Separate http_security_headers from transport_security_state

net/base/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_
 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_
 
 #include <map>
 #include <string>
 #include <utility>
@@ skipping 43 matching lines @@
    public:
     enum UpgradeMode {
       // These numbers must match those in hsts_view.js, function modeToString.
       MODE_FORCE_HTTPS = 0,
       MODE_DEFAULT = 1,
     };
 
     DomainState();
     ~DomainState();
 
-    // Parses |value| as a Public-Key-Pins header. If successful, returns true
-    // and updates the |dynamic_spki_hashes| and |dynamic_spki_hashes_expiry|
-    // fields; otherwise, returns false without updating any fields.
-    // Interprets the max-age directive relative to |now|.
-    bool ParsePinsHeader(const base::Time& now,
-                         const std::string& value,
-                         const SSLInfo& ssl_info);
-
-    // Parses |value| as a Strict-Transport-Security header. If successful,
-    // returns true and updates the |upgrade_mode|, |upgrade_expiry| and
-    // |include_subdomains| fields; otherwise, returns false without updating
-    // any fields. Interprets the max-age directive relative to |now|.
-    bool ParseSTSHeader(const base::Time& now, const std::string& value);
-
     // Takes a set of SubjectPublicKeyInfo |hashes| and returns true if:
     //   1) |bad_static_spki_hashes| does not intersect |hashes|; AND
     //   2) Both |static_spki_hashes| and |dynamic_spki_hashes| are empty
     //      or at least one of them intersects |hashes|.
     //
     // |{dynamic,static}_spki_hashes| contain trustworthy public key hashes,
     // any one of which is sufficient to validate the certificate chain in
     // question. The public keys could be of a root CA, intermediate CA, or
     // leaf certificate, depending on the security vs. disaster recovery
     // tradeoff selected. (Pinning only to leaf certifiates increases
@@ skipping 142 matching lines @@
   void AddOrUpdateEnabledHosts(const std::string& hashed_host,
                                const DomainState& state);
 
   // Inserts |state| into |forced_hosts_| under the key |hashed_host|.
   // |hashed_host| is already in the internal representation
   // HashHost(CanonicalizeHost(host)); thus, most callers will use
   // |EnableHost|.
   void AddOrUpdateForcedHosts(const std::string& hashed_host,
                               const DomainState& state);
 
+  // Processes an HSTS header value from the host, adding entries to
+  // dynamic state if necessary.
+  bool AddHSTSHeader(const std::string& host, const std::string& value);
+
+  // Processes an HPKP header value from the host, adding entries to
+  // dynamic state if necessary.  ssl_info is used to check that
+  // the specified pins overlap with the certificate chain.
+  bool AddHPKPHeader(const std::string& host, const std::string& value,
+                     const SSLInfo& ssl_info);
+
   // Returns true iff we have any static public key pins for the |host| and
   // iff its set of required pins is the set we expect for Google
   // properties.
   //
   // If |sni_enabled| is true, searches the static pins defined for
   // SNI-using hosts as well as the rest of the pins.
   //
   // If |host| matches both an exact entry and is a subdomain of another
   // entry, the exact match determines the return value.
   static bool IsGooglePinnedProperty(const std::string& host,
                                      bool sni_enabled);
 
-  // Decodes a pin string |value| (e.g. "sha1/hvfkN/qlp/zhXR3cuerq6jd2Z7g=").
-  // If parsing succeeded, updates |*out| and returns true; otherwise returns
-  // false without updating |*out|.
-  static bool ParsePin(const std::string& value, HashValue* out);
-
   // The maximum number of seconds for which we'll cache an HSTS request.
   static const long int kMaxHSTSAgeSecs;
 
   // Converts |hostname| from dotted form ("www.google.com") to the form
   // used in DNS: "\x03www\x06google\x03com", lowercases that, and returns
   // the result.
   static std::string CanonicalizeHost(const std::string& hostname);
 
   // Send an UMA report on pin validation failure, if the host is in a
   // statically-defined list of domains.
@@ skipping 20 matching lines @@
   std::map<std::string, DomainState> forced_hosts_;
 
   Delegate* delegate_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_TRANSPORT_SECURITY_STATE_H_