[chromecast] Adding URL filter logic

Adds a URL filter for generic Activity third party
applications. This introduces filter logic for http
and websocket requests according to a provided whitelist.

A follow up CL to introduce the whitelist entry in
cast_web_contents that enable the filters.

Bug: 1054535
Test: CQ, verified url request blocking in devtools
Change-Id: I6a6a50bea79b70e7e91e08832bf9807c91faa53a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2050038Reviewed-by: Dominic Battré <battre@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Daniel Nicoara <dnicoara@chromium.org>
Commit-Queue: Jiaqi Han <jiaqih@google.com>
Cr-Commit-Position: refs/heads/master@{#743314}

chromecast/BUILD.gn

@@ -70,6 +70,7 @@ cast_test_group("cast_tests") {
     "//cc:cc_unittests",
     "//chromecast/base:cast_base_unittests",
     "//chromecast/base/component:cast_component_unittests",
+    "//chromecast/common:cast_common_unittests",
     "//chromecast/crypto:cast_crypto_unittests",
     "//chromecast/device/bluetooth:cast_bluetooth_unittests",
     "//chromecast/media:cast_media_unittests",

chromecast/common/BUILD.gn

@@ -26,6 +26,37 @@ cast_source_set("resource_delegate") {
   ]
 }
 
+cast_source_set("activity_url_filter") {
+  sources = [
+    "activity_filtering_url_loader_throttle.cc",
+    "activity_filtering_url_loader_throttle.h",
+    "activity_url_filter.cc",
+    "activity_url_filter.h",
+  ]
+
+  deps = [
+    "//base",
+    "//components/url_matcher",
+    "//content/public/common",
+    "//url",
+  ]
+}
+
+test("cast_common_unittests") {
+  testonly = true
+
+  sources = [ "activity_url_filter_unittest.cc" ]
+
+  deps = [
+    ":activity_url_filter",
+    "//base/test:run_all_unittests",
+    "//base/test:test_support",
+    "//testing/gmock",
+    "//testing/gtest",
+    "//url",
+  ]
+}
+
 cast_source_set("common") {
   sources = [
     "cast_content_client.cc",

chromecast/common/DEPS

 include_rules = [
   "+components/services/heap_profiling/public/cpp",
+  "+components/url_matcher",
   "+components/version_info",
   "+content/public/common",
   "+extensions/common",

chromecast/common/activity_filtering_url_loader_throttle.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromecast/common/activity_filtering_url_loader_throttle.h"
+
+namespace chromecast {
+namespace {
+
+const char kCancelReason[] = "ActivityFilteringURLLoaderThrottle";
+
+}  // namespace
+
+ActivityFilteringURLLoaderThrottle::ActivityFilteringURLLoaderThrottle(
+    ActivityUrlFilter* filter)
+    : url_filter_(filter) {}
+
+ActivityFilteringURLLoaderThrottle::~ActivityFilteringURLLoaderThrottle() =
+    default;
+
+void ActivityFilteringURLLoaderThrottle::WillStartRequest(
+    network::ResourceRequest* request,
+    bool* /* defer */) {
+  FilterURL(request->url);
+}
+
+void ActivityFilteringURLLoaderThrottle::WillRedirectRequest(
+    net::RedirectInfo* redirect_info,
+    const network::mojom::URLResponseHead& /* response_head */,
+    bool* /* defer */,
+    std::vector<std::string>* /* to_be_removed_request_headers */,
+    net::HttpRequestHeaders* /* modified_request_headers */) {
+  FilterURL(redirect_info->new_url);
+}
+
+void ActivityFilteringURLLoaderThrottle::DetachFromCurrentSequence() {}
+
+void ActivityFilteringURLLoaderThrottle::FilterURL(const GURL& url) {
+  // Pass through allowed URLs, block otherwise.
+  if (!url_filter_->UrlMatchesWhitelist(url))
+    delegate_->CancelWithError(net::ERR_ACCESS_DENIED, kCancelReason);
+}
+
+}  // namespace chromecast

