Support the Clear-Site-Data header on resource requests

content/browser/browsing_data/clear_site_data_throttle.cc

Index: content/browser/browsing_data/clear_site_data_throttle.cc
diff --git a/content/browser/browsing_data/clear_site_data_throttle.cc b/content/browser/browsing_data/clear_site_data_throttle.cc
index 9799e1c7a06cd8c6a5ab2d1a59d2472a7f47c40e..bdc32ae9888c2bb6d9f18f0faf9f41c55cd3ea8a 100644
--- a/content/browser/browsing_data/clear_site_data_throttle.cc
+++ b/content/browser/browsing_data/clear_site_data_throttle.cc
@@ -12,15 +12,20 @@
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
-#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/service_worker/service_worker_response_info.h"
 #include "content/public/browser/browser_context.h"
-#include "content/public/browser/content_browser_client.h"
-#include "content/public/browser/navigation_handle.h"
+#include "content/public/browser/browser_thread.h"
+#include "content/public/browser/browsing_data_filter_builder.h"
+#include "content/public/browser/browsing_data_remover.h"
+#include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
-#include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/origin_util.h"
+#include "content/public/common/resource_response_info.h"
+#include "net/base/load_flags.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/http/http_response_headers.h"
+#include "net/url_request/redirect_info.h"
 #include "url/gurl.h"
 #include "url/origin.h"
 
@@ -28,6 +33,8 @@ namespace content {
 
 namespace {
 
+static const char* kNameForLogging = "ClearSiteDataThrottle";
+
 static const char* kClearSiteDataHeader = "Clear-Site-Data";
 
 static const char* kTypesKey = "types";
@@ -38,14 +45,6 @@ static const char* kClearingOneType = "Clearing %s.";
 static const char* kClearingTwoTypes = "Clearing %s and %s.";
 static const char* kClearingThreeTypes = "Clearing %s, %s, and %s.";
 
-// Console logging. Adds a |text| message with |level| to |messages|.
-void ConsoleLog(std::vector<ClearSiteDataThrottle::ConsoleMessage>* messages,
-                const GURL& url,
-                const std::string& text,
-                ConsoleMessageLevel level) {
-  messages->push_back({url, text, level});
-}
-
 bool AreExperimentalFeaturesEnabled() {
   return base::CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kEnableExperimentalWebPlatformFeatures);
@@ -58,34 +57,146 @@ int ParametersMask(bool clear_cookies, bool clear_storage, bool clear_cache) {
          static_cast<int>(clear_cache) * (1 << 2);
 }
 
-}  // namespace
+// A helper function to pass an IO thread callback to a method called on
+// the UI thread.
+void JumpFromUIToIOThread(const base::Closure& callback) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, callback);
+}
 
-// static
-std::unique_ptr<NavigationThrottle>
-ClearSiteDataThrottle::CreateThrottleForNavigation(NavigationHandle* handle) {
-  if (AreExperimentalFeaturesEnabled())
-    return base::WrapUnique(new ClearSiteDataThrottle(handle));
+// A BrowsingDataRemover::Observer that waits for |count|
+// OnBrowsingDataRemoverDone() callbacks, translates them into
+// one base::Closure, and then destroys itself.
+class ClearSiteDataObserver : public BrowsingDataRemover::Observer {
+ public:
+  explicit ClearSiteDataObserver(BrowsingDataRemover* remover,
+                                 const base::Closure& callback,
+                                 int count)
+      : remover_(remover), callback_(callback), count_(count) {
+    remover_->AddObserver(this);
+  }
+
+  ~ClearSiteDataObserver() override { remover_->RemoveObserver(this); }
 
