Process only the first Strict-Transport-Security header.

net/url_request/url_request_unittest.cc

Index: net/url_request/url_request_unittest.cc
===================================================================
--- net/url_request/url_request_unittest.cc	(revision 161880)
+++ net/url_request/url_request_unittest.cc	(working copy)
@@ -3060,6 +3060,33 @@
   EXPECT_EQ("a, b", header);
 }
 
+TEST_F(URLRequestTest, ProcessSTSOnce) {

[Ryan Sleevi, 2012/10/18 19:45:34]

nit: name this URLRequestTestHTTP

[palmer, 2012/10/18 21:01:58]

Done.

+  TestServer https_test_server(
+      TestServer::TYPE_HTTPS,
+      TestServer::kLocalhost,
+      FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest")));
+  ASSERT_TRUE(https_test_server.Start());
+
+  TestDelegate d;
+  URLRequest request(
+      https_test_server.GetURL("files/hsts-headers.html"),
+      &d,
+      &default_context_);
+  request.Start();
+  MessageLoop::current()->Run();
+
+  // We should have set parameters from the first header, not the second.
+  TransportSecurityState* security_state =
+      default_context_.transport_security_state();
+  bool sni_available = true;
+  TransportSecurityState::DomainState domain_state;
+  EXPECT_TRUE(security_state->GetDomainState(
+      TestServer::kLocalhost, sni_available, &domain_state));
+  EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
+            domain_state.upgrade_mode);
+  EXPECT_FALSE(domain_state.include_subdomains);

[Ryan Sleevi, 2012/10/18 19:45:34]

test nit: I would suggest adding a positive test that ensures a single STS
header, WITH include_subdomains, IS processed correctly.

Without the positive test, this test isn't fully covering the expected
behaviour, since it could be hidden by failing to handle include_subdomains
properly

[palmer, 2012/10/18 21:01:58]

Done.

+}
+
 TEST_F(URLRequestTestHTTP, ContentTypeNormalizationTest) {
   ASSERT_TRUE(test_server_.Start());