path: root/chromium/services/network/public/mojom/network_context.mojom

// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

module network.mojom;

import "mojo/public/mojom/base/big_buffer.mojom";
import "mojo/public/mojom/base/file_path.mojom";
import "mojo/public/mojom/base/read_only_file.mojom";
import "mojo/public/mojom/base/time.mojom";
import "mojo/public/mojom/base/unguessable_token.mojom";
import "mojo/public/mojom/base/values.mojom";
import "services/network/public/mojom/address_list.mojom";
import "services/network/public/mojom/url_loader_network_service_observer.mojom";
import "services/network/public/mojom/cert_verifier_service.mojom";
import "services/network/public/mojom/client_security_state.mojom";
import "services/network/public/mojom/cookie_access_observer.mojom";
import "services/network/public/mojom/cookie_manager.mojom";
import "services/network/public/mojom/cors_origin_pattern.mojom";
import "services/network/public/mojom/cross_origin_embedder_policy.mojom";
import "services/network/public/mojom/default_credentials.mojom";
import "services/network/public/mojom/devtools_observer.mojom";
import "services/network/public/mojom/host_resolver.mojom";
import "services/network/public/mojom/http_cache_backend_file_operations.mojom";
import "services/network/public/mojom/http_request_headers.mojom";
import "services/network/public/mojom/ip_address.mojom";
import "services/network/public/mojom/ip_endpoint.mojom";
import "services/network/public/mojom/ip_address_space.mojom";
import "services/network/public/mojom/mdns_responder.mojom";
import "services/network/public/mojom/mutable_network_traffic_annotation_tag.mojom";
import "services/network/public/mojom/net_log.mojom";
import "services/network/public/mojom/network_isolation_key.mojom";
import "services/network/public/mojom/isolation_info.mojom";
import "services/network/public/mojom/network_param.mojom";
import "services/network/public/mojom/origin_policy_manager.mojom";
import "services/network/public/mojom/parsed_headers.mojom";
import "services/network/public/mojom/proxy_config.mojom";
import "services/network/public/mojom/proxy_config_with_annotation.mojom";
import "services/network/public/mojom/proxy_lookup_client.mojom";
import "services/network/public/mojom/proxy_resolving_socket.mojom";
import "services/network/public/mojom/reporting_service.mojom";
import "services/network/public/mojom/restricted_cookie_manager.mojom";
import "services/network/public/mojom/site_for_cookies.mojom";
import "services/network/public/mojom/ssl_config.mojom";
import "services/network/public/mojom/tcp_socket.mojom";
import "services/network/public/mojom/transferable_directory.mojom";
import "services/network/public/mojom/trust_tokens.mojom";
import "services/network/public/mojom/udp_socket.mojom";
import "services/network/public/mojom/url_loader.mojom";
import "services/network/public/mojom/url_loader_factory.mojom";
import "services/network/public/mojom/url_request.mojom";
import "services/network/public/mojom/url_response_head.mojom";
import "services/network/public/mojom/websocket.mojom";
import "services/network/public/mojom/web_transport.mojom";
import "services/proxy_resolver/public/mojom/proxy_resolver.mojom";
import "url/mojom/origin.mojom";
import "url/mojom/url.mojom";

[EnableIf=is_chromeos_ash]
import "services/network/public/mojom/dhcp_wpad_url_client.mojom";

[EnableIf=is_p2p_enabled]
import "services/network/public/mojom/p2p.mojom";

[EnableIf=is_p2p_enabled]
import "services/network/public/mojom/p2p_trusted.mojom";

[EnableIf=is_win]
import "services/proxy_resolver_win/public/mojom/proxy_resolver_win.mojom";

const uint32 kWebSocketOptionNone = 0;
// Disallow the request from sending cookies. Disallow the response from writing
// cookies.
const uint32 kWebSocketOptionBlockAllCookies = 1;
// Similar to |kWebSocketOptionBlockAllCookies|, but only for third party
// cookies.
const uint32 kWebSocketOptionBlockThirdPartyCookies = 2;

// Indicates that execution is blocking on the completion of the request.
// The browser can provide a CustomProxyConfig to a CustomProxyConfigClient
// running in the network service. The network service will use the given proxy
// configuration if a request matches the proxy rules and all the other
// criteria contained within it.
struct CustomProxyConfig {
  // The custom proxy rules to use. Note that ftp:// requests are not
  // supported.
  ProxyRules rules;

  // Whether the custom proxy config should override other sources of proxy
  // configuration. If false, the custom config is ignored if a proxy is set in
  // the operating system, for example.
  bool should_override_existing_config = false;

  // Whether the custom proxy config should apply to requests using
  // non-idempotent methods. Can be true if the proxy is known to handle this
  // case properly.
  bool allow_non_idempotent_methods = false;

  // For tunneled requests (https://, ws://, wss://), these headers are added
  // to the CONNECT request. Headers here will overwrite matching headers on
  // the CONNECT request if a custom proxy is used.
  HttpRequestHeaders connect_tunnel_headers;
};

// Observer of custom proxy connections, especially for when errors occur.
interface CustomProxyConnectionObserver {
  // Called when use of |bad_proxy| fails due to |net_error|. |net_error| is the
  // network error encountered, if any, and OK if the fallback was for a reason
  // other than a network error (e.g. the proxy service was explicitly directed
  // to skip a proxy).
  OnFallback(proxy_resolver.mojom.ProxyServer bad_proxy, int32 net_error);

  // Called when the response headers for the proxy tunnel request have been
  // received.
  OnTunnelHeadersReceived(
      proxy_resolver.mojom.ProxyServer proxy_server,
      HttpResponseHeaders response_headers);
};

// Includes a pipe to a CertVerifierService for usage by the
// NetworkContext.
struct CertVerifierServiceRemoteParams {
  // A pipe to the CertVerifierService.
  pending_remote<cert_verifier.mojom.CertVerifierService>?
      cert_verifier_service;
};

// Client to update the custom proxy config.
interface CustomProxyConfigClient {
  OnCustomProxyConfigUpdated(CustomProxyConfig proxy_config) => ();

  // Marks the custom proxies in |bad_proxies| as temporarily bad, so they are
  // not layered onto the proxy resolution results for subsequent requests.
  MarkProxiesAsBad(mojo_base.mojom.TimeDelta bypass_duration,
                   ProxyList bad_proxies) => ();

  // Clears the list of bad proxy servers that has been cached in the proxy
  // resolution service.
  ClearBadProxiesCache();
};

[EnableIf=is_chromeos]
struct AdditionalCertificates {
  // List of all additional certificates.
  array<X509Certificate> all_certificates;

  // List of additional trust anchors.
  array<X509Certificate> trust_anchors;
};

// Sent by TrustedURLLoaderHeaderClient to perform modifications for a request.
interface TrustedHeaderClient {
  // Allows modifying request headers before the request is sent.
  OnBeforeSendHeaders(HttpRequestHeaders headers) =>
      (int32 result, HttpRequestHeaders? headers);

  // Allows modifying response headers, including sensitive headers such as
  // set-cookie. This should only be used from a trusted process.
  // If |preserve_fragment_on_redirect_url| is null, then when the headers
  // indicate a redirect, URL fragments will be handled the standard way: the
  // fragment of the original URL will be copied to the new URL, unless the
  // new URL has a fragment, in which case the new URL's fragment will be
  // used. If |preserve_fragment_on_redirect_url| is populated, and the
  // request is redirected to exactly that URL, then the fragment of the
  // original URL will not be copied to the redirect target URL.
  OnHeadersReceived(string headers, IPEndPoint remote_endpoint) =>
      (int32 result,
       string? headers,
       url.mojom.Url? preserve_fragment_on_redirect_url);
};

// Interface to allow modifying the full request and response headers. This
// interface exposes sensitive headers such as set-cookie, so should only be
// sent to trusted processes.
interface TrustedURLLoaderHeaderClient {
  // When a new URLLoader is created, this will be called to pass a
  // corresponding |header_client|.
  OnLoaderCreated(int32 request_id,
                  pending_receiver<TrustedHeaderClient> header_client);

