| Index: net/url_request/url_request_unittest.cc
|
| diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
|
| index 01af382db0f8cb435b2c19f1d6b7f6f85b7fc763..94b40582910c220d2e96daf319f055b9ba9a439f 100644
|
| --- a/net/url_request/url_request_unittest.cc
|
| +++ b/net/url_request/url_request_unittest.cc
|
| @@ -4959,14 +4959,13 @@ TEST_F(URLRequestTestHTTP, ProcessSTS) {
|
|
|
| TransportSecurityState* security_state =
|
| default_context_.transport_security_state();
|
| - bool sni_available = true;
|
| TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(security_state->GetDomainState(
|
| - SpawnedTestServer::kLocalhost, sni_available, &domain_state));
|
| + EXPECT_TRUE(security_state->GetDynamicDomainState(
|
| + SpawnedTestServer::kLocalhost, &domain_state));
|
| EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
|
| - domain_state.upgrade_mode);
|
| - EXPECT_TRUE(domain_state.sts_include_subdomains);
|
| - EXPECT_FALSE(domain_state.pkp_include_subdomains);
|
| + domain_state.sts.upgrade_mode);
|
| + EXPECT_TRUE(domain_state.sts.include_subdomains);
|
| + EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| #if defined(OS_ANDROID)
|
| // Android's CertVerifyProc does not (yet) handle pins.
|
| #else
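Review bot: The added `GetDynamicDomainState` lookup is only checked with `EXPECT_TRUE`, so when no dynamic entry was stored the test carries on and reads `sts`/`pkp` fields of a `domain_state` the call may never have filled in. Making the lookup fatal keeps the failure on the line that matters: `ASSERT_TRUE(security_state->GetDynamicDomainState(SpawnedTestServer::kLocalhost, &domain_state));`. This matters most where the following checks are `EXPECT_FALSE` or `MODE_DEFAULT` comparisons, which an untouched struct would presumably satisfy anyway. The same pattern recurs in the ProcessPKP, ProcessSTSOnce, ProcessSTSAndPKP and ProcessSTSAndPKP2 hunks. The test body starts and ends outside this hunk.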
|
| @@ -5003,17 +5002,15 @@ TEST_F(URLRequestTestHTTP, MAYBE_ProcessPKP) {
|
|
|
| TransportSecurityState* security_state =
|
| default_context_.transport_security_state();
|
| - bool sni_available = true;
|
| TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(security_state->GetDomainState(
|
| - SpawnedTestServer::kLocalhost, sni_available, &domain_state));
|
| + EXPECT_TRUE(security_state->GetDynamicDomainState(
|
| + SpawnedTestServer::kLocalhost, &domain_state));
|
| EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
|
| - domain_state.upgrade_mode);
|
| - EXPECT_FALSE(domain_state.sts_include_subdomains);
|
| - EXPECT_FALSE(domain_state.pkp_include_subdomains);
|
| + domain_state.sts.upgrade_mode);
|
| + EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| + EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| EXPECT_TRUE(domain_state.HasPublicKeyPins());
|
| - EXPECT_NE(domain_state.upgrade_expiry,
|
| - domain_state.dynamic_spki_hashes_expiry);
|
| + EXPECT_NE(domain_state.sts.expiry, domain_state.pkp.expiry);
|
| }
|
|
|
| TEST_F(URLRequestTestHTTP, ProcessSTSOnce) {
|
| @@ -5036,14 +5033,13 @@ TEST_F(URLRequestTestHTTP, ProcessSTSOnce) {
|
| // We should have set parameters from the first header, not the second.
|
| TransportSecurityState* security_state =
|
| default_context_.transport_security_state();
|
| - bool sni_available = true;
|
| TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(security_state->GetDomainState(
|
| - SpawnedTestServer::kLocalhost, sni_available, &domain_state));
|
| + EXPECT_TRUE(security_state->GetDynamicDomainState(
|
| + SpawnedTestServer::kLocalhost, &domain_state));
|
| EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
|
| - domain_state.upgrade_mode);
|
| - EXPECT_FALSE(domain_state.sts_include_subdomains);
|
| - EXPECT_FALSE(domain_state.pkp_include_subdomains);
|
| + domain_state.sts.upgrade_mode);
|
| + EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| + EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| }
|
|
|
| TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP) {
|
| @@ -5066,25 +5062,23 @@ TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP) {
|
| // We should have set parameters from the first header, not the second.
|
| TransportSecurityState* security_state =
|
| default_context_.transport_security_state();
|
| - bool sni_available = true;
|
| TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(security_state->GetDomainState(
|
| - SpawnedTestServer::kLocalhost, sni_available, &domain_state));
|
| + EXPECT_TRUE(security_state->GetDynamicDomainState(
|
| + SpawnedTestServer::kLocalhost, &domain_state));
|
| EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
|
| - domain_state.upgrade_mode);
|
| + domain_state.sts.upgrade_mode);
|
| #if defined(OS_ANDROID)
|
| // Android's CertVerifyProc does not (yet) handle pins.
|
| #else
|
| EXPECT_TRUE(domain_state.HasPublicKeyPins());
|
| #endif
|
| - EXPECT_NE(domain_state.upgrade_expiry,
|
| - domain_state.dynamic_spki_hashes_expiry);
|
| + EXPECT_NE(domain_state.sts.expiry, domain_state.pkp.expiry);
|
|
|
| // Even though there is an HSTS header asserting includeSubdomains, it is
|
| // the *second* such header, and we MUST process only the first.
|
| - EXPECT_FALSE(domain_state.sts_include_subdomains);
|
| + EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| // includeSubdomains does not occur in the test HPKP header.
|
| - EXPECT_FALSE(domain_state.pkp_include_subdomains);
|
| + EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| }
|
|
|
| // Tests that when multiple HPKP headers are present, asserting different
|
| @@ -5108,22 +5102,20 @@ TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP2) {
|
|
|
| TransportSecurityState* security_state =
|
| default_context_.transport_security_state();
|
| - bool sni_available = true;
|
| TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(security_state->GetDomainState(
|
| - SpawnedTestServer::kLocalhost, sni_available, &domain_state));
|
| + EXPECT_TRUE(security_state->GetDynamicDomainState(
|
| + SpawnedTestServer::kLocalhost, &domain_state));
|
| EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
|
| - domain_state.upgrade_mode);
|
| + domain_state.sts.upgrade_mode);
|
| #if defined(OS_ANDROID)
|
| // Android's CertVerifyProc does not (yet) handle pins.
|
| #else
|
| EXPECT_TRUE(domain_state.HasPublicKeyPins());
|
| #endif
|
| - EXPECT_NE(domain_state.upgrade_expiry,
|
| - domain_state.dynamic_spki_hashes_expiry);
|
| + EXPECT_NE(domain_state.sts.expiry, domain_state.pkp.expiry);
|
|
|
| - EXPECT_TRUE(domain_state.sts_include_subdomains);
|
| - EXPECT_FALSE(domain_state.pkp_include_subdomains);
|
| + EXPECT_TRUE(domain_state.sts.include_subdomains);
|
| + EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| }
|
|
|
| TEST_F(URLRequestTestHTTP, ContentTypeNormalizationTest) {
|
| @@ -6644,8 +6636,8 @@ TEST_F(HTTPSRequestTest, HTTPSErrorsNoClobberTSSTest) {
|
| context.set_host_resolver(&host_resolver);
|
| TransportSecurityState transport_security_state;
|
| TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(transport_security_state.GetDomainState("www.google.com", true,
|
| - &domain_state));
|
| + EXPECT_TRUE(transport_security_state.GetStaticDomainState(
|
| + "www.google.com", true, &domain_state));
|
| context.set_transport_security_state(&transport_security_state);
|
| context.Init();
|
|
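Review bot: The bare `true` passed to `GetStaticDomainState` no longer says what it controls, now that the `sni_available` local used by the other tests in this file has been removed. Keeping the name at the call site would help, either with `const bool sni_available = true;` or with an inline `/* sni_available */ true`. The same literal is repeated in the second `GetStaticDomainState` call in the next hunk.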
|
| @@ -6667,20 +6659,28 @@ TEST_F(HTTPSRequestTest, HTTPSErrorsNoClobberTSSTest) {
|
| EXPECT_TRUE(d.certificate_errors_are_fatal());
|
|
|
| // Get a fresh copy of the state, and check that it hasn't been updated.
|
| - TransportSecurityState::DomainState new_domain_state;
|
| - EXPECT_TRUE(transport_security_state.GetDomainState("www.google.com", true,
|
| - &new_domain_state));
|
| - EXPECT_EQ(new_domain_state.upgrade_mode, domain_state.upgrade_mode);
|
| - EXPECT_EQ(new_domain_state.sts_include_subdomains,
|
| - domain_state.sts_include_subdomains);
|
| - EXPECT_EQ(new_domain_state.pkp_include_subdomains,
|
| - domain_state.pkp_include_subdomains);
|
| - EXPECT_TRUE(FingerprintsEqual(new_domain_state.static_spki_hashes,
|
| - domain_state.static_spki_hashes));
|
| - EXPECT_TRUE(FingerprintsEqual(new_domain_state.dynamic_spki_hashes,
|
| - domain_state.dynamic_spki_hashes));
|
| - EXPECT_TRUE(FingerprintsEqual(new_domain_state.bad_static_spki_hashes,
|
| - domain_state.bad_static_spki_hashes));
|
| + TransportSecurityState::DomainState new_static_domain_state;
|
| + EXPECT_TRUE(transport_security_state.GetStaticDomainState(
|
| + "www.google.com", true, &new_static_domain_state));
|
| + TransportSecurityState::DomainState new_dynamic_domain_state;
|
| + EXPECT_TRUE(transport_security_state.GetDynamicDomainState(
|
| + "www.google.com", &new_dynamic_domain_state));
|
| +
|
| + // TODO(palmer): domain_state should be static_domain_state and
|
| + // dynamic_domain_state. Test that both static and dynamic are NOT
|
| + // updated.
|
| + EXPECT_EQ(new_dynamic_domain_state.sts.upgrade_mode,
|
| + domain_state.sts.upgrade_mode);
|
| + EXPECT_EQ(new_dynamic_domain_state.sts.include_subdomains,
|
| + domain_state.sts.include_subdomains);
|
| + EXPECT_EQ(new_dynamic_domain_state.pkp.include_subdomains,
|
| + domain_state.pkp.include_subdomains);
|
| + EXPECT_TRUE(FingerprintsEqual(new_static_domain_state.pkp.spki_hashes,
|
| + domain_state.pkp.spki_hashes));
|
| + EXPECT_TRUE(FingerprintsEqual(new_dynamic_domain_state.pkp.spki_hashes,
|
| + domain_state.pkp.spki_hashes));
|
| + EXPECT_TRUE(FingerprintsEqual(new_static_domain_state.pkp.bad_spki_hashes,
|
| + domain_state.pkp.bad_spki_hashes));
|
| }
|
|
|
| // Make sure HSTS preserves a POST request's method and body.
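Review bot: The fresh dynamic state is compared against `domain_state`, which was filled by `GetStaticDomainState` earlier in the test, so the `sts.*` and `pkp.include_subdomains` expectations compare two different sources rather than before and after copies of the same one. `new_static_domain_state.sts` is never checked at all. If a response with certificate errors is meant to leave no dynamic entry behind (inferred from the test name and the freshly constructed `TransportSecurityState`), the `EXPECT_TRUE` on `GetDynamicDomainState` looks inverted. `EXPECT_FALSE(transport_security_state.GetDynamicDomainState("www.google.com", &new_dynamic_domain_state));`, plus comparing `new_static_domain_state.sts.upgrade_mode` and `.sts.include_subdomains` with `domain_state`, would pin the no-clobber property directly. The TODO already notes the split, but it is better resolved in this change, because as written an error response that wrongly stored HSTS or HPKP state may not be caught.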
|
|
|