
Side by Side Diff: net/base/transport_security_state.cc

Issue 9863001: net: move HSTS preloaded and pinning info out of code. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 9 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/transport_security_state.h" 5 #include "net/base/transport_security_state.h"
6 6
7 #if defined(USE_OPENSSL) 7 #if defined(USE_OPENSSL)
8 #include <openssl/ecdsa.h> 8 #include <openssl/ecdsa.h>
9 #include <openssl/ssl.h> 9 #include <openssl/ssl.h>
10 #else // !defined(USE_OPENSSL) 10 #else // !defined(USE_OPENSSL)
(...skipping 17 matching lines...) Expand all
28 #include "base/string_number_conversions.h" 28 #include "base/string_number_conversions.h"
29 #include "base/string_tokenizer.h" 29 #include "base/string_tokenizer.h"
30 #include "base/string_util.h" 30 #include "base/string_util.h"
31 #include "base/time.h" 31 #include "base/time.h"
32 #include "base/utf_string_conversions.h" 32 #include "base/utf_string_conversions.h"
33 #include "base/values.h" 33 #include "base/values.h"
34 #include "crypto/sha2.h" 34 #include "crypto/sha2.h"
35 #include "googleurl/src/gurl.h" 35 #include "googleurl/src/gurl.h"
36 #include "net/base/asn1_util.h" 36 #include "net/base/asn1_util.h"
37 #include "net/base/dns_util.h" 37 #include "net/base/dns_util.h"
38 #include "net/base/public_key_hashes.h"
39 #include "net/base/ssl_info.h" 38 #include "net/base/ssl_info.h"
40 #include "net/base/x509_certificate.h" 39 #include "net/base/x509_certificate.h"
41 #include "net/http/http_util.h" 40 #include "net/http/http_util.h"
42 41
43 #if defined(USE_OPENSSL) 42 #if defined(USE_OPENSSL)
44 #include "crypto/openssl_util.h" 43 #include "crypto/openssl_util.h"
45 #endif 44 #endif
46 45
47 namespace net { 46 namespace net {
48 47
(...skipping 1092 matching lines...) Expand 10 before | Expand all | Expand 10 after
1141 hash++; 1140 hash++;
1142 } 1141 }
1143 } 1142 }
1144 } 1143 }
1145 return true; 1144 return true;
1146 } 1145 }
1147 } 1146 }
1148 return false; 1147 return false;
1149 } 1148 }
1150 1149
1151 // kNoRejectedPublicKeys is a placeholder for when no public keys are rejected. 1150 #include "net/base/hsts_preloaded.h"
palmer 2012/03/26 23:40:21 Maybe call it tss_static.h? (It's not just HSTS pe
1152 static const char* const kNoRejectedPublicKeys[] = {
1153 NULL,
1154 };
1155
1156 static const char* const kGoogleAcceptableCerts[] = {
1157 kSPKIHash_VeriSignClass3,
1158 kSPKIHash_VeriSignClass3_G3,
1159 kSPKIHash_Google1024,
1160 kSPKIHash_Google2048,
1161 kSPKIHash_EquifaxSecureCA,
1162 NULL,
1163 };
1164 static const char* const kGoogleRejectedCerts[] = {
1165 kSPKIHash_Aetna,
1166 kSPKIHash_Intel,
1167 kSPKIHash_TCTrustCenter,
1168 kSPKIHash_Vodafone,
1169 NULL,
1170 };
1171 #define kGooglePins { \
1172 kGoogleAcceptableCerts, \
1173 kGoogleRejectedCerts, \
1174 }
1175
1176 static const char* const kTorAcceptableCerts[] = {
1177 kSPKIHash_RapidSSL,
1178 kSPKIHash_DigiCertEVRoot,
1179 kSPKIHash_Tor1,
1180 kSPKIHash_Tor2,
1181 kSPKIHash_Tor3,
1182 NULL,
1183 };
1184 #define kTorPins { \
1185 kTorAcceptableCerts, \
1186 kNoRejectedPublicKeys, \
1187 }
1188
1189 static const char* const kTwitterComAcceptableCerts[] = {
1190 kSPKIHash_VeriSignClass1,
1191 kSPKIHash_VeriSignClass3,
1192 kSPKIHash_VeriSignClass3_G4,
1193 kSPKIHash_VeriSignClass4_G3,
1194 kSPKIHash_VeriSignClass3_G3,
1195 kSPKIHash_VeriSignClass1_G3,
1196 kSPKIHash_VeriSignClass2_G3,
1197 kSPKIHash_VeriSignClass3_G2,
1198 kSPKIHash_VeriSignClass2_G2,
1199 kSPKIHash_VeriSignClass3_G5,
1200 kSPKIHash_VeriSignUniversal,
1201 kSPKIHash_GeoTrustGlobal,
1202 kSPKIHash_GeoTrustGlobal2,
1203 kSPKIHash_GeoTrustUniversal,
1204 kSPKIHash_GeoTrustUniversal2,
1205 kSPKIHash_GeoTrustPrimary,
1206 kSPKIHash_GeoTrustPrimary_G2,
1207 kSPKIHash_GeoTrustPrimary_G3,
1208 kSPKIHash_Twitter1,
1209 NULL,
1210 };
1211 #define kTwitterComPins { \
1212 kTwitterComAcceptableCerts, \
1213 kNoRejectedPublicKeys, \
1214 }
1215
1216 // kTwitterCDNAcceptableCerts are the set of public keys valid for Twitter's
1217 // CDNs, which includes all the keys from kTwitterComAcceptableCerts.