  // When a new URLLoader is created for a CORS preflight request, this will
  // be called to pass a corresponding |header_client|.
  OnLoaderForCorsPreflightCreated(
      URLRequest request,
      pending_receiver<TrustedHeaderClient> header_client);
};

struct HttpAuthStaticNetworkContextParams {
  // Whether authentication APIs that support fallback to the default account
  // on the system can be used without specifying an account.
  DefaultCredentials allow_default_credentials
     = DefaultCredentials.ALLOW_DEFAULT_CREDENTIALS;
};

[EnableIf=is_ct_supported]
struct CTPolicy {
  array<string> required_hosts;
  array<string> excluded_hosts;
  array<string> excluded_spkis;
  array<string> excluded_legacy_spkis;
};

struct NetworkContextFilePaths {
  // Points to a path that contains all the network service files and databases
  // as listed below. If this network context is running inside a sandboxed
  // network service, then this path should contain no other sensitive data
  // since the sandboxed network service will have full access to this path.
  // This should be a different path for each different network context running
  // inside the network service.
  TransferableDirectory data_directory;

  // Points to a path that might contain existing network service data files and
  // databases from network contexts created with the same `data_directory`.
  // This parameter must be specified if `perform_migration` is set to true.
  // Once migration has been successful (see below), data is no longer read from
  // this path. Data could continue to be read from this path if migration
  // fails, or if `trigger_migration` has never been set to true.
  // If this parameter is specified then the sandbox will be granted access to
  // the `data_directory` specified above.
  // This parameter, along with `trigger_migration` parameter below will be
  // removed in the future, once migration of network context data to the new
  // `data_directory` has been completed. At this point the sandbox will be
  // granted access to `data_directory` unconditionally.
  mojo_base.mojom.FilePath? unsandboxed_data_path;

  // Points to the cookie database file name inside `data_directory`. An
  // in-memory cookie store is used if it's empty, or if `data_directory` is
  // empty.
  mojo_base.mojom.FilePath? cookie_database_name;

  // Points to the Trust Token database file name inside `data_directory`. An
  // in-memory trust token store is used if it's empty, or if `data_directory`
  // is empty, or (through a fallback in the initialization logic; see
  // SQLiteTrustTokenPersister's comments) if initialization fails.
  //
  // Initializing the on-disk database takes place asynchronously, so requests
  // near startup may not support Trust Tokens protocol operations.
  mojo_base.mojom.FilePath? trust_token_database_name;

  // The name of the file to store cached server properties (Like HTTP2 and QUIC
  // support) inside `data_directory`. This information is used as a performance
  // optimization in connection logic. If empty, or if `data_directory` is
  // empty, an in-memory cache will be used instead.
  mojo_base.mojom.FilePath? http_server_properties_file_name;

  // The name of the file to store cached transport security properties (like
  // HSTS) inside `data_directory`. If empty, or `data_directory` is empty, or
  // the file can't be opened, an in-memory store will be used instead.
  mojo_base.mojom.FilePath? transport_security_persister_file_name;

  // Points to a sqlite database contained within `data_directory` containing
  // persisted Reporting clients and NEL policies. If Reporting and NEL
  // persistence is disabled, then this field is ignored. If this field is
  // empty, or `data_directory` is empty, then persistence will be disabled
  // regardless. This field should not be used if the ENABLE_REPORTING build
  // flag is false.
  mojo_base.mojom.FilePath? reporting_and_nel_store_database_name;

  // The name of the file to store pending SCT auditing reports inside
  // `data_directory`. If empty, or `data_directory` is empty, or the file can't
  // be opened, pending reports will instead be stored in-memory only.
  mojo_base.mojom.FilePath? sct_auditing_pending_reports_file_name;

  // Specifies whether or not a migration of existing data should occur from
  // `unsandboxed_data_path` to `data_directory`. It is not valid to set this
  // to true if an `unsandboxed_data_path` is not specified.
  // If the migration is successful then network context data will operate from
  // `data_directory`, and the old data will be removed from
  // `unsandboxed_data_path`.
  // If migration is unsuccessful then data will continue to operate from
  // `unsandboxed_data_path` and migration will be re-attempted the next time
  // `trigger_migration` is set to true.
  // Since migration is a one-way operation, setting `trigger_migration` to
  // false does not move the data back to `unsandboxed_data_path`. The network
  // context data will be read from `data_directory` or `unsandboxed_data_path`
  // depending on whether a migration has successfully occurred previously.
  // This parameter, along with `unsandboxed_data_path` parameter above will be
  // removed in the future, once migration of network context data to the new
  // `data_directory` has been completed. At this point the sandbox will be
  // granted access to `data_directory` unconditionally.
  bool trigger_migration = false;
};

// Parameters for constructing a network context.
struct NetworkContextParams {
  // The user agent string.
  string user_agent;

  // String to send as the Accept-Language header. This can be changed later
  // by calling SetAcceptLanguage on the NetworkContext. If empty, the header
  // will not be added.
  string accept_language;

  // Whether Brotli content-encoding should be enabled for HTTPS responses.
  bool enable_brotli = true;

  // QUIC user agent.
  string quic_user_agent_id;

  // If false, the referrer of requests is never populated.
  bool enable_referrers = true;

  // If true, requests initiated with referrers that don't match their referrer
  // policy will fail.
  bool validate_referrer_policy_on_initial_request = true;

  // Handles PAC script execution. If not populated, will attempt to use
  // platform implementation to execute PAC scripts, if available (Only
  // available on Windows and Mac).
  pending_remote<proxy_resolver.mojom.ProxyResolverFactory>?
      proxy_resolver_factory;

  // Handles all proxy resolution logic if the current proxy config comes from
  // the operating system. Otherwise, or if this is not populated, proxy
  // resolution is handled by Chrome as normal.
  [EnableIf=is_win]
  pending_remote<proxy_resolver_win.mojom.WindowsSystemProxyResolver>?
      windows_system_proxy_resolver;

  // Retrieves the PAC script URL set via DHCP from the browser process. Only
  // used if |proxy_resolver_factory| is set. Note: optional because some tests
  // build their own NetworkContextParams and don't need a DHCP WPAD client.
  [EnableIf=is_chromeos_ash]
  pending_remote<DhcpWpadUrlClient>? dhcp_wpad_url_client;

  // If true, cookies will be stored encrypted.
  bool enable_encrypted_cookies = true;

  // If the cookie file is given, this controls whether previously written
  // session cookies are restored. Otherwise it should be false.
  bool restore_old_session_cookies = false;

  // If the cookie file is given, this controls whether to persist session
  // cookies. Otherwise it should be false.
  bool persist_session_cookies = false;

  // True if an HTTP cache should be used.
  bool http_cache_enabled = true;
  // Maximum size of the HTTP cache. 0 means to use the default size.
  // Ignored if the cache is disabled.
  int32 http_cache_max_size = 0;
  // Points to the HTTP cache directory. Ignored if the cache is disabled.
  // If null and the cache is enabled, an in-memory database is used.
  TransferableDirectory? http_cache_directory;

  // A factory to broker file operations needed for the HTTP cache on some
  // platforms (depending on the sandboxing mechanism the platform provides).
  pending_remote<HttpCacheBackendFileOperationsFactory>?
      http_cache_file_operations_factory;

  // Enabled protocols. Note that these apply to all fetches, including those
  // used to fetch PAC scripts. Note that currently data URLs are always enabled
  // and file URLs are always disabled.

