Implement net/ support for Android's NetworkSecurityPolicy

net/url_request/url_request_http_job.cc

Index: net/url_request/url_request_http_job.cc
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 5f2fd91d6cc266ec923c49e6dad4e3191c255d51..c4230fa8c8c24f9e58234c725d84369f9cebf7d6 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -67,6 +67,10 @@
 #include "net/websockets/websocket_handshake_stream_base.h"
 #include "url/origin.h"
 
+#if defined(OS_ANDROID)
+#include "net/android/network_library.h"
+#endif
+
 static const char kAvailDictionaryHeader[] = "Avail-Dictionary";
 
 namespace {
@@ -168,25 +172,41 @@ void LogChannelIDAndCookieStores(const GURL& url,
                             EPHEMERALITY_MAX);
 }
 
-net::URLRequestRedirectJob* MaybeInternallyRedirect(
+// Checks for reasons not to return a URLRequestHttpJob, and if one is found,
+// returns a URLRequestRedirectJob or URLRequestErrorJob as necessary.
+net::URLRequestJob* MaybeInternallyRedirectOrFail(

[mmenke, 2016/12/13 18:39:14]

I think this does enough weird stuff that we should just inline it in
URLRequestHttpJob::Factory (Switch url.SchemeIsCryptographic() to
!url.SchemeIsCryptographic(), and do all the extra stuff in the if below)

[mgersh, 2016/12/13 19:01:58]

Done.

     net::URLRequest* request,
     net::NetworkDelegate* network_delegate) {
   const GURL& url = request->url();
+
+  // Neither check applies to https and wss requests

[mmenke, 2016/12/13 18:39:14]

nit: End these comments with periods.

[mgersh, 2016/12/13 19:01:58]

Done.

   if (url.SchemeIsCryptographic())
     return nullptr;
 
+  // Check for HSTS upgrade
   net::TransportSecurityState* hsts =
       request->context()->transport_security_state();
-  if (!hsts || !hsts->ShouldUpgradeToSSL(url.host()))
-    return nullptr;
+  if (hsts && hsts->ShouldUpgradeToSSL(url.host())) {
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
+                                                             : url::kWssScheme);
+    return new net::URLRequestRedirectJob(
+        request, network_delegate, url.ReplaceComponents(replacements),
+        // Use status code 307 to preserve the method, so POST requests work.
+        net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
+  }
+
+#if defined(OS_ANDROID)
+  // Check whether the app allows cleartext traffic to this host, and return
+  // ERR_BLOCKED_BY_CLIENT if not
+  if (request->context()->check_cleartext_permitted() &&
+      !net::android::IsCleartextPermitted(url.host())) {
+    return new net::URLRequestErrorJob(request, network_delegate,
+                                       net::ERR_BLOCKED_BY_CLIENT);
+  }
+#endif
 
-  GURL::Replacements replacements;
-  replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
-                                                           : url::kWssScheme);
-  return new net::URLRequestRedirectJob(
-      request, network_delegate, url.ReplaceComponents(replacements),
-      // Use status code 307 to preserve the method, so POST requests work.
-      net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
+  return nullptr;
 }
 
 }  // namespace
@@ -207,10 +227,10 @@ URLRequestJob* URLRequestHttpJob::Factory(URLRequest* request,
         request, network_delegate, ERR_INVALID_ARGUMENT);
   }
 
-  URLRequestRedirectJob* redirect =
-      MaybeInternallyRedirect(request, network_delegate);
-  if (redirect)
-    return redirect;
+  URLRequestJob* redirect_or_error =
+      MaybeInternallyRedirectOrFail(request, network_delegate);
+  if (redirect_or_error)
+    return redirect_or_error;
 
   return new URLRequestHttpJob(request,
                                network_delegate,