Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(34)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/url_request/url_request_http_job.cc

Issue 19269012: Don't persist HPKP if PrivacyMode is enabled. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Changed ChromeResourceDispatcherHostDelegate::OnResponseStarted to use URLRequest::GetHSTSRedirect. Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/socket_stream/socket_stream_job.cc ('K') | « net/url_request/url_request.cc ('k') | net/url_request/url_request_test_util.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/url_request/url_request_http_job.h" 5 #include "net/url_request/url_request_http_job.h"
6 6
7 #include "base/base_switches.h" 7 #include "base/base_switches.h"
8 #include "base/bind.h" 8 #include "base/bind.h"
9 #include "base/bind_helpers.h" 9 #include "base/bind_helpers.h"
10 #include "base/command_line.h" 10 #include "base/command_line.h"
(...skipping 765 matching lines...) Expand 10 before | Expand all | Expand 10 after
776 TransportSecurityState* security_state = 776 TransportSecurityState* security_state =
777 request_->context()->transport_security_state(); 777 request_->context()->transport_security_state();
778 const SSLInfo& ssl_info = response_info_->ssl_info; 778 const SSLInfo& ssl_info = response_info_->ssl_info;
779 779
780 // Only accept HSTS headers on HTTPS connections that have no 780 // Only accept HSTS headers on HTTPS connections that have no
781 // certificate errors. 781 // certificate errors.
782 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || 782 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) ||
783 !security_state) 783 !security_state)
784 return; 784 return;
785 785
786 CookieOptions options;
787 options.set_include_httponly();
788 options.set_server_time(response_date_);
789 // Don't persist HSTS if cookies are not saved to avoid tracking.
790 if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) ||
791 !CanSetCookie("", &options))
792 return;
786 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec: 793 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec:
787 // 794 //
788 // If a UA receives more than one STS header field in a HTTP response 795 // If a UA receives more than one STS header field in a HTTP response
789 // message over secure transport, then the UA MUST process only the 796 // message over secure transport, then the UA MUST process only the
790 // first such header field. 797 // first such header field.
791 HttpResponseHeaders* headers = GetResponseHeaders(); 798 HttpResponseHeaders* headers = GetResponseHeaders();
792 std::string value; 799 std::string value;
793 if (headers->EnumerateHeader(NULL, "Strict-Transport-Security", &value)) 800 if (headers->EnumerateHeader(NULL, "Strict-Transport-Security", &value))
794 security_state->AddHSTSHeader(request_info_.url.host(), value); 801 security_state->AddHSTSHeader(request_info_.url.host(), value);
795 } 802 }
796 803
797 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { 804 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() {
798 DCHECK(response_info_); 805 DCHECK(response_info_);
799 TransportSecurityState* security_state = 806 TransportSecurityState* security_state =
800 request_->context()->transport_security_state(); 807 request_->context()->transport_security_state();
801 const SSLInfo& ssl_info = response_info_->ssl_info; 808 const SSLInfo& ssl_info = response_info_->ssl_info;
802 809
803 // Only accept HPKP headers on HTTPS connections that have no 810 // Only accept HPKP headers on HTTPS connections that have no
804 // certificate errors. 811 // certificate errors.
805 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || 812 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) ||
806 !security_state) 813 !security_state)
807 return; 814 return;
808 815
816 CookieOptions options;
817 options.set_include_httponly();
818 options.set_server_time(response_date_);
819 // Don't persist HPKP if cookies are not saved to avoid tracking.
820 if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) ||
821 !CanSetCookie("", &options))
822 return;
823
809 // http://tools.ietf.org/html/draft-ietf-websec-key-pinning: 824 // http://tools.ietf.org/html/draft-ietf-websec-key-pinning:
810 // 825 //
811 // If a UA receives more than one PKP header field in an HTTP 826 // If a UA receives more than one PKP header field in an HTTP
812 // response message over secure transport, then the UA MUST process 827 // response message over secure transport, then the UA MUST process
813 // only the first such header field. 828 // only the first such header field.
814 HttpResponseHeaders* headers = GetResponseHeaders(); 829 HttpResponseHeaders* headers = GetResponseHeaders();
815 std::string value; 830 std::string value;
816 if (headers->EnumerateHeader(NULL, "Public-Key-Pins", &value)) 831 if (headers->EnumerateHeader(NULL, "Public-Key-Pins", &value))
817 security_state->AddHPKPHeader(request_info_.url.host(), value, ssl_info); 832 security_state->AddHPKPHeader(request_info_.url.host(), value, ssl_info);
818 } 833 }
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after
875 return; 890 return;
876 } 891 }
877 } 892 }
878 893
879 SaveCookiesAndNotifyHeadersComplete(net::OK); 894 SaveCookiesAndNotifyHeadersComplete(net::OK);
880 } else if (IsCertificateError(result)) { 895 } else if (IsCertificateError(result)) {
881 // We encountered an SSL certificate error. Ask our delegate to decide 896 // We encountered an SSL certificate error. Ask our delegate to decide
882 // what we should do. 897 // what we should do.
883 898
884 TransportSecurityState::DomainState domain_state; 899 TransportSecurityState::DomainState domain_state;
900 bool allow_dynamic_state =
901 !(request_info_.load_flags & LOAD_DO_NOT_SEND_COOKIES) &&
902 CanGetCookies(CookieList());
885 const URLRequestContext* context = request_->context(); 903 const URLRequestContext* context = request_->context();
886 const bool fatal = context->transport_security_state() && 904 const bool fatal =
905 context->transport_security_state() &&
887 context->transport_security_state()->GetDomainState( 906 context->transport_security_state()->GetDomainState(
888 request_info_.url.host(), 907 request_info_.url.host(),
889 SSLConfigService::IsSNIAvailable(context->ssl_config_service()), 908 SSLConfigService::IsSNIAvailable(context->ssl_config_service()),
909 allow_dynamic_state,
890 &domain_state) && 910 &domain_state) &&
891 domain_state.ShouldSSLErrorsBeFatal(); 911 domain_state.ShouldSSLErrorsBeFatal();
892 NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); 912 NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal);
893 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 913 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
894 NotifyCertificateRequested( 914 NotifyCertificateRequested(
895 transaction_->GetResponseInfo()->cert_request_info.get()); 915 transaction_->GetResponseInfo()->cert_request_info.get());
896 } else { 916 } else {
897 NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result)); 917 NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result));
898 } 918 }
899 } 919 }
(...skipping 592 matching lines...) Expand 10 before | Expand all | Expand 10 after
1492 1512
1493 void URLRequestHttpJob::NotifyURLRequestDestroyed() { 1513 void URLRequestHttpJob::NotifyURLRequestDestroyed() {
1494 awaiting_callback_ = false; 1514 awaiting_callback_ = false;
1495 } 1515 }
1496 1516
1497 void URLRequestHttpJob::OnDetachRequest() { 1517 void URLRequestHttpJob::OnDetachRequest() {
1498 http_transaction_delegate_->OnDetachRequest(); 1518 http_transaction_delegate_->OnDetachRequest();
1499 } 1519 }
1500 1520
1501 } // namespace net 1521 } // namespace net
OLDNEW
« net/socket_stream/socket_stream_job.cc ('K') | « net/url_request/url_request.cc ('k') | net/url_request/url_request_test_util.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698