OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/url_request/url_request_http_job.h" | 5 #include "net/url_request/url_request_http_job.h" |
6 | 6 |
7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
8 #include "base/bind.h" | 8 #include "base/bind.h" |
9 #include "base/bind_helpers.h" | 9 #include "base/bind_helpers.h" |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
(...skipping 777 matching lines...)
788 TransportSecurityState* security_state = | 788 TransportSecurityState* security_state = |
789 request_->context()->transport_security_state(); | 789 request_->context()->transport_security_state(); |
790 const SSLInfo& ssl_info = response_info_->ssl_info; | 790 const SSLInfo& ssl_info = response_info_->ssl_info; |
791 | 791 |
792 // Only accept HSTS headers on HTTPS connections that have no | 792 // Only accept HSTS headers on HTTPS connections that have no |
793 // certificate errors. | 793 // certificate errors. |
794 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 794 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
795 !security_state) | 795 !security_state) |
796 return; | 796 return; |
797 | 797 |
798 CookieOptions options; | |
799 options.set_include_httponly(); | |
800 options.set_server_time(response_date_); | |
801 // Don't persist HSTS if cookies are not saved to avoid tracking. | |
802 if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) || | |
803 !CanSetCookie("", &options)) | |
804 return; | |
805 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec: | 798 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec: |
806 // | 799 // |
807 // If a UA receives more than one STS header field in a HTTP response | 800 // If a UA receives more than one STS header field in a HTTP response |
808 // message over secure transport, then the UA MUST process only the | 801 // message over secure transport, then the UA MUST process only the |
809 // first such header field. | 802 // first such header field. |
810 HttpResponseHeaders* headers = GetResponseHeaders(); | 803 HttpResponseHeaders* headers = GetResponseHeaders(); |
811 std::string value; | 804 std::string value; |
812 if (headers->EnumerateHeader(NULL, "Strict-Transport-Security", &value)) | 805 if (headers->EnumerateHeader(NULL, "Strict-Transport-Security", &value)) |
813 security_state->AddHSTSHeader(request_info_.url.host(), value); | 806 security_state->AddHSTSHeader(request_info_.url.host(), value); |
814 } | 807 } |
815 | 808 |
816 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { | 809 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { |
817 DCHECK(response_info_); | 810 DCHECK(response_info_); |
818 TransportSecurityState* security_state = | 811 TransportSecurityState* security_state = |
819 request_->context()->transport_security_state(); | 812 request_->context()->transport_security_state(); |
820 const SSLInfo& ssl_info = response_info_->ssl_info; | 813 const SSLInfo& ssl_info = response_info_->ssl_info; |
821 | 814 |
822 // Only accept HPKP headers on HTTPS connections that have no | 815 // Only accept HPKP headers on HTTPS connections that have no |
823 // certificate errors. | 816 // certificate errors. |
824 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 817 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
825 !security_state) | 818 !security_state) |
826 return; | 819 return; |
827 | 820 |
828 CookieOptions options; | |
829 options.set_include_httponly(); | |
830 options.set_server_time(response_date_); | |
831 // Don't persist HPKP if cookies are not saved to avoid tracking. | |
832 if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) || | |
833 !CanSetCookie("", &options)) | |
834 return; | |
835 | |
836 // http://tools.ietf.org/html/draft-ietf-websec-key-pinning: | 821 // http://tools.ietf.org/html/draft-ietf-websec-key-pinning: |
837 // | 822 // |
838 // If a UA receives more than one PKP header field in an HTTP | 823 // If a UA receives more than one PKP header field in an HTTP |
839 // response message over secure transport, then the UA MUST process | 824 // response message over secure transport, then the UA MUST process |
840 // only the first such header field. | 825 // only the first such header field. |
841 HttpResponseHeaders* headers = GetResponseHeaders(); | 826 HttpResponseHeaders* headers = GetResponseHeaders(); |
842 std::string value; | 827 std::string value; |
843 if (headers->EnumerateHeader(NULL, "Public-Key-Pins", &value)) | 828 if (headers->EnumerateHeader(NULL, "Public-Key-Pins", &value)) |
844 security_state->AddHPKPHeader(request_info_.url.host(), value, ssl_info); | 829 security_state->AddHPKPHeader(request_info_.url.host(), value, ssl_info); |
845 } | 830 } |
(...skipping 56 matching lines...)
902 return; | 887 return; |
903 } | 888 } |
904 } | 889 } |
905 | 890 |
906 SaveCookiesAndNotifyHeadersComplete(net::OK); | 891 SaveCookiesAndNotifyHeadersComplete(net::OK); |
907 } else if (IsCertificateError(result)) { | 892 } else if (IsCertificateError(result)) { |
908 // We encountered an SSL certificate error. Ask our delegate to decide | 893 // We encountered an SSL certificate error. Ask our delegate to decide |
909 // what we should do. | 894 // what we should do. |
910 | 895 |
911 TransportSecurityState::DomainState domain_state; | 896 TransportSecurityState::DomainState domain_state; |
912 bool allow_dynamic_state = | |
913 !(request_info_.load_flags & LOAD_DO_NOT_SEND_COOKIES) && | |
914 CanGetCookies(CookieList()); | |
915 const URLRequestContext* context = request_->context(); | 897 const URLRequestContext* context = request_->context(); |
916 const bool fatal = | 898 const bool fatal = context->transport_security_state() && |
917 context->transport_security_state() && | |
918 context->transport_security_state()->GetDomainState( | 899 context->transport_security_state()->GetDomainState( |
919 request_info_.url.host(), | 900 request_info_.url.host(), |
920 SSLConfigService::IsSNIAvailable(context->ssl_config_service()), | 901 SSLConfigService::IsSNIAvailable(context->ssl_config_service()), |
921 allow_dynamic_state, | |
922 &domain_state) && | 902 &domain_state) && |
923 domain_state.ShouldSSLErrorsBeFatal(); | 903 domain_state.ShouldSSLErrorsBeFatal(); |
924 NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); | 904 NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); |
925 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { | 905 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { |
926 NotifyCertificateRequested( | 906 NotifyCertificateRequested( |
927 transaction_->GetResponseInfo()->cert_request_info.get()); | 907 transaction_->GetResponseInfo()->cert_request_info.get()); |
928 } else { | 908 } else { |
929 NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result)); | 909 NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result)); |
930 } | 910 } |
931 } | 911 } |
(...skipping 592 matching lines...)
1524 | 1504 |
1525 void URLRequestHttpJob::NotifyURLRequestDestroyed() { | 1505 void URLRequestHttpJob::NotifyURLRequestDestroyed() { |
1526 awaiting_callback_ = false; | 1506 awaiting_callback_ = false; |
1527 } | 1507 } |
1528 | 1508 |
1529 void URLRequestHttpJob::OnDetachRequest() { | 1509 void URLRequestHttpJob::OnDetachRequest() { |
1530 http_transaction_delegate_->OnDetachRequest(); | 1510 http_transaction_delegate_->OnDetachRequest(); |
1531 } | 1511 } |
1532 | 1512 |
1533 } // namespace net | 1513 } // namespace net |
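Review bot: With the cookie checks removed ahead of new lines 798 and 821, both header handlers now persist HSTS and HPKP state for every error-free HTTPS response, including requests carrying LOAD_DO_NOT_SAVE_COOKIES, and the new code has no comment recording why the tracking concern named in the deleted comments is being accepted. A short why-comment above each `EnumerateHeader` call would keep the gate from being reintroduced later, for example `// Stored regardless of cookie policy: a cookie setting must not switch off transport security for the host.` Since the deleted comments treat this state as a tracking vector, it is worth confirming (not visible on this page) that it is cleared on the same path that clears cookies. In the certificate-error branch, `context->transport_security_state()` is still evaluated twice at new lines 898-899, and holding it in a local would read more clearly. The start of the HSTS handler lies in the skipped lines before 788.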