// Copyright 2022 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // This header defines fenced frame configs, which are objects that can be // loaded into a fenced frame and determine its subsequent behavior. Different // APIs like Protected Audience and Shared Storage use fenced frame configs in // order to achieve different end-to-end privacy guarantees. // // Certain information stored in configs may be sensitive and therefore should // be redacted before it is sent to a renderer process. Whether information is // sensitive depends on the entity receiving the information, because // "sensitivity" often refers to the possibility of joining data from multiple // sites. // // As a way of specifying access controls, we represent different entities // using the `FencedFrameEntity` enum: // * `kEmbedder`: the renderer process that embeds the fenced frame and calls // the config-generating API // * `kSameOriginContent`: the renderer process for the fenced frame content, // if the fenced frame content is same-origin to the config's mapped url // * `kCrossOriginContent`: the renderer process for the fenced frame content, // if the fenced frame content is cross-origin to the config's mapped url // // When a config-generating API constructs a config, for each field in the // config it must specify whether the field is opaque or transparent to // the embedder and content (`VisibilityToEmbedder` and `VisibilityToContent`). // If a field is marked as opaque for an entity, the field is redacted whenever // the config is sent to that entity's renderer by IPC. When a field is // redacted, the viewer can tell whether there is a value defined for that // field, but not what the value is. // // Here is a summary of the information flow: // * The embedder calls a config-generating API on the web platform, let's say // Protected Audience, which makes an IPC to the browser. // * In the browser, Protected Audience generates a `FencedFrameConfig` // (including the visibility of each field to different entities) and stores // it in the Page's `FencedFrameURLMapping` data structure. // * Protected Audience constructs a `RedactedFencedFrameConfig` from the // `FencedFrameConfig` and the `kEmbedder` entity. The constructor // automatically performs the redaction process. // // * Protected Audience returns the redacted config to the embedder's renderer. // `RedactedFencedFrameConfig` supports mojom type mappings for // `blink::mojom::FencedFrameConfig`. // * Later, the embedder loads the config into a fenced frame on the web // platform, which sends an IPC to the browser, containing an identifier for // the config in the `FencedFrameURLMapping`. // // * The browser looks up the desired config, and creates an instance of it. // We call an instance of a config `FencedFrameProperties`. For most fields // of the config, instantiating just means copying over the original values. // But for some values, we do additional transformations. // * The browser stores the `FencedFrameProperties` in the `NavigationRequest` // for the navigation to the fenced frame's initial src. During the navigation // handling, certain values inside the `FencedFrameProperties` may be used by // the browser, e.g. the partition nonce for network requests. // * Upon navigation commit, the browser constructs a // `RedactedFencedFrameProperties` from the `FencedFrameProperties` and the // `kSameOriginContent` or `kCrossOriginContent` entity. The constructor // automatically performs the redaction process. // // Note: Because configs may contain nested configs (to be loaded into nested // fenced frames), the redaction process may recurse in order to redact these // nested configs. Nested configs are redacted for the `kEmbedder` entity, // because the top-level fenced frame is the embedder with respect to any nested // fenced frames. #ifndef CONTENT_BROWSER_FENCED_FRAME_FENCED_FRAME_CONFIG_H_ #define CONTENT_BROWSER_FENCED_FRAME_FENCED_FRAME_CONFIG_H_ #include <optional> #include "base/containers/flat_map.h" #include "base/functional/callback_forward.h" #include "base/memory/raw_ptr.h" #include "base/memory/ref_counted.h" #include "content/browser/fenced_frame/fenced_frame_reporter.h" #include "content/common/content_export.h" #include "third_party/blink/public/common/fenced_frame/redacted_fenced_frame_config.h" #include "third_party/blink/public/mojom/fenced_frame/fenced_frame.mojom.h" #include "ui/gfx/geometry/size.h" #include "url/gurl.h" #include "url/origin.h" namespace content { class FencedFrameURLMapping; extern const char kUrnUuidPrefix[]; GURL CONTENT_EXPORT GenerateUrnUuid(); // Used by the fenced frame properties getter. It specifies the node source // of the fenced frame properties. TODO(crbug/40256574): kClosestAncestor is an // artifact to support URN iframes. When URN iframes are removed, we can remove // FencedFramePropertiesNodeSource, and all FencedFrameProperties objects will // originate from the fenced frame root. enum class FencedFramePropertiesNodeSource { … }; // Returns a new string based on input where the matching substrings have been // replaced with the corresponding substitutions. This function avoids repeated // string operations by building the output based on all substitutions, one // substitution at a time. This effectively performs all substitutions // simultaneously, with the earliest match in the input taking precedence. std::string SubstituteMappedStrings( const std::string& input, const std::vector<std::pair<std::string, std::string>>& substitutions); AdAuctionData; DeprecatedFencedFrameMode; SharedStorageBudgetMetadata; ParentPermissionsInfo; // Different kinds of entities (renderers) that should receive different // views of the information in fenced frame configs. enum class FencedFrameEntity { … }; // Visibility levels specify whether information should be redacted when it is // communicated to different entities (renderers). // * kOpaque: must be concealed from the web platform // * kTransparent: may be exposed to the web platform // When renderer process allocation for site isolation is sufficiently // strict, this distinction provides security against compromised renderers, // because the renderers receive no more information than is necessary for // web platform-exposed features. // // Each entity has a different enum class, even though its values are // (currently) identical, for stronger type safety. enum class VisibilityToEmbedder { … }; enum class VisibilityToContent { … }; // A field in a fenced frame configuration, including: // * an actual value for the field // * a declaration of the visibility to the embedder // * a declaration of the visibility to the content template <class T> class CONTENT_EXPORT FencedFrameProperty { … }; enum class DisableUntrustedNetworkStatus { … }; // A collection of properties that can be loaded into a fenced frame and // specifies its subsequent behavior. (During a navigation, they are // transformed into a `FencedFrameProperties` object, and installed at // navigation commit. Most properties are copied over directly from the // configuration, but some require additional processing (e.g. // `nested_configs`.) // // Config-generating APIs like Protected Audience's runAdAuction and // sharedStorage's selectURL return urns as handles to `FencedFrameConfig`s. // TODO(crbug.com/40257432): Use a single constructor that requires values to be // specified for all fields, to ensure none are accidentally omitted. class CONTENT_EXPORT FencedFrameConfig { … }; // Contains a set of fenced frame properties. These are generated at // urn:uuid navigation time according to a fenced frame configuration, // specified by `FencedFrameConfig` above. // Most of these are copied from `FencedFrameConfig` directly, but some // are generated by another transformation, e.g.: // * We generate urns for the configs in `nested_configs` and store // them in `nested_urn_config_pairs`. // * We generate a pointer to `shared_storage_budget_metadata` and store it in // `shared_storage_budget_metadata`, because it should only take effect once // across all fenced frames navigated to a particular configuration. // These `FencedFrameProperties` are stored in the fenced frame root // `FrameTreeNode`, and live between embedder-initiated fenced frame // navigations. class CONTENT_EXPORT FencedFrameProperties { … }; } // namespace content #endif // CONTENT_BROWSER_FENCED_FRAME_FENCED_FRAME_CONFIG_H_
Codebase Browser
chromium