authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-09 20:28:47 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-09 20:28:47 +0000
commitb7f9fb2e5ebe7ba2308ddf95c5c6663bfc55e86f (patch)
tree2cbccf3277a23b65022f897a340f5ecb065b7fc2 /net/base/transport_security_state.h
parentb167c4c2512e5a9bc16dd0338bad8f4e715f52be (diff)
Add gmail.com and googlemail.com to the HSTS hardcoded list. These domains
are important because although they don't have any content, they often form the start of a user navigation into Gmail. If https is used, then the chain of redirects to login is secured (https://gmail.com -> https://mail.google.com -> https://www.google.com/accounts). Without https, an sslstrip attack can be fully mounted all the way to the login page (Tunisia?) It's a tricky add because https on these domains is SNI-only and the availability of SNI varies depending on preferences, but I added the plumbing to take care of this easily for future additions. TEST=TransportSecurityStateTest.Preloaded Review URL: http://codereview.chromium.org/6812031 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81041 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/transport_security_state.h')
-rw-r--r--net/base/transport_security_state.h9
1 files changed, 6 insertions, 3 deletions
diff --git a/net/base/transport_security_state.h b/net/base/transport_security_state.h
index 18bf51c..e7705f5 100644
--- a/net/base/transport_security_state.h
+++ b/net/base/transport_security_state.h
@@ -67,9 +67,11 @@ class TransportSecurityState :
// action is taken. Returns true iff an entry was deleted.
bool DeleteHost(const std::string& host);
- // Returns true if |host| has TransportSecurity enabled. If that case,
- // *result is filled out.
- bool IsEnabledForHost(DomainState* result, const std::string& host);
+ // Returns true if |host| has TransportSecurity enabled, in the context of
+ // |sni_available|. In that case, *result is filled out.
+ bool IsEnabledForHost(DomainState* result,
+ const std::string& host,
+ bool sni_available);
// Deletes all records created since a given time.
void DeleteSince(const base::Time& time);
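Review bot: The new comment on `IsEnabledForHost` says only "in the context of |sni_available|", which does not tell a caller what passing `false` does. Going by the commit description, preloaded entries that are reachable only with SNI (gmail.com, googlemail.com) are presumably skipped when SNI is unavailable, so the call would return false and the navigation would stay on plain http; that fail-open case deserves a sentence, e.g. `// If |sni_available| is false, preloaded entries that require SNI are ignored and |host| may be reported as not enabled.` It would also help to say whether entries learned from response headers are affected by the flag. The same applies to `IsPreloadedSTS` in the second hunk, which gains the parameter without any comment; the class declaration starts and ends outside both hunks.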
@@ -112,6 +114,7 @@ class TransportSecurityState :
static std::string CanonicalizeHost(const std::string& host);
static bool IsPreloadedSTS(const std::string& canonicalized_host,
+ bool sni_available,
bool* out_include_subdomains);
// The set of hosts that have enabled TransportSecurity. The keys here