1// Copyright 2016 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5module network.mojom; 6 7import "mojo/public/mojom/base/big_buffer.mojom"; 8import "mojo/public/mojom/base/file.mojom"; 9import "mojo/public/mojom/base/file_path.mojom"; 10import "mojo/public/mojom/base/time.mojom"; 11import "mojo/public/mojom/base/unguessable_token.mojom"; 12import "services/network/public/mojom/cors.mojom"; 13import "services/network/public/mojom/chunked_data_pipe_getter.mojom"; 14import "services/network/public/mojom/data_pipe_getter.mojom"; 15import "services/network/public/mojom/fetch_api.mojom"; 16import "services/network/public/mojom/http_request_headers.mojom"; 17import "services/network/public/mojom/network_isolation_key.mojom"; 18import "services/network/public/mojom/network_param.mojom"; 19import "services/network/public/mojom/site_for_cookies.mojom"; 20import "services/network/public/mojom/trust_tokens.mojom"; 21import "services/network/public/mojom/url_response_head.mojom"; 22import "url/mojom/origin.mojom"; 23import "url/mojom/url.mojom"; 24 25[Native] 26struct URLRequestRedirectInfo; 27 28[Native] 29struct CorsErrorStatus; 30 31[Native] 32struct URLLoaderCompletionStatus; 33 34// This enum corresponds to net::RequestPriority. See its comments for details. 35enum RequestPriority { 36 kThrottled = 0, 37 kIdle, 38 kLowest, 39 kLow, 40 kMedium, 41 kHighest 42}; 43 44// This enum corresponds to net::URLRequest::ReferrerPolicy. See its comments. 45enum URLRequestReferrerPolicy { 46 kClearReferrerOnTransitionFromSecureToInsecure, 47 kReduceReferrerGranularityOnTransitionCrossOrigin, 48 kOriginOnlyOnTransitionCrossOrigin, 49 kNeverClearReferrer, 50 kOrigin, 51 kClearReferrerOnTransitionCrossOrigin, 52 kOriginClearOnTransitionFromSecureToInsecure, 53 kNoReferrer 54}; 55 56// Used for represents the type of the internal contents of 57// network::DataElement. 58enum DataElementType { 59 kUnknown = -1, 60 61 // Only used for Upload with Network Service as of now: 62 kDataPipe, 63 kChunkedDataPipe, 64 kRawFile, 65 66 // Used for Upload when Network Service is disabled: 67 kBlob, 68 kFile, 69 70 // Commonly used in every case: 71 kBytes, 72}; 73 74// Used to determine if URLRequest::trusted_network_isolation_key should be 75// updated on redirect. 76enum UpdateNetworkIsolationKeyOnRedirect { 77 kDoNotUpdate, 78 79 // The updated network isolation key will take the redirected url's origin as 80 // the top frame origin and frame origin. 81 kUpdateTopFrameAndFrameOrigin, 82 83 // The updated network isolation key will take the existing 84 // NetworkIsolationKey's top frame origin and redirected url's origin as the 85 // frame origin. 86 kUpdateFrameOrigin 87}; 88 89// Options that may only be set on URLRequests passed to a URLLoaderFactory 90// created with |is_trusted| set to true. 91struct TrustedUrlRequestParams { 92 // This resource request will be keyed using |network_isolation_key| for 93 // accessing shared network resources like the http cache. 94 NetworkIsolationKey? network_isolation_key; 95 96 // Whether or not the network isolation key needs to be recomputed on 97 // redirects. Typically this is only done for navigations. 98 UpdateNetworkIsolationKeyOnRedirect update_network_isolation_key_on_redirect; 99 100 // Whether secure DNS should be disabled for the request. 101 bool disable_secure_dns; 102 103 // Whether a navigation is triggered with a user gesture. 104 // Always true for navigations except the one triggered from a document 105 // without user gesture. Used to determine the `Sec-Fetch-User` header. 106 bool has_user_activation; 107}; 108 109// Typemapped to network::ResourceRequest. 110struct URLRequest { 111 // The request method: GET, POST, etc. 112 string method; 113 114 // The absolute requested URL encoded in ASCII per the rules of RFC-2396. 115 url.mojom.Url url; 116 117 // Represents the first-party for the request, which may be checked by 118 // the third-party cookie blocking policy or by some cookies. Leaving it empty 119 // may lead to undesired cookie blocking. Third-party cookie blocking can be 120 // bypassed by setting site_for_cookies = SiteForCookies::FromUrl(url), but 121 // this should only be done if the fetch can be reasonably said to be done by 122 // the same principal as what |url| represents. 123 SiteForCookies site_for_cookies; 124 125 // Boolean indicating whether SameSite cookies are allowed to be attached 126 // to the request. It should be used as additional input to network side 127 // checks. 128 bool attach_same_site_cookies; 129 130 // First-party URL redirect policy: During server redirects, the first-party 131 // URL for cookies normally doesn't change. However, if this is true, the 132 // the first-party URL should be updated to the URL on every redirect. 