[Lookalikes] Fail-safe on no allowlist available yet.

Before this CL, the lookalike interstitial would still block if the
allowlist proto was not yet available, such as immediately following
browser start.

That's bad. This CL changes the behavior to match that of Safety Tips,
and fails-open when the proto isn't yet available.

Fixed: 1129548
Change-Id: I45ee8876223158011f740863639c4f3abcc2a29c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416403
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#808130}

chrome/browser/lookalikes/lookalike_url_navigation_throttle.cc

@@ -138,14 +138,20 @@ ThrottleCheckResult LookalikeUrlNavigationThrottle::HandleThrottleRequest(
     return content::NavigationThrottle::PROCEED;
   }
 
-  // If the URL is in the component updater allowlist, don't show any warning.
+  // Fetch the component allowlist.
   const auto* proto = GetSafetyTipsRemoteConfigProto();
-  if (proto &&
-      IsUrlAllowlistedBySafetyTipsComponent(proto, url.GetWithEmptyPath())) {
+
+  // When there's no proto (like at browser start), fail-safe and don't block.
+  if (!proto) {
+    return content::NavigationThrottle::PROCEED;
+  }
+
+  // If the URL is in the component allowlist, don't show any warning.
+  if (IsUrlAllowlistedBySafetyTipsComponent(proto, url.GetWithEmptyPath())) {
     return content::NavigationThrottle::PROCEED;
   }
 
-  // If the URL is in the allowlist, don't show any warning.
+  // If the URL is in the local temporary allowlist, don't show any warning.
   if (tab_storage->IsDomainAllowed(url.host())) {
     return content::NavigationThrottle::PROCEED;
   }

chrome/browser/lookalikes/lookalike_url_navigation_throttle_browsertest.cc

@@ -19,6 +19,7 @@
 #include "chrome/browser/lookalikes/lookalike_url_service.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/reputation/safety_tip_test_utils.h"
+#include "chrome/browser/reputation/safety_tips_config.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_commands.h"
 #include "chrome/common/chrome_features.h"
@@ -212,6 +213,7 @@ class LookalikeUrlNavigationThrottleBrowserTest
     }
     feature_list_.InitWithFeaturesAndParameters(enabled_features,
                                                 disabled_features);
+    InitializeSafetyTipConfig();
     InProcessBrowserTest::SetUp();
   }
 
@@ -450,6 +452,20 @@ IN_PROC_BROWSER_TEST_P(LookalikeUrlNavigationThrottleBrowserTest,
            LookalikeUrlMatchType::kSkeletonMatchTop500);
 }
 
+// Navigate to a domain that would trigger the warning, but doesn't because it
+// fails-safe when the allowlist isn't available.
+IN_PROC_BROWSER_TEST_P(LookalikeUrlNavigationThrottleBrowserTest,
+                       NoMatchOnAllowlistMissing) {
+  const GURL kNavigatedUrl = GetURL("googlé.com");
+
+  // Clear out any existing proto.
+  SetSafetyTipsRemoteConfigProto(nullptr);
+
+  SetEngagementScore(browser(), kNavigatedUrl, kLowEngagement);
+  TestInterstitialNotShown(browser(), kNavigatedUrl);
+  CheckNoUkm();
+}
+
 // Embedding a top domain should show an interstitial when enabled. If disabled
 // this would trigger safety tips when target embedding feature parameter is
 // enabled for safety tips.

chrome/browser/lookalikes/lookalike_url_navigation_throttle_unittest.cc

@@ -6,6 +6,7 @@
 
 #include "base/test/metrics/histogram_tester.h"
 #include "base/test/scoped_feature_list.h"
+#include "chrome/browser/reputation/safety_tip_test_utils.h"
 #include "chrome/test/base/chrome_render_view_host_test_harness.h"
 #include "components/lookalikes/core/features.h"
 #include "components/url_formatter/spoof_checks/idn_spoof_checker.h"
@@ -89,6 +90,8 @@ class LookalikeThrottleTest : public ChromeRenderViewHostTestHarness {};
 TEST_F(LookalikeThrottleTest, SpoofsBlocked) {
   base::HistogramTester test;
 
+  InitializeSafetyTipConfig();
+
   const struct TestCase {
     const char* hostname;
     bool expected_blocked;