Re-apply CL's to force store-hosted extension update checks to use SSL

chrome/browser/extensions/updater/extension_downloader.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/updater/extension_downloader.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 169 matching lines @@
   fetches_preparing_.clear();
 }
 
 void ExtensionDownloader::StartBlacklistUpdate(
     const std::string& version,
    const ManifestFetchData::PingData& ping_data) {
   // Note: it is very important that we use the https version of the update
   // url here to avoid DNS hijacking of the blacklist, which is not validated
   // by a public key signature like .crx files are.
   ManifestFetchData* blacklist_fetch =
-      new ManifestFetchData(extension_urls::GetWebstoreUpdateUrl(true));
+      new ManifestFetchData(extension_urls::GetWebstoreUpdateUrl());
+  DCHECK(blacklist_fetch->base_url().SchemeIsSecure());
   blacklist_fetch->AddExtension(kBlacklistAppID, version, &ping_data, "",
                                 kDefaultInstallSource);
   StartUpdateCheck(blacklist_fetch);
 }
 
 bool ExtensionDownloader::AddExtensionData(const std::string& id,
                                            const Version& version,
                                            Extension::Type extension_type,
                                            GURL update_url,
                                            const std::string& update_url_data) {
   // Skip extensions with non-empty invalid update URLs.
   if (!update_url.is_empty() && !update_url.is_valid()) {
     LOG(WARNING) << "Extension " << id << " has invalid update url "
                  << update_url;
     return false;
   }
 
+  // Make sure we use SSL for store-hosted extensions.
+  if (extension_urls::IsWebstoreUpdateUrl(update_url) &&
+      !update_url.SchemeIsSecure())
+    update_url = extension_urls::GetWebstoreUpdateUrl();
+
   // Skip extensions with empty IDs.
   if (id.empty()) {
     LOG(WARNING) << "Found extension with empty ID";
     return false;
   }
 
   if (update_url.DomainIs("google.com")) {
     url_stats_.google_url_count++;
   } else if (update_url.is_empty()) {
     url_stats_.no_url_count++;
     // Fill in default update URL.
-    //
-    // TODO(akalin): Figure out if we should use the HTTPS version.
-    update_url = extension_urls::GetWebstoreUpdateUrl(false);
+    update_url = extension_urls::GetWebstoreUpdateUrl();
   } else {
     url_stats_.other_url_count++;
   }
 
   switch (extension_type) {
     case Extension::TYPE_THEME:
       ++url_stats_.theme_count;
       break;
     case Extension::TYPE_EXTENSION:
     case Extension::TYPE_USER_SCRIPT:
       ++url_stats_.extension_count;
       break;
     case Extension::TYPE_HOSTED_APP:
     case Extension::TYPE_PACKAGED_APP:
       ++url_stats_.app_count;
       break;
     case Extension::TYPE_UNKNOWN:
     default:
       ++url_stats_.pending_count;
       break;
   }
 
   std::vector<GURL> update_urls;
   update_urls.push_back(update_url);
   // If UMA is enabled, also add to ManifestFetchData for the
   // webstore update URL.
   if (!extension_urls::IsWebstoreUpdateUrl(update_url) &&
       MetricsServiceHelper::IsMetricsReportingEnabled()) {
-    update_urls.push_back(extension_urls::GetWebstoreUpdateUrl(false));
+    update_urls.push_back(extension_urls::GetWebstoreUpdateUrl());
   }
 
   for (size_t i = 0; i < update_urls.size(); ++i) {
     DCHECK(!update_urls[i].is_empty());
     DCHECK(update_urls[i].is_valid());
 
     std::string install_source = i == 0 ?
         kDefaultInstallSource : kNotFromWebstoreInstallSource;
 
     ManifestFetchData::PingData ping_data;
@@ skipping 164 matching lines @@
     return;
   }
 
   // Examine the parsed manifest and kick off fetches of any new crx files.
   std::vector<int> updates;
   DetermineUpdates(fetch_data, *results, &updates);
   for (size_t i = 0; i < updates.size(); i++) {
     const UpdateManifest::Result* update = &(results->list.at(updates[i]));
     const std::string& id = update->extension_id;
     not_updated.erase(id);
+
+    GURL crx_url = update->crx_url;
     if (id != kBlacklistAppID) {
       NotifyUpdateFound(update->extension_id);
     } else {
       // The URL of the blacklist file is returned by the server and we need to
       // be sure that we continue to be able to reliably detect whether a URL
       // references a blacklist file.
-      DCHECK(extension_urls::IsBlacklistUpdateUrl(update->crx_url))
-          << update->crx_url;
+      DCHECK(extension_urls::IsBlacklistUpdateUrl(crx_url)) << crx_url;
+
+      // Force https (crbug.com/129587).
+      if (!crx_url.SchemeIsSecure()) {
+        url_canon::Replacements<char> replacements;
+        std::string scheme("https");
+        replacements.SetScheme(scheme.c_str(),
+                               url_parse::Component(0, scheme.size()));
+        crx_url = crx_url.ReplaceComponents(replacements);
+      }
     }
-    FetchUpdatedExtension(update->extension_id, update->crx_url,
-                          update->package_hash, update->version);
+    FetchUpdatedExtension(update->extension_id, crx_url, update->package_hash,
+                          update->version);
   }
 
   // If the manifest response included a <daystart> element, we want to save
   // that value for any extensions which had sent a ping in the request.
   if (fetch_data.base_url().DomainIs("google.com") &&
       results->daystart_elapsed_seconds >= 0) {
     Time day_start =
         Time::Now() - TimeDelta::FromSeconds(results->daystart_elapsed_seconds);
 
     const std::set<std::string>& extension_ids = fetch_data.extension_ids();
@@ skipping 193 matching lines @@
 }
 
 void ExtensionDownloader::NotifyUpdateFound(const std::string& id) {
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_EXTENSION_UPDATE_FOUND,
       content::NotificationService::AllBrowserContextsAndSources(),
       content::Details<const std::string>(&id));
 }
 
 }  // namespace extensions