WIP: Move 'Upgrade-Insecure-Requests' to the browser process.

content/browser/net/insecure_request_interceptor.cc

Index: content/browser/net/insecure_request_interceptor.cc
diff --git a/content/browser/net/insecure_request_interceptor.cc b/content/browser/net/insecure_request_interceptor.cc
new file mode 100644
index 0000000000000000000000000000000000000000..4f0580327669027ee625b42fad08fe0887575e9b
--- /dev/null
+++ b/content/browser/net/insecure_request_interceptor.cc
@@ -0,0 +1,76 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/net/insecure_request_interceptor.h"
+
+#include "net/base/network_delegate.h"
+#include "net/url_request/url_request.h"
+#include "net/url_request/url_request_redirect_job.h"
+#include "url/gurl.h"
+#include "url/url_constants.h"
+
+namespace content {
+
+namespace {
+
+const char* kUpgradeReason = "Upgrade";
+
+}  // namespace
+
+InsecureRequestInterceptor::InsecureRequestInterceptor() {}
+
+InsecureRequestInterceptor::~InsecureRequestInterceptor() {}
+
+net::URLRequestJob* InsecureRequestInterceptor::MaybeInterceptRequest(
+    net::URLRequest* request,
+    net::NetworkDelegate* delegate) const {
+  //  printf("\n\nMaybeInterceptRequest: %s\n", request->url().spec().c_str());
+  return MaybeUpgradeRequest(request, delegate, request->url());
+}
+
+net::URLRequestJob* InsecureRequestInterceptor::MaybeInterceptRedirect(
+    net::URLRequest* request,
+    net::NetworkDelegate* delegate,
+    const GURL& url) const {
+  //  printf("\n\nMaybeInterceptRedirect: %s => %s\n",
+  //  request->url().spec().c_str(), url.spec().c_str());
+  return MaybeUpgradeRequest(request, delegate, url);
+}
+
+net::URLRequestJob* InsecureRequestInterceptor::MaybeUpgradeRequest(
+    net::URLRequest* request,
+    net::NetworkDelegate* delegate,
+    const GURL& url) {
+  // TODO(mkwst): This is only a light modification of the logic in
+  // 'URLRequest::GetHSTSRedirect'. We could fairly simply move HSTS
+  // here as well to do all of our insecure request interception in
+  // one place. Until then, we're only looking at UIR, so quit early
+  // if it doesn't apply:
+  //  printf("- Policy: %d, Initiator: %s\n",
+  //  request->insecure_request_policy(),
+  //  request->initiator().Serialize().c_str());
+  if (request->insecure_request_policy() ==
+          net::URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS ||
+      (request->insecure_request_policy() ==
+           net::URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS &&
+       url.host() != request->initiator().host())) {
+    return nullptr;
+  }
+  bool scheme_is_http = url.SchemeIs(url::kHttpScheme);
+  if (scheme_is_http || url.SchemeIs(url::kWsScheme)) {

[mmenke, 2016/06/14 18:49:31]

I'm not all that familiar with websocket requests, but I don't believe they go
through the RDH, though they do go through the interceptors (I think?), so they
won't have UPGRADE_SAME_HOST_INSECURE_REQUESTS set.

In summary...Need tests.

+    GURL::Replacements replacements;
+    replacements.SetSchemeStr(scheme_is_http ? url::kHttpsScheme
+                                             : url::kWssScheme);
+    GURL redirect_to(url.ReplaceComponents(replacements));
+
+    return new net::URLRequestRedirectJob(
+        request, delegate, redirect_to,
+        net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT,
+        kUpgradeReason);
+  }
+
+  return nullptr;
+}
+
+}  // namespace content