-  return std::unique_ptr<NavigationThrottle>();
+  // BrowsingDataRemover::Observer.
+  void OnBrowsingDataRemoverDone() override {
+    DCHECK(count_);
+    if (--count_)
+      return;
+
+    JumpFromUIToIOThread(callback_);
+    delete this;
+  }
+
+ private:
+  BrowsingDataRemover* remover_;
+  base::Closure callback_;
+  int count_;
+};
+
+// Finds the BrowserContext associated with the request and requests
+// the actual clearing of data for |origin|. The datatypes to be deleted
+// are determined by |clear_cookies|, |clear_storage|, and |clear_cache|.
+// |web_contents_getter| identifies the WebContents from which the request
+// originated. Must be run on the UI thread. The |callback| will be executed
+// on the IO thread.
+void ClearSiteDataOnUIThread(
+    const ResourceRequestInfo::WebContentsGetter& web_contents_getter,
+    url::Origin origin,
+    bool clear_cookies,
+    bool clear_storage,
+    bool clear_cache,
+    const base::Closure& callback) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  WebContents* web_contents = web_contents_getter.Run();
+  if (!web_contents)
+    return;
+
+  BrowsingDataRemover* remover =
+      BrowserContext::GetBrowsingDataRemover(web_contents->GetBrowserContext());
+
+  // ClearSiteDataObserver deletes itself when callbacks from both removal
+  // tasks are received.
+  ClearSiteDataObserver* observer =
+      new ClearSiteDataObserver(remover, callback, 2 /* number of tasks */);
+
+  // Cookies and channel IDs are scoped to
+  // a) eTLD+1 of |origin|'s host if |origin|'s host is a registrable domain
+  //    or a subdomain thereof
+  // b) |origin|'s host exactly if it is an IP address or an internal hostname
+  //    (e.g. "localhost" or "fileserver").
+  // TODO(msramek): What about plugin data?
+  if (clear_cookies) {
+    std::string domain = GetDomainAndRegistry(
+        origin.host(),
+        net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
+
+    if (domain.empty())
+      domain = origin.host();  // IP address or internal hostname.
+
+    std::unique_ptr<BrowsingDataFilterBuilder> domain_filter_builder(
+        BrowsingDataFilterBuilder::Create(
+            BrowsingDataFilterBuilder::WHITELIST));
+    domain_filter_builder->AddRegisterableDomain(domain);
+
+    remover->RemoveWithFilterAndReply(
+        base::Time(), base::Time::Max(),
+        BrowsingDataRemover::DATA_TYPE_COOKIES |
+            BrowsingDataRemover::DATA_TYPE_CHANNEL_IDS,
+        BrowsingDataRemover::ORIGIN_TYPE_UNPROTECTED_WEB |
+            BrowsingDataRemover::ORIGIN_TYPE_PROTECTED_WEB,
+        std::move(domain_filter_builder), observer);
+  } else {
+    // The first removal task is a no-op.
+    observer->OnBrowsingDataRemoverDone();
+  }
+
+  // Delete origin-scoped data.
+  int remove_mask = 0;
+  if (clear_storage)
+    remove_mask |= BrowsingDataRemover::DATA_TYPE_DOM_STORAGE;
+  if (clear_cache)
+    remove_mask |= BrowsingDataRemover::DATA_TYPE_CACHE;
+
+  if (remove_mask) {
+    std::unique_ptr<BrowsingDataFilterBuilder> origin_filter_builder(
+        BrowsingDataFilterBuilder::Create(
+            BrowsingDataFilterBuilder::WHITELIST));
+    origin_filter_builder->AddOrigin(origin);
+
+    remover->RemoveWithFilterAndReply(
+        base::Time(), base::Time::Max(), remove_mask,
+        BrowsingDataRemover::ORIGIN_TYPE_UNPROTECTED_WEB |
+            BrowsingDataRemover::ORIGIN_TYPE_PROTECTED_WEB,
+        std::move(origin_filter_builder), observer);
+  } else {
+    // The second removal task is a no-op.
+    observer->OnBrowsingDataRemoverDone();
+  }
 }
 
-ClearSiteDataThrottle::ClearSiteDataThrottle(
-    NavigationHandle* navigation_handle)
-    : NavigationThrottle(navigation_handle),
-      clearing_in_progress_(false),
-      weak_ptr_factory_(this) {}
+// Outputs |messages| to the console of WebContents retrieved from
+// |web_contents_getter|. Must be run on the UI thread.
+void OutputMessagesOnUIThread(
+    const ResourceRequestInfo::WebContentsGetter& web_contents_getter,
+    const std::vector<ClearSiteDataThrottle::ConsoleMessagesDelegate::Message>&
+        messages) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
 
