1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CONTENT_PUBLIC_BROWSER_CONTENT_BROWSER_CLIENT_H_
6#define CONTENT_PUBLIC_BROWSER_CONTENT_BROWSER_CLIENT_H_
7
8#include <stddef.h>
9
10#include <map>
11#include <memory>
12#include <set>
13#include <string>
14#include <utility>
15#include <vector>
16
17#include "base/callback.h"
18#include "base/containers/flat_map.h"
19#include "base/containers/flat_set.h"
20#include "base/optional.h"
21#include "base/task/thread_pool/thread_pool.h"
22#include "base/time/time.h"
23#include "base/values.h"
24#include "build/build_config.h"
25#include "content/common/buildflags.h"
26#include "content/public/browser/browser_or_resource_context.h"
27#include "content/public/browser/certificate_request_result_type.h"
28#include "content/public/browser/generated_code_cache_settings.h"
29#include "content/public/browser/global_request_id.h"
30#include "content/public/browser/global_routing_id.h"
31#include "content/public/browser/navigation_throttle.h"
32#include "content/public/browser/overlay_window.h"
33#include "content/public/browser/page_visibility_state.h"
34#include "content/public/browser/quota_permission_context.h"
35#include "content/public/browser/resource_request_info.h"
36#include "content/public/common/content_client.h"
37#include "content/public/common/previews_state.h"
38#include "content/public/common/resource_type.h"
39#include "content/public/common/socket_permission_request.h"
40#include "content/public/common/window_container_type.mojom-forward.h"
41#include "media/base/video_codecs.h"
42#include "media/cdm/cdm_proxy.h"
43#include "media/media_buildflags.h"
44#include "media/mojo/interfaces/remoting.mojom.h"
45#include "net/base/mime_util.h"
46#include "net/cookies/canonical_cookie.h"
47#include "net/url_request/url_request_context_getter.h"
48#include "services/network/public/mojom/network_context.mojom.h"
49#include "services/network/public/mojom/websocket.mojom-forward.h"
50#include "services/service_manager/public/cpp/binder_registry.h"
51#include "services/service_manager/public/cpp/manifest.h"
52#include "services/service_manager/public/mojom/service.mojom-forward.h"
53#include "services/service_manager/sandbox/sandbox_type.h"
54#include "storage/browser/fileapi/file_system_context.h"
55#include "storage/browser/quota/quota_manager.h"
56#include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h"
57#include "third_party/blink/public/common/mediastream/media_stream_request.h"
58#include "third_party/blink/public/common/user_agent/user_agent_metadata.h"
59#include "third_party/blink/public/mojom/credentialmanager/credential_manager.mojom-forward.h"
60#include "third_party/blink/public/mojom/renderer_preference_watcher.mojom-forward.h"
61#include "third_party/blink/public/mojom/web_feature/web_feature.mojom-forward.h"
62#include "third_party/blink/public/mojom/window_features/window_features.mojom-forward.h"
63#include "ui/accessibility/ax_mode.h"
64#include "ui/base/page_transition_types.h"
65#include "ui/base/window_open_disposition.h"
66
67#if (defined(OS_POSIX) && !defined(OS_MACOSX)) || defined(OS_FUCHSIA)
68#include "base/posix/global_descriptors.h"
69#endif
70
71#if defined(OS_POSIX) || defined(OS_FUCHSIA)
72#include "content/public/browser/posix_file_descriptor_info.h"
73#endif
74
75class GURL;
76using LoginAuthRequiredCallback =
77 base::OnceCallback<void(const base::Optional<net::AuthCredentials>&)>;
78
79namespace base {
80class CommandLine;
81class FilePath;
82}
83
84namespace blink {
85namespace mojom {
86class RendererPreferences;
87class WebUsbService;
88}
89} // namespace blink
90
91namespace device {
92class LocationProvider;
93}
94
95namespace gfx {
96class ImageSkia;
97}
98
99namespace gl {
100class GLShareGroup;
101}
102
103namespace media {
104class AudioLogFactory;
105class AudioManager;
106enum class EncryptionMode;
107}
108
109namespace mojo {
110class ScopedInterfaceEndpointHandle;
111}
112
113namespace network {
114class SharedURLLoaderFactory;
115}
116
117namespace service_manager {
118class Identity;
119class Service;
120struct BindSourceInfo;
121}
122
123namespace net {
124class AuthChallengeInfo;
125class AuthCredentials;
126class ClientCertIdentity;
127using ClientCertIdentityList = std::vector<std::unique_ptr<ClientCertIdentity>>;
128class ClientCertStore;
129class CookieStore;
130class HttpRequestHeaders;
131class NetLog;
132class SSLCertRequestInfo;
133class SSLInfo;
134class URLRequest;
135} // namespace net
136
137namespace network {
138namespace mojom {
139class NetworkService;
140}
141struct ResourceRequest;
142} // namespace network
143
144namespace rappor {
145class RapporService;
146}
147
148namespace sandbox {
149class TargetPolicy;
150}
151
152namespace ui {
153class SelectFilePolicy;
154}
155
156namespace url {
157class Origin;
158}
159
160namespace storage {
161class FileSystemBackend;
162}
163
164namespace content {
165enum class PermissionType;
166class AuthenticatorRequestClientDelegate;
167class BrowserChildProcessHost;
168class BrowserContext;
169class BrowserMainParts;
170class BrowserPpapiHost;
171class BrowserURLHandler;
172class ClientCertificateDelegate;
173class ControllerPresentationServiceDelegate;
174class DevToolsManagerDelegate;
175class LoginDelegate;
176class MediaObserver;
177class NavigationHandle;
178class NavigationUIData;
179class PlatformNotificationService;
180class QuotaPermissionContext;
181class ReceiverPresentationServiceDelegate;
182class RenderFrameHost;
183class RenderProcessHost;
184class RenderViewHost;
185class ResourceContext;
186class SerialDelegate;
187class ServiceManagerConnection;
188class SiteInstance;
189class SpeechRecognitionManagerDelegate;
190class StoragePartition;
191class TracingDelegate;
192class TtsControllerDelegate;
193class TtsPlatform;
194class URLLoaderRequestInterceptor;
195class URLLoaderThrottle;
196class VpnServiceProxy;
197class WebContents;
198class WebContentsViewDelegate;
199enum class OriginPolicyErrorReason;
200struct MainFunctionParams;
201struct OpenURLParams;
202struct Referrer;
203struct WebPreferences;
204
205CONTENT_EXPORT void OverrideOnBindInterface(
206 const service_manager::BindSourceInfo& remote_info,
207 const std::string& name,
208 mojo::ScopedMessagePipeHandle* handle);
209
210// Embedder API (or SPI) for participating in browser logic, to be implemented
211// by the client of the content browser. See ChromeContentBrowserClient for the
212// principal implementation. The methods are assumed to be called on the UI
213// thread unless otherwise specified. Use this "escape hatch" sparingly, to
214// avoid the embedder interface ballooning and becoming very specific to Chrome.
215// (Often, the call out to the client can happen in a different part of the code
216// that either already has a hook out to the embedder, or calls out to one of
217// the observer interfaces.)
218class CONTENT_EXPORT ContentBrowserClient {
219 public:
220 virtual ~ContentBrowserClient() {}
221
222 // Allows the embedder to set any number of custom BrowserMainParts
223 // implementations for the browser startup code. See comments in
224 // browser_main_parts.h.
225 virtual BrowserMainParts* CreateBrowserMainParts(
226 const MainFunctionParams& parameters);
227
228 // Allows the embedder to change the default behavior of
229 // BrowserThread::PostAfterStartupTask to better match whatever
230 // definition of "startup" the embedder has in mind. This may be
231 // called on any thread.
232 // Note: see related BrowserThread::PostAfterStartupTask.
233 virtual void PostAfterStartupTask(
234 const base::Location& from_here,
235 const scoped_refptr<base::TaskRunner>& task_runner,
236 base::OnceClosure task);
237
238 // Allows the embedder to indicate whether it considers startup to be
239 // complete. May be called on any thread. This should be called on a one-off
240 // basis; if you need to poll this function constantly, use the above
241 // PostAfterStartupTask() API instead.
242 virtual bool IsBrowserStartupComplete();
243
244 // Allows the embedder to handle a request from unit tests running in the
245 // content layer to consider startup complete (for the sake of
246 // PostAfterStartupTask()).
247 virtual void SetBrowserStartupIsCompleteForTesting();
248
249 // Returns true if the embedder is in the process of shutting down, whether
250 // because of the user closing the browser or the OS is shutting down.
251 virtual bool IsShuttingDown();
252
253 // If content creates the WebContentsView implementation, it will ask the
254 // embedder to return an (optional) delegate to customize it. The view will
255 // own the delegate.
256 virtual WebContentsViewDelegate* GetWebContentsViewDelegate(
257 WebContents* web_contents);
258
259 // Allow embedder control GPU process launch retry on failure behavior.
260 virtual bool AllowGpuLaunchRetryOnIOThread();
261
262 // Notifies that a render process will be created. This is called before
263 // the content layer adds its own BrowserMessageFilters, so that the
264 // embedder's IPC filters have priority.
265 //
266 // If the client provides a service request, the content layer will ask the
267 // corresponding embedder renderer-side component to bind it to an
268 // implementation at the appropriate moment during initialization.
269 virtual void RenderProcessWillLaunch(
270 RenderProcessHost* host,
271 service_manager::mojom::ServiceRequest* service_request) {}
272
273 // Notifies that a BrowserChildProcessHost has been created.
274 virtual void BrowserChildProcessHostCreated(BrowserChildProcessHost* host) {}
275
276 // Get the effective URL for the given actual URL, to allow an embedder to
277 // group different url schemes in the same SiteInstance.
278 virtual GURL GetEffectiveURL(BrowserContext* browser_context,
279 const GURL& url);
280
281 // Returns true if effective URLs should be compared when choosing a
282 // SiteInstance for a navigation to |destination_url|.
283 // |is_main_frame| is true if the navigation will take place in a main frame.
284 virtual bool ShouldCompareEffectiveURLsForSiteInstanceSelection(
285 BrowserContext* browser_context,
286 content::SiteInstance* candidate_site_instance,
287 bool is_main_frame,
288 const GURL& candidate_url,
289 const GURL& destination_url);
290
291 // Returns whether gesture fling events should use the mobile-behavior gesture
292 // curve for scrolling.
293 virtual bool ShouldUseMobileFlingCurve() const;
294
295 // Returns whether all instances of the specified effective URL should be
296 // rendered by the same process, rather than using process-per-site-instance.
297 virtual bool ShouldUseProcessPerSite(BrowserContext* browser_context,
298 const GURL& effective_url);
299
300 // Returns whether a spare RenderProcessHost should be used for navigating to
301 // the specified site URL.
302 //
303 // Using the spare RenderProcessHost is advisable, because it can improve
304 // performance of a navigation that requires a new process. On the other
305 // hand, sometimes the spare RenderProcessHost cannot be used - for example
306 // some embedders might override
307 // ContentBrowserClient::AppendExtraCommandLineSwitches and add some cmdline
308 // switches at navigation time (and this won't work for the spare, because the
309 // spare RenderProcessHost is launched ahead of time).
310 virtual bool ShouldUseSpareRenderProcessHost(BrowserContext* browser_context,
311 const GURL& site_url);
312
313 // Returns true if site isolation should be enabled for |effective_site_url|.
314 // This call allows the embedder to supplement the site isolation policy
315 // enforced by the content layer. Will only be called if the content layer
316 // didn't decide to isolate |effective_site_url| according to its internal
317 // policy (e.g. because of --site-per-process).
318 virtual bool DoesSiteRequireDedicatedProcess(
319 BrowserOrResourceContext browser_or_resource_context,
320 const GURL& effective_site_url);
321
322 // Returns true unless the effective URL is part of a site that cannot live in
323 // a process restricted to just that site. This is only called if site
324 // isolation is enabled for this URL, and is a bug workaround.
325 //
326 // TODO(nick): Remove this function once https://crbug.com/160576 is fixed,
327 // and origin lock can be applied to all URLs.
328 virtual bool ShouldLockToOrigin(BrowserContext* browser_context,
329 const GURL& effective_url);
330
331 // Returns the scheme of request initiator that should be ignored by
332 // cross-origin read blocking. nullptr can be returned to indicate that no
333 // exceptions should be granted based on initiator's scheme.
334 virtual const char* GetInitiatorSchemeBypassingDocumentBlocking();
335
336 // Gives the embedder a chance to log that CORB would have blocked a response
337 // if it wasn't for GetInitatorSchemeBypassingDocumentBlocking above. Called
338 // only after all the other CORB checks (potentially including sniffing) have
339 // been already run / right before blocking would have otherwise happened (and
340 // only for non-empty, non-4xx responses).
341 // TODO(lukasza): Remove once we gather enough data.
342 virtual void LogInitiatorSchemeBypassingDocumentBlocking(
343 const url::Origin& initiator_origin,
344 int render_process_id,
345 ResourceType resource_type);
346
347 // Called to create a URLLoaderFactory for network requests in the following
348 // cases:
349 // - The default factory to be used by a frame. In this case
350 // |request_initiator| is the origin being committed in the frame (or the
351 // last origin committed in the frame).
352 // - The initiator-specific factory to be used by a frame. This happens for
353 // origins covered via
354 // RenderFrameHost::MarkInitiatorAsRequiringSeparateURLLoaderFactory.
355 //
356 // This method allows the //content embedder to provide a URLLoaderFactory
357 // with |request_initiator|-specific properties (e.g. with relaxed
358 // Cross-Origin Read Blocking enforcement as needed by some extensions).
359 //
360 // If the embedder doesn't want to override the URLLoaderFactory for the given
361 // |request_initiator|, then it should return an invalid
362 // mojo::InterfacePtrInfo.
363 virtual network::mojom::URLLoaderFactoryPtrInfo
364 CreateURLLoaderFactoryForNetworkRequests(
365 RenderProcessHost* process,
366 network::mojom::NetworkContext* network_context,
367 network::mojom::TrustedURLLoaderHeaderClientPtrInfo* header_client,
368 const url::Origin& request_initiator);
369
370 // Returns a list additional WebUI schemes, if any. These additional schemes
371 // act as aliases to the chrome: scheme. The additional schemes may or may
372 // not serve specific WebUI pages depending on the particular URLDataSource
373 // and its override of URLDataSource::ShouldServiceRequest.
374 virtual void GetAdditionalWebUISchemes(
375 std::vector<std::string>* additional_schemes) {}
376
377 // Returns a list of additional schemes allowed for view-source. Defaults to
378 // the list of WebUI schemes returned by GetAdditionalWebUISchemes.
379 virtual void GetAdditionalViewSourceSchemes(
380 std::vector<std::string>* additional_schemes);
381
382 // Called when WebUI objects are created to get aggregate usage data (i.e. is
383 // chrome://downloads used more than chrome://bookmarks?). Only internal (e.g.
384 // chrome://) URLs are logged. Returns whether the URL was actually logged.
385 virtual bool LogWebUIUrl(const GURL& web_ui_url) const;
386
387 // http://crbug.com/829412
388 // Renderers with WebUI bindings shouldn't make http(s) requests for security
389 // reasons (e.g. to avoid malicious responses being able to run code in
390 // priviliged renderers). Fix these webui's to make requests through C++
391 // code instead.
392 virtual bool IsWebUIAllowedToMakeNetworkRequests(const url::Origin& origin);
393
394 // Returns whether a specified URL is handled by the embedder's internal
395 // protocol handlers.
396 virtual bool IsHandledURL(const GURL& url);
397
398 // Returns whether the given process is allowed to commit |url|. This is a
399 // more conservative check than IsSuitableHost, since it is used after a
400 // navigation has committed to ensure that the process did not exceed its
401 // authority.
402 // This is called on the UI thread.
403 virtual bool CanCommitURL(RenderProcessHost* process_host, const GURL& url);
404
405 // Returns whether |url| should be allowed to open from the context indicated
406 // by |site_instance|.
407 // This also applies in cases where the new URL will open in another process.
408 virtual bool ShouldAllowOpenURL(SiteInstance* site_instance, const GURL& url);
409
410 // Returns whether a URL can be displayed within a WebUI for a given
411 // BrowserContext. Temporary workaround while crbug.com/768526 is resolved.
412 // Note: This is used by an internal Cast implementation of this class.
413 virtual bool IsURLAcceptableForWebUI(BrowserContext* browser_context,
414 const GURL& url);
415
416 // Allows the embedder to override parameters when navigating. Called for both
417 // opening new URLs and when transferring URLs across processes.
418 virtual void OverrideNavigationParams(SiteInstance* site_instance,
419 ui::PageTransition* transition,
420 bool* is_renderer_initiated,
421 content::Referrer* referrer) {}
422
423 // Temporary hack to determine whether to skip OOPIFs on the new tab page.
424 // TODO(creis): Remove when https://crbug.com/566091 is fixed.
425 virtual bool ShouldStayInParentProcessForNTP(
426 const GURL& url,
427 SiteInstance* parent_site_instance);
428
429 // Returns whether a new view for a given |site_url| can be launched in a
430 // given |process_host|.
431 virtual bool IsSuitableHost(RenderProcessHost* process_host,
432 const GURL& site_url);
433
434 // Returns whether a new view for a new site instance can be added to a
435 // given |process_host|.
436 virtual bool MayReuseHost(RenderProcessHost* process_host);
437
438 // Returns whether a new process should be created or an existing one should
439 // be reused based on the URL we want to load. This should return false,
440 // unless there is a good reason otherwise.
