| Index: net/base/sdch_manager.cc
|
| diff --git a/net/base/sdch_manager.cc b/net/base/sdch_manager.cc
|
| index 17883b11613e339f557e588729916cdaa65311fa..b5d64a23ee1bd5f23d6a86e92f9b578f9090bedd 100644
|
| --- a/net/base/sdch_manager.cc
|
| +++ b/net/base/sdch_manager.cc
|
| @@ -28,6 +28,9 @@ SdchManager* SdchManager::global_ = NULL;
|
| // static
|
| bool SdchManager::g_sdch_enabled_ = true;
|
|
|
| +// static
|
| +bool SdchManager::g_sdch_over_secure_enabled_ = false;
|
| +
|
| //------------------------------------------------------------------------------
|
| SdchManager::Dictionary::Dictionary(const std::string& dictionary_text,
|
| size_t offset,
|
| @@ -70,7 +73,9 @@ bool SdchManager::Dictionary::CanAdvertise(const GURL& target_url) {
|
| return false;
|
| if (path_.size() && !PathMatch(target_url.path(), path_))
|
| return false;
|
| - if (target_url.SchemeIsSecure())
|
| + if (!SdchManager::sdch_over_secure_enabled() && target_url.SchemeIsSecure())
|
| + return false;
|
| + if (target_url.SchemeIsSecure() && !url_.SchemeIsSecure())
|
| return false;
|
| if (base::Time::Now() > expiration_)
|
| return false;
|
| @@ -166,14 +171,19 @@ bool SdchManager::Dictionary::CanUse(const GURL& referring_url) {
|
| SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_PATH);
|
| return false;
|
| }
|
| - if (referring_url.SchemeIsSecure()) {
|
| + if (!SdchManager::sdch_over_secure_enabled() &&
|
| + referring_url.SchemeIsSecure()) {
|
| + SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_SCHEME);
|
| + return false;
|
| + }
|
| + if (referring_url.SchemeIsSecure() && !url_.SchemeIsSecure()) {
|
| SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_SCHEME);
|
| return false;
|
| }
|
|
|
| // TODO(jar): Remove overly restrictive failsafe test (added per security
|
| // review) when we have a need to be more general.
|
| - if (!referring_url.SchemeIs("http")) {
|
| + if (!referring_url.SchemeIsHTTPOrHTTPS()) {
|
| SdchErrorRecovery(ATTEMPT_TO_DECODE_NON_HTTP_DATA);
|
| return false;
|
| }
|
| @@ -252,6 +262,11 @@ void SdchManager::EnableSdchSupport(bool enabled) {
|
| }
|
|
|
| // static
|
| +void SdchManager::EnableSdchOverSecureSupport(bool enabled) {
|
| + g_sdch_over_secure_enabled_ = enabled;
|
| +}
|
| +
|
| +// static
|
| void SdchManager::BlacklistDomain(const GURL& url) {
|
| if (!global_ )
|
| return;
|
| @@ -344,7 +359,8 @@ bool SdchManager::CanFetchDictionary(const GURL& referring_url,
|
| DCHECK(CalledOnValidThread());
|
| /* The user agent may retrieve a dictionary from the dictionary URL if all of
|
| the following are true:
|
| - 1 The dictionary URL host name matches the referrer URL host name
|
| + 1 The dictionary URL host name matches the referrer URL host name and
|
| + scheme.
|
| 2 The dictionary URL host name domain matches the parent domain of the
|
| referrer URL host name
|
| 3 The parent domain of the referrer URL host name is not a top level
|
| @@ -353,18 +369,19 @@ bool SdchManager::CanFetchDictionary(const GURL& referring_url,
|
| */
|
| // Item (1) above implies item (2). Spec should be updated.
|
| // I take "host name match" to be "is identical to"
|
| - if (referring_url.host() != dictionary_url.host()) {
|
| + if (referring_url.host() != dictionary_url.host() ||
|
| + referring_url.scheme() != dictionary_url.scheme()) {
|
| SdchErrorRecovery(DICTIONARY_LOAD_ATTEMPT_FROM_DIFFERENT_HOST);
|
| return false;
|
| }
|
| - if (referring_url.SchemeIs("https")) {
|
| + if (!sdch_over_secure_enabled() && referring_url.SchemeIsSecure()) {
|
| SdchErrorRecovery(DICTIONARY_SELECTED_FOR_SSL);
|
| return false;
|
| }
|
|
|
| // TODO(jar): Remove this failsafe conservative hack which is more restrictive
|
| // than current SDCH spec when needed, and justified by security audit.
|
| - if (!referring_url.SchemeIs("http")) {
|
| + if (!referring_url.SchemeIsHTTPOrHTTPS()) {
|
| SdchErrorRecovery(DICTIONARY_SELECTED_FROM_NON_HTTP);
|
| return false;
|
| }
|
|
|
Chromium Code Reviews
Issue 123383002:
Enable SDCH support over HTTPS. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src