-ClearSiteDataThrottle::~ClearSiteDataThrottle() {
-  // At the end of the navigation we finally have access to the correct
-  // RenderFrameHost. Output the cached console messages. Prefix each sequence
-  // of messages belonging to the same URL with |kConsoleMessagePrefix|.
+  WebContents* web_contents = web_contents_getter.Run();
+  if (!web_contents)
+    return;
+
+  // Prefix each sequence of messages belonging to the same URL with
+  // |kConsoleMessagePrefix|.
   GURL last_seen_url;
-  for (const ConsoleMessage& message : messages_) {
+  for (const auto& message : messages) {
     if (message.url == last_seen_url) {
-      navigation_handle()->GetRenderFrameHost()->AddMessageToConsole(
-          message.level, message.text);
+      web_contents->GetMainFrame()->AddMessageToConsole(message.level,
+                                                        message.text);
     } else {
-      navigation_handle()->GetRenderFrameHost()->AddMessageToConsole(
+      web_contents->GetMainFrame()->AddMessageToConsole(
           message.level,
           base::StringPrintf(kConsoleMessagePrefix, message.url.spec().c_str(),
                              message.text.c_str()));
@@ -95,101 +206,193 @@ ClearSiteDataThrottle::~ClearSiteDataThrottle() {
   }
 }
 
-ClearSiteDataThrottle::ThrottleCheckResult
-ClearSiteDataThrottle::WillStartRequest() {
-  current_url_ = navigation_handle()->GetURL();
-  return PROCEED;
+}  // namespace
+
+////////////////////////////////////////////////////////////////////////////////
+// ConsoleMessagesDelegate
+
+ClearSiteDataThrottle::ConsoleMessagesDelegate::ConsoleMessagesDelegate() {}
+
+ClearSiteDataThrottle::ConsoleMessagesDelegate::~ConsoleMessagesDelegate() {}
+
+void ClearSiteDataThrottle::ConsoleMessagesDelegate::AddMessage(
+    const GURL& url,
+    const std::string& text,
+    ConsoleMessageLevel level) {
+  messages_.push_back({url, text, level});
 }
 
-ClearSiteDataThrottle::ThrottleCheckResult
-ClearSiteDataThrottle::WillRedirectRequest() {
-  // We are processing a redirect from url1 to url2. GetResponseHeaders()
-  // contains headers from url1, but GetURL() is already equal to url2. Handle
-  // the headers before updating the URL, so that |current_url_| corresponds
-  // to the URL that sent the headers.
-  HandleHeader();
-  current_url_ = navigation_handle()->GetURL();
+void ClearSiteDataThrottle::ConsoleMessagesDelegate::OutputMessages(
+    const ResourceRequestInfo::WebContentsGetter& web_contents_getter) {
+  if (messages_.empty())
+    return;
+
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  BrowserThread::PostTask(
+      BrowserThread::UI, FROM_HERE,
+      base::Bind(&OutputMessagesOnUIThread, web_contents_getter,
+                 std::move(messages_)));
 
-  return clearing_in_progress_ ? DEFER : PROCEED;
+  messages_.clear();
 }
 
-ClearSiteDataThrottle::ThrottleCheckResult
-ClearSiteDataThrottle::WillProcessResponse() {
-  HandleHeader();
-  return clearing_in_progress_ ? DEFER : PROCEED;
+////////////////////////////////////////////////////////////////////////////////
+// ClearSiteDataThrottle
+
+// static
+std::unique_ptr<ResourceThrottle>
+ClearSiteDataThrottle::CreateThrottleForRequest(net::URLRequest* request) {
+  // This is an experimental feature.
+  if (!AreExperimentalFeaturesEnabled())
+    return std::unique_ptr<ResourceThrottle>();
+
+  // The throttle has no purpose if the request has no ResourceRequestInfo,
+  // because we won't be able to determine whose data should be deleted.
+  if (!ResourceRequestInfo::ForRequest(request))
+    return std::unique_ptr<ResourceThrottle>();
+
+  return base::WrapUnique(new ClearSiteDataThrottle(
+      request, base::MakeUnique<ConsoleMessagesDelegate>()));
 }
 
