authortkent@chromium.org <tkent@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-09-20 03:54:03 +0000
committertkent@chromium.org <tkent@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-09-20 03:54:03 +0000
commit22e045faa6bc1faa16b5664aa896e9c107851761 (patch)
tree2051918751d9053de984b61b8ac3ed2d2ee92006 /net
parentd9343b3e87b143d3438eddabc3a9eeec65d39bd0 (diff)
Revert 224269 "Don't persist HPKP if PrivacyMode is enabled."
It broke Google Chrome ChromeOS bot. http://build.chromium.org/p/chromium.chrome/builders/Google%20Chrome%20ChromeOS/builds/58548/steps/compile/logs/stdio#error1 FAILED: g++ ... -c ../../net/socket/ssl_client_socket_nss.cc -o obj/net/socket/net.ssl_client_socket_nss.o ../../net/socket/ssl_client_socket_nss.cc: In member function 'int net::SSLClientSocketNSS::DoVerifyCertComplete(int)': ../../net/socket/ssl_client_socket_nss.cc:3445:64:error: no matching function for call to 'net::TransportSecurityState::GetDomainState(const string&, bool&, net::TransportSecurityState::DomainState*)' ../../net/socket/ssl_client_socket_nss.cc:3445:64: note: candidate is: ../../net/http/transport_security_state.h:212:8: note: bool net::TransportSecurityState::GetDomainState(const string&, bool, bool, net::TransportSecurityState::DomainState*) ../../net/http/transport_security_state.h:212:8: note: candidate expects 4 arguments, 3 provided > Don't persist HPKP if PrivacyMode is enabled. > > BUG=258667 > > Review URL: https://chromiumcodereview.appspot.com/19269012 TBR=mef@chromium.org Review URL: https://codereview.chromium.org/24251011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@224275 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/http/http_security_headers_unittest.cc4
-rw-r--r--net/http/transport_security_state.cc10
-rw-r--r--net/http/transport_security_state.h4
-rw-r--r--net/http/transport_security_state_unittest.cc107
-rw-r--r--net/socket_stream/socket_stream.cc15
-rw-r--r--net/socket_stream/socket_stream.h7
-rw-r--r--net/socket_stream/socket_stream_job.cc8
-rw-r--r--net/url_request/url_request.cc17
-rw-r--r--net/url_request/url_request_http_job.cc22
-rw-r--r--net/url_request/url_request_test_util.h3
-rw-r--r--net/url_request/url_request_unittest.cc58
-rw-r--r--net/websockets/websocket_job.cc17
-rw-r--r--net/websockets/websocket_job.h2
13 files changed, 90 insertions, 184 deletions
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index e679b31..0cc81b5 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -440,7 +440,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
// docs.google.com has preloaded pins.
std::string domain = "docs.google.com";
- EXPECT_TRUE(state.GetDomainState(domain, true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
EXPECT_GT(domain_state.static_spki_hashes.size(), 1UL);
HashValueVector saved_hashes = domain_state.static_spki_hashes;
@@ -487,7 +487,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
EXPECT_NE(dynamic_domain_state.dynamic_spki_hashes.end(), hash);
// Expect the overall state to reflect the header, too.
- EXPECT_TRUE(state.GetDomainState(domain, true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
EXPECT_EQ(2UL, domain_state.dynamic_spki_hashes.size());
hash = std::find_if(domain_state.dynamic_spki_hashes.begin(),
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 9f12ba0..d238e99 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -137,7 +137,6 @@ bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
bool TransportSecurityState::GetDomainState(const std::string& host,
bool sni_enabled,
- bool allow_dynamic,
DomainState* result) {
DCHECK(CalledOnValidThread());
@@ -148,12 +147,6 @@ bool TransportSecurityState::GetDomainState(const std::string& host,
bool has_preload = GetStaticDomainState(canonicalized_host, sni_enabled,
&state);
- // If |allow_dynamic| is false, then return static state to the caller.
- if (!allow_dynamic) {
- if (has_preload)
- *result = state;
- return has_preload;
- }
std::string canonicalized_preload = CanonicalizeHost(state.domain);
GetDynamicDomainState(host, &state);
@@ -843,7 +836,8 @@ TransportSecurityState::DomainState::DomainState()
: upgrade_mode(MODE_DEFAULT),
created(base::Time::Now()),
sts_include_subdomains(false),
- pkp_include_subdomains(false) {}
+ pkp_include_subdomains(false) {
+}
TransportSecurityState::DomainState::~DomainState() {
}
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index 17b8b75..ccbc53a 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -201,9 +201,6 @@ class NET_EXPORT TransportSecurityState
// If |sni_enabled| is true, searches the static pins defined for
// SNI-using hosts as well as the rest of the pins.
//
- // If |allow_dynamic| is true, then dynamic state is returned if present,
- // otherwise only static state is used..
- //
// If |host| matches both an exact entry and is a subdomain of another
// entry, the exact match determines the return value.
//
@@ -211,7 +208,6 @@ class NET_EXPORT TransportSecurityState
// entries that have expired.
bool GetDomainState(const std::string& host,
bool sni_enabled,
- bool allow_dynamic,
DomainState* result);
// Processes an HSTS header value from the host, adding entries to
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index 4c78f26..936d562 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -70,10 +70,10 @@ TEST_F(TransportSecurityStateTest, SimpleMatches) {
const base::Time current_time(base::Time::Now());
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
- EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
bool include_subdomains = false;
state.AddHSTS("yahoo.com", expiry, include_subdomains);
- EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
}
TEST_F(TransportSecurityStateTest, MatchesCase1) {
@@ -82,10 +82,10 @@ TEST_F(TransportSecurityStateTest, MatchesCase1) {
const base::Time current_time(base::Time::Now());
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
- EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
bool include_subdomains = false;
state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
- EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
}
TEST_F(TransportSecurityStateTest, MatchesCase2) {
@@ -94,10 +94,10 @@ TEST_F(TransportSecurityStateTest, MatchesCase2) {
const base::Time current_time(base::Time::Now());
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
- EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, &domain_state));
bool include_subdomains = false;
state.AddHSTS("yahoo.com", expiry, include_subdomains);
- EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, &domain_state));
}
TEST_F(TransportSecurityStateTest, SubdomainMatches) {
@@ -106,16 +106,15 @@ TEST_F(TransportSecurityStateTest, SubdomainMatches) {
const base::Time current_time(base::Time::Now());
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
- EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
bool include_subdomains = true;
state.AddHSTS("yahoo.com", expiry, include_subdomains);
- EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state));
- EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, true, &domain_state));
- EXPECT_TRUE(
- state.GetDomainState("foo.bar.yahoo.com", true, true, &domain_state));
- EXPECT_TRUE(
- state.GetDomainState("foo.bar.baz.yahoo.com", true, true, &domain_state));
- EXPECT_FALSE(state.GetDomainState("com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("foo.bar.yahoo.com", true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("foo.bar.baz.yahoo.com", true,
+ &domain_state));
+ EXPECT_FALSE(state.GetDomainState("com", true, &domain_state));
}
TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
@@ -125,14 +124,14 @@ TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
- EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
bool include_subdomains = false;
state.AddHSTS("yahoo.com", expiry, include_subdomains);
state.DeleteAllDynamicDataSince(expiry);
- EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
state.DeleteAllDynamicDataSince(older);
- EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
}
TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
@@ -143,10 +142,10 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
bool include_subdomains = false;
state.AddHSTS("yahoo.com", expiry, include_subdomains);
- EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state));
- EXPECT_FALSE(state.GetDomainState("example.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("example.com", true, &domain_state));
EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
- EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
}
TEST_F(TransportSecurityStateTest, IsPreloaded) {
@@ -177,32 +176,30 @@ TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
// The domain wasn't being set, leading to a blank string in the
// chrome://net-internals/#hsts UI. So test that.
- EXPECT_TRUE(
- state.GetDomainState("market.android.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("market.android.com", true, &domain_state));
EXPECT_EQ(domain_state.domain, "market.android.com");
- EXPECT_TRUE(state.GetDomainState(
- "sub.market.android.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("sub.market.android.com", true,
+ &domain_state));
EXPECT_EQ(domain_state.domain, "market.android.com");
}
static bool ShouldRedirect(const char* hostname) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- return state.GetDomainState(
- hostname, true /* SNI ok */, true, &domain_state) &&
+ return state.GetDomainState(hostname, true /* SNI ok */, &domain_state) &&
domain_state.ShouldUpgradeToSSL();
}
static bool HasState(const char* hostname) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- return state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state);
+ return state.GetDomainState(hostname, true /* SNI ok */, &domain_state);
}
static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- if (!state.GetDomainState(hostname, sni_enabled, true, &domain_state))
+ if (!state.GetDomainState(hostname, sni_enabled, &domain_state))
return false;
return domain_state.HasPublicKeyPins();
@@ -215,7 +212,7 @@ static bool HasPublicKeyPins(const char* hostname) {
static bool OnlyPinning(const char *hostname) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- if (!state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state))
+ if (!state.GetDomainState(hostname, true /* SNI ok */, &domain_state))
return false;
return (domain_state.static_spki_hashes.size() > 0 ||
@@ -229,8 +226,7 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
TransportSecurityState::DomainState domain_state;
// We do more extensive checks for the first domain.
- EXPECT_TRUE(
- state.GetDomainState("www.paypal.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("www.paypal.com", true, &domain_state));
EXPECT_EQ(domain_state.upgrade_mode,
TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
EXPECT_FALSE(domain_state.sts_include_subdomains);
@@ -292,16 +288,13 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
EXPECT_TRUE(OnlyPinning("googlegroups.com"));
// Tests for domains that don't work without SNI.
- EXPECT_FALSE(state.GetDomainState("gmail.com", false, true, &domain_state));
- EXPECT_FALSE(
- state.GetDomainState("www.gmail.com", false, true, &domain_state));
- EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, true, &domain_state));
- EXPECT_FALSE(
- state.GetDomainState("googlemail.com", false, true, &domain_state));
- EXPECT_FALSE(
- state.GetDomainState("www.googlemail.com", false, true, &domain_state));
- EXPECT_FALSE(
- state.GetDomainState("m.googlemail.com", false, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("gmail.com", false, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("www.gmail.com", false, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("googlemail.com", false, &domain_state));
+ EXPECT_FALSE(state.GetDomainState("www.googlemail.com", false,
+ &domain_state));
+ EXPECT_FALSE(state.GetDomainState("m.googlemail.com", false, &domain_state));
// Other hosts:
@@ -395,17 +388,16 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
EXPECT_TRUE(ShouldRedirect("www.dropcam.com"));
EXPECT_FALSE(HasState("foo.dropcam.com"));
- EXPECT_TRUE(
- state.GetDomainState("torproject.org", false, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.static_spki_hashes.empty());
- EXPECT_TRUE(
- state.GetDomainState("www.torproject.org", false, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("www.torproject.org", false,
+ &domain_state));
EXPECT_FALSE(domain_state.static_spki_hashes.empty());
- EXPECT_TRUE(
- state.GetDomainState("check.torproject.org", false, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("check.torproject.org", false,
+ &domain_state));
EXPECT_FALSE(domain_state.static_spki_hashes.empty());
- EXPECT_TRUE(
- state.GetDomainState("blog.torproject.org", false, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("blog.torproject.org", false,
+ &domain_state));
EXPECT_FALSE(domain_state.static_spki_hashes.empty());
EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn"));
EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn"));
@@ -477,15 +469,14 @@ TEST_F(TransportSecurityStateTest, LongNames) {
"WaveletIdDomainAndBlipBlipid";
TransportSecurityState::DomainState domain_state;
// Just checks that we don't hit a NOTREACHED.
- EXPECT_FALSE(state.GetDomainState(kLongName, true, true, &domain_state));
+ EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state));
}
TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- EXPECT_TRUE(
- state.GetDomainState("chrome.google.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state));
EXPECT_TRUE(HasPublicKeyPins("chrome.google.com"));
HashValueVector hashes;
@@ -573,8 +564,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- EXPECT_TRUE(
- state.GetDomainState("plus.google.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
EXPECT_TRUE(domain_state.HasPublicKeyPins());
EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes));
@@ -610,8 +600,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- EXPECT_TRUE(
- state.GetDomainState("blog.torproject.org", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state));
EXPECT_TRUE(domain_state.HasPublicKeyPins());
EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes));
@@ -640,8 +629,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
- EXPECT_TRUE(
- state.GetDomainState("plus.google.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
EXPECT_TRUE(domain_state.HasPublicKeyPins());
// The statically-defined pins are all SHA-1, so we add some SHA-256 pins
@@ -753,8 +741,7 @@ TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
domain_state.upgrade_expiry = expiry;
EnableHost(&state, "www.google.com", domain_state);
- EXPECT_TRUE(
- state.GetDomainState("www.google.com", true, true, &domain_state));
+ EXPECT_TRUE(state.GetDomainState("www.google.com", true, &domain_state));
}
static const uint8 kSidePinLeafSPKI[] = {
diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc
index e50d09c..699c820 100644
--- a/net/socket_stream/socket_stream.cc
+++ b/net/socket_stream/socket_stream.cc
@@ -132,14 +132,6 @@ bool SocketStream::is_secure() const {
return url_.SchemeIs("wss");
}
-GURL SocketStream::GetURLForCookies(const GURL& url) {
- std::string scheme = url.SchemeIs("wss") ? "https" : "http";
- url_canon::Replacements<char> replacements;
- replacements.SetScheme(scheme.c_str(),
- url_parse::Component(0, scheme.length()));
- return url.ReplaceComponents(replacements);
-}
-
void SocketStream::set_context(URLRequestContext* context) {
const URLRequestContext* prev_context = context_;
@@ -1335,12 +1327,9 @@ int SocketStream::HandleCertificateError(int result) {
ssl_socket->GetSSLInfo(&ssl_info);
TransportSecurityState::DomainState domain_state;
- const bool fatal =
- context_->transport_security_state() &&
- context_->transport_security_state()->GetDomainState(
- url_.host(),
+ const bool fatal = context_->transport_security_state() &&
+ context_->transport_security_state()->GetDomainState(url_.host(),
SSLConfigService::IsSNIAvailable(context_->ssl_config_service()),
- delegate_->CanGetCookies(this, url_for_cookies()),
&domain_state) &&
domain_state.ShouldSSLErrorsBeFatal();
diff --git a/net/socket_stream/socket_stream.h b/net/socket_stream/socket_stream.h
index 76c132e..90aeb8c 100644
--- a/net/socket_stream/socket_stream.h
+++ b/net/socket_stream/socket_stream.h
@@ -124,7 +124,6 @@ class NET_EXPORT SocketStream
void SetUserData(const void* key, UserData* data);
const GURL& url() const { return url_; }
- GURL url_for_cookies() const { return GetURLForCookies(url_); }
bool is_secure() const;
const AddressList& address_list() const { return addresses_; }
Delegate* delegate() const { return delegate_; }
@@ -181,12 +180,6 @@ class NET_EXPORT SocketStream
// actions on alert dialog or browser cached such kinds of user actions.
void ContinueDespiteError();
- // Returns the URL to be used for cookie policy checking. Note that
- // this may be different than |url|; for example, the cookie policy
- // for a ws:// URL is based upon the http:// scheme for that
- // host:port pair.
- static GURL GetURLForCookies(const GURL& url);
-
protected:
friend class base::RefCountedThreadSafe<SocketStream>;
virtual ~SocketStream();
diff --git a/net/socket_stream/socket_stream_job.cc b/net/socket_stream/socket_stream_job.cc
index 7c12cc8..9c13a8f 100644
--- a/net/socket_stream/socket_stream_job.cc
+++ b/net/socket_stream/socket_stream_job.cc
@@ -27,12 +27,8 @@ SocketStreamJob* SocketStreamJob::CreateSocketStreamJob(
SSLConfigService* ssl) {
GURL socket_url(url);
TransportSecurityState::DomainState domain_state;
- if (url.scheme() == "ws" && sts &&
- sts->GetDomainState(
- url.host(),
- SSLConfigService::IsSNIAvailable(ssl),
- delegate->CanGetCookies(NULL, SocketStream::GetURLForCookies(url)),
- &domain_state) &&
+ if (url.scheme() == "ws" && sts && sts->GetDomainState(
+ url.host(), SSLConfigService::IsSNIAvailable(ssl), &domain_state) &&
domain_state.ShouldUpgradeToSSL()) {
url_canon::Replacements<char> replacements;
static const char kNewScheme[] = "wss";
diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc
index b984fbd..bf031c8 100644
--- a/net/url_request/url_request.cc
+++ b/net/url_request/url_request.cc
@@ -919,25 +919,20 @@ void URLRequest::SetPriority(RequestPriority priority) {
bool URLRequest::GetHSTSRedirect(GURL* redirect_url) const {
const GURL& url = this->url();
- if (redirect_url && !url.SchemeIs("http"))
+ if (!url.SchemeIs("http"))
return false;
TransportSecurityState::DomainState domain_state;
- bool allow_dynamic_state =
- !(load_flags_ & LOAD_DO_NOT_SEND_COOKIES) && CanGetCookies(CookieList());
if (context()->transport_security_state() &&
context()->transport_security_state()->GetDomainState(
url.host(),
SSLConfigService::IsSNIAvailable(context()->ssl_config_service()),
- allow_dynamic_state,
&domain_state) &&
domain_state.ShouldUpgradeToSSL()) {
- if (redirect_url) {
- url_canon::Replacements<char> replacements;
- const char kNewScheme[] = "https";
- replacements.SetScheme(kNewScheme,
- url_parse::Component(0, strlen(kNewScheme)));
- *redirect_url = url.ReplaceComponents(replacements);
- }
+ url_canon::Replacements<char> replacements;
+ const char kNewScheme[] = "https";
+ replacements.SetScheme(kNewScheme,
+ url_parse::Component(0, strlen(kNewScheme)));
+ *redirect_url = url.ReplaceComponents(replacements);
return true;
}
return false;
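Review bot: `*redirect_url = url.ReplaceComponents(replacements);` now writes through `redirect_url` unconditionally, whereas the code being reverted tolerated a null pointer for callers that only wanted the boolean. No callers are visible in this hunk, so either confirm that none passes NULL or state the contract with `DCHECK(redirect_url);` at the top of GetHSTSRedirect. The function's closing brace lies outside the hunk.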
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 6bfb5d2..dd11a1b 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -795,13 +795,6 @@ void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() {
!security_state)
return;
- CookieOptions options;
- options.set_include_httponly();
- options.set_server_time(response_date_);
- // Don't persist HSTS if cookies are not saved to avoid tracking.
- if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) ||
- !CanSetCookie("", &options))
- return;
// http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec:
//
// If a UA receives more than one STS header field in a HTTP response
@@ -825,14 +818,6 @@ void URLRequestHttpJob::ProcessPublicKeyPinsHeader() {
!security_state)
return;
- CookieOptions options;
- options.set_include_httponly();
- options.set_server_time(response_date_);
- // Don't persist HPKP if cookies are not saved to avoid tracking.
- if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) ||
- !CanSetCookie("", &options))
- return;
-
// http://tools.ietf.org/html/draft-ietf-websec-key-pinning:
//
// If a UA receives more than one PKP header field in an HTTP
@@ -909,16 +894,11 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
// what we should do.
TransportSecurityState::DomainState domain_state;
- bool allow_dynamic_state =
- !(request_info_.load_flags & LOAD_DO_NOT_SEND_COOKIES) &&
- CanGetCookies(CookieList());
const URLRequestContext* context = request_->context();
- const bool fatal =
- context->transport_security_state() &&
+ const bool fatal = context->transport_security_state() &&
context->transport_security_state()->GetDomainState(
request_info_.url.host(),
SSLConfigService::IsSNIAvailable(context->ssl_config_service()),
- allow_dynamic_state,
&domain_state) &&
domain_state.ShouldSSLErrorsBeFatal();
NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal);
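Review bot: Nothing in this file now records that dynamic HSTS/HPKP state is again stored and consulted without regard to cookie policy. This hunk drops `allow_dynamic_state` from the `GetDomainState` call, and the two hunks above remove the `LOAD_DO_NOT_SAVE_COOKIES` / `CanSetCookie` guards from ProcessStrictTransportSecurityHeader and ProcessPublicKeyPinsHeader. The commit message gives a ChromeOS compile failure as the reason for the revert, not a design objection, so the tracking concern from BUG=258667 is open again. A comment above the `fatal` computation would keep that visible, for example `// TODO(bug 258667): HSTS/HPKP state is stored and consulted even when cookies are blocked; re-land the privacy-mode check.` OnStartCompleted begins and ends outside the hunk.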
diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h
index 06d8d92..796b913 100644
--- a/net/url_request/url_request_test_util.h
+++ b/net/url_request/url_request_test_util.h
@@ -270,7 +270,8 @@ class TestNetworkDelegate : public NetworkDelegate {
CookieOptions* options) OVERRIDE;
virtual bool OnCanAccessFile(const URLRequest& request,
const base::FilePath& path) const OVERRIDE;
- virtual bool OnCanThrottleRequest(const URLRequest& request) const OVERRIDE;
+ virtual bool OnCanThrottleRequest(
+ const URLRequest& request) const OVERRIDE;
virtual int OnBeforeSocketStreamConnect(
SocketStream* stream,
const CompletionCallback& callback) OVERRIDE;
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index ec46b20..c1178fe 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -2031,7 +2031,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy) {
EXPECT_TRUE(d.data_received().find("Cookie: CookieToNotSend=1")
== std::string::npos);
- EXPECT_EQ(2, network_delegate.blocked_get_cookies_count());
+ EXPECT_EQ(1, network_delegate.blocked_get_cookies_count());
EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
}
}
@@ -2162,7 +2162,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy_Async) {
EXPECT_TRUE(d.data_received().find("Cookie: CookieToNotSend=1")
== std::string::npos);
- EXPECT_EQ(2, network_delegate.blocked_get_cookies_count());
+ EXPECT_EQ(1, network_delegate.blocked_get_cookies_count());
EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
}
}
@@ -3930,10 +3930,11 @@ TEST_F(URLRequestTestHTTP, ProcessSTS) {
bool sni_available = true;
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(security_state->GetDomainState(
- SpawnedTestServer::kLocalhost, sni_available, true, &domain_state));
+ SpawnedTestServer::kLocalhost, sni_available, &domain_state));
EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
domain_state.upgrade_mode);
EXPECT_TRUE(domain_state.sts_include_subdomains);
+ EXPECT_FALSE(domain_state.pkp_include_subdomains);
#if defined(OS_ANDROID)
// Android's CertVerifyProc does not (yet) handle pins.
#else
@@ -3973,51 +3974,16 @@ TEST_F(URLRequestTestHTTP, MAYBE_ProcessPKP) {
bool sni_available = true;
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(security_state->GetDomainState(
- SpawnedTestServer::kLocalhost, sni_available, true, &domain_state));
+ SpawnedTestServer::kLocalhost, sni_available, &domain_state));
EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
domain_state.upgrade_mode);
EXPECT_FALSE(domain_state.sts_include_subdomains);
EXPECT_FALSE(domain_state.pkp_include_subdomains);
EXPECT_TRUE(domain_state.HasPublicKeyPins());
-
EXPECT_NE(domain_state.upgrade_expiry,
domain_state.dynamic_spki_hashes_expiry);
}
-// Android's CertVerifyProc does not (yet) handle pins. Therefore, it will
-// reject HPKP headers, and a test setting only HPKP headers will fail (no
-// DomainState present because header rejected).
-#if defined(OS_ANDROID)
-#define MAYBE_ProcessPKP_PrivacyMode DISABLED_ProcessPKP_PrivacyMode
-#else
-#define MAYBE_ProcessPKP_PrivacyMode ProcessPKP_PrivacyMode
-#endif
-// Tests that DynamicDomainState is not added if cookies are not set.
-TEST_F(URLRequestTestHTTP, ProcessPKP_PrivacyMode) {
- SpawnedTestServer::SSLOptions ssl_options;
- SpawnedTestServer https_test_server(
- SpawnedTestServer::TYPE_HTTPS,
- ssl_options,
- base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest")));
- ASSERT_TRUE(https_test_server.Start());
-
- default_network_delegate_.set_cookie_options(
- TestNetworkDelegate::NO_SET_COOKIE);
- TestDelegate d;
- URLRequest request(https_test_server.GetURL("files/hpkp-headers.html"),
- &d,
- &default_context_);
- request.Start();
- base::MessageLoop::current()->Run();
-
- TransportSecurityState* security_state =
- default_context_.transport_security_state();
- bool sni_available = true;
- TransportSecurityState::DomainState domain_state;
- EXPECT_FALSE(security_state->GetDomainState(
- SpawnedTestServer::kLocalhost, sni_available, true, &domain_state));
-}
-
TEST_F(URLRequestTestHTTP, ProcessSTSOnce) {
SpawnedTestServer::SSLOptions ssl_options;
SpawnedTestServer https_test_server(
@@ -4040,7 +4006,7 @@ TEST_F(URLRequestTestHTTP, ProcessSTSOnce) {
bool sni_available = true;
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(security_state->GetDomainState(
- SpawnedTestServer::kLocalhost, sni_available, true, &domain_state));
+ SpawnedTestServer::kLocalhost, sni_available, &domain_state));
EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
domain_state.upgrade_mode);
EXPECT_FALSE(domain_state.sts_include_subdomains);
@@ -4069,7 +4035,7 @@ TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP) {
bool sni_available = true;
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(security_state->GetDomainState(
- SpawnedTestServer::kLocalhost, sni_available, true, &domain_state));
+ SpawnedTestServer::kLocalhost, sni_available, &domain_state));
EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
domain_state.upgrade_mode);
#if defined(OS_ANDROID)
@@ -4110,7 +4076,7 @@ TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP2) {
bool sni_available = true;
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(security_state->GetDomainState(
- SpawnedTestServer::kLocalhost, sni_available, true, &domain_state));
+ SpawnedTestServer::kLocalhost, sni_available, &domain_state));
EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
domain_state.upgrade_mode);
#if defined(OS_ANDROID)
@@ -5119,8 +5085,8 @@ TEST_F(HTTPSRequestTest, HTTPSErrorsNoClobberTSSTest) {
context.set_host_resolver(&host_resolver);
TransportSecurityState transport_security_state;
TransportSecurityState::DomainState domain_state;
- EXPECT_TRUE(transport_security_state.GetDomainState(
- "www.google.com", true, true, &domain_state));
+ EXPECT_TRUE(transport_security_state.GetDomainState("www.google.com", true,
+ &domain_state));
context.set_transport_security_state(&transport_security_state);
context.Init();
@@ -5142,8 +5108,8 @@ TEST_F(HTTPSRequestTest, HTTPSErrorsNoClobberTSSTest) {
// Get a fresh copy of the state, and check that it hasn't been updated.
TransportSecurityState::DomainState new_domain_state;
- EXPECT_TRUE(transport_security_state.GetDomainState(
- "www.google.com", true, true, &new_domain_state));
+ EXPECT_TRUE(transport_security_state.GetDomainState("www.google.com", true,
+ &new_domain_state));
EXPECT_EQ(new_domain_state.upgrade_mode, domain_state.upgrade_mode);
EXPECT_EQ(new_domain_state.sts_include_subdomains,
domain_state.sts_include_subdomains);
diff --git a/net/websockets/websocket_job.cc b/net/websockets/websocket_job.cc
index 34adb31..50d1218 100644
--- a/net/websockets/websocket_job.cc
+++ b/net/websockets/websocket_job.cc
@@ -367,8 +367,7 @@ bool WebSocketJob::SendHandshakeRequest(const char* data, int len) {
void WebSocketJob::AddCookieHeaderAndSend() {
bool allow = true;
- GURL url_for_cookies(socket_->url_for_cookies());
- if (delegate_ && !delegate_->CanGetCookies(socket_.get(), url_for_cookies))
+ if (delegate_ && !delegate_->CanGetCookies(socket_.get(), GetURLForCookies()))
allow = false;
if (socket_.get() && delegate_ && state_ == CONNECTING) {
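Review bot: `GetURLForCookies()` on the `CanGetCookies` line dereferences `socket_` before the `socket_.get()` test on the following `if` is reached; its definition, added in the last hunk of this file, begins with `socket_->url()` and `socket_->is_secure()`. If `socket_` can be null at this point, as that later test suggests, the call faults ahead of the guard. Testing the pointer first, e.g. `if (socket_.get() && delegate_ && !delegate_->CanGetCookies(socket_.get(), GetURLForCookies()))`, or putting `DCHECK(socket_.get());` at the top of GetURLForCookies would make the precondition explicit. AddCookieHeaderAndSend continues outside the hunk.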
@@ -379,8 +378,7 @@ void WebSocketJob::AddCookieHeaderAndSend() {
CookieOptions cookie_options;
cookie_options.set_include_httponly();
socket_->context()->cookie_store()->GetCookiesWithOptionsAsync(
- url_for_cookies,
- cookie_options,
+ GetURLForCookies(), cookie_options,
base::Bind(&WebSocketJob::LoadCookieCallback,
weak_ptr_factory_.GetWeakPtr()));
} else {
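Review bot: `GetURLForCookies()` is evaluated a second time in the `GetCookiesWithOptionsAsync` call, so each pass through AddCookieHeaderAndSend builds the scheme replacement and a new GURL twice. SaveNextCookie in the next hunk stores the result in a local first (`GURL url_for_cookies = GetURLForCookies();`). Doing the same here, once `socket_` is known to be non-null, would keep the two call sites consistent and guarantee that the policy check and the cookie lookup use the same URL. The local would have to be declared in the previous hunk of this function.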
@@ -511,7 +509,7 @@ void WebSocketJob::SaveNextCookie() {
save_next_cookie_running_ = true;
if (socket_->context()->cookie_store()) {
- GURL url_for_cookies(socket_->url_for_cookies());
+ GURL url_for_cookies = GetURLForCookies();
CookieOptions options;
options.set_include_httponly();
@@ -565,6 +563,15 @@ void WebSocketJob::OnCookieSaved(bool cookie_status) {
SaveNextCookie();
}
+GURL WebSocketJob::GetURLForCookies() const {
+ GURL url = socket_->url();
+ std::string scheme = socket_->is_secure() ? "https" : "http";
+ url_canon::Replacements<char> replacements;
+ replacements.SetScheme(scheme.c_str(),
+ url_parse::Component(0, scheme.length()));
+ return url.ReplaceComponents(replacements);
+}
+
const AddressList& WebSocketJob::address_list() const {
return addresses_;
}
diff --git a/net/websockets/websocket_job.h b/net/websockets/websocket_job.h
index 4a9bf39..119c4dc 100644
--- a/net/websockets/websocket_job.h
+++ b/net/websockets/websocket_job.h
@@ -110,6 +110,8 @@ class NET_EXPORT WebSocketJob
void NotifyHeadersComplete();
void DoSendData();
+ GURL GetURLForCookies() const;
+
const AddressList& address_list() const;
int TrySpdyStream();
void SetWaiting();
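Review bot: The new declaration `GURL GetURLForCookies() const;` has no comment, and the explanation that sat on SocketStream::GetURLForCookies is deleted from socket_stream.h by this same commit. Suggest adding above it `// Returns the URL used for cookie policy checks and cookie-store access: the socket URL with its scheme replaced by "https" when the socket is secure and "http" otherwise.` It would also help to note that the method reads `socket_`, so callers must hold a live socket. The class body continues outside the hunk.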