Add Digital Asset Links verification for postMessage API

chrome/android/java/src/org/chromium/chrome/browser/customtabs/PostMessageHandler.java

Index: chrome/android/java/src/org/chromium/chrome/browser/customtabs/PostMessageHandler.java
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/customtabs/PostMessageHandler.java b/chrome/android/java/src/org/chromium/chrome/browser/customtabs/PostMessageHandler.java
index f49c1957d3d354510e502a3fa2231237cb0c8bca..6fdc2339d0046789415c86f17c32b2864cff57c0 100644
--- a/chrome/android/java/src/org/chromium/chrome/browser/customtabs/PostMessageHandler.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/customtabs/PostMessageHandler.java
@@ -12,6 +12,8 @@ import android.support.customtabs.PostMessageServiceConnection;
 
 import org.chromium.base.ContextUtils;
 import org.chromium.base.ThreadUtils;
+import org.chromium.base.VisibleForTesting;
+import org.chromium.chrome.browser.customtabs.OriginVerifier.OriginVerificationListener;
 import org.chromium.chrome.browser.tab.Tab;
 import org.chromium.content.browser.AppWebMessagePort;
 import org.chromium.content_public.browser.MessagePort;
@@ -22,8 +24,10 @@ import org.chromium.content_public.browser.WebContentsObserver;
 /**
  * A class that handles postMessage communications with a designated {@link CustomTabsSessionToken}.
  */
-public class PostMessageHandler extends PostMessageServiceConnection {
+public class PostMessageHandler
+        extends PostMessageServiceConnection implements OriginVerificationListener {
     private final MessageCallback mMessageCallback;
+    private OriginVerifier mOriginVerifier;
     private WebContents mWebContents;
     private boolean mMessageChannelCreated;
     private boolean mBoundToService;
@@ -127,6 +131,18 @@ public class PostMessageHandler extends PostMessageServiceConnection {
     }
 
     /**
+     * Asynchronously verify the postMessage origin for the given package name and initialize with
+     * it if the result is a success. Can be called multiple times. If so, the previous requests

[nyquist, 2017/04/19 06:35:56]

If I call this with:
verifyAndInitializeWithOrigin("com.chrome.canary",
Uri.parse("https://chrome.com/"));
verifyAndInitializeWithOrigin("com.android.chrome",
Uri.parse("https://google.com/"));
It looks like the origin verifier will still use the initial package name. Is
that intentional? And if it is, could you please document that as it's not
really intuitive. If the package name is supposed to never change for a given
PostMessageHandler, maybe put it as a constructor parameter instead?

[Yusuf, 2017/04/26 00:51:35]

For technical reasons, we can't get access to the package name at the time this
is constructed. But it should be unique which means we should probably set it
only once. Moved it to a separate setter and started calling it as close as
possible to construction

[nyquist, 2017/04/27 04:38:25]

Acknowledged.

+     * will be overridden.
+     * @param packageName The package name to use.
+     * @param origin The origin to verify for.
+     */
+    public void verifyAndInitializeWithOrigin(String packageName, Uri origin) {
+        if (mOriginVerifier == null) mOriginVerifier = new OriginVerifier(this, packageName);
+        mOriginVerifier.start(origin);
+    }
+
+    /**
      * Relay a postMessage request through the current channel assigned to this session.
      * @param message The message to be sent.
      * @return The result of the postMessage request. Returning true means the request was accepted,
@@ -166,4 +182,18 @@ public class PostMessageHandler extends PostMessageServiceConnection {
     public void onPostMessageServiceDisconnected() {
         mBoundToService = false;
     }
+
+    @Override
+    public void onOriginVerified(String packageName, Uri origin, boolean result) {
+        if (!result) return;
+        initializeWithOrigin(origin);
+    }
+
+    /**
+     * @return The origin that has been declared for this handler.
+     */
+    @VisibleForTesting
+    Uri getOriginForTesting() {
+        return mOrigin;
+    }
 }