1218 static const char* const kTwitterCDNAcceptableCerts[] = {
1219 kSPKIHash_VeriSignClass1,
1220 kSPKIHash_VeriSignClass3,
1221 kSPKIHash_VeriSignClass3_G4,
1222 kSPKIHash_VeriSignClass4_G3,
1223 kSPKIHash_VeriSignClass3_G3,
1224 kSPKIHash_VeriSignClass1_G3,
1225 kSPKIHash_VeriSignClass2_G3,
1226 kSPKIHash_VeriSignClass3_G2,
1227 kSPKIHash_VeriSignClass2_G2,
1228 kSPKIHash_VeriSignClass3_G5,
1229 kSPKIHash_VeriSignUniversal,
1230 kSPKIHash_GeoTrustGlobal,
1231 kSPKIHash_GeoTrustGlobal2,
1232 kSPKIHash_GeoTrustUniversal,
1233 kSPKIHash_GeoTrustUniversal2,
1234 kSPKIHash_GeoTrustPrimary,
1235 kSPKIHash_GeoTrustPrimary_G2,
1236 kSPKIHash_GeoTrustPrimary_G3,
1237 kSPKIHash_Twitter1,
1238
1239 kSPKIHash_Entrust_2048,
1240 kSPKIHash_Entrust_EV,
1241 kSPKIHash_Entrust_G2,
1242 kSPKIHash_Entrust_SSL,
1243 kSPKIHash_AAACertificateServices,
1244 kSPKIHash_AddTrustClass1CARoot,
1245 kSPKIHash_AddTrustExternalCARoot,
1246 kSPKIHash_AddTrustPublicCARoot,
1247 kSPKIHash_AddTrustQualifiedCARoot,
1248 kSPKIHash_COMODOCertificationAuthority,
1249 kSPKIHash_SecureCertificateServices,
1250 kSPKIHash_TrustedCertificateServices,
1251 kSPKIHash_UTNDATACorpSGC,
1252 kSPKIHash_UTNUSERFirstClientAuthenticationandEmail,
1253 kSPKIHash_UTNUSERFirstHardware,
1254 kSPKIHash_UTNUSERFirstObject,
1255 kSPKIHash_GTECyberTrustGlobalRoot,
1256 NULL,
1257 };
1258 #define kTwitterCDNPins { \
1259 kTwitterCDNAcceptableCerts, \
1260 kNoRejectedPublicKeys, \
1261 }
1262
1263 // kTestAcceptableCerts doesn't actually match any public keys and is used
1264 // with "pinningtest.appspot.com", below, to test if pinning is active.
1265 static const char* const kTestAcceptableCerts[] = {
1266 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
1267 NULL,
1268 };
1269 #define kTestPins { \
1270 kTestAcceptableCerts, \
1271 kNoRejectedPublicKeys, \
1272 }
1273
1274 #define kNoPins { \
1275 NULL, NULL, \
1276 }
1277
1278 #if defined(OS_CHROMEOS)
1279 static const bool kTwitterHSTS = true;
1280 #else
1281 static const bool kTwitterHSTS = false;
1282 #endif
1283
1284 // In the medium term this list is likely to just be hardcoded here. This
1285 // slightly odd form removes the need for additional relocations records.
1286 static const struct HSTSPreload kPreloadedSTS[] = {
1287 // (*.)google.com, iff using SSL must use an acceptable certificate.
1288 {12, true, "\006google\003com", false, kGooglePins,
1289 DOMAIN_GOOGLE_COM },
1290 {25, true, "\013pinningtest\007appspot\003com", false,
1291 kTestPins, DOMAIN_APPSPOT_COM },
1292 // Now we force HTTPS for subtrees of google.com.
1293 {19, true, "\006health\006google\003com", true, kGooglePins,
1294 DOMAIN_GOOGLE_COM },
1295 {21, true, "\010checkout\006google\003com", true, kGooglePins,
1296 DOMAIN_GOOGLE_COM },
1297 {19, true, "\006chrome\006google\003com", true, kGooglePins,
1298 DOMAIN_GOOGLE_COM },
1299 {17, true, "\004docs\006google\003com", true, kGooglePins,
1300 DOMAIN_GOOGLE_COM },
1301 {18, true, "\005sites\006google\003com", true, kGooglePins,
1302 DOMAIN_GOOGLE_COM },
1303 {25, true, "\014spreadsheets\006google\003com", true,
1304 kGooglePins, DOMAIN_GOOGLE_COM },
1305 {22, false, "\011appengine\006google\003com", true,
1306 kGooglePins, DOMAIN_GOOGLE_COM },
1307 {22, true, "\011encrypted\006google\003com", true, kGooglePins,
1308 DOMAIN_GOOGLE_COM },
1309 {21, true, "\010accounts\006google\003com", true, kGooglePins,
1310 DOMAIN_GOOGLE_COM },
1311 {21, true, "\010profiles\006google\003com", true, kGooglePins,
1312 DOMAIN_GOOGLE_COM },
1313 {17, true, "\004mail\006google\003com", true, kGooglePins,
1314 DOMAIN_GOOGLE_COM },
1315 {23, true, "\012talkgadget\006google\003com", true,
1316 kGooglePins, DOMAIN_GOOGLE_COM },
1317 {17, true, "\004talk\006google\003com", true, kGooglePins,
1318 DOMAIN_GOOGLE_COM },
1319 {29, true, "\020hostedtalkgadget\006google\003com", true,
1320 kGooglePins, DOMAIN_GOOGLE_COM },
1321 {17, true, "\004plus\006google\003com", true, kGooglePins,
1322 DOMAIN_GOOGLE_COM },
1323 // Other Google-related domains that must use HTTPS.
1324 {20, true, "\006market\007android\003com", true, kGooglePins,
1325 DOMAIN_ANDROID_COM },
1326 {26, true, "\003ssl\020google-analytics\003com", true,
1327 kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM },
1328 {18, true, "\005drive\006google\003com", true, kGooglePins,
1329 DOMAIN_GOOGLE_COM },
1330 {16, true, "\012googleplex\003com", true, kGooglePins,
1331 DOMAIN_GOOGLEPLEX_COM },
1332 {19, true, "\006groups\006google\003com", true, kGooglePins,
1333 DOMAIN_GOOGLE_COM },
1334 {17, true, "\004apis\006google\003com", true, kGooglePins,
1335 DOMAIN_GOOGLE_COM },
1336 // chart.apis.google.com is *not* HSTS because the certificate doesn't match
1337 // and there are lots of links out there that still use the name. The correct
1338 // hostname for this is chart.googleapis.com.
1339 {23, true, "\005chart\004apis\006google\003com", false, kGooglePins,
1340 DOMAIN_GOOGLE_COM},
1341
1342 // Other Google-related domains that must use an acceptable certificate
1343 // iff using SSL.
