net/http/http_security_headers_unittest.cc - Issue 103803012: Make HSTS headers not clobber preloaded pins.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/http/http_security_headers_unittest.cc

Issue 103803012: Make HSTS headers not clobber preloaded pins. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Remove spurious debugging junk. Sigh. Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/http/http_security_headers_unittest.cc

diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc

index 42a5ee9896062504e21575f23519983d5caa9652..ae3d0a0e9a567a95f3a9e01330712ae388d9415a 100644

--- a/net/http/http_security_headers_unittest.cc

+++ b/net/http/http_security_headers_unittest.cc

@@ -516,4 +516,44 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {

EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash);

}

+TEST_F(HttpSecurityHeadersTest, NoClobberPins) {

+ TransportSecurityState state;

+ TransportSecurityState::DomainState domain_state;

+ std::string domain("accounts.google.com");

+ // Retrieve the DomainState as it is by default, including its known good

+ // pins. Assert sanity.

+ EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));

+ HashValueVector saved_hashes = domain_state.static_spki_hashes;

+ EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());

+ EXPECT_TRUE(domain_state.HasPublicKeyPins());

+ // Add a dynamic header. Due to bug crbug.com/29386, this will mask the

+ // static pins. However, we temporarily work around that in

+ // CheckPublicKeyPins (invoked below). CheckPublicKeyPins should still

+ // pass when given the original |saved_hashes|.

+ EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));

+ EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());

+ EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));

+ EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes));

+ // Add a header, which should only update the dynamic state.

+ HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);

+ std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);

+ std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);

+ std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;

+ // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.

+ SSLInfo ssl_info;

+ ssl_info.public_key_hashes.push_back(good_hash);

+ ssl_info.public_key_hashes.push_back(saved_hashes[0]);

+ EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));

+ EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());

+ EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));

+ EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes));

}; // namespace net

« no previous file with comments | « no previous file | net/http/transport_security_state.cc » ('j') | net/http/transport_security_state.cc » ('J')