Resolve style nits and clean up Strict-Transport-Security header handling code.

Per wtc. Note that we purposefully do not set MODE_STRICT when processing Public-Key-Pins headers, because it is possible (and desirable by some) to note and validate pins when using HTTPS, but not to require HTTPS. The dynamic key pinning spec requires this behavior, although my first draft and instincts were also to have pinning imply MODE_STRICT. BUG=78369, 109772 TEST=net_unittests TransportSecurityStateTest.*, browser_tests NetInternalsTest.* Review URL: http://codereview.chromium.org/9167024 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117175 0039d316-1c4b-4281-b951-d872f2087c98
author: palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-01-11 06:15:07 +0000
committer: palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-01-11 06:15:07 +0000
commit: e88006f1a0aaee7d6abd93162be1231cf43ecf97 (patch)
tree: 3a218e7341e67d4c385d44e90e2ba98bbef6134d /net
parent: d40be4ddd79916ed59e89cd27bab3d74e377809b (diff)
download: chromium_src-e88006f1a0aaee7d6abd93162be1231cf43ecf97.zip
chromium_src-e88006f1a0aaee7d6abd93162be1231cf43ecf97.tar.gz
chromium_src-e88006f1a0aaee7d6abd93162be1231cf43ecf97.tar.bz2
3 files changed, 13 insertions, 13 deletions
diff --git a/net/base/transport_security_state.h b/net/base/transport_security_state.h
index 5bf4ace..74bdf65 100644
--- a/net/base/transport_security_state.h
+++ b/net/base/transport_security_state.h
@@ -199,7 +199,8 @@ class NET_EXPORT TransportSecurityState
   void DeleteSince(const base::Time& time);
 
   // Parses |value| as a Public-Key-Pins header. If successful, returns |true|
-  // and updates |state|; otherwise, returns |false| without updating |state|.
+  // and updates the |dynamic_spki_hashes| and |dynamic_spki_hashes_expiry|
+  // fields of |*state|; otherwise, returns |false| without updating |*state|.
   static bool ParsePinsHeader(const std::string& value,
                               const SSLInfo& ssl_info,
                               DomainState* state);
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 4ebd104..70e8257 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -602,12 +602,14 @@ void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() {
   DCHECK(response_info_);
 
   const URLRequestContext* ctx = request_->context();
-  if (!ctx || !ctx->transport_security_state())
-    return;
+  const SSLInfo& ssl_info = response_info_->ssl_info;
 
-  const bool https = response_info_->ssl_info.is_valid();
-  const bool valid_https =
-      https && !IsCertStatusError(response_info_->ssl_info.cert_status);
+  // Only accept strict transport security headers on HTTPS connections that
+  // have no certificate errors.
+  if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) ||
+      !ctx || !ctx->transport_security_state()) {
+    return;
+  }
 
   const std::string name = "Strict-Transport-Security";
   std::string value;
@@ -623,10 +625,6 @@ void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() {
         value, &max_age, &include_subdomains);
     if (!ok)
       continue;
-    // We will only accept strict mode if we saw the header from an HTTPS
-    // connection with no certificate problems.
-    if (!valid_https)
-      continue;
     base::Time current_time(base::Time::Now());
     base::TimeDelta max_age_delta = base::TimeDelta::FromSeconds(max_age);
 
@@ -646,7 +644,8 @@ void URLRequestHttpJob::ProcessPublicKeyPinsHeader() {
   const URLRequestContext* ctx = request_->context();
   const SSLInfo& ssl_info = response_info_->ssl_info;
 
-  // Only accept pins on connections that have no errors.
+  // Only accept public key pins headers on HTTPS connections that have no
+  // certificate errors.
   if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) ||
       !ctx || !ctx->transport_security_state()) {
     return;
diff --git a/net/url_request/url_request_http_job.h b/net/url_request/url_request_http_job.h
index eebca14..11a82b5 100644
--- a/net/url_request/url_request_http_job.h
+++ b/net/url_request/url_request_http_job.h
@@ -51,10 +51,10 @@ class URLRequestHttpJob : public URLRequestJob {
   void SaveNextCookie();
   void FetchResponseCookies(std::vector<std::string>* cookies);
 
-  // Process the Strict-Transport-Security header, if one exists.
+  // Processes the Strict-Transport-Security header, if one exists.
   void ProcessStrictTransportSecurityHeader();
 
-  // Process the Public-Key-Pins header, if one exists.
+  // Processes the Public-Key-Pins header, if one exists.
   void ProcessPublicKeyPinsHeader();
 
   // |result| should be net::OK, or the request is canceled.
author	palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-01-11 06:15:07 +0000
committer	palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-01-11 06:15:07 +0000
commit	e88006f1a0aaee7d6abd93162be1231cf43ecf97 (patch)
tree	3a218e7341e67d4c385d44e90e2ba98bbef6134d /net
parent	d40be4ddd79916ed59e89cd27bab3d74e377809b (diff)
download	chromium_src-e88006f1a0aaee7d6abd93162be1231cf43ecf97.zip chromium_src-e88006f1a0aaee7d6abd93162be1231cf43ecf97.tar.gz chromium_src-e88006f1a0aaee7d6abd93162be1231cf43ecf97.tar.bz2