Add Expect-CT header parsing

net/http/http_security_headers.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <limits>
 
 #include "base/base64.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
@@ skipping 347 matching lines @@
 bool ParseHPKPReportOnlyHeader(const std::string& value,
                                bool* include_subdomains,
                                HashValueVector* hashes,
                                GURL* report_uri) {
   // max-age is irrelevant for Report-Only headers.
   base::TimeDelta unused_max_age;
   return ParseHPKPHeaderImpl(value, DO_NOT_REQUIRE_MAX_AGE, &unused_max_age,
                              include_subdomains, hashes, report_uri);
 }
 
+// "Expect-CT" ":"
+//     "max-age" "=" delta-seconds
+//     [ "," "enforce" ]
+//     [ "," "report-uri" "=" uri-reference ]
+bool ParseExpectCTHeader(const std::string& value,
+                         base::TimeDelta* max_age,
+                         bool* enforce,
+                         GURL* report_uri) {
+  bool parsed_max_age = false;
+  bool enforce_candidate = false;
+  bool has_report_uri = false;
+  uint32_t max_age_candidate = 0;
+  GURL parsed_report_uri;
+
+  HttpUtil::NameValuePairsIterator name_value_pairs(
+      value.begin(), value.end(), ',',
+      HttpUtil::NameValuePairsIterator::Values::NOT_REQUIRED,
+      // Use STRICT_QUOTES because "UAs must not attempt to fix malformed header
+      // fields."
+      HttpUtil::NameValuePairsIterator::Quotes::STRICT_QUOTES);
+
+  while (name_value_pairs.GetNext()) {
+    base::StringPiece name(name_value_pairs.name_begin(),
+                           name_value_pairs.name_end());
+    if (base::LowerCaseEqualsASCII(name, "max-age")) {
+      // "A given directive MUST NOT appear more than once in a given header
+      // field."
+      if (parsed_max_age)
+        return false;
+      if (!MaxAgeToLimitedInt(name_value_pairs.value_begin(),
+                              name_value_pairs.value_end(), kMaxExpectCTAgeSecs,
+                              &max_age_candidate)) {
+        return false;
+      }
+      parsed_max_age = true;
+    } else if (base::LowerCaseEqualsASCII(name, "enforce")) {
+      // "A given directive MUST NOT appear more than once in a given header
+      // field."
+      if (enforce_candidate)
+        return false;
+      if (!name_value_pairs.value().empty()) {

[mattm, 2017/04/21 05:15:53]

nit: don't need the braces on this one

[estark, 2017/04/21 16:37:31]

Done.

+        return false;
+      }
+      enforce_candidate = true;
+    } else if (base::LowerCaseEqualsASCII(name, "report-uri")) {
+      // "A given directive MUST NOT appear more than once in a given header
+      // field."
+      if (has_report_uri)
+        return false;
+      // report-uris are always quoted.
+      if (!name_value_pairs.value_is_quoted())
+        return false;
+
+      has_report_uri = true;
+      parsed_report_uri = GURL(base::StringPiece(name_value_pairs.value_begin(),
+                                                 name_value_pairs.value_end()));
+      if (parsed_report_uri.is_empty() || !parsed_report_uri.is_valid())
+        return false;
+    } else {
+      // Silently ignore unknown directives for forward compatibility.
+    }
+  }
+
+  if (!name_value_pairs.valid())
+    return false;
+
+  if (!parsed_max_age)
+    return false;
+
+  *max_age = base::TimeDelta::FromSeconds(max_age_candidate);
+  *enforce = enforce_candidate;
+  *report_uri = parsed_report_uri;
+  return true;
+}
+
 }  // namespace net