| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/url_request/url_request_http_job.h" | 5 #include "net/url_request/url_request_http_job.h" |
| 6 | 6 |
| 7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
| 8 #include "base/command_line.h" | 8 #include "base/command_line.h" |
| 9 #include "base/compiler_specific.h" | 9 #include "base/compiler_specific.h" |
| 10 #include "base/file_util.h" | 10 #include "base/file_util.h" |
| (...skipping 649 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 660 return; | 660 return; |
| 661 | 661 |
| 662 // If the transaction was destroyed, then the job was cancelled, and | 662 // If the transaction was destroyed, then the job was cancelled, and |
| 663 // we can just ignore this notification. | 663 // we can just ignore this notification. |
| 664 if (!transaction_.get()) | 664 if (!transaction_.get()) |
| 665 return; | 665 return; |
| 666 | 666 |
| 667 // Clear the IO_PENDING status | 667 // Clear the IO_PENDING status |
| 668 SetStatus(URLRequestStatus()); | 668 SetStatus(URLRequestStatus()); |
| 669 | 669 |
| 670 // Take care of any mandates for certificate locking. |
| 671 const SSLInfo& ssl_info = transaction_->GetResponseInfo()->ssl_info; |
| 672 if (result == OK && |
| 673 ssl_info.is_valid() && |
| 674 context_->transport_security_state()) { |
| 675 scoped_refptr<X509Certificate> cert(ssl_info.cert); |
| 676 if (!context_->transport_security_state()->IsAcceptableCertificate( |
| 677 request_->url().host(), cert.get())) |
| 678 result = ERR_CERT_INVALID; |
| 679 } |
| 680 |
| 670 if (result == OK) { | 681 if (result == OK) { |
| 671 SaveCookiesAndNotifyHeadersComplete(); | 682 SaveCookiesAndNotifyHeadersComplete(); |
| 672 } else if (ShouldTreatAsCertificateError(result)) { | 683 } else if (ShouldTreatAsCertificateError(result)) { |
| 673 // We encountered an SSL certificate error. Ask our delegate to decide | 684 // We encountered an SSL certificate error. Ask our delegate to decide |
| 674 // what we should do. | 685 // what we should do. |
| 675 // TODO(wtc): also pass ssl_info.cert_status, or just pass the whole | 686 // TODO(wtc): also pass ssl_info.cert_status, or just pass the whole |
| 676 // ssl_info. | 687 // ssl_info. |
| 677 request_->delegate()->OnSSLCertificateError( | 688 request_->delegate()->OnSSLCertificateError( |
| 678 request_, result, transaction_->GetResponseInfo()->ssl_info.cert); | 689 request_, result, transaction_->GetResponseInfo()->ssl_info.cert); |
| 679 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { | 690 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { |
| (...skipping 22 matching lines...) Expand all Loading... |
| 702 bool URLRequestHttpJob::ShouldTreatAsCertificateError(int result) { | 713 bool URLRequestHttpJob::ShouldTreatAsCertificateError(int result) { |
| 703 if (!IsCertificateError(result)) | 714 if (!IsCertificateError(result)) |
| 704 return false; | 715 return false; |
| 705 | 716 |
| 706 // Revocation check failures are always certificate errors, even if the host | 717 // Revocation check failures are always certificate errors, even if the host |
| 707 // is using Strict-Transport-Security. | 718 // is using Strict-Transport-Security. |
| 708 if (result == ERR_CERT_UNABLE_TO_CHECK_REVOCATION) | 719 if (result == ERR_CERT_UNABLE_TO_CHECK_REVOCATION) |
| 709 return true; | 720 return true; |
| 710 | 721 |
| 711 // Check whether our context is using Strict-Transport-Security. | 722 // Check whether our context is using Strict-Transport-Security. |
| 723 // TODO(cevans) -- this gives an error that makes it look more like the |
| 724 // network connection is faulty than a certificate error. It would be better |
| 725 // to simply use the normal browser "bad cert" UI but force |
| 726 // SSLBlockingPage::ERROR_FATAL. |
| 712 if (!context_->transport_security_state()) | 727 if (!context_->transport_security_state()) |
| 713 return true; | 728 return true; |
| 714 | 729 |
| 715 TransportSecurityState::DomainState domain_state; | 730 TransportSecurityState::DomainState domain_state; |
| 716 // TODO(agl): don't ignore opportunistic mode. | 731 // TODO(agl): don't ignore opportunistic mode. |
| 717 const bool r = context_->transport_security_state()->IsEnabledForHost( | 732 const bool r = context_->transport_security_state()->IsEnabledForHost( |
| 718 &domain_state, request_info_.url.host()); | 733 &domain_state, request_info_.url.host()); |
| 719 | 734 |
| 720 return !r || domain_state.mode == | 735 return !r || domain_state.mode == |
| 721 TransportSecurityState::DomainState::MODE_OPPORTUNISTIC; | 736 TransportSecurityState::DomainState::MODE_OPPORTUNISTIC; |
| (...skipping 637 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1359 } | 1374 } |
| 1360 | 1375 |
| 1361 bool URLRequestHttpJob::IsCompressibleContent() const { | 1376 bool URLRequestHttpJob::IsCompressibleContent() const { |
| 1362 std::string mime_type; | 1377 std::string mime_type; |
| 1363 return GetMimeType(&mime_type) && | 1378 return GetMimeType(&mime_type) && |
| 1364 (IsSupportedJavascriptMimeType(mime_type.c_str()) || | 1379 (IsSupportedJavascriptMimeType(mime_type.c_str()) || |
| 1365 IsSupportedNonImageMimeType(mime_type.c_str())); | 1380 IsSupportedNonImageMimeType(mime_type.c_str())); |
| 1366 } | 1381 } |
| 1367 | 1382 |
| 1368 } // namespace net | 1383 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6793026:
Initial support for HSTS certificate locking. This isn't a finished work, but (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/