Index: chrome/browser/io_thread.cc |
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc |
index 11a0084276f89521e4aac2d0632c93fdf5ad31ba..ee77a4691a23036f7b95913db0eb64f2d448ba7f 100644 |
--- a/chrome/browser/io_thread.cc |
+++ b/chrome/browser/io_thread.cc |
@@ -75,6 +75,7 @@ |
#include "net/cert/ct_log_verifier.h" |
#include "net/cert/ct_policy_enforcer.h" |
#include "net/cert/ct_verifier.h" |
+#include "net/cert/ignore_errors_cert_verifier.h" |
#include "net/cert/multi_log_ct_verifier.h" |
#include "net/cert/multi_threaded_cert_verifier.h" |
#include "net/cert/sth_distributor.h" |
@@ -581,7 +582,20 @@ void IOThread::Init() { |
base::MakeUnique<net::MultiThreadedCertVerifier>( |
new chromeos::CertVerifyProcChromeOS())); |
#else |
- globals_->cert_verifier = net::CertVerifier::CreateDefault(); |
+ if (command_line.HasSwitch(switches::kIgnoreCertificateErrorsSPKIList)) { |
Ryan Sleevi
2017/04/07 16:08:05
I wasn't sure, but I thought you were thinking --u
martinkr
2017/04/07 21:40:57
Yup, forgot about this. Done (and updated the flag
|
+ auto spki_list = |
+ base::SplitString(command_line.GetSwitchValueASCII( |
+ switches::kIgnoreCertificateErrorsSPKIList), |
+ ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); |
+ globals_->cert_verifier = base::MakeUnique<net::IgnoreErrorsCertVerifier>( |
+ net::CertVerifier::CreateDefault(), |
+ net::IgnoreErrorsCertVerifier::MakeWhitelist(spki_list)); |
Ryan Sleevi
2017/04/07 16:08:05
This removes the command-line validation aspect, r
martinkr
2017/04/07 21:40:57
MakeWhitelist has the same "validation" as before,
|
+ } else { |
+ globals_->cert_verifier = net::CertVerifier::CreateDefault(); |
+ } |
+ UMA_HISTOGRAM_BOOLEAN( |
+ "Net.Certificate.kIgnoreCertificateErrorsSPKIList", |
+ command_line.HasSwitch(switches::kIgnoreCertificateErrorsSPKIList)); |
#endif |
globals_->transport_security_state.reset(new net::TransportSecurityState()); |