chromecast/common/activity_filtering_url_loader_throttle.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMECAST_COMMON_ACTIVITY_FILTERING_URL_LOADER_THROTTLE_H_
+#define CHROMECAST_COMMON_ACTIVITY_FILTERING_URL_LOADER_THROTTLE_H_
+
+#include <string>
+#include <vector>
+
+#include "base/macros.h"
+#include "chromecast/common/activity_url_filter.h"
+#include "third_party/blink/public/common/loader/url_loader_throttle.h"
+#include "url/gurl.h"
+
+namespace chromecast {
+
+// This class monitors requests issued by third-party javascript run via
+// Activities, and blocks the request based on URL whitelisting.
+class ActivityFilteringURLLoaderThrottle : public blink::URLLoaderThrottle {
+ public:
+  explicit ActivityFilteringURLLoaderThrottle(ActivityUrlFilter* filter);
+  ~ActivityFilteringURLLoaderThrottle() override;
+
+  // content::URLLoaderThrottle implementation:
+  void WillStartRequest(network::ResourceRequest* request,
+                        bool* defer) override;
+  void WillRedirectRequest(
+      net::RedirectInfo* redirect_info,
+      const network::mojom::URLResponseHead& response_head,
+      bool* defer,
+      std::vector<std::string>* to_be_removed_request_headers,
+      net::HttpRequestHeaders* modified_request_headers) override;
+
+ private:
+  // content::URLLoaderThrottle implementation:
+  void DetachFromCurrentSequence() override;
+
+  void FilterURL(const GURL& url);
+
+  ActivityUrlFilter* url_filter_;
+
+  DISALLOW_COPY_AND_ASSIGN(ActivityFilteringURLLoaderThrottle);
+};
+
+}  // namespace chromecast
+
+#endif  // CHROMECAST_COMMON_ACTIVITY_FILTERING_URL_LOADER_THROTTLE_H_

chromecast/common/activity_url_filter.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromecast/common/activity_url_filter.h"
+
+namespace chromecast {
+
+ActivityUrlFilter::ActivityUrlFilter(
+    const std::vector<std::string>& url_filters)
+    : url_matcher_(std::make_unique<url_matcher::URLMatcher>()) {
+  url_matcher::URLMatcherConditionSet::ID id = 0;
+  url_matcher::URLMatcherConditionSet::Vector condition_sets;
+  for (const auto& url : url_filters) {
+    url_matcher::URLMatcherConditionSet::Conditions conditions;
+    conditions.insert(
+        url_matcher_->condition_factory()->CreateURLMatchesCondition(url));
+    scoped_refptr<url_matcher::URLMatcherConditionSet> condition_set =
+        new url_matcher::URLMatcherConditionSet(id++, conditions);
+    condition_sets.push_back(std::move(condition_set));
+  }
+  url_matcher_->AddConditionSets(condition_sets);
+}
+
+ActivityUrlFilter::~ActivityUrlFilter() = default;
+
+bool ActivityUrlFilter::UrlMatchesWhitelist(const GURL& url) {
+  return !url_matcher_->MatchURL(url).empty();
+}
+
+}  // namespace chromecast

chromecast/common/activity_url_filter.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMECAST_COMMON_ACTIVITY_URL_FILTER_H_
+#define CHROMECAST_COMMON_ACTIVITY_URL_FILTER_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "base/macros.h"
+#include "components/url_matcher/url_matcher.h"
+#include "url/gurl.h"
+
+namespace chromecast {
+
+class ActivityUrlFilter {
+ public:
+  // |url_filters| are applied to network requests from the Activity.
+  explicit ActivityUrlFilter(const std::vector<std::string>& url_filters);
+  ~ActivityUrlFilter();
+
+  // Returns true if the given url matches to any whitelisted URL.
+  bool UrlMatchesWhitelist(const GURL& url);
+
+ private:
+  std::unique_ptr<url_matcher::URLMatcher> url_matcher_;
+
+  DISALLOW_COPY_AND_ASSIGN(ActivityUrlFilter);
+};
+
+}  // namespace chromecast
+
+#endif  // CHROMECAST_COMMON_ACTIVITY_URL_FILTER_H_

chromecast/common/activity_url_filter_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromecast/common/activity_url_filter.h"
+
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+
+namespace chromecast {
+
+TEST(ActivityUrlFilterTest, TestWhitelistURLMatch) {
+  ActivityUrlFilter filter(
+      {"http://www.google.com/*", ".*://finance.google.com/"});
+  EXPECT_TRUE(filter.UrlMatchesWhitelist(
+      GURL("http://www.google.com/a_test_that_matches")));
+  EXPECT_FALSE(filter.UrlMatchesWhitelist(
+      GURL("http://www.goggles.com/i_should_not_match")));
+  EXPECT_TRUE(
+      filter.UrlMatchesWhitelist(GURL("http://finance.google.com/mystock")));
+  EXPECT_TRUE(
+      filter.UrlMatchesWhitelist(GURL("https://finance.google.com/mystock")));
+  EXPECT_FALSE(filter.UrlMatchesWhitelist(GURL("https://www.google.com")));
+  EXPECT_TRUE(filter.UrlMatchesWhitelist(GURL("http://www.google.com")));
+}
+
+}  // namespace chromecast

