Add net::SdchSourceStream and net::SdchPolicyDelegate

net/filter/sdch_policy_delegate.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/filter/sdch_policy_delegate.h"
+
+#include "base/metrics/histogram_macros.h"
+#include "base/strings/string_util.h"
+#include "base/values.h"
+#include "net/base/sdch_problem_codes.h"
+#include "net/log/net_log.h"
+#include "net/log/net_log_event_type.h"
+#include "net/url_request/url_request_http_job.h"
+#include "sdch/open-vcdiff/src/google/vcdecoder.h"
+
+namespace net {
+
+namespace {
+
+const char kRefreshHtml[] =
+    "<head><META HTTP-EQUIV=\"Refresh\" CONTENT=\"0\"></head>";
+// Mime types:
+const char kTextHtml[] = "text/html";
+
+// Disambiguate various types of responses that trigger a meta-refresh,
+// failure, or fallback to pass-through.
+enum ResponseCorruptionDetectionCause {
+  RESPONSE_NONE,
+
+  // 404 Http Response Code
+  RESPONSE_404 = 1,
+
+  // Not a 200 Http Response Code
+  RESPONSE_NOT_200 = 2,
+
+  // Cached before dictionary retrieved.
+  RESPONSE_OLD_UNENCODED = 3,
+
+  // Speculative but incorrect SDCH filtering was added added.
+  RESPONSE_TENTATIVE_SDCH = 4,
+
+  // Missing correct dict for decoding.
+  RESPONSE_NO_DICTIONARY = 5,
+
+  // Not an SDCH response but should be.
+  RESPONSE_CORRUPT_SDCH = 6,
+
+  // No dictionary was advertised with the request, the server claims
+  // to have encoded with SDCH anyway, but it isn't an SDCH response.
+  RESPONSE_ENCODING_LIE = 7,
+
+  RESPONSE_MAX,
+};
+
+const char* ResponseCorruptionDetectionCauseToString(
+    ResponseCorruptionDetectionCause cause) {
+  const char* cause_string = "<unknown>";
+  switch (cause) {
+    case RESPONSE_NONE:
+      cause_string = "NONE";
+      break;
+    case RESPONSE_404:
+      cause_string = "404";
+      break;
+    case RESPONSE_NOT_200:
+      cause_string = "NOT_200";
+      break;
+    case RESPONSE_OLD_UNENCODED:
+      cause_string = "OLD_UNENCODED";
+      break;
+    case RESPONSE_TENTATIVE_SDCH:
+      cause_string = "TENTATIVE_SDCH";
+      break;
+    case RESPONSE_NO_DICTIONARY:
+      cause_string = "NO_DICTIONARY";
+      break;
+    case RESPONSE_CORRUPT_SDCH:
+      cause_string = "CORRUPT_SDCH";
+      break;
+    case RESPONSE_ENCODING_LIE:
+      cause_string = "ENCODING_LIE";
+      break;
+    case RESPONSE_MAX:
+      cause_string = "<Error: max enum value>";
+      break;
+  }
+  return cause_string;
+}
+
+std::unique_ptr<base::Value> NetLogResponseCorruptionDetectionCallback(
+    ResponseCorruptionDetectionCause cause,
+    bool cached,
+    NetLogCaptureMode capture_mode) {
+  std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
+  dict->SetString("cause", ResponseCorruptionDetectionCauseToString(cause));
+  dict->SetBoolean("cached", cached);
+  return std::move(dict);
+}
+
+void LogCorruptionDetection(const NetLogWithSource& net_log,
+                            bool is_cached_content,
+                            ResponseCorruptionDetectionCause cause) {
+  // Use if statement rather than ?: because UMA_HISTOGRAM_ENUMERATION
+  // caches the histogram name based on the call site.
