Index: net/url_request/url_request_http_job.cc |
=================================================================== |
--- net/url_request/url_request_http_job.cc (revision 80114) |
+++ net/url_request/url_request_http_job.cc (working copy) |
@@ -667,6 +667,17 @@ |
// Clear the IO_PENDING status |
SetStatus(URLRequestStatus()); |
+ // Take care of any mandates for certificate locking. |
+ const SSLInfo& ssl_info = transaction_->GetResponseInfo()->ssl_info; |
+ if (result == OK && |
+ ssl_info.is_valid() && |
+ context_->transport_security_state()) { |
+ scoped_refptr<X509Certificate> cert(ssl_info.cert); |
+ if (!context_->transport_security_state()->IsAcceptableCertificate( |
+ request_->url().host(), cert.get())) |
+ result = ERR_CERT_INVALID; |
+ } |
+ |
if (result == OK) { |
SaveCookiesAndNotifyHeadersComplete(); |
} else if (ShouldTreatAsCertificateError(result)) { |
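Review bot: The added line `const SSLInfo& ssl_info = transaction_->GetResponseInfo()->ssl_info;` dereferences the response info before the `result == OK` test, so a failed transaction with no response info would bind the reference through a null pointer; whether `GetResponseInfo()` can return null here is not visible in the hunk and should be confirmed. Fetch it inside the guard instead, e.g. `const HttpResponseInfo* info = transaction_->GetResponseInfo();` followed by `if (info && info->ssl_info.is_valid() && ...)`. The check also appears to run only once the transaction has produced a response, so the request headers and cookies would already have gone out over the connection that is then rejected. A comment should say whether that is accepted, or the check should move to the point where the handshake completes. The local `scoped_refptr<X509Certificate> cert(ssl_info.cert)` adds a reference that `ssl_info.cert.get()` would make unnecessary, assuming `cert` is already a `scoped_refptr`. The enclosing function begins and ends outside this hunk.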
@@ -709,6 +720,10 @@ |
return true; |
// Check whether our context is using Strict-Transport-Security. |
+ // TODO(cevans) -- this gives an error that makes it look more like the |
+ // network connection is faulty than a certificate error. It would be better |
+ // to simply use the normal browser "bad cert" UI but force |
+ // SSLBlockingPage::ERROR_FATAL. |
if (!context_->transport_security_state()) |
return true; |