Index: net/http/http_security_headers.cc |
diff --git a/net/http/http_security_headers.cc b/net/http/http_security_headers.cc |
index e8e3a476829b2fdeb4b2accf622df88fdb769c6d..083f856a5e8fd2796646695ed24c7adb7271a8f4 100644 |
--- a/net/http/http_security_headers.cc |
+++ b/net/http/http_security_headers.cc |
@@ -273,14 +273,17 @@ bool ParseHSTSHeader(const std::string& value, |
} |
} |
-// "Public-Key-Pins" ":" |
+// "Public-Key-Pins[-Report-Only]" ":" |
// "max-age" "=" delta-seconds ";" |
// "pin-" algo "=" base64 [ ";" ... ] |
+// [ ";" "includeSubdomains" ] |
+// [ ";" "report-uri" "=" uri-reference ] |
bool ParseHPKPHeader(const std::string& value, |
const HashValueVector& chain_hashes, |
base::TimeDelta* max_age, |
bool* include_subdomains, |
- HashValueVector* hashes) { |
+ HashValueVector* hashes, |
+ std::string* report_uri) { |
bool parsed_max_age = false; |
bool include_subdomains_candidate = false; |
uint32 max_age_candidate = 0; |
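Review bot: The grammar comment lists `"report-uri" "=" uri-reference`, but the parsing added later in this patch rejects any value that does not start with a quote, so the comment should describe a quoted value, e.g. `// [ ";" "report-uri" "=" quoted-string ]`. The new `report_uri` out-parameter is also undocumented. A line such as `// |report_uri| receives the unquoted report-uri value; it is server-supplied and must be validated as a URL before any report is sent to it.` would tell callers that the visible parser only checks that the string is non-empty. ParseHPKPHeader's body continues outside this hunk.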
@@ -311,6 +314,14 @@ bool ParseHPKPHeader(const std::string& value, |
return false; |
} else if (base::LowerCaseEqualsASCII(equals.first, "includesubdomains")) { |
include_subdomains_candidate = true; |
+ } else if (base::LowerCaseEqualsASCII(equals.first, "report-uri")) { |
+ // report-uris are always quoted. |
+ if (!HttpUtil::IsQuote(equals.second[0])) |
+ return false; |
+ |
+ *report_uri = HttpUtil::Unquote(equals.second); |
+ if (report_uri->empty()) |
+ return false; |
} else { |
// Silently ignore unknown directives for forward compatibility. |
} |
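Review bot: `*report_uri` is assigned as soon as the directive is seen, whereas the neighbouring branch writes to a local (`include_subdomains_candidate`); if a later directive makes the function return false, the caller's string has already been overwritten with a value from a rejected header. Parse into a local and copy it out only on the success path, e.g. `report_uri_candidate = HttpUtil::Unquote(equals.second);`, assuming the other candidates are committed at the end of the function, which is outside this hunk. Separately, `equals.second[0]` is read without first checking that the value is non-empty; `if (equals.second.empty() || !HttpUtil::IsQuote(equals.second[0])) return false;` makes the rejection of a bare `report-uri` explicit. The enclosing loop and the rest of ParseHPKPHeader start and end outside the hunk.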