chromecast/common/mojom/BUILD.gn

@@ -6,6 +6,7 @@ import("//mojo/public/tools/bindings/mojom.gni")
 
 mojom("mojom") {
   sources = [
+    "activity_url_filter.mojom",
     "application_media_capabilities.mojom",
     "constants.mojom",
     "feature_manager.mojom",

chromecast/common/mojom/activity_url_filter.mojom

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+module chromecast.mojom;
+
+// This struct represents a set of whitelist URL matching conditions used by
+// the Activity URL filter logic. Each string is a regular expression that
+// matching URL requests are passed through. If none of the condition
+// matches, the URL request is blocked.
+struct ActivityUrlFilterCriteria {
+  array<string> criteria;
+};
+
+// This interface is used to configure the Activity URL filter with an
+// ActivityUrlFilterCriteria.
+interface ActivityUrlFilterConfiguration {
+  // Set the criteria used by the URL filter in the renderer.
+  SetFilter(ActivityUrlFilterCriteria filter);
+};

chromecast/renderer/BUILD.gn

@@ -26,12 +26,18 @@ grit("extensions_resources") {
 
 cast_source_set("renderer") {
   sources = [
+    "activity_filtering_websocket_handshake_throttle.cc",
+    "activity_filtering_websocket_handshake_throttle.h",
+    "cast_activity_url_filter_manager.cc",
+    "cast_activity_url_filter_manager.h",
     "cast_content_renderer_client.cc",
     "cast_content_renderer_client.h",
     "cast_media_playback_options.cc",
     "cast_media_playback_options.h",
     "cast_url_loader_throttle_provider.cc",
     "cast_url_loader_throttle_provider.h",
+    "cast_websocket_handshake_throttle_provider.cc",
+    "cast_websocket_handshake_throttle_provider.h",
     "js_channel_bindings.cc",
     "js_channel_bindings.h",
     "native_bindings_helper.cc",
@@ -55,6 +61,7 @@ cast_source_set("renderer") {
     "//chromecast:chromecast_buildflags",
     "//chromecast/base",
     "//chromecast/common",
+    "//chromecast/common:activity_url_filter",
     "//chromecast/common:queryable_data",
     "//chromecast/common/media",
     "//chromecast/common/mojom",

chromecast/renderer/activity_filtering_websocket_handshake_throttle.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromecast/renderer/activity_filtering_websocket_handshake_throttle.h"
+
+#include "base/strings/stringprintf.h"
+#include "third_party/blink/public/platform/web_string.h"
+#include "url/gurl.h"
+
+namespace chromecast {
+
+ActivityFilteringWebSocketHandshakeThrottle::
+    ActivityFilteringWebSocketHandshakeThrottle(ActivityUrlFilter* filter)
+    : url_filter_(filter) {}
+
+ActivityFilteringWebSocketHandshakeThrottle::
+    ~ActivityFilteringWebSocketHandshakeThrottle() = default;
+
+void ActivityFilteringWebSocketHandshakeThrottle::ThrottleHandshake(
+    const blink::WebURL& url,
+    blink::WebSocketHandshakeThrottle::OnCompletion completion_callback) {
+  GURL gurl = GURL(url);
+
+  // Pass through allowed URLs, block otherwise.
+  if (url_filter_->UrlMatchesWhitelist(gurl)) {
+    std::move(completion_callback).Run(base::nullopt);
+    return;
+  }
+
+  std::move(completion_callback)
+      .Run(blink::WebString::FromUTF8(base::StringPrintf(
+          "WebSocket connection to %s is blocked", gurl.spec().c_str())));
+}
+
+}  // namespace chromecast

