Disable various reports and uploads during Isolated Prerender

Domain Reliability Uploads, Web Reports, Certificate Reporting, etc all
pose a risk of being a privacy leak in the context of an isolated
prerender.
They are all explicitly disabled.

Note: All of these are disabled by default so this CL doesn't change
any behavior, but it does make the impl much more future-proof.

Bug: 1096109
Change-Id: I3a4b8f30994ad00de79bdec18482e959f31a1c95
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2248757Reviewed-by: Tarun Bansal <tbansal@chromium.org>
Commit-Queue: Robert Ogden <robertogden@chromium.org>
Cr-Commit-Position: refs/heads/master@{#781438}

chrome/browser/BUILD.gn

@@ -1244,6 +1244,8 @@ static_library("browser") {
     "prerender/isolated/isolated_prerender_features.h",
     "prerender/isolated/isolated_prerender_from_string_url_loader.cc",
     "prerender/isolated/isolated_prerender_from_string_url_loader.h",
+    "prerender/isolated/isolated_prerender_network_context_client.cc",
+    "prerender/isolated/isolated_prerender_network_context_client.h",
     "prerender/isolated/isolated_prerender_params.cc",
     "prerender/isolated/isolated_prerender_params.h",
     "prerender/isolated/isolated_prerender_proxy_configurator.cc",

chrome/browser/prerender/isolated/isolated_prerender_network_context_client.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/prerender/isolated/isolated_prerender_network_context_client.h"
+
+#include <memory>
+
+#include "mojo/public/cpp/bindings/remote.h"
+
+IsolatedPrerenderNetworkContextClient::IsolatedPrerenderNetworkContextClient() =
+    default;
+IsolatedPrerenderNetworkContextClient::
+    ~IsolatedPrerenderNetworkContextClient() = default;
+
+void IsolatedPrerenderNetworkContextClient::OnAuthRequired(
+    const base::Optional<base::UnguessableToken>& window_id,
+    int32_t process_id,
+    int32_t routing_id,
+    uint32_t request_id,
+    const GURL& url,
+    bool first_auth_attempt,
+    const net::AuthChallengeInfo& auth_info,
+    network::mojom::URLResponseHeadPtr head,
+    mojo::PendingRemote<network::mojom::AuthChallengeResponder>
+        auth_challenge_responder) {
+  mojo::Remote<network::mojom::AuthChallengeResponder>
+      auth_challenge_responder_remote(std::move(auth_challenge_responder));
+  auth_challenge_responder_remote->OnAuthCredentials(base::nullopt);
+}
+
+void IsolatedPrerenderNetworkContextClient::OnCertificateRequested(
+    const base::Optional<base::UnguessableToken>& window_id,
+    int32_t process_id,
+    int32_t routing_id,
+    uint32_t request_id,
+    const scoped_refptr<net::SSLCertRequestInfo>& cert_info,
+    mojo::PendingRemote<network::mojom::ClientCertificateResponder>
+        cert_responder_remote) {
+  mojo::Remote<network::mojom::ClientCertificateResponder> cert_responder(
+      std::move(cert_responder_remote));
+  cert_responder->CancelRequest();
+}
+
+void IsolatedPrerenderNetworkContextClient::OnSSLCertificateError(
+    int32_t process_id,
+    int32_t routing_id,
+    const GURL& url,
+    int net_error,
+    const net::SSLInfo& ssl_info,
+    bool fatal,
+    OnSSLCertificateErrorCallback response) {
+  std::move(response).Run(net::ERR_ABORTED);
+}
+
+void IsolatedPrerenderNetworkContextClient::OnFileUploadRequested(
+    int32_t process_id,
+    bool async,
+    const std::vector<base::FilePath>& file_paths,
+    OnFileUploadRequestedCallback callback) {
+  std::move(callback).Run(net::ERR_ACCESS_DENIED, std::vector<base::File>());
+}
+
+void IsolatedPrerenderNetworkContextClient::OnCanSendReportingReports(
+    const std::vector<url::Origin>& origins,
+    OnCanSendReportingReportsCallback callback) {
+  std::move(callback).Run(std::vector<url::Origin>());
+}
+
+void IsolatedPrerenderNetworkContextClient::OnCanSendDomainReliabilityUpload(
+    const GURL& origin,
+    OnCanSendDomainReliabilityUploadCallback callback) {
+  std::move(callback).Run(false);
+}
+
+void IsolatedPrerenderNetworkContextClient::OnClearSiteData(
+    int32_t process_id,
+    int32_t routing_id,
+    const GURL& url,
+    const std::string& header_value,
+    int load_flags,
+    OnClearSiteDataCallback callback) {
+  std::move(callback).Run();
+}
+
+#if defined(OS_ANDROID)
+void IsolatedPrerenderNetworkContextClient::OnGenerateHttpNegotiateAuthToken(
+    const std::string& server_auth_token,
+    bool can_delegate,
+    const std::string& auth_negotiate_android_account_type,
+    const std::string& spn,
+    OnGenerateHttpNegotiateAuthTokenCallback callback) {
+  std::move(callback).Run(net::ERR_FAILED, server_auth_token);
+}
+#endif
+
+#if defined(OS_CHROMEOS)
+void IsolatedPrerenderNetworkContextClient::OnTrustAnchorUsed() {}
+#endif

