Set trusted SPDY proxy dynamically on per-profile basis

net/spdy/spdy_session.cc

Index: net/spdy/spdy_session.cc
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc
index cf8c226c9389a522e94d1122748817c776e5aa7f..80dfb8f21f2830e181fc37ca86ce45b2084bc7cf 100644
--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
@@ -30,6 +30,7 @@
 #include "crypto/ec_signature_creator.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/net_util.h"
+#include "net/base/proxy_delegate.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/http/http_log_util.h"
@@ -38,6 +39,7 @@
 #include "net/http/http_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
+#include "net/proxy/proxy_server.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/spdy/spdy_buffer_producer.h"
 #include "net/spdy/spdy_frame_builder.h"
@@ -658,7 +660,7 @@ SpdySession::SpdySession(
     size_t stream_max_recv_window_size,
     size_t initial_max_concurrent_streams,
     TimeFunc time_func,
-    const HostPortPair& trusted_spdy_proxy,
+    const ProxyDelegate* proxy_delegate,
     NetLog* net_log)
     : in_io_loop_(false),
       spdy_session_key_(spdy_session_key),
@@ -713,7 +715,7 @@ SpdySession::SpdySession(
       connection_at_risk_of_loss_time_(
           base::TimeDelta::FromSeconds(kDefaultConnectionAtRiskOfLossSeconds)),
       hung_interval_(base::TimeDelta::FromSeconds(kHungIntervalSeconds)),
-      trusted_spdy_proxy_(trusted_spdy_proxy),
+      proxy_delegate_(proxy_delegate),
       time_func_(time_func),
       send_priority_dependency_(priority_dependency_enabled_default),
       weak_factory_(this) {
@@ -2702,8 +2704,10 @@ bool SpdySession::TryCreatePushStream(SpdyStreamId stream_id,
 
   // Check that the pushed stream advertises the same origin as its associated
   // stream. Bypass this check if and only if this session is with a SPDY proxy
-  // that is trusted explicitly via the --trusted-spdy-proxy switch.
-  if (trusted_spdy_proxy_.Equals(host_port_pair())) {
+  // that is trusted explicitly as determined by the proxy_delegate_.
+  if (proxy_delegate_ &&
+      proxy_delegate_->IsTrustedSpdyProxy(
+          ProxyServer(ProxyServer::SCHEME_HTTPS, host_port_pair()))) {

[mmenke, 2016/02/02 16:51:26]

I'm assuming this isn't done for non-proxy SpdySessions, but I don't see why
not.

[tbansal1, 2016/02/02 18:18:44]

Right, it isn't done for non-proxy sessions because they are not the
authoritative source of the resource -- if the client had fetched the resource
by itself, it would have fetched from a different server.

For proxies (especially data reduction proxy), the proxy is from where the
client would have fetched the resource anyways.

[mmenke, 2016/02/02 18:45:02]

I'm sorry, I meant I don't see in the code why this code isn't run.  There's no
check in this method that this is a proxy / the non-authoritative source of the
resource.

[tbansal1, 2016/02/02 19:34:32]

Yeah, SPDY Session is shared for proxied and non-proxied resources. e.g., I can
use proxy.googlezip.net (Flywheel proxy) to download proxy resources, and the
same SPDY session will be used to download proxy.googlezip.net/index.html.

Conceptually, it seems that it should be the responsibility of ProxyDelegate to
handle this. At some level, this CL does that. e.g., it checks if DRP is
enabled, and if the specified proxy is an HTTPS DRP proxy or not.

[mmenke, 2016/02/02 19:50:45]

Wait...Does that mean this check prevents a trusted HTTPS SPDY proxy from
pushing its own resources?

[tbansal1, 2016/02/02 20:02:00]

Right, trusted HTTPS SPDY proxy cannot push its own resources. I will send
another CL to fix  that.

     // Disallow pushing of HTTPS content.
     if (gurl.SchemeIs("https")) {
       EnqueueResetStreamFrame(