chromecast/renderer/activity_filtering_websocket_handshake_throttle.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMECAST_RENDERER_ACTIVITY_FILTERING_WEBSOCKET_HANDSHAKE_THROTTLE_H_
+#define CHROMECAST_RENDERER_ACTIVITY_FILTERING_WEBSOCKET_HANDSHAKE_THROTTLE_H_
+
+#include "base/macros.h"
+#include "chromecast/common/activity_url_filter.h"
+#include "third_party/blink/public/platform/web_url.h"
+#include "third_party/blink/public/platform/websocket_handshake_throttle.h"
+
+namespace chromecast {
+
+// This class implements the WebSocketHandshakeThrottle class as a facility
+// to block WebSocket connection establishment. Specifically,
+// blink::Platform::CreateWebSocketHandshakeThrottle() is called when a
+// WebSocket handshake is started. If
+// ActivityFilteringWebSocketHandshakeThrottle is installed, the
+// ThrottleHandshake() will be called on the handshake. If the URL is not
+// whitelisted, the handshake will be aborted, and a connection error will be
+// reported to Javascript.
+class ActivityFilteringWebSocketHandshakeThrottle
+    : public blink::WebSocketHandshakeThrottle {
+ public:
+  explicit ActivityFilteringWebSocketHandshakeThrottle(
+      ActivityUrlFilter* filter);
+  ~ActivityFilteringWebSocketHandshakeThrottle() override;
+
+  // blink::WebSocketHandshakeThrottle implementation:
+  void ThrottleHandshake(const blink::WebURL& url,
+                         blink::WebSocketHandshakeThrottle::OnCompletion
+                             completion_callback) override;
+
+ private:
+  ActivityUrlFilter* const url_filter_;
+
+  DISALLOW_COPY_AND_ASSIGN(ActivityFilteringWebSocketHandshakeThrottle);
+};
+
+}  // namespace chromecast
+
+#endif  // CHROMECAST_RENDERER_ACTIVITY_FILTERING_WEBSOCKET_HANDSHAKE_THROTTLE_H_

chromecast/renderer/cast_activity_url_filter_manager.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromecast/renderer/cast_activity_url_filter_manager.h"
+
+#include <string>
+#include <vector>
+
+#include "base/bind.h"
+#include "base/logging.h"
+#include "content/public/renderer/render_frame.h"
+
+namespace chromecast {
+
+CastActivityUrlFilterManager::UrlFilterReceiver::UrlFilterReceiver(
+    content::RenderFrame* render_frame,
+    base::OnceCallback<void()> on_removed_callback)
+    : content::RenderFrameObserver(render_frame),
+      on_removed_callback_(std::move(on_removed_callback)),
+      weak_factory_(this) {
+  weak_this_ = weak_factory_.GetWeakPtr();
+  render_frame->GetAssociatedInterfaceRegistry()->AddInterface(
+      base::BindRepeating(&CastActivityUrlFilterManager::UrlFilterReceiver::
+                              OnActivityUrlFilterConfigurationAssociatedRequest,
+                          weak_this_));
+}
+
+CastActivityUrlFilterManager::UrlFilterReceiver::~UrlFilterReceiver() {
+  std::move(on_removed_callback_).Run();
+}
+
+bool CastActivityUrlFilterManager::UrlFilterReceiver::
+    OnAssociatedInterfaceRequestForFrame(
+        const std::string& interface_name,
+        mojo::ScopedInterfaceEndpointHandle* handle) {
+  return associated_interfaces_.TryBindInterface(interface_name, handle);
+}
+
+void CastActivityUrlFilterManager::UrlFilterReceiver::OnDestruct() {
+  delete this;
+}
+
+void CastActivityUrlFilterManager::UrlFilterReceiver::SetFilter(
+    chromecast::mojom::ActivityUrlFilterCriteriaPtr filter_criteria) {
+  if (filter_criteria->criteria.empty())
+    return;
+
+  url_filter_ = std::make_unique<ActivityUrlFilter>(filter_criteria->criteria);
+}
+
+void CastActivityUrlFilterManager::UrlFilterReceiver::
+    OnActivityUrlFilterConfigurationAssociatedRequest(
+        mojo::PendingAssociatedReceiver<
+            chromecast::mojom::ActivityUrlFilterConfiguration> receiver) {
+  receivers_.Add(this, std::move(receiver));
+}
+
+ActivityUrlFilter*
+CastActivityUrlFilterManager::UrlFilterReceiver::GetUrlFilter() {
+  return url_filter_.get();
+}
+
+CastActivityUrlFilterManager::CastActivityUrlFilterManager()
+    : weak_factory_(this) {
+  weak_this_ = weak_factory_.GetWeakPtr();
+}
+
+CastActivityUrlFilterManager::~CastActivityUrlFilterManager() = default;
+
+ActivityUrlFilter*
+CastActivityUrlFilterManager::GetActivityUrlFilterForRenderFrameID(
+    int render_frame_id) {
+  const auto& it = activity_url_filters_.find(render_frame_id);
+  if (it == activity_url_filters_.end())
+    return nullptr;
+
+  return it->second->GetUrlFilter();
+}
+
+void CastActivityUrlFilterManager::OnRenderFrameCreated(
+    content::RenderFrame* render_frame) {
+  int render_frame_id = render_frame->GetRoutingID();
+
+  // Lifetime is tied to |render_frame| via content::RenderFrameObserver.
+  auto* filter_receiver = new CastActivityUrlFilterManager::UrlFilterReceiver(
+      render_frame,
+      base::BindOnce(&CastActivityUrlFilterManager::OnRenderFrameRemoved,
+                     weak_this_, render_frame->GetRoutingID()));
+
+  auto result = activity_url_filters_.emplace(render_frame_id, filter_receiver);
+
+  if (!result.second)
+    LOG(ERROR)
+        << "A URL filter for Activity already exists for Render frame ID "
+        << render_frame_id;
+}
+
+void CastActivityUrlFilterManager::OnRenderFrameRemoved(int render_frame_id) {
+  const auto& it = activity_url_filters_.find(render_frame_id);
+
+  if (it != activity_url_filters_.end())
+    activity_url_filters_.erase(it);
+}
+
+}  // namespace chromecast

