OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/url_request/url_request_http_job.h" | 5 #include "net/url_request/url_request_http_job.h" |
6 | 6 |
7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
8 #include "base/bind.h" | 8 #include "base/bind.h" |
9 #include "base/bind_helpers.h" | 9 #include "base/bind_helpers.h" |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
(...skipping 649 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
660 void* iter = NULL; | 660 void* iter = NULL; |
661 HttpResponseHeaders* headers = GetResponseHeaders(); | 661 HttpResponseHeaders* headers = GetResponseHeaders(); |
662 while (headers->EnumerateHeader(&iter, name, &value)) { | 662 while (headers->EnumerateHeader(&iter, name, &value)) { |
663 if (!value.empty()) | 663 if (!value.empty()) |
664 cookies->push_back(value); | 664 cookies->push_back(value); |
665 } | 665 } |
666 } | 666 } |
667 | 667 |
668 // NOTE: |ProcessStrictTransportSecurityHeader| and | 668 // NOTE: |ProcessStrictTransportSecurityHeader| and |
669 // |ProcessPublicKeyPinsHeader| have very similar structures, by design. | 669 // |ProcessPublicKeyPinsHeader| have very similar structures, by design. |
670 // They manipulate different parts of |TransportSecurityState::DomainState|, | |
671 // and they must remain complementary. If, in future changes here, there is | |
672 // any conflict between their policies (such as in |domain_state.mode|), you | |
673 // should resolve the conflict in favor of the more strict policy. | |
674 void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() { | 670 void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() { |
675 DCHECK(response_info_); | 671 DCHECK(response_info_); |
676 | 672 TransportSecurityState* security_state = |
677 const URLRequestContext* ctx = request_->context(); | 673 request_->context()->transport_security_state(); |
678 const SSLInfo& ssl_info = response_info_->ssl_info; | 674 const SSLInfo& ssl_info = response_info_->ssl_info; |
679 | 675 |
680 // Only accept strict transport security headers on HTTPS connections that | 676 // Only accept HSTS headers on HTTPS connections that have no |
681 // have no certificate errors. | 677 // certificate errors. |
682 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 678 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
683 !ctx->transport_security_state()) { | 679 !security_state) |
684 return; | 680 return; |
685 } | |
686 | |
687 TransportSecurityState* security_state = ctx->transport_security_state(); | |
688 TransportSecurityState::DomainState domain_state; | |
689 const std::string& host = request_info_.url.host(); | |
690 | |
691 bool sni_available = | |
692 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); | |
693 if (!security_state->GetDomainState(host, sni_available, &domain_state)) | |
694 // |GetDomainState| may have altered |domain_state| while searching. If | |
695 // not found, start with a fresh state. | |
696 domain_state.upgrade_mode = | |
697 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; | |
698 | 681 |
699 HttpResponseHeaders* headers = GetResponseHeaders(); | 682 HttpResponseHeaders* headers = GetResponseHeaders(); |
700 std::string value; | 683 std::string value; |
701 void* iter = NULL; | 684 if (headers->EnumerateHeader(NULL, "Strict-Transport-Security", &value)) |
702 base::Time now = base::Time::Now(); | 685 security_state->AddHSTSHeader(request_info_.url.host(), value); |
703 | |
704 while (headers->EnumerateHeader(&iter, "Strict-Transport-Security", &value)) { | |
705 TransportSecurityState::DomainState domain_state; | |
706 if (domain_state.ParseSTSHeader(now, value)) | |
707 security_state->EnableHost(host, domain_state); | |
708 } | |
709 } | 686 } |
710 | 687 |
711 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { | 688 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { |
712 DCHECK(response_info_); | 689 DCHECK(response_info_); |
713 | 690 TransportSecurityState* security_state = |
714 const URLRequestContext* ctx = request_->context(); | 691 request_->context()->transport_security_state(); |
715 const SSLInfo& ssl_info = response_info_->ssl_info; | 692 const SSLInfo& ssl_info = response_info_->ssl_info; |
716 | 693 |
717 // Only accept public key pins headers on HTTPS connections that have no | 694 // Only accept HPKP headers on HTTPS connections that have no |
718 // certificate errors. | 695 // certificate errors. |
719 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 696 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
720 !ctx->transport_security_state()) { | 697 !security_state) |
721 return; | 698 return; |
722 } | |
723 | |
724 TransportSecurityState* security_state = ctx->transport_security_state(); | |
725 TransportSecurityState::DomainState domain_state; | |
726 const std::string& host = request_info_.url.host(); | |
727 | |
728 bool sni_available = | |
729 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); | |
730 if (!security_state->GetDomainState(host, sni_available, &domain_state)) | |
731 // |GetDomainState| may have altered |domain_state| while searching. If | |
732 // not found, start with a fresh state. | |
733 domain_state.upgrade_mode = | |
734 TransportSecurityState::DomainState::MODE_DEFAULT; | |
735 | 699 |
736 HttpResponseHeaders* headers = GetResponseHeaders(); | 700 HttpResponseHeaders* headers = GetResponseHeaders(); |
737 void* iter = NULL; | |
738 std::string value; | 701 std::string value; |
739 base::Time now = base::Time::Now(); | 702 if (headers->EnumerateHeader(NULL, "Public-Key-Pins", &value)) |
740 | 703 security_state->AddHPKPHeader(request_info_.url.host(), value, ssl_info); |
741 while (headers->EnumerateHeader(&iter, "Public-Key-Pins", &value)) { | |
742 // Note that ParsePinsHeader updates |domain_state| (iff the header parses | |
743 // correctly), but does not completely overwrite it. It just updates the | |
744 // dynamic pinning metadata. | |
745 if (domain_state.ParsePinsHeader(now, value, ssl_info)) | |
746 security_state->EnableHost(host, domain_state); | |
747 } | |
748 } | 704 } |
749 | 705 |
750 void URLRequestHttpJob::OnStartCompleted(int result) { | 706 void URLRequestHttpJob::OnStartCompleted(int result) { |
751 RecordTimer(); | 707 RecordTimer(); |
752 | 708 |
753 // If the request was destroyed, then there is no more work to do. | 709 // If the request was destroyed, then there is no more work to do. |
754 if (!request_) | 710 if (!request_) |
755 return; | 711 return; |
756 | 712 |
757 // If the transaction was destroyed, then the job was cancelled, and | 713 // If the transaction was destroyed, then the job was cancelled, and |
(...skipping 748 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1506 | 1462 |
1507 void URLRequestHttpJob::NotifyURLRequestDestroyed() { | 1463 void URLRequestHttpJob::NotifyURLRequestDestroyed() { |
1508 awaiting_callback_ = false; | 1464 awaiting_callback_ = false; |
1509 } | 1465 } |
1510 | 1466 |
1511 void URLRequestHttpJob::OnDetachRequest() { | 1467 void URLRequestHttpJob::OnDetachRequest() { |
1512 http_transaction_delegate_->OnDetachRequest(); | 1468 http_transaction_delegate_->OnDetachRequest(); |
1513 } | 1469 } |
1514 | 1470 |
1515 } // namespace net | 1471 } // namespace net |
OLD | NEW |