Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(510)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/transport_security_persister.cc

Issue 103803012: Make HSTS headers not clobber preloaded pins. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase and updated comment. Created 6 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/http/http_security_headers_unittest.cc ('K') | « net/http/http_security_headers_unittest.cc ('k') | net/http/transport_security_persister_unittest.cc » ('j') | net/http/transport_security_state.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/transport_security_persister.cc
diff --git a/net/http/transport_security_persister.cc b/net/http/transport_security_persister.cc
index d93291f4e7e29742e13e8004e646e42716a5c9bc..876bb7a90ac4a812f590815663142d07e088c478 100644
--- a/net/http/transport_security_persister.cc
+++ b/net/http/transport_security_persister.cc
@@ -148,16 +148,18 @@ bool TransportSecurityPersister::SerializeData(std::string* output) {
base::DictionaryValue* serialized = new base::DictionaryValue;
serialized->SetBoolean(kStsIncludeSubdomains,
- domain_state.sts_include_subdomains);
+ domain_state.dynamic_sts.include_subdomains);
serialized->SetBoolean(kPkpIncludeSubdomains,
- domain_state.pkp_include_subdomains);
- serialized->SetDouble(kStsObserved, domain_state.sts_observed.ToDoubleT());
- serialized->SetDouble(kPkpObserved, domain_state.pkp_observed.ToDoubleT());
- serialized->SetDouble(kExpiry, domain_state.upgrade_expiry.ToDoubleT());
+ domain_state.dynamic_pkp.include_subdomains);
+ serialized->SetDouble(kStsObserved,
+ domain_state.dynamic_sts.last_observed.ToDoubleT());
+ serialized->SetDouble(kPkpObserved,
+ domain_state.dynamic_pkp.last_observed.ToDoubleT());
+ serialized->SetDouble(kExpiry, domain_state.dynamic_sts.expiry.ToDoubleT());
serialized->SetDouble(kDynamicSPKIHashesExpiry,
- domain_state.dynamic_spki_hashes_expiry.ToDoubleT());
+ domain_state.dynamic_pkp.expiry.ToDoubleT());
- switch (domain_state.upgrade_mode) {
+ switch (domain_state.dynamic_sts.upgrade_mode) {
case TransportSecurityState::DomainState::MODE_FORCE_HTTPS:
serialized->SetString(kMode, kForceHTTPS);
break;
@@ -171,11 +173,11 @@ bool TransportSecurityPersister::SerializeData(std::string* output) {
}
serialized->Set(kStaticSPKIHashes,
- SPKIHashesToListValue(domain_state.static_spki_hashes));
+ SPKIHashesToListValue(domain_state.static_pkp.spki_hashes));
- if (now < domain_state.dynamic_spki_hashes_expiry) {
+ if (now < domain_state.dynamic_pkp.expiry) {
serialized->Set(kDynamicSPKIHashes,
- SPKIHashesToListValue(domain_state.dynamic_spki_hashes));
+ SPKIHashesToListValue(domain_state.dynamic_pkp.spki_hashes));
}
toplevel.Set(HashedDomainToExternalString(hostname), serialized);
@@ -226,14 +228,14 @@ bool TransportSecurityPersister::Deserialize(const std::string& serialized,
bool include_subdomains = false;
bool parsed_include_subdomains = parsed->GetBoolean(kIncludeSubdomains,
&include_subdomains);
- domain_state.sts_include_subdomains = include_subdomains;
- domain_state.pkp_include_subdomains = include_subdomains;
+ domain_state.dynamic_sts.include_subdomains = include_subdomains;
+ domain_state.dynamic_pkp.include_subdomains = include_subdomains;
if (parsed->GetBoolean(kStsIncludeSubdomains, &include_subdomains)) {
- domain_state.sts_include_subdomains = include_subdomains;
+ domain_state.dynamic_sts.include_subdomains = include_subdomains;
parsed_include_subdomains = true;
}
if (parsed->GetBoolean(kPkpIncludeSubdomains, &include_subdomains)) {
- domain_state.pkp_include_subdomains = include_subdomains;
+ domain_state.dynamic_pkp.include_subdomains = include_subdomains;
parsed_include_subdomains = true;
}
@@ -250,20 +252,25 @@ bool TransportSecurityPersister::Deserialize(const std::string& serialized,
&dynamic_spki_hashes_expiry);
const base::ListValue* pins_list = NULL;
+ // TODO(palmer): crbug.com/339907: We should stop deserializing into the
+ // static set.
