Chromium Code Reviews Chromium Code Reviews
Issue 2970913002:
Implement CORS preflights for Expect-CT reports (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" | 5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" |
| 6 | 6 |
| 7 #include <set> | |
| 7 #include <string> | 8 #include <string> |
| 8 | 9 |
| 9 #include "base/base64.h" | 10 #include "base/base64.h" |
| 10 #include "base/command_line.h" | 11 #include "base/command_line.h" |
| 11 #include "base/feature_list.h" | 12 #include "base/feature_list.h" |
| 12 #include "base/json/json_writer.h" | 13 #include "base/json/json_writer.h" |
| 13 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 14 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
| 15 #include "base/metrics/sparse_histogram.h" | 16 #include "base/metrics/sparse_histogram.h" |
| 16 #include "base/strings/string_number_conversions.h" | 17 #include "base/strings/string_number_conversions.h" |
| 18 #include "base/strings/string_split.h" | |
| 19 #include "base/strings/string_util.h" | |
| 17 #include "base/strings/stringprintf.h" | 20 #include "base/strings/stringprintf.h" |
| 18 #include "base/values.h" | 21 #include "base/values.h" |
| 19 #include "chrome/common/chrome_features.h" | 22 #include "chrome/common/chrome_features.h" |
| 23 #include "net/base/load_flags.h" | |
| 20 #include "net/cert/ct_serialization.h" | 24 #include "net/cert/ct_serialization.h" |
| 21 #include "net/traffic_annotation/network_traffic_annotation.h" | 25 #include "net/traffic_annotation/network_traffic_annotation.h" |
| 22 #include "net/url_request/report_sender.h" | 26 #include "net/url_request/report_sender.h" |
| 27 #include "net/url_request/url_request_context.h" | |
| 23 | 28 |
| 24 namespace { | 29 namespace { |
| 25 | 30 |
| 31 // Returns true if |request| contains any of the |allowed_values| in a response | |
| 32 // header field named |header|. |allowed_values| are expected to be lower-case | |
| 33 // and the check is case-insensitive. | |
| 34 bool HasHeaderValues(net::URLRequest* request, | |
| 35 const std::string& header, | |
| 36 const std::set<std::string>& allowed_values) { | |
| 37 std::string response_headers; | |
| 38 request->GetResponseHeaderByName(header, &response_headers); | |
| 39 const std::vector<std::string> response_values = base::SplitString( | |
| 40 response_headers, ",", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY); | |
| 41 for (const auto& value : response_values) { | |
| 42 for (const auto& allowed : allowed_values) { | |
| 43 if (base::ToLowerASCII(allowed) == base::ToLowerASCII(value)) { | |
| 44 return true; | |
| 45 } | |
| 46 } | |
| 47 } | |
| 48 return false; | |
| 49 } | |
| 50 | |
| 26 std::string TimeToISO8601(const base::Time& t) { | 51 std::string TimeToISO8601(const base::Time& t) { |
| 27 base::Time::Exploded exploded; | 52 base::Time::Exploded exploded; |
| 28 t.UTCExplode(&exploded); | 53 t.UTCExplode(&exploded); |
| 29 return base::StringPrintf( | 54 return base::StringPrintf( |
| 30 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, | 55 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, |
| 31 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, | 56 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, |
| 32 exploded.millisecond); | 57 exploded.millisecond); |
| 33 } | 58 } |
| 34 | 59 |
| 35 std::unique_ptr<base::ListValue> GetPEMEncodedChainAsList( | 60 std::unique_ptr<base::ListValue> GetPEMEncodedChainAsList( |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 122 policy_exception_justification: | 147 policy_exception_justification: |
| 123 "Not implemented, this is a feature that websites can opt into and " | 148 "Not implemented, this is a feature that websites can opt into and " |
| 124 "thus there is no Chrome-wide policy to disable it." | 149 "thus there is no Chrome-wide policy to disable it." |
| 125 })"); | 150 })"); |
| 126 | 151 |
| 127 } // namespace | 152 } // namespace |
| 128 | 153 |
| 129 ChromeExpectCTReporter::ChromeExpectCTReporter( | 154 ChromeExpectCTReporter::ChromeExpectCTReporter( |
| 130 net::URLRequestContext* request_context) | 155 net::URLRequestContext* request_context) |
| 131 : report_sender_( | 156 : report_sender_( |
| 132 new net::ReportSender(request_context, kTrafficAnnotation)) {} | 157 new net::ReportSender(request_context, kTrafficAnnotation)), |
| 158 request_context_(request_context) {} | |
| 133 | 159 |
| 134 ChromeExpectCTReporter::~ChromeExpectCTReporter() {} | 160 ChromeExpectCTReporter::~ChromeExpectCTReporter() {} |
| 135 | 161 |
| 136 void ChromeExpectCTReporter::OnExpectCTFailed( | 162 void ChromeExpectCTReporter::OnExpectCTFailed( |
| 137 const net::HostPortPair& host_port_pair, | 163 const net::HostPortPair& host_port_pair, |
| 138 const GURL& report_uri, | 164 const GURL& report_uri, |
| 139 base::Time expiration, | 165 base::Time expiration, |
| 140 const net::X509Certificate* validated_certificate_chain, | 166 const net::X509Certificate* validated_certificate_chain, |
| 141 const net::X509Certificate* served_certificate_chain, | 167 const net::X509Certificate* served_certificate_chain, |
| 142 const net::SignedCertificateTimestampAndStatusList& | 168 const net::SignedCertificateTimestampAndStatusList& |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 166 report->Set("scts", std::move(scts)); | 192 report->Set("scts", std::move(scts)); |
| 167 | 193 |
| 168 std::string serialized_report; | 194 std::string serialized_report; |
| 169 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { | 195 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { |
| 170 LOG(ERROR) << "Failed to serialize Expect CT report"; | 196 LOG(ERROR) << "Failed to serialize Expect CT report"; |
| 171 return; | 197 return; |
| 172 } | 198 } |
| 173 | 199 |
| 174 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); | 200 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); |
| 175 | 201 |
| 176 report_sender_->Send(report_uri, "application/json; charset=utf-8", | 202 SendPreflight(report_uri, serialized_report); |
| 177 serialized_report, base::Callback<void()>(), | 203 } |
| 204 | |
| 205 void ChromeExpectCTReporter::OnResponseStarted(net::URLRequest* request, | |
| 206 int net_error) { | |
| 207 auto preflight_it = inflight_preflights_.find(request); | |
| 208 DCHECK(inflight_preflights_.end() != inflight_preflights_.find(request)); | |
| 209 PreflightInProgress* preflight = preflight_it->second.get(); | |
| 210 | |
| 211 const int response_code = request->GetResponseCode(); | |
| 212 | |
| 213 // Check that the preflight succeeded: it must have an HTTP OK status code, | |
| 214 // with the following headers: | |
| 215 // - Access-Control-Allow-Origin: * or null | |
| 216 // - Access-Control-Allow-Methods: POST | |
| 217 // - Access-Control-Allow-Headers: Content-Type | |
| 218 | |
| 219 if (!request->status().is_success() || | |
| 220 (response_code < 200 || response_code > 299)) { | |
|
meacer
2017/07/06 22:03:45
tiny nit: Extra parans not necessary since it's al
estark
2017/07/07 06:07:21
Done.
| |
| 221 RecordUMAOnFailure(preflight->report_uri, request->status().error(), | |
| 222 request->status().is_success() ? response_code : -1); | |
| 223 inflight_preflights_.erase(request); | |
| 224 // Do not use |preflight| after this point, since it has been erased above. | |
| 225 return; | |
| 226 } | |
| 227 | |
| 228 if (!HasHeaderValues(request, "Access-Control-Allow-Origin", {"*", "null"}) || | |
| 229 !HasHeaderValues(request, "Access-Control-Allow-Methods", {"post"}) || | |
| 230 !HasHeaderValues(request, "Access-Control-Allow-Headers", | |
| 231 {"content-type"})) { | |
| 232 RecordUMAOnFailure(preflight->report_uri, request->status().error(), | |
| 233 response_code); | |
| 234 inflight_preflights_.erase(request); | |
| 235 // Do not use |preflight| after this point, since it has been erased above. | |
| 236 return; | |
| 237 } | |
| 238 | |
| 239 report_sender_->Send(preflight->report_uri, | |
| 240 "application/expect-ct-report+json; charset=utf-8", | |
| 241 preflight->serialized_report, base::Callback<void()>(), | |
| 178 base::Bind(RecordUMAOnFailure)); | 242 base::Bind(RecordUMAOnFailure)); |
| 243 inflight_preflights_.erase(request); | |
| 179 } | 244 } |
| 245 | |
| 246 void ChromeExpectCTReporter::OnReadCompleted(net::URLRequest* request, | |
| 247 int bytes_read) { | |
| 248 NOTREACHED(); | |
| 249 } | |
| 250 | |
| 251 ChromeExpectCTReporter::PreflightInProgress::PreflightInProgress( | |
| 252 std::unique_ptr<net::URLRequest> request, | |
| 253 const std::string& serialized_report, | |
| 254 const GURL& report_uri) | |
| 255 : request(std::move(request)), | |
| 256 serialized_report(serialized_report), | |
| 257 report_uri(report_uri) {} | |
| 258 ChromeExpectCTReporter::PreflightInProgress::~PreflightInProgress() {} | |
|
meacer
2017/07/06 22:03:45
nit: blank line before this
estark
2017/07/07 06:07:21
Done.
| |
| 259 | |
| 260 void ChromeExpectCTReporter::SendPreflight( | |
| 261 const GURL& report_uri, | |
| 262 const std::string& serialized_report) { | |
| 263 std::unique_ptr<net::URLRequest> url_request = | |
| 264 request_context_->CreateRequest(report_uri, net::DEFAULT_PRIORITY, this, | |
| 265 kTrafficAnnotation); | |
| 266 url_request->SetLoadFlags(net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE | | |
| 267 net::LOAD_DO_NOT_SEND_AUTH_DATA | | |
| 268 net::LOAD_DO_NOT_SEND_COOKIES | | |
| 269 net::LOAD_DO_NOT_SAVE_COOKIES); | |
| 270 url_request->set_method("OPTIONS"); | |
| 271 | |
| 272 net::HttpRequestHeaders extra_headers; | |
| 273 extra_headers.SetHeader("Origin", "null"); | |
| 274 extra_headers.SetHeader("Access-Control-Request-Method", "POST"); | |
| 275 extra_headers.SetHeader("Access-Control-Request-Headers", "content-type"); | |
| 276 url_request->SetExtraRequestHeaders(extra_headers); | |
| 277 | |
| 278 net::URLRequest* raw_request = url_request.get(); | |
| 279 inflight_preflights_[raw_request] = base::MakeUnique<PreflightInProgress>( | |
| 280 std::move(url_request), serialized_report, report_uri); | |
| 281 raw_request->Start(); | |
| 282 } | |
| OLD | NEW |
