Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(242)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/transport_security_state_static.json

Issue 9863001: net: move HSTS preloaded and pinning info out of code. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/base/transport_security_state_static.certs ('k') | net/base/transport_security_state_static_generate.go » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // This file contains the HSTS preloaded list in a machine readable format.
6
7 // The top-level element is a dictionary with two keys: "pinsets" maps details
8 // of certificate pinning to a name and "entries" contains the HSTS details for
9 // each host.
10 //
11 // "pinsets" is a list of objects. Each object has the following members:
12 // name: (string) the name of the pinset
13 // static_spki_hashes: (list of strings) the set of allowed SPKIs hashes
14 // bad_static_spki_hashes: (optional list of strings) the set of forbidden SPK Is hashes
15 //
16 // For a given pinset, a certifiacte is accepted if at least one of the
17 // "static_spki_hashes" SPKIs is found in the chain and none of the "bad_static_ spki_hashes" SPKIs are.
18 // SPKIs are specified as names, which must match up with the file of
19 // certificates.
20 //
21 // "entries" is a list of objects. Each object has the following members:
22 // name: (string) the DNS name of the host in question
23 // include_subdomains: (optional bool) whether subdomains of |name| are also c overed
24 // mode: (optional string) "force-https" iff covered names should require HTTP S
25 // pins: (optional string) the |name| member of an object in |pinsets|
26
27 {
28 "pinsets": [
29 {
30 "name": "test",
31 "static_spki_hashes": [
32 "TestSPKI"
33 ]
34 },
35 {
36 "name": "google",
37 "static_spki_hashes": [
38 "VeriSignClass3",
39 "VeriSignClass3_G3",
40 "Google1024",
41 "Google2048",
42 "EquifaxSecureCA"
43 ],
44 "bad_static_spki_hashes": [
45 "Aetna",
46 "Intel",
47 "TCTrustCenter",
48 "Vodafone"
49 ]
50 },
51 {
52 "name": "tor",
53 "static_spki_hashes": [
54 "RapidSSL",
55 "DigiCertEVRoot",
56 "Tor1",
57 "Tor2",
58 "Tor3"
59 ]
60 },
61 {
62 "name": "twitterCom",
63 "static_spki_hashes": [
64 "VeriSignClass1",
65 "VeriSignClass3",
66 "VeriSignClass3_G4",
67 "VeriSignClass4_G3",
68 "VeriSignClass3_G3",
69 "VeriSignClass1_G3",
70 "VeriSignClass2_G3",
71 "VeriSignClass3_G2",
72 "VeriSignClass2_G2",
73 "VeriSignClass3_G5",
74 "VeriSignUniversal",
75 "GeoTrustGlobal",
76 "GeoTrustGlobal2",
77 "GeoTrustUniversal",
78 "GeoTrustUniversal2",
79 "GeoTrustPrimary",
80 "GeoTrustPrimary_G2",
81 "GeoTrustPrimary_G3",
82 "Twitter1"
83 ]
84 },
85 {
86 "name": "twitterCDN",
87 "static_spki_hashes": [
88 "VeriSignClass1",
89 "VeriSignClass3",
90 "VeriSignClass3_G4",
91 "VeriSignClass4_G3",
92 "VeriSignClass3_G3",
93 "VeriSignClass1_G3",
94 "VeriSignClass2_G3",
95 "VeriSignClass3_G2",
96 "VeriSignClass2_G2",
97 "VeriSignClass3_G5",
98 "VeriSignUniversal",
99 "GeoTrustGlobal",
100 "GeoTrustGlobal2",
101 "GeoTrustUniversal",
102 "GeoTrustUniversal2",
103 "GeoTrustPrimary",
104 "GeoTrustPrimary_G2",
105 "GeoTrustPrimary_G3",
106 "Twitter1",
107
108 "Entrust_2048",
109 "Entrust_EV",
110 "Entrust_G2",
111 "Entrust_SSL",
112 "AAACertificateServices",
113 "AddTrustClass1CARoot",
114 "AddTrustExternalCARoot",
115 "AddTrustPublicCARoot",
116 "AddTrustQualifiedCARoot",
117 "COMODOCertificationAuthority",
118 "SecureCertificateServices",
119 "TrustedCertificateServices",
120 "UTNDATACorpSGC",
121 "UTNUSERFirstClientAuthenticationandEmail",
122 "UTNUSERFirstHardware",
123 "UTNUSERFirstObject",
124 "GTECyberTrustGlobalRoot"
125 ]
126 }
127 ],
128
129 "entries": [
130 // Dummy entry to test certificate pinning.
