Pass ShieldsSettings to renderer via mojo.

[goodov]

This PR introduces a mojo structure to pass Shields settings to the renderer. This is part of the work to support per-site farbling.

Resolves brave/brave-browser#41023

Submitter Checklist:

• I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally:
  • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
  • npm run presubmit wiki, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

[cdesouza-chromium]

LGTM % questions

[cdesouza-chromium]

Shouldn't we be using a switch here to exhaust all possible options of this control type, and catch any potential cases slipping trough if a new key is added to ControlType.

[cdesouza-chromium]

ditto

[atuchin-m]

Looks like navigation_handle->HasCommitted() and !navigation_handle->IsSameDocument() should be checked

[goodov]

added navigation_handle->IsSameDocument() check.

navigation_handle->HasCommitted() doesn't make sense in ReadyToCommitNavigation

[atuchin-m]

Do we really need this taking into account we handle ReadyToCommitNavigation() ?

[atuchin-m]

P.S. there is per-RFH structure called DocumentUserData that allows to avoid manual frame tracking.

[goodov]

Do we really need this taking into account we handle ReadyToCommitNavigation() ?

I wanted to keep most things without changes and then do a separate cleanup, but I guess it's fine to cleanup some obvious things right now.

[bridiver]

why isn't shields_settings part of RendererContentSettingRules?

[bridiver]

I'm also a bit confused about why we'd have things in ContentSettingsAgent that aren't content settings like reduce langage and origins to allow scripts and then take something that is a content setting (farbling level) and treat it differently.

[bridiver]

I'm in favor of something that gets the "effective" setting, but I'm not sure that ContentSettingsAgent is the right place for this and maybe we should create something new. There are a lot of problems with the farbling content setting (like using CONTENT_SETTINGS_DEFAULT as a distinct value) and the current issue for most settings that we always have to check shields in addition to the content setting. I've been thinking that similar to cookies we should have a real content setting (BRAVE_COOKIES) and an effective content setting (COOKIES) that gives you the value after applying shields.

[bridiver]

These settings do make sense as part of WebContentSettingsClient, but I'm not a fan of adding this to ContentSettingsAgent/RendererContentSettingRules by adding a new mojo type for shield settings. If we were going to do something like this (instead of having an effective content setting) then I think it makes more sense to be a new mojo interface

[goodov]

why isn't shields_settings part of RendererContentSettingRules?

mainly because of the patches. This is not the usual ContentSettingsForOneType list that's just prefilled with values from HostContentSettingsMap. To support this as a part of RendererContentSettingRules we will need to add some patches into PageSpecificContentSettings, which we can avoid entirely.

I also need to use this structure for the proper workers farbling. Right now we only have this:

brave-core/chromium_src/third_party/blink/public/mojom/worker/worker_content_settings_proxy.mojom

Lines 9 to 14 in 0955815

	interface WorkerContentSettingsProxy {
	// Returns whether the worker is allowed access to privileged functions that
	// could be used for fingerprinting.
	[Sync]
	GetBraveFarblingLevel() => (uint8 result);
	};

I'm also a bit confused about why we'd have things in ContentSettingsAgent that aren't content settings like reduce langage and origins to allow scripts and then take something that is a content setting (farbling level) and treat it differently.

we may look into creating a separate BraveShieldsSettings class on the blink side, but for now I think it's acceptable to keep it as part of ContentSettingsAgent. It seems like too much plumbing will be required to introduce something like ContentSettingsAgent and wire it will all users in the renderer.

I'm in favor of something that gets the "effective" setting

yep, one of the end goals is to calculate the effective shields configuration before passing it to the renderer, but this is out of the scope of this PR currently.

[bridiver]

It seems like too much plumbing will be required to introduce something like ContentSettingsAgent and wire it will all users in the renderer.

Supplement<ExecutionContext> should make it available anywhere that ContentSettingsAgent is available just like we have done in other places like BraveSessionCache? I'm fine following up with something like this and also #25505 (comment) but I think it's something we should do because this seems a bit out of place to me.

[bridiver]

IsReduceLanguageEnabledForProfile seems like it belongs in BraveRendererUpdater ?

[goodov]

data passed by BraveRendererUpdater is not accessible by blink internals.

[bridiver]

not directly, but it could be exposed through our own class just like we have done in other places

[github-actions]

[puLL-Merge] - brave/brave-core@25505

Description

This PR modifies the handling of Brave Shields settings, particularly for worker contexts. It introduces a new ShieldsSettings struct to encapsulate various Brave Shields settings and updates the interfaces and implementations to use this new structure. The changes aim to improve the management and propagation of Brave Shields settings across different parts of the browser.

Changes

Changes

1. browser/brave_content_browser_client.cc & .h:

   • Updated WorkerGetBraveFarblingLevel to WorkerGetBraveShieldSettings
   • Now returns a ShieldsSettingsPtr instead of just a farbling level

2. browser/brave_shields/brave_shields_web_contents_observer.cc & .h:

   • Removed individual setting methods like SetAllowScriptsFromOriginsOnce
   • Introduced SendShieldsSettings method to send all settings at once
   • Simplified navigation handling and removed per-frame remotes

3. chromium_src/chrome/renderer/worker_content_settings_client.cc & .h:

   • Updated to use the new ShieldsSettings structure
   • Implemented WorkerContentSettingsClient_BraveImpl to handle Brave-specific behavior

4. components/brave_shields/content/browser/brave_shields_util.cc & .h:

   • Added GetFarblingLevel function to determine farbling level based on shields settings

5. components/brave_shields/core/common/:

   • Added new shields_settings.mojom file defining FarblingLevel enum and ShieldsSettings struct
   • Updated brave_shields.mojom to use the new ShieldsSettings

6. components/content_settings/renderer/brave_content_settings_agent_impl.cc & .h:

   • Updated to use ShieldsSettings instead of individual settings
   • Replaced SetAllowScriptsFromOriginsOnce and SetReduceLanguageEnabled with SetShieldsSettings

7. Various other files:

   • Updated to accommodate the new ShieldsSettings structure and related changes

Possible Issues

1. The changes to worker content settings might affect the behavior of web workers in unexpected ways, especially regarding script execution permissions.
2. The transition to using ShieldsSettings could potentially introduce synchronization issues if not all parts of the codebase are updated consistently.

Security Hotspots

1. The handling of ShieldsSettings in WorkerContentSettingsClient_BraveImpl should be carefully reviewed to ensure it doesn't introduce any security vulnerabilities, especially regarding script execution permissions.
2. The GetBraveShieldsSettings method in BraveContentSettingsAgentImpl falls back to default settings when HasContentSettingsRules() is false. This fallback behavior should be verified to ensure it doesn't accidentally disable important security features.