[webkit-changes] [275419] trunk/Source/WebKit

[wilander]

Title: [275419] trunk/Source/WebKit

Revision

275419

Author

wilan...@apple.com

Date

2021-04-02 07:01:07 -0700 (Fri, 02 Apr 2021)

Log Message

PCM: PrivateClickMeasurementManager::getTokenPublicKey() should not use PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable when validating the token before the attribution report is sent
https://bugs.webkit.org/show_bug.cgi?id=223956
<rdar://problem/76086936>

Reviewed by Youenn Fablet.

No new tests. This just changes the NetworkLoadParameters field pcmDataCarried
for the initial public key load and for PCM Debug Mode. This network load setting
is not observable in tests.

* NetworkProcess/PrivateClickMeasurementManager.cpp:
(WebKit::PrivateClickMeasurementManager::storeUnattributed):
    Now sends PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable
    to PrivateClickMeasurementManager::getTokenPublicKey() since it's required.
(WebKit::generateNetworkLoadParameters):
    Now takes the parameter isDebugModeEnabled and if it's true, forces
    PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable since
    Debug Mode disables privacy measures making PCM network requests likely
    to be personally identifiable.
(WebKit::generateNetworkLoadParametersForHttpPost):
    Now forwards isDebugModeEnabled to generateNetworkLoadParameters().
(WebKit::generateNetworkLoadParametersForHttpGet):
    Now forwards isDebugModeEnabled to generateNetworkLoadParameters().
(WebKit::PrivateClickMeasurementManager::getTokenPublicKey):
    Now takes a PrivateClickMeasurement::PcmDataCarried parameter to be able
    to request the public key in either network load mode.
    Now also forwards isDebugModeEnabled to generateNetworkLoadParameters().
(WebKit::PrivateClickMeasurementManager::fireConversionRequest):
    Now sends PrivateClickMeasurement::PcmDataCarried::NonPersonallyIdentifiable
    to PrivateClickMeasurementManager::getTokenPublicKey() since it's required.
(WebKit::PrivateClickMeasurementManager::fireConversionRequestImpl):
    Now forwards isDebugModeEnabled to generateNetworkLoadParameters().
* NetworkProcess/PrivateClickMeasurementManager.h:

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.cpp
• trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.h

Diff

Modified: trunk/Source/WebKit/ChangeLog (275418 => 275419)

--- trunk/Source/WebKit/ChangeLog	2021-04-02 13:26:00 UTC (rev 275418)
+++ trunk/Source/WebKit/ChangeLog	2021-04-02 14:01:07 UTC (rev 275419)
@@ -1,3 +1,39 @@
+2021-04-02  John Wilander  <wilan...@apple.com>
+
+        PCM: PrivateClickMeasurementManager::getTokenPublicKey() should not use PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable when validating the token before the attribution report is sent
+        https://bugs.webkit.org/show_bug.cgi?id=223956
+        <rdar://problem/76086936>
+
+        Reviewed by Youenn Fablet.
+
+        No new tests. This just changes the NetworkLoadParameters field pcmDataCarried
+        for the initial public key load and for PCM Debug Mode. This network load setting
+        is not observable in tests.
+
+        * NetworkProcess/PrivateClickMeasurementManager.cpp:
+        (WebKit::PrivateClickMeasurementManager::storeUnattributed):
+            Now sends PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable
+            to PrivateClickMeasurementManager::getTokenPublicKey() since it's required.
+        (WebKit::generateNetworkLoadParameters):
+            Now takes the parameter isDebugModeEnabled and if it's true, forces
+            PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable since
+            Debug Mode disables privacy measures making PCM network requests likely
+            to be personally identifiable.
+        (WebKit::generateNetworkLoadParametersForHttpPost):
+            Now forwards isDebugModeEnabled to generateNetworkLoadParameters().
+        (WebKit::generateNetworkLoadParametersForHttpGet):
+            Now forwards isDebugModeEnabled to generateNetworkLoadParameters().
+        (WebKit::PrivateClickMeasurementManager::getTokenPublicKey):
+            Now takes a PrivateClickMeasurement::PcmDataCarried parameter to be able
+            to request the public key in either network load mode.
+            Now also forwards isDebugModeEnabled to generateNetworkLoadParameters().
+        (WebKit::PrivateClickMeasurementManager::fireConversionRequest):
+            Now sends PrivateClickMeasurement::PcmDataCarried::NonPersonallyIdentifiable
+            to PrivateClickMeasurementManager::getTokenPublicKey() since it's required.
+        (WebKit::PrivateClickMeasurementManager::fireConversionRequestImpl):
+            Now forwards isDebugModeEnabled to generateNetworkLoadParameters().
+        * NetworkProcess/PrivateClickMeasurementManager.h:
+
 2021-04-02  Youenn Fablet  <you...@apple.com>
 