  // Whether or not to check the Android platform's cleartext policy for
  // requests. Under some conditions, Android may advise us to block cleartext
  // traffic.
  [EnableIf=is_android]
  bool check_clear_text_permitted = false;

  // If true, idle sockets won't be closed when memory pressure happens.
  bool disable_idle_sockets_close_on_memory_pressure = false;

  // SSL configuration. |initial_proxy_config| is the initial SSL configuration
  // to use. If nullptr, uses the default configuration. Updated SSL
  // configurations can be passed in via |ssl_config_client_receiver|.
  SSLConfig? initial_ssl_config;
  pending_receiver<SSLConfigClient>? ssl_config_client_receiver;

  // Proxy configuration. If |initial_proxy_config| is set, it's the initial
  // proxy configuration. Updated proxy configuration can be passed in via
  // |proxy_config_client_request|. If |initial_proxy_config| is not set,
  // proxy lookups will be deferred until a configuration is received via
  // |proxy_config_client_request|.
  //
  // If both are null, the NetworkContext will not use a proxy.
  ProxyConfigWithAnnotation? initial_proxy_config;
  pending_receiver<ProxyConfigClient>? proxy_config_client_receiver;

  // If |custom_proxy_config_client_receiver| is set, this context will listen
  // for updates to the custom proxy config, and use it if applicable for
  // requests which would otherwise be made direct.
  // |initial_custom_proxy_config| is the initial config settings.
  CustomProxyConfig? initial_custom_proxy_config;
  pending_receiver<CustomProxyConfigClient>?
      custom_proxy_config_client_receiver;

  // If |initial_custom_proxy_config| or |custom_proxy_config_client_receiver|
  // is set, information about custom proxy connections will be reported to this
  // observer.
  pending_remote<CustomProxyConnectionObserver>?
      custom_proxy_connection_observer_remote;

  // If |proxy_config_client_request| is non-null, this is called during
  // periods of network activity, and can be used as a signal for polling-based
  // logic to determine the proxy config.
  //
  // TODO(mmenke): Can the consumer piggy back on other network events through
  // other channels (navigation, issuing requests, etc)? Or can
  // ProxyConfigServices be modified not to need this notification?
  pending_remote<ProxyConfigPollerClient>? proxy_config_poller_client;

  // Optional client that will be notified of errors related to the proxy
  // settings.
  pending_remote<ProxyErrorClient>? proxy_error_client;

  // When PAC quick checking is enabled, DNS lookups for PAC script's host are
  // timed out aggressively. This prevents hanging all network request on DNS
  // lookups that are slow or are blockholed, at the cost of making it more
  // likely that the network service erroneously fails to fetch a PAC file.
  bool pac_quick_check_enabled = true;

  // Enables reporting certain SSL errors, such as HTTP Public Key Pinning, to
  // servers, so they can discover misconfigurations.
  bool enable_certificate_reporting = false;

  // True if the "Certificate Transparency in Chrome" policy (see
  // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should
  // be enforced for certificates and connections.
  //
  // See //net/docs/certificate-transparency.md before setting this flag to
  // true.
  [EnableIf=is_ct_supported]
  bool enforce_chrome_ct_policy = false;

  // Enables Expect CT reporting, which sends reports for opted-in sites that
  // don't serve sufficient Certificate Transparency information.
  [EnableIf=is_ct_supported]
  bool enable_expect_ct_reporting = false;

  // The SCT auditing mode. SCT auditing sends reports for SCTs found in
  // connections made by this network context. Can also be dynamically
  // configured via NetworkContext::SetSCTAuditingMode().
  [EnableIf=is_ct_supported]
  SCTAuditingMode sct_auditing_mode = SCTAuditingMode.kDisabled;

  // The initial CT policy to be used for requests. See
  // NetworkContext.SetCTPolicy() for more.
  [EnableIf=is_ct_supported]
  CTPolicy? ct_policy;

  // Contains a pipe to a CertVerifierService.
  CertVerifierServiceRemoteParams cert_verifier_params;

  // Initial additional certificates that will be used for certificate
  // validation.
  [EnableIf=is_chromeos]
  AdditionalCertificates? initial_additional_certificates;

  // Parameters for constructing the cookie manager.
  CookieManagerParams? cookie_manager_params;

  // Binds to the cookie manager associated with this network context, which
  // should only be handed out to trusted processes.
  [EnableIf=is_android]
  pending_receiver<CookieManager>? cookie_manager;

  // Whether to enable Domain Reliability.
  bool enable_domain_reliability = false;

  // The uploader reporter name to use for Domain Reliability uploads.
  string domain_reliability_upload_reporter;

  // Whether to discard Domain Reliability uploads.
  bool discard_domain_reliablity_uploads = false;

  // When reporting is enabled, this sets the delay between sending reports.
  // When omitted a default value is used.
  mojo_base.mojom.TimeDelta? reporting_delivery_interval;

  // Whether to bypass the ordinary permission checks for sending reports,
  // rather than calling NetworkContextClient.OnCanSendReportingReports() to
  // decide. This should only be used by tests.
  bool skip_reporting_send_permission_check = false;

  // Specifies the initial set of allowed and blocked origins for the
  // URLLoaderFactory consumers to access beyond the same-origin-policy.
  array<CorsOriginAccessPatterns> cors_origin_access_list;

  // Specifies header keys that are allowed to be used in
  // network::url_request.cors_exempt_headers.
  array<string> cors_exempt_header_list;

  // If true, no checking of cors exempt headers (from the browser) are done.
  // If false, cors_exempt_headers are checked against
  // |cors_exempt_header_list|.
  bool allow_any_cors_exempt_header_for_browser = false;

  // List of single-label hostnames that are exempted from the HSTS upgrade
  // policy.
  array<string> hsts_policy_bypass_list;

  // The params are network context specific which will be merged with
  // the dynamic preference from NetworkService side, to populate
  // HttpAuthPreference.
  HttpAuthStaticNetworkContextParams? http_auth_static_network_context_params;

  // Indicates that the HttpCache back-end should be reset (e.g. when a Finch
  // experiment changes the cache key representation via NetworkIsolationKey).
  // A reset throws out all existing cache content when loading the cache,
  // effectively starting with an empty cache.
  bool reset_http_cache_backend = false;

  // See comments on NetworkContext.SetSplitAuthCacheByNetworkIsolationKey.
  bool split_auth_cache_by_network_isolation_key = false;

  // If true, all requests that can take a NetworkIsolationKey or IsolationInfo
  // must be given a non-empty one.
  bool require_network_isolation_key = false;

  // If true, then the correct permissions have been set on the network service
  // files and sandbox can be enabled for this network context.
  [EnableIf=win_permissions_validation]
  bool win_permissions_set = false;

  // The paths to data files used by this network context, except for the disk
  // cache which is specified by the `http_cache_directory` parameter.
  // If empty then persistent storage for all of the files within this
  // parameter will be disabled for the network context and some data may be
  // stored in memory or disabled. See the above definition of each inner field
  // for details of these behaviors.
  NetworkContextFilePaths? file_paths;

  // Is true, Trust Token operations should be blocked.
  bool block_trust_tokens;
};

struct NetworkConditions {
  // If set, the offline state is simulated and other fields are ignored.
  bool offline;

  // Channel round-trip latency, i.e. minimum time between request sent and
  // response received.
  mojo_base.mojom.TimeDelta latency;

  // Maximal aggregated download throughput (bytes/sec). 0 disables download
  // throttling.
  double download_throughput;

  // Maximal aggregated upload throughput (bytes/sec). 0 disables upload
  // throttling.
  double upload_throughput;
};

// Used in some clearing methods of URL-keyed data to specify the resources to
// keep/delete.
struct ClearDataFilter {
  enum Type {DELETE_MATCHES, KEEP_MATCHES};

  Type type;

  // A list of registrable domains (e.g. google.com), internal hostnames
  // (e.g. localhost), or IP addresses (e.g. 127.0.0.1). Other domains, such as
  // third and lower level domains (e.g. www.google.com) are not accepted.
  // Formally, it must hold that GetDomainAndRegistry(|domain|, _) is |domain|
  // itself or an empty string.
  array<string> domains;

  // List of URL origins.
  array<url.mojom.Origin> origins;
};

// Represents a signed exchange report.
// Spec: https://wicg.github.io/webpackage/loading.html#queue-report
struct SignedExchangeReport {
  bool success;
  string type;
  url.mojom.Url outer_url;
  url.mojom.Url inner_url;
  url.mojom.Url cert_url;
  string referrer;
  IPAddress server_ip_address;
  string protocol;
  string method;
  int32 status_code;
  mojo_base.mojom.TimeDelta elapsed_time;
};

const int32 kBrowserProcessId = 0;
const int32 kInvalidProcessId = -1;

// URLLoaderFactory made by the network service consists of two layers of
// factories, the "internal" one that directly talks to the //net layer, and
// the "outer" one (which is also called CorsURLLoader) that enforces necessary
// security features such as CORS.
//
// This struct can be used to specify an alternative "internal"
// URLLoaderFactory so that the requests can still go through the "outer" one
// for security features, but then they are routed to the alternative
// |overriding_factory| rather than the one that talks to //net, which is also
// exposed to the consumer as |overridden_factory_receiver|.
//
// |overridden_factory_receiver| is useful when the receiver of
// |overriding_factory|| wants to decide which (of the "internal", or the
// "alternative" one) URLLoaderFactory to use on a per-request basis.
struct URLLoaderFactoryOverride {
  // This factory replaces the "internal" factory.
  pending_remote<URLLoaderFactory> overriding_factory;

  // A receiver for the replaced "internal" URLLoaderFactory.
  pending_receiver<URLLoaderFactory>? overridden_factory_receiver;

  // Specifies if we should accept unknown schemes for CORS-enabled requests
  // so that the |overriding_factory| can provide content for custom schemes.
  bool skip_cors_enabled_scheme_check = false;
};

// Whether to forbid all Trust Tokens redemption and signing operations
// (https://github.com/wicg/trust-token-api).
enum TrustTokenRedemptionPolicy {
  kForbid,
  kPotentiallyPermit,
};

[EnableIf=is_ct_supported]
enum SCTAuditingMode {
  // SCT auditing is completely disabled.
  kDisabled,

  // The user has opted-in to ESBR, so sampled SCTs are sent to Google.
  kEnhancedSafeBrowsingReporting,

  // The user is not opted-in to ESBR, and hashdance auditing is enabled.
  // Perform a k-anonymous prefix query for sampled SCTs, and upload only if the
  // SCT is not present in a log.
  kHashdance,
};

struct URLLoaderFactoryParams {
  // Process that will be using the URLLoaderFactory to initiate HTTP requests.
  // (This is *not* necessarily the same process that creates the factory,
  // since only the Browser process should be able to call
  // NetworkContext::CreateURLLoaderFactory.)
  //
  // Set to kBrowserProcessId to indicate the browser process.
  // SECURITY NOTE: Factories with kBrowserProcessId should not be sent
  // to untrustworthy processes.
  //
  // Set to RenderProcessHost::GetID() to indicate a renderer process.
  // SECURITY NOTE: Factories should not be shared among multiple renderer
  // processes (e.g. |request_initiator_origin_lock| is specific to a single
  // renderer process).
  int32 process_id = kInvalidProcessId;

  // If specified, then |request_initiator_origin_lock| locks
  // |ResourceRequest::request_initiator| to the specified origin.
  //
  // SECURITY NOTE: |request_initiator_origin_lock| should be present in all
  // factories that may be vended to a Renderer process.
  // |request_initiator_origin_lock| may be missing only in factories used by
  // the Browser process.
  url.mojom.Origin? request_initiator_origin_lock;

  // Cross-origin read blocking (CORB) configuration.
  bool is_corb_enabled = true;

  // Whether |isolated_world_origin| from network::ResourceRequest should be
  // ignored.  Set |ignore_isolated_world_origin| to |false| to allow isolated
  // worlds to bypass CORS security checks via OriginAccessList.
  //
  // TODO(https://crbug.com/1098410): Remove the `ignore_isolated_world_origin`
  // field once Chrome Platform Apps are gone.
  bool ignore_isolated_world_origin = true;

  // Indicate whether a request is not from web page ( probably from chrome
  // extension background page ).
  bool unsafe_non_webby_initiator = false;

  // If `true`, this factory is being created for a context that isn't
  // considered to be of the web. "Site"-based features, like Fetch
  // Metadata's `Sec-Fetch-Site` header will treat all requests from
  // this factory as initiated by the user agent itself, not from any
  // particular page.
  bool disable_web_security = false;

  // If this is set, requests with the kURLLoadOptionUseHeaderClient option will
  // callback to the |header_client|, allowing the Cookie/Referrer request
  // headers and Cookie response headers to be modified. This has a performance
  // impact because of the extra process hops, so use should be minimized.
  pending_remote<TrustedURLLoaderHeaderClient>? header_client;

  // Information used restrict access to identity information (like SameSite
  // cookies) and to shard network resources, like the cache. If set, takes
  // precedence over ResourceRequest::TrustedParams::IsolationInfo field
  // of individual requests.
  IsolationInfo isolation_info;

  // Whether secure DNS should be disabled for requests.
  bool disable_secure_dns = false;

  // True if this is for exclusive use by a trusted consumer. Only trusted
  // consumers can issue requests with ResourceRequest::trusted_params
  // populated.
  bool is_trusted = false;

  // If true, a cookie-less IsolationInfo is automatically assigned to
  // URLLoaders based on the URL being requested. The IsolaitonInfo will
  // have an empty SiteForCookies. If this is true, |isolation_info| must be
  // null. ResourceRequest::TrustedParams::IsolationInfo, if non-empty, will
  // take precedence over automatically assigning an IsolationInfo.
  bool automatically_assign_isolation_info = false;

  // Whether URLLoaders created by this factory need to call
  // URLLoaderNetworkServiceObserver::OnLoadingStateUpdate.
  bool provide_loading_state_updates = false;

  // An identifier for toplevel frame. This is used for resource accounting
  // for keepalive requests. When this factory is for a dedicated worker,
  // the identifier for the toplevel frame of the ancestor's frame is given.
  // When this factory is for a shared/service worker, null is given.
  mojo_base.mojom.UnguessableToken? top_frame_id;

  // Replaces the "internal" factory used by security features such as CORS.
  URLLoaderFactoryOverride? factory_override;

  // Used to enforce security properties on the requests loaded by the
  // URLLoader based on the Fetch client state.
  ClientSecurityState? client_security_state;

  // Used to report CORP violations caused by COEP.
  pending_remote<CrossOriginEmbedderPolicyReporter>? coep_reporter;

  // Used to notify clients about cookie reads or writes.
  pending_remote<CookieAccessObserver>? cookie_observer;

  // Used to notify clients about authentication and certificate events.
  pending_remote<URLLoaderNetworkServiceObserver>? url_loader_network_observer;

  // Used to notify devtools about events.
  pending_remote<DevToolsObserver>? devtools_observer;

  // If this equals kForbid, the context to which this loader is bound does not
  // allow any Trust Tokens (https://github.com/wicg/trust-token-api)
  // redemption or signing operations.
  //
  // This is set to kForbid for requests from subframes with the
  // `trust-token-redemption` Permissions Policy feature disabled by (1)
  // policies inherited from their parents, or (2) the frames' iframe tag
  // attributes.
  //
  // Note: Response headers can also disable this Permissions Policy feature.
  // This will not necessarily be reflected in the the enum's value. The
  // response headers' value is only available from an untrusted source.
  // - If the renderer behaves correctly, renderer-side checks guarantee that
  // these operations will not be executed in frames with the policy disabled
  // via response headers.
  // - If the renderer doesn't behave correctly, there's no point in
  // propagating the renderer's untrusted report about the response headers'
  // value.
  //
  // TODO(crbug.com/1071848): Once Permissions Policy headers are available from
  // a trusted source, it would be good to set this depending on the headers'
  // values, too.
  TrustTokenRedemptionPolicy trust_token_redemption_policy = kPotentiallyPermit;

  // TODO(lukasza): https://crbug.com/1151008: Consider removing this
  // diagnostic aid once the bug is understood.
  string debug_tag = "";
};

// Callback interface for NetworkContext when routing identifiers aren't
// available. Otherwise generally callbacks from the network service go on
// NetworkServiceClient.
//
// Implemented by the browser process.
interface NetworkContextClient {
  // Called when file uploading was requested.
  // If the process that requested the uploads has permission to read all of
  // the files referenced by |file_paths|, the callback arguments will be
  // net::OK, along with an array of open file handles. The array will contain
  // exactly one handle for each path in |file_paths|, in the same order.
  // If any files referenced by |file_paths| cannot be read, a net::ERROR will
  // be returned, and |files| will be an empty list. If the |async| parameter
  // is true, the files will be opened with FLAG_ASYNC.
  OnFileUploadRequested(int32 process_id,
                        bool async,
                        array<mojo_base.mojom.FilePath> file_paths) =>
      (int32 net_error, array<mojo_base.mojom.ReadOnlyFile> files);

  // Checks if network error reports could be sent for the given origins.
  // Replies with the origins that are allowed.
  OnCanSendReportingReports(array<url.mojom.Origin> origins) =>
      (array<url.mojom.Origin> origins);

  // Checks if a Domain Reliability report can be uploaded for the given origin.
  OnCanSendDomainReliabilityUpload(url.mojom.Url origin) => (bool allowed);

  // Called to generate an auth token for SPNEGO authentication on Android.
  [EnableIf=is_android]
  OnGenerateHttpNegotiateAuthToken(string server_auth_token, bool can_delegate,
                                   string auth_negotiate_android_account_type,
                                   string spn) =>
                                   (int32 result, string auth_token);

  // Notification that a trust anchor was used for the given user.
  [EnableIf=is_chromeos]
  OnTrustAnchorUsed();

  // If it's supported by the implementation, attempts to provide a response to
  // the given Trust Tokens issuance request through some kind of local
  // mediation---i.e., probably by a method other than sending a web request
  // directly to the issuer's server. In situations where it's not possible to
  // answer the request, returns a status of kNotFound (see the request and
  // response structs' comments for more information).
  OnTrustTokenIssuanceDivertedToSystem(FulfillTrustTokenIssuanceRequest request)
    => (FulfillTrustTokenIssuanceAnswer response);

  // Checks if a new SCT Auditing report can be sent. The browser maintains a
  // maximum report count cap for Hashdance clients -- this returns whether the
  // cap has been exceeded or not (i.e., whether another report can be sent from
  // this client). Only used for SCT auditing "hashdance" clients; no report cap
  // is applied for SBER clients.
  [EnableIf=is_ct_supported]
  OnCanSendSCTAuditingReport() => (bool allowed);

  // Signal that a new SCT auditing report has been sent, so that the browser
  // can update its report count. Only used for SCT auditing "hashdance"
  // clients.
  [EnableIf=is_ct_supported]
  OnNewSCTAuditingReportSent();
};

// Represents a distinct context for making network requests, with its own
// storage (e.g. cookies and cache).
//
// NetworkContext is implemented by the network service. It is a trusted
// interface that must not be sent to an untrusted process like a renderer
// process. Only the browser process should have access to it.
interface NetworkContext {
  // Sets a client for this network context.
  SetClient(pending_remote<NetworkContextClient> client);

  // Creates a new URLLoaderFactory with the given |params|.
  CreateURLLoaderFactory(pending_receiver<URLLoaderFactory> url_loader_factory,
                         URLLoaderFactoryParams params);

  // Destroys all URLLoaderFactory bindings, which should then be regenerated.
  // This should be called if there is a change to the proxies which should be
  // used on URLLoaders.
  ResetURLLoaderFactories();

  // Gets the CookieManager associated with this network context.
  //
  // The CookieManager must only be passed to trusted processes. Whenever
  // possible, a RestrictedCookieManager should be handed out instead.
  GetCookieManager(pending_receiver<CookieManager> cookie_manager);

  // Gets a RestrictedCookieManager scoped to a given origin, and applying
  // settings configured on the CookieManager associated with this domain.
  //
  // |origin| represents the domain for which the RestrictedCookieManager can
  // access cookies. It could either be a frame origin when |role| is
  // RestrictedCookieManagerRole::SCRIPT (a script scoped to a particular
  // document's frame)), or a request origin when |role| is
  // RestrictedCookieManagerRole::NETWORK (a network request).
  //
  // |isolation_info| contains info for SameSite and SameParty cookie queries.
  // Must be fully populated.
  //
  // If |role| == SCRIPT, this interface can be safely handed out to a process
  // that is known to represent the given origin, such as a renderer process.
  GetRestrictedCookieManager(
      pending_receiver<RestrictedCookieManager> restricted_cookie_manager,
      RestrictedCookieManagerRole role,
      url.mojom.Origin origin,
      IsolationInfo isolation_info,
      pending_remote<CookieAccessObserver>? cookie_observer);

  // Provides a HasTrustTokensAnswerer scoped to the given top-frame origin
  // (subsequent calls to its HasTrustTokens(issuer) method will attempt to
  // associate |issuer| with |top_frame_origin|, in the sense of
  // TrustTokenStore::SetAssociation, and reject if |top_frame_origin| is
  // already at its number-of-associated-issuers limit).
  //
  // The caller must ensure (enforced by ReportBadMessage) that
  // |top_frame_origin| is both
  // (1) potentially trustworthy and
  // (2) either HTTP or HTTPS.
  //
  // The first is a general security requirement; the second is in order to
  // ensure that the origin has a unique serialization (and, consequently, is
  // suitable for keying persistent Trust Tokens state).
  GetHasTrustTokensAnswerer(
      pending_receiver<HasTrustTokensAnswerer> has_trust_tokens_answerer,
      url.mojom.Origin top_frame_origin);

  // Clears persistent Trust Tokens data keyed by the origins in |filter|, and
  // by origins corresponding to the domains in |filter|.
  //
  // A null |filter| indicates that all Trust Tokens data should be cleared.
  ClearTrustTokenData(ClearDataFilter? filter) => ();

  // Returns the number of signed-but-not-spent Trust Tokens.
  GetStoredTrustTokenCounts()
      => (array<StoredTrustTokensForIssuer> tokens);

  // Deletes all Trust Tokens issued by |issuer|.
  //
  // This method is narrower as ClearTrustTokenData. ClearTrustTokenData
  // also clears out Redemption Records.
  DeleteStoredTrustTokens(url.mojom.Origin issuer)
      => (DeleteStoredTrustTokensStatus status);

  // Set Trust Token blocking to |block|.
  SetBlockTrustTokens(bool block);

  // Clears network objects with implicit URL history information. Data related
  // to events that happened prior to |start_time| and after |end_time| may be
  // retained. Only applies to network objects without more specific methods
  // (Cookies, and the cache have, or will have, their own clearing APIs). This
  // currently only covers server properties and transport security state.
  //
  // The callback will be invoked once the data has been deleted.
  ClearNetworkingHistoryBetween(mojo_base.mojom.Time start_time,
                                mojo_base.mojom.Time end_time) => ();

  // Clears content from the HTTP cache. A specific range of time can be
  // specified with |start_time| and |end_time|. This supports unbounded deletes
  // in either direction by using null Time values for either argument.
  // If a non-null |filter| is specified, will clear only entries matching the
  // filter.
  ClearHttpCache(mojo_base.mojom.Time start_time,
                 mojo_base.mojom.Time end_time,
                 ClearDataFilter? filter) => ();

  // Computes the size of cache objects last accessed between |start_time| and
  // |end_time|.
  //
  // If you don't want a lower bound, pass base::Time() for |start_time|.
  // If you don't want an upper bound, pass base::Time::Max()
  //
  // |upper_bound| will be returned as true if the implementation had to
  // overestimate; this may be as bad as giving the size of the entire cache.
  //
  // |size_or_error|, if non-negative, is the result in bytes; and a net error
  // code if negative.
  ComputeHttpCacheSize(mojo_base.mojom.Time start_time,
                       mojo_base.mojom.Time end_time)
      => (bool is_upper_bound, int64 size_or_error);

  // Notifies the HttpCache of a renderer-level cache hit with |url|
  // and |http_method|, with the network isolation key |key| and
  // |is_subframe_document_resource| is true if this is a subframe navigation
  // resource.
  //
  // This is being proxied by the browser because the renderer is unable to
  // directly interact with NetworkContext.
  NotifyExternalCacheHit(url.mojom.Url url, string http_method,
                         NetworkIsolationKey key,
                         bool is_subframe_document_resource,
                         bool include_credentials);

  // Clears the host cache. This will affect all NetworkContexts that share the
  // same HostResolved as the NetworkContext this is called on.
  //
  // If a non-null |filter| is specified, will clear only entries for domains
  // matching the filter. Filtering by origins is not supported. If |filter| is
  // non-null, |filter.origins| must be empty.
  ClearHostCache(ClearDataFilter? filter) => ();

  // Clears all entries from the HTTP Auth cache that were between |start_time|
  // and |end_time|, with |start_time| being inclusive and |end_time| exclusive.
  ClearHttpAuthCache(mojo_base.mojom.Time start_time,
                     mojo_base.mojom.Time end_time) => ();

  // Clears all report entries from the reporting cache. This has no effect if
  // the ENABLE_REPORTING build flag is false.
  //
  // If a non-null |filter| is specified, will clear only entries matching the
  // filter.
  ClearReportingCacheReports(ClearDataFilter? filter) => ();

  // Clears all client entries from the reporting cache. This has no effect if
  // the ENABLE_REPORTING build flag is false.
  //
  // If a non-null |filter| is specified, will clear only entries matching the
  // filter.
  ClearReportingCacheClients(ClearDataFilter? filter) => ();

  // Clears policy entries from the NetworkErrorLoggingService. This has no
  // effect if the ENABLE_REPORTING build flag is false.
  //
  // If a non-null |filter| is specified, will clear only entries matching the
  // filter.
  ClearNetworkErrorLogging(ClearDataFilter? filter) => ();

  // Mirror of domain_reliability::DomainReliabilityClearMode.
  enum DomainReliabilityClearMode {CLEAR_CONTEXTS, CLEAR_BEACONS};
  // Clears Domain Reliability entries, specified by |mode|.
  ClearDomainReliability(ClearDataFilter? filter,
                         DomainReliabilityClearMode mode) => ();

  // Returns a JSON value containing data for displaying on a debugging page.
  GetDomainReliabilityJSON() => (mojo_base.mojom.Value data);

  // Configures per-resource reporting endpoints set with the
  // Reporting-Endpoints header.
  // |reporting_source| is a token which identifies the document or worker with
  // which the header was received. The endpoints configured by this method are
  // only used to deliver reports which are queued by that same source.
  // |isolation_info| is used when creating the endpoints in the ReportingCache
  // and when determining which credentials to send with uploaded reports. Its
  // network isolation key will need to match the key sent when reports are
  // queued, in order for these reporting endpoints to be considered for
  // delivery, although this should always be the case when reports are queued
  // by the same source which configured the endpoints.
  // |endpoints| is a mapping of endpoint name to URL (URLs here are represented
  // as strings, and will be rejected if they fail to parse or are not secure).
  //
  // Spec: https://w3c.github.io/reporting/#header
  SetDocumentReportingEndpoints(
      mojo_base.mojom.UnguessableToken reporting_source,
      url.mojom.Origin origin, IsolationInfo isolation_info,
      map<string,string> endpoints);

  // Queues any outstanding reports for a single |reporting_source| (which
  // must not be empty), and removes the reporting endpoint configuration for
  // that source. This is called when the reporting source (document or worker)
  // is destroyed.
  SendReportsAndRemoveSource(
      mojo_base.mojom.UnguessableToken reporting_source);

  // Queues a report via the Reporting API. |type| describes the type of report
  // (as well as what data will contained in |body|). |group| specifies the
  // endpoint group that the report will be delivered to. |url| indicates the
  // URL of the resource that the report describes. |user_agent| may be
  // provided, or will be automatically generated if omitted; |body| holds the
  // contents of the report.
  //
  // |reporting_source| and |network_isolation_key| are used both for looking
  // up the appropriately scoped reporting information and for sending the
  // report. |network_isolation_key| indicates the NetworkIsolationKey
  // associated with the request, while |reporting_source|, if not empty,
  // identifies the specific document or worker instance causing the report to
  // be queued. If |reporting_source| is not empty, then it will be used to
  // look up reporting endpoints set with the SetDocumentReportingEndpoints
  // method first, and if no matching endpoint is found, it will fall back to
  // looking up a matching endpoint group configured for the origin and
  // |network_isolation_key|.
  //
  // Note that this queued report will never be delivered if no reporting
  // endpoint is registered for this |url| or |reporting_source| with the
  // provided |network_isolation_key|.
  //
  // Spec: https://w3c.github.io/reporting/#concept-reports
  QueueReport(string type,
              string group,
              url.mojom.Url url,
              mojo_base.mojom.UnguessableToken? reporting_source,
              NetworkIsolationKey network_isolation_key,
              string? user_agent,
              mojo_base.mojom.DeprecatedDictionaryValue body);

  // Queues a signed exchange report.
  //
  // Note that this queued report will never be delivered if no reporting
  // endpoint matching is registered for with the provided
  // |network_isolation_key|.
  QueueSignedExchangeReport(SignedExchangeReport report,
                            NetworkIsolationKey network_isolation_key);

  // Closes all open connections within this context.
  CloseAllConnections() => ();

  // Close all idle connections for the HTTP network session used by
  // this context.
  CloseIdleConnections() => ();

  // Configures network conditions for the specified throttling profile.
  // The throttling will be applied only to requests that have matching
  // throttling_profile_id.
  // Passing null NetworkConditions disables the throttling.
  SetNetworkConditions(mojo_base.mojom.UnguessableToken throttling_profile_id,
                       NetworkConditions? conditions);

  // Updates the Accept-Language header to be used for requests.
  SetAcceptLanguage(string new_accept_language);

  // If false, the referrer of requests is never populated.
  SetEnableReferrers(bool enable_referrers);

  // Updates the additional trust anchors for certificate verification.
  [EnableIf=is_chromeos]
  UpdateAdditionalCertificates(AdditionalCertificates? additional_certificates);

  // Updates the CT policy to be used for requests. Only applies if the
  // NetworkContextParams set enforce_chrome_ct_policy to true.
  // TODO(rsleevi): Remove this once Chrome-specific policies are moved out
  // of the network service.
  [EnableIf=is_ct_supported]
  SetCTPolicy(CTPolicy ct_policy);

  // Adds explicitly-specified data as if it was processed from an Expect-CT
  // header.
  [EnableIf=is_ct_supported]
  AddExpectCT(string host, mojo_base.mojom.Time expiry,
              bool enforce, url.mojom.Url report_uri,
              NetworkIsolationKey network_isolation_key) => (bool success);

  // Send a test CT report with dummy data for test purposes.
  [EnableIf=is_ct_supported]
  SetExpectCTTestReport(url.mojom.Url report_uri) => (bool success);

  // Retrieves the expect CT state from the associated network context
  // transport security state.
  [EnableIf=is_ct_supported]
  GetExpectCTState(string domain,
                   NetworkIsolationKey network_isolation_key)
                   => (mojo_base.mojom.DeprecatedDictionaryValue state);

  // Creates a UDP socket. Caller can supply a |listener| interface pointer
  // to listen for incoming datagrams. A null |listener| is acceptable if caller
  // is not interested in incoming data.
  // Any sockets that are created but are yet to be destroyed will be destroyed
  // when NetworkContext goes away.
  CreateUDPSocket(pending_receiver<UDPSocket> receiver,
                  pending_remote<UDPSocketListener>? listener);

  // Creates a TCP server socket that listens on |local_addr|. The socket
  // created can only be used for the purpose specified in |traffic_annotation|,
  // and cannot be re-used for other purposes. Caller must specify an address
  // family in |local_addr| to be either IPv4 or IPv6. If port in |local_addr|
  // is 0, the OS will pick an available port. If address bytes are 0, the OS
  // will pick a local address of the specified address family. |backlog| will
  // be passed to the OS to set the size of accept queue.
  // On success, the resulting local address will be written to |local_addr_out|
  // and |result| is net::OK. On failure, |result| is a network error code.
  //
  // Any sockets that are created but are yet to be destroyed will be destroyed
  // when NetworkContext goes away.
  CreateTCPServerSocket(IPEndPoint local_addr,
                        uint32 backlog,
                        MutableNetworkTrafficAnnotationTag traffic_annotation,
                        pending_receiver<TCPServerSocket> socket)
      => (int32 result, IPEndPoint? local_addr_out);

