First experimental implementation of the Clear-Site-Data header

content/browser/browsing_data/clear_site_data_header_observer.cc

Index: content/browser/browsing_data/clear_site_data_header_observer.cc
diff --git a/content/browser/browsing_data/clear_site_data_header_observer.cc b/content/browser/browsing_data/clear_site_data_header_observer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..6c179bf4f0dbf731701c1a2a5b418dda13d4612f
--- /dev/null
+++ b/content/browser/browsing_data/clear_site_data_header_observer.cc
@@ -0,0 +1,254 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/browsing_data/clear_site_data_header_observer.h"
+
+#include "base/command_line.h"
+#include "base/json/json_reader.h"
+#include "base/json/json_string_value_serializer.h"
+#include "base/memory/ptr_util.h"
+#include "base/strings/stringprintf.h"
+#include "base/values.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/public/browser/browser_context.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/browser/navigation_handle.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/content_switches.h"
+#include "content/public/common/origin_util.h"
+#include "net/http/http_response_headers.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace content {
+
+namespace {
+
+static const char* kClearSiteDataHeader = "Clear-Site-Data";
+
+static const char* kTypesKey = "types";
+
+// Pretty-printed log output.
+static const char* kConsoleMessagePrefix =
+    "Clear-Site-Data header on '%s': %s";
+static const char* kClearingOneType = "Clearing %s.";
+static const char* kClearingTwoTypes = "Clearing %s and %s.";
+static const char* kClearingThreeTypes = "Clearing %s, %s, and %s.";
+
+// Console logging. Adds a |text| message with |level| to |messages|.
+void ConsoleLog(
+    std::vector<ClearSiteDataHeaderObserver::ConsoleMessage>* messages,
+    const GURL& url, const std::string& text, ConsoleMessageLevel level) {
+  messages->push_back({url, text, level});
+}
+
+bool AreExperimentalFeaturesEnabled() {
+  return base::CommandLine::ForCurrentProcess()->HasSwitch(
+      switches::kEnableExperimentalWebPlatformFeatures);
+}
+
+}  // namespace
+
+// static
+std::unique_ptr<ClearSiteDataHeaderObserver>
+    ClearSiteDataHeaderObserver::CreateFor(NavigationHandle* handle) {
+  ClearSiteDataHeaderObserver* observer = AreExperimentalFeaturesEnabled()
+      ? new ClearSiteDataHeaderObserver(handle->GetWebContents())

[nasko, 2016/07/28 17:30:30]

This looks wrong to me. You only need one observer to observe a specific
WebContents.

[msramek, 2016/08/01 16:03:18]

Acknowledged. Please see the other comment with the explanation how we got here.

+      : nullptr;
+
+  return base::WrapUnique(observer);
+}
+
+ClearSiteDataHeaderObserver::~ClearSiteDataHeaderObserver() {}
+
+void ClearSiteDataHeaderObserver::DidStartNavigation(
+    NavigationHandle* navigation_handle) {
+  current_url_ = navigation_handle->GetURL();
+}
+
+void ClearSiteDataHeaderObserver::DidRedirectNavigation(
+    NavigationHandle* navigation_handle) {
+  // We are processing a redirect from url1 to url2. GetResponseHeaders()
+  // contains headers from url1, but GetURL() is already equal to url2. Handle
+  // the headers before updating the URL, so that |current_url_| corresponds
+  // to the URL that sent the headers.
+  HandleHeader(navigation_handle);
+  current_url_ = navigation_handle->GetURL();
+}
+
+void ClearSiteDataHeaderObserver::DidFinishNavigation(
+    NavigationHandle* navigation_handle) {
+  HandleHeader(navigation_handle);
+
+  // Now that we have access to the correct RenderFrameHost,
+  // output the cached console messages. Prefix each sequence of messages
+  // belonging to the same URL with |kConsoleMessagePrefix|.
+  GURL last_seen_url;
+  for (const ConsoleMessage& message : messages_) {
+    std::string output;

[nasko, 2016/07/28 17:30:30]

What is output used for?

[msramek, 2016/08/01 16:03:19]

Argh :( This piece of code was added as a last-minute "improvement" as I was
hasting to send out this patchset in the afternoon before clamy@ left OOO.

This is not actually used.

+    if (message.url == last_seen_url) {

[nasko, 2016/07/28 17:30:30]

last_seen_url is never set to any meaningful URL. What is its purpose?

[msramek, 2016/08/01 16:03:18]

Ditto as above. Sorry for that.

|last_seen_url| is supposed to cache the URL from the previous iteration, so
that we only output the prefix "Clear-Site-Data header on <URL>" once per a
sequence of messages from the same URL.

+      output = message.text;
+    } else {
+      navigation_handle->GetRenderFrameHost()->AddMessageToConsole(
+          message.level,
+          base::StringPrintf(
+              kConsoleMessagePrefix, message.url.spec().c_str(),
+              message.text.c_str()));
+    }
+  }
+}
+
+ClearSiteDataHeaderObserver::ClearSiteDataHeaderObserver(

[nasko, 2016/07/28 17:30:30]

nit: I'd put the constructor next to the destructor, even though they are not
declared in that order in the header file.

[msramek, 2016/08/01 16:03:19]

Done.

+    WebContents* web_contents)
+    : WebContentsObserver(web_contents) {}
+
+void ClearSiteDataHeaderObserver::HandleHeader(
+    NavigationHandle* navigation_handle) {
+  NavigationHandleImpl* handle =
+      static_cast<NavigationHandleImpl*>(navigation_handle);
+
+  // Some navigations don't have response headers.
+  if (!handle->GetResponseHeaders())
+    return;
+
+  // Extract the instances of the header and parse them.
+  size_t iter = 0;
+  std::string header_name;
+  std::string header_value;
+  while (handle->GetResponseHeaders()->EnumerateHeaderLines(
+      &iter, &header_name, &header_value)) {
+    if (header_name != kClearSiteDataHeader)
+      continue;
+
+    // Only accept the header on secure origins.
+    if (!IsOriginSecure(current_url_)) {
+      ConsoleLog(&messages_,
+                 current_url_,
+                 "Not supported for insecure origins.",
+                 CONSOLE_MESSAGE_LEVEL_ERROR);
+      return;
+    }
+
+    bool clear_cookies;
+    bool clear_storage;
+    bool clear_cache;
+
+    if (!ParseHeader(header_value, &clear_cookies, &clear_storage, &clear_cache,
+                     &messages_)) {
+      continue;
+    }
+
+    // If the header is valid, clear the data for this browser context
+    // and origin.
+    BrowserContext* browser_context =
+        handle->GetWebContents()->GetBrowserContext();
+    url::Origin origin(current_url_);
+
+    GetContentClient()->browser()->ClearSiteData(
+        browser_context, origin, clear_cookies, clear_storage, clear_cache);
+  }
+}
+
+bool ClearSiteDataHeaderObserver::ParseHeader(
+    const std::string& header,
+    bool* clear_cookies, bool* clear_storage, bool* clear_cache,

[nasko, 2016/07/28 17:30:30]

style: Each param is on a new line.

[msramek, 2016/08/01 16:03:19]

Done.

+    std::vector<ConsoleMessage>* messages) {
+  std::unique_ptr<base::Value> parsed_header =
+      base::JSONReader::Read(header);

[nasko, 2016/07/28 17:30:30]

Since this is untrusted data from the network, you should use
components/safe_json. However, that means it is async and cannot be done in sync
fasion. If you want to keep this parser, you should at least reject non-ASCII
inputs.