441 virtual bool ShouldTryToUseExistingProcessHost(
442 BrowserContext* browser_context, const GURL& url);
443
444 // Returns whether or not subframes of |main_frame| should try to
445 // aggressively reuse existing processes, even when below process limit.
446 // This gets called when navigating a subframe to a URL that requires a
447 // dedicated process and defaults to true, which minimizes the process count.
448 // The embedder can choose to override this if there is a reason to avoid the
449 // reuse.
450 virtual bool ShouldSubframesTryToReuseExistingProcess(
451 RenderFrameHost* main_frame);
452
453 // Called when a site instance is first associated with a process.
454 virtual void SiteInstanceGotProcess(SiteInstance* site_instance) {}
455
456 // Called from a site instance's destructor.
457 virtual void SiteInstanceDeleting(SiteInstance* site_instance) {}
458
459 // Returns true if for the navigation from |current_url| to |new_url|
460 // in |site_instance|, a new SiteInstance and BrowsingInstance should be
461 // created (even if we are in a process model that doesn't usually swap.)
462 // This forces a process swap and severs script connections with existing
463 // tabs.
464 virtual bool ShouldSwapBrowsingInstancesForNavigation(
465 SiteInstance* site_instance,
466 const GURL& current_url,
467 const GURL& new_url);
468
469 // Returns true if error page should be isolated in its own process.
470 virtual bool ShouldIsolateErrorPage(bool in_main_frame);
471
472 // Returns true if the passed in URL should be assigned as the site of the
473 // current SiteInstance, if it does not yet have a site.
474 virtual bool ShouldAssignSiteForURL(const GURL& url);
475
476 // Allows the embedder to programmatically provide some origins that should be
477 // opted into --isolate-origins mode of Site Isolation.
478 virtual std::vector<url::Origin> GetOriginsRequiringDedicatedProcess();
479
480 // Allows the embedder to programmatically control whether the
481 // --site-per-process mode of Site Isolation should be used.
482 //
483 // Note that for correctness, the same value should be consistently returned.
484 // See also https://crbug.com/825369
485 virtual bool ShouldEnableStrictSiteIsolation();
486
487 // Allows the embedder to programmatically control whether Site Isolation
488 // should be disabled.
489 //
490 // Note that for correctness, the same value should be consistently returned.
491 virtual bool ShouldDisableSiteIsolation();
492
493 // Retrieves names of any additional site isolation modes from the embedder.
494 virtual std::vector<std::string> GetAdditionalSiteIsolationModes();
495
496 // Called when a new dynamic isolated origin was added in |context|, and the
497 // origin desires to be persisted across restarts, to give the embedder an
498 // opportunity to save this isolated origin to disk.
499 virtual void PersistIsolatedOrigin(BrowserContext* context,
500 const url::Origin& origin) {}
501
502 // Indicates whether a file path should be accessible via file URL given a
503 // request from a browser context which lives within |profile_path|.
504 virtual bool IsFileAccessAllowed(const base::FilePath& path,
505 const base::FilePath& absolute_path,
506 const base::FilePath& profile_path);
507
508 // Indicates whether to force the MIME sniffer to sniff file URLs for HTML.
509 // By default, disabled. May be called on either the UI or IO threads.
510 // See https://crbug.com/777737
511 virtual bool ForceSniffingFileUrlsForHtml();
512
513 // Allows the embedder to pass extra command line flags.
514 // switches::kProcessType will already be set at this point.
515 virtual void AppendExtraCommandLineSwitches(base::CommandLine* command_line,
516 int child_process_id) {}
517
518 // Allows the content embedder to adjust the command line arguments for
519 // a utility process started to run a service. This is called on a background
520 // thread.
521 virtual void AdjustUtilityServiceProcessCommandLine(
522 const service_manager::Identity& identity,
523 base::CommandLine* command_line) {}
524
525 // Returns the locale used by the application.
526 // This is called on the UI and IO threads.
527 virtual std::string GetApplicationLocale();
528
529 // Returns the languages used in the Accept-Languages HTTP header.
530 // (Not called GetAcceptLanguages so it doesn't clash with win32).
531 virtual std::string GetAcceptLangs(BrowserContext* context);
532
533 // Returns the default favicon. The callee doesn't own the given bitmap.
534 virtual const gfx::ImageSkia* GetDefaultFavicon();
535
536 // Returns the fully qualified path to the log file name, or an empty path.
537 // This function is used by the sandbox to allow write access to the log.
538 virtual base::FilePath GetLoggingFileName(
539 const base::CommandLine& command_line);
540
541 // Allow the embedder to control if an AppCache can be used for the given url.
542 // This is called on the IO thread.
543 virtual bool AllowAppCache(const GURL& manifest_url,
544 const GURL& first_party,
545 ResourceContext* context);
546
547 // Allow the embedder to control if a Service Worker can be associated
548 // with the given scope.
549 // A null |wc_getter| callback indicates this is for starting a service
550 // worker, which is not necessarily associated with a particular tab.
551 // This is called on the IO thread.
552 virtual bool AllowServiceWorker(
553 const GURL& scope,
554 const GURL& first_party,
555 ResourceContext* context,
556 base::RepeatingCallback<WebContents*()> wc_getter);
557
558 // Allow the embedder to control if a Shared Worker can be connected from a
559 // given tab.
560 // This is called on the UI thread.
561 virtual bool AllowSharedWorker(const GURL& worker_url,
562 const GURL& main_frame_url,
563 const std::string& name,
564 const url::Origin& constructor_origin,
565 BrowserContext* context,
566 int render_process_id,
567 int render_frame_id);
568
569 // Allows the embedder to control whether Signed HTTP Exchanges (SXG) can be
570 // loaded. This is called on the IO thread.
571 // Relying on ResourceContext to access preferences on IO thread until we move
572 // the call sites out of the IO thread. See crbug.com/908955 for more context.
573 virtual bool AllowSignedExchange(ResourceContext* context);
574
575 virtual bool IsDataSaverEnabled(BrowserContext* context);
576
577 // Updates the given prefs for Service Worker and Shared Worker. The prefs
578 // are to be sent to the renderer process when a worker is created. Note that
579 // We don't use this method for Dedicated Workers as they inherit preferences
580 // from their closest ancestor frame.
581 virtual void UpdateRendererPreferencesForWorker(
582 BrowserContext* browser_context,
583 blink::mojom::RendererPreferences* out_prefs);
584
585 // Allow the embedder to control if the given cookie can be read.
586 // This is called on the IO thread.
587 virtual bool AllowGetCookie(const GURL& url,
588 const GURL& first_party,
589 const net::CookieList& cookie_list,
590 ResourceContext* context,
591 int render_process_id,
592 int render_frame_id);
593
594 // Allow the embedder to control if the given cookie can be set.
595 // This is called on the IO thread.
596 virtual bool AllowSetCookie(const GURL& url,
597 const GURL& first_party,
598 const net::CanonicalCookie& cookie,
599 ResourceContext* context,
600 int render_process_id,
601 int render_frame_id);
602
603 // Notifies the embedder that an attempt has been made to read the cookies in
604 // |cookie_list|.
605 virtual void OnCookiesRead(int process_id,
606 int routing_id,
607 const GURL& url,
608 const GURL& first_party_url,
609 const net::CookieList& cookie_list,
610 bool blocked_by_policy);
611
612 // Notifies the embedder that an attempt has been made to set |cookie|.
613 virtual void OnCookieChange(int process_id,
614 int routing_id,
615 const GURL& url,
616 const GURL& first_party_url,
617 const net::CanonicalCookie& cookie,
618 bool blocked_by_policy);
619
620 // Allow the embedder to control if access to file system by a shared worker
621 // is allowed.
622 // This is called on the IO thread.
623 virtual void AllowWorkerFileSystem(
624 const GURL& url,
625 ResourceContext* context,
626 const std::vector<GlobalFrameRoutingId>& render_frames,
627 base::Callback<void(bool)> callback);
628
629 // Allow the embedder to control if access to IndexedDB by a shared worker
630 // is allowed.
631 // This is called on the IO thread.
632 virtual bool AllowWorkerIndexedDB(
633 const GURL& url,
634 ResourceContext* context,
635 const std::vector<GlobalFrameRoutingId>& render_frames);
636
637 // Allow the embedder to control if access to CacheStorage by a shared worker
638 // is allowed.
639 // This is called on the IO thread.
640 virtual bool AllowWorkerCacheStorage(
641 const GURL& url,
642 ResourceContext* context,
643 const std::vector<GlobalFrameRoutingId>& render_frames);
644
645 // Allow the embedder to control whether we can use Web Bluetooth.
646 // TODO(crbug.com/589228): Replace this with a use of the permission system.
647 enum class AllowWebBluetoothResult {
648 ALLOW,
649 BLOCK_POLICY,
650 BLOCK_GLOBALLY_DISABLED,
651 };
652 virtual AllowWebBluetoothResult AllowWebBluetooth(
653 content::BrowserContext* browser_context,
654 const url::Origin& requesting_origin,
655 const url::Origin& embedding_origin);
656
657 // Returns a blocklist of UUIDs that have restrictions when accessed
658 // via Web Bluetooth. Parsed by BluetoothBlocklist::Add().