+  if (is_cached_content) {
+    UMA_HISTOGRAM_ENUMERATION("Sdch3.ResponseCorruptionDetection.Cached", cause,
+                              RESPONSE_MAX);
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("Sdch3.ResponseCorruptionDetection.Uncached",
+                              cause, RESPONSE_MAX);
+  }
+  net_log.AddEvent(NetLogEventType::SDCH_RESPONSE_CORRUPTION_DETECTION,
+                   base::Bind(&NetLogResponseCorruptionDetectionCallback, cause,
+                              is_cached_content));
+}
+
+}  // namespace
+
+SdchPolicyDelegate::SdchPolicyDelegate(
+    bool possible_pass_through,
+    URLRequestHttpJob* job,
+    std::string mime_type,
+    const GURL& url,
+    bool is_cached_content,
+    SdchManager* sdch_manager,
+    std::unique_ptr<SdchManager::DictionarySet> dictionary_set,
+    int response_code,
+    const NetLogWithSource& net_log)
+    : possible_pass_through_(possible_pass_through),
+      job_(job),
+      mime_type_(mime_type),
+      url_(url),
+      is_cached_content_(is_cached_content),
+      sdch_manager_(sdch_manager),
+      dictionary_set_(std::move(dictionary_set)),
+      response_code_(response_code),
+      net_log_(net_log) {}
+
+SdchPolicyDelegate::~SdchPolicyDelegate() {}
+
+// static
+void SdchPolicyDelegate::FixUpSdchContentEncodings(
+    const NetLogWithSource& net_log,
+    const std::string& mime_type,
+    SdchManager::DictionarySet* dictionary_set,
+    std::vector<SourceStream::SourceType>* types) {
+  // If sdch dictionary is advertised, we might need to add some decoding, as
+  // some proxies strip encoding completely.

[Randy Smith (Not in Mondays), 2016/10/19 19:49:41]

nit, suggestion: I think this comment would be clearer if it was after this if
condition (since the if conditional is the opposite of what's in the comment,
and the additional decoding is later in the function).

[xunjieli, 2016/10/20 00:09:14]

Done.

+  if (!dictionary_set) {
+    // It was not an SDCH request, so we'll just record stats.
+    if (1 < types->size()) {
+      // Multiple filters were intended to only be used for SDCH (thus far!)
+      SdchManager::LogSdchProblem(net_log,
+                                  SDCH_MULTIENCODING_FOR_NON_SDCH_REQUEST);
+    }
+    if ((1 == types->size()) && (SourceStream::TYPE_SDCH == types->front())) {
+      SdchManager::LogSdchProblem(
+          net_log, SDCH_SDCH_CONTENT_ENCODE_FOR_NON_SDCH_REQUEST);
+    }
+    return;
+  }
+  // If content encoding included SDCH, then everything is "relatively" fine.
+  if (!types->empty() && types->front() == SourceStream::TYPE_SDCH) {
+    // Some proxies (found currently in Argentina) strip the Content-Encoding
+    // text from "sdch,gzip" to a mere "sdch" without modifying the compressed
+    // payload.  To handle this gracefully, we simulate the "probably" deleted
+    // ",gzip" by appending a tentative gzip decode, which will default to a
+    // no-op pass through filter if it doesn't get gzip headers where
+    // expected.
+    if (1 == types->size()) {
+      types->push_back(SourceStream::TYPE_GZIP_FALLBACK);
+      SdchManager::LogSdchProblem(net_log, SDCH_OPTIONAL_GUNZIP_ENCODING_ADDED);
+    }
+    return;
+  }
+
+  // There are now several cases to handle for an SDCH request. Foremost, if
+  // the outbound request was stripped so as not to advertise support for
+  // encodings, we might get back content with no encoding, or (for example)
+  // just gzip. We have to be sure that any changes we make allow for such
+  // minimal coding to work. That issue is why we use POSSIBLE_SDCH filters,
+  // as those filters sniff the content, and act as pass-through filters if
+  // headers are not found. TODO(xunjieli): Currently POSSIBLE_SDCH filters
+  // issue meta-refresh instead of pass-throughs to match old code. Change it
+  // to do pass-throughs.
+
+  // If the outbound GET is not modified, then the server will generally try to
+  // send us SDCH encoded content. As that content returns, there are several
+  // corruptions of the header "content-encoding" that proxies may perform (and
+  // have been detected in the wild). We already dealt with the a honest
+  // content encoding of "sdch,gzip" being corrupted into "sdch" with no change
+  // of the actual content. Another common corruption is to either discard
+  // the accurate content encoding, or to replace it with gzip only (again, with
+  // no change in actual content). The last observed corruption it to actually
+  // change the content, such as by re-gzipping it, and that may happen along
+  // with corruption of the stated content encoding (wow!).
+
+  // The one unresolved failure mode comes when we advertise a dictionary, and
+  // the server tries to *send* a gzipped file (not gzip encode content), and
+  // then we could do a gzip decode :-(.
+  // We will gather a lot of stats as we perform the fixups.
+  if (base::StartsWith(mime_type, kTextHtml,
+                       base::CompareCase::INSENSITIVE_ASCII)) {
+    // Suspicious case: Advertised dictionary, but server didn't use sdch, and
+    // we're HTML tagged.
