| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
| 6 | 6 |
| 7 #include "base/base64.h" | 7 #include "base/base64.h" |
| 8 #include "base/json/json_reader.h" | 8 #include "base/json/json_reader.h" |
| 9 #include "base/json/json_writer.h" | 9 #include "base/json/json_writer.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/scoped_ptr.h" | 11 #include "base/scoped_ptr.h" |
| 12 #include "base/sha2.h" | 12 #include "base/sha2.h" |
| 13 #include "base/string_tokenizer.h" | 13 #include "base/string_tokenizer.h" |
| 14 #include "base/string_util.h" | 14 #include "base/string_util.h" |
| 15 #include "base/values.h" | 15 #include "base/values.h" |
| 16 #include "googleurl/src/gurl.h" | 16 #include "googleurl/src/gurl.h" |
| 17 #include "net/base/dns_util.h" | 17 #include "net/base/dns_util.h" |
| 18 | 18 |
| 19 namespace net { | 19 namespace net { |
| 20 | 20 |
| 21 TransportSecurityState::TransportSecurityState() | 21 TransportSecurityState::TransportSecurityState() |
| 22 : delegate_(NULL) { | 22 : delegate_(NULL) { |
| 23 } | 23 } |
| 24 | 24 |
| 25 void TransportSecurityState::EnableHost(const std::string& host, | 25 void TransportSecurityState::EnableHost(const std::string& host, |
| 26 const DomainState& state) { | 26 const DomainState& state) { |
| 27 if (GetBuiltin(NULL, host)) { | |
| 28 // You cannot override the settings of a builtin record. | |
| 29 return; | |
| 30 } | |
| 31 | |
| 27 const std::string canonicalised_host = CanonicaliseHost(host); | 32 const std::string canonicalised_host = CanonicaliseHost(host); |
| 28 if (canonicalised_host.empty()) | 33 if (canonicalised_host.empty()) |
| 29 return; | 34 return; |
| 30 char hashed[base::SHA256_LENGTH]; | 35 char hashed[base::SHA256_LENGTH]; |
| 31 base::SHA256HashString(canonicalised_host, hashed, sizeof(hashed)); | 36 base::SHA256HashString(canonicalised_host, hashed, sizeof(hashed)); |
| 32 | 37 |
| 33 AutoLock lock(lock_); | 38 AutoLock lock(lock_); |
| 34 | 39 |
| 35 enabled_hosts_[std::string(hashed, sizeof(hashed))] = state; | 40 enabled_hosts_[std::string(hashed, sizeof(hashed))] = state; |
| 36 DirtyNotify(); | 41 DirtyNotify(); |
| 37 } | 42 } |
| 38 | 43 |
| 39 bool TransportSecurityState::IsEnabledForHost(DomainState* result, | 44 bool TransportSecurityState::IsEnabledForHost(DomainState* result, |
| 40 const std::string& host) { | 45 const std::string& host) { |
| 41 const std::string canonicalised_host = CanonicaliseHost(host); | 46 const std::string canonicalised_host = CanonicaliseHost(host); |
| 42 if (canonicalised_host.empty()) | 47 if (canonicalised_host.empty()) |
| 43 return false; | 48 return false; |
| 44 | 49 |
| 45 base::Time current_time(base::Time::Now()); | 50 base::Time current_time(base::Time::Now()); |
| 46 AutoLock lock(lock_); | 51 AutoLock lock(lock_); |
| 47 | 52 |
| 48 for (size_t i = 0; canonicalised_host[i]; i += canonicalised_host[i] + 1) { | 53 for (size_t i = 0; canonicalised_host[i]; i += canonicalised_host[i] + 1) { |
| 49 char hashed_domain[base::SHA256_LENGTH]; | 54 char hashed_domain[base::SHA256_LENGTH]; |
| 50 | 55 |
| 51 base::SHA256HashString(&canonicalised_host[i], &hashed_domain, | 56 base::SHA256HashString(&canonicalised_host[i], &hashed_domain, |
| 52 sizeof(hashed_domain)); | 57 sizeof(hashed_domain)); |
| 53 std::map<std::string, DomainState>::iterator j = | 58 std::map<std::string, DomainState>::iterator j = |
| 54 enabled_hosts_.find(std::string(hashed_domain, sizeof(hashed_domain))); | 59 enabled_hosts_.find(std::string(hashed_domain, sizeof(hashed_domain))); |
| 55 if (j == enabled_hosts_.end()) | 60 if (j != enabled_hosts_.end()) { |
| 56 continue; | 61 if (current_time > j->second.expiry) { |
| 62 enabled_hosts_.erase(j); | |
| 63 DirtyNotify(); | |
| 64 continue; | |
| 65 } | |
| 66 *result = j->second; | |
| 57 | 67 |
| 58 if (current_time > j->second.expiry) { | 68 } else if (GetBuiltin(result, host)) { |
| 59 enabled_hosts_.erase(j); | 69 // The host has a builtin record. We don't check the expiry on these. |
| 60 DirtyNotify(); | 70 } else { |
| 71 // no record for this host. Try the next least specific domain. | |
| 61 continue; | 72 continue; |
| 62 } | 73 } |
| 63 | 74 |
| 64 *result = j->second; | |
| 65 | |
| 66 // If we matched the domain exactly, it doesn't matter what the value of | 75 // If we matched the domain exactly, it doesn't matter what the value of |
| 67 // include_subdomains is. | 76 // include_subdomains is. |
| 68 if (i == 0) | 77 if (i == 0) |
| 69 return true; | 78 return true; |
| 70 | 79 |
| 71 return j->second.include_subdomains; | 80 return result->include_subdomains; |
| 72 } | 81 } |
| 73 | 82 |
| 74 return false; | 83 return false; |
| 75 } | 84 } |
| 76 | 85 |
| 77 // "Strict-Transport-Security" ":" | 86 // "Strict-Transport-Security" ":" |
| 78 // "max-age" "=" delta-seconds [ ";" "includeSubDomains" ] | 87 // "max-age" "=" delta-seconds [ ";" "includeSubDomains" ] |
| 79 bool TransportSecurityState::ParseHeader(const std::string& value, | 88 bool TransportSecurityState::ParseHeader(const std::string& value, |
| 80 int* max_age, | 89 int* max_age, |
| 81 bool* include_subdomains) { | 90 bool* include_subdomains) { |
| (...skipping 245 matching lines...) | |
| 327 // step 3(b) | 336 // step 3(b) |
| 328 if (new_host[i + 1] == '-' || | 337 if (new_host[i + 1] == '-' || |
| 329 new_host[i + label_length] == '-') { | 338 new_host[i + label_length] == '-') { |
| 330 return std::string(); | 339 return std::string(); |
| 331 } | 340 } |
| 332 } | 341 } |
| 333 | 342 |
| 334 return new_host; | 343 return new_host; |
| 335 } | 344 } |
| 336 | 345 |
| 346 bool TransportSecurityState::GetBuiltin(DomainState* result, | |
| 347 const std::string& host) { | |
| 348 // This time is somewhere around the year 2970. | |
| 349 static const double kNoExpiry = 31557600000; | |
| 350 | |
| 351 // For the moment this list is just compiled into the browser. | |
| 352 if (host == "chrome.google.com") { | |
|
abarth-chromium
2009/12/08 03:09:42
They rolled back this change because they're hosti
| |
| 353 if (result) { | |
| 354 result->mode = DomainState::MODE_STRICT; | |
| 355 result->include_subdomains = true; | |
|
abarth-chromium
2009/12/08 03:09:42
This should be false.
| |
| 356 result->expiry = base::Time::FromDoubleT(kNoExpiry); | |
| 357 } | |
| 358 return true; | |
| 359 } | |
| 360 | |
| 361 return false; | |
| 362 } | |
| 363 | |
| 337 } // namespace | 364 } // namespace |
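Review bot: GetBuiltin is handed the raw `host` at both call sites (the guard at the top of EnableHost and the `else if` inside the IsEnabledForHost loop), whereas every dynamic lookup goes through CanonicaliseHost first, so the builtin match is an exact string comparison with `"chrome.google.com"`. Unless all callers already pass a lower-cased name with no trailing dot (not visible on this page), a differently spelled form of the same host would miss the builtin record in IsEnabledForHost and would also get past the EnableHost guard that is meant to keep builtin settings from being overridden. The loop call does not depend on `i` either, so the full host is re-tested on every suffix, and as far as the visible lines show the builtin's `include_subdomains` value is only read after an expired dynamic entry was erased at `i == 0`. I would match on the canonicalised name and consult the builtin once, before walking the suffixes, and document the contract on GetBuiltin with a comment such as `// |host| must be the canonicalised form; matching is exact.`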