-const char* ClearSiteDataThrottle::GetNameForLogging() {
-  return "ClearSiteDataThrottle";
+ClearSiteDataThrottle::ClearSiteDataThrottle(
+    net::URLRequest* request,
+    std::unique_ptr<ConsoleMessagesDelegate> delegate)
+    : request_(request),
+      delegate_(std::move(delegate)),
+      weak_ptr_factory_(this) {
+  DCHECK(request_);
+  DCHECK(delegate_);
 }
 
-void ClearSiteDataThrottle::HandleHeader() {
-  NavigationHandleImpl* handle =
-      static_cast<NavigationHandleImpl*>(navigation_handle());
-  const net::HttpResponseHeaders* headers = handle->GetResponseHeaders();
+ClearSiteDataThrottle::~ClearSiteDataThrottle() {
+  // Output the cached console messages. We output console messages when the
+  // request is finished rather than in real time, since in case of navigations
+  // swapping RenderFrameHost would cause the outputs to disappear.
+  const ResourceRequestInfo* info = ResourceRequestInfo::ForRequest(request_);
+  if (info)
+    delegate_->OutputMessages(info->GetWebContentsGetterForRequest());
+}
 
-  if (!headers || !headers->HasHeader(kClearSiteDataHeader))
-    return;
+void ClearSiteDataThrottle::WillRedirectRequest(
+    const net::RedirectInfo& redirect_info,
+    bool* defer) {
+  *defer = HandleHeader();
+}
 
-  // Only accept the header on secure origins.
-  if (!IsOriginSecure(current_url_)) {
-    ConsoleLog(&messages_, current_url_, "Not supported for insecure origins.",
-               CONSOLE_MESSAGE_LEVEL_ERROR);
-    return;
-  }
+void ClearSiteDataThrottle::WillProcessResponse(bool* defer) {
+  *defer = HandleHeader();
+}
+
+const char* ClearSiteDataThrottle::GetNameForLogging() const {
+  return kNameForLogging;
+}
+
+bool ClearSiteDataThrottle::HandleHeader() {
+  const net::HttpResponseHeaders* headers = GetResponseHeaders();
 
   std::string header_value;
-  headers->GetNormalizedHeader(kClearSiteDataHeader, &header_value);
+  if (!headers ||
+      !headers->GetNormalizedHeader(kClearSiteDataHeader, &header_value)) {
+    return false;
+  }
+
+  // Only accept the header on secure non-unique origins.
+  if (!IsOriginSecure(request_->url())) {
+    delegate_->AddMessage(request_->url(),
+                          "Not supported for insecure origins.",
+                          CONSOLE_MESSAGE_LEVEL_ERROR);
+    return false;
+  }
+
+  url::Origin origin(request_->url());
+  if (origin.unique()) {
+    delegate_->AddMessage(request_->url(), "Not supported for unique origins.",
+                          CONSOLE_MESSAGE_LEVEL_ERROR);
+    return false;
+  }
+
+  // The LOAD_DO_NOT_SAVE_COOKIES flag prohibits the request from doing any
+  // modification to cookies. Clear-Site-Data applies this restriction to other
+  // datatypes as well.
+  if (request_->load_flags() & net::LOAD_DO_NOT_SAVE_COOKIES) {
+    delegate_->AddMessage(
+        request_->url(),
+        "The request's credentials mode prohibits modifying cookies "
+        "and other local data.",
+        CONSOLE_MESSAGE_LEVEL_ERROR);
+    return false;
+  }
+
+  // Service workers can handle fetches of third-party resources and inject
+  // arbitrary headers. Ignore responses that came from a service worker,
+  // as supporting Clear-Site-Data would give them the power to delete data from
+  // any website.

