_network_isolation_key_on_redirect;
+  // Whether secure DNS should be disabled for the request.
+  bool disable_secure_dns;
 };
 // Typemapped to network::ResourceRequest.

--- a/services/network/url_loader.cc
+++ b/services/network/url_loader.cc
@@ -415,6 +415,11 @@ URLLoader::URLLoader(
        request.trusted_params->network_isolation_key);
  }
+  if (request.trusted_params) {
+    url_request_->SetDisableSecureDns(
+        request.trusted_params->disable_secure_dns);
+  }
  // |cors_excempt_headers| must be merged here to avoid breaking CORS checks.
  // They are non-empty when the values are given by the UA code, therefore
  // they should be ignored by CORS checks.