Add support for blob partitioning.

[goodov]

Added blob partitioning.

The idea is to use our custom ephemeral opaque origins which are safely passed via renderer<->browser boundary, but additionally carry a nonce that we can use on browser side to effectively partition the blob URLs by crafting a custom URL path that is mapped to a blob.

Resolves brave/brave-browser#21746

Submitter Checklist:

• I confirm that no security/privacy review is needed, or that I have requested one
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

[goodov]

The PR is ready for review.

[goodov]

@iefremov @fmarier @bridiver PTAL.

[fmarier]

I didn't look at the code in details, but the overall approach looks good to me.

[bridiver]

unrelated to this PR - why are we doing a chromium src override here instead of BraveContentRendererClient::CreateWorkerContentSettingsClient ?

[bridiver]

these patches don't follow patching standards, please replace with a define from a chromium src override

[goodov]

fixed.

[bridiver]

why are we getting the raw token here?

// Do not use in cases where lazy initialization is expected! This
    // accessor does not initialize the |token_| member.

[goodov]

the token must be initialized before. If an origin is opaque, but token is not initialized, then it's an error and this whole thing shouldn't work. I've added some checks to ensure this is used properly.

[bridiver]

I think you can get rid of this patch with something like

#define URLStoreForOrigin(ORIGIN, URL_STORE) URLStoreForOrigin(!GetEphemeralOrOriginalSecurityOrigin(context).is_null() ? GetEphemeralOrOriginalSecurityOrigin(context) : ORIGIN, URL_STORE)

[bridiver]

actually why do we need this patch at all? This ends up calling BlobURLStoreImpl which we are overriding anyway

[bridiver]

I guess we don't have access to the content settings there, but according to @pes10k this doesn't even need to be dependent on content settings which could potentially simplify a lot of this.

[goodov]

I think you can get rid of this patch with something like #define URLStoreForOrigin ....

Thanks, this is much better.

actually why do we need this patch at all? This ends up calling BlobURLStoreImpl which we are overriding anyway
I guess we don't have access to the content settings there

yes, we need to pass ephemeral storage origin which is available only on the renderer side. We can't do this inside BlobURLStoreImpl which is located in Storage process.

but according to @pes10k this doesn't even need to be dependent on content settings which could potentially simplify a lot of this.

Our ephemeral storage approach relies on content settings to create and get an ephemeral storage key.

[bridiver]

We're copying upstream tests here? That seems problematic to me because they will get out of sync

[goodov]

We need to have Blob tests now. These particular tests are pretty standard, there's no some weird upstream-specific test helpers which were made exactly for Blob tests, that's why I pulled those.
I did drop Chromium relation from the name and we can just think of it as our tests.

[bridiver]

we need to test that they are not partitioned when the feature is off and also test based on content settings since we're checking those here https://github.com/brave/brave-core/pull/12686/files#diff-430f56739d7df3701057dcb1c3ea5412094160cc91008cfd596d42d889e4d8d4R72

[bridiver]

we also need to check that it's disabled when the main ephemeral storage is disabled and check that only 1p is disabled when the 1p flag is disabled

[goodov]

added more test, including 1pes check, shields on/off states and feature on/off states.

[bridiver]

I don't think this method needs to be on Origin, does it? It doesn't seem right to me to attach ephemeral storage specific logic to Origin and we have access to both opaque() and now the raw_token through GetNonceForEphemeralStorageKeying. Related I think we should change GetNonceForEphemeralStorageKeying -> raw_token() or something. Maybe both methods can become utility functions that take Origin as a param?

[goodov]

agree, it doesn't have to be here. Moved it into a dedicated helper to access Origin internals related to Ephemeral Storage more explicitly.