[3PSP Enterprise Policies] (1) Global policy

This policy imposes a general block on enabling third-party storage partitioning for a given profile. It will last from M113 until at least M123. The new VTS last until the stable release of M123. This CL is part of a series: (1) Global policy (2) Per-Origin Policy Bug: 1422357 Change-Id: I0ea821558508567432978f16c166a6d0714fbc8c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4319467 Reviewed-by: Alexander Hendrich <hendrich@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Auto-Submit: Ari Chivukula <arichiv@chromium.org> Commit-Queue: Avi Drissman <avi@chromium.org> Commit-Queue: Ari Chivukula <arichiv@chromium.org> Cr-Commit-Position: refs/heads/main@{#1115864}
chromium · Mar 10, 2023 · e5a5768 · e5a5768
1 parent d17438b
commit e5a5768
Show file tree

Hide file tree

Showing 20 changed files with 204 additions and 11 deletions.
diff --git a/...avatests/src/org/chromium/chrome/browser/site_settings/WebsitePermissionsFetcherTest.java b/...avatests/src/org/chromium/chrome/browser/site_settings/WebsitePermissionsFetcherTest.java
@@ -513,7 +513,7 @@ public void testFetchAllPreferencesForSingleOrigin() {
         // If the ContentSettingsType.NUM_TYPES value changes *and* a new value has been exposed on
         // Android, then please update this code block to include a test for your new type.
         // Otherwise, just update count in the assert.
-        Assert.assertEquals(86, ContentSettingsType.NUM_TYPES);
+        Assert.assertEquals(87, ContentSettingsType.NUM_TYPES);
         websitePreferenceBridge.addContentSettingException(
                 new ContentSettingException(ContentSettingsType.COOKIES, googleOrigin,
                         ContentSettingValues.DEFAULT, preferenceSource, /*isEmbargoed=*/false));

diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
@@ -7510,6 +7510,21 @@ bool ChromeContentBrowserClient::AreIsolatedWebAppsEnabled(
   return base::FeatureList::IsEnabled(features::kIsolatedWebApps);
 }
 
+bool ChromeContentBrowserClient::IsThirdPartyStoragePartitioningAllowed(
+    content::BrowserContext* browser_context) {
+  const HostContentSettingsMap* const content_settings =
+      HostContentSettingsMapFactory::GetForProfile(
+          Profile::FromBrowserContext(browser_context));
+  if (!content_settings) {
+    // We fail permissive as this function is used to check whether partitioning
+    // should be blocked, but isn't the final word on if it's allowed.
+    return true;
+  }
+  return content_settings->GetDefaultContentSetting(
+             ContentSettingsType::THIRD_PARTY_STORAGE_PARTITIONING, nullptr) ==
+         CONTENT_SETTING_ALLOW;
+}
+
 #if BUILDFLAG(IS_MAC)
 base::FilePath ChromeContentBrowserClient::GetChildProcessPath(
     int child_flags,

diff --git a/chrome/browser/chrome_content_browser_client.h b/chrome/browser/chrome_content_browser_client.h
@@ -862,6 +862,9 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
   bool AreIsolatedWebAppsEnabled(
       content::BrowserContext* browser_context) override;
 
+  bool IsThirdPartyStoragePartitioningAllowed(
+      content::BrowserContext* browser_context) override;
+
  protected:
   static bool HandleWebUI(GURL* url, content::BrowserContext* browser_context);
   static bool HandleWebUIReverse(GURL* url,

diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -302,6 +302,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
   { key::kHttpsUpgradesEnabled,
     prefs::kHttpsUpgradesEnabled,
     base::Value::Type::BOOLEAN },
+  { key::kDefaultThirdPartyStoragePartitioningSetting,
+    prefs::kManagedDefaultThirdPartyStoragePartitioningSetting,
+    base::Value::Type::INTEGER },
 // Policies for all platforms - End
 #if BUILDFLAG(IS_ANDROID)
   { key::kAuthAndroidNegotiateAccountType,

diff --git a/chrome/browser/storage_access_api/api_browsertest.cc b/chrome/browser/storage_access_api/api_browsertest.cc
@@ -14,6 +14,7 @@
 #include "chrome/browser/content_settings/cookie_settings_factory.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/net/storage_test_utils.h"
+#include "chrome/browser/policy/policy_test_utils.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/storage_access_api/storage_access_grant_permission_context.h"
 #include "chrome/browser/ui/browser.h"
@@ -27,6 +28,7 @@
 #include "components/content_settings/core/common/features.h"
 #include "components/content_settings/core/common/pref_names.h"
 #include "components/metrics/content/subprocess_metrics_provider.h"
+#include "components/policy/policy_constants.h"
 #include "components/prefs/pref_service.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/storage_partition.h"
@@ -128,7 +130,7 @@ HandleEchoCookiesWithCorsRequest(const net::test_server::HttpRequest& request) {
   return http_response;
 }
 
