-rw-r--r-- | net/base/transport_security_state.cc | 8 | ||||
-rw-r--r-- | net/url_request/url_request_http_job.cc | 6 |
2 files changed, 14 insertions, 0 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index e82734d..a35325a 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -569,11 +569,19 @@ bool TransportSecurityState::IsPreloadedSTS(
 0,
 };
+ // kTestAcceptableCerts doesn't actually match any public keys and is used
+ // with "pinningtest.appspot.com", below, to test if pinning is active.
+ static const char* kTestAcceptableCerts[] = {
+ "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+ };
+
 // In the medium term this list is likely to just be hardcoded here. This,
 // slightly odd, form removes the need for additional relocations records.
 static const struct HSTSPreload kPreloadedSTS[] = {
 // (*.)google.com, iff using SSL must use an acceptable certificate.
 {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+ {25, true, "\013pinningtest\007appspot\003com", false,
+ kTestAcceptableCerts },
 // Now we force HTTPS for subtrees of google.com.
 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 23e7367..5f30e55 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -738,7 +738,12 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
 // Clear the IO_PENDING status
 SetStatus(URLRequestStatus());
+#if defined(OFFICIAL_BUILD) && !defined(ANDROID)
 // Take care of any mandates for public key pinning.
+ //
+ // Pinning is only enabled for official builds to make sure that others don't
+ // end up with pins that cannot be easily updated.
+ //
 // TODO(agl): we might have an issue here where a request for foo.example.com
 // merges into a SPDY connection to www.example.com, and gets a different
 // certificate.
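Review bot: kTestAcceptableCerts has no terminating entry, while the array that closes just above it in this hunk ends with `0,`, which suggests pin lists are walked until a null pointer. If the lookup does iterate that way, the one-element test array would be read past its end whenever pinningtest.appspot.com is checked; add `0,` after the `"sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",` line. The code that consumes the list is outside the hunk, so this should be confirmed against it. Declaring the array `static const char* const` would also keep the table itself in read-only data.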
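Review bot: The new comment explains the OFFICIAL_BUILD half of the guard but not `!defined(ANDROID)`, so a reader cannot tell whether official Android builds are meant to go without pin enforcement for good. State the reason in the comment, for example `// Android is excluded because <reason>.` The guard also compiles the enforcement block out of every non-official build, so developer builds and test bots presumably never run this path, and the pinningtest.appspot.com entry from transport_security_state.cc can only confirm pinning in official desktop builds. A runtime switch that tests can enable would keep the check covered. The guarded block continues past the end of this hunk.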
@@ -762,6 +767,7 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
 }
 }
 }
+#endif
 if (result == OK) {
 SaveCookiesAndNotifyHeadersComplete(); |
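Review bot: The added `#endif` closes a guard whose `#if` is in the previous hunk, with nothing on the line to tie the two together. Label it as `#endif  // defined(OFFICIAL_BUILD) && !defined(ANDROID)`, so that anyone reading the end of the pin check can see it is conditionally compiled. Since the block decides whether a certificate pin failure is enforced, it should be obvious at both ends that non-official builds skip it. Only the closing braces of the guarded block are visible in this hunk.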