Prevent tracking via alternative services (`Alt-Svc` header)

[pes10k]

alt-svc by default have a 24 hour lifetime, which can be modified with the ma option.

This can be used for tracking, in a similar way to HSTS cookies.

My initial best guess is that the safest option is to never cache alt-svc values

[tomlowenthal]

Right now @fmarier is going to set the alt-scv TTL to zero. Our goal is to have this merged and uplift as far as we can before the channel merge around the end of the month.

[fmarier]

Also related to QUIC is #3855.

[fmarier]

Here's how alternative services are implemented in Chrome.

When an Alt-Svc header or an equivalent H2 frame is seen, a new AlternativeServiceInfo object is created and eventually added via SetAlternativeServices() to an AlternativeServiceMap in HTTPServerProperties, a class used to hold information about the capabilities of HTTP servers.

Then we lookup alternative services in that data structure to verify whether the request supports priorities (also here) and to create HTTP "jobs".

Therefore, a good place to restrict this feature is at the point where we create and add the AlternativeServiceInfo object to the map:

diff --git a/chromium_src/net/http/http_server_properties_impl.cc b/chromium_src/net/http/http_server_properties_impl.cc
new file mode 100644
index 000000000..70f523ed9
--- /dev/null
+++ b/chromium_src/net/http/http_server_properties_impl.cc
@@ -0,0 +1,31 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "net/http/http_server_properties_impl.h"
+
+namespace {
+
+// Override the expiry of cross-origin alternative services.
+base::Time BraveAlternativeServiceExpiration(
+    const url::SchemeHostPort& origin,
+    const net::AlternativeService& alternative_service,
+    base::Time now, base::Time expiration) {
+
+  if (origin.host() != alternative_service.host ||
+      origin.port() != alternative_service.port) {
+    expiration = std::max(expiration, now);  // Ignore dates in the past.
+    expiration = std::min(expiration, now + base::TimeDelta::FromSeconds(10));
+  }
+  return expiration;
+}
+
+}  // namespace
+
+#define BRAVE_RESTRICT_ALTERNATIVE_SERVICES_EXPIRATION \
+  expiration = BraveAlternativeServiceExpiration(origin, alternative_service,\
+                                                 clock_->Now(), expiration);
+
+#include "../../../../net/http/http_server_properties_impl.cc"
+#undef BRAVE_RESTRICT_ALTERNATIVE_SERVICES_EXPIRATION
diff --git a/patches/net-http-http_server_properties_impl.cc.patch b/patches/net-http-http_server_properties_impl.cc.patch
new file mode 100644
index 000000000..6d6ae1bd6
--- /dev/null
+++ b/patches/net-http-http_server_properties_impl.cc.patch
@@ -0,0 +1,20 @@
+diff --git a/net/http/http_server_properties_impl.cc b/net/http/http_server_properties_impl.cc
+index f18530db1060bfbd09c273f695714305ea9aa90e..a24ed108a8bbd734129d155d290b6aabfcaa14b0 100644
+--- a/net/http/http_server_properties_impl.cc
++++ b/net/http/http_server_properties_impl.cc
+@@ -374,6 +374,7 @@ bool HttpServerPropertiesImpl::SetHttp2AlternativeService(
+     base::Time expiration) {
+   DCHECK_EQ(alternative_service.protocol, kProtoHTTP2);
+ 
++  BRAVE_RESTRICT_ALTERNATIVE_SERVICES_EXPIRATION
+   return SetAlternativeServices(
+       origin,
+       AlternativeServiceInfoVector(
+@@ -388,6 +389,7 @@ bool HttpServerPropertiesImpl::SetQuicAlternativeService(
+     const quic::ParsedQuicVersionVector& advertised_versions) {
+   DCHECK(alternative_service.protocol == kProtoQUIC);
+ 
++  BRAVE_RESTRICT_ALTERNATIVE_SERVICES_EXPIRATION
+   return SetAlternativeServices(
+       origin, AlternativeServiceInfoVector(
+                   /*size=*/1,

[fmarier]

Alternative services are used for the following purposes:

1. load-balancing on the client-side without using DNS (e.g. https://example.com sends Alt-Svc: h2="other.example.com:443")
2. upgrading an HTTP/1.1 connection to H2 (e.g. https://example.com sends Alt-Svc: h2=":443")
3. upgrading an HTTP connection over Tor to an .onion address (e.g. https://example.com sends Alt-Svc: h2="hipejsaf3b...o2exyd.onion:443")
4. opportunistically upgrading an HTTP connection to "encrypted HTTP" (e.g. http://example.com sends Alt-Svc: h2=":443")
5. upgrading an HTTP/1.1 or H2 connection to QUIC (e.g. https://example.com sends Alt-Svc: quic=":443"; v="46,43,39"")

I have successfully tested cases 1-3 on Firefox and 4 is also implemented while case 5 is waiting on QUIC support.

Chrome on the other hand only supports upgrading connections to QUIC (case 5 above) on the same host. In other words, it only supports Alt-Svc: quic=":443". There is some support for H2 alternative services, including on different hosts (i.e. cases 1-3) but it's disabled by default and is completely broken in the presence of SNI.

Given that Brave doesn't enable QUIC by default (users have to enabled it via chrome://flags), in practice, Alt-Svc are not used for anything in Brave.

Should the support for H2 alternative services be fixed and enabled in Chrome, we should revisit this bug and perhaps limit the alternative services to same-origin ones only. Right now, I don't believe that this is a viable tracking mechanism in Brave.

[fmarier]

QUIC will be enabled by default in Chromium 83: https://groups.google.com/a/chromium.org/d/topic/chromium-dev/JjKJ28aDLxg/discussion