From 18200a1075c989d08ccc3201d9b0fcc1717a1bd8 Mon Sep 17 00:00:00 2001
From: Tsuyoshi Horo <horo@chromium.org>
Date: Fri, 31 Jan 2020 01:11:05 -0800
Subject: [PATCH] Set network_isolation_key for signed exchange cert fetch

Currently network_isolation_key is not set for signed exchange cert fetch.
So, even if the signed exchange and the certificate were prefetched,
the certificate is fetched again while navigation when
SplitCacheByNetworkIsolationKey is enabled.

Bug=1047110

Change-Id: I524df1da097c6f544777f20cca5a3e53246693cf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2029564
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Tsuyoshi Horo <horo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#737251}
---
 .../resources/generate-test-sxgs.sh           |  18 ++++++++
 .../resources/prefetch-test-cert.py           |  17 ++++++++
 .../resources/prefetch-test-sxg.py            |  19 +++++++++
 .../resources/sxg-prefetch-test.html          |   5 +++
 .../resources/sxg/sxg-prefetch-test.sxg       | Bin 0 -> 832 bytes
 .../sxg-prefetch.tentative.https.html         |  39 ++++++++++++++++++
 6 files changed, 98 insertions(+)
 create mode 100644 signed-exchange/resources/prefetch-test-cert.py
 create mode 100644 signed-exchange/resources/prefetch-test-sxg.py
 create mode 100644 signed-exchange/resources/sxg-prefetch-test.html
 create mode 100644 signed-exchange/resources/sxg/sxg-prefetch-test.sxg
 create mode 100644 signed-exchange/sxg-prefetch.tentative.https.html

diff --git a/signed-exchange/resources/generate-test-sxgs.sh b/signed-exchange/resources/generate-test-sxgs.sh
index 81a5e043469c55..7214fc148c3648 100755
--- a/signed-exchange/resources/generate-test-sxgs.sh
+++ b/signed-exchange/resources/generate-test-sxgs.sh
@@ -576,4 +576,22 @@ gen-signedexchange \
   -miRecordSize 100 \
   -responseHeader "link:<$inner_url_origin/signed-exchange/resources/sxg-subresource-script.js>;rel=allowed-alt-sxg;header-integrity=\"$header_integrity\",<$inner_url_origin/signed-exchange/resources/sxg-subresource-script.js>;rel=preload;as=script"
 
+
+# A Signed Exchange for testing prefetch.
+# The id query value "XXX..." of prefetch-test-cert.py will be replaced with
+# UUID for stash token by prefetch-test-sxg.py.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-prefetch-test.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_remote_origin/signed-exchange/resources/prefetch-test-cert.py?id=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2020-01-29T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-prefetch-test.sxg \
+  -miRecordSize 100
+
 rm -fr $tmpdir
diff --git a/signed-exchange/resources/prefetch-test-cert.py b/signed-exchange/resources/prefetch-test-cert.py
new file mode 100644
index 00000000000000..7aec0aace55108
--- /dev/null
+++ b/signed-exchange/resources/prefetch-test-cert.py
@@ -0,0 +1,17 @@
+import os
+
+
+def main(request, response):
+    stash_id = request.GET.first("id")
+    if request.server.stash.take(stash_id) is not None:
+        response.status = (404, "Not Found")
+        response.headers.set("Content-Type", "text/plain")
+        return "not found"
+    request.server.stash.put(stash_id, True)
+
+    path = os.path.join(os.path.dirname(__file__), "127.0.0.1.sxg.pem.cbor")
+    body = open(path, "rb").read()
+
+    response.headers.set("Content-Type", "application/cert-chain+cbor")
+    response.headers.set("Cache-Control", "public, max-age=600")
+    return body
diff --git a/signed-exchange/resources/prefetch-test-sxg.py b/signed-exchange/resources/prefetch-test-sxg.py
new file mode 100644
index 00000000000000..822273ec6919ff
--- /dev/null
+++ b/signed-exchange/resources/prefetch-test-sxg.py
@@ -0,0 +1,19 @@
+import os
+
+
+def main(request, response):
+    stash_id = request.GET.first("id")
+    if request.server.stash.take(stash_id) is not None:
+        response.status = (404, "Not Found")
+        response.headers.set("Content-Type", "text/plain")
+        return "not found"
+    request.server.stash.put(stash_id, True)
+
+    path = os.path.join(os.path.dirname(__file__), "sxg", "sxg-prefetch-test.sxg")
+    body = open(path, "rb").read()
+
+    response.headers.set("Content-Type", "application/signed-exchange;v=b3")
+    response.headers.set("X-Content-Type-Options", "nosniff")
+    response.headers.set("Cache-Control", "public, max-age=600")
+
+    return body.replace('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', stash_id)
diff --git a/signed-exchange/resources/sxg-prefetch-test.html b/signed-exchange/resources/sxg-prefetch-test.html
new file mode 100644
index 00000000000000..5383a4a56100c9
--- /dev/null
+++ b/signed-exchange/resources/sxg-prefetch-test.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<title>Prefetch test SXG</title>
+<script>
+window.opener.postMessage('loaded', '*');
+</script>
diff --git a/signed-exchange/resources/sxg/sxg-prefetch-test.sxg b/signed-exchange/resources/sxg/sxg-prefetch-test.sxg
new file mode 100644
index 0000000000000000000000000000000000000000..f452270c5bc827f3cd93e985d3a171744f2268aa
GIT binary patch
literal 832
zcma)4&2rLE6sB9Az$ImaQu6~%D=nm*Kp~|RftIw?U6Ol}+>$?XPa0sxE?l_kj2nFe
zcWxa=XS#Rc1Nam!oN?_Kq>SC!dw1ua`<?ISu&G_*jLl4D-$4x7t{{}k&v-GtrQM1o
zNdlv`4}^oM>FB-<LIf;`BNLcFeIFt&j$GbB&&{lT&1BxXx&dz0ga|q2=;f_#xfq^m
zJMqXOTkiRZJAUD9%)!x*rz7j!sT*xLQu{6Cs=Kk{w3u96eoZmu{EAPKBqcrpg9}|9
ztswGv1cv`37e-(Knhv*U<`#tbaJEm0JbJ*%SBZ`wm$oWmDnS&*DojI~D*s!mY>Sn&
zM12H1qBxWDgxcv8!J~JgIdL;zO^uU_-KN%PANIUSw>Rk-DkJT#amF;OsZ%m-k3CV7
zf`NABl`jWsPwQ9;Z7LW`gCnhDOnfOBH|i%7(=SU0gN`~xNEAc4Xser0R}PpGq=sGT
zE+r|8MG*f?dvJ)WIQbP0?=d_7zO|Gz+PSYuo|`ad?(^A@^>ADFB=zue*g7qle!U4D
z8z#ayjF~@>&TK_icNyv!vqo7IkIf)8%SR4pA&ed&Oi@_uOf{D-Rm1@07%i^SU$ud6
z288<d@%`zU<sr58gI;5J(QoD!5PR7gQgmUje;0Ue5qR!&q}GJxL$=1uh=#bAO{h<T
zgbzYU7nctMhFxGxx8ZTY4Rive@HAH_7M@hIH@7d_UxqiYf4&hveEe~J{ri)B`woJ&
Q&+}j3*I#|xuL&#6KbRgLFaQ7m

literal 0
HcmV?d00001

diff --git a/signed-exchange/sxg-prefetch.tentative.https.html b/signed-exchange/sxg-prefetch.tentative.https.html
new file mode 100644
index 00000000000000..a6e55567e0db49
--- /dev/null
+++ b/signed-exchange/sxg-prefetch.tentative.https.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<title>Prefetched signed exchange and certificate must not be fetched again</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="./resources/sxg-util.js"></script>
+<body>
+<script>
+promise_test(async (t) => {
+  const id = token();
+  const sxgUrl = get_host_info().HTTPS_REMOTE_ORIGIN + '/signed-exchange/resources/prefetch-test-sxg.py?id=' + id;
+
+  await new Promise(resolve => {
+    const link = document.createElement('link');
+    link.rel = 'prefetch';
+    link.href = sxgUrl;
+    link.as = 'document';
+    link.addEventListener('error', t.step_func(() => {
+        assert_unreached('Prefetch should not fail');
+    }));
+    link.addEventListener('load', t.step_func(() => {
+        resolve();
+    }));
+    document.body.appendChild(link);
+  });
+  const message_promise = new Promise((resolve) => {
+    window.addEventListener('message', (event) => {
+      resolve(event.data);
+    }, false);
+  });
+  const win = window.open(sxgUrl, "_blank");
+  const message = await message_promise;
+  win.close();
+  assert_equals(message, 'loaded');
+}, 'Prefetched signed exchange and certificate must not be fetched again.');
+
+</script>
+</body>