         Use webrtc GPU Process feature flag for audio capture on MacOS

Modified: trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.cpp (275418 => 275419)

--- trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.cpp	2021-04-02 13:26:00 UTC (rev 275418)
+++ trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.cpp	2021-04-02 14:01:07 UTC (rev 275419)
@@ -76,7 +76,8 @@
 
     if (attribution.ephemeralSourceNonce()) {
         auto attributionCopy = attribution;
-        getTokenPublicKey(WTFMove(attributionCopy), PrivateClickMeasurement::AttributionReportEndpoint::Source, [weakThis = makeWeakPtr(*this), this] (PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL) {
+        // This is guaranteed to be close in time to the navigational click which makes it likely to be personally identifiable.
+        getTokenPublicKey(WTFMove(attributionCopy), PrivateClickMeasurement::AttributionReportEndpoint::Source, PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable, [weakThis = makeWeakPtr(*this), this] (PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL) {
             if (!weakThis)
                 return;
 
@@ -104,7 +105,7 @@
 #endif
 }
 
-static NetworkLoadParameters generateNetworkLoadParameters(URL&& url, const String& httpMethod, RefPtr<JSON::Object>&& jsonPayload, PrivateClickMeasurement::PcmDataCarried dataTypeCarried)
+static NetworkLoadParameters generateNetworkLoadParameters(URL&& url, const String& httpMethod, RefPtr<JSON::Object>&& jsonPayload, PrivateClickMeasurement::PcmDataCarried dataTypeCarried, bool isDebugModeEnabled)
 {
     ResourceRequest request { WTFMove(url) };
     request.setHTTPMethod(httpMethod);
@@ -119,28 +120,26 @@
     loadParameters.parentPID = presentingApplicationPID();
     loadParameters.storedCredentialsPolicy = StoredCredentialsPolicy::EphemeralStateless;
     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = true;
-    loadParameters.pcmDataCarried = dataTypeCarried;
+    loadParameters.pcmDataCarried = UNLIKELY(isDebugModeEnabled) ? PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable : dataTypeCarried;
 
     return loadParameters;
 }
 
-static NetworkLoadParameters generateNetworkLoadParametersForHttpPost(URL&& url, Ref<JSON::Object>&& jsonPayload, PrivateClickMeasurement::PcmDataCarried dataTypeCarried)
+static NetworkLoadParameters generateNetworkLoadParametersForHttpPost(URL&& url, Ref<JSON::Object>&& jsonPayload, PrivateClickMeasurement::PcmDataCarried dataTypeCarried, bool isDebugModeEnabled)
 {
-    return generateNetworkLoadParameters(WTFMove(url), "POST"_s, WTFMove(jsonPayload), dataTypeCarried);
+    return generateNetworkLoadParameters(WTFMove(url), "POST"_s, WTFMove(jsonPayload), dataTypeCarried, isDebugModeEnabled);
 }
 
-static NetworkLoadParameters generateNetworkLoadParametersForHttpGet(URL&& url, PrivateClickMeasurement::PcmDataCarried dataTypeCarried)
+static NetworkLoadParameters generateNetworkLoadParametersForHttpGet(URL&& url, PrivateClickMeasurement::PcmDataCarried dataTypeCarried, bool isDebugModeEnabled)
 {
-    return generateNetworkLoadParameters(WTFMove(url), "GET"_s, nullptr, dataTypeCarried);
+    return generateNetworkLoadParameters(WTFMove(url), "GET"_s, nullptr, dataTypeCarried, isDebugModeEnabled);
 }
 
-void PrivateClickMeasurementManager::getTokenPublicKey(PrivateClickMeasurement&& attribution, PrivateClickMeasurement::AttributionReportEndpoint attributionReportEndpoint, Function<void(PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL)>&& callback)
+void PrivateClickMeasurementManager::getTokenPublicKey(PrivateClickMeasurement&& attribution, PrivateClickMeasurement::AttributionReportEndpoint attributionReportEndpoint, PrivateClickMeasurement::PcmDataCarried pcmDataCarried, Function<void(PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL)>&& callback)
 {
     if (!featureEnabled())
         return;
 