133 bool update_first_party_url_on_redirect; 134 135 // |request_initiator| indicates the origin initiating the resource request. 136 // 137 // |request_initiator| is null for browser-initiated requests (e.g. 138 // navigations initiated via omnibox or bookmarks, internal subresource 139 // requests like fetching the SafeBrowsing data, etc.). 140 // 141 // For all requests initiated via web (both subresource requests and 142 // navigations), |request_initiator| is always set to the origin of the frame 143 // that has initiated the request. This is true even if the request might 144 // have been initiated by an isolated world (e.g. from a content script of an 145 // extension, with its own, separate origin). This needs to be true even if 146 // the request might be "proxied" in the browser process on behalf of a web 147 // origin (e.g. as is the case for PaymentRequest API). 148 // 149 // |request_initiator| is consulted in a variety of security features, 150 // including: calculating Sec-Fetch-Site request header, determining if the 151 // request should be subject to CORS, determining if CORB and/or CORP should 152 // block the response, determining if SameSite=strict cookies should be sent, 153 // etc. 154 // 155 // See also: 156 // - |isolated_world_origin| 157 // - URLLoaderFactoryParams::request_initiator_site_lock 158 url.mojom.Origin? request_initiator; 159 160 // If this is a subresource request initiated from an isolated world (e.g. 161 // from a content script of a Chrome Extension), then 162 // |isolated_world_origin| indicates the origin of the isolated world. 163 // Otherwise, |isolated_world_origin| is null. 164 // 165 // Example #1: XHR initiated from a content script of chrome-extension://foo 166 // that was injected into a https://example.com web frame: 167 // - |request_initiator| is "https://example.com" 168 // - |isolated_world_origin| is "chrome-extension://foo" 169 // 170 // Example #2: XHR initiated from a Chrome Extension frame (e.g. from an 171 // extension background page): 172 // - |request_initiator| is "chrome-extension://foo" 173 // - |isolated_world_origin| is null (this request is not associated with an 174 // isolated world) 175 // 176 // |isolated_world_origin| is consulted by OOR-CORS, to determine if this 177 // request might need to be exempt from CORS, based on OriginAccessList. 178 // 179 // TODO(lukasza): https://crbug.com/936310: Attempt to remove 180 // |isolated_world_origin| after removing the global/per-NetworkContext 181 // OriginAccessList and replacing it with per-URLLoaderFactory 182 // OriginAccessList. 183 url.mojom.Origin? isolated_world_origin; 184 185 // The referrer to use (may be empty). 186 url.mojom.Url referrer; 187 188 // The referrer policy to use. 189 URLRequestReferrerPolicy referrer_policy; 190 191 // Additional HTTP request headers. 192 HttpRequestHeaders headers; 193 194 // HTTP request headers that has been internally added. Some consumers want to 195 // set additional HTTP headers, but such internal headers must be ignored by 196 // CORS check (which run inside Network Service), so the values are stored 197 // here (rather than in |headers|) and later merged into the |headers| after 198 // CORS check. 199 // 200 // *Warning*: Adding new headers to this list is strongly discouraged. What 201 // usually you need is to update the fetch spec, and add your custom headers 202 // to the CORS-safelisted header so to pass proper CORS checks. 'Proxy-' or 203 // 'Sec-' prefixes are also available. See cors::IsCORSSafelistedHeader and 204 // cors::IsForbiddenHeader for details. 205 // 206 // You should ask Loading and CORS OWNERS when you need to add your own 207 // headers to the list. 208 HttpRequestHeaders cors_exempt_headers; // See Note above before using. 209 210 // net::URLRequest load flags. 211 int32 load_flags; 212 213 // What this resource load is for (main frame, sub-frame, sub-resource, 214 // object). 215 // Note: this is an enum of type blink::mojom::ResourceType. 216 // TODO(jam): remove this from the struct since network service shouldn't know 217 // about this. 218 int32 resource_type; 219 220 // The priority of this request determined by Blink. 221 RequestPriority priority; 222 223 // True if corresponding AppCache group should be reset. 224 bool should_reset_appcache; 225 226 // https://wicg.github.io/cors-rfc1918/#external-request 227 // TODO(toyoshim): The browser should know better than renderers do. 228 // This is used to plumb Blink decided information for legacy code path, but 229 // eventually we should remove this. 230 bool is_external_request; 231 232 // A policy to decide if CORS-preflight fetch should be performed. 