659 //
660 // The blocklist string must be a comma-separated list of UUID:exclusion
661 // pairs. The pairs may be separated by whitespace. Pair components are
662 // colon-separated and must not have whitespace around the colon.
663 //
664 // UUIDs are a string that BluetoothUUID can parse (See BluetoothUUID
665 // constructor comment). Exclusion values are a single lower case character
666 // string "e", "r", or "w" for EXCLUDE, EXCLUDE_READS, or EXCLUDE_WRITES.
667 //
668 // Example:
669 // "1812:e, 00001800-0000-1000-8000-00805f9b34fb:w, ignored:1, alsoignored."
670 virtual std::string GetWebBluetoothBlocklist();
671
672 // Allow the embedder to override the cookie store for a particular URL.
673 // Returns nullptr to indicate the regular cookie store should be used.
674 // This is called on the IO thread.
675 virtual net::CookieStore* OverrideCookieStoreForURL(const GURL& url,
676 ResourceContext* context);
677
678#if defined(OS_CHROMEOS)
679 // Notification that a trust anchor was used by the given user.
680 virtual void OnTrustAnchorUsed(const std::string& username_hash) {}
681#endif
682
683 // Allows the embedder to override the LocationProvider implementation.
684 // Return nullptr to indicate the default one for the platform should be
685 // created.
686 virtual std::unique_ptr<device::LocationProvider>
687 OverrideSystemLocationProvider();
688
689 // Returns a SharedURLLoaderFactory attached to the system network context.
690 // Must be called on the UI thread. The default implementation returns
691 // nullptr.
692 virtual scoped_refptr<network::SharedURLLoaderFactory>
693 GetSystemSharedURLLoaderFactory();
694
695 // Returns the system network context. This shouldn't be used to create a
696 // URLLoaderFactory, instead use GetSystemSharedURLLoaderFactory(). Must be
697 // called on the UI thread. The default implementation returns nullptr.
698 virtual network::mojom::NetworkContext* GetSystemNetworkContext();
699
700 // Allows an embedder to provide a Google API Key to use for network
701 // geolocation queries.
702 // * May be called from any thread.
703 // * Default implementation returns empty string, meaning send no API key.
704 virtual std::string GetGeolocationApiKey();
705
706#if defined(OS_ANDROID)
707 // Allows an embedder to decide whether to use the GmsCoreLocationProvider.
708 virtual bool ShouldUseGmsCoreGeolocationProvider();
709#endif
710
711 // Allow the embedder to specify a string version of the storage partition
712 // config with a site.
713 virtual std::string GetStoragePartitionIdForSite(
714 BrowserContext* browser_context,
715 const GURL& site);
716
717 // Allows the embedder to provide a validation check for |partition_id|s.
718 // This domain of valid entries should match the range of outputs for
719 // GetStoragePartitionIdForChildProcess().
720 virtual bool IsValidStoragePartitionId(BrowserContext* browser_context,
721 const std::string& partition_id);
722
723 // Allows the embedder to provide a storage parititon configuration for a
724 // site. A storage partition configuration includes a domain of the embedder's
725 // choice, an optional name within that domain, and whether the partition is
726 // in-memory only.
727 //
728 // If |can_be_default| is false, the caller is telling the embedder that the
729 // |site| is known to not be in the default partition. This is useful in
730 // some shutdown situations where the bookkeeping logic that maps sites to
731 // their partition configuration are no longer valid.
732 //
733 // The |partition_domain| is [a-z]* UTF-8 string, specifying the domain in
734 // which partitions live (similar to namespace). Within a domain, partitions
735 // can be uniquely identified by the combination of |partition_name| and
736 // |in_memory| values. When a partition is not to be persisted, the
737 // |in_memory| value must be set to true.
738 virtual void GetStoragePartitionConfigForSite(
739 BrowserContext* browser_context,
740 const GURL& site,
741 bool can_be_default,
742 std::string* partition_domain,
743 std::string* partition_name,
744 bool* in_memory);
745
746 // Create and return a new quota permission context.
747 virtual scoped_refptr<QuotaPermissionContext> CreateQuotaPermissionContext();
748
749 // Allows the embedder to provide settings that determine the amount
750 // of disk space that may be used by content facing storage apis like
751 // IndexedDatabase and ServiceWorker::CacheStorage and others.
752 virtual void GetQuotaSettings(
753 content::BrowserContext* context,
754 content::StoragePartition* partition,
755 storage::OptionalQuotaSettingsCallback callback);
756
757 // Allows the embedder to provide settings that determine if generated code
758 // can be cached and the amount of disk space used for caching generated code.
759 virtual GeneratedCodeCacheSettings GetGeneratedCodeCacheSettings(
760 BrowserContext* context);
761
762 // Informs the embedder that a certificate error has occured. If
763 // |overridable| is true and if |strict_enforcement| is false, the user
764 // can ignore the error and continue. The embedder can call the callback
765 // asynchronously.
766 virtual void AllowCertificateError(
767 WebContents* web_contents,
768 int cert_error,
769 const net::SSLInfo& ssl_info,
770 const GURL& request_url,
771 ResourceType resource_type,
772 bool strict_enforcement,
773 bool expired_previous_decision,
774 const base::Callback<void(CertificateRequestResultType)>& callback);
775
776 // Selects a SSL client certificate and returns it to the |delegate|. Note:
777 // |delegate| may be called synchronously or asynchronously.
778 //
779 // TODO(davidben): Move this hook to WebContentsDelegate.
780 virtual void SelectClientCertificate(
781 WebContents* web_contents,
782 net::SSLCertRequestInfo* cert_request_info,
783 net::ClientCertIdentityList client_certs,
784 std::unique_ptr<ClientCertificateDelegate> delegate);
785
786 // Returns a class to get notifications about media event. The embedder can
787 // return nullptr if they're not interested.
788 virtual MediaObserver* GetMediaObserver();
789
790 // Returns the platform notification service, capable of displaying Web
791 // Notifications to the user. The embedder can return a nullptr if they don't
792 // support this functionality. Must be called on the UI thread.
793 // TODO(knollr): move this to the BrowserContext.
794 virtual PlatformNotificationService* GetPlatformNotificationService(
795 BrowserContext* browser_context);
796
797 // Returns true if the given page is allowed to open a window of the given
798 // type. If true is returned, |no_javascript_access| will indicate whether
799 // the window that is created should be scriptable/in the same process.
800 // This is called on the UI thread.
801 virtual bool CanCreateWindow(
802 RenderFrameHost* opener,
803 const GURL& opener_url,
804 const GURL& opener_top_level_frame_url,
805 const url::Origin& source_origin,
806 content::mojom::WindowContainerType container_type,
807 const GURL& target_url,
808 const Referrer& referrer,
809 const std::string& frame_name,
810 WindowOpenDisposition disposition,
811 const blink::mojom::WindowFeatures& features,
812 bool user_gesture,
813 bool opener_suppressed,
814 bool* no_javascript_access);
815
816 // Notifies the embedder that the ResourceDispatcherHost has been created.
817 // This is when it can optionally add a delegate.
818 virtual void ResourceDispatcherHostCreated() {}
819
820 // Allows the embedder to return a delegate for the SpeechRecognitionManager.
821 // The delegate will be owned by the manager. It's valid to return nullptr.
822 virtual SpeechRecognitionManagerDelegate*
823 CreateSpeechRecognitionManagerDelegate();
824
825 // Allows the embedder to return a delegate for the TtsController.
826 virtual TtsControllerDelegate* GetTtsControllerDelegate();
827
828 // Allows the embedder to return a TTS platform implementation.
829 virtual TtsPlatform* GetTtsPlatform();
830
831 // Getter for the net logging object. This can be called on any thread.
832 virtual net::NetLog* GetNetLog();
833
834 // Called by WebContents to override the WebKit preferences that are used by
835 // the renderer. The content layer will add its own settings, and then it's up
836 // to the embedder to update it if it wants.
837 virtual void OverrideWebkitPrefs(RenderViewHost* render_view_host,
838 WebPreferences* prefs) {}
839
840 // Notifies that BrowserURLHandler has been created, so that the embedder can
841 // optionally add their own handlers.
842 virtual void BrowserURLHandlerCreated(BrowserURLHandler* handler) {}
843
844 // Returns the default download directory.
845 // This can be called on any thread.
846 virtual base::FilePath GetDefaultDownloadDirectory();
847
848 // Returns the default filename used in downloads when we have no idea what
849 // else we should do with the file.
850 virtual std::string GetDefaultDownloadName();
851
852 // Returns the path to the font lookup table cache directory in which - on
853 // Windows 7 & 8 - we cache font name meta information to perform @font-face {
854 // src: local() } lookups.
855 virtual base::FilePath GetFontLookupTableCacheDir();
856
857 // Returns the path to the browser shader disk cache root.
858 virtual base::FilePath GetShaderDiskCacheDirectory();
859
860 // Returns the path to the shader disk cache root for shaders generated by
861 // skia.
862 virtual base::FilePath GetGrShaderDiskCacheDirectory();
863
864 // Notification that a pepper plugin has just been spawned. This allows the
865 // embedder to add filters onto the host to implement interfaces.
866 // This is called on the IO thread.
867 virtual void DidCreatePpapiPlugin(BrowserPpapiHost* browser_host) {}
868
869 // Gets the host for an external out-of-process plugin.
870 virtual BrowserPpapiHost* GetExternalBrowserPpapiHost(
871 int plugin_child_id);
872
873 // Returns true if the socket operation specified by |params| is allowed from
874 // the given |browser_context| and |url|. If |params| is nullptr, this method
875 // checks the basic "socket" permission, which is for those operations that
876 // don't require a specific socket permission rule.
877 // |private_api| indicates whether this permission check is for the private
878 // Pepper socket API or the public one.
879 virtual bool AllowPepperSocketAPI(BrowserContext* browser_context,
880 const GURL& url,
881 bool private_api,
882 const SocketPermissionRequest* params);
883
884 // Returns true if the "vpnProvider" permission is allowed from the given
885 // |browser_context| and |url|.
886 virtual bool IsPepperVpnProviderAPIAllowed(BrowserContext* browser_context,
887 const GURL& url);
888
889 // Creates a new VpnServiceProxy. The caller owns the returned value. It's
890 // valid to return nullptr.
891 virtual std::unique_ptr<VpnServiceProxy> GetVpnServiceProxy(
892 BrowserContext* browser_context);
893
894 // Returns an implementation of a file selecition policy. Can return null.
895 virtual std::unique_ptr<ui::SelectFilePolicy> CreateSelectFilePolicy(
896 WebContents* web_contents);
897
898 // Returns additional allowed scheme set which can access files in
899 // FileSystem API.
900 virtual void GetAdditionalAllowedSchemesForFileSystem(
901 std::vector<std::string>* additional_schemes) {}
902
903 // |schemes| is a return value parameter that gets a whitelist of schemes that
904 // should bypass the Is Privileged Context check.
905 // See http://www.w3.org/TR/powerful-features/#settings-privileged
906 virtual void GetSchemesBypassingSecureContextCheckWhitelist(
907 std::set<std::string>* schemes) {}
908
909 // Returns auto mount handlers for URL requests for FileSystem APIs.
910 virtual void GetURLRequestAutoMountHandlers(
911 std::vector<storage::URLRequestAutoMountHandler>* handlers) {}
912
913 // Returns additional file system backends for FileSystem API.
914 // |browser_context| is needed in the additional FileSystemBackends.
915 // It has mount points to create objects returned by additional
916 // FileSystemBackends, and SpecialStoragePolicy for permission granting.
917 virtual void GetAdditionalFileSystemBackends(
918 BrowserContext* browser_context,
919 const base::FilePath& storage_partition_path,
920 std::vector<std::unique_ptr<storage::FileSystemBackend>>*
921 additional_backends) {}
922
923 // Allow an embedder to provide a share group reimplementation to connect renderer
924 // GL contexts with the root compositor.
925 virtual gl::GLShareGroup* GetInProcessGpuShareGroup() { return 0; }
926
927 // Creates a new DevToolsManagerDelegate. The caller owns the returned value.
928 // It's valid to return nullptr.
929 virtual DevToolsManagerDelegate* GetDevToolsManagerDelegate();
930
931 // Stores the new expiration time up until which events related to |service|
932 // can still be logged. |service| is the int value of the
933 // DevToolsBackgroundService enum. |expiration_time| can be null, denoting
934 // that nothing should be recorded any more.
935 virtual void UpdateDevToolsBackgroundServiceExpiration(
936 BrowserContext* browser_context,
937 int service,
938 base::Time expiration_time);
939
940 // Returns a mapping from a background service to the time up until which
941 // recording the background service's events is still allowed.
942 virtual base::flat_map<int, base::Time>
943 GetDevToolsBackgroundServiceExpirations(BrowserContext* browser_context);
944
945 // Creates a new TracingDelegate. The caller owns the returned value.
946 // It's valid to return nullptr.
947 virtual TracingDelegate* GetTracingDelegate();
948
949 // Returns true if plugin referred to by the url can use
950 // pp::FileIO::RequestOSFileHandle.
951 virtual bool IsPluginAllowedToCallRequestOSFileHandle(
952 BrowserContext* browser_context,
953 const GURL& url);
954
955 // Returns true if dev channel APIs are available for plugins.
956 virtual bool IsPluginAllowedToUseDevChannelAPIs(
957 BrowserContext* browser_context,
958 const GURL& url);
959
960 // Allows to register browser interfaces exposed through the
961 // RenderProcessHost. Note that interface factory callbacks added to
962 // |registry| will by default be run immediately on the IO thread, unless a
963 // task runner is provided.
964 virtual void ExposeInterfacesToRenderer(
965 service_manager::BinderRegistry* registry,
966 blink::AssociatedInterfaceRegistry* associated_registry,
967 RenderProcessHost* render_process_host) {}
968
969 // Called when RenderFrameHostImpl connects to the Media service. Expose
970 // interfaces to the service using |registry|.
971 virtual void ExposeInterfacesToMediaService(
972 service_manager::BinderRegistry* registry,
973 RenderFrameHost* render_frame_host) {}
974
975 // Content was unable to bind a request for this interface, so the embedder
976 // should try.
977 virtual void BindInterfaceRequestFromFrame(
978 RenderFrameHost* render_frame_host,
979 const std::string& interface_name,
980 mojo::ScopedMessagePipeHandle interface_pipe) {}
981
982 // Content was unable to bind a CredentialManager request, so the embedder
983 // should try.
984 virtual void BindCredentialManagerRequest(
985 RenderFrameHost* render_frame_host,
986 blink::mojom::CredentialManagerRequest request) {}
987
988 // Content was unable to bind a request for this associated interface, so the
989 // embedder should try. Returns true if the |handle| was actually taken and
990 // bound; false otherwise.
991 virtual bool BindAssociatedInterfaceRequestFromFrame(
992 RenderFrameHost* render_frame_host,
993 const std::string& interface_name,
994 mojo::ScopedInterfaceEndpointHandle* handle);
995
996 // Content was unable to bind a request for this interface, so the embedder
997 // should try. This is called for interface requests from dedicated, shared
998 // and service workers.
999 virtual void BindInterfaceRequestFromWorker(
1000 RenderProcessHost* render_process_host,
1001 const url::Origin& origin,
1002 const std::string& interface_name,
1003 mojo::ScopedMessagePipeHandle interface_pipe) {}
1004
1005 // (Currently called only from GPUProcessHost, move somewhere more central).
1006 // Called when a request to bind |interface_name| on |interface_pipe| is
1007 // received from |source_info.identity|. If the request is bound,
1008 // |interface_pipe| will become invalid (taken by the client).
1009 virtual void BindInterfaceRequest(
1010 const service_manager::BindSourceInfo& source_info,
1011 const std::string& interface_name,
1012 mojo::ScopedMessagePipeHandle* interface_pipe) {}
1013
1014 // Registers services to be run in the browser process. |connection| is the
1015 // ServiceManagerConnection service are registered with. Use
1016 // |ServiceManagerConnection::AddServiceRequestHandler| to register each
1017 // service.
1018 //
1019 // NOTE: This should ONLY be overridden to register services which MUST run on
1020 // the IO thread. For other in-process services, use |HandleServiceRequest|
1021 // below.
1022 virtual void RegisterIOThreadServiceHandlers(
1023 ServiceManagerConnection* connection) {}
1024
1025 virtual void OverrideOnBindInterface(
1026 const service_manager::BindSourceInfo& remote_info,
1027 const std::string& name,
1028 mojo::ScopedMessagePipeHandle* handle) {}
1029
1030 using ProcessNameCallback = base::RepeatingCallback<base::string16()>;
1031
1032 struct CONTENT_EXPORT OutOfProcessServiceInfo {
1033 OutOfProcessServiceInfo();
1034 OutOfProcessServiceInfo(const ProcessNameCallback& process_name_callback);
1035 OutOfProcessServiceInfo(const ProcessNameCallback& process_name_callback,
1036 const std::string& process_group);
1037 ~OutOfProcessServiceInfo();
1038
1039 // The callback function to get the display name of the service process
1040 // launched for the service.
1041 ProcessNameCallback process_name_callback;
1042
1043 // If provided, a string which groups this service into a process shared
1044 // by other services using the same string.
1045 base::Optional<std::string> process_group;
1046 };
1047
1048 using OutOfProcessServiceMap = std::map<std::string, OutOfProcessServiceInfo>;
1049
1050 // Registers services to be loaded out of the browser process in an
1051 // utility process. The value of each map entry should be a process name,
1052 // to use for the service's host process when launched.
1053 virtual void RegisterOutOfProcessServices(OutOfProcessServiceMap* services) {}
1054
1055 // Handles a Service request for the service named |service_name|. If the
1056 // client knows how to run |service_name|, it should bind |request|
1057 // accordingly. Note that this runs on the main thread, so if a service may
1058 // need to start and run on the IO thread while the main thread is blocking on
1059 // something, the service should instead by registered in
1060 // |RegisterIOThreadServiceHandlers| above.
1061 virtual void HandleServiceRequest(
1062 const std::string& service_name,
1063 service_manager::mojom::ServiceRequest request);
1064
1065 // Allows the embedder to terminate the browser if a specific service instance
1066 // quits or crashes.
1067 virtual bool ShouldTerminateOnServiceQuit(
1068 const service_manager::Identity& id);
1069
1070 // Allows the embedder to amend service manifests for existing services.
1071 // Specifically, the sets of exposed and required capabilities, interface
1072 // filter capabilities (deprecated), packaged services, and preloaded files
1073 // will be taken from the returned Manifest and appended to those of the
1074 // existing Manifest for the service named |name|.
1075 //
1076 // If no overlay is provided for the service, this returns |base::nullopt|.
1077 virtual base::Optional<service_manager::Manifest> GetServiceManifestOverlay(
1078 base::StringPiece name);
1079
1080 // Allows the embedder to provide extra service manifests to be registered
1081 // with the service manager context.
1082 virtual std::vector<service_manager::Manifest> GetExtraServiceManifests();
1083
1084 // Allows the embedder to have a list of services started after the
1085 // in-process Service Manager has been initialized.
1086 virtual std::vector<std::string> GetStartupServices();
1087
1088 // Allows to override the visibility state of a RenderFrameHost.
1089 // |visibility_state| should not be null. It will only be set if needed.
1090 virtual void OverridePageVisibilityState(
1091 RenderFrameHost* render_frame_host,
1092 PageVisibilityState* visibility_state) {}
1093
1094 // Allows an embedder to provide its own ControllerPresentationServiceDelegate
1095 // implementation. Returns nullptr if unavailable.
1096 virtual ControllerPresentationServiceDelegate*
1097 GetControllerPresentationServiceDelegate(WebContents* web_contents);
1098
1099 // Allows an embedder to provide its own ReceiverPresentationServiceDelegate
1100 // implementation. Returns nullptr if unavailable. Only WebContents created
1101 // for offscreen presentations should be passed to this API. The WebContents
1102 // must belong to an incognito profile.
1103 virtual ReceiverPresentationServiceDelegate*
1104 GetReceiverPresentationServiceDelegate(WebContents* web_contents);
1105
1106 // Allows programmatic opening of a new tab/window without going through
1107 // another WebContents. For example, from a Worker. |site_instance|
1108 // describes the context initiating the navigation. |callback| will be
1109 // invoked with the appropriate WebContents* when available.
1110 virtual void OpenURL(SiteInstance* site_instance,
1111 const OpenURLParams& params,
1112 const base::Callback<void(WebContents*)>& callback);
1113
1114 // Allows the embedder to record |metric| for a specific |url|.
1115 virtual void RecordURLMetric(const std::string& metric, const GURL& url) {}
1116
1117 // Allows the embedder to map URLs to strings, intended to be used as suffixes
1118 // for metric names. For example, the embedder can map
1119 // "my-special-site-with-a-complicated-name.example.com/and-complicated-path"
1120 // to the string "MySpecialSite", which will cause some UMA involving that URL
1121 // to be logged as "UmaName.MySpecialSite".
1122 virtual std::string GetMetricSuffixForURL(const GURL& url);
1123
1124 // Allows the embedder to register one or more NavigationThrottles for the
1125 // navigation indicated by |navigation_handle|. A NavigationThrottle is used
1126 // to control the flow of a navigation on the UI thread. The embedder is
1127 // guaranteed that the throttles will be executed in the order they were
1128 // provided.
1129 virtual std::vector<std::unique_ptr<NavigationThrottle>>
1130 CreateThrottlesForNavigation(NavigationHandle* navigation_handle);
1131
1132 // PlzNavigate
1133 // Called at the start of the navigation to get opaque data the embedder
1134 // wants to see passed to the corresponding URLRequest on the IO thread.
1135 virtual std::unique_ptr<NavigationUIData> GetNavigationUIData(
1136 NavigationHandle* navigation_handle);
1137
1138 // Allows the embedder to provide its own AudioManager implementation.
1139 // If this function returns nullptr, a default platform implementation
1140 // will be used.
1141 virtual std::unique_ptr<media::AudioManager> CreateAudioManager(
1142 media::AudioLogFactory* audio_log_factory);
1143
1144 // Returns true if (and only if) CreateAudioManager() is implemented and
1145 // returns a non-null value.
1146 virtual bool OverridesAudioManager();
1147
1148 // Gets supported hardware secure |video_codecs| and |encryption_schemes| for
1149 // the purpose of decrypting encrypted media using a Content Decryption Module
1150 // (CDM) and a CdmProxy associated with |key_system|. The CDM supports all
1151 // protocols in |cdm_proxy_protocols|, but only one CdmProxy protocol will be
1152 // supported by the CdmProxy on the system, for which the capabilities will
1153 // be returned.
1154 virtual void GetHardwareSecureDecryptionCaps(
1155 const std::string& key_system,
1156 const base::flat_set<media::CdmProxy::Protocol>& cdm_proxy_protocols,
1157 base::flat_set<media::VideoCodec>* video_codecs,
1158 base::flat_set<media::EncryptionMode>* encryption_schemes);
1159
1160 // Populates |mappings| with all files that need to be mapped before launching
1161 // a child process.
1162#if (defined(OS_POSIX) && !defined(OS_MACOSX)) || defined(OS_FUCHSIA)
1163 virtual void GetAdditionalMappedFilesForChildProcess(
1164 const base::CommandLine& command_line,
1165 int child_process_id,
1166 content::PosixFileDescriptorInfo* mappings) {}
1167#endif // defined(OS_POSIX) && !defined(OS_MACOSX) || defined(OS_FUCHSIA)
1168
1169#if defined(OS_WIN)
1170 // This is called on the PROCESS_LAUNCHER thread before the renderer process
1171 // is launched. It gives the embedder a chance to add loosen the sandbox
1172 // policy.
1173 virtual bool PreSpawnRenderer(sandbox::TargetPolicy* policy);
1174
1175 // Returns the AppContainer SID for the specified sandboxed process type, or
1176 // empty string if this sandboxed process type does not support living inside
1177 // an AppContainer.
1178 virtual base::string16 GetAppContainerSidForSandboxType(
1179 int sandbox_type) const;
1180#endif
1181
1182 // Binds a new media remoter service to |request|, if supported by the
1183 // embedder, for the |source| that lives in the render frame represented
1184 // by |render_frame_host|. This may be called multiple times if there is more
1185 // than one source candidate in the same render frame.
1186 virtual void CreateMediaRemoter(RenderFrameHost* render_frame_host,
1187 media::mojom::RemotingSourcePtr source,
1188 media::mojom::RemoterRequest request) {}
1189
1190 // Returns the RapporService from the browser process.
1191 virtual ::rappor::RapporService* GetRapporService();
1192
1193 // Provides parameters for initializing the global thread pool. Default
1194 // params are used if this returns nullptr.
1195 virtual std::unique_ptr<base::ThreadPool::InitParams>
1196 GetThreadPoolInitParams();
1197
1198 // Allows the embedder to register one or more URLLoaderThrottles for a
1199 // navigation request.
1200 // This is called both when the network service is enabled and disabled.
1201 // This is called on the IO thread.
1202 virtual std::vector<std::unique_ptr<URLLoaderThrottle>>
1203 CreateURLLoaderThrottles(
1204 const network::ResourceRequest& request,
1205 ResourceContext* resource_context,
1206 const base::RepeatingCallback<WebContents*()>& wc_getter,
1207 NavigationUIData* navigation_ui_data,
1208 int frame_tree_node_id);
1209
1210 // Allows the embedder to register per-scheme URLLoaderFactory implementations
1211 // to handle navigation URL requests for schemes not handled by the Network
1212 // Service. Only called when the Network Service is enabled.
1213 // Note that a RenderFrameHost or RenderProcessHost aren't passed in because
1214 // these can change during a navigation (e.g. depending on redirects).
1215 using NonNetworkURLLoaderFactoryMap =
1216 std::map<std::string, std::unique_ptr<network::mojom::URLLoaderFactory>>;
1217 virtual void RegisterNonNetworkNavigationURLLoaderFactories(
1218 int frame_tree_node_id,
1219 NonNetworkURLLoaderFactoryMap* factories);
1220
1221 // Allows the embedder to register per-scheme URLLoaderFactory implementations
1222 // to handle subresource URL requests for schemes not handled by the Network
1223 // Service. This function can also be used to make a factory for other
1224 // non-subresource requests, such as:
1225 // -downloads
1226 // -service worker script when starting a service worker. In that case, the
1227 // frame id will be MSG_ROUTING_NONE
1228 virtual void RegisterNonNetworkSubresourceURLLoaderFactories(
1229 int render_process_id,
1230 int render_frame_id,
1231 NonNetworkURLLoaderFactoryMap* factories);
1232
1233 // Allows the embedder to intercept URLLoaderFactory interfaces used for
1234 // navigation or being brokered on behalf of a renderer fetching subresources.
1235 //
1236 // |frame| could be nullptr when the caller is creating URLLoaderFactory
1237 // for a service worker.
1238 //
1239 // |render_process_id| is the id of a render process host in which the
1240 // URLLoaderFactory will be used.
1241 //
1242 // |is_navigation| is true when it's a request used for navigation.
1243 //
1244 // |request_initiator| indicates which origin will be the initiator of
1245 // requests that will use the URLLoaderFactory (see also
1246 // |network::ResourceRequest::requests|). |request_initiator| is set when
1247 // it's a request for a renderer fetching subresources. It's not set when
1248 // creating a factory for navigation requests, because navigation requests are
1249 // made on behalf of the browser, rather than on behalf of any particular
1250 // origin.
1251 //
1252 // |*factory_request| is always valid upon entry and MUST be valid upon
1253 // return. The embedder may swap out the value of |*factory_request| for its
1254 // own, in which case it must return |true| to indicate that it's proxying
1255 // requests for the URLLoaderFactory. Otherwise |*factory_request| is left
1256 // unmodified and this must return |false|.
1257 //
1258 // |header_client| may be bound within this call. This can be used in
1259 // URLLoaderFactoryParams when creating the factory.
1260 //
1261 // |bypass_redirect_checks| will be set to true when the embedder will be
1262 // handling redirect security checks.
1263 //
1264 // Always called on the UI thread and only when the Network Service is
1265 // enabled.
1266 virtual bool WillCreateURLLoaderFactory(
1267 BrowserContext* browser_context,
1268 RenderFrameHost* frame,
1269 int render_process_id,
1270 bool is_navigation,
1271 bool is_download,
1272 const url::Origin& request_initiator,
1273 network::mojom::URLLoaderFactoryRequest* factory_request,
1274 network::mojom::TrustedURLLoaderHeaderClientPtrInfo* header_client,
1275 bool* bypass_redirect_checks);
1276
1277 // Allows the embedder to intercept a WebSocket connection. |*request|
1278 // is always valid upon entry and MUST be valid upon return. The embedder
1279 // may swap out the value of |*request| for its own.
1280 //
1281 // Always called on the UI thread and only when the Network Service is
1282 // enabled.
1283 virtual void WillCreateWebSocket(
1284 RenderFrameHost* frame,
1285 network::mojom::WebSocketRequest* request,
1286 network::mojom::AuthenticationHandlerPtr* authentication_handler,
1287 network::mojom::TrustedHeaderClientPtr* header_client,
1288 uint32_t* options);
1289
1290 // Allows the embedder to returns a list of request interceptors that can
1291 // intercept a navigation request.
1292 //
1293 // Always called on the IO thread and only when the Network Service is
1294 // enabled.
1295 virtual std::vector<std::unique_ptr<URLLoaderRequestInterceptor>>
1296 WillCreateURLLoaderRequestInterceptors(
1297 content::NavigationUIData* navigation_ui_data,
1298 int frame_tree_node_id,
1299 const scoped_refptr<network::SharedURLLoaderFactory>&
1300 network_loader_factory);
1301
1302 // Called when the NetworkService, accessible through
1303 // content::GetNetworkService(), is created. Implementations should avoid
1304 // calling into GetNetworkService() again to avoid re-entrancy if the service
1305 // fails to start.
1306 virtual void OnNetworkServiceCreated(
1307 network::mojom::NetworkService* network_service);
1308
1309 // Creates a NetworkContext for a BrowserContext's StoragePartition. If the
1310 // network service is enabled, it must return a NetworkContext using the
1311 // network service. If the network service is disabled, the embedder may
1312 // return a NetworkContext, or it may return nullptr, in which case the
1313 // StoragePartition will create one wrapping the URLRequestContext obtained
1314 // from the BrowserContext.
1315 //
1316 // Called before the corresonding BrowserContext::CreateRequestContext method
1317 // is called.
1318 //
1319 // If |in_memory| is true, |relative_partition_path| is still a path that
1320 // uniquely identifies the storage partition, though nothing should be written
1321 // to it.
1322 //
1323 // If |relative_partition_path| is the empty string, it means this needs to
1324 // create the default NetworkContext for the BrowserContext.
1325 //
1326 // For NetworkContexts returned from the Network Service, some requirements:
1327 // -enable data URL support (or else data URLs will fail)
1328 // -disable file URL support (for security)
1329 virtual network::mojom::NetworkContextPtr CreateNetworkContext(
1330 BrowserContext* context,
1331 bool in_memory,
1332 const base::FilePath& relative_partition_path);
1333
1334 // Returns the parent paths that contain all the network service's
1335 // BrowserContexts' storage. Multiple paths can be returned, e.g. in case the
1336 // persistent storage location differs from the cache storage location.
1337 virtual std::vector<base::FilePath> GetNetworkContextsParentDirectory();
1338
1339#if defined(OS_ANDROID)
1340 // Only used by Android WebView.
1341 // Returns:
1342 // true - The check was successfully performed without throwing a
1343 // Java exception. |*ignore_navigation| is set to the
1344 // result of the check in this case.
1345 // false - A Java exception was thrown. It is no longer safe to
1346 // make JNI calls, because of the uncleared exception.
1347 // Callers should return to the message loop as soon as
1348 // possible, so that the exception can be rethrown.
1349 virtual bool ShouldOverrideUrlLoading(int frame_tree_node_id,
1350 bool browser_initiated,
1351 const GURL& gurl,
1352 const std::string& request_method,
1353 bool has_user_gesture,
1354 bool is_redirect,
1355 bool is_main_frame,
1356 ui::PageTransition transition,
1357 bool* ignore_navigation);
1358#endif
1359
1360 // Called on IO or UI thread to determine whether or not to allow load and
1361 // render MHTML page from http/https URLs.
1362 virtual bool AllowRenderingMhtmlOverHttp(
1363 NavigationUIData* navigation_ui_data);
1364
1365 // Called on IO or UI thread to determine whether or not to allow load and
1366 // render MHTML page from http/https URLs.
1367 virtual bool ShouldForceDownloadResource(const GURL& url,
1368 const std::string& mime_type);
1369
1370 virtual void CreateWebUsbService(
1371 RenderFrameHost* render_frame_host,
1372 mojo::InterfaceRequest<blink::mojom::WebUsbService> request);
1373
1374#if !defined(OS_ANDROID)
1375 // Allows the embedder to provide an implementation of the Serial API.
1376 virtual SerialDelegate* GetSerialDelegate();
1377#endif
1378
1379 // Attempt to open the Payment Handler window inside its corresponding
1380 // PaymentRequest UI surface. Returns true if the ContentBrowserClient
1381 // implementation supports this operation (desktop Chrome) or false otherwise.
1382 // |callback| is invoked with true if the window opened successfully, false if
1383 // the attempt failed. Both the render process and frame IDs are also passed
1384 // to |callback|.
1385 virtual bool ShowPaymentHandlerWindow(
1386 content::BrowserContext* browser_context,
1387 const GURL& url,
1388 base::OnceCallback<void(bool /* success */,
1389 int /* render_process_id */,
1390 int /* render_frame_id */)> callback);
1391
1392 // Returns whether a base::ThreadPool should be created when
1393 // BrowserMainLoop starts.
1394 // If false, a thread pool has been created by the embedder, and
1395 // BrowserMainLoop should skip creating a second one.
1396 // Note: the embedder should *not* start the ThreadPool for
1397 // BrowserMainLoop, BrowserMainLoop itself is responsible for that.
1398 virtual bool ShouldCreateThreadPool();
1399
1400 // Returns an AuthenticatorRequestClientDelegate subclass instance to provide
1401 // embedder-specific configuration for a single Web Authentication API request
1402 // being serviced in a given RenderFrame. The instance is guaranteed to be
1403 // destroyed before the RenderFrame goes out of scope. The embedder may choose
1404 // to return nullptr to indicate that the request cannot be serviced right
1405 // now. |relying_party_id| is the RP ID from Webauthn, essentially a domain
1406 // name.
