Block port 443 for all protocols other than HTTPS or WSS.

net/base/net_util.cc

Index: net/base/net_util.cc
diff --git a/net/base/net_util.cc b/net/base/net_util.cc
index 3b49dffb5c20d889003a09755276ddaa8e41542d..5d773e62b705fcc580e099d4ce2b4df6f8476dc3 100644
--- a/net/base/net_util.cc
+++ b/net/base/net_util.cc
@@ -107,6 +107,7 @@ static const int kRestrictedPorts[] = {
   143,  // imap2
   179,  // BGP
   389,  // ldap
+  443,  // https / wss
   465,  // smtp+ssl
   512,  // print / exec
   513,  // login
@@ -144,6 +145,11 @@ static const int kAllowedFtpPorts[] = {
   22,   // ssh
 };
 
+// HTTPS and WSS override the following restricted port.
+static const int kAllowedHttpsOrWssPorts[] = {
+  443,  // https / wss
+};
+
 bool IPNumberPrefixCheck(const IPAddressNumber& ip_number,
                          const unsigned char* ip_prefix,
                          size_t prefix_length_in_bits) {
@@ -320,6 +326,18 @@ bool IsPortAllowedByFtp(int port) {
   return IsPortAllowedByDefault(port);
 }
 
+bool IsPortAllowedByHttpsOrWss(int port) {
+  int array_size = arraysize(kAllowedHttpsOrWssPorts);
+  for (int i = 0; i < array_size; i++) {
+    if (kAllowedHttpsOrWssPorts[i] == port) {
+        return true;
+    }
+  }
+  // Port not explicitly allowed by HTTPS or WSS, so return the default
+  // restrictions.
+  return IsPortAllowedByDefault(port);
+}
+
 bool IsPortAllowedByOverride(int port) {
   if (g_explicitly_allowed_ports.Get().empty())
     return false;