1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_auth_controller.h" | 5 #include "net/http/http_auth_controller.h" |
6 | 6 |
7 #include "base/bind.h" | 7 #include "base/bind.h" |
8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
9 #include "base/metrics/histogram.h" | 9 #include "base/metrics/histogram.h" |
10 #include "base/string_util.h" | 10 #include "base/string_util.h" |
443 // since the entry in the cache may be newer than what we used last time. | 443 // since the entry in the cache may be newer than what we used last time. |
444 http_auth_cache_->Remove(auth_origin_, handler_->realm(), | 444 http_auth_cache_->Remove(auth_origin_, handler_->realm(), |
445 handler_->auth_scheme(), identity_.credentials); | 445 handler_->auth_scheme(), identity_.credentials); |
446 } | 446 } |
447 | 447 |
448 bool HttpAuthController::SelectNextAuthIdentityToTry() { | 448 bool HttpAuthController::SelectNextAuthIdentityToTry() { |
449 DCHECK(CalledOnValidThread()); | 449 DCHECK(CalledOnValidThread()); |
450 DCHECK(handler_.get()); | 450 DCHECK(handler_.get()); |
451 DCHECK(identity_.invalid); | 451 DCHECK(identity_.invalid); |
452 | 452 |
453 // Do not try to use the username:password encoded into the URL. At worst, | 453 // Try to use the username:password encoded into the URL first. |
454 // this represents a session fixation attack against basic auth, and as it | |
455 // turns out, IE hasn't supported this for years. If a caller really wants | |
456 // to use embedded identities, the can add an URLRequest::Delegate that | |
457 // inspects the URL and supplies the username/password at OnAuthRequired() | |
458 // time. Past data shows this is used extremely infrequently in web pages, | |
459 // but continue to collect this data. | |
460 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() && | 454 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() && |
461 !embedded_identity_used_) { | 455 !embedded_identity_used_) { |
| 456 identity_.source = HttpAuth::IDENT_SRC_URL; |
| 457 identity_.invalid = false; |
| 458 // Extract the username:password from the URL. |
| 459 string16 username; |
| 460 string16 password; |
| 461 GetIdentityFromURL(auth_url_, &username, &password); |
| 462 identity_.credentials.Set(username, password); |
462 embedded_identity_used_ = true; | 463 embedded_identity_used_ = true; |
| 464 // TODO(eroman): If the password is blank, should we also try combining |
| 465 // with a password from the cache? |
463 UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true); | 466 UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true); |
| 467 return true; |
464 } | 468 } |
465 | 469 |
466 // Check the auth cache for a realm entry. | 470 // Check the auth cache for a realm entry. |
467 HttpAuthCache::Entry* entry = | 471 HttpAuthCache::Entry* entry = |
468 http_auth_cache_->Lookup(auth_origin_, handler_->realm(), | 472 http_auth_cache_->Lookup(auth_origin_, handler_->realm(), |
469 handler_->auth_scheme()); | 473 handler_->auth_scheme()); |
470 | 474 |
471 if (entry) { | 475 if (entry) { |
472 identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP; | 476 identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP; |
473 identity_.invalid = false; | 477 identity_.invalid = false; |
553 DCHECK(CalledOnValidThread()); | 557 DCHECK(CalledOnValidThread()); |
554 return disabled_schemes_.find(scheme) != disabled_schemes_.end(); | 558 return disabled_schemes_.find(scheme) != disabled_schemes_.end(); |
555 } | 559 } |
556 | 560 |
557 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) { | 561 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) { |
558 DCHECK(CalledOnValidThread()); | 562 DCHECK(CalledOnValidThread()); |
559 disabled_schemes_.insert(scheme); | 563 disabled_schemes_.insert(scheme); |
560 } | 564 } |
561 | 565 |
562 } // namespace net | 566 } // namespace net |
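Review bot: The new branch at new lines 454-467 submits credentials taken straight from the request URL, but the deleted comment (old lines 453-459) was the only place recording why that is risky — any third party can hand the user a `http://user:pw@host/` link and thereby choose the Basic-auth identity the browser authenticates with for that origin (session fixation), and that caveat should survive even if the behaviour is being restored. I would keep a short note above the `if`, e.g. `// Credentials embedded in the URL are attacker-controllable (any link can carry them), so they are tried at most once (embedded_identity_used_) and only when target_ is AUTH_SERVER, never for proxy authentication.` The TODO at new lines 464-465 deserves the same caution: pairing a URL-supplied username with a cached password would let the URL author pick the username a stored password is submitted under, so if it is ever implemented it should at least require the cached entry's username to match. SelectNextAuthIdentityToTry continues past the end of this hunk, so later identity sources are not visible here.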