chromecast/renderer/cast_activity_url_filter_manager.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMECAST_RENDERER_CAST_ACTIVITY_URL_FILTER_MANAGER_H_
+#define CHROMECAST_RENDERER_CAST_ACTIVITY_URL_FILTER_MANAGER_H_
+
+#include <memory>
+#include <string>
+
+#include "base/containers/flat_map.h"
+#include "base/macros.h"
+#include "chromecast/common/activity_url_filter.h"
+#include "chromecast/common/mojom/activity_url_filter.mojom.h"
+#include "content/public/renderer/render_frame_observer.h"
+#include "mojo/public/cpp/bindings/associated_receiver_set.h"
+#include "mojo/public/cpp/bindings/binding.h"
+#include "mojo/public/cpp/bindings/pending_associated_receiver.h"
+#include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h"
+
+namespace chromecast {
+
+// This class accepts strings that represent URL filter criteria from
+// the browser through mojo, and constructs the URL matcher that filters
+// web requests.
+class CastActivityUrlFilterManager {
+ public:
+  CastActivityUrlFilterManager();
+  ~CastActivityUrlFilterManager();
+
+  // Returns nullptr if no Activity URL filter exists for the render frame.
+  ActivityUrlFilter* GetActivityUrlFilterForRenderFrameID(int render_frame_id);
+
+  void OnRenderFrameCreated(content::RenderFrame* render_frame);
+  void OnRenderFrameRemoved(int render_frame_id);
+
+ private:
+  class UrlFilterReceiver
+      : public content::RenderFrameObserver,
+        public chromecast::mojom::ActivityUrlFilterConfiguration {
+   public:
+    explicit UrlFilterReceiver(content::RenderFrame* render_frame,
+                               base::OnceCallback<void()> on_removed_callback);
+    ~UrlFilterReceiver() override;
+
+    // mojom::ActivityUrlFilterConfiguration implementation:
+    void SetFilter(
+        chromecast::mojom::ActivityUrlFilterCriteriaPtr filter) override;
+
+    ActivityUrlFilter* GetUrlFilter();
+
+   private:
+    // content::RenderFrameObserver implementation:
+    bool OnAssociatedInterfaceRequestForFrame(
+        const std::string& interface_name,
+        mojo::ScopedInterfaceEndpointHandle* handle) override;
+    void OnDestruct() override;
+
+    void OnActivityUrlFilterConfigurationAssociatedRequest(
+        mojo::PendingAssociatedReceiver<
+            chromecast::mojom::ActivityUrlFilterConfiguration> receiver);
+
+    std::unique_ptr<ActivityUrlFilter> url_filter_;
+
+    blink::AssociatedInterfaceRegistry associated_interfaces_;
+    mojo::AssociatedReceiverSet<
+        chromecast::mojom::ActivityUrlFilterConfiguration>
+        receivers_;
+
+    base::OnceCallback<void()> on_removed_callback_;
+
+    base::WeakPtr<UrlFilterReceiver> weak_this_;
+    base::WeakPtrFactory<UrlFilterReceiver> weak_factory_;
+
+    DISALLOW_COPY_AND_ASSIGN(UrlFilterReceiver);
+  };
+
+  base::flat_map<int, UrlFilterReceiver*> activity_url_filters_;
+
+  base::WeakPtr<CastActivityUrlFilterManager> weak_this_;
+  base::WeakPtrFactory<CastActivityUrlFilterManager> weak_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(CastActivityUrlFilterManager);
+};
+
+}  // namespace chromecast
+
+#endif  // CHROMECAST_RENDERER_CAST_ACTIVITY_URL_FILTER_MANAGER_H_

