Add throttling to permission reporter

chrome/browser/safe_browsing/permission_reporter.cc

Index: chrome/browser/safe_browsing/permission_reporter.cc
diff --git a/chrome/browser/safe_browsing/permission_reporter.cc b/chrome/browser/safe_browsing/permission_reporter.cc
index 944411149f1a9480811bc0dee25489cde61da453..ad064290b7f15765a4b365619f1aa50d84bff2cd 100644
--- a/chrome/browser/safe_browsing/permission_reporter.cc
+++ b/chrome/browser/safe_browsing/permission_reporter.cc
@@ -2,8 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/memory/ptr_util.h"
 #include "chrome/browser/safe_browsing/permission_reporter.h"
+
+#include <functional>
+
+#include "base/hash.h"
+#include "base/memory/ptr_util.h"
+#include "base/time/default_clock.h"
 #include "chrome/common/safe_browsing/permission_report.pb.h"
 #include "components/variations/active_field_trials.h"
 #include "content/public/browser/permission_type.h"
@@ -19,6 +24,8 @@ const char kPermissionActionReportingUploadUrl[] =
     "http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/"
     "permission-action";
 
+const int kMaximumReportsPerOriginPerPermissionPerMinute = 5;
+
 PermissionReport::PermissionType PermissionTypeForReport(
     PermissionType permission) {
   switch (permission) {
@@ -75,20 +82,39 @@ PermissionReport::Action PermissionActionForReport(PermissionAction action) {
 
 }  // namespace
 
+bool PermissionAndOrigin::operator==(const PermissionAndOrigin& other) const {
+  return (permission == other.permission && origin == other.origin);
+}
+
+std::size_t PermissionAndOriginHash::operator()(
+    const PermissionAndOrigin& permission_and_origin) const {
+  std::size_t permission_hash =
+      static_cast<std::size_t>(permission_and_origin.permission);
+  std::size_t origin_hash =
+      std::hash<std::string>()(permission_and_origin.origin.spec());
+  return base::HashInts(permission_hash, origin_hash);
+}
+
 PermissionReporter::PermissionReporter(net::URLRequestContext* request_context)
-    : PermissionReporter(base::WrapUnique(new net::ReportSender(
-          request_context,
-          net::ReportSender::CookiesPreference::DO_NOT_SEND_COOKIES))) {}
+    : PermissionReporter(
+          base::WrapUnique(new net::ReportSender(
+              request_context,
+              net::ReportSender::CookiesPreference::DO_NOT_SEND_COOKIES)),
+          base::WrapUnique(new base::DefaultClock)) {}
 
 PermissionReporter::PermissionReporter(
-    std::unique_ptr<net::ReportSender> report_sender)
-    : permission_report_sender_(std::move(report_sender)) {}
+    std::unique_ptr<net::ReportSender> report_sender,
+    std::unique_ptr<base::Clock> clock)
+    : permission_report_sender_(std::move(report_sender)),
+      clock_(std::move(clock)) {}
 
 PermissionReporter::~PermissionReporter() {}
 
 void PermissionReporter::SendReport(const GURL& origin,
                                     content::PermissionType permission,
                                     PermissionAction action) {
+  if (IsReportThresholdExceeded(permission, origin))
+    return;
   std::string serialized_report;
   BuildReport(origin, permission, action, &serialized_report);
   permission_report_sender_->Send(GURL(kPermissionActionReportingUploadUrl),
@@ -126,4 +152,22 @@ bool PermissionReporter::BuildReport(const GURL& origin,
   return report.SerializeToString(output);
 }
 
+bool PermissionReporter::IsReportThresholdExceeded(
+    content::PermissionType permission,
+    const GURL& origin) {
+  std::queue<base::Time>& history = sent_histories[{permission, origin}];

[Nathan Parker, 2016/07/14 22:00:24]

A caveat, probably with no action required:

This map will collect entries for every permission granted, and will never
delete them when they're no longer useful. I think this is probably fine, since
the rate of new permission requests x origins shouldn't be huge.

If that is a problem you could store
 [ {origin, permission, timestamp}, {.., .., ..}, ... ]

And then prune that list of old timestamps every time you hit this function. 
Then you'd need to count those that match origin + permission.

[stefanocs, 2016/07/15 02:04:28]

Yes, me and Raymes have discussed this before and we think this is okay. Kendra,
what do you think?

[raymes, 2016/07/18 01:16:51]

We also discussed just keeping:
{(origin, permissions, timestamp): count}

If timestamp is older than 1min we reset count. This gets an approximation of
the limit but is much simpler to implement, requires less storage, etc.

[kcarattini, 2016/07/18 01:56:36]

In the normal case I wouldn't expect this to be a problem. How about a TODO to
address this if memory becomes an issue?

+  base::Time current_time = clock_->Now();
+  // Remove entries that are sent more than one minute ago.
+  while (!history.empty() &&
+         current_time - history.front() > base::TimeDelta::FromMinutes(1)) {
+    history.pop();
+  }
+  if (history.size() < kMaximumReportsPerOriginPerPermissionPerMinute) {
+    history.push(current_time);
+    return false;
+  } else {
+    return true;
+  }
+}
+
 }  // namespace safe_browsing