Created
November 23, 2021 09:10
-
-
Save uazo/9bf6292ab3678d9eee1c9a2778424d08 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From: Your Name <you@example.com> | |
| Date: Tue, 23 Nov 2021 08:52:58 +0000 | |
| Subject: research on ct | |
| --- | |
| chrome/browser/BUILD.gn | 14 +++++++---- | |
| .../pki_metadata_component_installer.cc | 2 ++ | |
| .../net/profile_network_context_service.cc | 14 ++++++++--- | |
| .../net/profile_network_context_service.h | 3 +++ | |
| .../net/system_network_context_manager.cc | 23 +++++-------------- | |
| .../prefetch_proxy_tab_helper.cc | 10 +++++--- | |
| ...hrome_browser_main_extra_parts_profiles.cc | 3 +++ | |
| chrome/browser/ssl/sct_reporting_service.cc | 9 +++++++- | |
| .../webui/net_internals/net_internals_ui.cc | 11 +++++++++ | |
| chrome/common/chrome_features.cc | 2 +- | |
| components/certificate_transparency/BUILD.gn | 1 + | |
| net/http/transport_security_state.cc | 7 ++---- | |
| net/url_request/report_sender.cc | 4 +++- | |
| services/network/network_context.cc | 6 ++--- | |
| services/network/public/cpp/features.gni | 2 +- | |
| services/network/public/mojom/BUILD.gn | 4 ++++ | |
| .../public/mojom/network_context.mojom | 6 ++--- | |
| .../public/mojom/url_response_head.mojom | 1 + | |
| .../sct_auditing/sct_auditing_cache.cc | 5 +--- | |
| services/network/url_loader.cc | 2 ++ | |
| .../loader/fetch/url_loader/web_url_loader.cc | 2 +- | |
| 21 files changed, 84 insertions(+), 47 deletions(-) | |
| diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn | |
| --- a/chrome/browser/BUILD.gn | |
| +++ b/chrome/browser/BUILD.gn | |
| @@ -41,6 +41,7 @@ import("//third_party/webrtc/webrtc.gni") | |
| import("//third_party/widevine/cdm/widevine.gni") | |
| import("//tools/grit/grit_rule.gni") | |
| import("//ui/base/ui_features.gni") | |
| +import("//services/network/public/cpp/features.gni") | |
| # //build/config/android/rules.gni imports //tools/grit/grit_rule.gni, which | |
| # produces a conflict for the "grit" template so we have to only include one. | |
| @@ -1659,10 +1660,6 @@ static_library("browser") { | |
| "ssl/insecure_form/insecure_form_controller_client.h", | |
| "ssl/known_interception_disclosure_infobar_delegate.cc", | |
| "ssl/known_interception_disclosure_infobar_delegate.h", | |
| - "ssl/sct_reporting_service.cc", | |
| - "ssl/sct_reporting_service.h", | |
| - "ssl/sct_reporting_service_factory.cc", | |
| - "ssl/sct_reporting_service_factory.h", | |
| "ssl/secure_origin_policy_handler.cc", | |
| "ssl/secure_origin_policy_handler.h", | |
| "ssl/secure_origin_prefs_observer.cc", | |
| @@ -1832,6 +1829,15 @@ static_library("browser") { | |
| "window_placement/window_placement_permission_context.h", | |
| ] | |
| + if (is_ct_supported) { | |
| + sources += [ | |
| + "ssl/sct_reporting_service.cc", | |
| + "ssl/sct_reporting_service.h", | |
| + "ssl/sct_reporting_service_factory.cc", | |
| + "ssl/sct_reporting_service_factory.h", | |
| + ] | |
| + } | |
| + | |
| if (is_android) { | |
| sources += [ | |
| "importer/profile_writer.cc", | |
| diff --git a/chrome/browser/component_updater/pki_metadata_component_installer.cc b/chrome/browser/component_updater/pki_metadata_component_installer.cc | |
| --- a/chrome/browser/component_updater/pki_metadata_component_installer.cc | |
| +++ b/chrome/browser/component_updater/pki_metadata_component_installer.cc | |
| @@ -34,7 +34,9 @@ using component_updater::ComponentUpdateService; | |
| namespace { | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| const char kGoogleOperatorName[] = "Google"; | |
| +#endif | |
| // The SHA256 of the SubjectPublicKeyInfo used to sign the extension. | |
| // The extension id is: efniojlnjndmcbiieegkicadnoecjjef | |
| diff --git a/chrome/browser/net/profile_network_context_service.cc b/chrome/browser/net/profile_network_context_service.cc | |
| --- a/chrome/browser/net/profile_network_context_service.cc | |
| +++ b/chrome/browser/net/profile_network_context_service.cc | |
| @@ -109,6 +109,7 @@ bool* g_discard_domain_reliability_uploads_for_testing = nullptr; | |
| const char kHttpCacheFinchExperimentGroups[] = | |
| "profile_network_context_service.http_cache_finch_experiment_groups"; | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| std::vector<std::string> TranslateStringArray(const base::ListValue* list) { | |
| std::vector<std::string> strings; | |
| for (const base::Value& value : list->GetList()) { | |
| @@ -117,6 +118,7 @@ std::vector<std::string> TranslateStringArray(const base::ListValue* list) { | |
| } | |
| return strings; | |
| } | |
| +#endif | |
| std::string ComputeAcceptLanguageFromPref(const std::string& language_pref) { | |
| std::string accept_languages_str = | |
| @@ -243,6 +245,7 @@ ProfileNetworkContextService::ProfileNetworkContextService(Profile* profile) | |
| pref_change_registrar_.Init(profile_prefs); | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| // When any of the following CT preferences change, we schedule an update | |
| // to aggregate the actual update using a |ct_policy_update_timer_|. | |
| pref_change_registrar_.Add( | |
| @@ -267,6 +270,7 @@ ProfileNetworkContextService::ProfileNetworkContextService(Profile* profile) | |
| base::BindRepeating(&ProfileNetworkContextService:: | |
| UpdateSplitAuthCacheByNetworkIsolationKey, | |
| base::Unretained(this))); | |
| +#endif | |
| } | |
| ProfileNetworkContextService::~ProfileNetworkContextService() = default; | |
| @@ -389,6 +393,7 @@ void ProfileNetworkContextService::UpdateReferrersEnabled() { | |
| enable_referrers_.GetValue())); | |
| } | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| network::mojom::CTPolicyPtr ProfileNetworkContextService::GetCTPolicy() { | |
| auto* prefs = profile_->GetPrefs(); | |
| const base::ListValue* ct_required = | |
| @@ -436,6 +441,7 @@ void ProfileNetworkContextService::ScheduleUpdateCTPolicy() { | |
| this, | |
| &ProfileNetworkContextService::UpdateCTPolicy); | |
| } | |
| +#endif | |
| bool ProfileNetworkContextService::ShouldSplitAuthCacheByNetworkIsolationKey() | |
| const { | |
| @@ -735,8 +741,9 @@ void ProfileNetworkContextService::ConfigureNetworkContextParamsInternal( | |
| proxy_config_monitor_.AddToNetworkContextParams(network_context_params); | |
| - network_context_params->enable_certificate_reporting = true; | |
| - network_context_params->enable_expect_ct_reporting = true; | |
| + network_context_params->enable_certificate_reporting_bromite = true; | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| + network_context_params->enable_expect_ct_reporting_bromite = true; | |
| // Initialize the network context to do SCT auditing only if the current | |
| // profile is opted in to Safe Browsing Extended Reporting. | |
| @@ -746,6 +753,7 @@ void ProfileNetworkContextService::ConfigureNetworkContextParamsInternal( | |
| } | |
| network_context_params->ct_policy = GetCTPolicy(); | |
| +#endif | |
| #if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED) | |
| // In order for the TrialComparisonCertVerifier to be useful, it needs to | |
| @@ -813,7 +821,7 @@ void ProfileNetworkContextService::ConfigureNetworkContextParamsInternal( | |
| if (domain_reliability::DomainReliabilityServiceFactory:: | |
| ShouldCreateService()) { | |
| - network_context_params->enable_domain_reliability = true; | |
| + network_context_params->enable_domain_reliability_bromite = false; | |
| network_context_params->domain_reliability_upload_reporter = | |
| domain_reliability::DomainReliabilityServiceFactory:: | |
| kUploadReporterString; | |
| diff --git a/chrome/browser/net/profile_network_context_service.h b/chrome/browser/net/profile_network_context_service.h | |
| --- a/chrome/browser/net/profile_network_context_service.h | |
| +++ b/chrome/browser/net/profile_network_context_service.h | |
| @@ -28,6 +28,7 @@ | |
| #include "net/net_buildflags.h" | |
| #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom-forward.h" | |
| #include "services/network/public/mojom/network_context.mojom.h" | |
| +#include "services/network/public/cpp/network_service_buildflags.h" | |
| class PrefRegistrySimple; | |
| class Profile; | |
| @@ -122,6 +123,7 @@ class ProfileNetworkContextService | |
| void UpdateReferrersEnabled(); | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| // Gets the current CTPolicy from preferences. | |
| network::mojom::CTPolicyPtr GetCTPolicy(); | |
| @@ -133,6 +135,7 @@ class ProfileNetworkContextService | |
| void UpdateCTPolicy(); | |
| void ScheduleUpdateCTPolicy(); | |
| +#endif | |
| bool ShouldSplitAuthCacheByNetworkIsolationKey() const; | |
| void UpdateSplitAuthCacheByNetworkIsolationKey(); | |
| diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc | |
| --- a/chrome/browser/net/system_network_context_manager.cc | |
| +++ b/chrome/browser/net/system_network_context_manager.cc | |
| @@ -93,17 +93,8 @@ | |
| namespace { | |
| -constexpr bool kCertificateTransparencyEnabled = | |
| -#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \ | |
| - !defined(OS_ANDROID) | |
| - // Certificate Transparency is only enabled if: | |
| - // - Desktop (!OS_ANDROID); OS_IOS does not use this file | |
| - // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD) | |
| - // - The build in reliably updatable (GOOGLE_CHROME_BRANDING) | |
| - true; | |
| -#else | |
| - false; | |
| -#endif | |
| +// moved to IsCertificateTransparencyEnabled() and kCertificateTransparencyAndroid | |
| +constexpr bool kCertificateTransparencyEnabled = true; | |
| bool g_enable_certificate_transparency = kCertificateTransparencyEnabled; | |
| @@ -515,7 +506,6 @@ void SystemNetworkContextManager::OnNetworkServiceCreated( | |
| CreateHttpAuthDynamicParams(local_state_)); | |
| // Configure the Certificate Transparency logs. | |
| -#if !defined(OS_ANDROID) | |
| if (g_enable_certificate_transparency) { | |
| std::vector<std::string> operated_by_google_logs = | |
| certificate_transparency::GetLogsOperatedByGoogle(); | |
| @@ -545,7 +535,6 @@ void SystemNetworkContextManager::OnNetworkServiceCreated( | |
| std::move(log_list_mojo), | |
| certificate_transparency::GetLogListTimestamp()); | |
| } | |
| -#endif | |
| int max_connections_per_proxy = | |
| local_state_->GetInteger(prefs::kMaxConnectionsPerProxy); | |
| @@ -591,11 +580,15 @@ void SystemNetworkContextManager::OnNetworkServiceCreated( | |
| } | |
| #endif | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| // Asynchronously reapply the most recently received CRLSet (if any). | |
| component_updater::CRLSetPolicy::ReconfigureAfterNetworkRestart(); | |
| // Configure SCT Auditing in the NetworkService. | |
| SCTReportingService::ReconfigureAfterNetworkRestart(); | |
| +#else | |
| +xxx | |
| +#endif | |
| if (net::cookie_util::IsFirstPartySetsEnabled()) { | |
| component_updater::FirstPartySetsComponentInstallerPolicy:: | |
| @@ -693,14 +686,10 @@ void SystemNetworkContextManager::ConfigureDefaultNetworkContextParams( | |
| // point, all NetworkContexts will be destroyed as well. | |
| AddSSLConfigToNetworkContextParams(network_context_params); | |
| -#if !defined(OS_ANDROID) | |
| - | |
| if (g_enable_certificate_transparency) { | |
| network_context_params->enforce_chrome_ct_policy = true; | |
| } | |
| -#endif | |
| - | |
| #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) | |
| cert_verifier_creation_params->use_builtin_cert_verifier = | |
| ShouldUseBuiltinCertVerifier(local_state_) | |
| diff --git a/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_tab_helper.cc b/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_tab_helper.cc | |
| --- a/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_tab_helper.cc | |
| +++ b/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_tab_helper.cc | |
| @@ -69,6 +69,7 @@ | |
| #include "third_party/abseil-cpp/absl/types/optional.h" | |
| #include "third_party/blink/public/common/storage_key/storage_key.h" | |
| #include "url/origin.h" | |
| +#include "services/network/public/cpp/network_service_buildflags.h" | |
| namespace { | |
| @@ -1644,9 +1645,12 @@ void PrefetchProxyTabHelper::CreateIsolatedURLLoaderFactory() { | |
| // Explicitly disallow network service features which could cause a privacy | |
| // leak. | |
| - context_params->enable_certificate_reporting = false; | |
| - context_params->enable_expect_ct_reporting = false; | |
| - context_params->enable_domain_reliability = false; | |
| + context_params->enable_certificate_reporting_bromite = false; | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| + context_params->enable_expect_ct_reporting_bromite = false; | |
| +#endif | |
| + context_params->enable_domain_reliability_bromite = false; | |
| + // chrome/browser/component_updater/pki_metadata_component_installer.cc | |
| content::CreateNetworkContextInNetworkService( | |
| page_->isolated_network_context_.BindNewPipeAndPassReceiver(), | |
| diff --git a/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc b/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc | |
| --- a/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc | |
| +++ b/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc | |
| @@ -120,6 +120,7 @@ | |
| #include "media/base/media_switches.h" | |
| #include "ppapi/buildflags/buildflags.h" | |
| #include "printing/buildflags/buildflags.h" | |
| +#include "services/network/public/cpp/network_service_buildflags.h" | |
| #if defined(OS_ANDROID) | |
| #include "chrome/browser/android/explore_sites/explore_sites_service_factory.h" | |
| @@ -446,7 +447,9 @@ void ChromeBrowserMainExtraPartsProfiles:: | |
| if (screentime::IsScreenTimeEnabled()) | |
| screentime::HistoryBridgeFactory::GetInstance(); | |
| #endif | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| SCTReportingServiceFactory::GetInstance(); | |
| +#endif | |
| #if defined(OS_ANDROID) | |
| SearchPermissionsService::Factory::GetInstance(); | |
| #endif | |
| diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc | |
| --- a/chrome/browser/ssl/sct_reporting_service.cc | |
| +++ b/chrome/browser/ssl/sct_reporting_service.cc | |
| @@ -15,6 +15,7 @@ | |
| #include "net/traffic_annotation/network_traffic_annotation.h" | |
| #include "services/network/public/mojom/network_context.mojom.h" | |
| #include "services/network/public/mojom/network_service.mojom.h" | |
| +#include "services/network/public/cpp/network_service_buildflags.h" | |
| constexpr net::NetworkTrafficAnnotationTag kSCTAuditReportTrafficAnnotation = | |
| net::DefineNetworkTrafficAnnotation("sct_auditing", R"( | |
| @@ -65,6 +66,7 @@ GURL& SCTReportingService::GetReportURLInstance() { | |
| // static | |
| void SCTReportingService::ReconfigureAfterNetworkRestart() { | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| bool is_sct_auditing_enabled = | |
| base::FeatureList::IsEnabled(features::kSCTAuditing); | |
| double sct_sampling_rate = features::kSCTAuditingSamplingRate.Get(); | |
| @@ -76,6 +78,7 @@ void SCTReportingService::ReconfigureAfterNetworkRestart() { | |
| SCTReportingService::GetReportURLInstance(), | |
| net::MutableNetworkTrafficAnnotationTag(kSCTAuditReportTrafficAnnotation), | |
| std::move(factory_remote)); | |
| +#endif | |
| } | |
| SCTReportingService::SCTReportingService( | |
| @@ -104,7 +107,9 @@ namespace { | |
| void SetSCTAuditingEnabledForStoragePartition( | |
| bool enabled, | |
| content::StoragePartition* storage_partition) { | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| storage_partition->GetNetworkContext()->SetSCTAuditingEnabled(enabled); | |
| +#endif | |
| } | |
| } // namespace | |
| @@ -112,10 +117,12 @@ void SCTReportingService::SetReportingEnabled(bool enabled) { | |
| // Iterate over StoragePartitions for this Profile, and for each get the | |
| // NetworkContext and enable or disable SCT auditing. | |
| profile_->ForEachStoragePartition( | |
| - base::BindRepeating(&SetSCTAuditingEnabledForStoragePartition, enabled)); | |
| + base::BindRepeating(&SetSCTAuditingEnabledForStoragePartition, false)); | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| if (!enabled) | |
| content::GetNetworkService()->ClearSCTAuditingCache(); | |
| +#endif | |
| } | |
| void SCTReportingService::OnPreferenceChanged() { | |
| diff --git a/chrome/browser/ui/webui/net_internals/net_internals_ui.cc b/chrome/browser/ui/webui/net_internals/net_internals_ui.cc | |
| --- a/chrome/browser/ui/webui/net_internals/net_internals_ui.cc | |
| +++ b/chrome/browser/ui/webui/net_internals/net_internals_ui.cc | |
| @@ -27,6 +27,7 @@ | |
| #include "services/network/public/mojom/content_security_policy.mojom.h" | |
| #include "services/network/public/mojom/network_context.mojom.h" | |
| #include "ui/resources/grit/webui_generated_resources.h" | |
| +#include "services/network/public/cpp/network_service_buildflags.h" | |
| using content::BrowserThread; | |
| @@ -229,15 +230,20 @@ void NetInternalsMessageHandler::OnExpectCTQuery(const base::ListValue* list) { | |
| url::Origin origin = url::Origin::Create(GURL("https://" + domain)); | |
| AllowJavascript(); | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| GetNetworkContext()->GetExpectCTState( | |
| domain, | |
| net::NetworkIsolationKey(origin /* top_frame_site */, | |
| origin /* frame_site */), | |
| base::BindOnce(&NetInternalsMessageHandler::ResolveCallbackWithResult, | |
| weak_factory_.GetWeakPtr(), callback_id)); | |
| +#else | |
| + ResolveCallbackWithResult(callback_id, base::Value("not supported")); | |
| +#endif | |
| } | |
| void NetInternalsMessageHandler::OnExpectCTAdd(const base::ListValue* list) { | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| // |list| should be: [<domain to add>, <report URI>, <enforce>]. | |
| std::string domain; | |
| bool result = list->GetString(0, &domain); | |
| @@ -263,6 +269,7 @@ void NetInternalsMessageHandler::OnExpectCTAdd(const base::ListValue* list) { | |
| net::NetworkIsolationKey(origin /* top_frame_site */, | |
| origin /* frame_site */), | |
| base::DoNothing()); | |
| +#endif | |
| } | |
| void NetInternalsMessageHandler::OnExpectCTTestReport( | |
| @@ -279,10 +286,14 @@ void NetInternalsMessageHandler::OnExpectCTTestReport( | |
| return; | |
| } | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| GetNetworkContext()->SetExpectCTTestReport( | |
| report_uri, | |
| base::BindOnce(&NetInternalsMessageHandler::OnExpectCTTestReportCallback, | |
| weak_factory_.GetWeakPtr(), callback_id)); | |
| +#else | |
| + ResolveCallbackWithResult(callback_id, base::Value("not supported")); | |
| +#endif | |
| } | |
| void NetInternalsMessageHandler::OnExpectCTTestReportCallback( | |
| diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc | |
| --- a/chrome/common/chrome_features.cc | |
| +++ b/chrome/common/chrome_features.cc | |
| @@ -847,7 +847,7 @@ const base::Feature kScrollCapture{"ScrollCapture", | |
| // Controls whether SCT audit reports are queued and the rate at which they | |
| // should be sampled. | |
| const base::Feature kSCTAuditing{"SCTAuditing", | |
| - base::FEATURE_DISABLED_BY_DEFAULT}; | |
| + base::FEATURE_DISABLED_BY_DEFAULT}; // guard this | |
| constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{ | |
| &kSCTAuditing, "sampling_rate", 0.0}; | |
| diff --git a/components/certificate_transparency/BUILD.gn b/components/certificate_transparency/BUILD.gn | |
| --- a/components/certificate_transparency/BUILD.gn | |
| +++ b/components/certificate_transparency/BUILD.gn | |
| @@ -12,6 +12,7 @@ proto_library("proto") { | |
| ] | |
| } | |
| +# | |
| static_library("certificate_transparency") { | |
| sources = [ | |
| "chrome_ct_policy_enforcer.cc", | |
| diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc | |
| --- a/net/http/transport_security_state.cc | |
| +++ b/net/http/transport_security_state.cc | |
| @@ -342,6 +342,7 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) { | |
| #if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) | |
| if (g_hsts_source == nullptr) | |
| return false; | |
| + #error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled" | |
| #endif | |
| bool found = false; | |
| @@ -385,7 +386,7 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) { | |
| // static | |
| const base::Feature TransportSecurityState::kDynamicExpectCTFeature{ | |
| - "DynamicExpectCT", base::FEATURE_ENABLED_BY_DEFAULT}; | |
| + "DynamicExpectCT", base::FEATURE_DISABLED_BY_DEFAULT}; | |
| void SetTransportSecurityStateSourceForTesting( | |
| const TransportSecurityStateSource* source) { | |
| @@ -411,10 +412,6 @@ TransportSecurityState::TransportSecurityState( | |
| features::kPartitionExpectCTStateByNetworkIsolationKey)) { | |
| // Static pinning is only enabled for official builds to make sure that | |
| // others don't end up with pins that cannot be easily updated. | |
| -#if !BUILDFLAG(GOOGLE_CHROME_BRANDING) || defined(OS_ANDROID) || defined(OS_IOS) | |
| - enable_static_pins_ = false; | |
| - enable_static_expect_ct_ = false; | |
| -#endif | |
| // Check that there no invalid entries in the static HSTS bypass list. | |
| for (auto& host : hsts_host_bypass_list) { | |
| DCHECK(host.find('.') == std::string::npos); | |
| diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc | |
| --- a/net/url_request/report_sender.cc | |
| +++ b/net/url_request/report_sender.cc | |
| @@ -63,6 +63,7 @@ void ReportSender::Send(const GURL& report_uri, | |
| SuccessCallback success_callback, | |
| ErrorCallback error_callback) { | |
| DCHECK(!content_type.empty()); | |
| + LOG(INFO) << "---ReportSender::Send"; | |
| std::unique_ptr<URLRequest> url_request = request_context_->CreateRequest( | |
| report_uri, DEFAULT_PRIORITY, this, traffic_annotation_); | |
| url_request->SetUserData( | |
| @@ -87,7 +88,8 @@ void ReportSender::Send(const GURL& report_uri, | |
| URLRequest* raw_url_request = url_request.get(); | |
| inflight_requests_[raw_url_request] = std::move(url_request); | |
| - raw_url_request->Start(); | |
| + //raw_url_request->Start(); | |
| + OnResponseStarted(raw_url_request, OK); | |
| } | |
| void ReportSender::OnResponseStarted(URLRequest* request, int net_error) { | |
| diff --git a/services/network/network_context.cc b/services/network/network_context.cc | |
| --- a/services/network/network_context.cc | |
| +++ b/services/network/network_context.cc | |
| @@ -2372,7 +2372,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext( | |
| // TransportSecurityState. Since no requests have been made yet, safe to do | |
| // this even after the call to Build(). | |
| - if (params_->enable_certificate_reporting) { | |
| + if ((false /*params_->enable_certificate_reporting*/)) { | |
| net::NetworkTrafficAnnotationTag traffic_annotation = | |
| net::DefineNetworkTrafficAnnotation("domain_security_policy", R"( | |
| semantics { | |
| @@ -2413,7 +2413,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext( | |
| #endif // defined(OS_ANDROID) | |
| #if BUILDFLAG(IS_CT_SUPPORTED) | |
| - if (params_->enable_expect_ct_reporting) { | |
| + if ((false)/*params_->enable_expect_ct_reporting*/) { | |
| LazyCreateExpectCTReporter(result.url_request_context.get()); | |
| result.url_request_context->transport_security_state()->SetExpectCTReporter( | |
| expect_ct_reporter_.get()); | |
| @@ -2427,7 +2427,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext( | |
| } | |
| #endif // BUILDFLAG(IS_CT_SUPPORTED) | |
| - if (params_->enable_domain_reliability) { | |
| + if ((false)/*params_->enable_domain_reliability*/) { | |
| domain_reliability_monitor_ = | |
| std::make_unique<domain_reliability::DomainReliabilityMonitor>( | |
| result.url_request_context.get(), | |
| diff --git a/services/network/public/cpp/features.gni b/services/network/public/cpp/features.gni | |
| --- a/services/network/public/cpp/features.gni | |
| +++ b/services/network/public/cpp/features.gni | |
| @@ -7,5 +7,5 @@ import("//build/config/features.gni") | |
| declare_args() { | |
| # Certificate transparency is not supported on iOS. | |
| # TODO(mmenke): It's actually not supported on Android, either. | |
| - is_ct_supported = !is_ios | |
| + is_ct_supported = true | |
| } | |
| diff --git a/services/network/public/mojom/BUILD.gn b/services/network/public/mojom/BUILD.gn | |
| --- a/services/network/public/mojom/BUILD.gn | |
| +++ b/services/network/public/mojom/BUILD.gn | |
| @@ -300,6 +300,10 @@ mojom("url_loader_base") { | |
| enabled_features += [ "network_change_notifier_in_browser" ] | |
| } | |
| + if (is_ct_supported) { | |
| + enabled_features += [ "is_ct_supported" ] | |
| + } | |
| + | |
| if (!is_ios) { | |
| export_class_attribute_blink = "BLINK_PLATFORM_EXPORT" | |
| export_define_blink = "BLINK_PLATFORM_IMPLEMENTATION=1" | |
| diff --git a/services/network/public/mojom/network_context.mojom b/services/network/public/mojom/network_context.mojom | |
| --- a/services/network/public/mojom/network_context.mojom | |
| +++ b/services/network/public/mojom/network_context.mojom | |
| @@ -371,7 +371,7 @@ struct NetworkContextParams { | |
| // Enables reporting certain SSL errors, such as HTTP Public Key Pinning, to | |
| // servers, so they can discover misconfigurations. | |
| - bool enable_certificate_reporting = false; | |
| + bool enable_certificate_reporting_bromite = false; | |
| // True if the "Certificate Transparency in Chrome" policy (see | |
| // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should | |
| @@ -385,7 +385,7 @@ struct NetworkContextParams { | |
| // Enables Expect CT reporting, which sends reports for opted-in sites that | |
| // don't serve sufficient Certificate Transparency information. | |
| [EnableIf=is_ct_supported] | |
