Add a build flag to configure bundling of HSTS preload list

Add a build flag to configure bundling of HSTS preload list

This CL adds a build flag (INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) 
for //net embedders to configure whether to include the preload list 
(~258KiB) in their binary.

BUG=603597
Review-Url: https://codereview.chromium.org/2906633003
Cr-Commit-Position: refs/heads/master@{#487486}
Committed: https://chromium.googlesource.com/chromium/src/+/815ad5ba47f22bdfa7ac523048285e873a74aaac

[xunjieli, 2017-05-25 14:30:02]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-05-25 14:30:14]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-05-25 14:34:11]

Description was changed from

==========
temp

BUG=
==========

to

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~100KB)
from their binary.

BUG=603597
==========

[xunjieli, 2017-05-25 14:39:33]

Description was changed from

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~100KB)
from their binary.

BUG=603597
==========

to

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~258KiB)
from their binary.

BUG=603597
==========

[xunjieli, 2017-05-25 14:40:08]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[xunjieli, 2017-05-25 14:40:17]

Patchset #1 (id:1) has been deleted

[commit-bot: I haz the power, 2017-05-25 14:40:24]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-06-13 22:12:15]

Patchset #3 (id:60001) has been deleted

[xunjieli, 2017-06-13 23:52:27]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-13 23:52:56]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-06-13 23:53:29]

Patchset #4 (id:100001) has been deleted

[xunjieli, 2017-06-13 23:53:37]

Patchset #3 (id:80001) has been deleted

[xunjieli, 2017-06-14 00:00:51]

Patchset #2 (id:40001) has been deleted

[xunjieli, 2017-06-14 00:01:02]

Patchset #1 (id:20001) has been deleted

[xunjieli, 2017-06-14 00:02:23]

Description was changed from

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~258KiB)
from their binary.

BUG=603597
==========

to

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~258KiB)
from their binary.

This is based on martijn's patch at
https://codereview.chromium.org/2901393005/patch/20001/30003 

BUG=603597
==========

[xunjieli, 2017-06-14 00:02:36]

Description was changed from

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~258KiB)
from their binary.

This is based on martijn's patch at
https://codereview.chromium.org/2901393005/patch/20001/30003 

BUG=603597
==========

to

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~258KiB)
from their binary.

This is based on martijn's patch at 
https://codereview.chromium.org/2901393005/patch/20001/30003 

BUG=603597
==========

[commit-bot: I haz the power, 2017-06-14 01:39:07]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-14 01:39:09]

Dry run: This issue passed the CQ dry run.

[xunjieli, 2017-06-14 12:40:01]

xunjieli@chromium.org changed reviewers:
+ davidben@chromium.org, lgarron@chromium.org

[xunjieli, 2017-06-14 12:40:02]

Hi davidben@ and lgarron@: This is based on martijn's CL. I copied out the hsts
entries that tests depend on to a different json file. I disabled tests which
depend on preload pinsets if the new build flag is on. Not sure if there's a
better way. PTAL. Thank you.

[xunjieli, 2017-06-14 19:33:44]

cc-ing rsleevi@ and mef@: Please let me know if you have any concerns. Thank
you.

[lgarron, 2017-06-14 19:35:45]

On 2017/06/14 at 19:33:44, xunjieli wrote:
> cc-ing rsleevi@ and mef@: Please let me know if you have any concerns. Thank
you.

Negative flags can become confusing. Could we make this
INCLUDE_HSTS_PRELOAD_LIST and default to true?

[lgarron, 2017-06-14 19:37:48]

On 2017/06/14 at 19:35:45, lgarron wrote:
> On 2017/06/14 at 19:33:44, xunjieli wrote:
> > cc-ing rsleevi@ and mef@: Please let me know if you have any concerns. Thank
you.
> 
> Negative flags can become confusing. Could we make this
INCLUDE_HSTS_PRELOAD_LIST and default to true?

Also, we should probably make it clear that this is not just about HSTS.

How about one of the following (in order of specificity)?
- INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST
- INCLUDE_DOMAIN_SECURITY_PRELOAD_LIST
- INCLUDE_NET_PRELOAD_LIST

[xunjieli, 2017-06-14 20:31:51]

On 2017/06/14 19:37:48, lgarron wrote:
> On 2017/06/14 at 19:35:45, lgarron wrote:
> > On 2017/06/14 at 19:33:44, xunjieli wrote:
> > > cc-ing rsleevi@ and mef@: Please let me know if you have any concerns.
Thank
> you.
> > 
> > Negative flags can become confusing. Could we make this
> INCLUDE_HSTS_PRELOAD_LIST and default to true?
> 
> Also, we should probably make it clear that this is not just about HSTS.
> 
> How about one of the following (in order of specificity)?
> - INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST
> - INCLUDE_DOMAIN_SECURITY_PRELOAD_LIST
> - INCLUDE_NET_PRELOAD_LIST

Done. Thank you. PTAL.