  // Creates a TCP socket connected to |remote_addr|. |observer| if non-null
  // will be used to listen for any network connection error on the newly
  // established connection. The socket created can only be used for the purpose
  // specified in |traffic_annotation|, and cannot be re-used for other
  // purposes. |local_addr| should be set to null unless the caller wants to
  // bind the socket to a specific address and port. On success, |result| is
  // net::OK. Caller is to use |send_stream| to send data and |receive_stream|
  // to receive data over the connection. On failure, |result| is a network
  // error code.
  //
  // If the client closes |socket| before this completes, the callback will be
  // invoked with net::ERR_ABORTED.
  //
  // Any sockets that are created but are yet to be destroyed will be destroyed
  // when NetworkContext goes away.
  CreateTCPConnectedSocket(
      IPEndPoint? local_addr,
      AddressList remote_addr_list,
      TCPConnectedSocketOptions? tcp_connected_socket_options,
      MutableNetworkTrafficAnnotationTag traffic_annotation,
      pending_receiver<TCPConnectedSocket> socket,
      pending_remote<SocketObserver>? observer)
      => (int32 result,
          IPEndPoint? local_addr,
          IPEndPoint? peer_addr,
          handle<data_pipe_consumer>? receive_stream,
          handle<data_pipe_producer>? send_stream);

  // Creates a TCPSocket bound to |local_addr|. The socket created can only be
  // used for the purpose specified in |traffic_annotation|, and cannot be
  // re-used for other purposes. |local_addr| is treated the same as in
  // CreateTCPServerSocket().
  //
  // On success, the resulting local address will be written to |local_addr_out|
  // and |result| is net::OK. On failure, |result| is a network error code.
  //
  // It's recommended consumers use CreateTCPServerSocket() or
  // CreateTCPConnectedSocket(). This method is just provided so legacy
  // consumers can mimic Berkeley sockets semantics.
  CreateTCPBoundSocket(IPEndPoint local_addr,
                       MutableNetworkTrafficAnnotationTag traffic_annotation,
                       pending_receiver<TCPBoundSocket> socket)
      => (int32 result, IPEndPoint? local_addr);

  // Creates a ProxyResolvingSocketFactory that shares some configuration params
  // with this NetworkContext, but uses separate socket pools.
  //
  // Any sockets that are created but are yet to be destroyed will be destroyed
  // when NetworkContext goes away.
  CreateProxyResolvingSocketFactory(
      pending_receiver<ProxyResolvingSocketFactory> factory);

  // Looks up what proxy to use for a particular URL. |network_isolation_key|
  // is used to partition the DNS cache in the case a PAC script is used, and
  // should match the NIK of the frame the lookup is for use with.
  LookUpProxyForURL(url.mojom.Url url,
                    NetworkIsolationKey network_isolation_key,
                    pending_remote<ProxyLookupClient> proxy_lookup_client);

  // Forces refetching the proxy configuration, and applying it.
  ForceReloadProxyConfig() => ();

  // Clears the list of bad proxy servers that has been cached.
  ClearBadProxiesCache() => ();

  // Creates a WebSocket connection to |url|. |requested_protocols| is a
  // list of tokens identifying sub-protocols the renderer would like to use,
  // as described in RFC6455 "Subprotocols Using the WebSocket Protocol".
  // |additional_headers| are miscellaneous HTTP headers to be added to the
  // request. Headers semantically relevant to the WebSocket handshake such
  // as "sec-websocket-protocol" and "origin" are handled separately, (e.g.,
  // "sec-websocket-protocol" is constructed from  |requested_protocols| in
  // this message). |site_for_cookies| represents the first-party origin for
  // the request. |options| may be a combination of the kWebSocketOption* flags.
  // |isolation_info| includes SiteForCookies, top frame origin, and current
  // frame origin, and is used to isolate shared network stack resources based
  // on the context. It must have RediredMode::kUpdateNothing. Currently,
  // |isolation_info|'s SiteForCookies field is ignored, but it will eventually
  // replace the |site_for_cookies| parameter.
  //
  // If |header_client| is set, requests with the kURLLoadOptionUseHeaderClient
  // option will callback to the |header_client|, allowing the Cookie/Referrer
  // request headers and Cookie response headers to be modified. This has a
  // performance impact because of the extra process hops, so use should be
  // minimized.
  //
  // Requests from a system context should set |process_id| to
  // |kBrowserProcessId|. In that case |render_frame_id| MUST be zero. These
  // values will still be passed to |OnSSLCertificateError| as needed but no
  // throttling will be performed for such WebSockets.
  //
  // Detect mojo connection errors on |handshake_client| until the connection
  // is established.
  // Do *NOT* interpret mojo connection errors on |auth_handler| and
  // |header_client| as WebSocket connection errors. They are disconnected when
  // the connection is established, and due to message ordering uncertainty we
  // cannot know what happened.
  //
  // |throttling_profile_id| can be provided to allow network conditions
  // emulation for this web socket connection. Emulated network conditions
  // can be set by calling SetNetworkConditions with a matching throttling
  // profile id.
  CreateWebSocket(
      url.mojom.Url url,
      array<string> requested_protocols,
      SiteForCookies site_for_cookies,
      IsolationInfo isolation_info,
      array<HttpHeader> additional_headers,
      int32 process_id,
      url.mojom.Origin origin,
      uint32 options,
      MutableNetworkTrafficAnnotationTag traffic_annotation,
      pending_remote<WebSocketHandshakeClient> handshake_client,
      pending_remote<URLLoaderNetworkServiceObserver>? url_loader_network_observer,
      pending_remote<WebSocketAuthenticationHandler>? auth_handler,
      pending_remote<TrustedHeaderClient>? header_client,
      mojo_base.mojom.UnguessableToken? throttling_profile_id);

  // Creates a WebTransport connection to |url|. |origin| is used for the
  // client indication - see
  // https://tools.ietf.org/html/draft-vvv-webtransport-quic-01#section-3.2 .
  // When |fingerprints| is not empty, it is used to verify the certificate.
  // https://wicg.github.io/web-transport/#dom-quictransportconfiguration-server_certificate_fingerprints
  //
  // It is recommended to detect mojo connection errors on |handshake_client|.
  CreateWebTransport(
        url.mojom.Url url,
        url.mojom.Origin origin,
        NetworkIsolationKey network_isolation_key,
        array<WebTransportCertificateFingerprint> fingerprints,
        pending_remote<WebTransportHandshakeClient> handshake_client);

  // Create a NetLogExporter, which helps export NetLog to an existing file.
  // Note that the log is generally global, including all NetworkContexts
  // managed by the same NetworkService. The particular NetworkContext this is
  // called on will determine which NetworkContext gets its information and
  // configuration summary written out at the end of the log.
  CreateNetLogExporter(pending_receiver<NetLogExporter> receiver);

  // Tries to preconnect to |url|. |num_streams| may be used to request more
  // than one connection be established in parallel.
  // |allow_credentials| is true if the connection is to be pooled with
  // credentialed requests and false otherwise.
  // |network_isolation_key| specifies the NetworkIsolationKey to associate
  // with the preconnected sockets. The sockets will only be used for requests
  // associated with the same key.
  PreconnectSockets(uint32 num_streams,
                    url.mojom.Url url,
                    bool allow_credentials,
                    NetworkIsolationKey network_isolation_key);

  // Creates a P2PSocketManager instance, used for WebRTC.
  // |network_isolation_key| is the network cache shard to associate with the
  // P2PSocketManager instance, and affects DNS cache shard used and proxy
  // connection sharing.
  [EnableIf=is_p2p_enabled]
  CreateP2PSocketManager(
      NetworkIsolationKey network_isolation_key,
      pending_remote<P2PTrustedSocketManagerClient> client,
      pending_receiver<P2PTrustedSocketManager> trusted_socket_manager,
      pending_receiver<P2PSocketManager> socket_manager);

  // Creates an MdnsResponder instance.
  CreateMdnsResponder(pending_receiver<MdnsResponder> responder_receiver);

  // Resolves the given hostname (or IP address literal). See documentation at
  // HostResolver::ResolveHost.
  //
  // All outstanding requests are cancelled if the NetworkContext is destroyed.
  // Such requests will receive ERR_FAILED via |response_client|.
  ResolveHost(HostPortPair host,
              NetworkIsolationKey network_isolation_key,
              ResolveHostParameters? optional_parameters,
              pending_remote<ResolveHostClient> response_client);

  // Creates a HostResolver interface that can be passed to code/processes
  // without direct access to NetworkContext to make ResolveHost requests.
  //
  // If set, |config_overrides| will override configuration read from the system
  // DNS configuration when resolution is performed using the built-in resolver
  // (which can be forced using ResolveHostParameters::source = Source.DNS).
  //
  // If this NetworkContext is destroyed, all outstanding requests from child
  // HostResolvers will be cancelled. Such requests will receive ERR_FAILED via
  // |response_client|.
  //
  // TODO(crbug.com/821021): If necessary as usage and functionality is added to
  // the contained ResolveHost method, consider adding the ability for this to
  // be a restricted resolver with some functionality disabled (eg maybe MDNS).
  CreateHostResolver(DnsConfigOverrides? config_overrides,
                     pending_receiver<HostResolver> host_resolver);

  // Checks the given certificate against the CertVerifier and CTVerifier. This
  // implementation is currently specific for use by Signed Exchange.
  //
  // |network_isolation_key| must be the NetworkIsolationKey associated with the
  // underlying resource load, and is used foy any reports generated as a result
  // of verifying the cert.
  VerifyCertForSignedExchange(X509Certificate certificate,
                              url.mojom.Url url,
                              NetworkIsolationKey network_isolation_key,
                              string ocsp_response,
                              string sct_list) => (int32 error_code,
                                                   CertVerifyResult cv_result,
                                                   bool pkp_bypassed,
                                                   string pinning_failure_log);

  // Adds explicitly-specified data as if it was processed from an
  // HSTS header. Used by tests and implementation of chrome://net-internals.
  AddHSTS(string host, mojo_base.mojom.Time expiry,
          bool include_subdomains) => ();

  // Returns true if it is known that |host| has requested to always be
  // accessed via HTTPS.
  IsHSTSActiveForHost(string host) => (bool result);

  // Retrieve values from the HSTS state from the associated contexts
  // transport security state.
  GetHSTSState(string domain)
      => (mojo_base.mojom.DeprecatedDictionaryValue state);

  // Sets allowed and blocked origins respectively for the URLLoaderFactory
  // consumers to access beyond the same-origin policy. The list is managed per
  // each |source_origin|, and each call will flash old set lists for the
  // |source_origin|. The passed |patterns| will be set instead. If an empty
  // array is given for |allow_patterns| and/or |block_patterns|, the
  // |source_origin|'s origin list for each is set to empty respectively.
  // TODO(crbug.com/936310): Eventually, we want to stop using per-context
  // access lists, and use only per-factory access lists, or stop managing the
  // list in the NetworkService completely.
  SetCorsOriginAccessListsForOrigin(
      url.mojom.Origin source_origin, array<CorsOriginPattern> allow_patterns,
      array<CorsOriginPattern> block_patterns) => ();

  // Deletes any dynamic data stored for |host| from the transport
  // security state. Returns true iff an entry was deleted.
  // See net::TransportSecurityState::DeleteDynamicDataForHost for more detail.
  DeleteDynamicDataForHost(string host) => (bool result);

  // Sets whether the HTTP auth cache will be split the NetworkIsolationKey.
  // Only affects server (not proxy) credentials. Whenever the effective value
  // is changed, all cached server auth credentials will be cleared.
  SetSplitAuthCacheByNetworkIsolationKey(
      bool split_auth_cache_by_network_isolation_key);

  // Copies the proxy entries of this NetworkContext's auth cache and
  // returns a key that can be used by LoadHttpAuthCache to load them into
  // another NetworkContext's auth cache. The data referenced by the
  // returned key is not associated with this NetworkContext, so will outlast
  // its destruction. If there is no corresponding LoadHttpAuthCache call, the
  // saved HttpAuthCache data will leak.
  //
  // TODO(crbug.com/914082): Return a scoped handle that can automatically free
  // the cache when it goes out of scope.
  SaveHttpAuthCacheProxyEntries()
      => (mojo_base.mojom.UnguessableToken cache_key);

  // Loads auth cache entries previously saved by SaveHttpAuthCacheProxyEntries,
  // and copies them into this NetworkContext's HttpAuthCache. This may only be
  // called once for each token returned by SaveHttpAuthCacheProxyEntries().
  LoadHttpAuthCacheProxyEntries(mojo_base.mojom.UnguessableToken cache_key)
      => ();

  // Adds an entry to the HttpAuthCache. |network_isolation_key| is the
  // NetworkIsolationKey to restrict the credentials to, and is only respected
  // for server (not proxy) HTTP auth and only when the NetworkService was
  // configured to split the auth cache by NetworkIsolationKey. |challenge|
  // may not necessarily contain a stateful challenge that requires a persistent
  // connection, allowing the cache to be pre-populated.
  AddAuthCacheEntry(AuthChallengeInfo challenge,
                    NetworkIsolationKey network_isolation_key,
                    AuthCredentials credentials) => ();

  // Sets whether
  // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name is
  // supported in this network context.
  SetCorsNonWildcardRequestHeadersSupport(bool value);

  // Looks up credentials in the HttpAuthCache using the origin and path from
  // |url|. Only supports basic auth scheme. Only looks up server (not proxy)
  // auth credentials, and only those that are usable in the scope of
  // |network_isolation_key|.
  LookupServerBasicAuthCredentials(url.mojom.Url url,
      NetworkIsolationKey network_isolation_key)
      => (AuthCredentials? credentials);

  // Looks up the proxy authentication credentials associated with
  // |proxy_server|, |auth_scheme| and |realm| in the HttpAuthCache.
  // |auth_scheme| is the authentication scheme of the challenge and it's
  // specified as a case-insensitive string. Unlike server credentials, proxy
  // credentials are not keyed on NetworkIsolationKey.
  [EnableIf=is_chromeos_ash]
  LookupProxyAuthCredentials(proxy_resolver.mojom.ProxyServer proxy_server,
      string auth_scheme, string realm)
      => (AuthCredentials? credentials);

  [Sync]
  // Enables the checking of static PKP records.
  EnableStaticKeyPinningForTesting() => ();

  // Verifies the given certificate using the context's CertVerifier.
  VerifyCertificateForTesting(X509Certificate certificate,
                              string hostname,
                              string ocsp_response,
                              string sct_list) => (int32 error_code);

  [Sync]
  // Adds a Domain Reliability Context.
  AddDomainReliabilityContextForTesting(
    url.mojom.Url origin, url.mojom.Url upload_url) => ();

  [Sync]
  // Forces all pending Domain Reliability uploads to run now, even if their
  // minimum delay has not yet passed.
  ForceDomainReliabilityUploadsForTesting() => ();

  // Gets the OriginPolicyManager associated with this network context.
  GetOriginPolicyManager(
      pending_receiver<OriginPolicyManager> origin_policy_manager);

  // If called, the CT log list will be considered always timely.
  [EnableIf=is_ct_supported]
  SetCTLogListAlwaysTimelyForTesting();

  // Set the SCT auditing mode for this NetworkContext.
  [EnableIf=is_ct_supported]
  SetSCTAuditingMode(SCTAuditingMode mode);

  // Adds an observer that will receive Reporting Service callbacks. Generates
  // events for Reporting API reports currently stored in the reporting service.
  [EnableIf=enable_reporting]
  AddReportingApiObserver(pending_remote<ReportingApiObserver> observer);
};