net/http/transport_security_state_static.json

Index: net/http/transport_security_state_static.json
diff --git a/net/http/transport_security_state_static.json b/net/http/transport_security_state_static.json
index 1686e856141f25c19c43facde22f7c03303d79ef..4d3281382c2d19bcc8a9da1324f91cec4daaf3db 100644
--- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -23,21 +23,29 @@
 //
 // "entries" is a list of objects. Each object has the following members:
 //   name: (string) the DNS name of the host in question
-//   include_subdomains: (optional bool) For backwards compatibility, this
+//   include_subdomains: (optional boolean) For backwards compatibility, this
 //       means:
 //       - If mode == "force-https", then apply force-https to subdomains
 //       - If "pins" is set, then apply the pinset to subdomains
-//   include_subdomains_for_pinning: (optional bool) whether subdomains
+//   include_subdomains_for_pinning: (optional boolean) whether subdomains
 //       of |name| are also covered for pinning. As noted above,
 //       |include_subdomains| also has the same effect on pinning.
 //   mode: (optional string) "force-https" iff covered names should require
 //       HTTPS
 //   pins: (optional string) the |name| member of an object in |pinsets|
+//
 //   expect_ct: (optional boolean) true if the site expects Certificate
 //       Transparency information to be present on requests to |name|
 //   expect_ct_report_uri: (optional string) if expect_ct is true, the
 //       URI to which reports should be sent when valid Certificate
 //       Transparency information is not present
+//
+//   expect_staple: (optional boolean) true if the site expects responses to
+//       contain stapled OCSP repsponses
+//   expect_staple_report_uri: (optional string) if expect_staple is true, the
+//       URI to which expect_staple reports should be sent
+//   include_subdomains_for_expect_staple: (optional boolean) whether subdomains
+//       of |name| are also covered for |expect_stable|
 
 {
   "pinsets": [
@@ -290,6 +298,7 @@
     { "name": "googlecode.com", "include_subdomains": true, "pins": "google" },
     { "name": "googlemail.com", "mode": "force-https", "pins": "google" },
     { "name": "googleplex.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
+    { "name": "googlesource.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "groups.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "gvt2.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "gvt3.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
@@ -894,9 +903,9 @@
     { "name": "z.ai", "include_subdomains": true, "mode": "force-https" },
     { "name": "wildbee.org", "include_subdomains": true, "mode": "force-https" },
     { "name": "portal.tirol.gv.at", "include_subdomains": true, "mode": "force-https" },
-    { "name": "dropbox.com", "mode": "force-https", "include_subdomains": true, "pins": "dropbox" },
-    { "name": "dropboxstatic.com", "include_subdomains_for_pinning": true, "pins": "dropbox" },
-    { "name": "dropboxusercontent.com", "include_subdomains_for_pinning": true, "pins": "dropbox" },
+    { "name": "dropbox.com", "mode": "force-https", "include_subdomains": true, "pins": "dropbox", "expect_staple": true, "expect_staple_report_uri": "https://www.dropbox.com/log/ocsp_expect_staple", "include_subdomains_for_expect_staple": true },

[devd, 2016/08/18 22:39:56]

can we only do expect_staple for www.dropbox.com ? (and its subdomains if that's
easier)

[davidcadrian, 2016/08/21 18:58:03]

Same problem here: report_uri would cause infinite loop of reports.

+    { "name": "dropboxstatic.com", "include_subdomains_for_pinning": true, "pins": "dropbox"},
+    { "name": "dropboxusercontent.com", "include_subdomains_for_pinning": true, "pins": "dropbox"},
     { "name": "code-poets.co.uk", "include_subdomains": true, "mode": "force-https" },
     { "name": "jackyyf.com", "mode": "force-https" },
     { "name": "flynn.io", "include_subdomains": true, "mode": "force-https" },
@@ -13096,7 +13105,6 @@
     { "name": "goalbookapp.com", "include_subdomains": true, "mode": "force-https" },
     { "name": "goldenhost.ca", "include_subdomains": true, "mode": "force-https" },
     { "name": "golfburn.com", "include_subdomains": true, "mode": "force-https" },
-    { "name": "googlesource.com", "include_subdomains": true, "mode": "force-https" },
     { "name": "goudenharynck.be", "include_subdomains": true, "mode": "force-https" },
     { "name": "grandpadusercontent.com", "include_subdomains": true, "mode": "force-https" },
     { "name": "grasshoppervape.com", "include_subdomains": true, "mode": "force-https" },
@@ -13657,6 +13665,8 @@
     { "name": "sogravatas.com.br", "include_subdomains": true, "mode": "force-https" },
     { "name": "xn--neb-tma3u8u.xyz", "include_subdomains": true, "mode": "force-https" },
     { "name": "swehack.org", "include_subdomains": true, "mode": "force-https", "pins": "swehackCom" },
+    { "name": "crt.sh", "expect_ct": true, "expect_ct_report_uri": "https://clients3.google.com/ct_upload" },
+    { "name": "caddyserver.com", "expect_ct": true, "expect_ct_report_uri": "https://caddyserver.com/reporting/expect-staple" },

[estark, 2016/08/18 22:45:54]

This one should be Expect-Staple, not Expect-CT.

I really should not have picked such similar names for these things. :(

[davidcadrian, 2016/08/19 21:22:45]

I'm a little worried that both of these report URI's are at the same domain
being reported on, possibly causing an infinite report loop.

     // END OF MANUAL ADDITIONS
 
     // To avoid trailing comma changes from showing up in diffs, we place a