0
代码
代码
Issues
Pull Requests
讨论
Wiki
分析
0
jiujiaoxiaogulajiujiaoxiaogula2026.03.30 arkweb_144代码蓝黄同步
326eaf60创建于 3月30日历史提交
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/url_request/url_request_http_job.h"

#include <algorithm>
#include <iterator>
#include <memory>
#include <optional>
#include <string_view>
#include <utility>
#include <vector>

#include "arkweb/ohos_adapter_ndk/interfaces/ohos_adapter_helper.h"
#include "arkweb/chromium_ext/net/url_request/url_request_context_ext.h"
#include "base/base_switches.h"
#include "base/check_op.h"
#include "base/command_line.h"
#include "base/compiler_specific.h"
#include "base/feature_list.h"
#include "base/file_version_info.h"
#include "base/functional/bind.h"
#include "base/functional/callback_helpers.h"
#include "base/location.h"
#include "base/memory/ptr_util.h"
#include "base/metrics/field_trial.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/notreached.h"
#include "base/numerics/safe_conversions.h"
#include "base/rand_util.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/task/single_thread_task_runner.h"
#include "base/time/time.h"
#include "base/trace_event/trace_event.h"
#include "base/types/optional_util.h"
#include "base/values.h"
#include "build/build_config.h"
#include "net/base/features.h"
#include "net/base/hash_value.h"
#include "net/base/host_port_pair.h"
#include "net/base/http_user_agent_settings.h"
#include "net/base/load_flags.h"
#include "net/base/net_errors.h"
#include "net/base/network_anonymization_key.h"
#include "net/base/network_delegate.h"
#include "net/base/network_isolation_key.h"
#include "net/base/privacy_mode.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "net/base/schemeful_site.h"
#include "net/base/task/task_runner.h"
#include "net/base/trace_constants.h"
#include "net/base/url_util.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/known_roots.h"
#include "net/cookies/canonical_cookie.h"
#include "net/cookies/cookie_access_delegate.h"
#include "net/cookies/cookie_constants.h"
#include "net/cookies/cookie_partition_key.h"
#include "net/cookies/cookie_setting_override.h"
#include "net/cookies/cookie_store.h"
#include "net/cookies/cookie_util.h"
#include "net/cookies/parsed_cookie.h"
#include "net/filter/filter_source_stream.h"
#include "net/filter/source_stream.h"
#include "net/filter/source_stream_type.h"
#include "net/first_party_sets/first_party_set_entry.h"
#include "net/first_party_sets/first_party_set_metadata.h"
#include "net/first_party_sets/first_party_sets_cache_filter.h"
#include "net/http/http_content_disposition.h"
#include "net/http/http_log_util.h"
#include "net/http/http_network_session.h"
#include "net/http/http_request_headers.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_response_info.h"
#include "net/http/http_status_code.h"
#include "net/http/http_transaction.h"
#include "net/http/http_transaction_factory.h"
#include "net/http/http_util.h"
#include "net/http/transport_security_state.h"
#include "net/log/net_log.h"
#include "net/log/net_log_event_type.h"
#include "net/log/net_log_values.h"
#include "net/log/net_log_with_source.h"
#include "net/nqe/network_quality_estimator.h"
#include "net/proxy_resolution/proxy_info.h"
#include "net/proxy_resolution/proxy_resolution_service.h"
#include "net/proxy_resolution/proxy_retry_info.h"
#include "net/ssl/ssl_cert_request_info.h"
#include "net/ssl/ssl_config_service.h"
#include "net/ssl/ssl_connection_status_flags.h"
#include "net/ssl/ssl_info.h"
#include "net/storage_access_api/status.h"
#include "net/url_request/clear_site_data.h"
#include "net/url_request/redirect_util.h"
#include "net/url_request/url_request.h"
#include "net/url_request/url_request_context.h"
#include "net/url_request/url_request_error_job.h"
#include "net/url_request/url_request_job_factory.h"
#include "net/url_request/url_request_redirect_job.h"
#include "net/url_request/websocket_handshake_userdata_key.h"
#include "url/gurl.h"
#include "url/origin.h"
#include "url/url_constants.h"

#if BUILDFLAG(IS_ANDROID)
#include "net/android/network_library.h"
#endif

#if BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK)
#include "base/command_line.h"
#include "arkweb/chromium_ext/content/public/common/content_switches_ext.h"
#endif

#if BUILDFLAG(ARKWEB_PRP_PRELOAD)
#include "arkweb/chromium_ext/net/base/page_res_request_info.h"
#endif

#if BUILDFLAG(ARKWEB_NETWORK_LOAD)
#include "arkweb/chromium_ext/base/ohos/sys_info_utils_ext.h"
#endif

#if BUILDFLAG(ARKWEB_EX_FALLBACK_PROXY)
#include "arkweb/chromium_ext/content/public/common/content_switches_ext.h"
#endif

#if BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)
#include "net/device_bound_sessions/registration_fetcher_param.h"
#include "net/device_bound_sessions/session_challenge_param.h"
#include "net/device_bound_sessions/session_service.h"
#endif  // BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)


#include "arkweb/chromium_ext/net/url_request/net/url_request/url_request_http_job_for_include.cc"

namespace net {

namespace {

const size_t kDelayRetryThreshold = 10;

base::Value::Dict FirstPartySetMetadataNetLogParams(
    const FirstPartySetMetadata& first_party_set_metadata,
    const int64_t* const fps_cache_filter) {
  base::Value::Dict dict;
  auto entry_or_empty =
      [](const std::optional<FirstPartySetEntry>& entry) -> std::string {
    return entry.has_value() ? entry->GetDebugString() : "none";
  };

  dict.Set("cache_filter",
           fps_cache_filter ? base::NumberToString(*fps_cache_filter) : "none");
  dict.Set("frame_entry",
           entry_or_empty(first_party_set_metadata.frame_entry()));
  dict.Set("top_frame_primary",
           entry_or_empty(first_party_set_metadata.top_frame_entry()));
  return dict;
}

base::Value::Dict CookieInclusionStatusNetLogParams(
    const std::string& operation,
    const std::string& cookie_name,
    const std::string& cookie_domain,
    const std::string& cookie_path,
    const std::optional<CookiePartitionKey>& partition_key,
    const CookieInclusionStatus& status,
    NetLogCaptureMode capture_mode) {
  base::Value::Dict dict;
  dict.Set("operation", operation);
  dict.Set("status", status.GetDebugString());
  if (NetLogCaptureIncludesSensitive(capture_mode)) {
    if (!cookie_name.empty()) {
      dict.Set("name", cookie_name);
    }
    if (!cookie_domain.empty()) {
      dict.Set("domain", cookie_domain);
    }
    if (!cookie_path.empty()) {
      dict.Set("path", cookie_path);
    }
  }
  // The partition key is not sensitive, since it is fully determined by the
  // structure of the page. The cookie may either be partitioned or not, but
  // does not have the ability to influence the key's value.
  std::string partition_key_str;
  if (partition_key.has_value()) {
    base::expected<CookiePartitionKey::SerializedCookiePartitionKey,
                   std::string>
        serialized = CookiePartitionKey::Serialize(partition_key);
    partition_key_str = serialized.has_value()
                            ? serialized.value().GetDebugString()
                            : serialized.error();
  } else {
    partition_key_str = "(none)";
  }
  dict.Set("partition_key", std::move(partition_key_str));
  return dict;
}

// Records details about the most-specific trust anchor in |spki_hashes|,
// which is expected to be ordered with the leaf cert first and the root cert
// last. This complements the per-verification histogram
// Net.Certificate.TrustAnchor.Verify
void LogTrustAnchor(const std::vector<SHA256HashValue>& spki_hashes) {
  // Don't record metrics if there are no hashes; this is true if the HTTP
  // load did not come from an active network connection, such as the disk
  // cache or a synthesized response.
  if (spki_hashes.empty()) {
    return;
  }

  int32_t id = 0;
  for (const auto& hash : spki_hashes) {
    id = GetNetTrustAnchorHistogramIdForSPKI(hash);
    if (id != 0) {
      break;
    }
  }
  base::UmaHistogramSparse("Net.Certificate.TrustAnchor.Request", id);
}

CookieOptions CreateCookieOptions(
    CookieOptions::SameSiteCookieContext same_site_context) {
  CookieOptions options;
  options.set_return_excluded_cookies();
  options.set_include_httponly();
  options.set_same_site_cookie_context(same_site_context);
  return options;
}

bool IsTLS13OverTCP(const HttpResponseInfo& response_info) {
  // Although IETF QUIC also uses TLS 1.3, our QUIC connections report
  // SSL_CONNECTION_VERSION_QUIC.
  return SSLConnectionStatusToVersion(
             response_info.ssl_info.connection_status) ==
         SSL_CONNECTION_VERSION_TLS1_3;
}

GURL UpgradeSchemeToCryptographic(const GURL& insecure_url) {
  DCHECK(!insecure_url.SchemeIsCryptographic());
  DCHECK(insecure_url.SchemeIs(url::kHttpScheme) ||
         insecure_url.SchemeIs(url::kWsScheme));

  GURL::Replacements replacements;
  replacements.SetSchemeStr(insecure_url.SchemeIs(url::kHttpScheme)
                                ? url::kHttpsScheme
                                : url::kWssScheme);

  GURL secure_url = insecure_url.ReplaceComponents(replacements);
  DCHECK(secure_url.SchemeIsCryptographic());

  return secure_url;
}

// These values are persisted to logs. Entries should not be renumbered and
// numeric values should never be reused.
enum class ContentEncodingType {
  kUnknown = 0,
  kBrotli = 1,
  kGZip = 2,
  kDeflate = 3,
  kZstd = 4,
  kMaxValue = kZstd,
};

ContentEncodingType ToContentEncodingType(SourceStreamType type) {
  switch (type) {
    case SourceStreamType::kBrotli:
      return ContentEncodingType::kBrotli;
    case SourceStreamType::kDeflate:
      return ContentEncodingType::kDeflate;
    case SourceStreamType::kGzip:
      return ContentEncodingType::kGZip;
    case SourceStreamType::kZstd:
      return ContentEncodingType::kZstd;
    case SourceStreamType::kUnknown:
      return ContentEncodingType::kUnknown;
    case SourceStreamType::kNone:
      return ContentEncodingType::kUnknown;
  }
}

// These values are persisted to logs. Entries should not be renumbered and
// numeric values should never be reused.
enum class HttpRequestStsState {
  kUnknown = 0,
  kUnprotectedHttps = 1,
  kProtectedHttps = 2,
  kUnprotectedHttp = 3,
  kProtectedHttp = 4,
  kMaxValue = kProtectedHttp,
};

// These values are persisted to logs. Entries should not be renumbered and
// numeric values should never be reused.
// LINT.IfChange(HttpRequestSSLUpgradeDecision)
enum class HttpRequestSSLUpgradeDecision {
  // The request was insecure and was not upgraded to use SSL.
  kInsecureNoUpgrade = 0,
  // The request used SSL. It would not have been upgraded if it was insecure.
  kSSLNoUpgrade = 1,
  // The request was insecure but upgraded to use SSL using static data.
  kInsecureStaticUpgrade = 2,
  // The request used SSL. If was insecure, it would have been upgraded using
  // static data.
  kSSLStaticUpgrade = 3,
  // The request was insecure but upgraded to use SSL using dynamic data. It
  // would not have been upgraded using only static data.
  kInsecureDynamicUpgrade = 4,
  // The request used SSL. If it was insecure, it would have been upgraded using
  // dynamic data but not with only static data.
  kSSLDynamicUpgrade = 5,
  kMaxValue = kSSLDynamicUpgrade,
};
// LINT.ThenChange(//tools/metrics/histograms/metadata/enums.xml:HttpRequestSSLUpgradeDecision)

