Block port 443 for all protocols other than HTTPS or WSS.

net/base/net_util.cc

Index: net/base/net_util.cc
diff --git a/net/base/net_util.cc b/net/base/net_util.cc
index 3b49dffb5c20d889003a09755276ddaa8e41542d..6f280683720268fe3d60bfc8feb4e753c537b35b 100644
--- a/net/base/net_util.cc
+++ b/net/base/net_util.cc
@@ -107,6 +107,7 @@ static const int kRestrictedPorts[] = {
   143,  // imap2
   179,  // BGP
   389,  // ldap
+  443,  // https / wss (see https://crbug.com/436451)
   465,  // smtp+ssl
   512,  // print / exec
   513,  // login
@@ -144,6 +145,11 @@ static const int kAllowedFtpPorts[] = {
   22,   // ssh
 };
 
+// HTTPS and WSS override the following restricted port.
+static const int kAllowedHttpsOrWssPorts[] = {
+  443,  // https / wss
+};
+
 bool IPNumberPrefixCheck(const IPAddressNumber& ip_number,
                          const unsigned char* ip_prefix,
                          size_t prefix_length_in_bits) {
@@ -320,6 +326,29 @@ bool IsPortAllowedByFtp(int port) {
   return IsPortAllowedByDefault(port);
 }
 
+bool IsPortAllowedByHttpsOrWss(int port) {
+  int array_size = arraysize(kAllowedHttpsOrWssPorts);

[PhistucK, 2014/12/05 09:02:30]

Just a drive by -
Should this (and similar cases) be size_t instead?

+  for (int i = 0; i < array_size; i++) {
+    if (kAllowedHttpsOrWssPorts[i] == port) {
+        return true;

[mmenke, 2014/12/05 21:44:40]

Indent here is wrong.

+    }
+  }
+  // Port not explicitly allowed by HTTPS or WSS, so return the default
+  // restrictions.
+  return IsPortAllowedByDefault(port);
+}
+
+bool IsEffectivePortAllowedByScheme(const GURL& url) {
+  int port = url.EffectiveIntPort();
+  if (url.SchemeIs("ftp")) {
+    return IsPortAllowedByFtp(port);
+  } else if (url.SchemeIs("https") || url.SchemeIs("wss")) {
+    return IsPortAllowedByHttpsOrWss(port);
+  } else {
+    return IsPortAllowedByDefault(port);
+  }
+}
+
 bool IsPortAllowedByOverride(int port) {
   if (g_explicitly_allowed_ports.Get().empty())
     return false;