+    if (types->empty()) {
+      SdchManager::LogSdchProblem(net_log, SDCH_ADDED_CONTENT_ENCODING);
+    } else if (1 == types->size()) {
+      SdchManager::LogSdchProblem(net_log, SDCH_FIXED_CONTENT_ENCODING);
+    } else {
+      SdchManager::LogSdchProblem(net_log, SDCH_FIXED_CONTENT_ENCODINGS);
+    }
+  } else {
+    // Remarkable case!?!  We advertised an SDCH dictionary, content-encoding
+    // was not marked for SDCH processing: Why did the server suggest an SDCH
+    // dictionary in the first place??. Also, the content isn't
+    // tagged as HTML, despite the fact that SDCH encoding is mostly likely
+    // for HTML: Did some anti-virus system strip this tag (sometimes they
+    // strip accept-encoding headers on the request)??  Does the content
+    // encoding not start with "text/html" for some other reason??  We'll
+    // report this as a fixup to a binary file, but it probably really is
+    // text/html (some how).
+    if (types->empty()) {
+      SdchManager::LogSdchProblem(net_log, SDCH_BINARY_ADDED_CONTENT_ENCODING);
+    } else if (1 == types->size()) {
+      SdchManager::LogSdchProblem(net_log, SDCH_BINARY_FIXED_CONTENT_ENCODING);
+    } else {
+      SdchManager::LogSdchProblem(net_log, SDCH_BINARY_FIXED_CONTENT_ENCODINGS);
+    }
+  }
+
+  // Leave the existing encoding type to be processed first, and add our
+  // tentative decodings to be done afterwards. Vodaphone UK reportedly will
+  // perform a second layer of gzip encoding atop the server's sdch,gzip
+  // encoding, and then claim that the content encoding is a mere gzip. As a
+  // result we'll need (in that case) to do the gunzip, plus our tentative
+  // gunzip and tentative SDCH decoding. This approach nicely handles the
+  // empty() list as well, and should work with other (as yet undiscovered)
+  // proxies the choose to re-compressed with some other encoding (such as
+  // bzip2, etc.).
+  types->insert(types->begin(), SourceStream::TYPE_GZIP_FALLBACK);
+  types->insert(types->begin(), SourceStream::TYPE_SDCH_POSSIBLE);
+}
+
+// Dictionary id errors are often the first indication that the SDCH stream has
+// become corrupt. There are many possible causes: non-200 response codes, a
+// cached non-SDCH-ified reply, or a response that claims to be SDCH but isn't
+// actually. These are handled here by issuing a meta-refresh or swapping to the
+// "passthrough" mode if appropriate, or failing the request if the error is
+// unrecoverable.
+SdchPolicyDelegate::ErrorRecovery SdchPolicyDelegate::OnDictionaryIdError(
+    std::string* replace_output) {
+  if (possible_pass_through_) {
+    LogCorruptionDetection(net_log_, is_cached_content_,
+                           RESPONSE_TENTATIVE_SDCH);
+    // Ideally we should return PASS_THROUGH here, but this is done to match
+    // the old behavior in sdch_filter.cc.
+  }
+  // HTTP 404 might be an unencoded error page, so if decoding failed, pass it
+  // through. TODO(xunjieli): Remove this. crbug.com/516773.
+  if (response_code_ == 404) {
+    SdchManager::LogSdchProblem(net_log_, SDCH_PASS_THROUGH_404_CODE);
+    LogCorruptionDetection(net_log_, is_cached_content_, RESPONSE_404);
+    return PASS_THROUGH;
+  }
+
+  // HTTP !200 gets a meta-refresh for HTML.
+  // TODO(xunjieli): remove this. crbug.com/654393.
+  if (response_code_ != 200) {
+    LogCorruptionDetection(net_log_, is_cached_content_, RESPONSE_NOT_200);
+    return IssueMetaRefreshIfPossible(replace_output);
+  }
+
+  // If this is a cached result and the source hasn't requested a dictionary, it
+  // probably never had a dictionary to begin and is an unencoded response from
+  // earlier.
+  if (is_cached_content_) {
+    SdchManager::LogSdchProblem(net_log_, SDCH_PASS_THROUGH_OLD_CACHED);
+    LogCorruptionDetection(net_log_, is_cached_content_,
+                           RESPONSE_OLD_UNENCODED);
+    return PASS_THROUGH;
+  }
+
+  // The original request didn't advertise any dictionaries, but the
+  // response claimed to be SDCH. There is no way to repair this situation: the
+  // original request already didn't advertise any dictionaries, and retrying it
+  // would likely have the/ same result. Blacklist the domain and try passing
+  // through.
+  if (!dictionary_set_) {
+    sdch_manager_->BlacklistDomain(url_, SDCH_PASSING_THROUGH_NON_SDCH);
+    LogCorruptionDetection(net_log_, is_cached_content_, RESPONSE_ENCODING_LIE);
+    return PASS_THROUGH;
+  }
+  // Since SDCH dictionaries are advertised, this is a corrupt SDCH response.
+  LogCorruptionDetection(net_log_, is_cached_content_, RESPONSE_CORRUPT_SDCH);
+  return IssueMetaRefreshIfPossible(replace_output);
+}
+
+// Dictionary fails to load when we have a plausible dictionay id. There are
+// many possible causes: a cached SDCH-ified reply for which the SdchManager did
+// not have the dictionary or a corrupted response. These are handled here by
+// issuing a meta-refresh except the case where response code is 404.
+SdchPolicyDelegate::ErrorRecovery SdchPolicyDelegate::OnGetDictionaryError(
+    std::string* replace_output) {
+  if (possible_pass_through_) {
+    LogCorruptionDetection(net_log_, is_cached_content_,
+                           RESPONSE_TENTATIVE_SDCH);
+    // Ideally we should return PASS_THROUGH here, but this is done to match
+    // the old behavior in sdch_filter.cc.
+  }
+  // HTTP 404 might be an unencoded error page, so if decoding failed, pass it
+  // through. TODO(xunjieli): Remove this case crbug.com/516773.
+  if (response_code_ == 404) {
+    SdchManager::LogSdchProblem(net_log_, SDCH_PASS_THROUGH_404_CODE);
+    LogCorruptionDetection(net_log_, is_cached_content_, RESPONSE_404);
+    return PASS_THROUGH;
+  }
+  SdchManager::LogSdchProblem(net_log_, SDCH_DICTIONARY_HASH_NOT_FOUND);
+  LogCorruptionDetection(net_log_, is_cached_content_, RESPONSE_NO_DICTIONARY);
+  return IssueMetaRefreshIfPossible(replace_output);
+}
+
+SdchPolicyDelegate::ErrorRecovery SdchPolicyDelegate::OnDecodingError(
+    std::string* replace_output) {
+  // A decoding error, as opposed to a dictionary error, indicates a
+  // decompression failure partway through the payload of the SDCH stream,
+  // which means that the filter already witnessed a valid dictionary ID and
+  // successfully retrieved a dictionary for it. Decoding errors are not
+  // recoverable and it is not appropriate to stop decoding, so there are
+  // relatively few error cases here.
+  //
+  // In particular, a decoding error for an HTML payload is recoverable by
+  // issuing a meta-refresh, but to avoid having that happen too often, this
+  // class also temporarily blacklists the domain. A decoding error for a
+  // non-HTML payload is unrecoverable, so such an error gets a permanent
+  // blacklist entry. If the content was cached, no blacklisting is needed.
+  // TODO(xunjieli): This case should be removed. crbug.com/651821.
+  return IssueMetaRefreshIfPossible(replace_output);
+}
+
+bool SdchPolicyDelegate::OnGetDictionary(const std::string& server_id,
+                                         const std::string** text) {
+  if (dictionary_set_) {
+    *text = dictionary_set_->GetDictionaryText(server_id);
+    if (*text) {
+      server_id_ = server_id;
+      return true;
+    }
+  }
+  // This is a hack. Naively, the dictionaries available for
+  // decoding should be only the ones advertised. However, there are
+  // cases, specifically resources encoded with old dictionaries living
+  // in the cache, that mean the full set of dictionaries should be made
+  // available for decoding. It's not known how often this happens;
+  // if it happens rarely enough, this code can be removed.
+  //
+  // TODO(rdsmith): Long-term, a better solution is necessary, since
+  // an entry in the cache being encoded with the dictionary doesn't
+  // guarantee that the dictionary is present. That solution probably
+  // involves storing unencoded resources in the cache, but might
+  // involve evicting encoded resources on dictionary removal.
+  // See http://crbug.com/383405.
+  SdchProblemCode rv = SDCH_OK;
+  unexpected_dictionary_set_ =
+      sdch_manager_->GetDictionarySetByHash(url_, server_id, &rv);
+  if (unexpected_dictionary_set_) {
+    *text = unexpected_dictionary_set_->GetDictionaryText(server_id);
+    SdchManager::LogSdchProblem(
+        net_log_, is_cached_content_ ? SDCH_UNADVERTISED_DICTIONARY_USED_CACHED
+                                     : SDCH_UNADVERTISED_DICTIONARY_USED);
+    if (*text) {
+      server_id_ = server_id;
+      return true;
+    }
+  }
+  return false;
+}
+
+void SdchPolicyDelegate::OnStreamDestroyed(
+    SdchSourceStream::InputState input_state,
+    const std::string& buffered_output,
+    open_vcdiff::VCDiffStreamingDecoder* decoder) {
+  if (decoder) {
+    if (!decoder->FinishDecoding()) {
+      SdchManager::LogSdchProblem(net_log_, SDCH_INCOMPLETE_SDCH_CONTENT);
+      // Make it possible for the user to hit reload, and get non-sdch content.
+      // Note this will "wear off" quickly enough, and is just meant to assure
+      // in some rare case that the user is not stuck.
+      sdch_manager_->BlacklistDomain(url_, SDCH_INCOMPLETE_SDCH_CONTENT);
+    }
+  }
+  // Filter chaining error, or premature teardown.
+  if (!buffered_output.empty())
+    SdchManager::LogSdchProblem(net_log_, SDCH_UNFLUSHED_CONTENT);
+
+  // Only record packet stats for non-cached content.
+  if (is_cached_content_) {
+    // Not a real error, but it is useful to have this tally.
+    // TODO(jar): Remove this stat after SDCH stability is validated.
+    SdchManager::LogSdchProblem(net_log_, SDCH_CACHE_DECODED);
+    return;  // We don't need timing stats, and we aready got ratios.
+  }
+  switch (input_state) {
+    case SdchSourceStream::STATE_DECODE: {
+      job_->RecordPacketStats(FilterContext::StatisticSelector::SDCH_DECODE);
+      // Allow latency experiments to proceed.
+      sdch_manager_->SetAllowLatencyExperiment(url_, true);
+
+      // Notify successful dictionary usage.
+      DCHECK(!server_id_.empty());
+      sdch_manager_->OnDictionaryUsed(server_id_);
+      return;
+    }
+    case SdchSourceStream::STATE_LOAD_DICTIONARY:
+      SdchManager::LogSdchProblem(net_log_, SDCH_PRIOR_TO_DICTIONARY);
+      return;
+    case SdchSourceStream::STATE_PASS_THROUGH:
+      job_->RecordPacketStats(
+          FilterContext::StatisticSelector::SDCH_PASSTHROUGH);
+      return;
+    case SdchSourceStream::STATE_OUTPUT_REPLACE:
+      // This is meta refresh case. Already accounted for when set.
+      return;
+  }  // end of switch.
+}
+
+// TODO(xunjieli): Remove meta refresh. crbug.com/651821.
+SdchPolicyDelegate::ErrorRecovery
+SdchPolicyDelegate::IssueMetaRefreshIfPossible(std::string* replace_output) {
+  // Errors for non-HTML payloads are unrecoverable and get the domain
+  // blacklisted indefinitely.
+  if (mime_type_.npos == mime_type_.find("text/html")) {
+    SdchProblemCode problem =
+        (is_cached_content_ ? SDCH_CACHED_META_REFRESH_UNSUPPORTED
+                            : SDCH_META_REFRESH_UNSUPPORTED);
+    sdch_manager_->BlacklistDomainForever(url_, problem);
+    SdchManager::LogSdchProblem(net_log_, problem);
+    return NONE;
+  }
+
+  if (is_cached_content_) {
+    // Cached content is a probably startup tab, so just get the fresh content
+    // and try again, without disabling SDCH.
+    SdchManager::LogSdchProblem(net_log_, SDCH_META_REFRESH_CACHED_RECOVERY);
+  } else {
+    // Since it wasn't in the cache, blacklist for some period to get the
+    // correct content.
+    sdch_manager_->BlacklistDomain(url_, SDCH_META_REFRESH_RECOVERY);
+    SdchManager::LogSdchProblem(net_log_, SDCH_META_REFRESH_RECOVERY);
+  }
+
+  *replace_output = std::string(kRefreshHtml, strlen(kRefreshHtml));
+  return REPLACE_OUTPUT;
+}
+
+}  // namespace net