Implement net/ support for Android's NetworkSecurityPolicy

net/url_request/url_request_http_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include <vector>
 
 #include "base/base_switches.h"
 #include "base/bind.h"
@@ skipping 49 matching lines @@
 #include "net/url_request/http_user_agent_settings.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_error_job.h"
 #include "net/url_request/url_request_job_factory.h"
 #include "net/url_request/url_request_redirect_job.h"
 #include "net/url_request/url_request_throttler_manager.h"
 #include "net/websockets/websocket_handshake_stream_base.h"
 #include "url/origin.h"
 
+#if defined(OS_ANDROID)
+#include "net/android/network_library.h"
+#endif
+
 static const char kAvailDictionaryHeader[] = "Avail-Dictionary";
 
 namespace {
 
 const char kDeflate[] = "deflate";
 const char kGZip[] = "gzip";
 const char kSdch[] = "sdch";
 const char kXGZip[] = "x-gzip";
 const char kBrotli[] = "br";
 
@@ skipping 81 matching lines @@
              params->channel_id_service->GetUniqueID()) {
     ephemerality = PERSISTENT_MATCH;
   } else {
     NOTREACHED();
     ephemerality = PERSISTENT_MISMATCH;
   }
   UMA_HISTOGRAM_ENUMERATION("Net.TokenBinding.StoreEphemerality", ephemerality,
                             EPHEMERALITY_MAX);
 }
 
-net::URLRequestRedirectJob* MaybeInternallyRedirect(
+// Checks for reasons not to return a URLRequestHttpJob, and if one is found,
+// returns a URLRequestRedirectJob or URLRequestErrorJob as necessary.
+net::URLRequestJob* MaybeInternallyRedirectOrFail(

[mmenke, 2016/12/13 18:39:14]

I think this does enough weird stuff that we should just inline it in
URLRequestHttpJob::Factory (Switch url.SchemeIsCryptographic() to
!url.SchemeIsCryptographic(), and do all the extra stuff in the if below)

[mgersh, 2016/12/13 19:01:58]

Done.

     net::URLRequest* request,
     net::NetworkDelegate* network_delegate) {
   const GURL& url = request->url();
+
+  // Neither check applies to https and wss requests

[mmenke, 2016/12/13 18:39:14]

nit: End these comments with periods.

[mgersh, 2016/12/13 19:01:58]

Done.

   if (url.SchemeIsCryptographic())
     return nullptr;
 
+  // Check for HSTS upgrade
   net::TransportSecurityState* hsts =
       request->context()->transport_security_state();
-  if (!hsts || !hsts->ShouldUpgradeToSSL(url.host()))
-    return nullptr;
+  if (hsts && hsts->ShouldUpgradeToSSL(url.host())) {
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
+                                                             : url::kWssScheme);
+    return new net::URLRequestRedirectJob(
+        request, network_delegate, url.ReplaceComponents(replacements),
+        // Use status code 307 to preserve the method, so POST requests work.
+        net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
+  }
 
-  GURL::Replacements replacements;
-  replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
-                                                           : url::kWssScheme);
-  return new net::URLRequestRedirectJob(
-      request, network_delegate, url.ReplaceComponents(replacements),
-      // Use status code 307 to preserve the method, so POST requests work.
-      net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
+#if defined(OS_ANDROID)
+  // Check whether the app allows cleartext traffic to this host, and return
+  // ERR_BLOCKED_BY_CLIENT if not
+  if (request->context()->check_cleartext_permitted() &&
+      !net::android::IsCleartextPermitted(url.host())) {
+    return new net::URLRequestErrorJob(request, network_delegate,
+                                       net::ERR_BLOCKED_BY_CLIENT);
+  }
+#endif
+
+  return nullptr;
 }
 
 }  // namespace
 
 namespace net {
 
 // TODO(darin): make sure the port blocking code is not lost
 // static
 URLRequestJob* URLRequestHttpJob::Factory(URLRequest* request,
                                           NetworkDelegate* network_delegate,
                                           const std::string& scheme) {
   DCHECK(scheme == "http" || scheme == "https" || scheme == "ws" ||
          scheme == "wss");
 
   if (!request->context()->http_transaction_factory()) {
     NOTREACHED() << "requires a valid context";
     return new URLRequestErrorJob(
         request, network_delegate, ERR_INVALID_ARGUMENT);
   }
 
-  URLRequestRedirectJob* redirect =
-      MaybeInternallyRedirect(request, network_delegate);
-  if (redirect)
-    return redirect;
+  URLRequestJob* redirect_or_error =
+      MaybeInternallyRedirectOrFail(request, network_delegate);
+  if (redirect_or_error)
+    return redirect_or_error;
 
   return new URLRequestHttpJob(request,
                                network_delegate,
                                request->context()->http_user_agent_settings());
 }
 
 URLRequestHttpJob::URLRequestHttpJob(
     URLRequest* request,
     NetworkDelegate* network_delegate,
     const HttpUserAgentSettings* http_user_agent_settings)
@@ skipping 1317 matching lines @@
   awaiting_callback_ = false;
 
   // Notify NetworkQualityEstimator.
   NetworkQualityEstimator* network_quality_estimator =
       request()->context()->network_quality_estimator();
   if (network_quality_estimator)
     network_quality_estimator->NotifyURLRequestDestroyed(*request());
 }
 
 }  // namespace net