+ //
Ryan Sleevi 2014/03/07 01:39:19 comment nit: // TODO(palmer): http://crbug.com/33
palmer 2014/03/14 21:33:39 Done.
// preloaded_spki_hashes is a legacy synonym for static_spki_hashes.
if (parsed->GetList(kStaticSPKIHashes, &pins_list))
- SPKIHashesFromListValue(*pins_list, &domain_state.static_spki_hashes);
+ SPKIHashesFromListValue(*pins_list, &domain_state.static_pkp.spki_hashes);
else if (parsed->GetList(kPreloadedSPKIHashes, &pins_list))
- SPKIHashesFromListValue(*pins_list, &domain_state.static_spki_hashes);
+ SPKIHashesFromListValue(*pins_list, &domain_state.static_pkp.spki_hashes);
- if (parsed->GetList(kDynamicSPKIHashes, &pins_list))
- SPKIHashesFromListValue(*pins_list, &domain_state.dynamic_spki_hashes);
+ if (parsed->GetList(kDynamicSPKIHashes, &pins_list)) {
+ SPKIHashesFromListValue(*pins_list,
+ &domain_state.dynamic_pkp.spki_hashes);
+ }
if (mode_string == kForceHTTPS || mode_string == kStrict) {
- domain_state.upgrade_mode =
+ domain_state.dynamic_sts.upgrade_mode =
TransportSecurityState::DomainState::MODE_FORCE_HTTPS;
} else if (mode_string == kDefault || mode_string == kPinningOnly) {
- domain_state.upgrade_mode =
+ domain_state.dynamic_sts.upgrade_mode =
TransportSecurityState::DomainState::MODE_DEFAULT;
} else {
LOG(WARNING) << "Unknown TransportSecurityState mode string "
@@ -272,34 +279,38 @@ bool TransportSecurityPersister::Deserialize(const std::string& serialized,
continue;
}
- domain_state.upgrade_expiry = base::Time::FromDoubleT(expiry);
- domain_state.dynamic_spki_hashes_expiry =
+ domain_state.dynamic_sts.expiry = base::Time::FromDoubleT(expiry);
+ domain_state.dynamic_pkp.expiry =
base::Time::FromDoubleT(dynamic_spki_hashes_expiry);
double sts_observed;
double pkp_observed;
if (parsed->GetDouble(kStsObserved, &sts_observed)) {
- domain_state.sts_observed = base::Time::FromDoubleT(sts_observed);
+ domain_state.dynamic_sts.last_observed =
+ base::Time::FromDoubleT(sts_observed);
} else if (parsed->GetDouble(kCreated, &sts_observed)) {
// kCreated is a legacy synonym for both kStsObserved and kPkpObserved.
- domain_state.sts_observed = base::Time::FromDoubleT(sts_observed);
+ domain_state.dynamic_sts.last_observed =
+ base::Time::FromDoubleT(sts_observed);
} else {
// We're migrating an old entry with no observation date. Make sure we
// write the new date back in a reasonable time frame.
dirtied = true;
- domain_state.sts_observed = base::Time::Now();
+ domain_state.dynamic_sts.last_observed = base::Time::Now();
}
if (parsed->GetDouble(kPkpObserved, &pkp_observed)) {
- domain_state.pkp_observed = base::Time::FromDoubleT(pkp_observed);
+ domain_state.dynamic_pkp.last_observed =
+ base::Time::FromDoubleT(pkp_observed);
} else if (parsed->GetDouble(kCreated, &pkp_observed)) {
- domain_state.pkp_observed = base::Time::FromDoubleT(pkp_observed);
+ domain_state.dynamic_pkp.last_observed =
+ base::Time::FromDoubleT(pkp_observed);
} else {
dirtied = true;
- domain_state.pkp_observed = base::Time::Now();
+ domain_state.dynamic_pkp.last_observed = base::Time::Now();
}
- if (domain_state.upgrade_expiry <= current_time &&
- domain_state.dynamic_spki_hashes_expiry <= current_time) {
+ if (domain_state.dynamic_sts.expiry <= current_time &&
+ domain_state.dynamic_pkp.expiry <= current_time) {
// Make sure we dirty the state if we drop an entry.
dirtied = true;
continue;
« net/http/http_security_headers_unittest.cc ('K') | « net/http/http_security_headers_unittest.cc ('k') | net/http/transport_security_persister_unittest.cc » ('j') | net/http/transport_security_state.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698