131 { "name": "pinningtest.appspot.com", "include_subdomains": true, "pins": "te st" },
132
133 // (*.)google.com, iff using SSL, must use an acceptable certificate.
134 { "name": "google.com", "include_subdomains": true, "pins": "google" },
135
136 // Now we force HTTPS for subtrees of google.com.
137 { "name": "health.google.com", "include_subdomains": true, "mode": "force-ht tps", "pins": "google" },
138 { "name": "checkout.google.com", "include_subdomains": true, "mode": "force- https", "pins": "google" },
139 { "name": "chrome.google.com", "include_subdomains": true, "mode": "force-ht tps", "pins": "google" },
140 { "name": "docs.google.com", "include_subdomains": true, "mode": "force-http s", "pins": "google" },
141 { "name": "sites.google.com", "include_subdomains": true, "mode": "force-htt ps", "pins": "google" },
142 { "name": "spreadsheets.google.com", "include_subdomains": true, "mode": "fo rce-https", "pins": "google" },
143 { "name": "appengine.google.com", "mode": "force-https", "pins": "google" },
144 { "name": "encrypted.google.com", "include_subdomains": true, "mode": "force -https", "pins": "google" },
145 { "name": "accounts.google.com", "include_subdomains": true, "mode": "force- https", "pins": "google" },
146 { "name": "profiles.google.com", "include_subdomains": true, "mode": "force- https", "pins": "google" },
147 { "name": "mail.google.com", "include_subdomains": true, "mode": "force-http s", "pins": "google" },
148 { "name": "talkgadget.google.com", "include_subdomains": true, "mode": "forc e-https", "pins": "google" },
149 { "name": "talk.google.com", "include_subdomains": true, "mode": "force-http s", "pins": "google" },
150 { "name": "hostedtalkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
151 { "name": "plus.google.com", "include_subdomains": true, "mode": "force-http s", "pins": "google" },
152
153 // Other Google related domain that must use HTTPS.
154 { "name": "market.android.com", "include_subdomains": true, "mode": "force-h ttps", "pins": "google" },
155 { "name": "ssl.google-analytics.com", "include_subdomains": true, "mode": "f orce-https", "pins": "google" },
156 { "name": "drive.google.com", "include_subdomains": true, "mode": "force-htt ps", "pins": "google" },
157 { "name": "googleplex.com", "include_subdomains": true, "mode": "force-https ", "pins": "google" },
158 { "name": "groups.google.com", "include_subdomains": true, "mode": "force-ht tps", "pins": "google" },
159 { "name": "apis.google.com", "include_subdomains": true, "mode": "force-http s", "pins": "google" },
160
161 // chart.apis.google.com is *not* HSTS because the certificate doesn't match
162 // and there are lots of links out there that still use the name. The correc t
163 // hostname for this is chart.googleapis.com.
164 { "name": "chart.apis.google.com", "include_subdomains": true, "pins": "goog le" },
165
166 // Other Google-related domains that must use an acceptable certificate
167 // iff using SSL.