chromecast/renderer/cast_content_renderer_client.cc

@@ -17,6 +17,7 @@
 #include "chromecast/public/media/media_capabilities_shlib.h"
 #include "chromecast/renderer/cast_media_playback_options.h"
 #include "chromecast/renderer/cast_url_loader_throttle_provider.h"
+#include "chromecast/renderer/cast_websocket_handshake_throttle_provider.h"
 #include "chromecast/renderer/js_channel_bindings.h"
 #include "chromecast/renderer/media/key_systems_cast.h"
 #include "chromecast/renderer/media/media_caps_observer_impl.h"
@@ -88,7 +89,9 @@ constexpr base::TimeDelta kAudioRendererStartingCapacityEncrypted =
 
 CastContentRendererClient::CastContentRendererClient()
     : supported_profiles_(
-          std::make_unique<media::SupportedCodecProfileLevelsMemo>()) {
+          std::make_unique<media::SupportedCodecProfileLevelsMemo>()),
+      activity_url_filter_manager_(
+          std::make_unique<CastActivityUrlFilterManager>()) {
 #if defined(OS_ANDROID)
   DCHECK(::media::MediaCodecUtil::IsMediaCodecAvailable())
       << "MediaCodec is not available!";
@@ -181,6 +184,7 @@ void CastContentRendererClient::RenderViewCreated(
 void CastContentRendererClient::RenderFrameCreated(
     content::RenderFrame* render_frame) {
   DCHECK(render_frame);
+
   // Lifetime is tied to |render_frame| via content::RenderFrameObserver.
   new CastMediaPlaybackOptions(render_frame);
   if (!::chromecast::IsFeatureEnabled(kUseQueryableDataBackend)) {
@@ -212,6 +216,8 @@ void CastContentRendererClient::RenderFrameCreated(
   // JsChannelBindings destroys itself when the RenderFrame is destroyed.
   JsChannelBindings::Create(render_frame);
 #endif
+
+  activity_url_filter_manager_->OnRenderFrameCreated(render_frame);
 }
 
 content::BrowserPluginDelegate*
@@ -369,10 +375,17 @@ void CastContentRendererClient::OnSupportedBitstreamAudioCodecsChanged(
   supported_bitstream_audio_codecs_info_ = info;
 }
 
+std::unique_ptr<content::WebSocketHandshakeThrottleProvider>
+CastContentRendererClient::CreateWebSocketHandshakeThrottleProvider() {
+  return std::make_unique<CastWebSocketHandshakeThrottleProvider>(
+      activity_url_filter_manager_.get());
+}
+
 std::unique_ptr<content::URLLoaderThrottleProvider>
 CastContentRendererClient::CreateURLLoaderThrottleProvider(
     content::URLLoaderThrottleProviderType type) {
-  return std::make_unique<CastURLLoaderThrottleProvider>(type);
+  return std::make_unique<CastURLLoaderThrottleProvider>(
+      type, activity_url_filter_manager_.get());
 }
 
 base::Optional<::media::AudioRendererAlgorithmParameters>

chromecast/renderer/cast_content_renderer_client.h

@@ -6,12 +6,14 @@
 #define CHROMECAST_RENDERER_CAST_CONTENT_RENDERER_CLIENT_H_
 
 #include <memory>
+#include <string>
 #include <vector>
 
 #include "base/macros.h"
 #include "build/build_config.h"
 #include "chromecast/chromecast_buildflags.h"
 #include "chromecast/common/mojom/application_media_capabilities.mojom.h"
+#include "chromecast/renderer/cast_activity_url_filter_manager.h"
 #include "content/public/renderer/content_renderer_client.h"
 #include "media/base/audio_codecs.h"
 #include "media/base/audio_parameters.h"
@@ -70,6 +72,8 @@ class CastContentRendererClient
                       base::OnceClosure closure) override;
   bool IsIdleMediaSuspendEnabled() override;
   void SetRuntimeFeaturesDefaultsBeforeBlinkInitialization() override;
+  std::unique_ptr<content::WebSocketHandshakeThrottleProvider>
+  CreateWebSocketHandshakeThrottleProvider() override;
   std::unique_ptr<content::URLLoaderThrottleProvider>
   CreateURLLoaderThrottleProvider(
       content::URLLoaderThrottleProviderType type) override;
@@ -85,6 +89,10 @@ class CastContentRendererClient
   virtual bool RunWhenInForeground(content::RenderFrame* render_frame,
                                    base::OnceClosure closure);
 
