Trust Tokens: Add origin trial configuration

This change makes Trust Tokens configurable in two origin trial modes: - "Standard": issuance requires the "TrustTokens" origin trial (runtime_enabled_feature.json5) be active; redemption and signing don't - "Third party": all three operations require the trial be active This fairly complex configuration is motivated by the fact that we don't know whether we'll be running a standard origin trial or a third party origin trial [1], as the code for the latter has landed but not launched, so we need to be able to decide dynamically. This is implemented by gating all three Trust Tokens operations behind the same RuntimeEnabledFeature [2] and having a runtime check for the presence of the origin trial during issuance: - in "standard" mode, the RuntimeEnabledFeature is always on (so long as the corresponding base::Feature is; see below), so all three operations are always available, but issuance will fail in contexts without configured origin trial tokens; - in "third party" mode, the RuntimeEnabledFeature is left off even if the base::Feature is enabled: the Origin Trials framework will enable it, activating all operations, if there is an origin trial token. In both modes, we unconditionally require that the kTrustTokens base::Feature be enabled in order to execute any of the operations: if it's disabled, the Blink RuntimeEnabledFeature will start disabled and, additionally, the origin trial will not be permitted to activate (because of the new logic in OriginTrialContext). I wrote up a slightly longer description of the constraints and the implementation rationale: https://bit.ly/configuring-trust-tokens [1]: https://docs.google.com/document/u/1/d/1xALH9W7rWmX0FpjudhDeS2TNTEOXuPn4Tlc9VmuPdHA/edit [2]: The entry point for each operation is identical (e.g. you use the trustToken argument to RequestInit whether it's an issuance, redemption, or signing operation), so it's not possible to vary the "enabled or not" decision at an IDL level depending on the operation. Fixed: 1081739 Change-Id: I1e63f2c12a1e2a158011fa5e95676b48f36e38dc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2199910 Commit-Queue: David Van Cleve <davidvc@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Jason Chase <chasej@chromium.org> Cr-Commit-Position: refs/heads/master@{#770811}