233 CorsPreflightPolicy cors_preflight_policy; 234 235 // True if the request originated from a Service Worker, e.g. due to a 236 // fetch() in the Service Worker script. 237 bool originated_from_service_worker; 238 239 // The service worker mode that indicates which service workers should get 240 // events for this request. 241 // TODO(jam): remove this from the struct since network service shouldn't know 242 // about this. 243 bool skip_service_worker; 244 245 // If true then the request continues even if it's blocked by CORB. 246 bool corb_detachable = false; 247 248 // TODO(lukasza): https://crbug.com/846339: Remove the field below and instead 249 // make plugins use a separate URLoaderFactory. Note requests of this type are 250 // only excluded if mode is kNoCors. 251 bool corb_excluded = false; 252 253 // https://fetch.spec.whatwg.org/#concept-request-mode 254 // Used mainly by CORS handling (out-of-blink CORS), CORB, Service Worker. 255 // CORS handling needs a proper origin (including a unique opaque origin). 256 // Hence a request with kSameOrigin, kCors, or kCorsWithForcedPreflight should 257 // have a non-null request_initiator. 258 RequestMode mode; 259 260 // https://fetch.spec.whatwg.org/#concept-request-credentials-mode 261 // Controls whether credentials are attached to this request. 262 // |kSameOrigin| credentials mode requires a non-null |request_initiator|. 263 // When |mode| is |kNavigate|, this needs to be |kInclude|. 264 CredentialsMode credentials_mode; 265 266 // https://fetch.spec.whatwg.org/#concept-request-redirect-mode 267 // Used mainly by CORS handling (out-of-blink CORS), Service Worker. 268 // This member must be kFollow as long as |mode| is kNoCors. 269 RedirectMode redirect_mode; 270 271 // The integrity used in Fetch API. 272 string fetch_integrity; 273 274 // The request context passed to the ServiceWorker. 275 // Note: this is an enum of type content::RequestContextType. 276 // TODO(jam): remove this from the struct since network service shouldn't know 277 // about this. 278 int32 fetch_request_context_type; 279 280 // https://fetch.spec.whatwg.org/#concept-request-destiantion 281 RequestDestination destination; 282 283 // Optional resource request body. 284 URLRequestBody? request_body; 285 286 // True if the request can work after the fetch group is terminated. 287 // https://fetch.spec.whatwg.org/#request-keepalive-flag 288 bool keepalive; 289 290 // True if the request was user initiated. 291 bool has_user_gesture; 292 293 // TODO(mmenke): Investigate if enable_load_timing is safe to remove. 294 // 295 // True if load timing data should be collected for request. 296 bool enable_load_timing; 297 298 // True if upload progress should be available for request. 299 bool enable_upload_progress; 300 301 // True if login prompts for this request should be suppressed. Cached 302 // credentials or default credentials may still be used for authentication. 303 bool do_not_prompt_for_login; 304 305 // The id of the RenderFrame. This may be: 306 // - The render frame id for a) subresource requests from a document, b) the 307 // main resource request for a dedicated/shared worker if that worker was 308 // created by a frame. 309 // - MSG_ROUTING_NONE for nested dedicated workers. 310 // - MSG_ROUTING_NONE for subresource requests from a dedicated/shared worker. 311 // - service_worker_route_id from EmbeddedWorkerStartParams for service worker 312 // main script requests and subresource requests. 313 // - The frame tree node ID for navigation requests only. Please do not use 314 // frame tree node ID for other requests. 315 int32 render_frame_id; 316 317 // True if |frame_id| is the main frame of a RenderView. 318 bool is_main_frame; 319 320 // Note: this is an enum of type ui::PageTransition. 321 // TODO(jam): remove this from the struct since network service shouldn't know 322 // about this. 323 int32 transition_type; 324 325 // Whether to intercept headers to pass back to the renderer. 326 // This also enables reporting of SSLInfo in URLLoaderClient's 327 // OnResponseReceived and OnComplete, as well as invocation of 328 // OnTransferSizeUpdated(). 329 bool report_raw_headers; 330 331 // Whether or not to request a Preview version of the resource or let the 332 // browser decide. 333 // Note: this is an enum of type PreviewsState. 334 // TODO(jam): remove this from the struct since network service shouldn't know 335 // about this. 336 int32 previews_state; 337 338 // Whether or not this request (including redirects) should be upgraded to 339 // HTTPS due to an Upgrade-Insecure-Requests requirement. 