HttpRequestSSLUpgradeDecision GetMetricForSSLUpgradeDecision(
    SSLUpgradeDecision upgrade_decision,
    bool is_secure) {
  switch (upgrade_decision) {
    case SSLUpgradeDecision::kNoUpgrade:
      return is_secure ? HttpRequestSSLUpgradeDecision::kSSLNoUpgrade
                       : HttpRequestSSLUpgradeDecision::kInsecureNoUpgrade;
    case SSLUpgradeDecision::kStaticUpgrade:
      return is_secure ? HttpRequestSSLUpgradeDecision::kSSLStaticUpgrade
                       : HttpRequestSSLUpgradeDecision::kInsecureStaticUpgrade;
    case SSLUpgradeDecision::kDynamicUpgrade:
      return is_secure ? HttpRequestSSLUpgradeDecision::kSSLDynamicUpgrade
                       : HttpRequestSSLUpgradeDecision::kInsecureDynamicUpgrade;
  }
  NOTREACHED();
}

void RecordSTSHistograms(SSLUpgradeDecision upgrade_decision,
                         bool is_secure,
                         int load_flags) {
  // Embrace the layering violation and only record the histogram for main frame
  // navigations. It's possible to record this outside of net/, but the code is
  // a lot more complicated, and while this flag is deprecated, there are no
  // current plans to remove it. See crbug.com/516499 .
  if (!(load_flags & LOAD_MAIN_FRAME_DEPRECATED)) {
    return;
  }
  const bool sts_enabled = upgrade_decision != SSLUpgradeDecision::kNoUpgrade;
  HttpRequestStsState sts_state = HttpRequestStsState::kUnknown;
  if (is_secure) {
    sts_state = (sts_enabled ? HttpRequestStsState::kProtectedHttps
                             : HttpRequestStsState::kUnprotectedHttps);
  } else {
    sts_state = (sts_enabled ? HttpRequestStsState::kProtectedHttp
                             : HttpRequestStsState::kUnprotectedHttp);
  }
  UMA_HISTOGRAM_ENUMERATION("Net.HttpRequestStsState", sts_state);

  UMA_HISTOGRAM_ENUMERATION(
      "Net.HttpRequestSSLUpgradeDecision",
      GetMetricForSSLUpgradeDecision(upgrade_decision, is_secure));
}

bool ClearSiteDataHeaderContainsCookiesOrWildcard(
    const HttpResponseHeaders* headers) {
  size_t iter = 0;
  while (auto maybe_token =
             headers->EnumerateHeader(&iter, kClearSiteDataHeader)) {
    if (maybe_token == kDatatypeCookies || maybe_token == kDatatypeWildcard) {
      return true;
    }
  }
  return false;
}

const scoped_refptr<base::SingleThreadTaskRunner>& TaskRunner(
    net::RequestPriority priority) {
  if (features::kNetTaskSchedulerURLRequestHttpJob.Get()) {
    return net::GetTaskRunner(priority);
  }
  return base::SingleThreadTaskRunner::GetCurrentDefault();
}

}  // namespace

std::unique_ptr<URLRequestJob> URLRequestHttpJob::Create(URLRequest* request) {
  const GURL& url = request->url();

  // URLRequestContext must have been initialized.
  DCHECK(request->context()->http_transaction_factory());
  DCHECK(url.SchemeIsHTTPOrHTTPS() || url.SchemeIsWSOrWSS());

  SSLUpgradeDecision upgrade_decision = SSLUpgradeDecision::kNoUpgrade;
  if (TransportSecurityState* hsts =
          request->context()->transport_security_state()) {
    upgrade_decision = hsts->GetSSLUpgradeDecision(
        url.GetHost(),
        /*is_top_level_nav=*/
        request->isolation_info().IsOutermostMainFrameRequest(),
        request->net_log());
  }

  // Check for reasons not to return a URLRequestHttpJob. These don't apply to
  // https and wss requests.
  if (!url.SchemeIsCryptographic()) {
    // If the request explicitly has been marked to bypass HSTS, ensure that
    // the request is in no-credential mode so that the http site can't read
    // or set cookies which are shared across http/https, then skip the
    // upgrade.
    if (((request->load_flags() & LOAD_SHOULD_BYPASS_HSTS) ==
         LOAD_SHOULD_BYPASS_HSTS)) {
      CHECK(request->allow_credentials() == false);
    } else {
      // Check for HSTS upgrade.
      if (upgrade_decision != SSLUpgradeDecision::kNoUpgrade) {
        RecordSTSHistograms(upgrade_decision,
                            /*is_secure=*/false, request->load_flags());
        return std::make_unique<URLRequestRedirectJob>(
            request, UpgradeSchemeToCryptographic(url),
            // Use status code 307 to preserve the method, so POST requests
            // work.
            RedirectUtil::ResponseCode::REDIRECT_307_TEMPORARY_REDIRECT,
            "HSTS");
      }
    }

#if BUILDFLAG(IS_ANDROID)
    // Check whether the app allows cleartext traffic to this host, and return
    // ERR_CLEARTEXT_NOT_PERMITTED if not.
    if (request->context()->check_cleartext_permitted() &&
        !android::IsCleartextPermitted(url.host())) {
      RecordSTSHistograms(SSLUpgradeDecision::kNoUpgrade,
                          /*is_secure=*/false, request->load_flags());
      return std::make_unique<URLRequestErrorJob>(request,
                                                  ERR_CLEARTEXT_NOT_PERMITTED);
    }
#endif

#if BUILDFLAG(ARKWEB_NETWORK_LOAD)
    if (base::ohos::ApplicationApiVersion() >= APP_API_LEVEL_20) {
      auto NetConfigAdapter =
          OHOS::NWeb::OhosAdapterHelper::GetInstance().GetNetConfigAdapter();
      if (!NetConfigAdapter) {
        LOG(ERROR) << "get netconfig adapter failed";
      } else if (NetConfigAdapter->GetIsCleartextCfgByComponent(base::ohos::ComponentName()) &&
                 !NetConfigAdapter->GetIsCleartextPermittedByHostName(url.host())) {
        return std::make_unique<URLRequestErrorJob>(request, ERR_CLEARTEXT_NOT_PERMITTED);
      }
    }
#endif
  }

  RecordSTSHistograms(upgrade_decision, url.SchemeIsCryptographic(),
                      request->load_flags());
  return base::WrapUnique<URLRequestJob>(new URLRequestHttpJob(
      request, request->context()->http_user_agent_settings()));
}

URLRequestHttpJob::URLRequestHttpJob(
    URLRequest* request,
    const HttpUserAgentSettings* http_user_agent_settings)
    : URLRequestJob(request),
      http_user_agent_settings_(http_user_agent_settings) {
  ResetTimer();
}

URLRequestHttpJob::~URLRequestHttpJob() {
  CHECK(!awaiting_callback_);

  DoneWithRequest(ABORTED);
}

void URLRequestHttpJob::SetPriority(RequestPriority priority) {
  priority_ = priority;
  if (transaction_) {
    transaction_->SetPriority(priority_);
  }
}

void URLRequestHttpJob::Start() {
  DCHECK(!transaction_.get());

  request_info_.url = request_->url();
  request_info_.method = request_->method();

  request_info_.network_isolation_key =
      request_->isolation_info().network_isolation_key();
  request_info_.network_anonymization_key =
      request_->isolation_info().network_anonymization_key();
  request_info_.possibly_top_frame_origin =
      request_->isolation_info().top_frame_origin();
  request_info_.frame_origin = request_->isolation_info().frame_origin();
  request_info_.is_subframe_document_resource =
      request_->isolation_info().request_type() ==
      IsolationInfo::RequestType::kSubFrame;
  request_info_.is_main_frame_navigation =
      request_->isolation_info().IsMainFrameRequest();
  request_info_.initiator = request_->initiator();
  request_info_.load_flags = request_->load_flags();
  request_info_.priority_incremental = request_->priority_incremental();
  request_info_.secure_dns_policy = request_->secure_dns_policy();
  request_info_.traffic_annotation =
      MutableNetworkTrafficAnnotationTag(request_->traffic_annotation());
  request_info_.socket_tag = request_->socket_tag();
  request_info_.idempotency = request_->GetIdempotency();
#if BUILDFLAG(ENABLE_REPORTING)
  request_info_.reporting_upload_depth = request_->reporting_upload_depth();
#endif

#if BUILDFLAG(ARKWEB_EX_FALLBACK_PROXY)
  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
          ::switches::kEnableNwebEx) &&
      request_->IsRetryingWithFallbackProxy()) {
    request_info_.retry_with_fallback_proxy = true;
    did_use_fallback_proxy_ = true;
    LOG(DEBUG) << "This request will use fallback proxy, url "
               << url::LogUtils::ConvertUrlWithMask(request_->url().spec());
  }
#endif

#if BUILDFLAG(ARKWEB_LOGGER_REPORT)
  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
          switches::kEnableLoggerReport)) {
    request_info_.usage_scenario_ = request_->usage_scenario();
  }
#endif
#if BUILDFLAG(ARKWEB_PRP_PRELOAD)
  request_info_.allow_preload_record = request_->allow_preload_record();
  request_info_.main_url = request_->main_url();
#endif
  request_info_.is_shared_resource = request_->is_shared_resource();

  CookieStore* cookie_store = request()->context()->cookie_store();
  const CookieAccessDelegate* delegate =
      cookie_store ? cookie_store->cookie_access_delegate() : nullptr;

  request_->net_log().BeginEvent(NetLogEventType::FIRST_PARTY_SETS_METADATA);

  std::optional<
      std::pair<FirstPartySetMetadata, FirstPartySetsCacheFilter::MatchInfo>>
      maybe_metadata = cookie_util::ComputeFirstPartySetMetadataMaybeAsync(
          SchemefulSite(request()->url()), request()->isolation_info(),
          delegate,
          base::BindOnce(&URLRequestHttpJob::OnGotFirstPartySetMetadata,
                         weak_factory_.GetWeakPtr()));

  if (maybe_metadata.has_value()) {
    auto [metadata, match_info] = std::move(maybe_metadata).value();
    OnGotFirstPartySetMetadata(std::move(metadata), std::move(match_info));
  }
}

namespace {

bool ShouldBlockAllCookies(PrivacyMode privacy_mode) {
  return privacy_mode == PRIVACY_MODE_ENABLED ||
         privacy_mode == PRIVACY_MODE_ENABLED_WITHOUT_CLIENT_CERTS;
}

}  // namespace

void URLRequestHttpJob::OnGotFirstPartySetMetadata(
    FirstPartySetMetadata first_party_set_metadata,
    FirstPartySetsCacheFilter::MatchInfo match_info) {
  first_party_set_metadata_ = std::move(first_party_set_metadata);
  request_info_.fps_cache_filter = match_info.clear_at_run_id;
  request_info_.browser_run_id = match_info.browser_run_id;

  request_->net_log().EndEvent(
      NetLogEventType::FIRST_PARTY_SETS_METADATA, [&]() {
        return FirstPartySetMetadataNetLogParams(
            first_party_set_metadata_,
            base::OptionalToPtr(request_info_.fps_cache_filter));
      });

  // Privacy mode could still be disabled in SetCookieHeaderAndStart if we are
  // going to send previously saved cookies.
  request_info_.privacy_mode = DeterminePrivacyMode();
  request()->net_log().AddEventWithStringParams(
      NetLogEventType::COMPUTED_PRIVACY_MODE, "privacy_mode",
      PrivacyModeToDebugString(request_info_.privacy_mode));

  // Strip Referer from request_info_.extra_headers to prevent, e.g., plugins
  // from overriding headers that are controlled using other means. Otherwise a
  // plugin could set a referrer although sending the referrer is inhibited.
  request_info_.extra_headers.RemoveHeader(HttpRequestHeaders::kReferer);

  // URLRequest::SetReferrer ensures that we do not send username and password
  // fields in the referrer.
  GURL referrer(request_->referrer());

  // Our consumer should have made sure that this is a safe referrer (e.g. via
  // URLRequestJob::ComputeReferrerForPolicy).
  if (referrer.is_valid()) {
    std::string referer_value = referrer.spec();
    request_info_.extra_headers.SetHeader(HttpRequestHeaders::kReferer,
                                          referer_value);
  }

  request_info_.extra_headers.SetHeaderIfMissing(
      HttpRequestHeaders::kUserAgent,
      http_user_agent_settings_ ? http_user_agent_settings_->GetUserAgent()
                                : std::string());