[falken, 2017/05/17 07:37:00]

Maybe worth linking to
https://w3c.github.io/webappsec-clear-site-data/#service-workers

[msramek, 2017/05/17 13:46:37]

Done.

+  const ServiceWorkerResponseInfo* response_info =
+      ServiceWorkerResponseInfo::ForRequest(request_);
+  if (response_info) {
+    ResourceResponseInfo extra_response_info;
+    response_info->GetExtraResponseInfo(&extra_response_info);
+
+    if (extra_response_info.was_fetched_via_service_worker) {

[falken, 2017/05/17 07:37:00]

Does the spec care if the response came from a foreign fetch service worker? If
so, you must check extra_response_info.was_fetched_via_foreign_fetch here too.

A foreign fetch service worker can only intercept requests to its origin, so the
third-party considerations don't apply.

[msramek, 2017/05/17 13:46:37]

Yes, that was my understanding too - thanks for confirming that this hasn't
changed since your last review.

In that case we trust a foreign fetch SW response from example.org the same way
as we trust a server response from example.org, and don't need to disable
Clear-Site-Data.

+      delegate_->AddMessage(
+          request_->url(),
+          "Ignoring, as the response came from a service worker.",
+          CONSOLE_MESSAGE_LEVEL_ERROR);
+      return false;
+    }
+  }
 
   bool clear_cookies;
   bool clear_storage;
   bool clear_cache;
 
   if (!ParseHeader(header_value, &clear_cookies, &clear_storage, &clear_cache,
-                   &messages_)) {
-    return;
+                   delegate_.get(), request_->url())) {
+    return false;
   }
 
+  // If the header is valid, clear the data for this browser context and origin.
+  clearing_started_ = base::TimeTicks::Now();
+
   // Record the call parameters.
   UMA_HISTOGRAM_ENUMERATION(
       "Navigation.ClearSiteData.Parameters",
       ParametersMask(clear_cookies, clear_storage, clear_cache), (1 << 3));
 
-  // If the header is valid, clear the data for this browser context and origin.
-  BrowserContext* browser_context =
-      navigation_handle()->GetWebContents()->GetBrowserContext();
-  url::Origin origin(current_url_);
+  base::WeakPtr<ClearSiteDataThrottle> weak_ptr =
+      weak_ptr_factory_.GetWeakPtr();
 
-  if (origin.unique()) {
-    ConsoleLog(&messages_, current_url_, "Not supported for unique origins.",
-               CONSOLE_MESSAGE_LEVEL_ERROR);
-    return;
-  }
+  // Immediately bind the weak pointer to the current thread (IO). This will
+  // make a potential misuse on the UI thread DCHECK immediately rather than
+  // later when it's correctly used on the IO thread again.
+  weak_ptr.get();
 
-  clearing_in_progress_ = true;
-  clearing_started_ = base::TimeTicks::Now();
-  GetContentClient()->browser()->ClearSiteData(
-      browser_context, origin, clear_cookies, clear_storage, clear_cache,
-      base::Bind(&ClearSiteDataThrottle::TaskFinished,
-                 weak_ptr_factory_.GetWeakPtr()));
+  ExecuteClearingTask(
+      origin, clear_cookies, clear_storage, clear_cache,
+      base::Bind(&ClearSiteDataThrottle::TaskFinished, weak_ptr));
+
+  return true;
 }
 
+// static
 bool ClearSiteDataThrottle::ParseHeader(const std::string& header,
                                         bool* clear_cookies,
                                         bool* clear_storage,
                                         bool* clear_cache,
-                                        std::vector<ConsoleMessage>* messages) {
+                                        ConsoleMessagesDelegate* delegate,
+                                        const GURL& current_url) {
   if (!base::IsStringASCII(header)) {
-    ConsoleLog(messages, current_url_, "Must only contain ASCII characters.",
-               CONSOLE_MESSAGE_LEVEL_ERROR);
+    delegate->AddMessage(current_url, "Must only contain ASCII characters.",
+                         CONSOLE_MESSAGE_LEVEL_ERROR);
     return false;
   }
 
   std::unique_ptr<base::Value> parsed_header = base::JSONReader::Read(header);
 
   if (!parsed_header) {
-    ConsoleLog(messages, current_url_, "Not a valid JSON.",
-               CONSOLE_MESSAGE_LEVEL_ERROR);
+    delegate->AddMessage(current_url, "Not a valid JSON.",
+                         CONSOLE_MESSAGE_LEVEL_ERROR);
     return false;
   }
 