Trust Tokens: Add origin trial configuration
This change makes Trust Tokens configurable in two origin trial modes: - "Standard": issuance requires the "TrustTokens" origin trial (runtime_enabled_feature.json5) be active; redemption and signing don't - "Third party": all three operations require the trial be active This fairly complex configuration is motivated by the fact that we don't know whether we'll be running a standard origin trial or a third party origin trial [1], as the code for the latter has landed but not launched, so we need to be able to decide dynamically. This is implemented by gating all three Trust Tokens operations behind the same RuntimeEnabledFeature [2] and having a runtime check for the presence of the origin trial during issuance: - in "standard" mode, the RuntimeEnabledFeature is always on (so long as the corresponding base::Feature is; see below), so all three operations are always available, but issuance will fail in contexts without configured origin trial tokens; - in "third party" mode, the RuntimeEnabledFeature is left off even if the base::Feature is enabled: the Origin Trials framework will enable it, activating all operations, if there is an origin trial token. In both modes, we unconditionally require that the kTrustTokens base::Feature be enabled in order to execute any of the operations: if it's disabled, the Blink RuntimeEnabledFeature will start disabled and, additionally, the origin trial will not be permitted to activate (because of the new logic in OriginTrialContext). I wrote up a slightly longer description of the constraints and the implementation rationale: https://bit.ly/configuring-trust-tokens [1]: https://docs.google.com/document/u/1/d/1xALH9W7rWmX0FpjudhDeS2TNTEOXuPn4Tlc9VmuPdHA/edit [2]: The entry point for each operation is identical (e.g. you use the trustToken argument to RequestInit whether it's an issuance, redemption, or signing operation), so it's not possible to vary the "enabled or not" decision at an IDL level depending on the operation. Fixed: 1081739 Change-Id: I1e63f2c12a1e2a158011fa5e95676b48f36e38dc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2199910 Commit-Queue: David Van Cleve <davidvc@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Jason Chase <chasej@chromium.org> Cr-Commit-Position: refs/heads/master@{#770811}
fc3f8e13 · David Van Cleve · Commit Bot · 27253c26 · fc3f8e13 · fc3f8e13
Commit fc3f8e13 authored May 20, 2020 by David Van Cleve Committed by Commit Bot May 20, 2020
17 changed files
--- a/content/child/runtime_features.cc
+++ b/content/child/runtime_features.cc
@@ -313,7 +313,6 @@ void SetRuntimeFeaturesFromChromiumFeatures() {
 #if defined(OS_ANDROID)
    {wf::EnableWebNfc, features::kWebNfc, kDisableOnly},
 #endif
-    {wf::EnableTrustTokens, network::features::kTrustTokens, kEnableOnly},
    {wf::EnableInstalledApp, features::kInstalledApp, kDisableOnly},
    {wf::EnableWebAuthenticationGetAssertionFeaturePolicy,
     device::kWebAuthGetAssertionFeaturePolicy, kUseFeatureState},
@@ -563,6 +562,34 @@ void SetCustomizedRuntimeFeaturesFromCombinedArgs(
    if (!base::FeatureList::IsEnabled(blink::features::kAppCache))
      WebRuntimeFeatures::EnableFeatureFromString("AppCache", false);
  }
+
+  if (base::FeatureList::IsEnabled(network::features::kTrustTokens)) {
+    // See https://bit.ly/configuring-trust-tokens.
+    using network::features::TrustTokenOriginTrialSpec;
+    switch (
+        network::features::kTrustTokenOperationsRequiringOriginTrial.Get()) {
+      case TrustTokenOriginTrialSpec::kOriginTrialNotRequired:
+        // Setting TrustTokens=true enables the Trust Tokens interface;
+        // TrustTokensAlwaysAllowIssuance disables a runtime check during
+        // issuance that the origin trial is active (see
+        // blink/.../trust_token_issuance_authorization.h).
+        WebRuntimeFeatures::EnableTrustTokens(true);
+        WebRuntimeFeatures::EnableTrustTokensAlwaysAllowIssuance(true);
+        break;
+      case TrustTokenOriginTrialSpec::kAllOperationsRequireOriginTrial:
+        // The origin trial itself will be responsible for enabling the
+        // TrustTokens RuntimeEnabledFeature.
+        WebRuntimeFeatures::EnableTrustTokens(false);
+        WebRuntimeFeatures::EnableTrustTokensAlwaysAllowIssuance(false);
+        break;
+      case TrustTokenOriginTrialSpec::kOnlyIssuanceRequiresOriginTrial:
+        // At issuance, a runtime check will be responsible for checking that
+        // the origin trial is present.
+        WebRuntimeFeatures::EnableTrustTokens(true);
+        WebRuntimeFeatures::EnableTrustTokensAlwaysAllowIssuance(false);
+        break;
+    }
+  }
 }

 }  // namespace

--- a/content/test/BUILD.gn
+++ b/content/test/BUILD.gn
@@ -1145,6 +1145,7 @@ test("content_browsertests") {
    "../test/content_browser_test_test.cc",
    "../test/top_frame_population_browsertest.cc",
    "../test/trust_token_browsertest.cc",
+    "../test/trust_token_origin_trial_browsertest.cc",
    "../test/trust_token_parameters_browsertest.cc",
    "../test/url_loader_interceptor_test.cc",
    "../test/webui_resource_browsertest.cc",

--- a/content/test/trust_token_browsertest.cc
+++ b/content/test/trust_token_browsertest.cc
@@ -42,7 +42,14 @@ using network::test::TrustTokenRequestHandler;
 class TrustTokenBrowsertest : public ContentBrowserTest {
 public:
  TrustTokenBrowsertest() {
-    features_.InitAndEnableFeature(network::features::kTrustTokens);
+    auto& field_trial_param =
+        network::features::kTrustTokenOperationsRequiringOriginTrial;
+    features_.InitAndEnableFeatureWithParameters(
+        network::features::kTrustTokens,
+        {{field_trial_param.name,
+          field_trial_param.GetName(
+              network::features::TrustTokenOriginTrialSpec::
+                  kOriginTrialNotRequired)}});
  }

  // Registers the following handlers:

--- a/content/test/trust_token_origin_trial_browsertest.cc
+++ b/content/test/trust_token_origin_trial_browsertest.cc
--- a/content/test/trust_token_parameters_browsertest.cc
+++ b/content/test/trust_token_parameters_browsertest.cc
@@ -34,7 +34,14 @@ class TrustTokenParametersBrowsertest
      public ContentBrowserTest {
 public:
  TrustTokenParametersBrowsertest() {
-    features_.InitAndEnableFeature(network::features::kTrustTokens);
+    auto& field_trial_param =
+        network::features::kTrustTokenOperationsRequiringOriginTrial;
+    features_.InitAndEnableFeatureWithParameters(
+        network::features::kTrustTokens,
+        {{field_trial_param.name,
+          field_trial_param.GetName(
+              network::features::TrustTokenOriginTrialSpec::
+                  kOriginTrialNotRequired)}});
  }

 protected:

--- a/services/network/public/cpp/features.cc
+++ b/services/network/public/cpp/features.cc
@@ -206,6 +206,36 @@ const base::Feature kStrictAccessControlAllowListCheck = {
 const base::Feature kTrustTokens{"TrustTokens",
                                 base::FEATURE_DISABLED_BY_DEFAULT};

+// Determines which Trust Tokens operations require the TrustTokens origin trial
+// active in order to be used. This is runtime-configurable so that the Trust
+// Tokens operations of issuance, redemption, and signing are compatible with
+// both standard origin trials and third-party origin trials:
+//
+// - For standard origin trials, set kOnlyIssuanceRequiresOriginTrial. In Blink,
+// all of the interface will be enabled (so long as the base::Feature is!), and
+// issuance operations will check at runtime if the origin trial is enabled,
+// returning an error if it is not.
+// - For third-party origin trials, set kAllOperationsRequireOriginTrial. In
+// Blink, the interface will be enabled exactly when the origin trial is present
+// in the executing context (so long as the base::Feature is present).
+//
+// For testing, set kOriginTrialNotRequired. With this option, although all
+// operations will still only be available if the base::Feature is enabled, none
+// will additionally require that the origin trial be active.
+const base::FeatureParam<TrustTokenOriginTrialSpec>::Option
+    kTrustTokenOriginTrialParamOptions[] = {
+        {TrustTokenOriginTrialSpec::kOriginTrialNotRequired,
+         "origin-trial-not-required"},
+        {TrustTokenOriginTrialSpec::kAllOperationsRequireOriginTrial,
+         "all-operations-require-origin-trial"},
+        {TrustTokenOriginTrialSpec::kOnlyIssuanceRequiresOriginTrial,
+         "only-issuance-requires-origin-trial"}};
+const base::FeatureParam<TrustTokenOriginTrialSpec>
+    kTrustTokenOperationsRequiringOriginTrial{
+        &kTrustTokens, "TrustTokenOperationsRequiringOriginTrial",
+        TrustTokenOriginTrialSpec::kOriginTrialNotRequired,
+        &kTrustTokenOriginTrialParamOptions};
+
 bool ShouldEnableOutOfBlinkCorsForTesting() {
  return base::FeatureList::IsEnabled(features::kOutOfBlinkCors);
 }

--- a/services/network/public/cpp/features.h
+++ b/services/network/public/cpp/features.h
@@ -77,6 +77,16 @@ extern const base::Feature kStrictAccessControlAllowListCheck;
 COMPONENT_EXPORT(NETWORK_CPP)
 extern const base::Feature kTrustTokens;

+enum class TrustTokenOriginTrialSpec {
+  // See the .cc file for definitions.
+  kAllOperationsRequireOriginTrial,
+  kOnlyIssuanceRequiresOriginTrial,
+  kOriginTrialNotRequired,
+};
+COMPONENT_EXPORT(NETWORK_CPP)
+extern const base::FeatureParam<TrustTokenOriginTrialSpec>
+    kTrustTokenOperationsRequiringOriginTrial;
+
 COMPONENT_EXPORT(NETWORK_CPP)
 bool ShouldEnableOutOfBlinkCorsForTesting();


--- a/third_party/blink/public/platform/web_runtime_features.h
+++ b/third_party/blink/public/platform/web_runtime_features.h
@@ -236,6 +236,7 @@ class WebRuntimeFeatures {
  BLINK_PLATFORM_EXPORT static void EnableAcceleratedSmallCanvases(bool);

  BLINK_PLATFORM_EXPORT static void EnableTrustTokens(bool);
+  BLINK_PLATFORM_EXPORT static void EnableTrustTokensAlwaysAllowIssuance(bool);

  BLINK_PLATFORM_EXPORT static void EnableInstalledApp(bool);


--- a/third_party/blink/renderer/core/fetch/BUILD.gn
+++ b/third_party/blink/renderer/core/fetch/BUILD.gn
@@ -40,6 +40,8 @@ blink_core_sources("fetch") {
    "request.h",
    "response.cc",
    "response.h",
+    "trust_token_issuance_authorization.cc",
+    "trust_token_issuance_authorization.h",
    "trust_token_to_mojom.cc",
    "trust_token_to_mojom.h",
  ]

--- a/third_party/blink/renderer/core/fetch/request.cc
+++ b/third_party/blink/renderer/core/fetch/request.cc
@@ -31,6 +31,7 @@
 #include "third_party/blink/renderer/core/fetch/body_stream_buffer.h"
 #include "third_party/blink/renderer/core/fetch/fetch_manager.h"
 #include "third_party/blink/renderer/core/fetch/form_data_bytes_consumer.h"
+#include "third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.h"
 #include "third_party/blink/renderer/core/fetch/trust_token_to_mojom.h"
 #include "third_party/blink/renderer/core/fileapi/blob.h"
 #include "third_party/blink/renderer/core/fileapi/public_url_manager.h"
@@ -532,6 +533,16 @@ Request* Request::CreateRequestWithRequestOrString(
      return nullptr;
    }

+    VLOG(1) << "a";
+
+    if (params.type == TrustTokenOperationType::kIssuance &&
+        !IsTrustTokenIssuanceAvailableInExecutionContext(*execution_context)) {
+      exception_state.ThrowTypeError(
+          "trustToken: Issuance ('token-request') is disabled except in "
+          "contexts with the TrustTokens Origin Trial enabled.");
+      return nullptr;
+    }
+
    request->SetTrustTokenParams(std::move(params));
  }


--- a/third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.cc
+++ b/third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.h"
+
+#include "third_party/blink/renderer/core/execution_context/execution_context.h"
+#include "third_party/blink/renderer/platform/runtime_enabled_features.h"
+
+namespace blink {
+
+bool IsTrustTokenIssuanceAvailableInExecutionContext(
+    const ExecutionContext& context) {
+  return context.FeatureEnabled(OriginTrialFeature::kTrustTokens) ||
+         RuntimeEnabledFeatures::TrustTokensAlwaysAllowIssuanceEnabled();
+}
+
+}  // namespace blink
--- a/third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.h
+++ b/third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FETCH_TRUST_TOKEN_ISSUANCE_AUTHORIZATION_H_
+#define THIRD_PARTY_BLINK_RENDERER_CORE_FETCH_TRUST_TOKEN_ISSUANCE_AUTHORIZATION_H_
+
+namespace blink {
+
+class ExecutionContext;
+
+// Returns whether it's OK to execute Trust Tokens issuance in the given
+// execution context. This depends on whether the context is participating in
+// the kTrustTokens origin trial, and whether the embedder has specified an
+// override of this requirement (e.g. for testing).
+//
+// For more information on Trust Tokens configuration, see the comment on
+// network::features::kTrustTokens.
+bool IsTrustTokenIssuanceAvailableInExecutionContext(
+    const ExecutionContext& context);
+
+}  // namespace blink
+
+#endif  // THIRD_PARTY_BLINK_RENDERER_CORE_FETCH_TRUST_TOKEN_ISSUANCE_AUTHORIZATION_H_
--- a/third_party/blink/renderer/core/html/html_iframe_element.cc
+++ b/third_party/blink/renderer/core/html/html_iframe_element.cc
@@ -36,6 +36,7 @@
 #include "third_party/blink/renderer/core/feature_policy/document_policy_parser.h"
 #include "third_party/blink/renderer/core/feature_policy/feature_policy_parser.h"
 #include "third_party/blink/renderer/core/feature_policy/iframe_policy.h"
+#include "third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.h"
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 #include "third_party/blink/renderer/core/frame/sandbox_flags.h"
 #include "third_party/blink/renderer/core/html/html_document.h"
@@ -513,6 +514,18 @@ HTMLIFrameElement::ConstructTrustTokenParams() const {
    return nullptr;
  }

+  if (parsed_params->type ==
+          network::mojom::blink::TrustTokenOperationType::kIssuance &&
+      !IsTrustTokenIssuanceAvailableInExecutionContext(
+          *GetExecutionContext())) {
+    GetDocument().AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
+        mojom::blink::ConsoleMessageSource::kOther,
+        mojom::blink::ConsoleMessageLevel::kError,
+        "Trust Tokens issuance is disabled except in "
+        "contexts with the TrustTokens Origin Trial enabled."));
+    return nullptr;
+  }
+
  return parsed_params;
 }


--- a/third_party/blink/renderer/core/origin_trials/origin_trial_context.cc
+++ b/third_party/blink/renderer/core/origin_trials/origin_trial_context.cc
@@ -6,6 +6,7 @@

 #include "base/metrics/histogram_macros.h"
 #include "base/time/time.h"
+#include "services/network/public/cpp/features.h"
 #include "third_party/blink/public/common/features.h"
 #include "third_party/blink/public/common/origin_trials/trial_token.h"
 #include "third_party/blink/public/common/origin_trials/trial_token_validator.h"
@@ -367,6 +368,10 @@ bool OriginTrialContext::CanEnableTrialFromName(const StringView& trial_name) {
      !base::FeatureList::IsEnabled(features::kAppCache)) {
    return false;
  }
+  if (trial_name == "TrustTokens" &&
+      !base::FeatureList::IsEnabled(network::features::kTrustTokens)) {
+    return false;
+  }

  return true;
 }

--- a/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc
+++ b/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc
@@ -48,6 +48,7 @@
 #include "third_party/blink/renderer/core/editing/serializers/serialization.h"
 #include "third_party/blink/renderer/core/events/progress_event.h"
 #include "third_party/blink/renderer/core/execution_context/execution_context.h"
+#include "third_party/blink/renderer/core/fetch/trust_token_issuance_authorization.h"
 #include "third_party/blink/renderer/core/fetch/trust_token_to_mojom.h"
 #include "third_party/blink/renderer/core/fileapi/blob.h"
 #include "third_party/blink/renderer/core/fileapi/file.h"
@@ -1476,6 +1477,17 @@ void XMLHttpRequest::setTrustToken(const TrustToken* trust_token,
    return;
  }

+  if (params->type ==
+          network::mojom::blink::TrustTokenOperationType::kIssuance &&
+      !IsTrustTokenIssuanceAvailableInExecutionContext(
+          *GetExecutionContext())) {
+    exception_state.ThrowDOMException(
+        DOMExceptionCode::kNotAllowedError,
+        "Trust Tokens issuance is disabled except in "
+        "contexts with the TrustTokens Origin Trial enabled.");
+    return;
+  }
+
  trust_token_params_ = std::move(params);
 }


--- a/third_party/blink/renderer/platform/exported/web_runtime_features.cc
+++ b/third_party/blink/renderer/platform/exported/web_runtime_features.cc
@@ -666,6 +666,10 @@ void WebRuntimeFeatures::EnableTrustTokens(bool enable) {
  RuntimeEnabledFeatures::SetTrustTokensEnabled(enable);
 }

+void WebRuntimeFeatures::EnableTrustTokensAlwaysAllowIssuance(bool enable) {
+  RuntimeEnabledFeatures::SetTrustTokensAlwaysAllowIssuanceEnabled(enable);
+}
+
 void WebRuntimeFeatures::EnableInstalledApp(bool enable) {
  RuntimeEnabledFeatures::SetInstalledAppEnabled(enable);
 }

--- a/third_party/blink/renderer/platform/runtime_enabled_features.json5
+++ b/third_party/blink/renderer/platform/runtime_enabled_features.json5
@@ -1775,6 +1775,15 @@
    },
    {
      name: "TrustTokens",
+      origin_trial_feature_name: "TrustTokens",
+      status: "test",
+    },
+    {
+      // Always allow trust token issuance (so long as the base::Feature
+      // is enabled). Used for testing; circumvents a runtime check that,
+      // if this RuntimeEnabledFeature is not present, guarantees the origin
+      // trial is enabled.
+      name: "TrustTokensAlwaysAllowIssuance",
      status: "test",
    },
    {