[lgarron, 2017-06-14 21:11:11]

LGTM in principle, but don't own any of this code and I defer to //net owners
(and Martijn) about whether this is the best way to do this.

[Ryan Sleevi, 2017-06-15 02:50:10]

rsleevi@chromium.org changed reviewers:
+ rsleevi@chromium.org

[Ryan Sleevi, 2017-06-15 02:50:11]

I didn't see a clear decision on the bug that this was the right thing to do. I
stand by my reservations with adding build flags and gutting code - I'm not sure
what our principles here, or how we evaluate the cost of added permutations
against the binary savings cost.

[xunjieli, 2017-06-19 20:58:02]

On 2017/06/15 02:50:11, Ryan Sleevi (slow through 6-27 wrote:
> I didn't see a clear decision on the bug that this was the right thing to do.
I
> stand by my reservations with adding build flags and gutting code - I'm not
sure
> what our principles here, or how we evaluate the cost of added permutations
> against the binary savings cost.

Thanks, Ryan. I talked with Chris and Misha. The decision is to proceed with
this change. More discussion is at the linked bug. 
davidben@: PTAL. Thank you.

[lgarron, 2017-06-19 21:00:56]

On 2017/06/19 at 20:58:02, xunjieli wrote:
> On 2017/06/15 02:50:11, Ryan Sleevi (slow through 6-27 wrote:
> > I didn't see a clear decision on the bug that this was the right thing to
do. I
> > stand by my reservations with adding build flags and gutting code - I'm not
sure
> > what our principles here, or how we evaluate the cost of added permutations
> > against the binary savings cost.
> 
> Thanks, Ryan. I talked with Chris and Misha. The decision is to proceed with
this change. More discussion is at the linked bug. 
> davidben@: PTAL. Thank you.

Which Chris and Misha, and what was the conclusion?

I'd actually like to not LGTM this until I have a response to comment #41:
https://bugs.chromium.org/p/chromium/issues/detail?id=603597#c41

[xunjieli, 2017-06-19 21:04:05]

xunjieli@chromium.org changed reviewers:
+ cbentzel@chromium.org, mef@chromium.org

[xunjieli, 2017-06-19 21:05:06]

On 2017/06/19 21:00:56, lgarron wrote:
> On 2017/06/19 at 20:58:02, xunjieli wrote:
> > On 2017/06/15 02:50:11, Ryan Sleevi (slow through 6-27 wrote:
> > > I didn't see a clear decision on the bug that this was the right thing to
> do. I
> > > stand by my reservations with adding build flags and gutting code - I'm
not
> sure
> > > what our principles here, or how we evaluate the cost of added
permutations
> > > against the binary savings cost.
> > 
> > Thanks, Ryan. I talked with Chris and Misha. The decision is to proceed with
> this change. More discussion is at the linked bug. 
> > davidben@: PTAL. Thank you.
> 
> Which Chris and Misha, and what was the conclusion?
> 
> I'd actually like to not LGTM this until I have a response to comment #41:
> https://bugs.chromium.org/p/chromium/issues/detail?id=603597#c41

Is comment#41 a separate issue than the decision whether to exclude the list in
Cronet? +cbentzel@ and mef@.
I will comment on the bug too.

[xunjieli, 2017-06-29 17:38:06]

lgarron@ and rsleevi@: PTAL.
//net doesn't know about cronet. There isn't a is_cronet_build flag. 
The only solution that I find is adding a //net feature flag configurable for
all //net embedders. I know we talked about limiting this to Cronet to reduce
cognitive load. 
I am happy to take any suggestion. PTAL. Thank you.

[Ryan Sleevi, 2017-06-29 20:47:41]

https://codereview.chromium.org/2906633003/diff/140001/net/features.gni
File net/features.gni (right):

https://codereview.chromium.org/2906633003/diff/140001/net/features.gni#newco...
net/features.gni:31: # Whether transport security preload list should be
included.
Can we provide any better documentation here about the risks/tradeoffs and/or
general advice not to change this?

https://codereview.chromium.org/2906633003/diff/140001/net/http/http_security...
File net/http/http_security_headers_unittest.cc (right):

https://codereview.chromium.org/2906633003/diff/140001/net/http/http_security...
net/http/http_security_headers_unittest.cc:658: #endif
To better allow the compiler to optimize this out, shouldn't this be an #if /
#else - so that it doesn't have to compile this code?

Alternatively, using the DISABLED_ conditional macro for the test based on the
build flag (which forces compilation, but uses our more idiomatic approach to
disabling tests)

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
File net/tools/transport_security_state_generator/pinsets.h (right):

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
net/tools/transport_security_state_generator/pinsets.h:38: void
FilterPinsets(const std::set<std::string>& except_these);
This API seems pretty heavy weight - both from performance, and from a 'hard to
use'.

From looking at the overall CL, it seems like it's just meant to ensure the
generator can generate a file, but is that something we can fix with the .gn, so
that we don't have to introduce this API at all?

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
File
net/tools/transport_security_state_generator/transport_security_state_generator.cc
(right):

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
net/tools/transport_security_state_generator/transport_security_state_generator.cc:30:
// the first entry to allow the generator to generate a valid file.
This seems a bit suboptimal - that is, wouldn't it be better not to generate the
file / call the generator? Could you explain more why this approach?

[xunjieli, 2017-06-30 18:13:53]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-30 18:14:17]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-06-30 18:20:04]

Description was changed from

==========
Add a build flag to exclude HSTS preload list

This CL adds a build flag (EXCLUDE_HSTS_PRELOAD_LIST) for //net
embedders who would like to exclude the preload list (~258KiB)
from their binary.

This is based on martijn's patch at 
https://codereview.chromium.org/2901393005/patch/20001/30003 

BUG=603597
==========

to

==========
Add a build flag to configure bundling of HSTS preload list

This CL adds a build flag (INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) 
for //net embedders to configure whether to include the preload list 
(~258KiB) in their binary.


BUG=603597
==========

[xunjieli, 2017-06-30 18:50:22]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-30 18:50:48]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-06-30 18:57:22]

Patchset #4 (id:180001) has been deleted

[xunjieli, 2017-06-30 18:57:42]

Patchset #5 (id:220001) has been deleted

[xunjieli, 2017-06-30 18:57:48]

Patchset #4 (id:200001) has been deleted

[xunjieli, 2017-06-30 18:58:16]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-30 18:58:33]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-06-30 19:02:43]

Description was changed from

==========
Add a build flag to configure bundling of HSTS preload list

This CL adds a build flag (INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) 
for //net embedders to configure whether to include the preload list 
(~258KiB) in their binary.


BUG=603597
==========

to

==========
Add a build flag to configure bundling of HSTS preload list

This CL adds a build flag (INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) 
for //net embedders to configure whether to include the preload list 
(~258KiB) in their binary.

BUG=603597
==========

[xunjieli, 2017-06-30 19:12:18]

Thank you. PTAL.

https://codereview.chromium.org/2906633003/diff/140001/net/features.gni
File net/features.gni (right):

https://codereview.chromium.org/2906633003/diff/140001/net/features.gni#newco...
net/features.gni:31: # Whether transport security preload list should be
included.
On 2017/06/29 20:47:40, Ryan Sleevi (slow through 6-27 wrote:
> Can we provide any better documentation here about the risks/tradeoffs and/or
> general advice not to change this?

Done.

https://codereview.chromium.org/2906633003/diff/140001/net/http/http_security...
File net/http/http_security_headers_unittest.cc (right):

https://codereview.chromium.org/2906633003/diff/140001/net/http/http_security...
net/http/http_security_headers_unittest.cc:658: #endif
On 2017/06/29 20:47:40, Ryan Sleevi (slow through 6-27 wrote:
> To better allow the compiler to optimize this out, shouldn't this be an #if /
> #else - so that it doesn't have to compile this code?
> 
> Alternatively, using the DISABLED_ conditional macro for the test based on the
> build flag (which forces compilation, but uses our more idiomatic approach to
> disabling tests)

Done.

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
File net/tools/transport_security_state_generator/pinsets.h (right):

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
net/tools/transport_security_state_generator/pinsets.h:38: void
FilterPinsets(const std::set<std::string>& except_these);
On 2017/06/29 20:47:40, Ryan Sleevi (slow through 6-27 wrote:
> This API seems pretty heavy weight - both from performance, and from a 'hard
to
> use'.
> 
> From looking at the overall CL, it seems like it's just meant to ensure the
> generator can generate a file, but is that something we can fix with the .gn,
so
> that we don't have to introduce this API at all?

Done.

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
File
net/tools/transport_security_state_generator/transport_security_state_generator.cc
(right):

https://codereview.chromium.org/2906633003/diff/140001/net/tools/transport_se...
net/tools/transport_security_state_generator/transport_security_state_generator.cc:30:
// the first entry to allow the generator to generate a valid file.
On 2017/06/29 20:47:41, Ryan Sleevi (slow through 6-27 wrote:
> This seems a bit suboptimal - that is, wouldn't it be better not to generate
the
> file / call the generator? Could you explain more why this approach?

Done. The Huffman tree decoding code expects at least one entry. I have reverted
this and modified transport_security_state.cc.

https://codereview.chromium.org/2906633003/diff/240001/net/http/transport_sec...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/2906633003/diff/240001/net/http/transport_sec...
net/http/transport_security_state.cc:643: // false, in which can
BitReader.seek(0) will return false.
Ryan, I had to update the code to not DCHECK(false) here.

[Ryan Sleevi, 2017-07-07 16:45:14]

I'm not sure this is the right approach, but I may have missed something, so I
added questions and context below.

I think our desired state should be that
- Unused code is not compiled if the build flag is (not) set
- Unnecessary build steps are not run if the build flag is (not) set
- We have a clean(ish) API contract and separation. For example, for tests that
expect a baked-in preload list, one approach is the MAYBE_ (or variations
thereof), but another is actually to make a static method on the
TransportSecurityState, such as HasStaticState() (if we see this being
all/nothing, and not per-feature), and having the tests check that, without all
the #ifdefs

Since we're adding this for Cronet, we're effectively making it Supported API,
so I suppose we should try to make that as explicit and integrated as possible.

https://codereview.chromium.org/2906633003/diff/260001/net/features.gni
File net/features.gni (right):

https://codereview.chromium.org/2906633003/diff/260001/net/features.gni#newco...
net/features.gni:41: include_transport_security_state_preload_list = true
In looking at the flags, I see a mix between positive and negative flags.

Given we want this to be the 'default' state, do you think it makes sense to
rewrite this to be a negative (e.g. "exclude"), which may signal more clearly
the assumptions being made?

It's not a very strong argument, and if there's existing documentation that says
to prefer positive over negative (e.g. to avoid the double-negative of "exclude
= false"), do so - but just a thought.

https://codereview.chromium.org/2906633003/diff/260001/net/http/http_security...
File net/http/http_security_headers_unittest.cc (right):

https://codereview.chromium.org/2906633003/diff/260001/net/http/http_security...
net/http/http_security_headers_unittest.cc:659: #endif
Ah, apologies for not providing a clearer example.

We generally try to use a MAYBE_ preprocessor macro to handle these tests, to
avoid wrapping the TEST_F() within an #ifdef

That is

#if !BUILDFLAG(...)
#define MAYBE_UpdateDynamicPKPOnly DISABLED_...
#else
#define MAYBE_UpdateDynamicPKPOnly UpdateDynamicPKPOnly
#endif

TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPOnly)

(Example:
https://cs.chromium.org/chromium/src/net/nqe/network_quality_estimator_unitte...
or
https://cs.chromium.org/chromium/src/net/socket/udp_socket_unittest.cc?rcl=a2...
- in general, search for MAYBE_)


A lesser used pattern, which it applies to things like OS-wide behaviours or
build-flag behaviours, is an extra macro, such as

#if !BUILDFLAG(FOO)
#define DISABLED_IF_NOT_FOO(test) DISABLED_##test
#else
#define DISABLED_IF_NOT_FOO(test) test
#endif

(Example:
https://cs.chromium.org/chromium/src/net/websockets/websocket_end_to_end_test...
)

Finally, there's one last pattern - one which involves some process startup
overhead, but also works, which is to use a static function to hide the various
build flags, and then a helper method in tests which involve that.

(Example:
https://cs.chromium.org/chromium/src/net/url_request/url_request_unittest.cc?...
and
https://cs.chromium.org/chromium/src/net/url_request/url_request_unittest.cc?...
)

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
net/http/transport_security_state.cc:643: // false, in which case
BitReader.seek(0) will return false.
Could you explain the rationale for doing this change, versus using the build
flag?

That is, one option is

#if !BUILDFLAG(...)
  return false;
#else
  bool found;
  if (...) {
  }
  return found;
#endif

- that forces the linker to optimize out DecodeHSTSPreloadRaw (and all the
supporting code), which it should be capable of doing.

Alternatively, you could do

#if !BUILDFLAG(...)
bool DecodeHSTSPreloadRaw(const std::string& search_hostname, bool* out_found,
PreloadResult* out) {
  *out_found = false;
  return true;
}
#else
....

#endif

Which would explicitly compile that code out.

From my reading, this would fully allow you to compile out both the
HuffmanDecoder and the BitReader, which this current approach - removing the
DCHECK - doesn't do.

By removing the DCHECK, you're removing a guard for when
INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST is true - thus weakening the
preconditions. That seems undesirable, but I was curious if there was a reason
for that which I missed.

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
File net/http/transport_security_state_static.template (right):

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
net/http/transport_security_state_static.template:61: static const
net::TransportSecurityStateSource kHSTSSource = {
I'm not sure it makes sense to force the BUILDFLAG into the template - it seems
cleaner to remove this dependency entirely if the build flag is not set.

Could you explain more the reasoning?

[xunjieli, 2017-07-10 21:43:45]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-07-10 21:43:56]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-07-10 21:52:11]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-07-10 21:52:27]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xunjieli, 2017-07-10 22:20:40]

Thanks Ryan for the very helpful review. PTAL.

> - We have a clean(ish) API contract and separation. For example, for tests
that
> expect a baked-in preload list, one approach is the MAYBE_ (or variations
> thereof), but another is actually to make a static method on the
> TransportSecurityState, such as HasStaticState() (if we see this being
> all/nothing, and not per-feature), and having the tests check that, without
all
> the #ifdefs

I ended up using MAYBE_ instead of adding a HasStaticState() method. Some tests
in transport_security_state_unittest.cc can supply a test-only static state
(e.g. *_unittest{1,2,3}.json). The HasStaticState() method doesn't indicate
clearly which static state that it checks. I could have a more specific method,
e.g HasRealStaticState(), but I am not sure if it's clearer than checking the
BUILDFLAG directly.

https://codereview.chromium.org/2906633003/diff/260001/net/features.gni
File net/features.gni (right):

https://codereview.chromium.org/2906633003/diff/260001/net/features.gni#newco...
net/features.gni:41: include_transport_security_state_preload_list = true
On 2017/07/07 16:45:13, Ryan Sleevi wrote:
> In looking at the flags, I see a mix between positive and negative flags.
> 
> Given we want this to be the 'default' state, do you think it makes sense to
> rewrite this to be a negative (e.g. "exclude"), which may signal more clearly
> the assumptions being made?
> 
> It's not a very strong argument, and if there's existing documentation that
says
> to prefer positive over negative (e.g. to avoid the double-negative of
"exclude
> = false"), do so - but just a thought.

I slightly prefer the exclude_* version because (as you said) it signals that
that including the list is the default state. I used that in the original patch
but changed to include_* as lgarron@ doesn't like double negatives
(https://codereview.chromium.org/2906633003/#msg22).

lgarron@: Do you feel strongly about keeping this as a positive flag?

https://codereview.chromium.org/2906633003/diff/260001/net/http/http_security...
File net/http/http_security_headers_unittest.cc (right):

https://codereview.chromium.org/2906633003/diff/260001/net/http/http_security...
net/http/http_security_headers_unittest.cc:659: #endif
On 2017/07/07 16:45:13, Ryan Sleevi wrote:
> Ah, apologies for not providing a clearer example.
> 
> We generally try to use a MAYBE_ preprocessor macro to handle these tests, to
> avoid wrapping the TEST_F() within an #ifdef
> 
> That is
> 
> #if !BUILDFLAG(...)
> #define MAYBE_UpdateDynamicPKPOnly DISABLED_...
> #else
> #define MAYBE_UpdateDynamicPKPOnly UpdateDynamicPKPOnly
> #endif
> 
> TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPOnly)
> 
> (Example:
>
https://cs.chromium.org/chromium/src/net/nqe/network_quality_estimator_unitte...
> or
>
https://cs.chromium.org/chromium/src/net/socket/udp_socket_unittest.cc?rcl=a2...
> - in general, search for MAYBE_)
> 
> 
> A lesser used pattern, which it applies to things like OS-wide behaviours or
> build-flag behaviours, is an extra macro, such as
> 
> #if !BUILDFLAG(FOO)
> #define DISABLED_IF_NOT_FOO(test) DISABLED_##test
> #else
> #define DISABLED_IF_NOT_FOO(test) test
> #endif
> 
> (Example:
>
https://cs.chromium.org/chromium/src/net/websockets/websocket_end_to_end_test...
> )
> 
> Finally, there's one last pattern - one which involves some process startup
> overhead, but also works, which is to use a static function to hide the
various
> build flags, and then a helper method in tests which involve that.
> 
> (Example:
>
https://cs.chromium.org/chromium/src/net/url_request/url_request_unittest.cc?...
> and
>
https://cs.chromium.org/chromium/src/net/url_request/url_request_unittest.cc?...
> )
> 

Done. Changed to MAYBE_ prefix. Thank you for the detailed list of examples.
This is very helpful.

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
net/http/transport_security_state.cc:643: // false, in which case
BitReader.seek(0) will return false.
On 2017/07/07 16:45:13, Ryan Sleevi wrote:
> Could you explain the rationale for doing this change, versus using the build
> flag?
> 
> That is, one option is
> 
> #if !BUILDFLAG(...)
>   return false;
> #else
>   bool found;
>   if (...) {
>   }
>   return found;
> #endif
> 
> - that forces the linker to optimize out DecodeHSTSPreloadRaw (and all the
> supporting code), which it should be capable of doing.
> 
> Alternatively, you could do
> 
> #if !BUILDFLAG(...)
> bool DecodeHSTSPreloadRaw(const std::string& search_hostname, bool* out_found,
> PreloadResult* out) {
>   *out_found = false;
>   return true;
> }
> #else
> ....
> 
> #endif
> 
> Which would explicitly compile that code out.
> 
> From my reading, this would fully allow you to compile out both the
> HuffmanDecoder and the BitReader, which this current approach - removing the
> DCHECK - doesn't do.
> 
> By removing the DCHECK, you're removing a guard for when
> INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST is true - thus weakening the
> preconditions. That seems undesirable, but I was curious if there was a reason
> for that which I missed.

Done. That's very neat. Thank you for the suggestion.

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
File net/http/transport_security_state_static.template (right):

https://codereview.chromium.org/2906633003/diff/260001/net/http/transport_sec...
net/http/transport_security_state_static.template:61: static const
net::TransportSecurityStateSource kHSTSSource = {
On 2017/07/07 16:45:13, Ryan Sleevi wrote:
> I'm not sure it makes sense to force the BUILDFLAG into the template - it
seems
> cleaner to remove this dependency entirely if the build flag is not set.
> 
> Could you explain more the reasoning?

Done. Not compiling this when the build flag is turned off is definitely much
cleaner. Thanks for the suggestion.

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state.cc:49: const TransportSecurityStateSource*
g_hsts_source = nullptr;
(This is needed now that |kHSTSSource| is not defined when the flag is turned
off.)

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state.cc:645: if (g_hsts_source == nullptr)
(transport_security_state_unittest.cc can choose to use a test-only static
source, so I returned false only when the test did not provide a |g_hsts_source|
and the flag is false.)

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
File net/http/transport_security_state_source.h (right):

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state_source.h:11: static const char kNoReportURI[]
= "";
(I moved this constant from the template file here because this constant is used
in transport_security_state.cc, and the template file is no longer compiled when
the build flag is false)

[Ryan Sleevi, 2017-07-11 15:29:40]

LGTM % one nit :)

Thanks, it looks much cleaner :)

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state.cc:49: const TransportSecurityStateSource*
g_hsts_source = nullptr;
On 2017/07/10 22:20:40, xunjieli wrote:
> (This is needed now that |kHSTSSource| is not defined when the flag is turned
> off.)

So you could probably abstract this a little, and thus avoid the whole need to
expose the GetTSSForTesting

#if BUILDFLAG(...)
#include
const TransportSecurityState* const kDefaultHSTSSource = &kHSTSSource;
#else
const TransportSecurityState* const kDefaultHSTSSource = nullptr;
#endif

const TransportSecurityState* g_hsts_source = kDefaultHSTSSource;

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state.cc:746: g_hsts_source = source;
And then here

g_hsts_source = source ? source : kDefaultHSTSSource;

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
File net/http/transport_security_state_source.h (right):

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state_source.h:11: static const char kNoReportURI[]
= "";
On 2017/07/10 22:20:40, xunjieli wrote:
> (I moved this constant from the template file here because this constant is
used
> in transport_security_state.cc, and the template file is no longer compiled
when
> the build flag is false)

Because this is static, doesn't the actual value need to be moved to the .cc?

[xunjieli, 2017-07-11 16:45:21]

Thank you for the review.

lgarron@: PTAL.

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state.cc:49: const TransportSecurityStateSource*
g_hsts_source = nullptr;
On 2017/07/11 15:29:40, Ryan Sleevi wrote:
> On 2017/07/10 22:20:40, xunjieli wrote:
> > (This is needed now that |kHSTSSource| is not defined when the flag is
turned
> > off.)
> 
> So you could probably abstract this a little, and thus avoid the whole need to
> expose the GetTSSForTesting
> 
> #if BUILDFLAG(...)
> #include
> const TransportSecurityState* const kDefaultHSTSSource = &kHSTSSource;
> #else
> const TransportSecurityState* const kDefaultHSTSSource = nullptr;
> #endif
> 
> const TransportSecurityState* g_hsts_source = kDefaultHSTSSource;

Done. Good idea. Thanks!

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state.cc:746: g_hsts_source = source;
On 2017/07/11 15:29:40, Ryan Sleevi wrote:
> And then here
> 
> g_hsts_source = source ? source : kDefaultHSTSSource;

Done.

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
File net/http/transport_security_state_source.h (right):

https://codereview.chromium.org/2906633003/diff/320001/net/http/transport_sec...
net/http/transport_security_state_source.h:11: static const char kNoReportURI[]
= "";
On 2017/07/11 15:29:40, Ryan Sleevi wrote:
> On 2017/07/10 22:20:40, xunjieli wrote:
> > (I moved this constant from the template file here because this constant is
> used
> > in transport_security_state.cc, and the template file is no longer compiled
> when
> > the build flag is false)
> 
> Because this is static, doesn't the actual value need to be moved to the .cc?

Done.

[xunjieli, 2017-07-11 16:46:16]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-07-11 16:46:36]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-11 16:51:18]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-07-11 16:51:20]

Dry run: Try jobs failed on following builders:
  linux_android_rel_ng on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/linux_androi...)
  linux_chromium_headless_rel on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[lgarron, 2017-07-11 19:29:04]

https://codereview.chromium.org/2906633003/diff/360001/net/features.gni
File net/features.gni (right):

https://codereview.chromium.org/2906633003/diff/360001/net/features.gni#newco...
net/features.gni:34: # Whether transport security preload list should be
included. This flag should
Nit: "Whether the transport security preload list..."

I would prefer to be more direct rather than mentioning general "tradeoffs" and
a spec. Also, the preload list includes more than HSTS.

How about this?

----------------------------

Include the transport security preload list. This list includes mechanisms (e.g.
HSTS, HPKP) to enforce trusted connections to a significant set of hardcoded
domains. It should not be disabled unless building a subset of the codebase
where several hundred KB of binary size are a large burden, and the application
is willing to take responsibility to make sure that all important connections
use HTTPS.

https://codereview.chromium.org/2906633003/diff/360001/net/http/transport_sec...
File net/http/transport_security_state_static_unittest0.json (right):

https://codereview.chromium.org/2906633003/diff/360001/net/http/transport_sec...
net/http/transport_security_state_static_unittest0.json:1: // Copyright 2017 The
Chromium Authors. All rights reserved.
Could you add a comment about why such a large test is needed?

Also, is it possible to shorten it?

[xunjieli, 2017-07-11 20:27:35]

Thank you. PTAL.

https://codereview.chromium.org/2906633003/diff/360001/net/features.gni
File net/features.gni (right):

https://codereview.chromium.org/2906633003/diff/360001/net/features.gni#newco...
net/features.gni:34: # Whether transport security preload list should be
included. This flag should
On 2017/07/11 19:29:04, lgarron wrote:
> Nit: "Whether the transport security preload list..."
> 
> I would prefer to be more direct rather than mentioning general "tradeoffs"
and
> a spec. Also, the preload list includes more than HSTS.
> 
> How about this?
> 
> ----------------------------
> 
> Include the transport security preload list. This list includes mechanisms
(e.g.
> HSTS, HPKP) to enforce trusted connections to a significant set of hardcoded
> domains. It should not be disabled unless building a subset of the codebase
> where several hundred KB of binary size are a large burden, and the
application
> is willing to take responsibility to make sure that all important connections
> use HTTPS.

Done.

https://codereview.chromium.org/2906633003/diff/360001/net/http/transport_sec...
File net/http/transport_security_state_static_unittest0.json (right):

https://codereview.chromium.org/2906633003/diff/360001/net/http/transport_sec...
net/http/transport_security_state_static_unittest0.json:1: // Copyright 2017 The
Chromium Authors. All rights reserved.
On 2017/07/11 19:29:04, lgarron wrote:
> Could you add a comment about why such a large test is needed?

Done. These are mostly for tests in transport_security_state_unittests.cc which
depend on the default preload list being available. Some tests pick entries
rather arbitrarily (see TransportSecurityStateTest.Preloaded). I think relying
on the real preload list in unit tests is not a good idea. There are also
test-only domains (e.g. first 5 of the hsts entries) in the real preload list.
Ideally, we should move off these unit tests to not test arbitrary domains. 

> 
> Also, is it possible to shorten it?

These are needed by tests in transport_security_state_unittest.cc and 3 CT/HSTS
tests in url_request_unittest.cc. I have tried it to shorten it. I think this is
the shortest list.

[xunjieli, 2017-07-11 20:27:46]

The CQ bit was checked by xunjieli@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-07-11 20:28:25]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-11 22:29:56]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-07-11 22:29:57]

Dry run: Try jobs failed on following builders:
  cast_shell_linux on master.tryserver.chromium.linux (JOB_TIMED_OUT, build has
not started yet; builder either lacks capacity or does not exist (misspelled?))
  chromeos_amd64-generic_chromium_compile_only_ng on
master.tryserver.chromium.linux (JOB_TIMED_OUT, build has not started yet;
builder either lacks capacity or does not exist (misspelled?))
  chromeos_daisy_chromium_compile_only_ng on master.tryserver.chromium.linux
(JOB_TIMED_OUT, build has not started yet; builder either lacks capacity or does
not exist (misspelled?))
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_TIMED_OUT, build has not started yet; builder either lacks capacity or does
not exist (misspelled?))
  linux_chromium_compile_dbg_ng on master.tryserver.chromium.linux
(JOB_TIMED_OUT, build has not started yet; builder either lacks capacity or does
not exist (misspelled?))
  linux_chromium_headless_rel on master.tryserver.chromium.linux (JOB_TIMED_OUT,
build has not started yet; builder either lacks capacity or does not exist
(misspelled?))
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, build
has not started yet; builder either lacks capacity or does not exist
(misspelled?))
  linux_chromium_tsan_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT,
build has not started yet; builder either lacks capacity or does not exist
(misspelled?))

[xunjieli, 2017-07-14 02:25:08]

xunjieli@chromium.org changed reviewers:
- cbentzel@chromium.org, davidben@chromium.org, mef@chromium.org

[lgarron, 2017-07-18 06:24:05]

lgtm

[xunjieli, 2017-07-18 13:05:41]

(I have moved everyone else to cc. Let me know if you have any concern. Happy to
do follow-ups. Thank you.)

[xunjieli, 2017-07-18 13:05:48]

The CQ bit was checked by xunjieli@chromium.org

[xunjieli, 2017-07-18 13:05:48]

The patchset sent to the CQ was uploaded after l-g-t-m from rsleevi@chromium.org
Link to the patchset: https://codereview.chromium.org/2906633003/#ps380001
(title: "add one missing file and address lgarron comments")

[commit-bot: I haz the power, 2017-07-18 13:06:00]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-18 15:51:39]

CQ is committing da patch.

Bot data: {"patchset_id": 380001, "attempt_start_ts": 1500383148352610,
"parent_rev": "fcfcaa9965c21f1652f8616cc51ec1caa4603961", "commit_rev":
"815ad5ba47f22bdfa7ac523048285e873a74aaac"}

[commit-bot: I haz the power, 2017-07-18 15:51:54]

Description was changed from

==========
Add a build flag to configure bundling of HSTS preload list

This CL adds a build flag (INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) 
for //net embedders to configure whether to include the preload list 
(~258KiB) in their binary.

BUG=603597
==========

to

==========
Add a build flag to configure bundling of HSTS preload list

This CL adds a build flag (INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) 
for //net embedders to configure whether to include the preload list 
(~258KiB) in their binary.

BUG=603597

Review-Url: https://codereview.chromium.org/2906633003
Cr-Commit-Position: refs/heads/master@{#487486}
Committed:
https://chromium.googlesource.com/chromium/src/+/815ad5ba47f22bdfa7ac52304828...
==========

[commit-bot: I haz the power, 2017-07-18 15:51:56]

Committed patchset #11 (id:380001) as
https://chromium.googlesource.com/chromium/src/+/815ad5ba47f22bdfa7ac52304828...