Implement net/ support for Android's NetworkSecurityPolicy

net/url_request/url_request_http_job.cc

Index: net/url_request/url_request_http_job.cc
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 5f2fd91d6cc266ec923c49e6dad4e3191c255d51..b6c5bbb28f00973c431ddee2b067bd6c2bf8f268 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -67,6 +67,10 @@
 #include "net/websockets/websocket_handshake_stream_base.h"
 #include "url/origin.h"
 
+#if defined(OS_ANDROID)
+#include "net/android/network_library.h"
+#endif
+
 static const char kAvailDictionaryHeader[] = "Avail-Dictionary";
 
 namespace {
@@ -168,7 +172,7 @@ void LogChannelIDAndCookieStores(const GURL& url,
                             EPHEMERALITY_MAX);
 }
 
-net::URLRequestRedirectJob* MaybeInternallyRedirect(
+net::URLRequestJob* MaybeInternallyRedirectOrFail(

[pauljensen, 2016/12/07 13:20:28]

needs a comment

[mgersh, 2016/12/13 17:02:58]

Done.

     net::URLRequest* request,
     net::NetworkDelegate* network_delegate) {
   const GURL& url = request->url();
@@ -177,16 +181,24 @@ net::URLRequestRedirectJob* MaybeInternallyRedirect(
 
   net::TransportSecurityState* hsts =
       request->context()->transport_security_state();
-  if (!hsts || !hsts->ShouldUpgradeToSSL(url.host()))
-    return nullptr;
+  if (hsts && hsts->ShouldUpgradeToSSL(url.host())) {
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
+                                                             : url::kWssScheme);
+    return new net::URLRequestRedirectJob(
+        request, network_delegate, url.ReplaceComponents(replacements),
+        // Use status code 307 to preserve the method, so POST requests work.
+        net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
+  }
+
+#if defined(OS_ANDROID)
+  if (request->context()->check_cleartext_permitted() &&
+      !net::android::IsCleartextPermitted(url.host()))

[pauljensen, 2016/12/07 13:20:28]

I don't see a check for https...this really needs some tests

[mgersh, 2016/12/13 17:02:58]

It's there, just not visible in the diff. I added a comment on it.

+    return new net::URLRequestErrorJob(request, network_delegate,
+                                       net::ERR_BLOCKED_BY_CLIENT);

[pauljensen, 2016/12/07 13:20:28]

multi-line if clauses should have curly braces

[mgersh, 2016/12/13 17:02:58]

Done.

+#endif
 
-  GURL::Replacements replacements;
-  replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
-                                                           : url::kWssScheme);
-  return new net::URLRequestRedirectJob(
-      request, network_delegate, url.ReplaceComponents(replacements),
-      // Use status code 307 to preserve the method, so POST requests work.
-      net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
+  return nullptr;
 }
 
 }  // namespace
@@ -207,10 +219,10 @@ URLRequestJob* URLRequestHttpJob::Factory(URLRequest* request,
         request, network_delegate, ERR_INVALID_ARGUMENT);
   }
 
-  URLRequestRedirectJob* redirect =
-      MaybeInternallyRedirect(request, network_delegate);
-  if (redirect)
-    return redirect;
+  URLRequestJob* redirect_or_error =
+      MaybeInternallyRedirectOrFail(request, network_delegate);
+  if (redirect_or_error)
+    return redirect_or_error;
 
   return new URLRequestHttpJob(request,
                                network_delegate,