| Index: net/url_request/url_request_http_job.cc |
| =================================================================== |
| --- net/url_request/url_request_http_job.cc (revision 133741) |
| +++ net/url_request/url_request_http_job.cc (working copy) |
| @@ -144,10 +144,10 @@ |
| if (scheme == "http" && |
| request->context()->transport_security_state() && |
| request->context()->transport_security_state()->GetDomainState( |
| - &domain_state, |
| request->url().host(), |
| SSLConfigService::IsSNIAvailable( |
| - request->context()->ssl_config_service())) && |
| + request->context()->ssl_config_service()), |
| + &domain_state) && |
| domain_state.ShouldRedirectHTTPToHTTPS()) { |
| DCHECK_EQ(request->url().scheme(), "http"); |
| url_canon::Replacements<char> replacements; |
| @@ -599,30 +599,19 @@ |
| bool sni_available = |
| SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); |
| - if (!security_state->HasMetadata(&domain_state, host, sni_available)) { |
| - // |HasMetadata| may have altered |domain_state| while searching. If not |
| - // found, start with a fresh state. |
| - domain_state = TransportSecurityState::DomainState(); |
| - domain_state.mode = TransportSecurityState::DomainState::MODE_STRICT; |
| - } |
| + if (!security_state->GetDomainState(host, sni_available, &domain_state)) |
| + domain_state.upgrade_mode = |
| + TransportSecurityState::DomainState::MODE_FORCE_HTTPS; |
|
Ryan Sleevi
2012/04/26 19:21:12
I found the original comment was very helpful in e
palmer
2012/04/27 23:52:34
Done.
|
| HttpResponseHeaders* headers = GetResponseHeaders(); |
| std::string value; |
| void* iter = NULL; |
| + base::Time now = base::Time::Now(); |
| while (headers->EnumerateHeader(&iter, "Strict-Transport-Security", &value)) { |
| - int max_age; |
| - bool include_subdomains; |
| - if (TransportSecurityState::ParseHeader(value, &max_age, |
| - &include_subdomains)) { |
| - base::Time current_time(base::Time::Now()); |
| - base::TimeDelta max_age_delta = base::TimeDelta::FromSeconds(max_age); |
| - |
| - domain_state.expiry = current_time + max_age_delta; |
| - domain_state.include_subdomains = include_subdomains; |
| - |
| + TransportSecurityState::DomainState domain_state; |
| + if (domain_state.ParseSTSHeader(now, value)) |
| security_state->EnableHost(host, domain_state); |
| - } |
| } |
| } |
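Review bot: The `TransportSecurityState::DomainState domain_state;` declared inside the `while` loop shadows the `domain_state` that `GetDomainState(host, sni_available, &domain_state)` fills a few lines earlier, so neither the lookup result nor the `upgrade_mode = MODE_FORCE_HTTPS` fallback ever reaches `EnableHost`. If `EnableHost` replaces the stored entry for `host` (its body is not visible here), a Strict-Transport-Security header would overwrite whatever was previously stored for that host, possibly including dynamic pins, with a freshly constructed state. Either drop the inner declaration so that `ParseSTSHeader(now, value)` works on the looked-up state, as the Public-Key-Pins path in this file does, or delete the now-unused lookup and add a comment such as `// An STS header replaces the stored state for |host|; existing pins are intentionally not carried over.` The function begins above this hunk, so the outer declaration is not shown.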
| @@ -645,25 +634,21 @@ |
| bool sni_available = |
| SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); |
| - if (!security_state->HasMetadata(&domain_state, host, sni_available)) { |
| - // |HasMetadata| may have altered |domain_state| while searching. If not |
| - // found, start with a fresh state. |
| - domain_state = TransportSecurityState::DomainState(); |
| - domain_state.mode = TransportSecurityState::DomainState::MODE_PINNING_ONLY; |
| - } |
| + if (!security_state->GetDomainState(host, sni_available, &domain_state)) |
| + domain_state.upgrade_mode = |
| + TransportSecurityState::DomainState::MODE_DEFAULT; |
| HttpResponseHeaders* headers = GetResponseHeaders(); |
| void* iter = NULL; |
| std::string value; |
| + base::Time now = base::Time::Now(); |
| while (headers->EnumerateHeader(&iter, "Public-Key-Pins", &value)) { |
| // Note that ParsePinsHeader updates |domain_state| (iff the header parses |
| // correctly), but does not completely overwrite it. It just updates the |
| // dynamic pinning metadata. |
| - if (TransportSecurityState::ParsePinsHeader(value, ssl_info, |
| - &domain_state)) { |
| + if (domain_state.ParsePinsHeader(now, value, ssl_info)) |
| security_state->EnableHost(host, domain_state); |
| - } |
| } |
| } |
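Review bot: The not-found branch now sets only `domain_state.upgrade_mode` and no longer resets the struct, whereas the removed code first assigned a fresh `TransportSecurityState::DomainState()` because the lookup could modify its out-parameter while searching. If `GetDomainState` can still write to `domain_state` before returning false (its body is not in this diff), fields left over from a partial match would be merged with the parsed pins and stored by `EnableHost(host, domain_state)`. Keeping `domain_state = TransportSecurityState::DomainState();` ahead of the `upgrade_mode` assignment, with braces around the two statements, restores the old guarantee. Otherwise the declaration of `GetDomainState` should state that the out-parameter is left untouched on failure.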
| @@ -729,8 +714,9 @@ |
| const bool fatal = |
| context_->transport_security_state() && |
| context_->transport_security_state()->GetDomainState( |
| - &domain_state, request_info_.url.host(), |
| - SSLConfigService::IsSNIAvailable(context_->ssl_config_service())); |
| + request_info_.url.host(), |
| + SSLConfigService::IsSNIAvailable(context_->ssl_config_service()), |
| + &domain_state); |
| NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); |
| } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { |
| NotifyCertificateRequested( |
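Review bot: `fatal` depends only on whether `GetDomainState` finds an entry; the `domain_state` it fills is not consulted in the lines shown. Since this change appears to split the old mode into `upgrade_mode` values such as `MODE_FORCE_HTTPS` and `MODE_DEFAULT`, a short comment would help readers see that any stored state, not only force-HTTPS, presumably makes the certificate error fatal, for example `// Any known state for the host (HSTS or pins) makes certificate errors fatal.` If entries that only carry pins are not meant to have that effect, the condition would also need to inspect `domain_state`. The enclosing function starts and ends outside the hunk.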