  AddExtraHeaders();

  if (ShouldAddCookieHeader()) {
    AddCookieHeaderAndStart();
  } else {
    StartTransaction();
  }
}

void URLRequestHttpJob::Kill() {
  weak_factory_.InvalidateWeakPtrs();
  if (transaction_) {
    DestroyTransaction();
  }
  URLRequestJob::Kill();
}

ConnectionAttempts URLRequestHttpJob::GetConnectionAttempts() const {
  if (transaction_) {
    return transaction_->GetConnectionAttempts();
  }
  return {};
}

void URLRequestHttpJob::CloseConnectionOnDestruction() {
  DCHECK(transaction_);
  transaction_->CloseConnectionOnDestruction();
}

int URLRequestHttpJob::NotifyConnectedCallback(
    const TransportInfo& info,
    CompletionOnceCallback callback) {
  return URLRequestJob::NotifyConnected(info, std::move(callback));
}

PrivacyMode URLRequestHttpJob::DeterminePrivacyMode() const {
  if (!request()->allow_credentials()) {
    // |allow_credentials_| implies LOAD_DO_NOT_SAVE_COOKIES.
    DCHECK(request_->load_flags() & LOAD_DO_NOT_SAVE_COOKIES);

    // TODO(crbug.com/40089326): Client certs should always be
    // affirmatively omitted for these requests.
    return request()->send_client_certs()
               ? PRIVACY_MODE_ENABLED
               : PRIVACY_MODE_ENABLED_WITHOUT_CLIENT_CERTS;
  }

  // Otherwise, check with the delegate if present, or base it off of
  // |URLRequest::DefaultCanUseCookies()| if not.
  // TODO(mmenke): Looks like |URLRequest::DefaultCanUseCookies()| is not too
  // useful, with the network service - remove it.
  NetworkDelegate::PrivacySetting privacy_setting =
      URLRequest::DefaultCanUseCookies()
          ? NetworkDelegate::PrivacySetting::kStateAllowed
          : NetworkDelegate::PrivacySetting::kStateDisallowed;
  if (request_->network_delegate()) {
    privacy_setting =
        request()->network_delegate()->ForcePrivacyMode(*request());
  }
  switch (privacy_setting) {
    case NetworkDelegate::PrivacySetting::kStateAllowed:
      return PRIVACY_MODE_DISABLED;
    case NetworkDelegate::PrivacySetting::kPartitionedStateAllowedOnly:
      return PRIVACY_MODE_ENABLED_PARTITIONED_STATE_ALLOWED;
    case NetworkDelegate::PrivacySetting::kStateDisallowed:
      return PRIVACY_MODE_ENABLED;
  }
  NOTREACHED();
}

void URLRequestHttpJob::NotifyHeadersComplete() {
  DCHECK(!response_info_);
  DCHECK_EQ(0, num_cookie_lines_left_);
  DCHECK(request_->maybe_stored_cookies().empty());

  if (override_response_info_) {
    DCHECK(!transaction_);
    response_info_ = override_response_info_.get();
  } else {
    response_info_ = transaction_->GetResponseInfo();
  }

  ProcessStrictTransportSecurityHeader();
#if BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)
  ProcessDeviceBoundSessionsHeader();
#endif  // BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)

  // Clear |set_cookie_access_result_list_| after any processing in case
  // SaveCookiesAndNotifyHeadersComplete is called again.
  request_->set_maybe_stored_cookies(std::move(set_cookie_access_result_list_));

  // The HTTP transaction may be restarted several times for the purposes
  // of sending authorization information. Each time it restarts, we get
  // notified of the headers completion so that we can update the cookie store.
  if (transaction_ && transaction_->IsReadyToRestartForAuth()) {
    // TODO(battre): This breaks the webrequest API for
    // URLRequestTestHTTP.BasicAuthWithCookies
    // where OnBeforeStartTransaction -> OnStartTransaction ->
    // OnBeforeStartTransaction occurs.
    RestartTransactionWithAuth(AuthCredentials());
    return;
  }

  URLRequestJob::NotifyHeadersComplete();
}

void URLRequestHttpJob::DestroyTransaction() {
  DCHECK(transaction_.get());

  DoneWithRequest(ABORTED);

  total_received_bytes_from_previous_transactions_ +=
      transaction_->GetTotalReceivedBytes();
  total_sent_bytes_from_previous_transactions_ +=
      transaction_->GetTotalSentBytes();
  response_info_ = nullptr;
  transaction_.reset();
  override_response_headers_ = nullptr;
  receive_headers_end_ = base::TimeTicks();
}

void URLRequestHttpJob::StartTransaction() {
  DCHECK(!override_response_info_);

  NetworkDelegate* network_delegate = request()->network_delegate();
  if (network_delegate) {
    OnCallToDelegate(
        NetLogEventType::NETWORK_DELEGATE_BEFORE_START_TRANSACTION);
    int rv = network_delegate->NotifyBeforeStartTransaction(
        request_, request_info_.extra_headers,
        base::BindOnce(&URLRequestHttpJob::NotifyBeforeStartTransactionCallback,
                       weak_factory_.GetWeakPtr()));
    // If an extension blocks the request, we rely on the callback to
    // MaybeStartTransactionInternal().
    if (rv == ERR_IO_PENDING) {
      return;
    }
    MaybeStartTransactionInternal(rv);
    return;
  }
  StartTransactionInternal();
}

void URLRequestHttpJob::NotifyBeforeStartTransactionCallback(
    int result,
    const std::optional<HttpRequestHeaders>& headers) {
  // The request should not have been cancelled or have already completed.
  DCHECK(!is_done());

  if (headers) {
    request_info_.extra_headers = headers.value();
  }
  MaybeStartTransactionInternal(result);
}

void URLRequestHttpJob::MaybeStartTransactionInternal(int result) {
  OnCallToDelegateComplete();
  if (result == OK) {
    StartTransactionInternal();
  } else {
    request_->net_log().AddEventWithStringParams(NetLogEventType::CANCELLED,
                                                 "source", "delegate");
    // Don't call back synchronously to the delegate.
    TaskRunner(priority_)->PostTask(
        FROM_HERE, base::BindOnce(&URLRequestHttpJob::NotifyStartError,
                                  weak_factory_.GetWeakPtr(), result));
  }
}

void URLRequestHttpJob::StartTransactionInternal() {
  DCHECK(!override_response_headers_);

  // NOTE: This method assumes that request_info_ is already setup properly.

  // If we already have a transaction, then we should restart the transaction
  // with auth provided by auth_credentials_.

  int rv = OK;

  // Notify NetworkQualityEstimator.
  NetworkQualityEstimator* network_quality_estimator =
      request()->context()->network_quality_estimator();
  if (network_quality_estimator) {
    network_quality_estimator->NotifyStartTransaction(*request_);
  }

  if (transaction_.get()) {
    rv = transaction_->RestartWithAuth(
        auth_credentials_, base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                                          base::Unretained(this)));
    auth_credentials_ = AuthCredentials();
  } else {
    DCHECK(request_->context()->http_transaction_factory());
    transaction_ =
        request_->context()->http_transaction_factory()->CreateTransaction(
            priority_);
    CHECK(transaction_);

    if (request_info_.url.SchemeIsWSOrWSS()) {
      base::SupportsUserData::Data* data =
          request_->GetUserData(kWebSocketHandshakeUserDataKey);
      if (data) {
        transaction_->SetWebSocketHandshakeStreamCreateHelper(
            static_cast<WebSocketHandshakeStreamBase::CreateHelper*>(data));
      } else {
        rv = ERR_DISALLOWED_URL_SCHEME;
      }
    }

    if (rv == OK && request_info_.method == "CONNECT") {
      // CONNECT has different kinds of targets than other methods (RFC 9110,
      // section 9.3.6), which are incompatible with URLRequest.
      rv = ERR_METHOD_NOT_SUPPORTED;
    }

    if (rv == OK) {
      transaction_->SetConnectedCallback(base::BindRepeating(
          &URLRequestHttpJob::NotifyConnectedCallback, base::Unretained(this)));
      transaction_->SetRequestHeadersCallback(request_headers_callback_);
      transaction_->SetEarlyResponseHeadersCallback(
          early_response_headers_callback_);
      transaction_->SetResponseHeadersCallback(response_headers_callback_);
      if (is_shared_dictionary_read_allowed_callback_) {
        transaction_->SetIsSharedDictionaryReadAllowedCallback(
            is_shared_dictionary_read_allowed_callback_);
      }

#if BUILDFLAG(ARKWEB_PRP_PRELOAD) && BUILDFLAG(IS_OHOS)
      InitPreloadInfoAndSetToTransaction();
#endif

      rv = transaction_->Start(
          &request_info_,
          base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                         base::Unretained(this)),
          request_->net_log());
      start_time_ = base::TimeTicks::Now();
    }
  }

  if (rv == ERR_IO_PENDING) {
    return;
  }

  // The transaction started synchronously, but we need to notify the
  // URLRequest delegate via the message loop.
  TaskRunner(priority_)->PostTask(
      FROM_HERE, base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                                weak_factory_.GetWeakPtr(), rv));
}

void URLRequestHttpJob::AddExtraHeaders() {
  request_info_.extra_headers.SetAcceptEncodingIfMissing(
      request()->url(), request()->accepted_stream_types(),
      request()->context()->enable_brotli(),
      request()->context()->enable_zstd());

  if (http_user_agent_settings_) {
    // Only add default Accept-Language if the request didn't have it
    // specified.
    std::string accept_language =
        http_user_agent_settings_->GetAcceptLanguage();
    if (!accept_language.empty()) {
      request_info_.extra_headers.SetHeaderIfMissing(
          HttpRequestHeaders::kAcceptLanguage, accept_language);
    }
  }
}

void URLRequestHttpJob::AddCookieHeaderAndStart() {
  CookieStore* cookie_store = request_->context()->cookie_store();
  DCHECK(cookie_store);
  DCHECK(ShouldAddCookieHeader());
  bool force_ignore_site_for_cookies =
      request_->force_ignore_site_for_cookies();
  if (cookie_store->cookie_access_delegate() &&
      cookie_store->cookie_access_delegate()->ShouldIgnoreSameSiteRestrictions(
          request_->url(), request_->site_for_cookies())) {
    force_ignore_site_for_cookies = true;
  }
  bool is_main_frame_navigation =
      IsolationInfo::RequestType::kMainFrame ==
          request_->isolation_info().request_type() ||
      request_->force_main_frame_for_same_site_cookies();
  CookieOptions::SameSiteCookieContext same_site_context =
      cookie_util::ComputeSameSiteContextForRequest(
          request_->method(), request_->url_chain(),
          request_->site_for_cookies(), request_->initiator(),
          is_main_frame_navigation, force_ignore_site_for_cookies,
          request_->ignore_unsafe_method_for_same_site_lax());

  CookieOptions options = CreateCookieOptions(same_site_context);

  cookie_store->GetCookieListWithOptionsAsync(
      request_->url(), options,
      CookiePartitionKeyCollection(request_->cookie_partition_key()),
      base::BindOnce(&URLRequestHttpJob::SetCookieHeaderAndStart,
                     weak_factory_.GetWeakPtr(), options));
}

void URLRequestHttpJob::SetCookieHeaderAndStart(
    const CookieOptions& options,
    const CookieAccessResultList& cookies_with_access_result_list,
    const CookieAccessResultList& excluded_list) {
  DCHECK(request_->maybe_sent_cookies().empty());

  CookieAccessResultList maybe_included_cookies =
      cookies_with_access_result_list;
  CookieAccessResultList excluded_cookies = excluded_list;

  if (ShouldBlockAllCookies(request_info_.privacy_mode)) {
    // If cookies are blocked (without our needing to consult the delegate),
    // we move them to `excluded_cookies` and ensure that they have the
    // correct exclusion reason.
    excluded_cookies.insert(
        excluded_cookies.end(),
        std::make_move_iterator(maybe_included_cookies.begin()),
        std::make_move_iterator(maybe_included_cookies.end()));
    maybe_included_cookies.clear();
    for (auto& cookie : excluded_cookies) {
      cookie.access_result.status.AddExclusionReason(
          CookieInclusionStatus::ExclusionReason::EXCLUDE_USER_PREFERENCES);
    }
  } else {
    // Consult the delegate to ensure that they have the correct exclusion
    // reason.
    AnnotateAndMoveUserBlockedCookies(maybe_included_cookies, excluded_cookies);
  }

  if (!maybe_included_cookies.empty()) {
    std::string cookie_line =
        CanonicalCookie::BuildCookieLine(maybe_included_cookies);
    request_info_.extra_headers.SetHeader(HttpRequestHeaders::kCookie,
                                          cookie_line);

    size_t n_partitioned_cookies = 0;

    // TODO(crbug.com/40110557): Reduce the number of times the cookie list
    // is iterated over. Get metrics for every cookie which is included.
    for (const auto& c : maybe_included_cookies) {
      bool request_is_secure = request_->url().SchemeIsCryptographic();
      CookieSourceScheme cookie_scheme = c.cookie.SourceScheme();
      CookieRequestScheme cookie_request_schemes;

      switch (cookie_scheme) {
        case CookieSourceScheme::kSecure:
          cookie_request_schemes =
              request_is_secure
                  ? CookieRequestScheme::kSecureSetSecureRequest
                  : CookieRequestScheme::kSecureSetNonsecureRequest;
          break;

        case CookieSourceScheme::kNonSecure:
          cookie_request_schemes =
              request_is_secure
                  ? CookieRequestScheme::kNonsecureSetSecureRequest
                  : CookieRequestScheme::kNonsecureSetNonsecureRequest;
          break;

        case CookieSourceScheme::kUnset:
          cookie_request_schemes = CookieRequestScheme::kUnsetCookieScheme;
          break;
      }

      UMA_HISTOGRAM_ENUMERATION("Cookie.CookieSchemeRequestScheme",
                                cookie_request_schemes);
      if (c.cookie.IsPartitioned()) {
        ++n_partitioned_cookies;
      }
    }

    if (ShouldRecordPartitionedCookieUsage()) {
      base::UmaHistogramCounts100("Cookie.PartitionedCookiesInRequest",
                                  n_partitioned_cookies);
    }
  }

  CookieAccessResultList maybe_sent_cookies = std::move(excluded_cookies);
  maybe_sent_cookies.insert(
      maybe_sent_cookies.end(),
      std::make_move_iterator(maybe_included_cookies.begin()),
      std::make_move_iterator(maybe_included_cookies.end()));
  maybe_included_cookies.clear();

  if (request_->net_log().IsCapturing()) {
    for (const auto& cookie_with_access_result : maybe_sent_cookies) {
      request_->net_log().AddEvent(
          NetLogEventType::COOKIE_INCLUSION_STATUS,
          [&](NetLogCaptureMode capture_mode) {
            return CookieInclusionStatusNetLogParams(
                "send", cookie_with_access_result.cookie.Name(),
                cookie_with_access_result.cookie.Domain(),
                cookie_with_access_result.cookie.Path(),
                cookie_with_access_result.cookie.PartitionKey(),
                cookie_with_access_result.access_result.status, capture_mode);
          });
    }
  }

  request_->set_maybe_sent_cookies(std::move(maybe_sent_cookies));

#if BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)
  // Check if the right device bound cookies are set for the request, see
  // https://wicg.github.io/dbsc/ for specification.
  device_bound_sessions::SessionService* service =
      request_->context()->device_bound_session_service();
  if (service) {
    std::optional<device_bound_sessions::SessionService::DeferralParams>
        deferral = service->ShouldDefer(request_, &request_info_.extra_headers,
                                        first_party_set_metadata_);
    // If the request needs to be deferred while waiting for refresh, do not
    // start the transaction at this time. This may also kick off a refresh.
    if (deferral) {
      device_bound_session_deferral_count_++;
      if (device_bound_session_deferral_count_ == 1) {
        device_bound_session_first_deferral_ = base::TimeTicks::Now();
      }
      service->DeferRequestForRefresh(
          request_, *deferral,
          // restart with new cookies callback
          base::BindOnce(&URLRequestHttpJob::RestartTransactionForRefresh,
                         weak_factory_.GetWeakPtr(), *deferral));
      return;
    }

    base::UmaHistogramCounts100("Net.DeviceBoundSessions.RequestDeferralCount",
                                device_bound_session_deferral_count_);
    base::UmaHistogramEnumeration(
        "Net.DeviceBoundSessions.RequestDeferralDecision2",
        request_->device_bound_session_usage());
    if (device_bound_session_deferral_count_ > 0) {
      base::UmaHistogramTimes(
          "Net.DeviceBoundSessions.TotalRequestDeferredDuration",
          base::TimeTicks::Now() - device_bound_session_first_deferral_);
    }
  }
#endif  // BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)

  StartTransaction();
}

void URLRequestHttpJob::AnnotateAndMoveUserBlockedCookies(
    CookieAccessResultList& maybe_included_cookies,
    CookieAccessResultList& excluded_cookies) const {
  DCHECK(!ShouldBlockAllCookies(request_info_.privacy_mode))
      << request_info_.privacy_mode;

  bool can_get_cookies = URLRequest::DefaultCanUseCookies();
  if (request()->network_delegate()) {
    can_get_cookies =
        request()->network_delegate()->AnnotateAndMoveUserBlockedCookies(
            *request(), first_party_set_metadata_, maybe_included_cookies,
            excluded_cookies);
  }

  if (!can_get_cookies) {
    request()->net_log().AddEvent(
        NetLogEventType::COOKIE_GET_BLOCKED_BY_NETWORK_DELEGATE);
  }
}

void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
  DCHECK(set_cookie_access_result_list_.empty());
  // TODO(crbug.com/40753971): Turn this CHECK into DCHECK once the
  // investigation is done.
  CHECK_EQ(0, num_cookie_lines_left_);

  // End of the call started in OnStartCompleted.
  OnCallToDelegateComplete();

  if (result != OK) {
    request_->net_log().AddEventWithStringParams(NetLogEventType::CANCELLED,
                                                 "source", "delegate");
    NotifyStartError(result);
    return;
  }

  CookieStore* cookie_store = request_->context()->cookie_store();

  if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) || !cookie_store) {
    NotifyHeadersComplete();
    return;
  }

  HttpResponseHeaders* headers = GetResponseHeaders();

  // If we're clearing the cookies as part of a clear-site-data header we must
  // not also write new ones in the same response.
  bool clear_site_data_prevents_cookies_from_being_stored =
      ClearSiteDataHeaderContainsCookiesOrWildcard(headers);

  std::optional<base::Time> server_time = GetResponseHeaders()->GetDateValue();

  bool force_ignore_site_for_cookies =
      request_->force_ignore_site_for_cookies();
  if (cookie_store->cookie_access_delegate() &&
      cookie_store->cookie_access_delegate()->ShouldIgnoreSameSiteRestrictions(
          request_->url(), request_->site_for_cookies())) {
    force_ignore_site_for_cookies = true;
  }
  bool is_main_frame_navigation =
      IsolationInfo::RequestType::kMainFrame ==
          request_->isolation_info().request_type() ||
      request_->force_main_frame_for_same_site_cookies();
  CookieOptions::SameSiteCookieContext same_site_context =
      cookie_util::ComputeSameSiteContextForResponse(
          request_->url_chain(), request_->site_for_cookies(),
          request_->initiator(), is_main_frame_navigation,
          force_ignore_site_for_cookies);

  CookieOptions options = CreateCookieOptions(same_site_context);

  // Set all cookies, without waiting for them to be set. Any subsequent
  // read will see the combined result of all cookie operation.
  const std::string_view name("Set-Cookie");
  std::optional<std::string_view> cookie_string_view;
  size_t iter = 0;

  // NotifyHeadersComplete needs to be called once and only once after the
  // list has been fully processed, and it can either be called in the
  // callback or after the loop is called, depending on how the last element
  // was handled. |num_cookie_lines_left_| keeps track of how many async
  // callbacks are currently out (starting from 1 to make sure the loop runs
  // all the way through before trying to exit). If there are any callbacks
  // still waiting when the loop ends, then NotifyHeadersComplete will be
  // called when it reaches 0 in the callback itself.
  num_cookie_lines_left_ = 1;
  while ((cookie_string_view = headers->EnumerateHeader(&iter, name))) {
    // Will need a copy of the string on all paths, so go ahead and make on now.
    std::string cookie_string(*cookie_string_view);
    CookieInclusionStatus returned_status;

    num_cookie_lines_left_++;

    std::unique_ptr<CanonicalCookie> cookie = CanonicalCookie::Create(
        request_->url(), cookie_string, base::Time::Now(), server_time,
        request_->cookie_partition_key(), CookieSourceType::kHTTP,
        &returned_status);

    // Log if the resulting cookie is partitioned, if a cookie was created.
    if (cookie) {
      base::UmaHistogramBoolean("Cookie.SetCookieContainsPartitioned",
                                cookie->IsPartitioned());
    }

    std::optional<CanonicalCookie> cookie_to_return = std::nullopt;
    if (returned_status.IsInclude()) {
      DCHECK(cookie);
      // Make a copy of the cookie if we successfully made one.
      cookie_to_return = *cookie;
    }

    // Check cookie accessibility with cookie_settings.
    if (cookie && !CanSetCookie(*cookie, &options, first_party_set_metadata_,
                                &returned_status)) {
      // Cookie allowed by cookie_settings checks could be blocked explicitly,
      // e.g. via Android Webview APIs, we need to manually add exclusion reason
      // in this case.
      if (returned_status.IsInclude()) {
        returned_status.AddExclusionReason(
            CookieInclusionStatus::ExclusionReason::EXCLUDE_USER_PREFERENCES);
      }
    }
    if (clear_site_data_prevents_cookies_from_being_stored) {
      returned_status.AddExclusionReason(
          CookieInclusionStatus::ExclusionReason::EXCLUDE_FAILURE_TO_STORE);
    }
    if (!returned_status.IsInclude()) {
      OnSetCookieResult(options, cookie_to_return, std::move(cookie_string),
                        CookieAccessResult(returned_status));
      continue;
    }
    CookieAccessResult cookie_access_result(returned_status);
    cookie_store->SetCanonicalCookieAsync(
        std::move(cookie), request_->url(), options,
        base::BindOnce(&URLRequestHttpJob::OnSetCookieResult,
                       weak_factory_.GetWeakPtr(), options, cookie_to_return,
                       std::move(cookie_string)),
        std::move(cookie_access_result));
  }
  // Removing the 1 that |num_cookie_lines_left| started with, signifing that
  // loop has been exited.
  num_cookie_lines_left_--;

  if (num_cookie_lines_left_ == 0) {
    NotifyHeadersComplete();
  }
}

void URLRequestHttpJob::OnSetCookieResult(const CookieOptions& options,
                                          std::optional<CanonicalCookie> cookie,
                                          std::string cookie_string,
                                          CookieAccessResult access_result) {
  if (request_->net_log().IsCapturing()) {
    request_->net_log().AddEvent(
        NetLogEventType::COOKIE_INCLUSION_STATUS,
        [&](NetLogCaptureMode capture_mode) {
          return CookieInclusionStatusNetLogParams(
              cookie && cookie->IsExpired(base::Time::Now()) ? "expire"
                                                             : "store",
              cookie ? cookie.value().Name() : "",
              cookie ? cookie.value().Domain() : "",
              cookie ? cookie.value().Path() : "",
              cookie ? cookie.value().PartitionKey() : std::nullopt,
              access_result.status, capture_mode);
        });
  }

  set_cookie_access_result_list_.emplace_back(
      std::move(cookie), std::move(cookie_string), access_result);

  num_cookie_lines_left_--;

  // If all the cookie lines have been handled, |set_cookie_access_result_list_|
  // now reflects the result of all Set-Cookie lines, and the request can be
  // continued.
  if (num_cookie_lines_left_ == 0) {
    NotifyHeadersComplete();
  }
}

#if BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)
void URLRequestHttpJob::ProcessDeviceBoundSessionsHeader() {
  device_bound_sessions::SessionService* service =
      request_->context()->device_bound_session_service();
  if (!service) {
    return;
  }

  const auto& request_url = request_->url();
  auto* headers = GetResponseHeaders();

  // If response header Sec-Session-Registration is present and configured
  // appropriately, trigger a registration request per header value to attempt
  // to create a new session.
  if (request_->allows_device_bound_session_registration() ||
      !features::kDeviceBoundSessionsRequireOriginTrialTokens.Get()) {
    std::vector<device_bound_sessions::RegistrationFetcherParam> params =
        device_bound_sessions::RegistrationFetcherParam::CreateIfValid(
            request_url, headers);
    for (auto& param : params) {
      service->RegisterBoundSession(
          request_->device_bound_session_access_callback(), std::move(param),
          request_->isolation_info(), request_->net_log(),
          request_->initiator());
    }
  }

  // If response header Sec-Session-Challenge is present and configured
  // appropriately, for each header value, store the challenge in advance for
  // the next relevant refresh request that gets triggered. This is to help
  // avoid a round-trip for when the next refresh request is required.
  std::vector<device_bound_sessions::SessionChallengeParam> challenge_params =
      device_bound_sessions::SessionChallengeParam::CreateIfValid(request_url,
                                                                  headers);
  for (auto& param : challenge_params) {
    service->SetChallengeForBoundSession(
        request_->device_bound_session_access_callback(), *request_,
        first_party_set_metadata_, std::move(param));
  }
}
#endif  // BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)

void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() {
  DCHECK(response_info_);
  TransportSecurityState* security_state =
      request_->context()->transport_security_state();
  const SSLInfo& ssl_info = response_info_->ssl_info;

  // Only accept HSTS headers on HTTPS connections that have no
  // certificate errors.
  if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) ||
      !security_state) {
    return;
  }

  // Don't accept HSTS headers when the hostname is an IP address.
  if (request_info_.url.HostIsIPAddress()) {
    return;
  }

  // Don't accept HSTS headers for localhost. (crbug.com/41251622)
  if (IsLocalHostname(request_info_.url.GetHost()) &&
      base::FeatureList::IsEnabled(features::kIgnoreHSTSForLocalhost)) {
    return;
  }

  // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec:
  //
  //   If a UA receives more than one STS header field in a HTTP response
  //   message over secure transport, then the UA MUST process only the
  //   first such header field.
  HttpResponseHeaders* headers = GetResponseHeaders();
  std::optional<std::string_view> value;
  if ((value =
           headers->EnumerateHeader(nullptr, "Strict-Transport-Security"))) {
    security_state->AddHSTSHeader(request_info_.url.GetHost(), *value);
  }
}

#if BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK)
bool URLRequestHttpJob::CanRetryWithSecureDnsOnly(int net_error) {
  if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
          switches::kEnableNwebExHttpDnsFallback)) {
    return false;
  }

  if (net_error == net::OK) {
    return false;
  }

  if (request_->isolation_info().request_type() !=
      IsolationInfo::RequestType::kMainFrame) {
    LOG(INFO) << "DOH-Fallback request is not mainframe";
#if BUILDFLAG(ARKWEB_LOGGER_REPORT)
    LOG_FEEDBACK(INFO) << "DOH-Fallback request is not mainframe";
#endif
    return false;
  }

  if (transaction_ && transaction_->GetResponseInfo() &&
      transaction_->GetResponseInfo()
          ->resolve_error_info.is_secure_network_error) {
    LOG(INFO) << "DOH-Fallback won't retry for is_secure_network_error is "
                 "true";
#if BUILDFLAG(ARKWEB_LOGGER_REPORT)
    LOG_FEEDBACK(INFO)
        << "DOH-Fallback won't retry for is_secure_network_error is "
           "true";
#endif
    return false;
  }

  if (!const_cast<URLRequestContext*>(request_->context())->AsURLRequestContextExt()->CanUseSecureDnsFallback()) {
    LOG(INFO) << "DOH-Fallback can't use secure dns fallback";
#if BUILDFLAG(ARKWEB_LOGGER_REPORT)
    LOG_FEEDBACK(INFO) << "DOH-Fallback can't use secure dns fallback";
#endif
    return false;
  }

  if (request_->url().HostIsIPAddress()) {
    return false;
  }

// HTTPDNS retry will be performed for neterror and url that meet cloud control
// configuration.
#if BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK_ON_DNS_HIJACKING)
  std::string error_code = base::NumberToString(net_error);
  if (const_cast<URLRequestContext*>(request_->context())
          ->AsURLRequestContextExt()
          ->NeedRetryDnsOnDnsHijack(request_->url(), error_code)) {
    is_retry_dns_on_dns_hijacking_ = true;
    return true;
  }
#endif

  // The following net errors will retry to use httpdns to resolve the ip
  // in the connect phase, and connect again.
  if (net_error == net::ERR_TIMED_OUT ||
      net_error == net::ERR_CONNECTION_CLOSED ||
      net_error == net::ERR_CONNECTION_RESET ||
      net_error == net::ERR_CONNECTION_REFUSED ||
      net_error == net::ERR_CONNECTION_ABORTED ||
      net_error == net::ERR_CONNECTION_FAILED ||
      net_error == net::ERR_NAME_NOT_RESOLVED ||
      net_error == net::ERR_ADDRESS_INVALID ||
      net_error == net::ERR_ADDRESS_UNREACHABLE ||
      net_error == net::ERR_TUNNEL_CONNECTION_FAILED ||
      net_error == net::ERR_CONNECTION_TIMED_OUT ||
      net_error == net::ERR_SOCKS_CONNECTION_FAILED ||
      net_error == net::ERR_SOCKS_CONNECTION_HOST_UNREACHABLE ||
      net_error == net::ERR_PROXY_CONNECTION_FAILED ||
      net_error == net::ERR_NAME_RESOLUTION_FAILED ||
      net_error == net::ERR_NETWORK_ACCESS_DENIED ||
      net_error == net::ERR_ADDRESS_IN_USE ||
      net_error == net::ERR_UNABLE_TO_REUSE_CONNECTION_FOR_PROXY_AUTH) {
    net::NetErrorDetails details;
    PopulateNetErrorDetails(&details);
    // 如果stream已经创建成功。证明dns阶段没有发生问题,所以我们不需要重试.
    if (details.stream_created) {
      LOG(INFO) << "DOH-Fallback cann't retry with secure dns since the stream "
                   "is created.";
#if BUILDFLAG(ARKWEB_LOGGER_REPORT)
      LOG_FEEDBACK(INFO)
          << "DOH-Fallback cann't retry with secure dns since the stream "
             "is created.";
#endif
      return false;
    }
    return true;
  }
  return false;
}

void URLRequestHttpJob::RetryWithSecureDnsOnly() {
  // If the transaction was destroyed, then the job was cancelled.
  if (!transaction_.get()) {
    return;
  }

  response_info_ = nullptr;
  override_response_headers_ = nullptr;  // See https://crbug.com/801237.
  receive_headers_end_ = base::TimeTicks();

  ResetTimer();

  LOG(INFO) << "DOH-Fallback will retry with secure dns only";

#if BUILDFLAG(ARKWEB_LOGGER_REPORT)
  LOG_FEEDBACK(INFO) << "DOH-Fallback will retry with secure dns only";
#endif

  request_info_.secure_dns_only = true;
  int rv = transaction_->RestartWithSecureDnsOnly(base::BindOnce(
      &URLRequestHttpJob::OnStartCompleted, base::Unretained(this)));
  if (rv == ERR_IO_PENDING) {
    return;
  }

  // The transaction started synchronously, but we need to notify the
  // URLRequest delegate via the message loop.
  base::SingleThreadTaskRunner::GetCurrentDefault()->PostTask(
      FROM_HERE, base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                                weak_factory_.GetWeakPtr(), rv));
}

void URLRequestHttpJob::MaybeRetryWithSecureDnsOnly(int result) {
  state_ = RetryState::DOH_FALLBACK;
  if (CanRetryWithSecureDnsOnly(result)) {
    is_retrying_secure_dns_only_ = true;
    original_net_error_ = result;
    RetryWithSecureDnsOnly();
    return;
  }
  OnStartCompleted(result);
}
#endif  // BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK)

void URLRequestHttpJob::OnStartCompleted(int result) {
  TRACE_EVENT0(NetTracingCategory(), "URLRequestHttpJob::OnStartCompleted");

#if BUILDFLAG(ARKWEB_NETWORK_LOAD)
  if (!request_->IsRetryingWithFallbackProxy() && !wait_for_sb_threat_type_) {
#if BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK)
  switch (state_) {
    case RetryState::INIT:
      MaybeRetryWithSecureDnsOnly(result);
      return;

    case RetryState::DOH_FALLBACK:
#if BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK_ON_DNS_HIJACKING)
      if (is_retrying_secure_dns_only_) {
        if (is_retry_dns_on_dns_hijacking_) {
          ReportDnsFallbackOnDnsHijacking(std::string(request_->url().host()),
                                          original_net_error_, result);
          is_retry_dns_on_dns_hijacking_ = false;
        }
        // HTTPDNS retry can be triggered only once per request.
        is_retrying_secure_dns_only_ = false;
        state_ = RetryState::MAX;
      }
#endif
      if (result == net::ERR_NAME_NOT_RESOLVED && original_net_error_) {
        if (transaction_ && transaction_->GetResponseInfo() &&
            transaction_->GetResponseInfo()->resolve_error_info.error !=
                net::ERR_NAME_NOT_RESOLVED) {
          result = original_net_error_;
        }
      }
      break;

    case RetryState::MAX:
      // do nothing
      break;
  }
#endif  // BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK)
  }
#endif  // BUILDFLAG(ARKWEB_NETWORK_LOAD)

#if BUILDFLAG(ARKWEB_EX_FALLBACK_PROXY)
  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
          ::switches::kEnableNwebEx) &&
      MaybeRetryWithFallbackProxy(result)) {
    // re-execute OnStartCompleted later
    return;
  }
#endif

  RecordTimer();

  // If the job is done (due to cancellation), can just ignore this
  // notification.
  if (done_) {
    return;
  }

  receive_headers_end_ = base::TimeTicks::Now();

  const URLRequestContext* context = request_->context();

  if (transaction_ && transaction_->GetResponseInfo()) {
    const SSLInfo& ssl_info = transaction_->GetResponseInfo()->ssl_info;
    if (!IsCertificateError(result)) {
      LogTrustAnchor(ssl_info.public_key_hashes);
    }
  }

  if (transaction_ && transaction_->GetResponseInfo()) {
    SetProxyChain(transaction_->GetResponseInfo()->proxy_chain);
  }

  if (result == OK) {
    scoped_refptr<HttpResponseHeaders> headers = GetResponseHeaders();

    NetworkDelegate* network_delegate = request()->network_delegate();
    if (network_delegate) {
      // Note that |this| may not be deleted until
      // |URLRequestHttpJob::OnHeadersReceivedCallback()| or
      // |NetworkDelegate::URLRequestDestroyed()| has been called.
      OnCallToDelegate(NetLogEventType::NETWORK_DELEGATE_HEADERS_RECEIVED);
      preserve_fragment_on_redirect_url_ = std::nullopt;
      IPEndPoint endpoint;
      if (transaction_) {
        transaction_->GetRemoteEndpoint(&endpoint);
      }

      // ssl_info is not a reference because there's no way of avoiding copy
      // when constructing optional without move.
      std::optional<net::SSLInfo> ssl_info;
      if (transaction_ && transaction_->GetResponseInfo()) {
        ssl_info = transaction_->GetResponseInfo()->ssl_info;
      }
      // The NetworkDelegate must watch for OnRequestDestroyed and not modify
      // any of the arguments after it's called.
      // TODO(mattm): change the API to remove the out-params and take the
      // results as params of the callback.
      int error = network_delegate->NotifyHeadersReceived(
          request_,
          base::BindOnce(&URLRequestHttpJob::OnHeadersReceivedCallback,
                         weak_factory_.GetWeakPtr()),
          headers.get(), &override_response_headers_, endpoint,
          &preserve_fragment_on_redirect_url_, ssl_info);
      if (error != OK) {
        if (error == ERR_IO_PENDING) {
          awaiting_callback_ = true;
        } else {
          request_->net_log().AddEventWithStringParams(
              NetLogEventType::CANCELLED, "source", "delegate");
          OnCallToDelegateComplete();
          NotifyStartError(error);
        }
        return;
      }
    }

    SaveCookiesAndNotifyHeadersComplete(OK);
  } else if (IsCertificateError(result)) {
    // We encountered an SSL certificate error.
    // Maybe overridable, maybe not. Ask the delegate to decide.
    TransportSecurityState* state = context->transport_security_state();
    NotifySSLCertificateError(
        result, transaction_->GetResponseInfo()->ssl_info,
        state->ShouldSSLErrorsBeFatal(request_info_.url.GetHost()) &&
            result != ERR_CERT_KNOWN_INTERCEPTION_BLOCKED);
  } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
    NotifyCertificateRequested(
        transaction_->GetResponseInfo()->cert_request_info.get());
  } else if (result == ERR_DNS_NAME_HTTPS_ONLY) {
    // If DNS indicated the name is HTTPS-only, synthesize a redirect to either
    // HTTPS or WSS.
    DCHECK(!request_->url().SchemeIsCryptographic());

    base::Time request_time =
        transaction_ && transaction_->GetResponseInfo()
            ? transaction_->GetResponseInfo()->request_time
            : base::Time::Now();
    DestroyTransaction();
    override_response_info_ = std::make_unique<HttpResponseInfo>();
    override_response_info_->request_time = request_time;

    override_response_info_->headers = RedirectUtil::SynthesizeRedirectHeaders(
        UpgradeSchemeToCryptographic(request_->url()),
        RedirectUtil::ResponseCode::REDIRECT_307_TEMPORARY_REDIRECT, "DNS",
        request_->extra_request_headers());
    NetLogResponseHeaders(
        request_->net_log(),
        NetLogEventType::URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED,
        override_response_info_->headers.get());

    NotifyHeadersComplete();
  } else {
    // Even on an error, there may be useful information in the response
    // info (e.g. whether there's a cached copy).
    if (transaction_.get()) {
      response_info_ = transaction_->GetResponseInfo();
    }
    NotifyStartError(result);
  }
}

void URLRequestHttpJob::OnHeadersReceivedCallback(int result) {
  // The request should not have been cancelled or have already completed.
  DCHECK(!is_done());

  awaiting_callback_ = false;

  SaveCookiesAndNotifyHeadersComplete(result);
}

void URLRequestHttpJob::OnReadCompleted(int result) {
  TRACE_EVENT0(NetTracingCategory(), "URLRequestHttpJob::OnReadCompleted");
  read_in_progress_ = false;

  DCHECK_NE(ERR_IO_PENDING, result);

  if (ShouldFixMismatchedContentLength(result)) {
    result = OK;
  }

  // EOF or error, done with this job.
  if (result <= 0) {
    DoneWithRequest(FINISHED);
  }

  ReadRawDataComplete(result);
}

void URLRequestHttpJob::RestartTransaction() {
  DCHECK(!override_response_info_);

  // These will be reset in OnStartCompleted.
  response_info_ = nullptr;
  override_response_headers_ = nullptr;  // See https://crbug.com/801237.
  receive_headers_end_ = base::TimeTicks();

  // Update the cookies, since the cookie store may have been updated from the
  // headers in the 401/407. Since cookies were already appended to
  // extra_headers, we need to strip them out before adding them again.
  request_info_.extra_headers.RemoveHeader(HttpRequestHeaders::kCookie);

  // TODO(https://crbug.com/968327/): This is weird, as all other clearing is at
  // the URLRequest layer. Should this call into URLRequest so it can share
  // logic at that layer with SetAuth()?
  request_->set_maybe_sent_cookies({});
  request_->set_maybe_stored_cookies({});

  if (ShouldAddCookieHeader()) {
    // Since `request_->isolation_info()` hasn't changed, we don't need to
    // recompute the cookie partition key.
    AddCookieHeaderAndStart();
  } else {
    StartTransaction();
  }
}

#if BUILDFLAG(ENABLE_DEVICE_BOUND_SESSIONS)
void URLRequestHttpJob::RestartTransactionForRefresh(
    const device_bound_sessions::SessionService::DeferralParams&
        deferral_params,
    device_bound_sessions::SessionService::RefreshResult result) {
  // Some deferrals are not associated with a particular session
  // (e.g. session service initialization).
  if (deferral_params.session_id.has_value()) {
    request_->AddDeviceBoundSessionDeferral(
        device_bound_sessions::SessionKey{SchemefulSite(request_->url()),
                                          *deferral_params.session_id},
        result);
  }

  RestartTransaction();
}
#endif

void URLRequestHttpJob::RestartTransactionWithAuth(
    const AuthCredentials& credentials) {
  auth_credentials_ = credentials;
  ResetTimer();
  RestartTransaction();
}

void URLRequestHttpJob::SetUpload(UploadDataStream* upload) {
  DCHECK(!transaction_.get() && !override_response_info_)
      << "cannot change once started";
  request_info_.upload_data_stream = upload;
}

void URLRequestHttpJob::SetExtraRequestHeaders(
    const HttpRequestHeaders& headers) {
  DCHECK(!transaction_.get() && !override_response_info_)
      << "cannot change once started";
  request_info_.extra_headers = headers;
}

LoadState URLRequestHttpJob::GetLoadState() const {
  return transaction_.get() ? transaction_->GetLoadState() : LOAD_STATE_IDLE;
}

bool URLRequestHttpJob::GetMimeType(std::string* mime_type) const {
  DCHECK(transaction_.get() || override_response_info_);

  if (!response_info_) {
    return false;
  }

  HttpResponseHeaders* headers = GetResponseHeaders();
  if (!headers) {
    return false;
  }
  return headers->GetMimeType(mime_type);
}

bool URLRequestHttpJob::GetCharset(std::string* charset) {
  DCHECK(transaction_.get() || override_response_info_);

  if (!response_info_) {
    return false;
  }

  return GetResponseHeaders()->GetCharset(charset);
}

void URLRequestHttpJob::GetClientSideContentDecodingTypes(
    std::vector<SourceStreamType>* types) const {
  CHECK(types);
  *types = client_side_content_decoding_types_;
}

void URLRequestHttpJob::GetResponseInfo(HttpResponseInfo* info) {
  if (override_response_info_) {
    DCHECK(!transaction_.get());
    *info = *override_response_info_;
    return;
  }

  if (response_info_) {
    DCHECK(transaction_.get());

    *info = *response_info_;
    if (override_response_headers_.get()) {
      info->headers = override_response_headers_;
    }
  }
}

void URLRequestHttpJob::GetLoadTimingInfo(
    LoadTimingInfo* load_timing_info) const {
  // If haven't made it far enough to receive any headers, don't return
  // anything. This makes for more consistent behavior in the case of errors.
  if (!transaction_ || receive_headers_end_.is_null()) {
    return;
  }
  if (transaction_->GetLoadTimingInfo(load_timing_info)) {
    load_timing_info->receive_headers_end = receive_headers_end_;
  }
}

void URLRequestHttpJob::PopulateLoadTimingInternalInfo(
    LoadTimingInternalInfo* load_timing_internal_info) const {
  if (transaction_) {
    transaction_->PopulateLoadTimingInternalInfo(load_timing_internal_info);
  }
}

bool URLRequestHttpJob::GetTransactionRemoteEndpoint(
    IPEndPoint* endpoint) const {
  if (!transaction_) {
    return false;
  }

  return transaction_->GetRemoteEndpoint(endpoint);
}

int URLRequestHttpJob::GetResponseCode() const {
  DCHECK(transaction_.get());

  if (!response_info_) {
    return -1;
  }

  return GetResponseHeaders()->response_code();
}

void URLRequestHttpJob::PopulateNetErrorDetails(
    NetErrorDetails* details) const {
  if (!transaction_) {
    return;
  }
  return transaction_->PopulateNetErrorDetails(details);
}

std::unique_ptr<SourceStream> URLRequestHttpJob::SetUpSourceStream() {
  DCHECK(transaction_.get());
  if (!response_info_) {
    return nullptr;
  }

  std::unique_ptr<SourceStream> upstream = URLRequestJob::SetUpSourceStream();

  HttpResponseHeaders* headers = GetResponseHeaders();
  std::vector<SourceStreamType> types =
      FilterSourceStream::GetContentEncodingTypes(
          request_->accepted_stream_types(), *headers);

  if (request()->client_side_content_decoding_enabled() &&
      !headers->HasHeader("use-as-dictionary")) {
    // When client side content encoding is enabled, the client will decode the
    // body. So returns the original stream.
    //
    // Currently, the write logic for SharedDictionary assumes that the
    // dictionary itself is not compressed when it reaches
    // network::CorsURLLoader::OnReceiveResponse. Therefore, if there is a
    // possibility that the response will be used as a dictionary, meaning the
    // use-as-dictionary header is set, we will decode it within
    // URLRequestHttpJob.
    client_side_content_decoding_types_ = std::move(types);
    return upstream;
  }
  // Note: If multiple encoding types were specified, this only records the last
  // encoding type.
  UMA_HISTOGRAM_ENUMERATION(
      "Net.ContentEncodingType2",
      ToContentEncodingType(types.empty() ? SourceStreamType::kNone
                                          : types[0]));
  return FilterSourceStream::CreateDecodingSourceStream(std::move(upstream),
                                                        types);
}

bool URLRequestHttpJob::CopyFragmentOnRedirect(const GURL& location) const {
  // Allow modification of reference fragments by default, unless
  // |preserve_fragment_on_redirect_url_| is set and equal to the redirect URL.
  return !preserve_fragment_on_redirect_url_.has_value() ||
         preserve_fragment_on_redirect_url_ != location;
}

bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
  // HTTP is always safe.
  // TODO(pauljensen): Remove once crbug.com/146591 is fixed.
  if (location.is_valid() &&
      (location.GetScheme() == "http" || location.GetScheme() == "https")) {
    return true;
  }
  // Query URLRequestJobFactory as to whether |location| would be safe to
  // redirect to.
  return request_->context()->job_factory() &&
         request_->context()->job_factory()->IsSafeRedirectTarget(location);
}

bool URLRequestHttpJob::NeedsAuth() {
  if (!transaction_.get()) {
    // If we synthesized a redirect (for `DNS_NAME_HTTPS_ONLY`, e.g.), we aren't
    // guaranteed to have a transaction here.
    return false;
  }
  int code = GetResponseCode();
  if (code == -1) {
    return false;
  }

  // Check if we need either Proxy or WWW Authentication. This could happen
  // because we either provided no auth info, or provided incorrect info.
  switch (code) {
    case 407:
      if (proxy_auth_state_ == AUTH_STATE_CANCELED) {
        return false;
      }
      proxy_auth_state_ = AUTH_STATE_NEED_AUTH;
      return true;
    case 401:
      if (server_auth_state_ == AUTH_STATE_CANCELED) {
        return false;
      }
      server_auth_state_ = AUTH_STATE_NEED_AUTH;
      return true;
  }
  return false;
}

bool URLRequestHttpJob::NeedsRetryWithStorageAccess() {
  // We use the Origin header's value directly, rather than
  // `request_.initiator()`, because the header may be "null" in some cases.
  if (!request_->response_headers() ||
      !request_->response_headers()->HasStorageAccessRetryHeader(
          base::OptionalToPtr(request_info_.extra_headers.GetHeader(
              HttpRequestHeaders::kOrigin)))) {
    return false;
  }

  auto determine_storage_access_retry_outcome =
      [&]() -> cookie_util::ActivateStorageAccessRetryOutcome {
    using enum cookie_util::ActivateStorageAccessRetryOutcome;
    if (!ShouldAddCookieHeader() ||
        request_->storage_access_status() !=
            cookie_util::StorageAccessStatus::kInactive ||
        request_->cookie_setting_overrides().Has(
            CookieSettingOverride::kStorageAccessGrantEligible) ||
        request_->cookie_setting_overrides().Has(
            CookieSettingOverride::kStorageAccessGrantEligibleViaHeader)) {
      // We're not allowed to read cookies for this request, or this request
      // already had all the relevant settings overrides, so retrying it
      // wouldn't change anything.
      return kFailureIneffectiveRetry;
    }
    return kSuccess;
  };

  auto outcome = determine_storage_access_retry_outcome();

  base::UmaHistogramEnumeration(
      "API.StorageAccessHeader.ActivateStorageAccessRetryOutcome", outcome);
  return outcome == cookie_util::ActivateStorageAccessRetryOutcome::kSuccess;
}

void URLRequestHttpJob::SetSharedDictionaryGetter(
    SharedDictionaryGetter dictionary_getter) {
  CHECK(!request_info_.dictionary_getter);
  request_info_.dictionary_getter = std::move(dictionary_getter);
}

std::unique_ptr<AuthChallengeInfo> URLRequestHttpJob::GetAuthChallengeInfo() {
  DCHECK(transaction_.get());
  DCHECK(response_info_);

  // sanity checks:
  DCHECK(proxy_auth_state_ == AUTH_STATE_NEED_AUTH ||
         server_auth_state_ == AUTH_STATE_NEED_AUTH);
  DCHECK((GetResponseHeaders()->response_code() == HTTP_UNAUTHORIZED) ||
         (GetResponseHeaders()->response_code() ==
          HTTP_PROXY_AUTHENTICATION_REQUIRED));

  if (!response_info_->auth_challenge.has_value()) {
    return nullptr;
  }
  return std::make_unique<AuthChallengeInfo>(
      response_info_->auth_challenge.value());
}

void URLRequestHttpJob::SetAuth(const AuthCredentials& credentials) {
  DCHECK(transaction_.get());

  // Proxy gets set first, then WWW.
  if (proxy_auth_state_ == AUTH_STATE_NEED_AUTH) {
    proxy_auth_state_ = AUTH_STATE_HAVE_AUTH;
  } else {
    DCHECK_EQ(server_auth_state_, AUTH_STATE_NEED_AUTH);
    server_auth_state_ = AUTH_STATE_HAVE_AUTH;
  }

  RestartTransactionWithAuth(credentials);
}

void URLRequestHttpJob::CancelAuth() {
  if (proxy_auth_state_ == AUTH_STATE_NEED_AUTH) {
    proxy_auth_state_ = AUTH_STATE_CANCELED;
  } else {
    DCHECK_EQ(server_auth_state_, AUTH_STATE_NEED_AUTH);
    server_auth_state_ = AUTH_STATE_CANCELED;
  }

  // The above lines should ensure this is the case.
  DCHECK(!NeedsAuth());

  // Let the consumer read the HTTP error page. NeedsAuth() should now return
  // false, so NotifyHeadersComplete() should not request auth from the client
  // again.
  //
  // Have to do this via PostTask to avoid re-entrantly calling into the
  // consumer.
  TaskRunner(priority_)->PostTask(
      FROM_HERE, base::BindOnce(&URLRequestHttpJob::NotifyFinalHeadersReceived,
                                weak_factory_.GetWeakPtr()));
}

void URLRequestHttpJob::ContinueWithCertificate(
    scoped_refptr<X509Certificate> client_cert,
    scoped_refptr<SSLPrivateKey> client_private_key) {
  DCHECK(transaction_);

  DCHECK(!response_info_) << "should not have a response yet";
  DCHECK(!override_response_headers_);

#if BUILDFLAG(ARKWEB_NETWORK_LOAD)
  restarted_++;
  if (restarted_ > kDelayRetryThreshold && ssl_error_) {
    base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
      FROM_HERE, base::BindOnce(&URLRequestHttpJob::ContinueDespiteLastErrorInternal,
                                weak_factory_.GetWeakPtr(), client_cert, client_private_key), base::Milliseconds(100));
    ssl_error_ = false;
    return;
  }
  ContinueDespiteLastErrorInternal(client_cert, client_private_key);
}

void URLRequestHttpJob::ContinueDespiteLastErrorInternal(
    scoped_refptr<X509Certificate> client_cert,
    scoped_refptr<SSLPrivateKey> client_private_key) {
#endif
  receive_headers_end_ = base::TimeTicks();

  ResetTimer();

  int rv = transaction_->RestartWithCertificate(
      std::move(client_cert), std::move(client_private_key),
      base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                     base::Unretained(this)));
  if (rv == ERR_IO_PENDING) {
    return;
  }

  // The transaction started synchronously, but we need to notify the
  // URLRequest delegate via the message loop.
  TaskRunner(priority_)->PostTask(
      FROM_HERE, base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                                weak_factory_.GetWeakPtr(), rv));
}

void URLRequestHttpJob::ContinueDespiteLastError() {
  // If the transaction was destroyed, then the job was cancelled.
  if (!transaction_.get()) {
    return;
  }

  DCHECK(!response_info_) << "should not have a response yet";
  DCHECK(!override_response_headers_);
  receive_headers_end_ = base::TimeTicks();

  ResetTimer();

  int rv = transaction_->RestartIgnoringLastError(base::BindOnce(
      &URLRequestHttpJob::OnStartCompleted, base::Unretained(this)));
  if (rv == ERR_IO_PENDING) {
    return;
  }

  // The transaction started synchronously, but we need to notify the
  // URLRequest delegate via the message loop.
  TaskRunner(priority_)->PostTask(
      FROM_HERE, base::BindOnce(&URLRequestHttpJob::OnStartCompleted,
                                weak_factory_.GetWeakPtr(), rv));
}

bool URLRequestHttpJob::ShouldFixMismatchedContentLength(int rv) const {
  // Some servers send the body compressed, but specify the content length as
  // the uncompressed size. Although this violates the HTTP spec we want to
  // support it (as IE and FireFox do), but *only* for an exact match.
  // See http://crbug.com/79694.
  if (rv == ERR_CONTENT_LENGTH_MISMATCH ||
      rv == ERR_INCOMPLETE_CHUNKED_ENCODING) {
    if (request_->response_headers()) {
      std::optional<base::ByteCount> content_length =
          request_->response_headers()->GetContentLength();
      int expected_length = content_length ? content_length->InBytes() : -1;
      VLOG(1) << __func__ << "() \"" << request_->url().spec() << "\""
              << " content-length = " << expected_length
              << " pre total = " << prefilter_bytes_read()
              << " post total = " << postfilter_bytes_read();
      if (postfilter_bytes_read() == expected_length) {
        // Clear the error.
        return true;
      }
    }
  }
  return false;
}

int URLRequestHttpJob::ReadRawData(IOBuffer* buf, int buf_size) {
  DCHECK_NE(buf_size, 0);
  DCHECK(!read_in_progress_);

  int rv =
      transaction_->Read(buf, buf_size,
                         base::BindOnce(&URLRequestHttpJob::OnReadCompleted,
                                        base::Unretained(this)));

  if (ShouldFixMismatchedContentLength(rv)) {
    rv = OK;
  }

  if (rv == 0 || (rv < 0 && rv != ERR_IO_PENDING)) {
    DoneWithRequest(FINISHED);
  }

  if (rv == ERR_IO_PENDING) {
    read_in_progress_ = true;
  }

  return rv;
}

int64_t URLRequestHttpJob::GetTotalReceivedBytes() const {
  int64_t total_received_bytes =
      total_received_bytes_from_previous_transactions_;
  if (transaction_) {
    total_received_bytes += transaction_->GetTotalReceivedBytes();
  }
  return total_received_bytes;
}

int64_t URLRequestHttpJob::GetTotalSentBytes() const {
  int64_t total_sent_bytes = total_sent_bytes_from_previous_transactions_;
  if (transaction_) {
    total_sent_bytes += transaction_->GetTotalSentBytes();
  }
  return total_sent_bytes;
}

int64_t URLRequestHttpJob::GetReceivedBodyBytes() const {
  if (transaction_) {
    return transaction_->GetReceivedBodyBytes();
  }
  return 0;
}

void URLRequestHttpJob::DoneReading() {
  if (transaction_) {
    transaction_->DoneReading();
  }
  DoneWithRequest(FINISHED);
}

void URLRequestHttpJob::DoneReadingRedirectResponse() {
  if (transaction_) {
    DCHECK(!override_response_info_);
    if (transaction_->GetResponseInfo()->headers->IsRedirect(nullptr)) {
      // If the original headers indicate a redirect, go ahead and cache the
      // response, even if the |override_response_headers_| are a redirect to
      // another location.
      transaction_->DoneReading();
    } else {
      // Otherwise, |override_response_headers_| must be non-NULL and contain
      // bogus headers indicating a redirect.
      DCHECK(override_response_headers_.get());
      DCHECK(override_response_headers_->IsRedirect(nullptr));
      transaction_->StopCaching();
    }
  }
  DoneWithRequest(FINISHED);
}

void URLRequestHttpJob::DoneReadingRetryResponse() {
  // We don't bother calling `transaction_->DoneReading()` here, since that
  // marks the cache entry as valid but we know that we're about to retry the
  // request and bypass the cache regardless.
  DoneWithRequest(FINISHED);
}

IPEndPoint URLRequestHttpJob::GetResponseRemoteEndpoint() const {
  return response_info_ ? response_info_->remote_endpoint : IPEndPoint();
}

void URLRequestHttpJob::RecordTimer() {
  if (request_creation_time_.is_null()) {
    NOTREACHED()
        << "The same transaction shouldn't start twice without new timing.";
  }

  base::TimeDelta to_start = base::Time::Now() - request_creation_time_;
  request_creation_time_ = base::Time();

  DEPRECATED_UMA_HISTOGRAM_MEDIUM_TIMES("Net.HttpTimeToFirstByte", to_start);

  // Record additional metrics for TLS 1.3 servers for Google hosts. Most
  // Google hosts are known to implement 0-RTT, so this gives more targeted
  // metrics as we initially roll out client support. This is to help measure
  // the impact of enabling 0-RTT. The effects of 0-RTT will be muted because
  // not all TLS 1.3 servers enable 0-RTT, and only the first round-trip on a
  // connection makes use of 0-RTT. However, 0-RTT can affect how requests are
  // bound to connections and which connections offer resumption. We look at
  // all TLS 1.3 responses for an apples-to-apples comparison.
  // TODO(crbug.com/41272059): Remove these metrics after launching 0-RTT.
  if (transaction_ && transaction_->GetResponseInfo() &&
      IsTLS13OverTCP(*transaction_->GetResponseInfo()) &&
      HasGoogleHost(request()->url())) {
    base::UmaHistogramMediumTimes("Net.HttpTimeToFirstByte.TLS13.Google",
                                  to_start);
  }
}

void URLRequestHttpJob::ResetTimer() {
#if BUILDFLAG(ARKWEB_EXT_HTTP_DNS_FALLBACK)
  // Allowing ResetTimer to be reset repeatedly when HTTPDNS retry occurs.
  if (state_ == RetryState::INIT && !request_creation_time_.is_null()) {
#else
  if (!request_creation_time_.is_null()) {
#endif
    NOTREACHED() << "The timer was reset before it was recorded.";
  }
  request_creation_time_ = base::Time::Now();
}

void URLRequestHttpJob::SetRequestHeadersCallback(
    RequestHeadersCallback callback) {
  DCHECK(!transaction_);
  DCHECK(!request_headers_callback_);
  request_headers_callback_ = std::move(callback);
}

void URLRequestHttpJob::SetEarlyResponseHeadersCallback(
    ResponseHeadersCallback callback) {
  DCHECK(!transaction_);
  DCHECK(!early_response_headers_callback_);
  early_response_headers_callback_ = std::move(callback);
}

void URLRequestHttpJob::SetIsSharedDictionaryReadAllowedCallback(
    base::RepeatingCallback<bool()> callback) {
  DCHECK(!transaction_);
  DCHECK(!is_shared_dictionary_read_allowed_callback_);
  is_shared_dictionary_read_allowed_callback_ = std::move(callback);
}

void URLRequestHttpJob::SetResponseHeadersCallback(
    ResponseHeadersCallback callback) {
  DCHECK(!transaction_);
  DCHECK(!response_headers_callback_);
  response_headers_callback_ = std::move(callback);
}

void URLRequestHttpJob::RecordCompletionHistograms(CompletionCause reason) {
  if (start_time_.is_null()) {
    return;
  }

  base::TimeDelta total_time = base::TimeTicks::Now() - start_time_;
  base::UmaHistogramTimes("Net.HttpJob.TotalTime", total_time);

  if (reason == FINISHED) {
    base::UmaHistogramTimes(
        base::StringPrintf("Net.HttpJob.TotalTimeSuccess.Priority%d",
                           request()->priority()),
        total_time);
    base::UmaHistogramTimes("Net.HttpJob.TotalTimeSuccess", total_time);
  } else {
    base::UmaHistogramTimes("Net.HttpJob.TotalTimeCancel", total_time);
  }

  // These metrics are intended to replace some of the later IP
  // Protection-focused metrics below which require response_info_. These
  // metrics are only concerned with data that actually hits or perhaps should
  // have hit the network.
  //
  // We count towards these metrics even if the job has been aborted. Jobs
  // aborted before an end-to-end connection is established will have both
  // sent and received equal to zero.
  //
  // In addition, we don't want to ignore jobs where response_info_->was_cached
  // is true but the network was used to trigger cache usage as part of a 304
  // Not Modified response. However, cache hits which bypass the network
  // entirely should not be counted.
  //
  // GetTotalReceivedBytes measures HTTP stream bytes, which is more
  // comprehensive than PrefilterBytesRead, which measures (possibly compressed)
  // content's length only.
  const bool bypassedNetwork = response_info_ && response_info_->was_cached &&
                               !response_info_->network_accessed &&
                               GetTotalSentBytes() == 0 &&
                               GetTotalReceivedBytes() == 0;
  if (!bypassedNetwork) {
    base::UmaHistogramCustomCounts("Net.HttpJob.BytesSent2",
                                   GetTotalSentBytes(), 1, 50000000, 50);
    base::UmaHistogramCustomCounts("Net.HttpJob.BytesReceived2",
                                   GetTotalReceivedBytes(), 1, 50000000, 50);
    // Having a transaction_ does not imply having a response_info_. This is
    // particularly the case in some aborted/cancelled jobs. The transaction is
    // the primary source of MDL match information.
    if ((transaction_ && transaction_->IsMdlMatchForMetrics()) ||
        (response_info_ && response_info_->was_mdl_match)) {
      base::UmaHistogramCustomCounts(
          "Net.HttpJob.IpProtection.AllowListMatch.BytesSent2",
          GetTotalSentBytes(), 1, 50000000, 50);
      base::UmaHistogramCustomCounts(
          "Net.HttpJob.IpProtection.AllowListMatch.BytesReceived2",
          GetTotalReceivedBytes(), 1, 50000000, 50);
    }
  }

  if (response_info_) {
    // QUIC (by default) supports https scheme only, thus track https URLs only
    // for QUIC.
    bool is_https_google = request() && request()->url().SchemeIs("https") &&
                           HasGoogleHost(request()->url());
    bool used_quic = response_info_->DidUseQuic();
    if (is_https_google) {
      if (used_quic) {
        base::UmaHistogramMediumTimes("Net.HttpJob.TotalTime.Secure.Quic",
                                      total_time);
      }
    }

    // Record metrics for TLS 1.3 to measure the impact of 0-RTT. See comment in
    // RecordTimer().
    //
    // TODO(crbug.com/41272059): Remove these metrics after launching
    // 0-RTT.
    if (IsTLS13OverTCP(*response_info_) && is_https_google) {
      base::UmaHistogramTimes("Net.HttpJob.TotalTime.TLS13.Google", total_time);
    }

    base::UmaHistogramCustomCounts("Net.HttpJob.PrefilterBytesRead",
                                   prefilter_bytes_read(), 1, 50000000, 50);
    if (response_info_->was_cached) {
      base::UmaHistogramTimes("Net.HttpJob.TotalTimeCached", total_time);
      base::UmaHistogramCustomCounts("Net.HttpJob.PrefilterBytesRead.Cache",
                                     prefilter_bytes_read(), 1, 50000000, 50);
    } else {
      base::UmaHistogramTimes("Net.HttpJob.TotalTimeNotCached", total_time);
      if (response_info_->was_mdl_match) {
        base::UmaHistogramCustomCounts(
            "Net.HttpJob.IpProtection.AllowListMatch.PrefilterBytesRead.Net",
            prefilter_bytes_read(), 1, 50000000, 50);
      }

      auto& proxy_chain = response_info_->proxy_chain;
      bool direct_only = features::kIpPrivacyDirectOnly.Get();
      if (proxy_chain.is_for_ip_protection()) {
        base::UmaHistogramTimes("Net.HttpJob.IpProtection.TotalTimeNotCached3",
                                total_time);
        base::UmaHistogramCustomCounts("Net.HttpJob.IpProtection.BytesSent2",
                                       GetTotalSentBytes(), 1, 50000000, 50);
        base::UmaHistogramCustomCounts(
            "Net.HttpJob.IpProtection.PrefilterBytesRead.Net2",
            prefilter_bytes_read(), 1, 50000000, 50);
      }
      // To enable measuring how much traffic would be proxied (for
      // experimentation and planning purposes), treat use of the direct
      // proxy chain as success only when `kIpPrivacyDirectOnly` is
      // true. When it is false, we only care about traffic that actually went
      // through the IP Protection proxies, so a direct chain must be a
      // fallback.
      // Note that the non-chain-specific histograms don't log anything when IP
      // Protection fails and we fall back to direct. That makes them unsuitable
      // for measuring the success of experiments. Use the *2 variants above for
      // that.
      bool protection_success = proxy_chain.is_for_ip_protection() &&
                                (!proxy_chain.is_direct() || direct_only);
      if (protection_success) {
        base::UmaHistogramTimes("Net.HttpJob.IpProtection.TotalTimeNotCached",
                                total_time);
        // Log specific times for non-zero chains. The zero chain is the
        // default and is still counted in the base `TotalTimeNotCached`.
        int chain_id = proxy_chain.ip_protection_chain_id();
        if (chain_id != ProxyChain::kNotIpProtectionChainId) {
          UmaHistogramTimes(
              base::StrCat({"Net.HttpJob.IpProtection.TotalTimeNotCached.Chain",
                            base::NumberToString(chain_id)}),
              total_time);
        }

        base::UmaHistogramCustomCounts("Net.HttpJob.IpProtection.BytesSent",
                                       GetTotalSentBytes(), 1, 50000000, 50);

        base::UmaHistogramCustomCounts(
            "Net.HttpJob.IpProtection.PrefilterBytesRead.Net",
            prefilter_bytes_read(), 1, 50000000, 50);
      }
      base::UmaHistogramCustomCounts("Net.HttpJob.PrefilterBytesRead.Net",
                                     prefilter_bytes_read(), 1, 50000000, 50);

      if (request_->ad_tagged()) {
        base::UmaHistogramCustomCounts("Net.HttpJob.PrefilterBytesRead.Ads.Net",
                                       prefilter_bytes_read(), 1, 50000000, 50);
      }

      if (is_https_google && used_quic) {
        base::UmaHistogramMediumTimes(
            "Net.HttpJob.TotalTimeNotCached.Secure.Quic", total_time);
      }

      // Log the result of an IP-Protected request.
      IpProtectionJobResult ipp_result;
      if (proxy_chain.is_for_ip_protection()) {
        if (protection_success) {
          ipp_result = IpProtectionJobResult::kProtectionSuccess;
        } else {
          ipp_result = IpProtectionJobResult::kDirectFallback;
          base::UmaHistogramTimes(
              "Net.HttpJob.IpProtection.Fallback.TotalTimeNotCached2",
              total_time);
          base::UmaHistogramCustomCounts(
              "Net.HttpJob.IpProtection.Fallback.BytesSent",
              GetTotalSentBytes(), 1, 50000000, 50);
          base::UmaHistogramCustomCounts(
              "Net.HttpJob.IpProtection.Fallback.PrefilterBytesRead.Net",
              prefilter_bytes_read(), 1, 50000000, 50);
        }
        base::UmaHistogramEnumeration(
            base::StrCat(
                {"Net.HttpJob.IpProtection.JobResult.Chain",
                 base::NumberToString(proxy_chain.ip_protection_chain_id())}),
            ipp_result);
      } else {
        ipp_result = IpProtectionJobResult::kProtectionNotAttempted;
      }
      base::UmaHistogramEnumeration("Net.HttpJob.IpProtection.JobResult",
                                    ipp_result);
    }
  }

  for (const auto& [_, result] : request_->device_bound_session_deferrals()) {
    base::UmaHistogramEnumeration(
        request_->failed()
            ? "Net.DeviceBoundSessions.DeferralResultByOutcome.Failure"
            : "Net.DeviceBoundSessions.DeferralResultByOutcome.Success",
        result);
  }

  start_time_ = base::TimeTicks();
}

void URLRequestHttpJob::DoneWithRequest(CompletionCause reason) {
  if (done_) {
    return;
  }
  done_ = true;

  // Notify NetworkQualityEstimator.
  NetworkQualityEstimator* network_quality_estimator =
      request()->context()->network_quality_estimator();
  if (network_quality_estimator) {
    network_quality_estimator->NotifyRequestCompleted(*request());
  }

  RecordCompletionHistograms(reason);
  request()->set_received_response_content_length(prefilter_bytes_read());
}

HttpResponseHeaders* URLRequestHttpJob::GetResponseHeaders() const {
  if (override_response_info_) {
    DCHECK(!transaction_.get());
    return override_response_info_->headers.get();
  }

  DCHECK(transaction_.get());
  DCHECK(transaction_->GetResponseInfo());

  return override_response_headers_.get()
             ? override_response_headers_.get()
             : transaction_->GetResponseInfo()->headers.get();
}

void URLRequestHttpJob::NotifyURLRequestDestroyed() {
  awaiting_callback_ = false;

  // Notify NetworkQualityEstimator.
  NetworkQualityEstimator* network_quality_estimator =
      request()->context()->network_quality_estimator();
  if (network_quality_estimator) {
    network_quality_estimator->NotifyURLRequestDestroyed(*request());
  }
}

bool URLRequestHttpJob::ShouldAddCookieHeader() const {
  // Read cookies whenever allow_credentials() is true, even if the PrivacyMode
  // is being overridden by NetworkDelegate and will eventually block them, as
  // blocked cookies still need to be logged in that case.
  return request_->context()->cookie_store() && request_->allow_credentials() &&
         !(request_info_.load_flags & LOAD_DO_NOT_SEND_COOKIES);
}

bool URLRequestHttpJob::ShouldRecordPartitionedCookieUsage() const {
  return request_->cookie_partition_key().has_value();
}

#if BUILDFLAG(ARKWEB_PRP_PRELOAD) && BUILDFLAG(IS_OHOS)
void URLRequestHttpJob::InitPreloadInfoAndSetToTransaction()
{
  if (request_ && transaction_ &&
      !request_->update_res_request_info_callback().is_null() && request_->preload_info()) {
    request_->preload_info()->InitInfoFromUrlRequest(*request_);
    transaction_->SetUpdateResRequestInfoCallback(request_->update_res_request_info_callback());
    transaction_->SetPreloadInfo(request_->preload_info());
  }
}
#endif

}  // namespace net