Index: net/http/http_security_headers.cc |
diff --git a/net/http/http_security_headers.cc b/net/http/http_security_headers.cc |
index d95e5878d7c4ce10e2e393d875fb254257d5b6de..5ac7eae04b224a2789f2440da390936997f4a2f2 100644 |
--- a/net/http/http_security_headers.cc |
+++ b/net/http/http_security_headers.cc |
@@ -273,14 +273,17 @@ bool ParseHSTSHeader(const std::string& value, |
} |
} |
-// "Public-Key-Pins" ":" |
+// "Public-Key-Pins[-Report-Only]" ":" |
// "max-age" "=" delta-seconds ";" |
// "pin-" algo "=" base64 [ ";" ... ] |
+// [ ";" "includeSubdomains" ] |
+// [ ";" "report-uri" "=" uri-reference ] |
bool ParseHPKPHeader(const std::string& value, |
const HashValueVector& chain_hashes, |
base::TimeDelta* max_age, |
bool* include_subdomains, |
- HashValueVector* hashes) { |
+ HashValueVector* hashes, |
+ std::string* report_uri) { |
bool parsed_max_age = false; |
bool include_subdomains_candidate = false; |
uint32 max_age_candidate = 0; |
@@ -311,6 +314,15 @@ bool ParseHPKPHeader(const std::string& value, |
return false; |
} else if (base::LowerCaseEqualsASCII(equals.first, "includesubdomains")) { |
include_subdomains_candidate = true; |
+ } else if (base::LowerCaseEqualsASCII(equals.first, "report-uri")) { |
+ // report-uris are always quoted. |
+ if (!HttpUtil::IsQuote(equals.second[0])) |
Ryan Sleevi
2015/06/26 19:41:52
SECURITY BUG: equals.second.empty() may be true, i
estark
2015/06/26 22:42:11
Done.
|
+ return false; |
+ |
+ // TODO(estark): Handle relative URLs here. |
+ *report_uri = HttpUtil::Unquote(equals.second); |
+ if (report_uri->empty()) |
+ return false; |
} else { |
// Silently ignore unknown directives for forward compatibility. |
} |