// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_BROWSER_LOADER_KEEP_ALIVE_URL_LOADER_SERVICE_H_
#define CONTENT_BROWSER_LOADER_KEEP_ALIVE_URL_LOADER_SERVICE_H_
#include <memory>
#include <optional>
#include "base/containers/lru_cache.h"
#include "base/memory/scoped_refptr.h"
#include "content/browser/attribution_reporting/attribution_suitable_context.h"
#include "content/browser/loader/keep_alive_url_loader.h"
#include "content/common/content_export.h"
#include "content/public/browser/weak_document_ptr.h"
#include "mojo/public/cpp/bindings/pending_associated_receiver.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "services/metrics/public/cpp/ukm_source_id.h"
#include "services/network/public/mojom/url_loader_factory.mojom.h"
#include "third_party/blink/public/common/loader/url_loader_factory_bundle.h"
#include "third_party/blink/public/mojom/loader/fetch_later.mojom.h"
namespace content {
class NavigationHandle;
class PolicyContainerHost;
// A service that stores bound SharedURLLoaderFactory mojo pipes from renderers
// of the same storage partition, and the intermediate URLLoader receivers, i.e.
// KeepAliveURLLoader, they have created to load fetch keepalive requests.
//
// A fetch keepalive request is originated from a JS call to
// `fetch(..., {keepalive: true})` or `navigator.sendBeacon()`. A renderer can
// ask this service to handle such request by using a remote of
// mojom::URLLoaderFactory bound to this service by `BindFactory()`, which also
// binds RenderFrameHostImpl-specific context with every receiver.
//
// Calling the remote `CreateLoaderAndStart()` of a factory will create a
// `KeepAliveURLLoader` here in browser. The service is responsible for keeping
// these loaders in `loader_receivers_` until the corresponding request
// completes or fails.
//
// Handling keepalive requests in this service allows a request to continue even
// if a renderer unloads before completion, i.e. the request is "keepalive",
// without needing the renderer to stay extra longer than the necessary time.
//
// This service is created and stored in every `StoragePartitionImpl` instance.
// Hence, its lifetime is the same as the owner StoragePartition for a partition
// domain, which should be generally longer than any of the renderers spawned
// from the partition domain.
//
// Design Doc:
// https://docs.google.com/document/d/1ZzxMMBvpqn8VZBZKnb7Go8TWjnrGcXuLS_USwVVRUvY
class CONTENT_EXPORT KeepAliveURLLoaderService {
public:
// A context for the receiver of a `KeepAliveURLLoaderFactoriesBase`
// connection between a renderer and the browser.
//
// A FactoryContext is created whenever `BindFactory()` or
// `BindFetchLaterLoaderFactory()` is called by
// RenderFrameHostImpl::CommitNavigation(). It can also be cloned by the same
// corresponding renderer, or when new window or new child frame is created.
//
// See `mojo::ReceiverSetBase` for more details.
struct CONTENT_EXPORT FactoryContext {
FactoryContext(
scoped_refptr<network::SharedURLLoaderFactory> factory,
scoped_refptr<PolicyContainerHost> frame_policy_container_host);
// Called when a factory is cloned by URLLoaderFactory::Clone().
explicit FactoryContext(const std::unique_ptr<FactoryContext>& other);
~FactoryContext();
// Not Copyable.
FactoryContext(const FactoryContext&) = delete;
FactoryContext& operator=(const FactoryContext&) = delete;
// Updates `weak_document_ptr` and other document-related fields.
void OnDidCommitNavigation(NavigationHandle* navigation_handle);
// Updates `attribution_context` for fields relied on prerendered page
// activation, e.g. UKM source ID.
void OnDidCommitPrerenderedPageActivation();
// Called when a `KeepAliveURLLoader` is about to create.
// This updates RenderFrameHostImpl via `weak_document_ptr` about the
// creation of a keepalive request.
void OnBeforeKeepAliveURLLoaderCreated(
const network::ResourceRequest& resource_request);
// Updates `factory` using the given `new_factory`.
//
// Only called either
// (1) when DevTools tries to intercept every URLLoaderFactory
// (2) after network service crashes
//
// The default subresources loading, including non-keepalive fetch requests,
// don't go through browser. Hence, their intercepted URLLoaderFactory are
// updated via SubresourceLoaderUpdater::UpdateSubresourceLoaderFactories().
// On the other hand, calling this method can update the fetch keepalive
// factory directly in-browser.
void UpdateFactory(
scoped_refptr<network::SharedURLLoaderFactory> new_factory);
// The factory to use for the requests initiated from this context.
scoped_refptr<network::SharedURLLoaderFactory> factory;
// Upon NavigationRequest::DidCommitNavigation(), `weak_document_ptr` will
// be set to the document that this `BindContext` is associated with. It
// will become null whenever the document navigates away.
WeakDocumentPtr weak_document_ptr;
// Upon NavigationRequest::DidCommitNavigation(), `ukm_source_id` will
// be set to the PageUkmSourceId of the document that this `BindContext` is
// associated with. This includes UkmSourceId for prerendered page
// activation.
//
// It will never be reset even if the document has navigated away from the
// original page.
std::optional<ukm::SourceId> ukm_source_id;
// The `PolicyContainerHost` of the document connecting to an implementation
// of `KeepAliveURLLoaderFactoriesBase` using this context.
//
// This field keeps the pointed object alive such that any pending keepalive
// redirect requests can still be verified against these same policies.
//
// When `this` is constructed, this field is set to the PolicyContainerHost
// of the requesting RenderFrameHostImpl, which may be inherited from its
// creator (See `RenderFrameHostImpl::InitializePolicyContainerHost()`):
// when a factory is cloned due to creating new window/new child frame,
// this field will initially inherit the same value; if the new window/new
// child frame commits a new document after that, this field will be updated
// by `OnDidCommitNavigation()`.
scoped_refptr<PolicyContainerHost> policy_container_host;
// Attribution responses might be processed from keep alive requests. For
// them to be processed, the request must have been sent from a suitable
// context and information from that context is needed. Upon
// NavigationRequest::DidCommitNavigation(), if the context is suitable,
// the `attribution_context` is created.
std::optional<AttributionSuitableContext> attribution_context;
// On NavigationRequest::DidCommitNavigation(), this field is set to the
// network isolation key of the committed RenderFrameHostImpl.
net::NetworkIsolationKey network_isolation_key;
// This must be the last member.
base::WeakPtrFactory<FactoryContext> weak_ptr_factory{this};
};
// `storage_partition` creates and owns the instance of this service. It
// must not be null and surpass the lifetime of this service.
explicit KeepAliveURLLoaderService(StoragePartitionImpl* storage_partition);
~KeepAliveURLLoaderService();
// Not Copyable.
KeepAliveURLLoaderService(const KeepAliveURLLoaderService&) = delete;
KeepAliveURLLoaderService& operator=(const KeepAliveURLLoaderService&) =
delete;
// Binds the pending `receiver` with this service, using
// `subresource_proxying_factory_bundle`.
//
// The remote of `receiver` can be passed to another process, i.e. renderer,
// from which to create new fetch keepalive requests.
//
// `policy_container_host` is the policy host of the requester frame going to
// use the remote of `receiver` to load requests. It must not be null.
//
// Returns a `FactoryContext` bound to the new factory connecting with
// `receiver`. The caller can update the context when necessary.
base::WeakPtr<FactoryContext> BindFactory(
mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
scoped_refptr<network::SharedURLLoaderFactory>
subresource_proxying_factory_bundle,
scoped_refptr<PolicyContainerHost> policy_container_host);
// Binds the pending FetchLaterLoaderFactory `receiver` with this service,
// which uses `factory` to load FetchLater URL requests.
// See also `BindFactory()` for other parameters. Note that the returned
// `FactoryContext` here is different from the one of `BindFactory()`.
base::WeakPtr<FactoryContext> BindFetchLaterLoaderFactory(
mojo::PendingAssociatedReceiver<blink::mojom::FetchLaterLoaderFactory>
receiver,
scoped_refptr<network::SharedURLLoaderFactory>
subresource_proxying_factory_bundle,
scoped_refptr<PolicyContainerHost> policy_container_host);
// Called when the `browser_context_` that owns this instance is shutting
// down.
void Shutdown();
// Called when user data is cleared that requires clearing pending retry
// loads as well.
void ClearKeepAliveURLLoadersAttemptingRetry();
// Called when a new document with the given NetworkIsolationKey became
// active, allowing potentially pending retry attempts with the same NIK
// that are waiting for a same-document NIK to continue.
void DidObserveNewlyActiveDocumentWithNIK(
const net::NetworkIsolationKey& nik);
// For testing only:
base::WeakPtr<KeepAliveURLLoader> GetLoaderWithRequestIdForTesting(
int32_t request_id) const;
size_t NumLoadersForTesting() const;
size_t NumDisconnectedLoadersForTesting() const;
size_t NumLoadersAttemptingRetryForTesting(bool include_failed_retry) const;
void SetLoaderObserverForTesting(
scoped_refptr<KeepAliveURLLoader::TestObserver> observer);
void SetURLLoaderThrottlesGetterForTesting(
KeepAliveURLLoader::URLLoaderThrottlesGetter
url_loader_throttles_getter_for_testing);
private:
template <typename Interface,
template <typename>
class PendingReceiverType,
template <typename, typename>
class ReceiverSetType>
class KeepAliveURLLoaderFactoriesBase;
class KeepAliveURLLoaderFactories;
class FetchLaterLoaderFactories;
// Handles every disconnection notification for `loader_receivers_`.
void OnLoaderDisconnected();
// Removes the KeepAliveURLLoader kept by this service, either from
// `loader_receivers_` or `disconnected_loaders_`.
void RemoveLoader(mojo::ReceiverId loader_receiver_id);
// Called when a loader with the given NetworkIsolationKey wants to attempt a
// retry. This function checks the limit of retries for the given factory /
// NetworkIsolationKey and returns whether a retry is allowed or not.
bool CheckRetryEligibility(const net::NetworkIsolationKey&);
// The continuation of the call above. This is called after we've determined
// that the retry is allowed, to update the global retry limit tracker.
void OnRetryScheduled(const net::NetworkIsolationKey&);
// The StoragePartition that owns this instance of the service. raw_ptr is OK
// since it must outlive this service.
const raw_ptr<StoragePartitionImpl> storage_partition_;
// Many-to-one mojo receiver of URLLoaderFactory for Fetch keepalive requests.
std::unique_ptr<KeepAliveURLLoaderFactories> url_loader_factories_;
// Many-to-one mojo receiver of FetchLaterLoaderFactory for FetchLater
// keepalive requests.
std::unique_ptr<FetchLaterLoaderFactories> fetch_later_loader_factories_;
// Map for NetworkIsolationKey -> total retry attempt done for fetches
// initiated by a document with the given NetworkIsolationKey. This is used to
// limit the amount of retries that can be attempted per browsing session for
// a given NetworkIsolationKey.
base::LRUCache<net::NetworkIsolationKey, size_t> retry_counts_;
// For testing only:
// Not owned.
scoped_refptr<KeepAliveURLLoader::TestObserver> loader_test_observer_ =
nullptr;
KeepAliveURLLoader::URLLoaderThrottlesGetter
url_loader_throttles_getter_for_testing_ = base::NullCallback();
};
} // namespace content
#endif // CONTENT_BROWSER_LOADER_KEEP_ALIVE_URL_LOADER_SERVICE_H_