net: don't check revocation when fetching PAC files.

If a PAC file is configured on an HTTPS URL we get into trouble. In order to
check revocation we need to make an HTTP request to the OCSP/CRL server, which
needs the PAC script to load and so we deadlock.

With this change we don't check revocation for PAC fetches.

BUG=86219
TEST=Configure a PAC script on HTTPS.


Review URL: http://codereview.chromium.org/7170026

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@89489 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 6 insertions, 1 deletions

diff --git a/net/proxy/proxy_script_fetcher_impl.cc b/net/proxy/proxy_script_fetcher_impl.cc
index c276c30..d0b9d6a 100644
--- a/net/proxy/proxy_script_fetcher_impl.cc
+++ b/net/proxy/proxy_script_fetcher_impl.cc
@@ -145,7 +145,12 @@ int ProxyScriptFetcherImpl::Fetch(const GURL& url,
   // Also disable the use of the disk cache. The cache is disabled so that if
   // the user switches networks we don't potentially use the cached response
   // from old network when we should in fact be re-fetching on the new network.
-  cur_request_->set_load_flags(LOAD_BYPASS_PROXY | LOAD_DISABLE_CACHE);
+  // If the PAC script is hosted on an HTTPS server we bypass revocation
+  // checking in order to avoid a circular dependency when attempting to fetch
+  // the OCSP response or CRL. We could make the revocation check go direct but
+  // the proxy might be the only way to the outside world.
+  cur_request_->set_load_flags(LOAD_BYPASS_PROXY | LOAD_DISABLE_CACHE |
+                               LOAD_DISABLE_CERT_REVOCATION_CHECKING);
 
   // Save the caller's info for notification on completion.
   callback_ = callback;