| - bool enable_expect_ct_reporting = false; | |
| + bool enable_expect_ct_reporting_bromite = false; | |
| // Enables SCT auditing, which sends reports for SCTs found in connections | |
| // made by this network context. Can also be dynamically configured via | |
| @@ -417,7 +417,7 @@ struct NetworkContextParams { | |
| pending_receiver<CookieManager>? cookie_manager; | |
| // Whether to enable Domain Reliability. | |
| - bool enable_domain_reliability = false; | |
| + bool enable_domain_reliability_bromite = false; | |
| // The uploader reporter name to use for Domain Reliability uploads. | |
| string domain_reliability_upload_reporter; | |
| diff --git a/services/network/public/mojom/url_response_head.mojom b/services/network/public/mojom/url_response_head.mojom | |
| --- a/services/network/public/mojom/url_response_head.mojom | |
| +++ b/services/network/public/mojom/url_response_head.mojom | |
| @@ -36,6 +36,7 @@ struct URLResponseHead { | |
| string charset; | |
| // The resource's compliance with the Certificate Transparency policy. | |
| + [EnableIf=is_ct_supported] | |
| CTPolicyCompliance ct_policy_compliance; | |
| // Content length if available. -1 if not available | |
| diff --git a/services/network/sct_auditing/sct_auditing_cache.cc b/services/network/sct_auditing/sct_auditing_cache.cc | |
| --- a/services/network/sct_auditing/sct_auditing_cache.cc | |
| +++ b/services/network/sct_auditing/sct_auditing_cache.cc | |
| @@ -214,10 +214,7 @@ void SCTAuditingReporter::SendReport() { | |
| // with no response body, so this uses DownloadHeadersOnly for simplicity. | |
| // If the loader is destroyed, the callback will be canceled, so using | |
| // base::Unretained here is safe. | |
| - url_loader_->DownloadHeadersOnly( | |
| - url_loader_factory_remote_.get(), | |
| - base::BindOnce(&SCTAuditingReporter::OnSendReportComplete, | |
| - base::Unretained(this))); | |
| + std::move(done_callback_).Run(reporter_key_); | |
| } | |
| void SCTAuditingReporter::OnSendReportComplete( | |
| diff --git a/services/network/url_loader.cc b/services/network/url_loader.cc | |
| --- a/services/network/url_loader.cc | |
| +++ b/services/network/url_loader.cc | |
| @@ -147,7 +147,9 @@ void PopulateResourceResponse(net::URLRequest* request, | |
| request->GetLoadTimingInfo(&response->load_timing); | |
| if (request->ssl_info().cert.get()) { | |
| +#if BUILDFLAG(IS_CT_SUPPORTED) | |
| response->ct_policy_compliance = request->ssl_info().ct_policy_compliance; | |
| +#endif | |
| response->cert_status = request->ssl_info().cert_status; | |
| net::SSLVersion ssl_version = net::SSLConnectionStatusToVersion( | |
| request->ssl_info().connection_status); | |
| diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/web_url_loader.cc b/third_party/blink/renderer/platform/loader/fetch/url_loader/web_url_loader.cc | |
| --- a/third_party/blink/renderer/platform/loader/fetch/url_loader/web_url_loader.cc | |
| +++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/web_url_loader.cc | |
| @@ -778,7 +778,7 @@ void WebURLLoader::PopulateURLResponse( | |
| response->SetExpectedContentLength(head.content_length); | |
| response->SetHasMajorCertificateErrors( | |
| net::IsCertStatusError(head.cert_status)); | |
| - response->SetCTPolicyCompliance(head.ct_policy_compliance); | |
| + response->SetCTPolicyCompliance(head.ct_policy_compliance); // | |
| response->SetIsLegacyTLSVersion(head.is_legacy_tls_version); | |
| response->SetHasRangeRequested(head.has_range_requested); | |
| response->SetTimingAllowPassed(head.timing_allow_passed); | |
| -- | |
| 2.20.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment