Index: net/http/http_security_headers.cc |
diff --git a/net/http/http_security_headers.cc b/net/http/http_security_headers.cc |
index d95e5878d7c4ce10e2e393d875fb254257d5b6de..7d61e05987e31173961b1ae14a35c85e7e8450af 100644 |
--- a/net/http/http_security_headers.cc |
+++ b/net/http/http_security_headers.cc |
@@ -106,10 +106,11 @@ typedef std::pair<std::string, std::string> StringPair; |
StringPair Split(const std::string& source, char delimiter) { |
StringPair pair; |
- size_t point = source.find(delimiter); |
+ size_t point = HttpUtil::FindDelimiter(source, 0, delimiter); |
Ryan Sleevi
2015/06/27 12:13:59
Hrm, this was previously dead code, and nothing us
davidben
2015/06/29 22:38:43
That sounds reasonable to me, assuming you mean th
|
pair.first = source.substr(0, point); |
- if (std::string::npos != point) |
+ |
+ if (source.size() != point) |
pair.second = source.substr(point + 1); |
return pair; |
@@ -273,14 +274,17 @@ bool ParseHSTSHeader(const std::string& value, |
} |
} |
-// "Public-Key-Pins" ":" |
+// "Public-Key-Pins[-Report-Only]" ":" |
// "max-age" "=" delta-seconds ";" |
// "pin-" algo "=" base64 [ ";" ... ] |
+// [ ";" "includeSubdomains" ] |
+// [ ";" "report-uri" "=" uri-reference ] |
bool ParseHPKPHeader(const std::string& value, |
const HashValueVector& chain_hashes, |
base::TimeDelta* max_age, |
bool* include_subdomains, |
- HashValueVector* hashes) { |
+ HashValueVector* hashes, |
+ std::string* report_uri) { |
bool parsed_max_age = false; |
bool include_subdomains_candidate = false; |
uint32 max_age_candidate = 0; |
@@ -311,6 +315,15 @@ bool ParseHPKPHeader(const std::string& value, |
return false; |
} else if (base::LowerCaseEqualsASCII(equals.first, "includesubdomains")) { |
include_subdomains_candidate = true; |
+ } else if (base::LowerCaseEqualsASCII(equals.first, "report-uri")) { |
+ // report-uris are always quoted. |
davidben
2015/06/29 22:38:43
Not quoting would be insane, but I don't actually
|
+ if (equals.second.empty() || !HttpUtil::IsQuote(equals.second[0]) || |
+ equals.second[0] != *equals.second.rbegin()) |
+ return false; |
+ |
+ *report_uri = HttpUtil::Unquote(equals.second); |
+ if (report_uri->empty()) |
+ return false; |
} else { |
// Silently ignore unknown directives for forward compatibility. |
} |