168 { "name": "ytimg.com", "include_subdomains": true, "pins": "google" },
169 { "name": "googleusercontent.com", "include_subdomains": true, "pins": "goog le" },
170 { "name": "youtube.com", "include_subdomains": true, "pins": "google" },
171 { "name": "googleapis.com", "include_subdomains": true, "pins": "google" },
172 { "name": "googleadservices.com", "include_subdomains": true, "pins": "googl e" },
173 { "name": "googlecode.com", "include_subdomains": true, "pins": "google" },
174 { "name": "appspot.com", "include_subdomains": true, "pins": "google" },
175 { "name": "googlesyndication.com", "include_subdomains": true, "pins": "goog le" },
176 { "name": "doubleclick.net", "include_subdomains": true, "pins": "google" },
177 { "name": "ssl.gstatic.com", "include_subdomains": true, "pins": "google" },
178 // Exclude the learn.doubleclick.net subdomain because it uses a different
179 // CA.
180 { "name": "learn.doubleclick.net", "include_subdomains": true },
181
182 // Force HTTPS for sites that have requested it.
183 { "name": "www.paypal.com", "mode": "force-https" },
184 { "name": "www.elanex.biz", "mode": "force-https" },
185 { "name": "jottit.com", "include_subdomains": true, "mode": "force-https" },
186 { "name": "sunshinepress.org", "include_subdomains": true, "mode": "force-ht tps" },
187 { "name": "www.noisebridge.net", "mode": "force-https" },
188 { "name": "neg9.org", "mode": "force-https" },
189 { "name": "riseup.net", "include_subdomains": true, "mode": "force-https" },
190 { "name": "factor.cc", "mode": "force-https" },
191 { "name": "members.mayfirst.org", "mode": "force-https" },
192 { "name": "support.mayfirst.org", "mode": "force-https" },
193 { "name": "id.mayfirst.org", "mode": "force-https" },
194 { "name": "lists.mayfirst.org", "mode": "force-https" },
195 { "name": "splendidbacon.com", "include_subdomains": true, "mode": "force-ht tps" },
196 { "name": "aladdinschools.appspot.com", "mode": "force-https" },
197 { "name": "ottospora.nl", "include_subdomains": true, "mode": "force-https" },
198 { "name": "www.paycheckrecords.com", "mode": "force-https" },
199 { "name": "lastpass.com", "mode": "force-https" },
200 { "name": "www.lastpass.com", "mode": "force-https" },
201 { "name": "keyerror.com", "include_subdomains": true, "mode": "force-https" },
202 { "name": "entropia.de", "mode": "force-https" },
203 { "name": "www.entropia.de", "mode": "force-https" },
204 { "name": "romab.com", "include_subdomains": true, "mode": "force-https" },
205 { "name": "logentries.com", "mode": "force-https" },
206 { "name": "www.logentries.com", "mode": "force-https" },
207 { "name": "stripe.com", "include_subdomains": true, "mode": "force-https" },
208 { "name": "cloudsecurityalliance.org", "include_subdomains": true, "mode": " force-https" },
209 { "name": "login.sapo.pt", "include_subdomains": true, "mode": "force-https" },
210 { "name": "mattmccutchen.net", "include_subdomains": true, "mode": "force-ht tps" },
211 { "name": "betnet.fr", "include_subdomains": true, "mode": "force-https" },
212 { "name": "uprotect.it", "include_subdomains": true, "mode": "force-https" } ,
213 { "name": "squareup.com", "mode": "force-https" },
214 { "name": "cert.se", "include_subdomains": true, "mode": "force-https" },
215 { "name": "crypto.is", "include_subdomains": true, "mode": "force-https" },
216 { "name": "simon.butcher.name", "include_subdomains": true, "mode": "force-h ttps" },
217 { "name": "linx.net", "include_subdomains": true, "mode": "force-https" },
218 { "name": "dropcam.com", "mode": "force-https" },
219 { "name": "www.dropcam.com", "mode": "force-https" },
220 { "name": "ebanking.indovinabank.com.vn", "include_subdomains": true, "mode" : "force-https" },
221 { "name": "epoxate.com", "mode": "force-https" },
222 { "name": "torproject.org", "mode": "force-https", "pins": "tor" },
223 { "name": "blog.torproject.org", "include_subdomains": true, "mode": "force- https", "pins": "tor" },
224 { "name": "check.torproject.org", "include_subdomains": true, "mode": "force -https", "pins": "tor" },
225 { "name": "www.torproject.org", "include_subdomains": true, "mode": "force-h ttps", "pins": "tor" },
226 { "name": "www.moneybookers.com", "include_subdomains": true, "mode": "force -https" },
227 { "name": "ledgerscope.net", "mode": "force-https" },
228 { "name": "www.ledgerscope.net", "mode": "force-https" },
229 { "name": "kyps.net", "mode": "force-https" },
230 { "name": "www.kyps.net", "mode": "force-https" },
231 { "name": "app.recurly.com", "include_subdomains": true, "mode": "force-http s" },
232 { "name": "api.recurly.com", "include_subdomains": true, "mode": "force-http s" },
233 { "name": "greplin.com", "mode": "force-https" },
234 { "name": "www.greplin.com", "mode": "force-https" },
235 { "name": "luneta.nearbuysystems.com", "include_subdomains": true, "mode": " force-https" },
236 { "name": "ubertt.org", "include_subdomains": true, "mode": "force-https" },
237 { "name": "pixi.me", "include_subdomains": true, "mode": "force-https" },
238 { "name": "grepular.com", "include_subdomains": true, "mode": "force-https" },
239 { "name": "mydigipass.com", "mode": "force-https" },
240 { "name": "www.mydigipass.com", "mode": "force-https" },
241 { "name": "developer.mydigipass.com", "mode": "force-https" },
242 { "name": "www.developer.mydigipass.com", "mode": "force-https" },
243 { "name": "sandbox.mydigipass.com", "mode": "force-https" },
244 { "name": "www.sandbox.mydigipass.com", "mode": "force-https" },
245 { "name": "crypto.cat", "include_subdomains": true, "mode": "force-https" },
246 { "name": "bigshinylock.minazo.net", "include_subdomains": true, "mode": "fo rce-https" },
247 { "name": "crate.io", "include_subdomains": true, "mode": "force-https" },
248 { "name": "twitter.com", "pins": "twitterCom" },
249 { "name": "www.twitter.com", "include_subdomains": true, "pins": "twitterCom " },
250 { "name": "api.twitter.com", "include_subdomains": true, "pins": "twitterCDN " },
251 { "name": "oauth.twitter.com", "include_subdomains": true, "pins": "twitterC om" },
252 { "name": "mobile.twitter.com", "include_subdomains": true, "pins": "twitter Com" },
253 { "name": "dev.twitter.com", "include_subdomains": true, "pins": "twitterCom " },
254 { "name": "business.twitter.com", "include_subdomains": true, "pins": "twitt erCom" },
255 { "name": "platform.twitter.com", "include_subdomains": true, "pins": "twitt erCDN" },
256 { "name": "si0.twimg.com", "include_subdomains": true, "pins": "twitterCDN" },
257 { "name": "twimg0-a.akamaihd.net", "include_subdomains": true, "pins": "twit terCDN" },
258
259 // Entries that are only valid if the client supports SNI.
260 { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": t rue },
261 { "name": "googlemail.com", "mode": "force-https", "pins": "google", "snionl y": true },
262 { "name": "www.gmail.com", "mode": "force-https", "pins": "google", "snionly ": true },
263 { "name": "www.googlemail.com", "mode": "force-https", "pins": "google", "sn ionly": true },
264 { "name": "google-analytics.com", "include_subdomains": true, "pins": "googl e", "snionly": true },
265 { "name": "googlegroups.com", "include_subdomains": true, "pins": "google", "snionly": true }
266 ]
267 }
OLDNEW
« no previous file with comments | « net/base/transport_security_state_static.certs ('k') | net/base/transport_security_state_static_generate.go » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698