AI Chat becomes a trusted WebUI with an UntrustedWebUI frame for LLM-generated responses

[petemill]

Issues

• Resolves AI Chat conversation entries should be isolated in an untrusted frame brave-browser#42818
• Resolves Change AI Chat url to chrome://leo-ai brave-browser#42817
• Resolves AI Chat omnibox entry should open full page brave-browser#42844

Description

• changes Leo Url to chrome://leo-ai
• untrusted frame content Url is chrome-untrusted://leo-ai-conversation-entries/[conversation-uuid]

This was requested by the security team in order to make sure the API footprint exposed to a renderer which is renderering LLM-generated content is as small as possible.

The two frames use the same JS build to optimize bundle size, but do not share the same allowed mojom interfaces. The untrusted frame is limited to UntrustedConversationHandler to send calls to the browser and UntrustedUI to receive calls from the browser.

The frames need to communicate with each other in order to solve the main hassle of using an iframe: layout. An iframe is always a fixed width and height, decided by its host and will not expand to the child body size.

Since the iframed content is just part of the scroll area of a Conversation, we must tell the parent whenever the body size changes. Further complicating the situation is continuously knowing when the latest part of a conversation response is rendered, so that we can scroll the container to show it.

The inter-frame communication is done via mojom directly, initially facilitated by the C++ WebUI handlers.

TODO:

• ratings
• storybook fix to not use iframe
• nice fade to avoid content jumping in height as iframe works out how big it needs to be
• scroll to bottom still not working
• organize mojom file, split some interfaces to a new file
  • Will do more of this in a follow-up as it would end up making review more difficult

Resolves

Submitter Checklist:

• I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally:
  • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
  • npm run presubmit wiki, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

[fallaciousreasoning]

nit:

Suggested change

	this.eventTarget.addEventListener('uistatechange', callback)
	this.eventTarget.addEventListener('statechange', callback)

[fallaciousreasoning]

👍 this looks great, I am 100% on board

[fallaciousreasoning]

Maybe worth

Suggested change

	export default function useAPIState<T, Y>(api: API<Y>, defaultState: T) {
	export default function useAPIState<T extends Y, Y>(api: API<Y>, defaultState: T) {

[petemill]

Actually, can't this just be:

export default function useAPIState<T>(api: API<T>, defaultState: T) {

[petemill]

Issue and Security review incoming...

[petemill]

This is the API exposed to the untrusted frame from the Conversation

[bridiver]

not sure if it's a good idea to mix them in the same mojom file? Are there other examples of doing this?

[petemill]

These are the API calls that the Untrusted frame can make to the C++ UI class and the Javascript parent frame

[petemill]

This is the data, in addition to the conversation history itself, that the untrusted frame receives

[petemill]

CSP for the untrusted frame

[petemill]

CSP changes for the trusted parent frame

[petemill]

new URLs

[petemill]

This file can be split up further. I started doing it but stashed the changes for now because I didn't want to further bloat this PR.

[petemill]

ConversationHandler has to manage receiver and remote for each parent trusted webui and child untrusted webui

[github-actions]

[puLL-Merge] - brave/brave-core@26855

Description

This PR introduces significant changes to the AI Chat feature in the Brave browser. It restructures the UI components, adds new functionality, and improves the overall architecture of the AI Chat system. The changes include splitting the UI into trusted and untrusted parts, implementing a new conversation entries frame, and updating the API and state management for both the main UI and the conversation entries.

Changes

Changes

1. browser/ai_chat/:

   • Added new files ai_chat_urls.cc and ai_chat_urls.h to handle URL-related functions for AI Chat.
   • Updated ai_chat_throttle_unittest.cc to use new URL constants.

2. browser/ui/webui/ai_chat/:

   • Added ai_chat_untrusted_conversation_ui.cc and ai_chat_untrusted_conversation_ui.h to implement the untrusted conversation UI.
   • Updated ai_chat_ui.cc and ai_chat_ui.h to accommodate new changes and integrate with the untrusted conversation UI.

3. components/ai_chat/:

   • Significant updates to conversation_handler.cc and conversation_handler.h to support new functionality and integrate with the untrusted conversation UI.
   • Updates to associated_content_driver.cc and associated_content_driver.h to handle title changes.
   • Changes to features.cc and features.h to add new feature flags.

4. components/ai_chat/resources/:

   • Restructured the resources directory, moving common components and adding new files for the untrusted conversation frame.
   • Added new React components and updated existing ones to support the new UI structure.

5. ios/:

   • Updated iOS-specific files to align with the new API changes, particularly in handling conversation ratings.

sequenceDiagram
    participant User
    participant TrustedUI
    participant UntrustedUI
    participant ConversationHandler
    participant AIService

    User->>TrustedUI: Interact with AI Chat
    TrustedUI->>UntrustedUI: Load conversation entries
    UntrustedUI->>ConversationHandler: Request conversation history
    ConversationHandler->>AIService: Get conversation data
    AIService-->>ConversationHandler: Return conversation data
    ConversationHandler-->>UntrustedUI: Send conversation history
    UntrustedUI-->>TrustedUI: Update UI with conversation entries
    User->>UntrustedUI: Rate a message
    UntrustedUI->>TrustedUI: Notify of rating
    TrustedUI->>ConversationHandler: Submit rating
    ConversationHandler->>AIService: Process rating
    AIService-->>ConversationHandler: Confirm rating
    ConversationHandler-->>TrustedUI: Update UI with rating result

Loading

Possible Issues

1. The separation of trusted and untrusted UI components may introduce complexity in state management and communication between different parts of the application.
2. The new URL structure and handling might require updates in other parts of the codebase that are not covered in this PR.

Security Hotspots

1. The introduction of an untrusted conversation frame (ai_chat_untrusted_conversation_ui) requires careful review to ensure proper isolation and security measures are in place.
2. The new message rating system in conversation_handler.cc should be reviewed to ensure it doesn't introduce any vulnerabilities in handling user input.

[brave-builds]

Released in v1.75.93