authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-29 20:00:49 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-29 20:00:49 +0000
commitdc694c3f130f849774acdad09b5e2b8420d0ae9f (patch)
treeec2fe082c324e419fe0db917d1d9a611f0dae906 /net/url_request
parent22c830d776888b5c42110447ae7759f457482571 (diff)
net: make interstitials fatal for pinned sites
BUG=105582 TEST=net_unittests Review URL: http://codereview.chromium.org/8727003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112003 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
-rw-r--r--net/url_request/url_request_http_job.cc27
-rw-r--r--net/url_request/url_request_test_util.cc2
-rw-r--r--net/url_request/url_request_test_util.h2
-rw-r--r--net/url_request/url_request_unittest.cc42
4 files changed, 59 insertions, 14 deletions
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 5f405cd..b5ef12d 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -179,21 +179,19 @@ URLRequestJob* URLRequestHttpJob::Factory(URLRequest* request,
TransportSecurityState::DomainState domain_state;
if (scheme == "http" &&
request->context()->transport_security_state() &&
- request->context()->transport_security_state()->IsEnabledForHost(
+ request->context()->transport_security_state()->GetDomainState(
&domain_state,
request->url().host(),
SSLConfigService::IsSNIAvailable(
- request->context()->ssl_config_service()))) {
- if (domain_state.mode ==
- TransportSecurityState::DomainState::MODE_STRICT) {
- DCHECK_EQ(request->url().scheme(), "http");
- url_canon::Replacements<char> replacements;
- static const char kNewScheme[] = "https";
- replacements.SetScheme(kNewScheme,
- url_parse::Component(0, strlen(kNewScheme)));
- GURL new_location = request->url().ReplaceComponents(replacements);
- return new URLRequestRedirectJob(request, new_location);
- }
+ request->context()->ssl_config_service())) &&
+ domain_state.ShouldRedirectHTTPToHTTPS()) {
+ DCHECK_EQ(request->url().scheme(), "http");
+ url_canon::Replacements<char> replacements;
+ static const char kNewScheme[] = "https";
+ replacements.SetScheme(kNewScheme,
+ url_parse::Component(0, strlen(kNewScheme)));
+ GURL new_location = request->url().ReplaceComponents(replacements);
+ return new URLRequestRedirectJob(request, new_location);
}
return new URLRequestHttpJob(request);
@@ -741,9 +739,10 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
TransportSecurityState::DomainState domain_state;
const bool is_hsts_host =
context_->transport_security_state() &&
- context_->transport_security_state()->IsEnabledForHost(
+ context_->transport_security_state()->GetDomainState(
&domain_state, request_info_.url.host(),
- SSLConfigService::IsSNIAvailable(context_->ssl_config_service()));
+ SSLConfigService::IsSNIAvailable(context_->ssl_config_service())) &&
+ domain_state.ShouldCertificateErrorsBeFatal();
NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info,
is_hsts_host);
} else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
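Review bot: The local `is_hsts_host` in OnStartCompleted no longer means what its name says, because it is now true only when `domain_state.ShouldCertificateErrorsBeFatal()` also holds, and the commit title suggests that is meant to cover pinned sites as well as HSTS ones. The value goes straight into `NotifySSLCertificateError`, so a delegate that reads the argument as "this host has HSTS" may decide wrongly whether the error can be bypassed. Consider renaming it, for example `const bool is_fatal_cert_error =`, or adding `// True when the certificate error must not be overridable (HSTS or pinned host).` above the declaration. ShouldCertificateErrorsBeFatal is defined outside this diff, so the exact set of hosts is inferred, and the function body continues outside the hunk.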
diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc
index 3a75332..11d9e01 100644
--- a/net/url_request/url_request_test_util.cc
+++ b/net/url_request/url_request_test_util.cc
@@ -174,6 +174,7 @@ TestDelegate::TestDelegate()
received_data_before_response_(false),
request_failed_(false),
have_certificate_errors_(false),
+ is_hsts_host_(false),
auth_required_(false),
buf_(new net::IOBuffer(kBufferSize)) {
}
@@ -209,6 +210,7 @@ void TestDelegate::OnSSLCertificateError(net::URLRequest* request,
// independent of any possible errors, or whether it wants SSL errors to
// cancel the request.
have_certificate_errors_ = true;
+ is_hsts_host_ = is_hsts_host;
if (allow_certificate_errors_)
request->ContinueDespiteLastError();
else
diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h
index 3407e12..11ab2b6 100644
--- a/net/url_request/url_request_test_util.h
+++ b/net/url_request/url_request_test_util.h
@@ -120,6 +120,7 @@ class TestDelegate : public net::URLRequest::Delegate {
}
bool request_failed() const { return request_failed_; }
bool have_certificate_errors() const { return have_certificate_errors_; }
+ bool is_hsts_host() const { return is_hsts_host_; }
bool auth_required_called() const { return auth_required_; }
// net::URLRequest::Delegate:
@@ -165,6 +166,7 @@ class TestDelegate : public net::URLRequest::Delegate {
bool received_data_before_response_;
bool request_failed_;
bool have_certificate_errors_;
+ bool is_hsts_host_;
bool auth_required_;
std::string data_received_;
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 86da221..e02c3fc 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -1079,6 +1079,48 @@ TEST_F(HTTPSRequestTest, HTTPSExpiredTest) {
}
}
+// This tests that a load of www.google.com with a certificate error sets the
+// is_hsts_host flag correctly. This flag will cause the interstitial to be
+// fatal.
+TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) {
+ TestServer::HTTPSOptions https_options(
+ TestServer::HTTPSOptions::CERT_MISMATCHED_NAME);
+ TestServer test_server(https_options,
+ FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+ ASSERT_TRUE(test_server.Start());
+
+ // We require that the URL be www.google.com in order to pick up the
+ // preloaded HSTS entries in the TransportSecurityState. This means that we
+ // have to use a MockHostResolver in order to direct www.google.com to the
+ // testserver.
+
+ MockHostResolver host_resolver;
+ host_resolver.rules()->AddRule("www.google.com", "127.0.0.1");
+ TestNetworkDelegate network_delegate; // must outlive URLRequest
+ scoped_refptr<TestURLRequestContext> context(new TestURLRequestContext(true));
+ context->set_network_delegate(&network_delegate);
+ context->set_host_resolver(&host_resolver);
+ TransportSecurityState transport_security_state("");
+ context->set_transport_security_state(&transport_security_state);
+ context->Init();
+
+ TestDelegate d;
+ TestURLRequest r(GURL(StringPrintf("https://www.google.com:%d",
+ test_server.host_port_pair().port())),
+ &d);
+ r.set_context(context);
+
+ r.Start();
+ EXPECT_TRUE(r.is_pending());
+
+ MessageLoop::current()->Run();
+
+ EXPECT_EQ(1, d.response_started_count());
+ EXPECT_FALSE(d.received_data_before_response());
+ EXPECT_TRUE(d.have_certificate_errors());
+ EXPECT_TRUE(d.is_hsts_host());
+}
+
namespace {
class SSLClientAuthTestDelegate : public TestDelegate {
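Review bot: HTTPSPreloadedHSTSTest checks only the positive case, so nothing added here would catch `is_hsts_host` being reported true for every certificate error, which would make all interstitials fatal. A matching negative assertion, `EXPECT_FALSE(d.is_hsts_host());`, in a certificate-error test against a host with no preloaded entry would pin the overridable path; HTTPSExpiredTest, named in the hunk header, looks like a candidate, though its body is not visible here. The test also passes only while www.google.com stays in the preloaded list, so the existing comment could say that removing the entry is expected to fail `EXPECT_TRUE(d.is_hsts_host())`.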