// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROME_BROWSER_EXTERNAL_PROTOCOL_EXTERNAL_PROTOCOL_HANDLER_H_
#define CHROME_BROWSER_EXTERNAL_PROTOCOL_EXTERNAL_PROTOCOL_HANDLER_H_
#include <optional>
#include <string>
#include "build/build_config.h"
#include "chrome/browser/shell_integration.h"
#include "content/public/browser/web_contents.h"
#include "mojo/public/cpp/bindings/pending_remote.h"
#include "services/network/public/mojom/url_loader_factory.mojom-forward.h"
#include "ui/base/page_transition_types.h"
namespace content {
class WeakDocumentPtr;
}
namespace url {
class Origin;
}
class GURL;
class PrefRegistrySimple;
class Profile;
class ExternalProtocolHandler {
public:
enum BlockState {
DONT_BLOCK,
BLOCK,
UNKNOWN,
};
// This is used to back a UMA histogram, so it should be treated as
// append-only.
// This metric is related to BlockState but is only used for metrics
// reporting, and it differentiates multiple possible states that map to
// BlockState.
enum class BlockStateMetric {
kDeniedDefault,
kAllowedDefaultMail,
kAllowedDefaultNews_Deprecated, // No longer emitted.
kNewsNotDefault_Deprecated, // No longer emitted.
kAllowedByEnterprisePolicy,
kAllowedByPreference,
kPrompt,
// Insert new metric values above this line and update kMaxValue.
kMaxValue = kPrompt,
};
// This is used to back a UMA histogram, so it should be treated as
// append-only. Any new values should be inserted immediately prior to
// HANDLE_STATE_LAST.
enum HandleState {
LAUNCH,
CHECKED_LAUNCH,
DONT_LAUNCH,
CHECKED_DONT_LAUNCH_DEPRECATED,
HANDLE_STATE_LAST
};
// Delegate to allow unit testing to provide different behavior.
class Delegate {
public:
virtual scoped_refptr<shell_integration::DefaultSchemeClientWorker>
CreateShellWorker(const GURL& url) = 0;
virtual BlockState GetBlockState(const std::string& scheme,
Profile* profile) = 0;
virtual void BlockRequest() = 0;
virtual void RunExternalProtocolDialog(
const GURL& url,
content::WebContents* web_contents,
ui::PageTransition page_transition,
bool has_user_gesture,
const std::optional<url::Origin>& initiating_origin,
const std::u16string& program_name) = 0;
virtual void LaunchUrlWithoutSecurityCheck(
const GURL& url,
content::WebContents* web_contents) = 0;
virtual void FinishedProcessingCheck() = 0;
virtual void OnSetBlockState(const std::string& scheme,
const url::Origin& initiating_origin,
ExternalProtocolHandler::BlockState state) {}
virtual void ReportExternalAppRedirectToSafeBrowsing(
const GURL& url,
content::WebContents* web_contents) {}
virtual ~Delegate() = default;
};
// UMA histogram metric names.
static const char kBlockStateMetric[];
static const char kHandleStateMetric[];
ExternalProtocolHandler(const ExternalProtocolHandler&) = delete;
ExternalProtocolHandler& operator=(const ExternalProtocolHandler&) = delete;
// Called on the UI thread. Allows switching out the
// ExternalProtocolHandler::Delegate for testing code.
static void SetDelegateForTesting(Delegate* delegate);
// True if |initiating_origin| is not nullptr and is considered
// potentially trustworthy.
static bool MayRememberAllowDecisionsForThisOrigin(
const url::Origin* initiating_origin);
// Returns whether we should block a given scheme.
// |initiating_origin| can be nullptr if the user is performing a
// browser initiated top frame navigation, for example by typing in the
// address bar or right-clicking a link and selecting 'Open In New Tab'.
// Renderer-initiated navigations will set |initiating_origin| to the origin
// of the content requesting the navigation.
static BlockState GetBlockState(const std::string& scheme,
const url::Origin* initiating_origin,
Profile* profile);
// Sets whether we should block a given scheme + origin.
static void SetBlockState(const std::string& scheme,
const url::Origin& initiating_origin,
BlockState state,
Profile* profile);
// Checks to see if the protocol is allowed, if it is allowlisted,
// the application associated with the protocol is launched on the io thread,
// if it is denylisted, returns silently. Otherwise, an
// ExternalProtocolDialog is created asking the user. If the user accepts,
// LaunchUrlWithoutSecurityCheck is called on the io thread and the
// application is launched.
// If possible, |initiator_document| identifies the document that requested
// the external protocol launch.
// Must run on the UI thread.
static void LaunchUrl(
const GURL& url,
content::WebContents::Getter web_contents_getter,
ui::PageTransition page_transition,
bool has_user_gesture,
bool is_in_fenced_frame_tree,
const std::optional<url::Origin>& initiating_origin,
content::WeakDocumentPtr initiator_document
#if BUILDFLAG(IS_ANDROID)
,
mojo::PendingRemote<network::mojom::URLLoaderFactory>* out_factory
#endif
);
// Starts a url using the external protocol handler with the help
// of shellexecute. Should only be called if the protocol is allowlisted
// (checked in LaunchUrl) or if the user explicitly allows it. (By selecting
// "Open Application" in an ExternalProtocolDialog.) |url| might be escaped
// already when calling into this function but e.g. from LaunchUrl but it
// doesn't have to be because is also escaped in it.
// NOTE: You should NOT call this function directly unless you are sure the
// url you have has been checked against the denylist.
// All calls to this function should originate in some way from LaunchUrl.
static void LaunchUrlWithoutSecurityCheck(
const GURL& url,
content::WebContents* web_contents,
content::WeakDocumentPtr initiator_document);
// Allows LaunchUrl to proceed with launching an external protocol handler.
// This is typically triggered by a user gesture, but is also called for
// each extension API function. Note that each call to LaunchUrl resets
// the state to false (not allowed).
static void PermitLaunchUrl();
// Records an UMA metric for the external protocol HandleState selected, based
// on if the check box is selected / not and block / Dont block is picked.
static void RecordHandleStateMetrics(bool checkbox_selected,
BlockState state);
// Register the ExcludedSchemes preference.
static void RegisterPrefs(PrefRegistrySimple* registry);
#if !BUILDFLAG(IS_ANDROID)
// Creates and runs a External Protocol dialog box.
// |url| - The url of the request.
// |render_process_host_id| and |routing_id| are used by
// tab_util::GetWebContentsByID to aquire the tab contents associated with
// this dialog.
// NOTE: There is a race between the Time of Check and the Time Of Use for
// the command line. Since the caller (web page) does not have access
// to change the command line by itself, we do not do anything special
// to protect against this scenario.
// This is implemented separately on each platform.
// TODO(davidsac): Consider refactoring this to take a WebContents directly.
// crbug.com/668289
//
// The dialog displays |initiating_origin| to the user so that they can
// attribute the external protocol request to a site that initiated it. If an
// opaque origin (for example, an origin inside a sandboxed iframe) initiated
// the request, then |initiating_origin| should be set to the precursor origin
// (that is, the origin that created the opaque origin).
static void RunExternalProtocolDialog(
const GURL& url,
content::WebContents* web_contents,
ui::PageTransition page_transition,
bool has_user_gesture,
bool is_in_fenced_frame_tree,
const std::optional<url::Origin>& initiating_origin,
content::WeakDocumentPtr initiator_document,
const std::u16string& program_name);
#endif
// Clears the external protocol handling data.
static void ClearData(Profile* profile);
};
#endif // CHROME_BROWSER_EXTERNAL_PROTOCOL_EXTERNAL_PROTOCOL_HANDLER_H_