Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(168)

Issue 1059303002: Don't process HSTS/HPKP headers when host is an IP address (Closed)

Created:
5 years, 8 months ago by estark
Modified:
5 years, 8 months ago
Reviewers:
palmer, Ryan Sleevi
CC:
chromium-reviews, cbentzel+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Don't process HSTS/HPKP headers when host is an IP address HSTS/HPKP headers should only be parsed when the host is not an IP address. This change requires fixing the HSTS/HPKP tests to use localhost test server URLs instead of 127.0.0.1, with a corresponding cert. BUG=456712 Committed: https://crrev.com/8488b5886ccec4820578905acd42f95cf42f5b17 Cr-Commit-Position: refs/heads/master@{#323913} Committed: https://crrev.com/a5da7670ab3e46bfc6c0bc0e3d73c9d7eb835ed9 Cr-Commit-Position: refs/heads/master@{#324359}

Patch Set 1 #

Patch Set 2 : remove stray semicolons #

Patch Set 3 : add tests for HPKP/HSTS headers on IPs #

Total comments: 4

Patch Set 4 : unify try and quiet_try #

Patch Set 5 : tweak comment #

Patch Set 6 : tweak |try| to retain exit code #

Total comments: 18

Patch Set 7 : add localhost SAN #

Patch Set 8 : make |try| consistent in all cert generation scripts #

Patch Set 9 : style fixes and other tweaks #

Patch Set 10 : rebase #

Patch Set 11 : ugly workaround for mac 10.6 getaddrinfo bug #

Unified diffs Side-by-side diffs Delta from patch set Stats (+287 lines, -54 lines) Patch
M chrome/browser/net/websocket_browsertest.cc View 9 2 chunks +14 lines, -9 lines 0 comments Download
A net/data/ssl/certificates/localhost_cert.pem View 1 2 3 4 5 6 1 chunk +111 lines, -0 lines 0 comments Download
M net/data/ssl/scripts/ee.cnf View 1 2 3 4 5 6 1 chunk +10 lines, -0 lines 0 comments Download
M net/data/ssl/scripts/generate-aia-certs.sh View 1 2 3 4 5 6 7 1 chunk +1 line, -2 lines 0 comments Download
M net/data/ssl/scripts/generate-cross-signed-certs.sh View 1 2 3 4 5 6 7 2 chunks +4 lines, -9 lines 0 comments Download
M net/data/ssl/scripts/generate-policy-certs.sh View 1 2 3 4 5 6 7 1 chunk +1 line, -2 lines 0 comments Download
M net/data/ssl/scripts/generate-test-certs.sh View 1 2 3 4 5 6 7 5 chunks +22 lines, -5 lines 0 comments Download
M net/data/url_request_unittest/hpkp-headers.html.mock-http-headers View 1 2 3 4 5 6 1 chunk +1 line, -1 line 0 comments Download
M net/data/url_request_unittest/hsts-and-hpkp-headers.html.mock-http-headers View 1 2 3 4 5 6 1 chunk +1 line, -1 line 0 comments Download
M net/data/url_request_unittest/hsts-and-hpkp-headers2.html.mock-http-headers View 1 2 3 4 5 6 1 chunk +2 lines, -2 lines 0 comments Download
M net/test/spawned_test_server/base_test_server.h View 1 2 3 4 5 6 7 8 9 1 chunk +4 lines, -0 lines 0 comments Download
M net/test/spawned_test_server/base_test_server.cc View 1 2 3 4 5 6 7 8 9 2 chunks +13 lines, -5 lines 0 comments Download
M net/tools/testserver/testserver.py View 1 2 3 4 5 6 7 8 9 10 2 chunks +10 lines, -0 lines 0 comments Download
M net/url_request/url_request_http_job.cc View 2 chunks +8 lines, -0 lines 0 comments Download
M net/url_request/url_request_unittest.cc View 1 2 3 4 5 6 7 8 9 11 chunks +78 lines, -15 lines 0 comments Download
M net/websockets/websocket_end_to_end_test.cc View 1 9 3 chunks +7 lines, -3 lines 0 comments Download

Messages

Total messages: 27 (6 generated)
estark
Chris, Ryan, could you please take a look? This is the simplified approach to crbug.com/456712 ...
5 years, 8 months ago (2015-04-03 19:41:16 UTC) #2
palmer
LGTM. Thanks! https://codereview.chromium.org/1059303002/diff/40001/net/data/ssl/scripts/generate-test-certs.sh File net/data/ssl/scripts/generate-test-certs.sh (right): https://codereview.chromium.org/1059303002/diff/40001/net/data/ssl/scripts/generate-test-certs.sh#newcode16 net/data/ssl/scripts/generate-test-certs.sh:16: "$@" || exit 1 Idea (take it ...
5 years, 8 months ago (2015-04-03 21:04:51 UTC) #3
estark
Thanks Chris. https://codereview.chromium.org/1059303002/diff/40001/net/data/ssl/scripts/generate-test-certs.sh File net/data/ssl/scripts/generate-test-certs.sh (right): https://codereview.chromium.org/1059303002/diff/40001/net/data/ssl/scripts/generate-test-certs.sh#newcode16 net/data/ssl/scripts/generate-test-certs.sh:16: "$@" || exit 1 On 2015/04/03 21:04:51, ...
5 years, 8 months ago (2015-04-03 21:22:31 UTC) #4
estark
suggestion from Chris to retain exit code of a failed command in |try|
5 years, 8 months ago (2015-04-03 21:27:36 UTC) #5
Ryan Sleevi
Mostly LGTM, but it wouldn't be a review w/o nits. https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf File net/data/ssl/scripts/ee.cnf (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf#newcode41 ...
5 years, 8 months ago (2015-04-04 00:35:24 UTC) #6
estark
Thanks rsleevi, quick question inline before I address your nits. https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh File net/data/ssl/scripts/generate-cross-signed-certs.sh (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh#newcode22 ...
5 years, 8 months ago (2015-04-04 00:40:18 UTC) #7
Ryan Sleevi
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh File net/data/ssl/scripts/generate-cross-signed-certs.sh (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh#newcode22 net/data/ssl/scripts/generate-cross-signed-certs.sh:22: "$@" || (e=$?; echo "$@" > /dev/stderr && exit ...
5 years, 8 months ago (2015-04-04 00:46:43 UTC) #8
palmer
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh File net/data/ssl/scripts/generate-cross-signed-certs.sh (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh#newcode22 net/data/ssl/scripts/generate-cross-signed-certs.sh:22: "$@" || (e=$?; echo "$@" > /dev/stderr && exit ...
5 years, 8 months ago (2015-04-04 01:48:56 UTC) #9
estark
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf File net/data/ssl/scripts/ee.cnf (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf#newcode41 net/data/ssl/scripts/ee.cnf:41: [req_extensions_none] On 2015/04/04 00:35:24, Ryan Sleevi wrote: > Nah, ...
5 years, 8 months ago (2015-04-06 16:41:13 UTC) #10
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1059303002/160001
5 years, 8 months ago (2015-04-06 16:41:50 UTC) #13
commit-bot: I haz the power
Committed patchset #9 (id:160001)
5 years, 8 months ago (2015-04-06 17:31:54 UTC) #14
commit-bot: I haz the power
Patchset 9 (id:??) landed as https://crrev.com/8488b5886ccec4820578905acd42f95cf42f5b17 Cr-Commit-Position: refs/heads/master@{#323913}
5 years, 8 months ago (2015-04-06 17:36:29 UTC) #15
estark
A revert of this CL (patchset #9 id:160001) has been created in https://codereview.chromium.org/1066613002/ by estark@chromium.org. ...
5 years, 8 months ago (2015-04-06 19:54:56 UTC) #16
estark
rsleevi, palmer: is the cause of this test failure obvious to either of you? https://build.chromium.org/p/chromium.mac/builders/Mac10.6%20Tests/builds/758 ...
5 years, 8 months ago (2015-04-06 20:15:59 UTC) #17
estark
Okay, so it turns out this test failure is probably due to a Mac 10.6 ...
5 years, 8 months ago (2015-04-07 00:50:46 UTC) #19
estark
On 2015/04/07 00:50:46, emily wrote: > Okay, so it turns out this test failure is ...
5 years, 8 months ago (2015-04-08 22:19:54 UTC) #20
palmer
Your workaround seems OK to me.
5 years, 8 months ago (2015-04-08 23:01:49 UTC) #21
Ryan Sleevi
On 2015/04/08 23:01:49, palmer wrote: > Your workaround seems OK to me. Sorry for the ...
5 years, 8 months ago (2015-04-09 00:35:43 UTC) #22
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1059303002/220001
5 years, 8 months ago (2015-04-09 00:39:45 UTC) #25
commit-bot: I haz the power
Committed patchset #11 (id:220001)
5 years, 8 months ago (2015-04-09 04:00:23 UTC) #26
commit-bot: I haz the power
5 years, 8 months ago (2015-04-09 04:01:20 UTC) #27
Message was sent while issue was closed.
Patchset 11 (id:??) landed as
https://crrev.com/a5da7670ab3e46bfc6c0bc0e3d73c9d7eb835ed9
Cr-Commit-Position: refs/heads/master@{#324359}

Powered by Google App Engine
This is Rietveld 408576698