@@ -197,9 +400,9 @@ bool ClearSiteDataThrottle::ParseHeader(const std::string& header,
   const base::ListValue* types = nullptr;
   if (!parsed_header->GetAsDictionary(&dictionary) ||
       !dictionary->GetListWithoutPathExpansion(kTypesKey, &types)) {
-    ConsoleLog(messages, current_url_,
-               "Expecting a JSON dictionary with a 'types' field.",
-               CONSOLE_MESSAGE_LEVEL_ERROR);
+    delegate->AddMessage(current_url,
+                         "Expecting a JSON dictionary with a 'types' field.",
+                         CONSOLE_MESSAGE_LEVEL_ERROR);
     return false;
   }
 
@@ -226,9 +429,9 @@ bool ClearSiteDataThrottle::ParseHeader(const std::string& header,
       std::string serialized_type;
       JSONStringValueSerializer serializer(&serialized_type);
       serializer.Serialize(value);
-      ConsoleLog(
-          messages, current_url_,
-          base::StringPrintf("Invalid type: %s.", serialized_type.c_str()),
+      delegate->AddMessage(
+          current_url,
+          base::StringPrintf("Unrecognized type: %s.", serialized_type.c_str()),
           CONSOLE_MESSAGE_LEVEL_ERROR);
       continue;
     }
@@ -243,9 +446,9 @@ bool ClearSiteDataThrottle::ParseHeader(const std::string& header,
   }
 
   if (!*clear_cookies && !*clear_storage && !*clear_cache) {
-    ConsoleLog(messages, current_url_,
-               "No valid types specified in the 'types' field.",
-               CONSOLE_MESSAGE_LEVEL_ERROR);
+    delegate->AddMessage(current_url,
+                         "No recognized types specified in the 'types' field.",
+                         CONSOLE_MESSAGE_LEVEL_ERROR);
     return false;
   }
 
@@ -266,21 +469,37 @@ bool ClearSiteDataThrottle::ParseHeader(const std::string& header,
     default:
       NOTREACHED();
   }
-  ConsoleLog(messages, current_url_, output, CONSOLE_MESSAGE_LEVEL_INFO);
+  delegate->AddMessage(current_url, output, CONSOLE_MESSAGE_LEVEL_INFO);
 
   return true;
 }
 
-void ClearSiteDataThrottle::TaskFinished() {
-  DCHECK(clearing_in_progress_);
-  clearing_in_progress_ = false;
+const net::HttpResponseHeaders* ClearSiteDataThrottle::GetResponseHeaders()
+    const {
+  return request_->response_headers();
+}
+
+void ClearSiteDataThrottle::ExecuteClearingTask(const url::Origin& origin,
+                                                bool clear_cookies,
+                                                bool clear_storage,
+                                                bool clear_cache,
+                                                const base::Closure& callback) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  BrowserThread::PostTask(
+      BrowserThread::UI, FROM_HERE,
+      base::Bind(&ClearSiteDataOnUIThread,
+                 ResourceRequestInfo::ForRequest(request_)
+                     ->GetWebContentsGetterForRequest(),
+                 origin, clear_cookies, clear_storage, clear_cache, callback));
+}
 
+void ClearSiteDataThrottle::TaskFinished() {
   UMA_HISTOGRAM_CUSTOM_TIMES("Navigation.ClearSiteData.Duration",
                              base::TimeTicks::Now() - clearing_started_,
                              base::TimeDelta::FromMilliseconds(1),
                              base::TimeDelta::FromSeconds(1), 50);
 
-  navigation_handle()->Resume();
+  Resume();
 }
 
 }  // namespace content