Parse HPKP report-uri and persist in TransportSecurityPersister

net/http/http_security_headers.cc

Index: net/http/http_security_headers.cc
diff --git a/net/http/http_security_headers.cc b/net/http/http_security_headers.cc
index d95e5878d7c4ce10e2e393d875fb254257d5b6de..5ac7eae04b224a2789f2440da390936997f4a2f2 100644
--- a/net/http/http_security_headers.cc
+++ b/net/http/http_security_headers.cc
@@ -273,14 +273,17 @@ bool ParseHSTSHeader(const std::string& value,
   }
 }
 
-// "Public-Key-Pins" ":"
+// "Public-Key-Pins[-Report-Only]" ":"
 //     "max-age" "=" delta-seconds ";"
 //     "pin-" algo "=" base64 [ ";" ... ]
+//     [ ";" "includeSubdomains" ]
+//     [ ";" "report-uri" "=" uri-reference ]
 bool ParseHPKPHeader(const std::string& value,
                      const HashValueVector& chain_hashes,
                      base::TimeDelta* max_age,
                      bool* include_subdomains,
-                     HashValueVector* hashes) {
+                     HashValueVector* hashes,
+                     std::string* report_uri) {
   bool parsed_max_age = false;
   bool include_subdomains_candidate = false;
   uint32 max_age_candidate = 0;
@@ -311,6 +314,15 @@ bool ParseHPKPHeader(const std::string& value,
         return false;
     } else if (base::LowerCaseEqualsASCII(equals.first, "includesubdomains")) {
       include_subdomains_candidate = true;
+    } else if (base::LowerCaseEqualsASCII(equals.first, "report-uri")) {
+      // report-uris are always quoted.
+      if (!HttpUtil::IsQuote(equals.second[0]))

[Ryan Sleevi, 2015/06/26 19:41:52]

SECURITY BUG: equals.second.empty() may be true, in which case, [0] is an
invalid access.

(See line 300)

[estark, 2015/06/26 22:42:11]

Done.

+        return false;
+
+      // TODO(estark): Handle relative URLs here.
+      *report_uri = HttpUtil::Unquote(equals.second);
+      if (report_uri->empty())
+        return false;
     } else {
       // Silently ignore unknown directives for forward compatibility.
     }