[wei] Ensure Origin Trial enables full feature

This CL moves the base::Feature from content_features.h to
a generated feature from runtime_enabled_features.json5.

This means that the base::Feature can be default-enabled
while the web API is controlled by the RuntimeFeature, which will
still be default-disabled.

An origin trial can enable the RuntimeFeature, which will
allow full access to the API, provided the base::Feature is also
enabled (see change to origin_trial_context.cc).

Meanwhile, the base::Feature can be disabled through Finch as a
kill-switch for the whole feature, and prevent origin trials
from turning the feature on.

Tests have been added to WebView test, as it allowed for easy
spoofing of responses on a known origin.

Bug: 1439945
Change-Id: Ifa0f5d4f5e0a0bf882dd1b0207698dddd6f71420
Fixed: b/278701736
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4681552
Reviewed-by: Rayan Kanso <rayankans@chromium.org>
Commit-Queue: Peter Pakkenberg <pbirk@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1173344}

android_webview/browser/DEPS

@@ -104,6 +104,7 @@ include_rules = [
 
   "+third_party/blink/public/common/client_hints/enabled_client_hints.h",
   "+third_party/blink/public/common/features.h",
+  "+third_party/blink/public/common/features_generated.h",
   "+third_party/blink/public/common/origin_trials/origin_trial_feature.h",
   "+third_party/blink/public/common/origin_trials/origin_trials_settings_provider.h",
   "+third_party/blink/public/common/origin_trials/trial_token_validator.h",

android_webview/browser/aw_content_browser_client_receiver_bindings.cc

@@ -8,6 +8,7 @@
 #include "android_webview/browser/aw_print_manager.h"
 #include "android_webview/browser/renderer_host/aw_render_view_host_ext.h"
 #include "android_webview/browser/safe_browsing/aw_url_checker_delegate_impl.h"
+#include "base/feature_list.h"
 #include "components/autofill/content/browser/content_autofill_driver_factory.h"
 #include "components/cdm/browser/media_drm_storage_impl.h"
 #include "components/content_capture/browser/onscreen_content_provider.h"
@@ -29,6 +30,7 @@
 #include "mojo/public/cpp/bindings/self_owned_receiver.h"
 #include "services/service_manager/public/cpp/binder_registry.h"
 #include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h"
+#include "third_party/blink/public/common/features_generated.h"
 #include "third_party/blink/public/mojom/environment_integrity/environment_integrity_service.mojom.h"
 
 #if BUILDFLAG(ENABLE_SPELLCHECK)
@@ -215,7 +217,7 @@ void AwContentBrowserClient::RegisterBrowserInterfaceBindersForFrame(
   map->Add<network_hints::mojom::NetworkHintsHandler>(
       base::BindRepeating(&BindNetworkHintsHandler));
 
-  if (base::FeatureList::IsEnabled(features::kWebEnvironmentIntegrity)) {
+  if (base::FeatureList::IsEnabled(blink::features::kWebEnvironmentIntegrity)) {
     map->Add<blink::mojom::EnvironmentIntegrityService>(base::BindRepeating(
         &environment_integrity::AndroidEnvironmentIntegrityService::Create));
   }

android_webview/java/src/org/chromium/android_webview/common/ProductionSupportedFlagList.java

@@ -472,7 +472,7 @@ private ProductionSupportedFlagList() {}
                             + "Only onNetwork(Connected|Disconnected|SoonToDisconnect|MadeDefault) signals are propagated."),
             Flag.baseFeature(BlinkFeatures.REMOVE_NON_STANDARD_APPEARANCE_VALUE,
                     "Remove non-standard CSS appearance values."),
-            Flag.baseFeature(ContentFeatures.WEB_ENVIRONMENT_INTEGRITY,
+            Flag.baseFeature(BlinkFeatures.WEB_ENVIRONMENT_INTEGRITY,
                     "Enables Web Environment Integrity APIs. "
                             + "See https://chromestatus.com/feature/5796524191121408."),
             // Add new commandline switches and features above. The final entry should have a

android_webview/javatests/DEPS

@@ -4,6 +4,7 @@ include_rules = [
   "+components/background_task_scheduler/android/java",
   "+components/component_updater/android/java",
   "+components/embedder_support/android/metrics/java",
+  "+components/environment_integrity/android/java",
   "+components/minidump_uploader/android/java",
   "+components/minidump_uploader/android/javatests",
   "+components/policy/android/java",

android_webview/javatests/src/org/chromium/android_webview/test/AwWebEnvironmentIntegrityTest.java

@@ -4,8 +4,13 @@
 
 package org.chromium.android_webview.test;
 
+import android.webkit.JavascriptInterface;
+
 import androidx.test.filters.SmallTest;
 
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -14,12 +19,22 @@
 import org.junit.runner.RunWith;
 
 import org.chromium.android_webview.AwContents;
+import org.chromium.android_webview.test.TestAwContentsClient.ShouldInterceptRequestHelper;
 import org.chromium.base.test.util.Batch;
+import org.chromium.base.test.util.CallbackHelper;
 import org.chromium.base.test.util.CommandLineFlags;
-import org.chromium.content_public.common.ContentFeatures;
+import org.chromium.blink_public.common.BlinkFeatures;
+import org.chromium.components.embedder_support.util.WebResourceResponseInfo;
+import org.chromium.components.environment_integrity.IntegrityServiceBridge;
+import org.chromium.components.environment_integrity.IntegrityServiceBridgeDelegate;
 import org.chromium.net.test.util.TestWebServer;
 
+import java.io.ByteArrayInputStream;
+import java.nio.charset.StandardCharsets;
 import java.util.Collections;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
 
 /**
  * Tests for WebEnvironmentIntegrity in WebView.
@@ -29,7 +44,6 @@
  * and only supposed to test WebView-specific differences.
  */
 @RunWith(AwJUnit4ClassRunner.class)
-@CommandLineFlags.Add({"enable-features=" + ContentFeatures.WEB_ENVIRONMENT_INTEGRITY})
 @Batch(Batch.PER_CLASS)
 public class AwWebEnvironmentIntegrityTest {
     @Rule
@@ -39,6 +53,17 @@ public class AwWebEnvironmentIntegrityTest {
     private AwContents mAwContents;
 
     private TestWebServer mWebServer;
+    private static final String ORIGIN_TRIAL_URL = "https://example.com/";
+    private static final String ORIGIN_TRIAL_HEADER = "Origin-Trial";
+    private static final String ORIGIN_TRIAL_TOKEN =
+            "A1GBGCeaLBRlky1ITf9uRak5iluqLWnUdSTKVTO0Ce/I7a35nik6DKqPJNZSPd9KEAIuJKmi2dmL9HWThDWgdA"
+            + "cAAABheyJvcmlnaW4iOiAiaHR0cHM6Ly9leGFtcGxlLmNvbTo0NDMiLCAiZmVhdHVyZSI6ICJXZWJFbnZpcm"
+            + "9ubWVudEludGVncml0eSIsICJleHBpcnkiOiAyMDAwMDAwMDAwfQ==";
+
+    private static final long HANDLE = 123456789L;
+
+    private static final byte[] TOKEN = {1, 2, 3, 4};
+    private static final String TOKEN_BASE64 = "AQIDBA==";
 
     @Before
     public void setUp() throws Exception {
@@ -58,6 +83,24 @@ public void tearDown() throws Exception {
 
