Adds a field trial to control Web API kill switches.

chrome/browser/permissions/permission_context_base.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/permissions/permission_context_base.h"
 
 #include "base/logging.h"
 #include "base/prefs/pref_service.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/permissions/permission_bubble_request_impl.h"
 #include "chrome/browser/permissions/permission_context_uma_util.h"
 #include "chrome/browser/permissions/permission_queue_controller.h"
 #include "chrome/browser/permissions/permission_request_id.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/website_settings/permission_bubble_manager.h"
 #include "chrome/common/pref_names.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/content_settings/core/browser/website_settings_registry.h"
+#include "components/variations/variations_associated_data.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/origin_util.h"
 
+// static
+const char PermissionContextBase::kApiKillSwitchFieldStudy[] = "ApiKillSwitch";

[mlamouri (slow - plz ping), 2015/10/20 13:35:45]

I would prefer if the name of the switch was more descriptive. What about
"PermissionsAutoDeny" ?

[kcarattini, 2015/10/21 03:39:37]

I switched to "Permission" from "Api" since that's more accurate. I think "kill
switch" is an accepted term for what we're doing here, though. Especially since
we plan to move to the Finch Kill Switch infrastructure which has the term in
its name.

+// static
+const char PermissionContextBase::kApiKillSwitchFieldParamBlockedValue[] =
+    "blocked";

[mlamouri (slow - plz ping), 2015/10/20 13:35:45]

I think we should just try to match the string "enabled".

[kcarattini, 2015/10/21 03:39:37]

I actually moved from "enabled" to "blocked" because Ben found it confusing to
have the term "enabled" used when an API is disabled by a kill switch. I think
we should go for clarity and stick with "blocked".

+
 PermissionContextBase::PermissionContextBase(
     Profile* profile,
     const ContentSettingsType permission_type)
     : profile_(profile),
       permission_type_(permission_type),
       weak_factory_(this) {
   permission_queue_controller_.reset(
       new PermissionQueueController(profile_, permission_type_));
 }
 
 PermissionContextBase::~PermissionContextBase() {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 }
 
 void PermissionContextBase::RequestPermission(
     content::WebContents* web_contents,
     const PermissionRequestID& id,
     const GURL& requesting_frame,
     bool user_gesture,
     const BrowserPermissionCallback& callback) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 
+  // First check if this API has been disabled through Finch.
+  if (IsApiKillSwitchOn()) {

[mlamouri (slow - plz ping), 2015/10/20 13:35:45]

In order to make sure this is always called, I think you should make
::RequestPermission() not virtual. It is calling ::DecidePermission() which is
already virtual anyway.

[Bernhard Bauer, 2015/10/20 14:27:17]

I don't think that works, as this method is overridden by
GeolocationPermissionContext.

(It does mean that you'll need to check the kill switch in that class as well
though.)

[mlamouri (slow - plz ping), 2015/10/20 14:32:28]

The logic in GeolocationPermissionContext::RequestPermission could probably move
to ::DecidePermission().

[kcarattini, 2015/10/21 03:39:37]

GeolocationPermissionContext calls the base class method so it still picks up
some of this functionality (albeit after the extensions check).

[kcarattini, 2015/10/21 03:39:37]

I'm happy to do that in a followup cl, and then I could make RequestPermission
not virtual.

+    // The kill switch is enabled for this API; Block all requests.
+    NotifyPermissionSet(id, requesting_frame.GetOrigin(),
+        web_contents->GetLastCommittedURL().GetOrigin(), callback,
+        false /* persist */, CONTENT_SETTING_BLOCK);
+    return;
+  }
+
   DecidePermission(web_contents,
                    id,
                    requesting_frame.GetOrigin(),
                    web_contents->GetLastCommittedURL().GetOrigin(),
                    user_gesture,
                    callback);
 }
 
 ContentSetting PermissionContextBase::GetPermissionStatus(
     const GURL& requesting_origin,
     const GURL& embedding_origin) const {
+
+  // If the API has been disabled through Finch, block all requests.
+  if (IsApiKillSwitchOn())
+    return CONTENT_SETTING_BLOCK;
+
   if (IsRestrictedToSecureOrigins() &&
       !content::IsOriginSecure(requesting_origin)) {
     return CONTENT_SETTING_BLOCK;
   }
 
   return HostContentSettingsMapFactory::GetForProfile(profile_)
       ->GetContentSetting(requesting_origin,
                           embedding_origin,
                           permission_type_,
                           std::string());
@@ skipping 55 matching lines @@
       !content::IsOriginSecure(requesting_origin)) {
     NotifyPermissionSet(id, requesting_origin, embedding_origin, callback,
                         false /* persist */, CONTENT_SETTING_BLOCK);
     return;
   }
 
   ContentSetting content_setting =
       HostContentSettingsMapFactory::GetForProfile(profile_)
           ->GetContentSettingAndMaybeUpdateLastUsage(
               requesting_origin, embedding_origin, permission_type_,
               std::string());

[mlamouri (slow - plz ping), 2015/10/20 13:35:45]

I think you can refactor the two blocks above by calling GetPermissionStatus()
here. It would also automatically use |ShouldAutoDeny()| when
::DecidePermission() is called.

[kcarattini, 2015/10/21 03:39:37]

Happy to do all the refactoring in a followup cl. I think it's more clear to
keep the changes separate.

 
   if (content_setting == CONTENT_SETTING_ALLOW ||
       content_setting == CONTENT_SETTING_BLOCK) {
     NotifyPermissionSet(id, requesting_origin, embedding_origin, callback,
                         false /* persist */, content_setting);
     return;
   }
 
   PermissionContextUmaUtil::PermissionRequested(
       permission_type_, requesting_origin, embedding_origin, profile_);
@@ skipping 107 matching lines @@
   DCHECK_EQ(requesting_origin, requesting_origin.GetOrigin());
   DCHECK_EQ(embedding_origin, embedding_origin.GetOrigin());
   DCHECK(content_setting == CONTENT_SETTING_ALLOW ||
          content_setting == CONTENT_SETTING_BLOCK);
 
   HostContentSettingsMapFactory::GetForProfile(profile_)->SetContentSetting(
       ContentSettingsPattern::FromURLNoWildcard(requesting_origin),
       ContentSettingsPattern::FromURLNoWildcard(embedding_origin),
       permission_type_, std::string(), content_setting);
 }
+
+bool PermissionContextBase::IsApiKillSwitchOn() const {

[mlamouri (slow - plz ping), 2015/10/20 13:35:45]

nit: maybe rename: ShouldAutoDeny()?

[kcarattini, 2015/10/21 03:39:37]

Changed from Api to Permission.

+  const std::string param =
+      variations::GetVariationParamValue(kApiKillSwitchFieldStudy,
+          PermissionContextUmaUtil::GetPermissionString(permission_type_));
+
+  return param == kApiKillSwitchFieldParamBlockedValue;
+}