-class StorageAccessAPIBaseBrowserTest : public InProcessBrowserTest {
+class StorageAccessAPIBaseBrowserTest : public policy::PolicyTest {
  protected:
   explicit StorageAccessAPIBaseBrowserTest(bool is_storage_partitioned)
       : https_server_(net::EmbeddedTestServer::TYPE_HTTPS),
@@ -231,6 +233,11 @@ class StorageAccessAPIBaseBrowserTest : public InProcessBrowserTest {
                   : content_settings::CookieControlsMode::kOff));
   }
 
+  void NavigateToPage(const std::string& host, const std::string& path) {
+    GURL main_url(https_server_.GetURL(host, path));
+    ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), main_url));
+  }
+
   void NavigateToPageWithFrame(const std::string& host) {
     GURL main_url(https_server_.GetURL(host, "/iframe.html"));
     ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), main_url));
@@ -1254,4 +1261,57 @@ IN_PROC_BROWSER_TEST_F(StorageAccessAPIWithCHIPSBrowserTest,
             CookieBundle("cross-site=b.test; cross-site=b.test(partitioned)"));
 }
 
+class StorageAccessAPIEnterprisePolicyBrowserTest
+    : public StorageAccessAPIBaseBrowserTest,
+      public testing::WithParamInterface<std::tuple<ContentSetting, bool>> {
+ public:
+  StorageAccessAPIEnterprisePolicyBrowserTest()
+      : StorageAccessAPIBaseBrowserTest(std::get<1>(GetParam())) {}
+
+  void SetUpInProcessBrowserTestFixture() override {
+    policy::PolicyTest::SetUpInProcessBrowserTestFixture();
+    policy::PolicyMap policies;
+    SetPolicy(&policies,
+              policy::key::kDefaultThirdPartyStoragePartitioningSetting,
+              base::Value(GetContentSetting()));
+    UpdateProviderPolicy(policies);
+  }
+
+  bool ExpectPartitionedStorage() const {
+    return IsStoragePartitioned() &&
+           GetContentSetting() != CONTENT_SETTING_BLOCK;
+  }
+
+ private:
+  ContentSetting GetContentSetting() const { return std::get<0>(GetParam()); }
+};
+
+INSTANTIATE_TEST_SUITE_P(
+    /*no prefix*/,
+    StorageAccessAPIEnterprisePolicyBrowserTest,
+    testing::Combine(testing::Values(CONTENT_SETTING_DEFAULT,
+                                     CONTENT_SETTING_ALLOW,
+                                     CONTENT_SETTING_BLOCK),
+                     testing::Bool()));
+
+IN_PROC_BROWSER_TEST_P(StorageAccessAPIEnterprisePolicyBrowserTest,
+                       PartitionedStorage) {
+  // Navigate to Origin B, setup storage, and expect storage.
+  NavigateToPage(kHostB, "/browsing_data/site_data.html");
+  storage::test::ExpectStorageForFrame(GetPrimaryMainFrame(),
+                                       /*include_cookies=*/false,
+                                       /*expected=*/false);
+  storage::test::SetStorageForFrame(GetPrimaryMainFrame(),
+                                    /*include_cookies=*/false);
+  storage::test::ExpectStorageForFrame(GetPrimaryMainFrame(),
+                                       /*include_cookies=*/false,
+                                       /*expected=*/true);
+
+  // Navigate to Origin A w/ Frame B and expect storage if not partitioned.
+  NavigateToPageWithFrame(kHostA);
+  NavigateFrameTo(kHostB, "/browsing_data/site_data.html");
+  storage::test::ExpectStorageForFrame(GetFrame(), /*include_cookies=*/false,
+                                       !ExpectPartitionedStorage());
+}
+
 }  // namespace
diff --git a/chrome/browser/ui/webui/settings/site_settings_helper.cc b/chrome/browser/ui/webui/settings/site_settings_helper.cc
@@ -184,6 +184,7 @@ const ContentSettingsTypeNameEntry kContentSettingsTypeGroupNames[] = {
     {ContentSettingsType::FEDERATED_IDENTITY_AUTO_REAUTHN_PERMISSION, nullptr},
     {ContentSettingsType::FEDERATED_IDENTITY_IDENTITY_PROVIDER_REGISTRATION,
      nullptr},
+    {ContentSettingsType::THIRD_PARTY_STORAGE_PARTITIONING, nullptr},
 };
 
 static_assert(std::size(kContentSettingsTypeGroupNames) ==

diff --git a/components/content_settings/core/browser/content_settings_policy_provider.cc b/components/content_settings/core/browser/content_settings_policy_provider.cc
@@ -178,6 +178,7 @@ constexpr const char* kManagedDefaultPrefs[] = {
     prefs::kManagedDefaultWebHidGuardSetting,
     prefs::kManagedDefaultWindowManagementSetting,
     prefs::kManagedDefaultLocalFontsSetting,
+    prefs::kManagedDefaultThirdPartyStoragePartitioningSetting,
 };
 
 }  // namespace
@@ -233,6 +234,8 @@ const PolicyProvider::PrefsForManagedDefaultMapEntry
          prefs::kManagedDefaultWindowManagementSetting},
         {ContentSettingsType::LOCAL_FONTS,
          prefs::kManagedDefaultLocalFontsSetting},
+        {ContentSettingsType::THIRD_PARTY_STORAGE_PARTITIONING,
+         prefs::kManagedDefaultThirdPartyStoragePartitioningSetting},
 };
 
 // static

diff --git a/components/content_settings/core/browser/content_settings_registry.cc b/components/content_settings/core/browser/content_settings_registry.cc
@@ -583,6 +583,15 @@ void ContentSettingsRegistry::Init() {
                WebsiteSettingsRegistry::PLATFORM_ANDROID,
            ContentSettingsInfo::INHERIT_IN_INCOGNITO,
            ContentSettingsInfo::EXCEPTIONS_ON_SECURE_ORIGINS_ONLY);
+
+  Register(ContentSettingsType::THIRD_PARTY_STORAGE_PARTITIONING,
+           "third-party-storage-partitioning", CONTENT_SETTING_ALLOW,
+           WebsiteSettingsInfo::UNSYNCABLE, /*allowlisted_schemes=*/{},
+           /*valid_settings=*/{CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK},
+           WebsiteSettingsInfo::TOP_ORIGIN_ONLY_SCOPE,
+           WebsiteSettingsRegistry::ALL_PLATFORMS,
+           ContentSettingsInfo::INHERIT_IN_INCOGNITO,
+           ContentSettingsInfo::EXCEPTIONS_ON_SECURE_AND_INSECURE_ORIGINS);
 }
 
 void ContentSettingsRegistry::Register(

diff --git a/components/content_settings/core/common/content_settings.cc b/components/content_settings/core/common/content_settings.cc
@@ -117,6 +117,7 @@ constexpr HistogramValue kHistogramValue[] = {
     {ContentSettingsType::FEDERATED_IDENTITY_IDENTITY_PROVIDER_REGISTRATION,
      95},
     {ContentSettingsType::ANTI_ABUSE, 96},
+    {ContentSettingsType::THIRD_PARTY_STORAGE_PARTITIONING, 97},
 };
 
 void FilterRulesForType(ContentSettingsForOneType& settings,

diff --git a/components/content_settings/core/common/content_settings_types.h b/components/content_settings/core/common/content_settings_types.h
@@ -323,6 +323,10 @@ enum class ContentSettingsType : int32_t {
   // should be enabled.
   ANTI_ABUSE,
 
+  // Content setting used to indicate whether third-party storage partitioning
+  // should be enabled.
+  THIRD_PARTY_STORAGE_PARTITIONING,
+
   NUM_TYPES,
 };
 

diff --git a/components/content_settings/core/common/pref_names.cc b/components/content_settings/core/common/pref_names.cc
@@ -65,6 +65,8 @@ const char kManagedDefaultWindowManagementSetting[] =
     "profile.managed_default_content_settings.window_management";
 const char kManagedDefaultLocalFontsSetting[] =
     "profile.managed_default_content_settings.local_fonts";
+const char kManagedDefaultThirdPartyStoragePartitioningSetting[] =
+    "profile.managed_default_content_settings.third_party_storage_partitioning";
 
 // Preferences that are exclusively used to store managed
 // content settings patterns.

diff --git a/components/content_settings/core/common/pref_names.h b/components/content_settings/core/common/pref_names.h
@@ -39,6 +39,7 @@ extern const char kManagedDefaultJavaScriptJitSetting[];
 extern const char kManagedDefaultWebHidGuardSetting[];
 extern const char kManagedDefaultWindowManagementSetting[];
 extern const char kManagedDefaultLocalFontsSetting[];
+extern const char kManagedDefaultThirdPartyStoragePartitioningSetting[];
 
 extern const char kManagedClipboardAllowedForUrls[];
 extern const char kManagedClipboardBlockedForUrls[];

diff --git a/components/policy/resources/templates/policies.yaml b/components/policy/resources/templates/policies.yaml
@@ -1088,7 +1088,7 @@ policies:
   1087: RemoteAccessHostAllowEnterpriseRemoteSupportConnections
   1088: ClientSidePhishingProtectionAllowed
   1089: UserAvatarCustomizationSelectorsEnabled
-
+  1090: DefaultThirdPartyStoragePartitioningSetting
 atomic_groups:
   1: Homepage
   2: RemoteAccess

diff --git a/...lates/policy_definitions/ContentSettings/DefaultThirdPartyStoragePartitioningSetting.yaml b/...lates/policy_definitions/ContentSettings/DefaultThirdPartyStoragePartitioningSetting.yaml
@@ -0,0 +1,34 @@
+caption: Default third-party storage partitioning setting
+default: null
+desc: |-
+  Third-party storage partitioning is on by default for some users as of M113, but can be disabled via Chrome flag.
+            If this policy is set to <ph name="ALLOW_PARTITIONING_VALUE">AllowPartitioning</ph> or unset, third-party storage partitioning may be enabled.
+            If this policy is set to <ph name="BLOCK_PARTITIONING_VALUE">BlockPartitioning</ph>, third-party storage partitioning cannot be enabled.
+example_value: 1
+features:
+  dynamic_refresh: true
+  per_profile: true
+future_on:
+- fuchsia
+items:
+- caption: Allow third-party storage partitioning to be enabled.
+  name: AllowPartitioning
+  value: 1
+- caption: Block third-party storage partitioning from being enabled.
+  name: BlockPartitioning
+  value: 2
+owners:
+- arichiv@chromium.org
+- potassium-katabolism@google.com
+schema:
+  enum:
+  - 1
+  - 2
+  type: integer
+supported_on:
+# TODO(crbug.com/1422357): Deprecate this when origin trial ends (likely M123)
+- android:113-
+- chrome.*:113-
+- chrome_os:113-
+tags: []
+type: int-enum
diff --git a/components/policy/test/data/policy_test_cases.json b/components/policy/test/data/policy_test_cases.json
@@ -22529,5 +22529,46 @@
   },
   "UserAvatarCustomizationSelectorsEnabled": {
     "reason_for_missing_test": "TODO(b/271606439): Feature not yet implemented"
+  },
+  "DefaultThirdPartyStoragePartitioningSetting": {
+    "os": [
+      "win",
+      "linux",
+      "mac",
+      "chromeos_ash",
+      "chromeos_lacros",
+      "android",
+      "fuchsia"
+    ],
+    "policy_pref_mapping_tests": [
+      {
+        "policies": {},
+        "prefs": {
+          "profile.managed_default_content_settings.third_party_storage_partitioning": {
+            "default_value": 0
+          }
+        }
+      },
+      {
+        "policies": {
+          "DefaultThirdPartyStoragePartitioningSetting": 1
+        },
+        "prefs": {
+          "profile.managed_default_content_settings.third_party_storage_partitioning": {
+            "value": 1
+          }
+        }
+      },
+      {
+        "policies": {
+          "DefaultThirdPartyStoragePartitioningSetting": 2
+        },
+        "prefs": {
+          "profile.managed_default_content_settings.third_party_storage_partitioning": {
+            "value": 2
+          }
+        }
+      }
+    ]
   }
 }
diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
@@ -4038,9 +4038,13 @@ bool RenderFrameHostImpl::IsMainFrameThirdPartyStoragePartitioningEnabled() {
           .IsDisableThirdPartyStoragePartitioningEnabled()) {
     return false;
   }
-  // Otherwise, return whatever the browser-side feature flag value is:
-  return base::FeatureList::IsEnabled(
-      net::features::kThirdPartyStoragePartitioning);
+  // If the enterprise policy blocks, we have directive to override the
+  // current value of net::features::ThirdPartyStoragePartitioning.
+  if (!GetContentClient()->browser()->IsThirdPartyStoragePartitioningAllowed(
+          GetBrowserContext())) {
+    return false;
+  }
+  return blink::StorageKey::IsThirdPartyStoragePartitioningEnabled();
 }
 
 blink::StorageKey RenderFrameHostImpl::CalculateStorageKey(

diff --git a/content/browser/renderer_host/render_frame_host_impl.h b/content/browser/renderer_host/render_frame_host_impl.h
@@ -187,7 +187,6 @@
 namespace blink {
 class AssociatedInterfaceRegistry;
 class DocumentPolicy;
-class RuntimeFeatureStateReadContext;
 struct FramePolicy;
 struct TransferableMessage;
 struct UntrustworthyContextMenuParams;
@@ -2674,9 +2673,9 @@ class CONTENT_EXPORT RenderFrameHostImpl
   // opaque origin instead).
   void SetOriginDependentStateOfNewFrame(RenderFrameHostImpl* creator_frame);
 
-  // Returns the value of `this`'s main frame's
-  // RuntimeFeatureStateReadContext::
-  // IsDisableThirdPartyStoragePartitioningEnabled()
+  // Indicates whether `this` main frame has third-party storage partitioning
+  // enabled. This depends on the deprecation trial (which can block), content
+  // browser client (which can block), and base feature (which can allow).
   bool IsMainFrameThirdPartyStoragePartitioningEnabled();
 
   // Calculates the storage key for this RenderFrameHostImpl using the passed

diff --git a/content/public/browser/content_browser_client.cc b/content/public/browser/content_browser_client.cc
@@ -1441,4 +1441,9 @@ bool ContentBrowserClient::AreIsolatedWebAppsEnabled(
   return false;
 }
 
+bool ContentBrowserClient::IsThirdPartyStoragePartitioningAllowed(
+    content::BrowserContext* browser_context) {
+  return true;
+}
+
 }  // namespace content
diff --git a/content/public/browser/content_browser_client.h b/content/public/browser/content_browser_client.h
@@ -2392,6 +2392,12 @@ class CONTENT_EXPORT ContentBrowserClient {
   // Checks if Isolated Web Apps are enabled, e.g. by feature flag
   // or in any other way.
   virtual bool AreIsolatedWebAppsEnabled(BrowserContext* browser_context);
+
+  // This function can serve to block third-party storage partitioning
+  // from being enabled if it returns false. If it returns true, then
+  // we fallback on the base feature to determine if partitioning is on.
+  virtual bool IsThirdPartyStoragePartitioningAllowed(
+      content::BrowserContext* browser_context);
 };
 
 }  // namespace content

diff --git a/tools/metrics/histograms/enums.xml b/tools/metrics/histograms/enums.xml
@@ -18825,6 +18825,7 @@ Called by update_net_error_codes.py.-->
   <int value="94" label="Federated identity auto re-authn"/>
   <int value="95" label="Federated identity IdP Registration API"/>
   <int value="96" label="Anti-abuse"/>
+  <int value="97" label="Third-Party Storage Partitioning"/>
 </enum>
 
 <enum name="ContentTypeParseableResult">
@@ -32925,14 +32926,15 @@ Called by update_document_policy_enum.py.-->
   <int value="1080" label="ShowTouchpadScrollScreenEnabled"/>
   <int value="1081" label="DeviceSystemAecEnabled"/>
   <int value="1082" label="HttpAllowlist"/>
-  <int value="1083" label="HttpsUpgradeEnabled"/>
+  <int value="1083" label="HttpsUpgradesEnabled"/>
   <int value="1084" label="RealTimeDownloadProtectionRequestAllowed"/>
   <int value="1085" label="MandatoryExtensionsForIncognitoNavigation"/>
   <int value="1086" label="CredentialProviderPromoEnabled"/>
   <int value="1087"
       label="RemoteAccessHostAllowEnterpriseRemoteSupportConnections"/>
   <int value="1088" label="ClientSidePhishingProtectionAllowed"/>
   <int value="1089" label="UserAvatarCustomizationSelectorsEnabled"/>
+  <int value="1090" label="DefaultThirdPartyStoragePartitioningSetting"/>
 </enum>
 
 <enum name="EnterprisePoliciesSources">