chrome/browser/prerender/isolated/isolated_prerender_network_context_client.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_PRERENDER_ISOLATED_ISOLATED_PRERENDER_NETWORK_CONTEXT_CLIENT_H_
+#define CHROME_BROWSER_PRERENDER_ISOLATED_ISOLATED_PRERENDER_NETWORK_CONTEXT_CLIENT_H_
+
+#include "build/build_config.h"
+#include "mojo/public/cpp/bindings/pending_remote.h"
+#include "services/network/public/mojom/network_context.mojom.h"
+
+// This is a NetworkContextClient that purposely does nothing so that no extra
+// network traffic can occur during an Isolated Prerender, potentially causing a
+// privacy leak to the user.
+class IsolatedPrerenderNetworkContextClient
+    : public network::mojom::NetworkContextClient {
+ public:
+  IsolatedPrerenderNetworkContextClient();
+  ~IsolatedPrerenderNetworkContextClient() override;
+
+  // network::mojom::NetworkContextClient implementation:
+  void OnAuthRequired(
+      const base::Optional<base::UnguessableToken>& window_id,
+      int32_t process_id,
+      int32_t routing_id,
+      uint32_t request_id,
+      const GURL& url,
+      bool first_auth_attempt,
+      const net::AuthChallengeInfo& auth_info,
+      network::mojom::URLResponseHeadPtr head,
+      mojo::PendingRemote<network::mojom::AuthChallengeResponder>
+          auth_challenge_responder) override;
+  void OnCertificateRequested(
+      const base::Optional<base::UnguessableToken>& window_id,
+      int32_t process_id,
+      int32_t routing_id,
+      uint32_t request_id,
+      const scoped_refptr<net::SSLCertRequestInfo>& cert_info,
+      mojo::PendingRemote<network::mojom::ClientCertificateResponder>
+          cert_responder) override;
+  void OnSSLCertificateError(int32_t process_id,
+                             int32_t routing_id,
+                             const GURL& url,
+                             int net_error,
+                             const net::SSLInfo& ssl_info,
+                             bool fatal,
+                             OnSSLCertificateErrorCallback response) override;
+  void OnFileUploadRequested(int32_t process_id,
+                             bool async,
+                             const std::vector<base::FilePath>& file_paths,
+                             OnFileUploadRequestedCallback callback) override;
+  void OnCanSendReportingReports(
+      const std::vector<url::Origin>& origins,
+      OnCanSendReportingReportsCallback callback) override;
+  void OnCanSendDomainReliabilityUpload(
+      const GURL& origin,
+      OnCanSendDomainReliabilityUploadCallback callback) override;
+  void OnClearSiteData(int32_t process_id,
+                       int32_t routing_id,
+                       const GURL& url,
+                       const std::string& header_value,
+                       int load_flags,
+                       OnClearSiteDataCallback callback) override;
+#if defined(OS_ANDROID)
+  void OnGenerateHttpNegotiateAuthToken(
+      const std::string& server_auth_token,
+      bool can_delegate,
+      const std::string& auth_negotiate_android_account_type,
+      const std::string& spn,
+      OnGenerateHttpNegotiateAuthTokenCallback callback) override;
+#endif
+#if defined(OS_CHROMEOS)
+  void OnTrustAnchorUsed() override;
+#endif
+};
+
+#endif  // CHROME_BROWSER_PRERENDER_ISOLATED_ISOLATED_PRERENDER_NETWORK_CONTEXT_CLIENT_H_

chrome/browser/prerender/isolated/isolated_prerender_tab_helper.cc

@@ -17,6 +17,7 @@
 #include "chrome/browser/navigation_predictor/navigation_predictor_keyed_service_factory.h"
 #include "chrome/browser/net/prediction_options.h"
 #include "chrome/browser/prerender/isolated/isolated_prerender_features.h"
+#include "chrome/browser/prerender/isolated/isolated_prerender_network_context_client.h"
 #include "chrome/browser/prerender/isolated/isolated_prerender_params.h"
 #include "chrome/browser/prerender/isolated/isolated_prerender_proxy_configurator.h"
 #include "chrome/browser/prerender/isolated/isolated_prerender_service.h"
@@ -39,6 +40,7 @@
 #include "content/public/browser/storage_partition.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/content_constants.h"
+#include "mojo/public/cpp/bindings/self_owned_receiver.h"
 #include "net/base/isolation_info.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
@@ -508,6 +510,11 @@ void IsolatedPrerenderTabHelper::OnPrefetchComplete(
 
   if (page_->url_loader_->NetError() != net::OK) {
     OnPrefetchStatusUpdate(url, PrefetchStatus::kPrefetchFailedNetError);
+
+    for (auto& observer : observer_list_) {
+      observer.OnPrefetchCompletedWithError(url,
+                                            page_->url_loader_->NetError());
+    }
   }
 
   if (page_->url_loader_->NetError() == net::OK && body &&
@@ -926,10 +933,24 @@ void IsolatedPrerenderTabHelper::CreateIsolatedURLLoaderFactory() {
   isolated_prerender_service->proxy_configurator()->AddCustomProxyConfigClient(
       std::move(config_client));
 
+  // Explicitly disallow network service features which could cause a privacy
+  // leak.
+  context_params->enable_certificate_reporting = false;
+  context_params->enable_expect_ct_reporting = false;
+  context_params->enable_domain_reliability = false;
+
   content::GetNetworkService()->CreateNetworkContext(
       page_->isolated_network_context_.BindNewPipeAndPassReceiver(),
       std::move(context_params));
 
+  // Configure a context client to ensure Web Reports and other privacy leak
+  // surfaces won't be enabled.
+  mojo::PendingRemote<network::mojom::NetworkContextClient> client_remote;
+  mojo::MakeSelfOwnedReceiver(
+      std::make_unique<IsolatedPrerenderNetworkContextClient>(),
+      client_remote.InitWithNewPipeAndPassReceiver());
+  page_->isolated_network_context_->SetClient(std::move(client_remote));
+
   mojo::PendingRemote<network::mojom::URLLoaderFactory> isolated_factory_remote;
 
   CreateNewURLLoaderFactory(

chrome/browser/prerender/isolated/isolated_prerender_tab_helper.h

@@ -57,9 +57,11 @@ class IsolatedPrerenderTabHelper
     // Called when a prefetch for |url| is completed successfully.
     virtual void OnPrefetchCompletedSuccessfully(const GURL& url) {}
 
-    // Called when a prefetch for |url| is completed with an HTTP error code
-    // (non-2XX).
-    virtual void OnPrefetchCompletedWithError(const GURL& url, int code) {}
+    // Called when a prefetch for |url| is completed with an error code.
+    // Negative values for |error_code| are a net::Error and positive values are
+    // a HTTP error code.
+    virtual void OnPrefetchCompletedWithError(const GURL& url, int error_code) {
+    }
 
     // Called when a NoStatePrefetch finishes loading.
     virtual void OnNoStatePrefetchFinished() {}