OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/url_request/url_request_http_job.h" | 5 #include "net/url_request/url_request_http_job.h" |
6 | 6 |
7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
8 #include "base/bind.h" | 8 #include "base/bind.h" |
9 #include "base/bind_helpers.h" | 9 #include "base/bind_helpers.h" |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
(...skipping 648 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
659 void* iter = NULL; | 659 void* iter = NULL; |
660 HttpResponseHeaders* headers = GetResponseHeaders(); | 660 HttpResponseHeaders* headers = GetResponseHeaders(); |
661 while (headers->EnumerateHeader(&iter, name, &value)) { | 661 while (headers->EnumerateHeader(&iter, name, &value)) { |
662 if (!value.empty()) | 662 if (!value.empty()) |
663 cookies->push_back(value); | 663 cookies->push_back(value); |
664 } | 664 } |
665 } | 665 } |
666 | 666 |
667 // NOTE: |ProcessStrictTransportSecurityHeader| and | 667 // NOTE: |ProcessStrictTransportSecurityHeader| and |
668 // |ProcessPublicKeyPinsHeader| have very similar structures, by design. | 668 // |ProcessPublicKeyPinsHeader| have very similar structures, by design. |
669 // They manipulate different parts of |TransportSecurityState::DomainState|, | |
670 // and they must remain complementary. If, in future changes here, there is | |
671 // any conflict between their policies (such as in |domain_state.mode|), you | |
672 // should resolve the conflict in favor of the more strict policy. | |
673 void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() { | 669 void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() { |
674 DCHECK(response_info_); | 670 DCHECK(response_info_); |
675 | 671 TransportSecurityState* security_state = \ |
676 const URLRequestContext* ctx = request_->context(); | 672 request_->context()->transport_security_state(); |
Ryan Sleevi
2012/10/25 01:59:09
style: do not use \ for continuation - not necessa
unsafe
2012/10/25 06:59:54
Done.
| |
677 const SSLInfo& ssl_info = response_info_->ssl_info; | 673 const SSLInfo& ssl_info = response_info_->ssl_info; |
678 | 674 |
679 // Only accept strict transport security headers on HTTPS connections that | 675 // Only accept HSTS headers on HTTPS connections that have no |
680 // have no certificate errors. | 676 // certificate errors. |
681 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 677 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
682 !ctx->transport_security_state()) { | 678 !security_state) |
683 return; | 679 return; |
684 } | |
685 | |
686 TransportSecurityState* security_state = ctx->transport_security_state(); | |
687 TransportSecurityState::DomainState domain_state; | |
688 const std::string& host = request_info_.url.host(); | |
689 | |
690 bool sni_available = | |
691 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); | |
692 if (!security_state->GetDomainState(host, sni_available, &domain_state)) | |
693 // |GetDomainState| may have altered |domain_state| while searching. If | |
694 // not found, start with a fresh state. | |
695 domain_state.upgrade_mode = | |
696 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; | |
697 | 680 |
698 HttpResponseHeaders* headers = GetResponseHeaders(); | 681 HttpResponseHeaders* headers = GetResponseHeaders(); |
699 std::string value; | 682 std::string value; |
700 void* iter = NULL; | 683 if (headers->EnumerateHeader(NULL, "Strict-Transport-Security", &value)) |
701 base::Time now = base::Time::Now(); | 684 security_state->AddHSTSHeader(request_info_.url.host(), value); |
702 | |
703 while (headers->EnumerateHeader(&iter, "Strict-Transport-Security", &value)) { | |
704 TransportSecurityState::DomainState domain_state; | |
705 if (domain_state.ParseSTSHeader(now, value)) | |
706 security_state->EnableHost(host, domain_state); | |
707 } | |
708 } | 685 } |
709 | 686 |
710 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { | 687 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { |
711 DCHECK(response_info_); | 688 DCHECK(response_info_); |
712 | 689 TransportSecurityState* security_state = \ |
713 const URLRequestContext* ctx = request_->context(); | 690 request_->context()->transport_security_state(); |
714 const SSLInfo& ssl_info = response_info_->ssl_info; | 691 const SSLInfo& ssl_info = response_info_->ssl_info; |
715 | 692 |
716 // Only accept public key pins headers on HTTPS connections that have no | 693 // Only accept HPKP headers on HTTPS connections that have no |
717 // certificate errors. | 694 // certificate errors. |
718 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 695 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
719 !ctx->transport_security_state()) { | 696 !security_state) |
720 return; | 697 return; |
721 } | |
722 | |
723 TransportSecurityState* security_state = ctx->transport_security_state(); | |
724 TransportSecurityState::DomainState domain_state; | |
725 const std::string& host = request_info_.url.host(); | |
726 | |
727 bool sni_available = | |
728 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); | |
729 if (!security_state->GetDomainState(host, sni_available, &domain_state)) | |
730 // |GetDomainState| may have altered |domain_state| while searching. If | |
731 // not found, start with a fresh state. | |
732 domain_state.upgrade_mode = | |
733 TransportSecurityState::DomainState::MODE_DEFAULT; | |
734 | 698 |
735 HttpResponseHeaders* headers = GetResponseHeaders(); | 699 HttpResponseHeaders* headers = GetResponseHeaders(); |
736 void* iter = NULL; | |
737 std::string value; | 700 std::string value; |
738 base::Time now = base::Time::Now(); | 701 if (headers->EnumerateHeader(NULL, "Public-Key-Pins", &value)) |
739 | 702 security_state->AddHPKPHeader(request_info_.url.host(), value, ssl_info); |
740 while (headers->EnumerateHeader(&iter, "Public-Key-Pins", &value)) { | |
741 // Note that ParsePinsHeader updates |domain_state| (iff the header parses | |
742 // correctly), but does not completely overwrite it. It just updates the | |
743 // dynamic pinning metadata. | |
744 if (domain_state.ParsePinsHeader(now, value, ssl_info)) | |
745 security_state->EnableHost(host, domain_state); | |
746 } | |
747 } | 703 } |
748 | 704 |
749 void URLRequestHttpJob::OnStartCompleted(int result) { | 705 void URLRequestHttpJob::OnStartCompleted(int result) { |
750 RecordTimer(); | 706 RecordTimer(); |
751 | 707 |
752 // If the request was destroyed, then there is no more work to do. | 708 // If the request was destroyed, then there is no more work to do. |
753 if (!request_) | 709 if (!request_) |
754 return; | 710 return; |
755 | 711 |
756 // If the transaction was destroyed, then the job was cancelled, and | 712 // If the transaction was destroyed, then the job was cancelled, and |
(...skipping 747 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1504 | 1460 |
1505 void URLRequestHttpJob::NotifyURLRequestDestroyed() { | 1461 void URLRequestHttpJob::NotifyURLRequestDestroyed() { |
1506 awaiting_callback_ = false; | 1462 awaiting_callback_ = false; |
1507 } | 1463 } |
1508 | 1464 |
1509 void URLRequestHttpJob::OnDetachRequest() { | 1465 void URLRequestHttpJob::OnDetachRequest() { |
1510 http_transaction_delegate_->OnDetachRequest(); | 1466 http_transaction_delegate_->OnDetachRequest(); |
1511 } | 1467 } |
1512 | 1468 |
1513 } // namespace net | 1469 } // namespace net |
OLD | NEW |