+  CastActivityUrlFilterManager* activity_url_filter_manager() {
+    return activity_url_filter_manager_.get();
+  }
+
  private:
   // mojom::ApplicationMediaCapabilitiesObserver implementation:
   void OnSupportedBitstreamAudioCodecsChanged(
@@ -115,6 +123,8 @@ class CastContentRendererClient
 
   BitstreamAudioCodecsInfo supported_bitstream_audio_codecs_info_;
 
+  std::unique_ptr<CastActivityUrlFilterManager> activity_url_filter_manager_;
+
   DISALLOW_COPY_AND_ASSIGN(CastContentRendererClient);
 };
 

chromecast/renderer/cast_url_loader_throttle_provider.cc

@@ -5,6 +5,7 @@
 #include "chromecast/renderer/cast_url_loader_throttle_provider.h"
 
 #include "base/feature_list.h"
+#include "chromecast/common/activity_filtering_url_loader_throttle.h"
 #include "chromecast/common/cast_url_loader_throttle.h"
 #include "content/public/renderer/render_frame.h"
 #include "content/public/renderer/render_thread.h"
@@ -14,8 +15,10 @@
 namespace chromecast {
 
 CastURLLoaderThrottleProvider::CastURLLoaderThrottleProvider(
-    content::URLLoaderThrottleProviderType type)
-    : type_(type) {
+    content::URLLoaderThrottleProviderType type,
+    CastActivityUrlFilterManager* url_filter_manager)
+    : type_(type), cast_activity_url_filter_manager_(url_filter_manager) {
+  DCHECK(cast_activity_url_filter_manager_);
   DETACH_FROM_THREAD(thread_checker_);
 }
 
@@ -25,7 +28,9 @@ CastURLLoaderThrottleProvider::~CastURLLoaderThrottleProvider() {
 
 CastURLLoaderThrottleProvider::CastURLLoaderThrottleProvider(
     const chromecast::CastURLLoaderThrottleProvider& other)
-    : type_(other.type_) {
+    : type_(other.type_),
+      cast_activity_url_filter_manager_(
+          other.cast_activity_url_filter_manager_) {
   DETACH_FROM_THREAD(thread_checker_);
 }
 
@@ -41,6 +46,15 @@ CastURLLoaderThrottleProvider::CreateThrottles(
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   std::vector<std::unique_ptr<blink::URLLoaderThrottle>> throttles;
+
+  auto* activity_url_filter =
+      cast_activity_url_filter_manager_->GetActivityUrlFilterForRenderFrameID(
+          render_frame_id);
+  if (activity_url_filter) {
+    throttles.push_back(std::make_unique<ActivityFilteringURLLoaderThrottle>(
+        activity_url_filter));
+  }
+
   return throttles;
 }
 

chromecast/renderer/cast_url_loader_throttle_provider.h

@@ -5,8 +5,12 @@
 #ifndef CHROMECAST_RENDERER_CAST_URL_LOADER_THROTTLE_PROVIDER_H_
 #define CHROMECAST_RENDERER_CAST_URL_LOADER_THROTTLE_PROVIDER_H_
 
+#include <vector>
+
 #include "base/macros.h"
 #include "base/threading/thread_checker.h"
+#include "chromecast/common/activity_url_filter.h"
+#include "chromecast/renderer/cast_activity_url_filter_manager.h"
 #include "content/public/renderer/url_loader_throttle_provider.h"
 
 namespace chromecast {
@@ -15,7 +19,8 @@ class CastURLLoaderThrottleProvider
     : public content::URLLoaderThrottleProvider {
  public:
   explicit CastURLLoaderThrottleProvider(
-      content::URLLoaderThrottleProviderType type);
+      content::URLLoaderThrottleProviderType type,
+      CastActivityUrlFilterManager* url_filter_manager);
   ~CastURLLoaderThrottleProvider() override;
 
   // content::URLLoaderThrottleProvider implementation:
@@ -25,13 +30,15 @@ class CastURLLoaderThrottleProvider
       const blink::WebURLRequest& request) override;
   void SetOnline(bool is_online) override;
 
+ protected:
+  content::URLLoaderThrottleProviderType type_;
+  CastActivityUrlFilterManager* const cast_activity_url_filter_manager_;
+
  private:
   // This copy constructor works in conjunction with Clone(), not intended for
   // general use.
   CastURLLoaderThrottleProvider(const CastURLLoaderThrottleProvider& other);
 
-  content::URLLoaderThrottleProviderType type_;
-
   THREAD_CHECKER(thread_checker_);
 
