Addition of Certificate Transparency details to Security panel of DevTools

third_party/WebKit/public/platform/WebURLResponse.h

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 44 matching lines @@
         HTTPVersion_1_1,
         HTTPVersion_2_0 };
     enum SecurityStyle {
         SecurityStyleUnknown,
         SecurityStyleUnauthenticated,
         SecurityStyleAuthenticationBroken,
         SecurityStyleWarning,
         SecurityStyleAuthenticated
     };
 
+    struct SignedCertificateTimestamp {
+        SignedCertificateTimestamp() {}
+        SignedCertificateTimestamp(
+            WebString status,
+            WebString origin,
+            WebString logDescription,
+            WebString logId,
+            int64_t timestamp,
+            WebString hashAlgorithm,
+            WebString signatureAlgorithm,
+            WebString signatureData)
+            : status(status)
+            , origin(origin)
+            , logDescription(logDescription)
+            , logId(logId)
+            , timestamp(timestamp)
+            , hashAlgorithm(hashAlgorithm)
+            , signatureAlgorithm(signatureAlgorithm)
+            , signatureData(signatureData)
+        {
+        }
+        WebString status;
+        WebString origin;
+        WebString logDescription;
+        WebString logId;
+        int64_t timestamp;
+        WebString hashAlgorithm;
+        WebString signatureAlgorithm;
+        WebString signatureData;
+    };
+
+    using SignedCertificateTimestampList = WebVector<SignedCertificateTimestamp>;
+
     struct WebSecurityDetails {
-        WebSecurityDetails(const WebString& protocol, const WebString& keyExchange, const WebString& cipher, const WebString& mac, int certId, size_t numUnknownScts, size_t numInvalidScts, size_t numValidScts)
+        WebSecurityDetails(const WebString& protocol,
+            const WebString& keyExchange,
+            const WebString& cipher,
+            const WebString& mac,
+            int certId,
+            size_t numUnknownScts,
+            size_t numInvalidScts,
+            size_t numValidScts,
+            const SignedCertificateTimestampList& sctList)
             : protocol(protocol)
             , keyExchange(keyExchange)
             , cipher(cipher)
             , mac(mac)
             , certId(certId)
             , numUnknownScts(numUnknownScts)
             , numInvalidScts(numInvalidScts)
             , numValidScts(numValidScts)
+            , sctList(sctList)
         {
         }
         // All strings are human-readable values.
         WebString protocol;
         WebString keyExchange;
         WebString cipher;
         // mac is the empty string when the connection cipher suite does not
         // have a separate MAC value (i.e. if the cipher suite is AEAD).
         WebString mac;
         int certId;
         size_t numUnknownScts;
         size_t numInvalidScts;
         size_t numValidScts;
+        SignedCertificateTimestampList sctList;

[Mike West, 2016/06/23 06:48:01]

This seems like a lot of data to add for something that only a very few people
will ever see. Will an SCT list be appended to every response, or only the
document? The bug discusses "Main Origin", but it's not clear if that's the
extent of the feature, or whether other origins in that section would have
similar data.

Do we keep a copy of this data in the browser process as well? If so, could we
request it when needed (or only append it if devtools is open), as opposed to
pushing it down proactively?

[dwaxweiler, 2016/06/23 11:53:02]

A list of SCTs could be appended to every response authenticated with a
certificate with SCTs, so not only the "Main Origin" but every origin is
affected. However, the method ResourceResponse::setSecurityDetails() appending
the data is only called when the DevTools are open. I do not think that a copy
of this data is kept in the browser process. Correct me if I am wrong!

[Mike West, 2016/06/23 16:32:30]

Ok, I think you're right: `WebURLLoaderImpl::PopulateURLResponse()` takes a
`report_security_info` boolean, which boils down to the
`ResourceRequest::reportRawHeaders()` value set in `InspectorNetworkAgent`.
Thanks for the pointer. I'm much less concerned about the memory overhead if
we're only incurring it when devtools tells us to.

     };
 
     class ExtraData {
     public:
         virtual ~ExtraData() { }
     };
 
     ~WebURLResponse() { reset(); }
 
     WebURLResponse() : m_private(0) { }
@@ skipping 166 matching lines @@
 protected:
     BLINK_PLATFORM_EXPORT void assign(WebURLResponsePrivate*);
 
 private:
     WebURLResponsePrivate* m_private;
 };
 
 } // namespace blink
 
 #endif