net: make HSTS hosts use the normal SSL interstitials

net/url_request/url_request_http_job.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/bind.h"
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
@@ skipping 668 matching lines @@
         UMA_HISTOGRAM_BOOLEAN("Net.CertificatePinSuccess", false);
       } else {
         UMA_HISTOGRAM_BOOLEAN("Net.CertificatePinSuccess", true);
       }
     }
   }
 #endif
 
   if (result == OK) {
     SaveCookiesAndNotifyHeadersComplete();
-  } else if (ShouldTreatAsCertificateError(result)) {
+  } else if (IsCertificateError(result)) {
     // We encountered an SSL certificate error.  Ask our delegate to decide
     // what we should do.
-    // TODO(wtc): also pass ssl_info.cert_status, or just pass the whole
-    // ssl_info.
-    NotifySSLCertificateError(
-        result, transaction_->GetResponseInfo()->ssl_info.cert);
+
+    TransportSecurityState::DomainState domain_state;
+    const bool is_hsts_host =
+        context_->transport_security_state() &&
+        context_->transport_security_state()->IsEnabledForHost(
+            &domain_state, request_info_.url.host(),
+            SSLConfigService::IsSNIAvailable(context_->ssl_config_service()));
+    NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info,
+                              is_hsts_host);

[wtc, 2011/09/26 19:15:10]

We can consider making is_hsts_host a bit flag in
ssl_info.cert_status.  But that requires making
context_->transport_security_state() available to the
lower layers (at least the HttpCache layer, which saves
ssl_info in the HTTP cache).  So I am not sure if it is
worth doing.

   } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
     NotifyCertificateRequested(
         transaction_->GetResponseInfo()->cert_request_info);
   } else {
     NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result));
   }
 }
 
 void URLRequestHttpJob::OnReadCompleted(int result) {
   read_in_progress_ = false;
 
   if (ShouldFixMismatchedContentLength(result))
     result = 0;
 
   if (result == 0) {
     NotifyDone(URLRequestStatus());
   } else if (result < 0) {
     NotifyDone(URLRequestStatus(URLRequestStatus::FAILED, result));
   } else {
     // Clear the IO_PENDING status
     SetStatus(URLRequestStatus());
   }
 
   NotifyReadComplete(result);
 }
 
-bool URLRequestHttpJob::ShouldTreatAsCertificateError(int result) {
-  if (!IsCertificateError(result))
-    return false;
-
-  // Revocation check failures are always certificate errors, even if the host
-  // is using Strict-Transport-Security.
-  if (result == ERR_CERT_UNABLE_TO_CHECK_REVOCATION)
-    return true;
-
-  // Check whether our context is using Strict-Transport-Security.
-  if (!context_->transport_security_state())
-    return true;
-
-  TransportSecurityState::DomainState domain_state;
-  const bool r = context_->transport_security_state()->IsEnabledForHost(
-      &domain_state, request_info_.url.host(),
-      SSLConfigService::IsSNIAvailable(context_->ssl_config_service()));
-
-  return !r;
-}
-
 void URLRequestHttpJob::RestartTransactionWithAuth(
     const string16& username,
     const string16& password) {
   username_ = username;
   password_ = password;
 
   // These will be reset in OnStartCompleted.
   response_info_ = NULL;
   response_cookies_.clear();
 
@@ skipping 635 matching lines @@
   if (done_)
     return;
   done_ = true;
 
   RecordPerfHistograms(reason);
   if (reason == FINISHED)
     RecordCompressionHistograms();
 }
 
 }  // namespace net