   DISALLOW_ASSIGN(CastURLLoaderThrottleProvider);

chromecast/renderer/cast_websocket_handshake_throttle_provider.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromecast/renderer/cast_websocket_handshake_throttle_provider.h"
+
+#include "base/feature_list.h"
+#include "base/memory/ptr_util.h"
+#include "chromecast/renderer/activity_filtering_websocket_handshake_throttle.h"
+#include "services/network/public/cpp/features.h"
+
+namespace chromecast {
+
+CastWebSocketHandshakeThrottleProvider::CastWebSocketHandshakeThrottleProvider(
+    CastActivityUrlFilterManager* url_filter_manager)
+    : cast_activity_url_filter_manager_(url_filter_manager) {
+  DCHECK(url_filter_manager);
+  DETACH_FROM_THREAD(thread_checker_);
+}
+
+CastWebSocketHandshakeThrottleProvider::
+    ~CastWebSocketHandshakeThrottleProvider() {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+}
+
+CastWebSocketHandshakeThrottleProvider::CastWebSocketHandshakeThrottleProvider(
+    const chromecast::CastWebSocketHandshakeThrottleProvider& other)
+    : cast_activity_url_filter_manager_(
+          other.cast_activity_url_filter_manager_) {
+  DETACH_FROM_THREAD(thread_checker_);
+}
+
+std::unique_ptr<content::WebSocketHandshakeThrottleProvider>
+CastWebSocketHandshakeThrottleProvider::Clone(
+    scoped_refptr<base::SingleThreadTaskRunner> task_runner) {
+  return base::WrapUnique(new CastWebSocketHandshakeThrottleProvider(*this));
+}
+
+std::unique_ptr<blink::WebSocketHandshakeThrottle>
+CastWebSocketHandshakeThrottleProvider::CreateThrottle(
+    int render_frame_id,
+    scoped_refptr<base::SingleThreadTaskRunner> task_runner) {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+
+  if (!base::FeatureList::IsEnabled(network::features::kNetworkService))
+    return nullptr;
+
+  auto* activity_url_filter =
+      cast_activity_url_filter_manager_->GetActivityUrlFilterForRenderFrameID(
+          render_frame_id);
+  if (!activity_url_filter)
+    return nullptr;
+
+  return std::make_unique<ActivityFilteringWebSocketHandshakeThrottle>(
+      activity_url_filter);
+}
+
+}  // namespace chromecast

chromecast/renderer/cast_websocket_handshake_throttle_provider.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMECAST_RENDERER_CAST_WEBSOCKET_HANDSHAKE_THROTTLE_PROVIDER_H_
+#define CHROMECAST_RENDERER_CAST_WEBSOCKET_HANDSHAKE_THROTTLE_PROVIDER_H_
+
+#include <memory>
+
+#include "base/macros.h"
+#include "base/threading/thread_checker.h"
+#include "chromecast/renderer/cast_activity_url_filter_manager.h"
+#include "content/public/renderer/websocket_handshake_throttle_provider.h"
+
+namespace chromecast {
+
+// This class allows cast_shell to provide a WebSocketHandshakeThrottle
+// implementation to delay or block WebSocket handshakes.
+// This must be constructed on the render thread, and then used and destructed
+// on a single thread, which can be different from the render thread.
+class CastWebSocketHandshakeThrottleProvider
+    : public content::WebSocketHandshakeThrottleProvider {
+ public:
+  explicit CastWebSocketHandshakeThrottleProvider(
+      CastActivityUrlFilterManager* url_filter_manager);
+  ~CastWebSocketHandshakeThrottleProvider() override;
+
+  // content::WebSocketHandshakeThrottleProvider implementation:
+  std::unique_ptr<content::WebSocketHandshakeThrottleProvider> Clone(
+      scoped_refptr<base::SingleThreadTaskRunner> task_runner) override;
+  std::unique_ptr<blink::WebSocketHandshakeThrottle> CreateThrottle(
+      int render_frame_id,
+      scoped_refptr<base::SingleThreadTaskRunner> task_runner) override;
+
+ private:
+  // This copy constructor works in conjunction with Clone(), not intended for
+  // general use.
+  CastWebSocketHandshakeThrottleProvider(
+      const CastWebSocketHandshakeThrottleProvider& other);
+
+  CastActivityUrlFilterManager* const cast_activity_url_filter_manager_;
+
+  THREAD_CHECKER(thread_checker_);
+
+  DISALLOW_ASSIGN(CastWebSocketHandshakeThrottleProvider);
+};
+
+}  // namespace chromecast
+
+#endif  // CHROMECAST_RENDERER_CAST_WEBSOCKET_HANDSHAKE_THROTTLE_PROVIDER_H_