1407#if BUILDFLAG(ENABLE_WEB_AUTH)
1408 virtual std::unique_ptr<AuthenticatorRequestClientDelegate>
1409 GetWebAuthenticationRequestDelegate(RenderFrameHost* render_frame_host,
1410 const std::string& relying_party_id);
1411#endif
1412
1413#if defined(OS_MACOSX)
1414 // Returns whether WebAuthn supports the built-in Touch ID platform
1415 // authenticator. If true, the embedder must supply a configuration in
1416 // |AuthenticatorRequestClientDelegate::GetTouchIdAuthenticatorConfig|.
1417 virtual bool IsWebAuthenticationTouchIdAuthenticatorSupported();
1418#endif
1419
1420 // Get platform ClientCertStore. May return nullptr.
1421 virtual std::unique_ptr<net::ClientCertStore> CreateClientCertStore(
1422 ResourceContext* resource_context);
1423
1424 // Creates a LoginDelegate that asks the user for a username and password.
1425 // |web_contents| should not be null when CreateLoginDelegate is called.
1426 // |first_auth_attempt| is needed by AwHttpAuthHandler constructor.
1427 // |auth_required_callback| is used to transfer auth credentials to
1428 // URLRequest::SetAuth(). The credentials parameter of the callback
1429 // is base::nullopt if the request should be cancelled; otherwise
1430 // the credentials will be used to respond to the auth challenge.
1431 // This method is called on the UI thread. The callback must be
1432 // called on the UI thread as well. If the LoginDelegate is destroyed
1433 // before the callback, the request has been canceled and the callback
1434 // should not be called.
1435 //
1436 // |auth_required_callback| may not be called reentrantly. If the request may
1437 // be handled synchronously, CreateLoginDelegate must post the callback to a
1438 // separate event loop iteration, taking care not to call it if the
1439 // LoginDelegate is destroyed in the meantime.
1440 //
1441 // There is no guarantee that |web_contents| will outlive the
1442 // LoginDelegate. The LoginDelegate implementation can use WebContentsObserver
1443 // to be notified when the WebContents is destroyed.
1444 //
1445 // TODO(davidben): This should be guaranteed. It isn't due to asynchronous
1446 // destruction between the network logic and the owning WebContents, but that
1447 // should be hidden from the embedder. Ideally this method would be on
1448 // WebContentsDelegate, where the lifetime ordering is more
1449 // obvious. https://crbug.com/456255
1450 virtual std::unique_ptr<LoginDelegate> CreateLoginDelegate(
1451 const net::AuthChallengeInfo& auth_info,
1452 WebContents* web_contents,
1453 const GlobalRequestID& request_id,
1454 bool is_request_for_main_frame,
1455 const GURL& url,
1456 scoped_refptr<net::HttpResponseHeaders> response_headers,
1457 bool first_auth_attempt,
1458 LoginAuthRequiredCallback auth_required_callback);
1459
1460 // Launches the url for the given tab. Returns true if an attempt to handle
1461 // the url was made, e.g. by launching an app. Note that this does not
1462 // guarantee that the app successfully handled it.
1463 // If this is a navigation request, then |child_id| will be
1464 // ChildProcessHost::kInvalidUniqueID and |navigation_ui_data| will valid.
1465 // Otherwise child_id will be the process id and |navigation_ui_data| will be
1466 // nullptr.
1467 virtual bool HandleExternalProtocol(
1468 const GURL& url,
1469 ResourceRequestInfo::WebContentsGetter web_contents_getter,
1470 int child_id,
1471 NavigationUIData* navigation_data,
1472 bool is_main_frame,
1473 ui::PageTransition page_transition,
1474 bool has_user_gesture,
1475 const std::string& method,
1476 const net::HttpRequestHeaders& headers,
1477 network::mojom::URLLoaderFactoryRequest* factory_request,
1478 network::mojom::URLLoaderFactory*& out_factory);
1479
1480 // Creates an OverlayWindow to be used for Picture-in-Picture. This window
1481 // will house the content shown when in Picture-in-Picture mode. This will
1482 // return a new OverlayWindow.
1483 // May return nullptr if embedder does not support this functionality. The
1484 // default implementation provides nullptr OverlayWindow.
1485 virtual std::unique_ptr<OverlayWindow> CreateWindowForPictureInPicture(
1486 PictureInPictureWindowController* controller);
1487
1488 // Returns true if it is safe to redirect to |url|, otherwise returns false.
1489 // This is called on the IO thread.
1490 virtual bool IsSafeRedirectTarget(const GURL& url, ResourceContext* context);
1491
1492 // Registers the watcher to observe updates in RendererPreferences.
1493 virtual void RegisterRendererPreferenceWatcher(
1494 BrowserContext* browser_context,
1495 blink::mojom::RendererPreferenceWatcherPtr watcher);
1496
1497 // Returns the HTML content of the error page for Origin Policy related
1498 // errors.
1499 virtual base::Optional<std::string> GetOriginPolicyErrorPage(
1500 OriginPolicyErrorReason error_reason,
1501 content::NavigationHandle* navigation_handle);
1502
1503 // Returns true if it is OK to ignore errors for certificates specified by the
1504 // --ignore-certificate-errors-spki-list command line flag. The embedder may
1505 // perform additional checks, such as requiring --user-data-dir flag too to
1506 // make sure that insecure contents will not persist accidentally.
1507 virtual bool CanIgnoreCertificateErrorIfNeeded();
1508
1509 // Called on every request completion to update the data use when network
1510 // service is enabled.
1511 virtual void OnNetworkServiceDataUseUpdate(
1512 int32_t network_traffic_annotation_id_hash,
1513 int64_t recv_bytes,
1514 int64_t sent_bytes);
1515
1516 // Asks the embedder for the PreviewsState which says which previews should
1517 // be enabled for the given navigation. The PreviewsState is a bitmask of
1518 // potentially several Previews optimizations. |initial_state| is used to
1519 // keep sub-frame navigation state consistent with main frame state.
1520 // |current_navigation_url| is the URL that is currently being navigated to,
1521 // and can differ from GetURL() in |navigation_handle| on redirects.
1522 virtual content::PreviewsState DetermineAllowedPreviews(
1523 content::PreviewsState initial_state,
1524 content::NavigationHandle* navigation_handle,
1525 const GURL& current_navigation_url);
1526
1527 // Asks the embedder for the preview state that should be committed to the
1528 // renderer. |initial_state| was pre-determined by |DetermineAllowedPreviews|.
1529 // |navigation_handle| is the corresponding navigation object.
1530 // |response_headers| are the response headers related to this navigation.
1531 virtual content::PreviewsState DetermineCommittedPreviews(
1532 content::PreviewsState initial_state,
1533 content::NavigationHandle* navigation_handle,
1534 const net::HttpResponseHeaders* response_headers);
1535
1536 // Browser-side API to log blink UseCounters for events that don't occur in
1537 // the renderer.
1538 virtual void LogWebFeatureForCurrentPage(
1539 content::RenderFrameHost* render_frame_host,
1540 blink::mojom::WebFeature feature) {}
1541
1542 // Returns a string describing the embedder product name and version,
1543 // of the form "productname/version", with no other slashes.
1544 // Used as part of the user agent string.
1545 virtual std::string GetProduct() const;
1546
1547 // Returns the user agent. Content may cache this value.
1548 virtual std::string GetUserAgent() const;
1549
1550 // Returns user agent metadata. Content may cache this value.
1551 virtual blink::UserAgentMetadata GetUserAgentMetadata() const;
1552
1553 // Returns whether |origin| should be considered a integral component similar
1554 // to native code, and as such whether its log messages should be recorded.
1555 virtual bool IsBuiltinComponent(BrowserContext* browser_context,
1556 const url::Origin& origin);
1557
1558 // Returns whether given |url| has to be blocked. It's used only for renderer
1559 // debug URLs, as other requests are handled via NavigationThrottlers and
1560 // blacklist policies are applied there.
1561 virtual bool IsRendererDebugURLBlacklisted(const GURL& url,
1562 BrowserContext* context);
1563
1564 // Returns the default accessibility mode for the given browser context.
1565 virtual ui::AXMode GetAXModeForBrowserContext(
1566 BrowserContext* browser_context);
1567
1568#if defined(OS_ANDROID)
1569 // Defines the heuristics we can use to enable wide color gamut (WCG).
1570 enum class WideColorGamutHeuristic {
1571 kUseDisplay, // Use WCG if display supports it.
1572 kUseWindow, // Use WCG if window is WCG.
1573 kNone, // Never use WCG.
1574 };
1575
1576 // Returns kNone by default.
1577 virtual WideColorGamutHeuristic GetWideColorGamutHeuristic() const;
1578#endif
1579
1580 // Obtains the list of MIME types that are handled by a MimeHandlerView.
1581 virtual base::flat_set<std::string> GetMimeHandlerViewMimeTypes(
1582 ResourceContext* resource_context);
1583};
1584
1585} // namespace content
1586
1587#endif // CONTENT_PUBLIC_BROWSER_CONTENT_BROWSER_CLIENT_H_
1588