340 bool upgrade_if_insecure; 341 342 // True when the request is revalidating. 343 // Some users, notably blink, has its own cache. This flag is set to exempt 344 // some CORS logic for a revalidating request. 345 bool is_revalidating; 346 347 // The profile ID of network conditions to throttle the network request. 348 mojo_base.mojom.UnguessableToken? throttling_profile_id; 349 350 // See https://fetch.spec.whatwg.org/#concept-request-window 351 // 352 // This is an opaque id of the original requestor of the resource, which might 353 // be different to the current requestor which is |render_frame_id|. For 354 // example, if a navigation for window "abc" is intercepted by a service 355 // worker, which re-issues the request via fetch, the re-issued request has 356 // |render_frame_id| of MSG_ROUTING_NONE (the service worker) and |window_id| 357 // of "abc". This is used for, e.g., client certificate selection. It's 358 // important that this id be unguessable so renderers cannot impersonate 359 // other renderers. 360 // 361 // This may be empty when the original requestor is the current requestor or 362 // is not a window. When it's empty, use |render_frame_id| instead. In 363 // practical terms, it's empty for requests that didn't go through a service 364 // worker, or if the original requestor is not a window. When the request 365 // goes through a service worker, the id is 366 // ServiceWorkerProviderHost::fetch_request_window_id. 367 mojo_base.mojom.UnguessableToken? fetch_window_id; 368 369 // The ID that DevTools uses to track network requests. It is generated in the 370 // renderer process and is only present when DevTools is enabled in the 371 // renderer. 372 string? devtools_request_id; 373 374 // True for prefetch requests when SignedExchangePrefetchCacheForNavigations 375 // feature is enabled by flags or SignedExchangeSubresourcePrefetch feature is 376 // enabled by flags, or OriginTrial. TODO(horo): Remove this when these 377 // features are enabled by default. 378 bool is_signed_exchange_prefetch_cache_enabled; 379 380 // If set, the network service will attempt to retrieve the appropriate origin 381 // policy, if necessary, and attach it to the ResourceResponseHead. 382 // Spec: https://wicg.github.io/origin-policy/ 383 bool obey_origin_policy; 384 385 // Setting these from an untrusted URLLoader will cause the request to fail. 386 TrustedUrlRequestParams? trusted_params; 387 388 // Set for recursive prefetch requests originating from cross-origin 389 // prefetches. These requests take the form of `Link: rel=preload` HTTP 390 // response headers. For more information on these requests see 391 // https://github.com/w3c/resource-hints/issues/77. 392 mojo_base.mojom.UnguessableToken? recursive_prefetch_token; 393 394 // Set when Trust Tokens (https://github.com/wicg/trust-token-api) is enabled 395 // and the request has set the trustToken Fetch parameter, denoting that it 396 // wishes to execute a Trust Tokens protocol operation. 397 TrustTokenParams? trust_token_params; 398}; 399 400// URLRequestBody represents body (i.e. upload data) of a HTTP request. 401// Typemapped to network::ResourceRequestBody 402struct URLRequestBody { 403 // Store upload bodies 404 array<DataElement> elements; 405 406 // Identifies a particular upload instance, which is used by the cache to 407 // formulate a cache key. 408 uint64 identifier; 409 410 // Indicates whether the post data contains sensitive information like 411 // passwords. 412 bool contains_sensitive_info; 413}; 414 415// Represents part of an upload body. This could be either one of bytes, file or 416// a data pipe. 417// Typemapped to network::DataElement 418struct DataElement { 419 DataElementType type; 420 421 // For kBytes. 422 array<uint8> buf; 423 // For kFile and kRawFile 424 mojo_base.mojom.FilePath path; 425 // For kRawFile 426 mojo_base.mojom.File? file; 427 // For kBlob 428 // TODO(richard.li): Deprecate this once NetworkService is fully shipped. 429 string? blob_uuid; 430 // For kDataPipe 431 pending_remote<network.mojom.DataPipeGetter>? data_pipe_getter; 432 // For kChunkedDataPipe 433 pending_remote<network.mojom.ChunkedDataPipeGetter>? chunked_data_pipe_getter; 434 435 uint64 offset; 436 uint64 length; 437 mojo_base.mojom.Time expected_modification_time; 438}; 439 440// Destroying a URLLoader will cancel the associated request. 441interface URLLoader { 442 // If a disconnection is initiated by the client side, it may send the 443 // following disconnection reason, along with an application-defined string 444 // description, to notify the service side. 445 const uint32 kClientDisconnectReason = 1; 446 447 // If the associated request has |auto_follow_redirects| set to false, then 448 // upon receiving an URLResponse with a non-NULL |redirect_url| field, 449 // |FollowRedirect| may be called to load the URL indicated by the redirect. 450 // |removed_headers| can be used to remove existing headers for the redirect. 451 // This parameter is before |modified_headers| since removing headers is 452 // applied first in the URLLoader::FollowRedirect(). |modified_headers| can 453 // be used to add or override existing headers for the redirect. If |new_url| 454 // is specified, then the request will be made to it instead of the redirected 455 // URL. Note: it has to be in the same origin as the redirected URL, and this 456 // is only supported when the network service is enabled. 457 FollowRedirect(array<string> removed_headers, 458 network.mojom.HttpRequestHeaders modified_headers, 459 url.mojom.Url? new_url); 460 461 // Sets the request priority. 462 // |intra_priority_value| is a lesser priority which is used to prioritize 463 // requests within a given priority level. If -1 is passed, the existing 464 // intra priority value is maintained. 465 SetPriority(RequestPriority priority, int32 intra_priority_value); 466 467 // If the resource is being fetched from the network, 468 // PauseReadingBodyFromNet() pauses fetching the response body. It is okay to 469 // call this method before fetching the body starts, too. 470 // ResumeReadingBodyFromNet() resumes fetching the body if it has been paused. 471 // 472 // Note that PauseReadingBodyFromNet() is asynchronous and only gurantees to 473 // pause if the response body is fetched from the network. This means: 474 // - any data in flight before PauseReadingBodyFromNet() is processed will 475 // still be passed to the client data pipe. 476 // - a response body not from the network, e.g. from blob, may not be paused 477 // at all. 478 // 479 // Redundant calls to these methods are ingored. It is not required to match 480 // pause and resume calls. It is not an error to resume a non-paused request, 481 // or pause a request multiple times. 482 PauseReadingBodyFromNet(); 483 ResumeReadingBodyFromNet(); 484}; 485 486interface URLLoaderClient { 487 // Called when the response head is received. 488 OnReceiveResponse(URLResponseHead head); 489 490 // Called when the request has been redirected. The receiver is expected to 491 // call FollowRedirect or cancel the request. 492 OnReceiveRedirect(URLRequestRedirectInfo redirect_info, URLResponseHead head); 493 494 // Called when the service made some progress on the file upload. This is 495 // called only when the request has an upload data. 496 // The implementation should call the response closure when the client is 497 // ready to receive the next upload progress. 498 OnUploadProgress(int64 current_position, int64 total_size) => (); 499 500 // Called when cached metadata from a resource request is ready. 501 OnReceiveCachedMetadata(mojo_base.mojom.BigBuffer data); 502 503 // Called when the transfer size is updated. This is only called if 504 // |report_raw_headers| is set or the renderer has permission to read the 505 // request. The transfer size is the length of the response (including both 506 // headers and the body) over the network. |transfer_size_diff| is the 507 // difference from the value previously reported one (including the one in 508 // OnReceiveResponse and OnReceiveRedirect). It must be positive. 509 // TODO(yhirano): Dispatch this notification even when |download_to_file| is 510 // set. 511 // TODO(yhirano): Consider using an unsigned type. 512 // TODO(rajendrant): Consider reporting the transfer size directly to browser 513 // process from net service, and not pass it via renderer process. This can be 514 // done after the upcoming network servicification work. 515 OnTransferSizeUpdated(int32 transfer_size_diff); 516 517 // Called when the loader starts loading response body. This is called after 518 // OnReceiveResponse is called. 519 OnStartLoadingResponseBody(handle<data_pipe_consumer> body); 520 521 // Called when the loading completes. No notification will be dispatched for 522 // this client after this message arrives. |status| has its |ssl_info| field 523 // set only when |kURLLoadOptionsSendSSLInfoForCertificateError| was set. 524 OnComplete(URLLoaderCompletionStatus status); 525}; 526 527// Convenient struct that groups the two communication endpoints most 528// implementations of URLLoaderClient use to communicate with their URLLoader. 529struct URLLoaderClientEndpoints { 530 pending_remote<URLLoader> url_loader; 531 pending_receiver<URLLoaderClient> url_loader_client; 532}; 533