New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for blob partitioning. #12686
Conversation
d5cf988
to
a3f64d3
Compare
9eddc22
to
f719542
Compare
7fbf1a6
to
b7b07ba
Compare
The PR is ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't look at the code in details, but the overall approach looks good to me.
#define BRAVE_WORKER_CONTENT_SETTINGS_CLIENT_H \ | ||
BraveFarblingLevel GetBraveFarblingLevel() override; \ | ||
bool AllowFingerprinting(bool enabled_per_settings) override; | ||
#define BRAVE_WORKER_CONTENT_SETTINGS_CLIENT_H \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unrelated to this PR - why are we doing a chromium src override here instead of BraveContentRendererClient::CreateWorkerContentSettingsClient
?
} else { | ||
valid_origin = origin_ == url_origin; | ||
} | ||
+ valid_origin |= IsBlobUrlValidForPartitionedOrigin(origin_, url_origin); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these patches don't follow patching standards, please replace with a define from a chromium src override
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed.
chromium_src/url/origin.h
Outdated
#define GetTupleOrPrecursorTupleIfOpaque \ | ||
NotUsed() const; \ | ||
const base::UnguessableToken& GetNonceForEphemeralStorageKeying() const { \ | ||
return nonce_->raw_token(); \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are we getting the raw token here?
// Do not use in cases where lazy initialization is expected! This
// accessor does not initialize the |token_| member.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the token must be initialized before. If an origin is opaque
, but token is not initialized, then it's an error and this whole thing shouldn't work. I've added some checks to ensure this is used properly.
is_stopped_(false), | ||
url_store_(context) { | ||
BlobDataHandle::GetBlobRegistry()->URLStoreForOrigin( | ||
- context->GetSecurityOrigin(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can get rid of this patch with something like
#define URLStoreForOrigin(ORIGIN, URL_STORE) URLStoreForOrigin(!GetEphemeralOrOriginalSecurityOrigin(context).is_null() ? GetEphemeralOrOriginalSecurityOrigin(context) : ORIGIN, URL_STORE)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
actually why do we need this patch at all? This ends up calling BlobURLStoreImpl
which we are overriding anyway
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we don't have access to the content settings there, but according to @pes10k this doesn't even need to be dependent on content settings which could potentially simplify a lot of this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can get rid of this patch with something like
#define URLStoreForOrigin ....
Thanks, this is much better.
actually why do we need this patch at all? This ends up calling
BlobURLStoreImpl
which we are overriding anyway
I guess we don't have access to the content settings there
yes, we need to pass ephemeral storage origin which is available only on the renderer side. We can't do this inside BlobURLStoreImpl
which is located in Storage process.
but according to @pes10k this doesn't even need to be dependent on content settings which could potentially simplify a lot of this.
Our ephemeral storage approach relies on content settings to create and get an ephemeral storage key.
} | ||
} | ||
|
||
// Tests for the blob: URL scheme, originally implemented in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're copying upstream tests here? That seems problematic to me because they will get out of sync
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to have Blob tests now. These particular tests are pretty standard, there's no some weird upstream-specific test helpers which were made exactly for Blob tests, that's why I pulled those.
I did drop Chromium relation from the name and we can just think of it as our tests.
} | ||
}; | ||
|
||
IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, BlobsArePartitioned) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to test that they are not partitioned when the feature is off and also test based on content settings since we're checking those here https://github.com/brave/brave-core/pull/12686/files#diff-430f56739d7df3701057dcb1c3ea5412094160cc91008cfd596d42d889e4d8d4R72
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we also need to check that it's disabled when the main ephemeral storage is disabled and check that only 1p is disabled when the 1p flag is disabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added more test, including 1pes check, shields on/off states and feature on/off states.
chromium_src/url/origin.h
Outdated
#define GetTupleOrPrecursorTupleIfOpaque \ | ||
NotUsed() const; \ | ||
/* Checks if origin is opaque and nonce is initialized. */ \ | ||
bool CanUseNonceForEphemeralStorageKeying() const; \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this method needs to be on Origin, does it? It doesn't seem right to me to attach ephemeral storage specific logic to Origin and we have access to both opaque()
and now the raw_token through GetNonceForEphemeralStorageKeying
. Related I think we should change GetNonceForEphemeralStorageKeying
-> raw_token()
or something. Maybe both methods can become utility functions that take Origin as a param?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, it doesn't have to be here. Moved it into a dedicated helper to access Origin internals related to Ephemeral Storage more explicitly.
Added blob partitioning.
The idea is to use our custom ephemeral opaque origins which are safely passed via renderer<->browser boundary, but additionally carry a nonce that we can use on browser side to effectively partition the blob URLs by crafting a custom URL path that is mapped to a blob.
Resolves brave/brave-browser#21746
Submitter Checklist:
QA/Yes
orQA/No
;release-notes/include
orrelease-notes/exclude
;OS/...
) to the associated issuenpm run test -- brave_browser_tests
,npm run test -- brave_unit_tests
,npm run lint
,npm run gn_check
,npm run tslint
git rebase master
(if needed)Reviewer Checklist:
gn
After-merge Checklist:
changes has landed on
Test Plan: