feat: add experimental cookie encryption support (#27524)
* feat: add experimental cookie encryption support on macOS * chore: fix TODO * update patches * feat: make cookie encryption work on windows * chore: update cookie encryption support comments * fix: only call OSCrypt::Init on windows * chore: make cookie encryption work on linux * Update shell/browser/net/system_network_context_manager.cc Co-authored-by: Jeremy Rose <jeremya@chromium.org> * chore: fix lint * chore: update patches * chore: update patches to upstreamed variants * chore: use chrome ::switches constants * chore: remove bad patch * build: disable cookie encryption by default * chore: update patches * fix: provide std::string to NoDestructor * chore: fix macos, nodestructor syntax * build: fix macOS build due to mismatch in DEFINE Co-authored-by: Electron Bot <electron@github.com> Co-authored-by: Jeremy Rose <jeremya@chromium.org>
This commit is contained in:
parent
f01e35f4ea
commit
7984933e9c
11 changed files with 389 additions and 11 deletions
8
BUILD.gn
8
BUILD.gn
|
@ -1,6 +1,7 @@
|
|||
import("//build/config/locales.gni")
|
||||
import("//build/config/ui.gni")
|
||||
import("//build/config/win/manifest.gni")
|
||||
import("//components/os_crypt/features.gni")
|
||||
import("//components/spellcheck/spellcheck_build_features.gni")
|
||||
import("//content/public/app/mac_helpers.gni")
|
||||
import("//extensions/buildflags/buildflags.gni")
|
||||
|
@ -296,7 +297,7 @@ templated_file("electron_version_header") {
|
|||
action("electron_fuses") {
|
||||
script = "build/fuses/build.py"
|
||||
|
||||
inputs = [ "build/fuses/fuses.json" ]
|
||||
inputs = [ "build/fuses/fuses.json5" ]
|
||||
|
||||
outputs = [
|
||||
"$target_gen_dir/fuses.h",
|
||||
|
@ -335,6 +336,7 @@ source_set("electron_lib") {
|
|||
"//components/network_hints/common:mojo_bindings",
|
||||
"//components/network_hints/renderer",
|
||||
"//components/network_session_configurator/common",
|
||||
"//components/os_crypt",
|
||||
"//components/pref_registry",
|
||||
"//components/prefs",
|
||||
"//components/security_state/content",
|
||||
|
@ -684,6 +686,10 @@ source_set("electron_lib") {
|
|||
]
|
||||
libs += [ "uxtheme.lib" ]
|
||||
}
|
||||
|
||||
if (allow_runtime_configurable_key_storage) {
|
||||
defines += [ "ALLOW_RUNTIME_CONFIGURABLE_KEY_STORAGE" ]
|
||||
}
|
||||
}
|
||||
|
||||
electron_paks("packed_resources") {
|
||||
|
|
|
@ -30,3 +30,6 @@ enable_pseudolocales = false
|
|||
is_cfi = false
|
||||
|
||||
enable_pak_file_integrity_checks = false
|
||||
|
||||
# Make application name configurable at runtime for cookie crypto
|
||||
allow_runtime_configurable_key_storage = true
|
||||
|
|
|
@ -49,8 +49,8 @@ const volatile char kFuseWire[] = { /* sentinel */ {sentinel}, /* fuse_version *
|
|||
}
|
||||
"""
|
||||
|
||||
with open(os.path.join(dir_path, "fuses.json"), 'r') as f:
|
||||
fuse_defaults = json.load(f)
|
||||
with open(os.path.join(dir_path, "fuses.json5"), 'r') as f:
|
||||
fuse_defaults = json.loads(''.join(line for line in f.readlines() if not line.strip()[0] == "/"))
|
||||
|
||||
fuse_version = fuse_defaults['_version']
|
||||
del fuse_defaults['_version']
|
||||
|
|
|
@ -2,5 +2,6 @@
|
|||
"_comment": "Modifying the fuse schema in any breaking way should result in the _version prop being incremented. NEVER remove a fuse or change its meaning, instead mark it as removed with 'r'",
|
||||
"_schema": "0 == off, 1 == on, r == removed fuse",
|
||||
"_version": 1,
|
||||
"run_as_node": "1"
|
||||
"run_as_node": "1",
|
||||
"cookie_encryption": "0"
|
||||
}
|
|
@ -51,4 +51,4 @@ Somewhere in the Electron binary there will be a sequence of bytes that look lik
|
|||
|
||||
To flip a fuse you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
|
||||
|
||||
You can view the current schema [here](https://github.com/electron/electron/blob/master/build/fuses/fuses.json).
|
||||
You can view the current schema [here](https://github.com/electron/electron/blob/master/build/fuses/fuses.json5).
|
||||
|
|
|
@ -102,3 +102,4 @@ add_setter_for_browsermainloop_result_code.patch
|
|||
chore_allow_overriding_of_enable_pak_file_integrity_checks.patch
|
||||
make_include_of_stack_trace_h_unconditional.patch
|
||||
build_libc_as_static_library.patch
|
||||
support_runtime_configurable_key_storage_on_linux_os_crypto.patch
|
||||
|
|
|
@ -0,0 +1,288 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Attard <samuel.r.attard@gmail.com>
|
||||
Date: Mon, 10 May 2021 17:10:25 -0700
|
||||
Subject: support runtime configurable key storage on linux (os_crypto)
|
||||
|
||||
This modifies the OsCrypt::Config struct used on linux to support
|
||||
runtime configurable application names which are used in the Keyring and
|
||||
LibSecret implementations of os_crypt on linux.
|
||||
|
||||
Change-Id: Ifc287b589f118da8fcd5afaf39e5ba7ffe46f5fd
|
||||
|
||||
diff --git a/components/os_crypt/key_storage_config_linux.h b/components/os_crypt/key_storage_config_linux.h
|
||||
index a856604756aa65c52171a9eff84ba2b316d8609c..72c16682e5df615ab84f67af66cc36c2b76c30e3 100644
|
||||
--- a/components/os_crypt/key_storage_config_linux.h
|
||||
+++ b/components/os_crypt/key_storage_config_linux.h
|
||||
@@ -26,6 +26,12 @@ struct COMPONENT_EXPORT(OS_CRYPT) Config {
|
||||
std::string store;
|
||||
// The product name to use for permission prompts.
|
||||
std::string product_name;
|
||||
+ // The application name to store the key under. For Chromium/Chrome builds
|
||||
+ // leave this unset and it will default correctly. This config option is
|
||||
+ // for embedders to provide their application name in place of "Chromium".
|
||||
+ // Only used when the allow_runtime_configurable_key_storage feature is
|
||||
+ // enabled.
|
||||
+ std::string application_name;
|
||||
// A runner on the main thread for gnome-keyring to be called from.
|
||||
// TODO(crbug/466975): Libsecret and KWallet don't need this. We can remove
|
||||
// this when we stop supporting keyring.
|
||||
diff --git a/components/os_crypt/key_storage_keyring.cc b/components/os_crypt/key_storage_keyring.cc
|
||||
index 29720b8e8ff81791970e054050b37bbc5f338eb3..3ad654cf4a893f497ac4567aea77f8d1f2e1525f 100644
|
||||
--- a/components/os_crypt/key_storage_keyring.cc
|
||||
+++ b/components/os_crypt/key_storage_keyring.cc
|
||||
@@ -15,12 +15,6 @@
|
||||
|
||||
namespace {
|
||||
|
||||
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
|
||||
-const char kApplicationName[] = "chrome";
|
||||
-#else
|
||||
-const char kApplicationName[] = "chromium";
|
||||
-#endif
|
||||
-
|
||||
const GnomeKeyringPasswordSchema kSchema = {
|
||||
GNOME_KEYRING_ITEM_GENERIC_SECRET,
|
||||
{{"application", GNOME_KEYRING_ATTRIBUTE_TYPE_STRING}, {nullptr}}};
|
||||
@@ -28,8 +22,10 @@ const GnomeKeyringPasswordSchema kSchema = {
|
||||
} // namespace
|
||||
|
||||
KeyStorageKeyring::KeyStorageKeyring(
|
||||
- scoped_refptr<base::SingleThreadTaskRunner> main_thread_runner)
|
||||
- : main_thread_runner_(main_thread_runner) {}
|
||||
+ scoped_refptr<base::SingleThreadTaskRunner> main_thread_runner,
|
||||
+ std::string application_name)
|
||||
+ : main_thread_runner_(main_thread_runner),
|
||||
+ application_name_(std::move(application_name)) {}
|
||||
|
||||
KeyStorageKeyring::~KeyStorageKeyring() {}
|
||||
|
||||
@@ -49,7 +45,8 @@ absl::optional<std::string> KeyStorageKeyring::GetKeyImpl() {
|
||||
gchar* password_c = nullptr;
|
||||
GnomeKeyringResult result =
|
||||
GnomeKeyringLoader::gnome_keyring_find_password_sync_ptr(
|
||||
- &kSchema, &password_c, "application", kApplicationName, nullptr);
|
||||
+ &kSchema, &password_c, "application", application_name_.c_str(),
|
||||
+ nullptr);
|
||||
if (result == GNOME_KEYRING_RESULT_OK) {
|
||||
password = password_c;
|
||||
GnomeKeyringLoader::gnome_keyring_free_password_ptr(password_c);
|
||||
@@ -71,7 +68,7 @@ absl::optional<std::string> KeyStorageKeyring::AddRandomPasswordInKeyring() {
|
||||
GnomeKeyringResult result =
|
||||
GnomeKeyringLoader::gnome_keyring_store_password_sync_ptr(
|
||||
&kSchema, nullptr /* default keyring */, KeyStorageLinux::kKey,
|
||||
- password.c_str(), "application", kApplicationName, nullptr);
|
||||
+ password.c_str(), "application", application_name_.c_str(), nullptr);
|
||||
if (result != GNOME_KEYRING_RESULT_OK) {
|
||||
VLOG(1) << "OSCrypt failed to store generated password to gnome-keyring";
|
||||
return absl::nullopt;
|
||||
diff --git a/components/os_crypt/key_storage_keyring.h b/components/os_crypt/key_storage_keyring.h
|
||||
index 26a3f587b49cdea3e4913ce0e08eeade6d1853a0..598c8b8ad35efa002a29dd98c9cba98453bef5ac 100644
|
||||
--- a/components/os_crypt/key_storage_keyring.h
|
||||
+++ b/components/os_crypt/key_storage_keyring.h
|
||||
@@ -20,8 +20,9 @@ class SingleThreadTaskRunner;
|
||||
// Specialisation of KeyStorageLinux that uses Libsecret.
|
||||
class COMPONENT_EXPORT(OS_CRYPT) KeyStorageKeyring : public KeyStorageLinux {
|
||||
public:
|
||||
- explicit KeyStorageKeyring(
|
||||
- scoped_refptr<base::SingleThreadTaskRunner> main_thread_runner);
|
||||
+ KeyStorageKeyring(
|
||||
+ scoped_refptr<base::SingleThreadTaskRunner> main_thread_runner,
|
||||
+ std::string application_name);
|
||||
~KeyStorageKeyring() override;
|
||||
|
||||
protected:
|
||||
@@ -37,6 +38,8 @@ class COMPONENT_EXPORT(OS_CRYPT) KeyStorageKeyring : public KeyStorageLinux {
|
||||
// Keyring calls need to originate from the main thread.
|
||||
scoped_refptr<base::SingleThreadTaskRunner> main_thread_runner_;
|
||||
|
||||
+ const std::string application_name_;
|
||||
+
|
||||
DISALLOW_COPY_AND_ASSIGN(KeyStorageKeyring);
|
||||
};
|
||||
|
||||
diff --git a/components/os_crypt/key_storage_keyring_unittest.cc b/components/os_crypt/key_storage_keyring_unittest.cc
|
||||
index aba31971dc33f4b60c2847fd037c419baf084eaa..93fc216d54168eb3fd7e9f1b23f71a77f6e6735d 100644
|
||||
--- a/components/os_crypt/key_storage_keyring_unittest.cc
|
||||
+++ b/components/os_crypt/key_storage_keyring_unittest.cc
|
||||
@@ -130,7 +130,7 @@ class GnomeKeyringTest : public testing::Test {
|
||||
};
|
||||
|
||||
GnomeKeyringTest::GnomeKeyringTest()
|
||||
- : task_runner_(new base::TestSimpleTaskRunner()), keyring_(task_runner_) {
|
||||
+ : task_runner_(new base::TestSimpleTaskRunner()), keyring_(task_runner_, "chromium") {
|
||||
MockGnomeKeyringLoader::ResetForOSCrypt();
|
||||
}
|
||||
|
||||
diff --git a/components/os_crypt/key_storage_libsecret.cc b/components/os_crypt/key_storage_libsecret.cc
|
||||
index 0857cc1874f4153541c7f21dd8cc6bdc1d59b39d..ccc60522791508f02dc759e55e781dbb9627967b 100644
|
||||
--- a/components/os_crypt/key_storage_libsecret.cc
|
||||
+++ b/components/os_crypt/key_storage_libsecret.cc
|
||||
@@ -14,12 +14,6 @@
|
||||
|
||||
namespace {
|
||||
|
||||
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
|
||||
-const char kApplicationName[] = "chrome";
|
||||
-#else
|
||||
-const char kApplicationName[] = "chromium";
|
||||
-#endif
|
||||
-
|
||||
const SecretSchema kKeystoreSchemaV2 = {
|
||||
"chrome_libsecret_os_crypt_password_v2",
|
||||
SECRET_SCHEMA_DONT_MATCH_NAME,
|
||||
@@ -64,6 +58,9 @@ void AnalyseKeyHistory(GList* secret_items) {
|
||||
|
||||
} // namespace
|
||||
|
||||
+KeyStorageLibsecret::KeyStorageLibsecret(std::string application_name)
|
||||
+ : application_name_(std::move(application_name)) {}
|
||||
+
|
||||
absl::optional<std::string>
|
||||
KeyStorageLibsecret::AddRandomPasswordInLibsecret() {
|
||||
std::string password;
|
||||
@@ -71,7 +68,7 @@ KeyStorageLibsecret::AddRandomPasswordInLibsecret() {
|
||||
GError* error = nullptr;
|
||||
bool success = LibsecretLoader::secret_password_store_sync(
|
||||
&kKeystoreSchemaV2, nullptr, KeyStorageLinux::kKey, password.c_str(),
|
||||
- nullptr, &error, "application", kApplicationName, nullptr);
|
||||
+ nullptr, &error, "application", application_name_.c_str(), nullptr);
|
||||
if (error) {
|
||||
VLOG(1) << "Libsecret lookup failed: " << error->message;
|
||||
g_error_free(error);
|
||||
@@ -88,7 +85,7 @@ KeyStorageLibsecret::AddRandomPasswordInLibsecret() {
|
||||
|
||||
absl::optional<std::string> KeyStorageLibsecret::GetKeyImpl() {
|
||||
LibsecretAttributesBuilder attrs;
|
||||
- attrs.Append("application", kApplicationName);
|
||||
+ attrs.Append("application", application_name_);
|
||||
|
||||
LibsecretLoader::SearchHelper helper;
|
||||
helper.Search(&kKeystoreSchemaV2, attrs.Get(),
|
||||
diff --git a/components/os_crypt/key_storage_libsecret.h b/components/os_crypt/key_storage_libsecret.h
|
||||
index 4759d076ea0017a41b398491dd24dde76a61e463..5292e21b8e7e1a873591e474571adb5b4ed8fe16 100644
|
||||
--- a/components/os_crypt/key_storage_libsecret.h
|
||||
+++ b/components/os_crypt/key_storage_libsecret.h
|
||||
@@ -15,7 +15,7 @@
|
||||
// Specialisation of KeyStorageLinux that uses Libsecret.
|
||||
class COMPONENT_EXPORT(OS_CRYPT) KeyStorageLibsecret : public KeyStorageLinux {
|
||||
public:
|
||||
- KeyStorageLibsecret() = default;
|
||||
+ explicit KeyStorageLibsecret(std::string application_name);
|
||||
~KeyStorageLibsecret() override = default;
|
||||
|
||||
protected:
|
||||
@@ -26,6 +26,8 @@ class COMPONENT_EXPORT(OS_CRYPT) KeyStorageLibsecret : public KeyStorageLinux {
|
||||
private:
|
||||
absl::optional<std::string> AddRandomPasswordInLibsecret();
|
||||
|
||||
+ const std::string application_name_;
|
||||
+
|
||||
DISALLOW_COPY_AND_ASSIGN(KeyStorageLibsecret);
|
||||
};
|
||||
|
||||
diff --git a/components/os_crypt/key_storage_libsecret_unittest.cc b/components/os_crypt/key_storage_libsecret_unittest.cc
|
||||
index ebe9a6b4bcbf748cd7f7e5fcf941b78ab1835749..a17bbc1f8061b33d55444919f546256d63bc809b 100644
|
||||
--- a/components/os_crypt/key_storage_libsecret_unittest.cc
|
||||
+++ b/components/os_crypt/key_storage_libsecret_unittest.cc
|
||||
@@ -236,7 +236,7 @@ class LibsecretTest : public testing::Test {
|
||||
};
|
||||
|
||||
TEST_F(LibsecretTest, LibsecretRepeats) {
|
||||
- KeyStorageLibsecret libsecret;
|
||||
+ KeyStorageLibsecret libsecret("chromium");
|
||||
MockLibsecretLoader::ResetForOSCrypt();
|
||||
g_password_store.Pointer()->SetPassword("initial password");
|
||||
absl::optional<std::string> password = libsecret.GetKey();
|
||||
@@ -248,7 +248,7 @@ TEST_F(LibsecretTest, LibsecretRepeats) {
|
||||
}
|
||||
|
||||
TEST_F(LibsecretTest, LibsecretCreatesRandomised) {
|
||||
- KeyStorageLibsecret libsecret;
|
||||
+ KeyStorageLibsecret libsecret("chromium");
|
||||
MockLibsecretLoader::ResetForOSCrypt();
|
||||
absl::optional<std::string> password = libsecret.GetKey();
|
||||
MockLibsecretLoader::ResetForOSCrypt();
|
||||
diff --git a/components/os_crypt/key_storage_linux.cc b/components/os_crypt/key_storage_linux.cc
|
||||
index 8feb147c96baa2f853a647eb648297b4b747f515..53b1903ff04043e2d058deda086e116a0e00fdca 100644
|
||||
--- a/components/os_crypt/key_storage_linux.cc
|
||||
+++ b/components/os_crypt/key_storage_linux.cc
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "base/logging.h"
|
||||
#include "base/metrics/histogram_macros.h"
|
||||
#include "base/nix/xdg_util.h"
|
||||
+#include "base/no_destructor.h"
|
||||
#include "base/sequenced_task_runner.h"
|
||||
#include "base/synchronization/waitable_event.h"
|
||||
#include "base/task_runner_util.h"
|
||||
@@ -147,12 +148,29 @@ std::unique_ptr<KeyStorageLinux> KeyStorageLinux::CreateService(
|
||||
std::unique_ptr<KeyStorageLinux> KeyStorageLinux::CreateServiceInternal(
|
||||
os_crypt::SelectedLinuxBackend selected_backend,
|
||||
const os_crypt::Config& config) {
|
||||
+#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
|
||||
+ static const base::NoDestructor<std::string> kDefaultApplicationName("chrome");
|
||||
+#else
|
||||
+ static const base::NoDestructor<std::string> kDefaultApplicationName("chromium");
|
||||
+#endif
|
||||
+
|
||||
std::unique_ptr<KeyStorageLinux> key_storage;
|
||||
|
||||
+#if defined(USE_LIBSECRET) || defined(USE_KEYRING)
|
||||
+#if defined(ALLOW_RUNTIME_CONFIGURABLE_KEY_STORAGE)
|
||||
+ std::string application_name = config.application_name;
|
||||
+ if (application_name.empty()) {
|
||||
+ application_name = *kDefaultApplicationName;
|
||||
+ }
|
||||
+#else
|
||||
+ std::string application_name = *kDefaultApplicationName;
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
#if defined(USE_LIBSECRET)
|
||||
if (selected_backend == os_crypt::SelectedLinuxBackend::GNOME_ANY ||
|
||||
selected_backend == os_crypt::SelectedLinuxBackend::GNOME_LIBSECRET) {
|
||||
- key_storage = std::make_unique<KeyStorageLibsecret>();
|
||||
+ key_storage = std::make_unique<KeyStorageLibsecret>(std::move(application_name));
|
||||
if (key_storage->WaitForInitOnTaskRunner()) {
|
||||
VLOG(1) << "OSCrypt using Libsecret as backend.";
|
||||
return key_storage;
|
||||
@@ -164,8 +182,8 @@ std::unique_ptr<KeyStorageLinux> KeyStorageLinux::CreateServiceInternal(
|
||||
#if defined(USE_KEYRING)
|
||||
if (selected_backend == os_crypt::SelectedLinuxBackend::GNOME_ANY ||
|
||||
selected_backend == os_crypt::SelectedLinuxBackend::GNOME_KEYRING) {
|
||||
- key_storage =
|
||||
- std::make_unique<KeyStorageKeyring>(config.main_thread_runner);
|
||||
+ key_storage = std::make_unique<KeyStorageKeyring>(config.main_thread_runner,
|
||||
+ std::move(application_name));
|
||||
if (key_storage->WaitForInitOnTaskRunner()) {
|
||||
VLOG(1) << "OSCrypt using Keyring as backend.";
|
||||
return key_storage;
|
||||
diff --git a/services/network/network_service.cc b/services/network/network_service.cc
|
||||
index 02c8af43258f6a31f3cc667e73f55f8f67330b51..bea06f626cc2b302ca8a25c753c37cea0d4c9e8c 100644
|
||||
--- a/services/network/network_service.cc
|
||||
+++ b/services/network/network_service.cc
|
||||
@@ -622,6 +622,7 @@ void NetworkService::SetCryptConfig(mojom::CryptConfigPtr crypt_config) {
|
||||
auto config = std::make_unique<os_crypt::Config>();
|
||||
config->store = crypt_config->store;
|
||||
config->product_name = crypt_config->product_name;
|
||||
+ config->application_name = crypt_config->application_name;
|
||||
config->main_thread_runner = base::ThreadTaskRunnerHandle::Get();
|
||||
config->should_use_preference = crypt_config->should_use_preference;
|
||||
config->user_data_path = crypt_config->user_data_path;
|
||||
diff --git a/services/network/public/mojom/network_service.mojom b/services/network/public/mojom/network_service.mojom
|
||||
index 3a1abc4d1b64ad9480f5218cd1de8fd61a064f34..0edbe59d3a70b5bca759cd8a726baded6b81ea71 100644
|
||||
--- a/services/network/public/mojom/network_service.mojom
|
||||
+++ b/services/network/public/mojom/network_service.mojom
|
||||
@@ -99,6 +99,13 @@ struct CryptConfig {
|
||||
// The product name to use for permission prompts.
|
||||
string product_name;
|
||||
|
||||
+ // The application name to store the crypto key against. For Chromium/Chrome
|
||||
+ // builds leave this unset and it will default correctly. This config option
|
||||
+ // is for embedders to provide their application name in place of "Chromium".
|
||||
+ // Only used when the allow_runtime_configurable_key_storage feature is
|
||||
+ // enabled
|
||||
+ string application_name;
|
||||
+
|
||||
// Controls whether preference on using or ignoring backends is used.
|
||||
bool should_use_preference;
|
||||
|
|
@ -9,8 +9,12 @@
|
|||
#include <utility>
|
||||
|
||||
#include "base/command_line.h"
|
||||
#include "base/files/file_path.h"
|
||||
#include "base/path_service.h"
|
||||
#include "chrome/common/chrome_switches.h"
|
||||
#include "components/os_crypt/os_crypt.h"
|
||||
#include "components/prefs/in_memory_pref_store.h"
|
||||
#include "components/prefs/json_pref_store.h"
|
||||
#include "components/prefs/overlay_user_pref_store.h"
|
||||
#include "components/prefs/pref_registry.h"
|
||||
#include "components/prefs/pref_registry_simple.h"
|
||||
|
@ -20,11 +24,13 @@
|
|||
#include "components/proxy_config/proxy_config_pref_names.h"
|
||||
#include "content/public/browser/child_process_security_policy.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "electron/fuses.h"
|
||||
#include "extensions/common/constants.h"
|
||||
#include "net/proxy_resolution/proxy_config.h"
|
||||
#include "net/proxy_resolution/proxy_config_service.h"
|
||||
#include "net/proxy_resolution/proxy_config_with_annotation.h"
|
||||
#include "services/network/public/cpp/network_switches.h"
|
||||
#include "shell/common/electron_paths.h"
|
||||
|
||||
#if BUILDFLAG(ENABLE_PRINTING)
|
||||
#include "chrome/browser/printing/print_job_manager.h"
|
||||
|
@ -83,15 +89,32 @@ BuildState* BrowserProcessImpl::GetBuildState() {
|
|||
}
|
||||
|
||||
void BrowserProcessImpl::PostEarlyInitialization() {
|
||||
// Mock user prefs, as we only need to track changes for a
|
||||
// in memory pref store. There are no persistent preferences
|
||||
PrefServiceFactory prefs_factory;
|
||||
auto pref_registry = base::MakeRefCounted<PrefRegistrySimple>();
|
||||
PrefProxyConfigTrackerImpl::RegisterPrefs(pref_registry.get());
|
||||
#if defined(OS_WIN)
|
||||
OSCrypt::RegisterLocalPrefs(pref_registry.get());
|
||||
#endif
|
||||
|
||||
auto pref_store = base::MakeRefCounted<ValueMapPrefStore>();
|
||||
ApplyProxyModeFromCommandLine(pref_store.get());
|
||||
prefs_factory.set_command_line_prefs(std::move(pref_store));
|
||||
prefs_factory.set_user_prefs(new OverlayUserPrefStore(new InMemoryPrefStore));
|
||||
|
||||
// Only use a persistent prefs store when cookie encryption is enabled as that
|
||||
// is the only key that needs it
|
||||
if (electron::fuses::IsCookieEncryptionEnabled()) {
|
||||
base::FilePath prefs_path;
|
||||
CHECK(base::PathService::Get(electron::DIR_USER_DATA, &prefs_path));
|
||||
prefs_path = prefs_path.Append(FILE_PATH_LITERAL("Local State"));
|
||||
base::ThreadRestrictions::ScopedAllowIO allow_io;
|
||||
scoped_refptr<JsonPrefStore> user_pref_store =
|
||||
base::MakeRefCounted<JsonPrefStore>(prefs_path);
|
||||
user_pref_store->ReadPrefs();
|
||||
prefs_factory.set_user_prefs(user_pref_store);
|
||||
} else {
|
||||
prefs_factory.set_user_prefs(
|
||||
new OverlayUserPrefStore(new InMemoryPrefStore));
|
||||
}
|
||||
local_state_ = prefs_factory.Create(std::move(pref_registry));
|
||||
}
|
||||
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
#include "base/strings/string_number_conversions.h"
|
||||
#include "base/strings/utf_string_conversions.h"
|
||||
#include "chrome/browser/icon_manager.h"
|
||||
#include "components/os_crypt/os_crypt.h"
|
||||
#include "content/browser/browser_main_loop.h" // nogncheck
|
||||
#include "content/public/browser/browser_thread.h"
|
||||
#include "content/public/browser/child_process_security_policy.h"
|
||||
|
@ -26,6 +27,7 @@
|
|||
#include "content/public/common/content_switches.h"
|
||||
#include "content/public/common/result_codes.h"
|
||||
#include "electron/buildflags/buildflags.h"
|
||||
#include "electron/fuses.h"
|
||||
#include "media/base/localized_strings.h"
|
||||
#include "services/network/public/cpp/features.h"
|
||||
#include "services/tracing/public/cpp/stack_sampling/tracing_sampler_profiler.h"
|
||||
|
@ -538,6 +540,16 @@ void ElectronBrowserMainParts::PreCreateMainMessageLoopCommon() {
|
|||
RegisterURLHandler();
|
||||
#endif
|
||||
media::SetLocalizedStringProvider(MediaStringProvider);
|
||||
|
||||
#if defined(OS_WIN)
|
||||
if (electron::fuses::IsCookieEncryptionEnabled()) {
|
||||
auto* local_state = g_browser_process->local_state();
|
||||
DCHECK(local_state);
|
||||
|
||||
bool os_crypt_init = OSCrypt::Init(local_state);
|
||||
DCHECK(os_crypt_init);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
device::mojom::GeolocationControl*
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
#include "chrome/common/chrome_constants.h"
|
||||
#include "content/public/browser/network_service_instance.h"
|
||||
#include "content/public/browser/shared_cors_origin_access_list.h"
|
||||
#include "electron/fuses.h"
|
||||
#include "net/net_buildflags.h"
|
||||
#include "services/network/network_service.h"
|
||||
#include "services/network/public/cpp/cors/origin_access_list.h"
|
||||
|
@ -77,9 +78,8 @@ void NetworkContextService::ConfigureNetworkContextParams(
|
|||
network_context_params->restore_old_session_cookies = false;
|
||||
network_context_params->persist_session_cookies = false;
|
||||
|
||||
// TODO(deepak1556): Matches the existing behavior https://git.io/fxHMl,
|
||||
// enable encryption as a followup.
|
||||
network_context_params->enable_encrypted_cookies = false;
|
||||
network_context_params->enable_encrypted_cookies =
|
||||
electron::fuses::IsCookieEncryptionEnabled();
|
||||
|
||||
network_context_params->transport_security_persister_path = path;
|
||||
}
|
||||
|
|
|
@ -8,11 +8,16 @@
|
|||
#include <utility>
|
||||
|
||||
#include "base/command_line.h"
|
||||
#include "base/path_service.h"
|
||||
#include "chrome/browser/browser_process.h"
|
||||
#include "chrome/browser/net/chrome_mojo_proxy_resolver_factory.h"
|
||||
#include "chrome/common/chrome_switches.h"
|
||||
#include "components/os_crypt/os_crypt.h"
|
||||
#include "content/public/browser/browser_thread.h"
|
||||
#include "content/public/browser/network_service_instance.h"
|
||||
#include "content/public/common/content_features.h"
|
||||
#include "content/public/common/network_service_util.h"
|
||||
#include "electron/fuses.h"
|
||||
#include "mojo/public/cpp/bindings/pending_receiver.h"
|
||||
#include "net/net_buildflags.h"
|
||||
#include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom.h"
|
||||
|
@ -21,11 +26,17 @@
|
|||
#include "services/network/public/cpp/features.h"
|
||||
#include "services/network/public/cpp/shared_url_loader_factory.h"
|
||||
#include "services/network/public/mojom/network_context.mojom.h"
|
||||
#include "shell/browser/browser.h"
|
||||
#include "shell/browser/electron_browser_client.h"
|
||||
#include "shell/common/application_info.h"
|
||||
#include "shell/common/electron_paths.h"
|
||||
#include "shell/common/options_switches.h"
|
||||
#include "url/gurl.h"
|
||||
|
||||
#if defined(OS_MAC)
|
||||
#include "components/os_crypt/keychain_password_mac.h"
|
||||
#endif
|
||||
|
||||
namespace {
|
||||
|
||||
// The global instance of the SystemNetworkContextmanager.
|
||||
|
@ -218,6 +229,39 @@ void SystemNetworkContextManager::OnNetworkServiceCreated(
|
|||
network_service->CreateNetworkContext(
|
||||
network_context_.BindNewPipeAndPassReceiver(),
|
||||
CreateNetworkContextParams());
|
||||
|
||||
if (electron::fuses::IsCookieEncryptionEnabled()) {
|
||||
std::string app_name = electron::Browser::Get()->GetName();
|
||||
#if defined(OS_MAC)
|
||||
*KeychainPassword::service_name = app_name + " Safe Storage";
|
||||
*KeychainPassword::account_name = app_name;
|
||||
#endif
|
||||
// The OSCrypt keys are process bound, so if network service is out of
|
||||
// process, send it the required key.
|
||||
if (content::IsOutOfProcessNetworkService()) {
|
||||
#if defined(OS_LINUX)
|
||||
// c.f.
|
||||
// https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/net/system_network_context_manager.cc;l=515;drc=9d82515060b9b75fa941986f5db7390299669ef1;bpv=1;bpt=1
|
||||
const base::CommandLine& command_line =
|
||||
*base::CommandLine::ForCurrentProcess();
|
||||
|
||||
network::mojom::CryptConfigPtr config =
|
||||
network::mojom::CryptConfig::New();
|
||||
config->application_name = app_name;
|
||||
config->product_name = app_name;
|
||||
// c.f.
|
||||
// https://source.chromium.org/chromium/chromium/src/+/master:chrome/common/chrome_switches.cc;l=689;drc=9d82515060b9b75fa941986f5db7390299669ef1
|
||||
config->store =
|
||||
command_line.GetSwitchValueASCII(::switches::kPasswordStore);
|
||||
config->should_use_preference =
|
||||
command_line.HasSwitch(::switches::kEnableEncryptionSelection);
|
||||
base::PathService::Get(electron::DIR_USER_DATA, &config->user_data_path);
|
||||
network_service->SetCryptConfig(std::move(config));
|
||||
#else
|
||||
network_service->SetEncryptionKey(OSCrypt::GetRawEncryptionKey());
|
||||
#endif
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
network::mojom::NetworkContextParamsPtr
|
||||
|
|
Loading…
Reference in a new issue