     @Test
     @SmallTest
+    public void testWebEnvironmentIntegrityApiNotAvailableByDefault() throws Throwable {
+        // Load a web page from localhost to get a secure context
+        mWebServer.setResponse("/", "<html>", Collections.emptyList());
+        mActivityTestRule.loadUrlSync(
+                mAwContents, mContentsClient.getOnPageFinishedHelper(), mWebServer.getBaseUrl());
+        // Check that the 'getEnvironmentIntegrity' method is available.
+        final String script = "'getEnvironmentIntegrity' in navigator ? 'available': 'missing'";
+        String result = mActivityTestRule.executeJavaScriptAndWaitForResult(
+                mAwContents, mContentsClient, script);
+        // The result is expected to have extra quotes as a JSON-encoded string.
+        Assert.assertEquals("This test is expected to fail if runtime_enabled_features.json5"
+                        + " is updated to mark the feature as 'stable'.",
+                "\"missing\"", result);
+    }
+
+    @Test
+    @SmallTest
+    @CommandLineFlags.Add({"enable-features=" + BlinkFeatures.WEB_ENVIRONMENT_INTEGRITY})
     public void testWebEnvironmentIntegrityApiAvailable() throws Throwable {
         // Load a web page from localhost to get a secure context
         mWebServer.setResponse("/", "<html>", Collections.emptyList());
@@ -70,4 +113,103 @@ public void testWebEnvironmentIntegrityApiAvailable() throws Throwable {
         // The result is expected to have extra quotes as a JSON-encoded string.
         Assert.assertEquals("\"available\"", result);
     }
+
+    @Test
+    @SmallTest
+    @CommandLineFlags.Add({"disable-features=" + BlinkFeatures.WEB_ENVIRONMENT_INTEGRITY})
+    public void testWebEnvironmentIntegrityApiCanBeDisabled() throws Throwable {
+        // Load a web page from localhost to get a secure context
+        mWebServer.setResponse("/", "<html>", Collections.emptyList());
+        mActivityTestRule.loadUrlSync(
+                mAwContents, mContentsClient.getOnPageFinishedHelper(), mWebServer.getBaseUrl());
+        // Check that the 'getEnvironmentIntegrity' method is available.
+        final String script = "'getEnvironmentIntegrity' in navigator ? 'available': 'missing'";
+        String result = mActivityTestRule.executeJavaScriptAndWaitForResult(
+                mAwContents, mContentsClient, script);
+        // The result is expected to have extra quotes as a JSON-encoded string.
+        Assert.assertEquals("\"missing\"", result);
+    }
+
+    @Test
+    @SmallTest
+    @CommandLineFlags.Add({"origin-trial-public-key=dRCs+TocuKkocNKa0AtZ4awrt9XKH2SQCI6o4FY6BNA="})
+    public void testAppIdentityEnabledByOriginTrial() throws Throwable {
+        // Set up a response with the origin trial header.
+        // Since origin trial tokens are tied to the origin, we use an request intercept to load
+        // the content when making a request to the origin trial URL, instead of relying on the
+        // server, which serves from an unknown port.
+        var body = new ByteArrayInputStream(
+                "<!DOCTYPE html><html><body>Hello, World".getBytes(StandardCharsets.UTF_8));
+        var responseInfo = new WebResourceResponseInfo("text/html", "utf-8", body, 200, "OK",
+                Map.of(ORIGIN_TRIAL_HEADER, ORIGIN_TRIAL_TOKEN));
+
+        final ShouldInterceptRequestHelper requestInterceptHelper =
+                mContentsClient.getShouldInterceptRequestHelper();
+        requestInterceptHelper.setReturnValueForUrl(ORIGIN_TRIAL_URL, responseInfo);
+
+        final TestIntegrityServiceBridgeDelegateImpl delegateForTesting =
+                new TestIntegrityServiceBridgeDelegateImpl();
+        mActivityTestRule.runOnUiThread(
+                () -> IntegrityServiceBridge.setDelegateForTesting(delegateForTesting));
+
+        final ExecutionCallbackListener listener = new ExecutionCallbackListener();
+        AwActivityTestRule.addJavascriptInterfaceOnUiThread(mAwContents, listener, "testListener");
+
+        mActivityTestRule.loadUrlSync(
+                mAwContents, mContentsClient.getOnPageFinishedHelper(), ORIGIN_TRIAL_URL);
+
+        final String script = "(() => {"
+                + "if ('getEnvironmentIntegrity' in navigator) {"
+                + "  navigator.getEnvironmentIntegrity('contentBinding')"
+                + "    .then(s => testListener.result(s.encode()))"
+                + "    .catch(e => testListener.result('error: ' + e));"
+                + "  return 'available';"
+                + "} else {return 'unavailable';}"
+                + "})();";
+        String scriptResult = mActivityTestRule.executeJavaScriptAndWaitForResult(
+                mAwContents, mContentsClient, script);
+        // The result is expected to have extra quotes as a JSON-encoded string.
+        Assert.assertEquals("\"available\"", scriptResult);
+
+        // Wait until the result callback has been triggered, to inspect the state of the delegate
+        // The actual result should just be an error we don't care about.
+        String result = listener.waitForResult();
+        Assert.assertEquals(TOKEN_BASE64, result);
+    }
+
+    static class ExecutionCallbackListener {
+        private final CallbackHelper mCallbackHelper = new CallbackHelper();
+        private String mResult;
+
+        @JavascriptInterface
+        public void result(String s) {
+            mResult = s;
+            mCallbackHelper.notifyCalled();
+        }
+
+        String waitForResult() throws TimeoutException {
+            mCallbackHelper.waitForNext(5, TimeUnit.SECONDS);
+            return mResult;
+        }
+    }
+
+    private static class TestIntegrityServiceBridgeDelegateImpl
+            implements IntegrityServiceBridgeDelegate {
+        @Override
+        public ListenableFuture<Long> createEnvironmentIntegrityHandle(
+                boolean bindAppIdentity, int timeoutMilliseconds) {
+            return Futures.immediateFuture(HANDLE);
+        }
+
+        @Override
+        public ListenableFuture<byte[]> getEnvironmentIntegrityToken(
+                long handle, byte[] requestHash, int timeoutMilliseconds) {
+            return Futures.immediateFuture(TOKEN);
+        }
+
+        @Override
+        public boolean canUseGms() {
+            return true;
+        }
+    }
 }

android_webview/test/BUILD.gn

@@ -279,6 +279,7 @@ instrumentation_test_apk("webview_instrumentation_test_apk") {
     "//components/embedder_support/android:util_java",
     "//components/embedder_support/android:web_contents_delegate_java",
     "//components/embedder_support/android/metrics:java",
+    "//components/environment_integrity/android:java",
     "//components/heap_profiling/multi_process:heap_profiling_java_test_support",
     "//components/metrics:metrics_java",
     "//components/minidump_uploader:minidump_uploader_java",
@@ -314,6 +315,7 @@ instrumentation_test_apk("webview_instrumentation_test_apk") {
     "//third_party/androidx:androidx_test_runner_java",
     "//third_party/androidx_javascriptengine:javascriptengine_common_java",
     "//third_party/androidx_javascriptengine:javascriptengine_java",
+    "//third_party/blink/public/common:common_java",
     "//third_party/blink/public/mojom:mojom_platform_java",
     "//third_party/blink/public/mojom:web_feature_mojo_bindings_java",
     "//third_party/hamcrest:hamcrest_core_java",

chrome/browser/chrome_browser_interface_binders.cc

@@ -102,6 +102,7 @@
 #include "mojo/public/cpp/bindings/self_owned_receiver.h"
 #include "services/image_annotation/public/mojom/image_annotation.mojom.h"
 #include "third_party/blink/public/common/features.h"
+#include "third_party/blink/public/common/features_generated.h"
 #include "third_party/blink/public/mojom/credentialmanagement/credential_manager.mojom.h"
 #include "third_party/blink/public/mojom/lcp_critical_path_predictor/lcp_critical_path_predictor.mojom.h"
 #include "third_party/blink/public/mojom/loader/navigation_predictor.mojom.h"
@@ -880,7 +881,7 @@ void PopulateChromeFrameBinders(
   }
   map->Add<blink::mojom::ShareService>(base::BindRepeating(
       &ForwardToJavaWebContents<blink::mojom::ShareService>));
-  if (base::FeatureList::IsEnabled(features::kWebEnvironmentIntegrity)) {
+  if (base::FeatureList::IsEnabled(blink::features::kWebEnvironmentIntegrity)) {
     map->Add<blink::mojom::EnvironmentIntegrityService>(base::BindRepeating(
         &environment_integrity::AndroidEnvironmentIntegrityService::Create));
   }

components/environment_integrity/android/android_environment_integrity_service.cc

@@ -16,6 +16,7 @@
 #include "mojo/public/cpp/bindings/callback_helpers.h"
 #include "mojo/public/cpp/bindings/message.h"
 #include "mojo/public/cpp/bindings/pending_receiver.h"
+#include "third_party/blink/public/common/features_generated.h"
 #include "url/origin.h"
 
 namespace environment_integrity {
@@ -82,12 +83,12 @@ AndroidEnvironmentIntegrityService::GetDataManager() {
 void AndroidEnvironmentIntegrityService::GetEnvironmentIntegrity(
     const std::vector<uint8_t>& content_binding,
     GetEnvironmentIntegrityCallback callback) {
-  if (!base::FeatureList::IsEnabled(features::kWebEnvironmentIntegrity)) {
+  if (!base::FeatureList::IsEnabled(
+          blink::features::kWebEnvironmentIntegrity)) {
     ReportBadMessageAndDeleteThis(
         "Feature not enabled. IPC call not expected.");
     return;
   }
-
   if (!integrity_service_->IsIntegrityAvailable()) {
     std::move(callback).Run(EnvironmentIntegrityResponseCode::kInternalError,
                             std::vector<uint8_t>());

components/environment_integrity/android/android_environment_integrity_service_unittest.cc

@@ -22,6 +22,7 @@
 #include "content/public/test/test_renderer_host.h"
 #include "content/public/test/web_contents_tester.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/blink/public/common/features_generated.h"
 #include "third_party/blink/public/mojom/environment_integrity/environment_integrity_service.mojom.h"
 
 namespace environment_integrity {
@@ -109,7 +110,8 @@ class AndroidEnvironmentIntegrityServiceTest
  public:
   void SetUp() override {
     BaseAndroidEnvironmentIntegrityServiceTest::SetUp();
-    feature_list_.InitAndEnableFeature(features::kWebEnvironmentIntegrity);
+    feature_list_.InitAndEnableFeature(
+        blink::features::kWebEnvironmentIntegrity);
   }
 };
 
@@ -467,7 +469,8 @@ class AndroidEnvironmentIntegrityServiceDisabledFeatureTest
  public:
   void SetUp() override {
     BaseAndroidEnvironmentIntegrityServiceTest::SetUp();
-    feature_list_.InitAndDisableFeature(features::kWebEnvironmentIntegrity);
+    feature_list_.InitAndDisableFeature(
+        blink::features::kWebEnvironmentIntegrity);
   }
 };
 

content/browser/browser_interface_binders.cc

@@ -1139,7 +1139,7 @@ void PopulateBinderMapWithContext(
     map->Add<blink::mojom::BrowsingTopicsDocumentService>(
         base::BindRepeating(&BrowsingTopicsDocumentHost::CreateMojoService));
   }
-  if (base::FeatureList::IsEnabled(features::kWebEnvironmentIntegrity)) {
+  if (base::FeatureList::IsEnabled(blink::features::kWebEnvironmentIntegrity)) {
     map->Add<blink::mojom::EnvironmentIntegrityService>(base::BindRepeating(
         &EmptyBinderForFrame<blink::mojom::EnvironmentIntegrityService>));
   }

content/child/runtime_features.cc

@@ -392,7 +392,6 @@ void SetRuntimeFeaturesFromChromiumFeatures() {
     {"WebAppTabStrip", raw_ref(features::kDesktopPWAsTabStrip)},
     {"WebAppTabStripCustomizations",
      raw_ref(blink::features::kDesktopPWAsTabStripCustomizations)},
-    {"WebEnvironmentIntegrity", raw_ref(features::kWebEnvironmentIntegrity)},
     {"WebSerialBluetooth",
      raw_ref(features::kEnableBluetoothSerialPortProfileInSerialApi)},
     {"WGIGamepadTriggerRumble",

content/public/common/content_features.cc

@@ -1418,11 +1418,6 @@ BASE_FEATURE(kWebBluetoothNewPermissionsBackend,
              "WebBluetoothNewPermissionsBackend",
              base::FEATURE_DISABLED_BY_DEFAULT);
 
-// Enables the Web Environment Integrity API.
-BASE_FEATURE(kWebEnvironmentIntegrity,
-             "WebEnvironmentIntegrity",
-             base::FEATURE_DISABLED_BY_DEFAULT);
-
 // If WebGL Image Chromium is allowed, this feature controls whether it is
 // enabled.
 BASE_FEATURE(kWebGLImageChromium,

content/public/common/content_features.h

@@ -318,7 +318,6 @@ CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebAssemblyTrapHandler);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebAuthnTouchToFillCredentialSelection);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebBluetooth);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebBluetoothNewPermissionsBackend);
-CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebEnvironmentIntegrity);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebGLImageChromium);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebMidi);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kWebOtpBackendAuto);

third_party/blink/renderer/core/origin_trials/origin_trial_context.cc

@@ -548,6 +548,10 @@ bool OriginTrialContext::CanEnableTrialFromName(const StringView& trial_name) {
     return base::FeatureList::IsEnabled(features::kComputePressure);
   }
 
+  if (trial_name == "WebEnvironmentIntegrity") {
+    return base::FeatureList::IsEnabled(features::kWebEnvironmentIntegrity);
+  }
+
   return true;
 }
 

third_party/blink/renderer/platform/runtime_enabled_features.json5

@@ -3906,8 +3906,13 @@
     {
       name: "WebEnvironmentIntegrity",
       status: "experimental",
-      base_feature: "none",
       origin_trial_feature_name: "WebEnvironmentIntegrity",
+      // base_feature is meant as kill-switch. The RuntimeFeature should follow
+      // the `status` field or Origin Trial unless explicitly overriden by
+      // Finch / command line flags.
+      base_feature_status: "enabled",
+      copied_from_base_feature_if: "overridden",
+      origin_trial_allows_third_party: true,
     },
     {
       name: "WebFontResizeLCP",