-    // This is guaranteed to be close in time to the navigational click which makes it likely to be personally identifiable.
-    auto pcmDataCarried = PrivateClickMeasurement::PcmDataCarried::PersonallyIdentifiable;
     auto tokenPublicKeyURL = attribution.tokenPublicKeyURL();
     if (m_tokenPublicKeyURLForTesting) {
         if (attributionReportEndpoint == PrivateClickMeasurement::AttributionReportEndpoint::Destination)
@@ -152,7 +151,7 @@
     if (tokenPublicKeyURL.isEmpty() || !tokenPublicKeyURL.isValid())
         return;
 
-    auto loadParameters = generateNetworkLoadParametersForHttpGet(WTFMove(tokenPublicKeyURL), pcmDataCarried);
+    auto loadParameters = generateNetworkLoadParametersForHttpGet(WTFMove(tokenPublicKeyURL), pcmDataCarried, debugModeEnabled());
 
     RELEASE_LOG_INFO(PrivateClickMeasurement, "About to fire a token public key request.");
     m_networkProcess->broadcastConsoleMessage(m_sessionID, MessageSource::PrivateClickMeasurement, MessageLevel::Log, "[Private Click Measurement] About to fire a token public key request."_s);
@@ -192,7 +191,7 @@
     if (tokenSignatureURL.isEmpty() || !tokenSignatureURL.isValid())
         return;
 
-    auto loadParameters = generateNetworkLoadParametersForHttpPost(WTFMove(tokenSignatureURL), attribution.tokenSignatureJSON(), pcmDataCarried);
+    auto loadParameters = generateNetworkLoadParametersForHttpPost(WTFMove(tokenSignatureURL), attribution.tokenSignatureJSON(), pcmDataCarried, debugModeEnabled());
 
     RELEASE_LOG_INFO(PrivateClickMeasurement, "About to fire a unlinkable token signing request.");
     m_networkProcess->broadcastConsoleMessage(m_sessionID, MessageSource::PrivateClickMeasurement, MessageLevel::Log, "[Private Click Measurement] About to fire a unlinkable token signing request."_s);
@@ -309,7 +308,8 @@
     }
 
     auto attributionCopy = attribution;
-    getTokenPublicKey(WTFMove(attributionCopy), attributionReportEndpoint, [weakThis = makeWeakPtr(*this), this, attributionReportEndpoint] (PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL) {
+    // This happens out of webpage context and with a long delay and is thus unlikely to be personally identifiable.
+    getTokenPublicKey(WTFMove(attributionCopy), attributionReportEndpoint, PrivateClickMeasurement::PcmDataCarried::NonPersonallyIdentifiable, [weakThis = makeWeakPtr(*this), this, attributionReportEndpoint] (PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL) {
         if (!weakThis)
             return;
 
@@ -343,7 +343,7 @@
     if (attributionURL.isEmpty() || !attributionURL.isValid())
         return;
 
-    auto loadParameters = generateNetworkLoadParametersForHttpPost(WTFMove(attributionURL), attribution.attributionReportJSON(), PrivateClickMeasurement::PcmDataCarried::NonPersonallyIdentifiable);
+    auto loadParameters = generateNetworkLoadParametersForHttpPost(WTFMove(attributionURL), attribution.attributionReportJSON(), PrivateClickMeasurement::PcmDataCarried::NonPersonallyIdentifiable, debugModeEnabled());
 
     RELEASE_LOG_INFO(PrivateClickMeasurement, "About to fire an attribution request.");
     m_networkProcess->broadcastConsoleMessage(m_sessionID, MessageSource::PrivateClickMeasurement, MessageLevel::Log, "[Private Click Measurement] About to fire an attribution request."_s);

Modified: trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.h (275418 => 275419)

--- trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.h	2021-04-02 13:26:00 UTC (rev 275418)
+++ trunk/Source/WebKit/NetworkProcess/PrivateClickMeasurementManager.h	2021-04-02 14:01:07 UTC (rev 275419)
@@ -70,7 +70,7 @@
     void startTimer(Seconds);
 
 private:
-    void getTokenPublicKey(PrivateClickMeasurement&&, PrivateClickMeasurement::AttributionReportEndpoint, Function<void(PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL)>&&);
+    void getTokenPublicKey(PrivateClickMeasurement&&, PrivateClickMeasurement::AttributionReportEndpoint, PrivateClickMeasurement::PcmDataCarried, Function<void(PrivateClickMeasurement&& attribution, const String& publicKeyBase64URL)>&&);
     void getSignedUnlinkableToken(PrivateClickMeasurement&&);
     void clearSentAttribution(PrivateClickMeasurement&&, PrivateClickMeasurement::AttributionReportEndpoint);
     void attribute(const SourceSite&, const AttributionDestinationSite&, AttributionTriggerData&&);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes