OLD | NEW |
---|---|
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_ | 5 #ifndef CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_ |
6 #define CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_ | 6 #define CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_ |
7 | 7 |
8 #include <map> | |
8 #include <memory> | 9 #include <memory> |
9 | 10 |
10 #include "base/macros.h" | 11 #include "base/macros.h" |
11 #include "net/http/transport_security_state.h" | 12 #include "net/http/transport_security_state.h" |
13 #include "net/url_request/url_request.h" | |
12 | 14 |
13 namespace net { | 15 namespace net { |
14 class ReportSender; | 16 class ReportSender; |
15 class URLRequestContext; | 17 class URLRequestContext; |
16 } // namespace net | 18 } // namespace net |
17 | 19 |
18 // This class monitors for violations of CT policy and sends reports | 20 // This class monitors for violations of CT policy and sends reports |
19 // about failures for sites that have opted in. Must be deleted before | 21 // about failures for sites that have opted in. Must be deleted before |
20 // the URLRequestContext that is passed to the constructor, so that it | 22 // the URLRequestContext that is passed to the constructor, so that it |
21 // can cancel its requests. | 23 // can cancel its requests. |
24 // | |
25 // Since reports are sent with a non-CORS-whitelisted Content-Type, this class | |
26 // sends CORS preflight requests before sending reports. Expect-CT is not | |
27 // evaluated with a particular frame or request as context, so the preflight | |
28 // request contains an `Origin: null` header instead of a particular origin. | |
22 class ChromeExpectCTReporter | 29 class ChromeExpectCTReporter |
23 : public net::TransportSecurityState::ExpectCTReporter { | 30 : public net::TransportSecurityState::ExpectCTReporter, |
31 net::URLRequest::Delegate { | |
24 public: | 32 public: |
25 explicit ChromeExpectCTReporter(net::URLRequestContext* request_context); | 33 explicit ChromeExpectCTReporter(net::URLRequestContext* request_context); |
26 ~ChromeExpectCTReporter() override; | 34 ~ChromeExpectCTReporter() override; |
27 | 35 |
28 // net::ExpectCTReporter: | 36 // net::ExpectCTReporter: |
29 void OnExpectCTFailed(const net::HostPortPair& host_port_pair, | 37 void OnExpectCTFailed(const net::HostPortPair& host_port_pair, |
30 const GURL& report_uri, | 38 const GURL& report_uri, |
31 base::Time expiration, | 39 base::Time expiration, |
32 const net::X509Certificate* validated_certificate_chain, | 40 const net::X509Certificate* validated_certificate_chain, |
33 const net::X509Certificate* served_certificate_chain, | 41 const net::X509Certificate* served_certificate_chain, |
34 const net::SignedCertificateTimestampAndStatusList& | 42 const net::SignedCertificateTimestampAndStatusList& |
35 signed_certificate_timestamps) override; | 43 signed_certificate_timestamps) override; |
36 | 44 |
45 // net::URLRequest::Delegate: | |
46 void OnResponseStarted(net::URLRequest* request, int net_error) override; | |
47 void OnReadCompleted(net::URLRequest* request, int bytes_read) override; | |
48 | |
37 private: | 49 private: |
50 // Used to keep track of in-flight CORS preflight requests. When |request| | |
51 // completes successfully and the CORS check passes, |serialized_report| will | |
52 // be sent to |report_uri| using |report_sender_|. | |
53 struct InFlightPreflight { | |
meacer
2017/07/05 23:48:59
nit: I think the name is a tad confusing but unfor
estark
2017/07/06 06:39:43
Renamed to PreflightInProgress
| |
54 InFlightPreflight(); | |
55 ~InFlightPreflight(); | |
56 // The preflight request. | |
57 std::unique_ptr<net::URLRequest> request; | |
58 // |serialized_report| should be sent to |report_uri| if the preflight | |
59 // succeeds. | |
60 std::string serialized_report; | |
61 GURL report_uri; | |
62 }; | |
63 | |
38 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, FeatureDisabled); | 64 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, FeatureDisabled); |
39 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, EmptyReportURI); | 65 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, EmptyReportURI); |
40 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, SendReport); | 66 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, SendReport); |
67 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, | |
68 BadCORSPreflightResponseOrigin); | |
69 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, | |
70 BadCORSPreflightResponseMethods); | |
71 FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, | |
72 BadCORSPreflightResponseHeaders); | |
73 | |
74 // Starts a CORS preflight request to obtain permission from the server to | |
75 // send a report with Content-Type: application/expect-ct-report+json. The | |
76 // preflight result is checked in OnResponseStarted(), and an actual report is | |
77 // sent with |report_sender_| if the preflight succeeds. | |
78 void SendPreflight(const GURL& report_uri, | |
79 const std::string& serialized_report); | |
41 | 80 |
42 std::unique_ptr<net::ReportSender> report_sender_; | 81 std::unique_ptr<net::ReportSender> report_sender_; |
43 | 82 |
83 net::URLRequestContext* request_context_; | |
84 | |
85 // The CORS preflight requests, with corresponding report information, that | |
86 // are currently in-flight. Entries in this map are deleted when the | |
87 // preflight's OnResponseStarted() is called. | |
88 std::map<net::URLRequest*, InFlightPreflight> inflight_preflights_; | |
89 | |
44 DISALLOW_COPY_AND_ASSIGN(ChromeExpectCTReporter); | 90 DISALLOW_COPY_AND_ASSIGN(ChromeExpectCTReporter); |
45 }; | 91 }; |
46 | 92 |
47 #endif // CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_ | 93 #endif // CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_ |
OLD | NEW |