[msramek, 2016/08/01 16:03:19]

I added the ASCII test for now. I'm happy to use safe_json for better security,
but before I start, I want to make sure that we all agree on whether this should
be a NavigationThrottle, a WebContentsObserver, or something else. The design of
this class might change significantly depending on that, because if this class
only lives for the duration of one navigation, I assume that the JSON parser
might easily take longer and then we'll have to process everything in static
functions.

+
+  if (!parsed_header) {

[nasko, 2016/07/28 17:30:30]

I'll stop reviewing this method for now, as I think we need to figure out what
the high level design is. Do you have a design document describing how this
feature is to be implemented?

[msramek, 2016/08/01 16:03:18]

I don't have a design doc at hand; I'm working with the spec at
https://www.w3.org/TR/clear-site-data/. The spec defines that the value should
be JSON of the form { "types": [ <string>, ... ] }. The spec doesn't prescribe
how the console error messages should look like, so I'm just outputting one
error message for each step where the parsing could fail.

+    ConsoleLog(messages,
+               current_url_,
+               base::StringPrintf("%s is not a valid JSON.", header.c_str()),
+               CONSOLE_MESSAGE_LEVEL_ERROR);
+    return false;
+  }
+
+  const base::ListValue* types = nullptr;
+  if (!parsed_header->GetAsDictionary(nullptr) ||
+      !static_cast<base::DictionaryValue*>(parsed_header.get())
+          ->GetListWithoutPathExpansion(kTypesKey, &types)) {
+    ConsoleLog(messages,
+               current_url_,
+               base::StringPrintf(
+                   "%s is not a JSON dictionary with a 'types' field.",
+                   header.c_str()),
+               CONSOLE_MESSAGE_LEVEL_ERROR);
+    return false;
+  }
+
+  DCHECK(types);
+
+  *clear_cookies = false;
+  *clear_storage = false;
+  *clear_cache = false;
+
+  std::vector<std::string> type_names;
+  for (const std::unique_ptr<base::Value>& value : *types) {
+    std::string type;
+    value->GetAsString(&type);
+
+    bool* datatype = nullptr;
+
+    if (type == "cookies") {
+      datatype = clear_cookies;
+    } else if (type == "storage") {
+      datatype = clear_storage;
+    } else if (type == "cache") {
+      datatype = clear_cache;
+    } else {
+      std::string serialized_type;
+      JSONStringValueSerializer serializer(&serialized_type);
+      serializer.Serialize(*value);
+      ConsoleLog(messages,
+                 current_url_,
+                 base::StringPrintf("Invalid type: %s.",
+                                    serialized_type.c_str()),
+                 CONSOLE_MESSAGE_LEVEL_ERROR);
+      continue;
+    }
+
+    // Each data type should only be processed once.
+    DCHECK(datatype);
+    if (*datatype)
+      continue;
+
+    *datatype = true;
+    type_names.push_back(type);
+  }
+
+  if (!*clear_cookies && !*clear_storage && !*clear_cache) {
+    ConsoleLog(messages,
+               current_url_,
+               base::StringPrintf(
+                   "No valid types specified in %s.", header.c_str()),
+               CONSOLE_MESSAGE_LEVEL_ERROR);
+    return false;
+  }
+
+  // Pretty-print which types are to be cleared.
+  std::string output;
+  switch (type_names.size()) {
+    case 1:
+      output = base::StringPrintf(kClearingOneType, type_names[0].c_str());
+      break;
+    case 2:
+      output = base::StringPrintf(
+          kClearingTwoTypes, type_names[0].c_str(), type_names[1].c_str());
+      break;
+    case 3:
+      output = base::StringPrintf(
+          kClearingThreeTypes,
+          type_names[0].c_str(), type_names[1].c_str(), type_names[2].c_str());
+      break;
+    default:
+      NOTREACHED();
+  }
+  ConsoleLog(messages, current_url_, output, CONSOLE_MESSAGE_LEVEL_LOG);
+
+  return true;
+}
+
+}  // namespace content