1344 {11, true, "\005ytimg\003com", false, kGooglePins,
1345 DOMAIN_YTIMG_COM },
1346 {23, true, "\021googleusercontent\003com", false, kGooglePins,
1347 DOMAIN_GOOGLEUSERCONTENT_COM },
1348 {13, true, "\007youtube\003com", false, kGooglePins,
1349 DOMAIN_YOUTUBE_COM },
1350 {16, true, "\012googleapis\003com", false, kGooglePins,
1351 DOMAIN_GOOGLEAPIS_COM },
1352 {22, true, "\020googleadservices\003com", false, kGooglePins,
1353 DOMAIN_GOOGLEADSERVICES_COM },
1354 {16, true, "\012googlecode\003com", false, kGooglePins,
1355 DOMAIN_GOOGLECODE_COM },
1356 {13, true, "\007appspot\003com", false, kGooglePins,
1357 DOMAIN_APPSPOT_COM },
1358 {23, true, "\021googlesyndication\003com", false, kGooglePins,
1359 DOMAIN_GOOGLESYNDICATION_COM },
1360 {17, true, "\013doubleclick\003net", false, kGooglePins,
1361 DOMAIN_DOUBLECLICK_NET },
1362 {17, true, "\003ssl\007gstatic\003com", false, kGooglePins,
1363 DOMAIN_GSTATIC_COM },
1364 // Exclude the learn.doubleclick.net subdomain because it uses a different
1365 // CA.
1366 {23, true, "\005learn\013doubleclick\003net", false, kNoPins, DOMAIN_NOT_PINNE D },
1367 // Now we force HTTPS for other sites that have requested it.
1368 {16, false, "\003www\006paypal\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1369 {16, false, "\003www\006elanex\003biz", true, kNoPins, DOMAIN_NOT_PINNED },
1370 {12, true, "\006jottit\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1371 {19, true, "\015sunshinepress\003org", true, kNoPins, DOMAIN_NOT_PINNED },
1372 {21, false, "\003www\013noisebridge\003net", true, kNoPins,
1373 DOMAIN_NOT_PINNED },
1374 {10, false, "\004neg9\003org", true, kNoPins, DOMAIN_NOT_PINNED },
1375 {12, true, "\006riseup\003net", true, kNoPins, DOMAIN_NOT_PINNED },
1376 {11, false, "\006factor\002cc", true, kNoPins, DOMAIN_NOT_PINNED },
1377 {22, false, "\007members\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
1378 {22, false, "\007support\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
1379 {17, false, "\002id\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
1380 {20, false, "\005lists\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED } ,
1381 {19, true, "\015splendidbacon\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1382 {28, false, "\016aladdinschools\007appspot\003com", true, kNoPins,
1383 DOMAIN_NOT_PINNED },
1384 {14, true, "\011ottospora\002nl", true, kNoPins, DOMAIN_NOT_PINNED },
1385 {25, false, "\003www\017paycheckrecords\003com", true, kNoPins,
1386 DOMAIN_NOT_PINNED },
1387 {14, false, "\010lastpass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1388 {18, false, "\003www\010lastpass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1389 {14, true, "\010keyerror\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1390 {13, false, "\010entropia\002de", true, kNoPins, DOMAIN_NOT_PINNED },
1391 {17, false, "\003www\010entropia\002de", true, kNoPins, DOMAIN_NOT_PINNED },
1392 {11, true, "\005romab\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1393 {16, false, "\012logentries\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1394 {20, false, "\003www\012logentries\003com", true, kNoPins, DOMAIN_NOT_PINNED } ,
1395 {12, true, "\006stripe\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1396 {27, true, "\025cloudsecurityalliance\003org", true, kNoPins,
1397 DOMAIN_NOT_PINNED },
1398 {15, true, "\005login\004sapo\002pt", true, kNoPins, DOMAIN_NOT_PINNED },
1399 {19, true, "\015mattmccutchen\003net", true, kNoPins, DOMAIN_NOT_PINNED },
1400 {11, true, "\006betnet\002fr", true, kNoPins, DOMAIN_NOT_PINNED },
1401 {13, true, "\010uprotect\002it", true, kNoPins, DOMAIN_NOT_PINNED },
1402 {14, false, "\010squareup\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1403 {9, true, "\004cert\002se", true, kNoPins, DOMAIN_NOT_PINNED },
1404 {11, true, "\006crypto\002is", true, kNoPins, DOMAIN_NOT_PINNED },
1405 {20, true, "\005simon\007butcher\004name", true, kNoPins, DOMAIN_NOT_PINNED },
1406 {10, true, "\004linx\003net", true, kNoPins, DOMAIN_NOT_PINNED },
1407 {13, false, "\007dropcam\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1408 {17, false, "\003www\007dropcam\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1409 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, kNoPins,
1410 DOMAIN_NOT_PINNED },
1411 {13, false, "\007epoxate\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1412 {16, false, "\012torproject\003org", true, kTorPins,
1413 DOMAIN_TORPROJECT_ORG },
1414 {21, true, "\004blog\012torproject\003org", true, kTorPins,
1415 DOMAIN_TORPROJECT_ORG },
1416 {22, true, "\005check\012torproject\003org", true, kTorPins,
1417 DOMAIN_TORPROJECT_ORG },
1418 {20, true, "\003www\012torproject\003org", true, kTorPins,
1419 DOMAIN_TORPROJECT_ORG },
1420 {22, true, "\003www\014moneybookers\003com", true, kNoPins,
1421 DOMAIN_NOT_PINNED },
1422 {17, false, "\013ledgerscope\003net", true, kNoPins, DOMAIN_NOT_PINNED },
1423 {21, false, "\003www\013ledgerscope\003net", true, kNoPins,
1424 DOMAIN_NOT_PINNED },
1425 {10, false, "\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED },
1426 {14, false, "\003www\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED },
1427 {17, true, "\003app\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1428 {17, true, "\003api\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1429 {13, false, "\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1430 {17, false, "\003www\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1431 {27, true, "\006luneta\016nearbuysystems\003com", true, kNoPins,
1432 DOMAIN_NOT_PINNED },
1433 {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED },
1434 {9, true, "\004pixi\002me", true, kNoPins, DOMAIN_NOT_PINNED },
1435 {14, true, "\010grepular\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1436 {16, false , "\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
1437 {20, false , "\003www\012mydigipass\003com", true, kNoPins,
1438 DOMAIN_NOT_PINNED },
1439 {26, false , "\011developer\012mydigipass\003com", true, kNoPins,
1440 DOMAIN_NOT_PINNED },
1441 {30, false , "\003www\011developer\012mydigipass\003com", true, kNoPins,
1442 DOMAIN_NOT_PINNED },
1443 {24, false , "\007sandbox\012mydigipass\003com", true, kNoPins,
1444 DOMAIN_NOT_PINNED },
1445 {28, false , "\003www\007sandbox\012mydigipass\003com", true, kNoPins,
1446 DOMAIN_NOT_PINNED },
1447 {12, true, "\006crypto\003cat", true, kNoPins, DOMAIN_NOT_PINNED },
1448 {25, true, "\014bigshinylock\006minazo\003net", true, kNoPins,
1449 DOMAIN_NOT_PINNED },
1450 {10, true, "\005crate\002io", true, kNoPins, DOMAIN_NOT_PINNED },
1451
1452 {13, false, "\007twitter\003com", kTwitterHSTS,
1453 kTwitterComPins, DOMAIN_TWITTER_COM },
1454 {17, true, "\003www\007twitter\003com", kTwitterHSTS,
1455 kTwitterComPins, DOMAIN_TWITTER_COM },
1456 {17, true, "\003api\007twitter\003com", kTwitterHSTS,
1457 kTwitterCDNPins, DOMAIN_TWITTER_COM },
1458 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
1459 kTwitterComPins, DOMAIN_TWITTER_COM },
1460 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
1461 kTwitterComPins, DOMAIN_TWITTER_COM },
1462 {17, true, "\003dev\007twitter\003com", kTwitterHSTS,
1463 kTwitterComPins, DOMAIN_TWITTER_COM },
1464 {22, true, "\010business\007twitter\003com", kTwitterHSTS,
1465 kTwitterComPins, DOMAIN_TWITTER_COM },
1466 {22, true, "\010platform\007twitter\003com", false,
1467 kTwitterCDNPins, DOMAIN_TWITTER_COM },
1468 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNPins,
1469 DOMAIN_TWIMG_COM },
1470 {23, true, "\010twimg0-a\010akamaihd\003net", false,
1471 kTwitterCDNPins, DOMAIN_AKAMAIHD_NET },
1472 };
1473 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
1474
1475 static const struct HSTSPreload kPreloadedSNISTS[] = {
1476 // These SNI-only domains must always use HTTPS.
1477 {11, false, "\005gmail\003com", true, kGooglePins,
1478 DOMAIN_GMAIL_COM },
1479 {16, false, "\012googlemail\003com", true, kGooglePins,
1480 DOMAIN_GOOGLEMAIL_COM },
1481 {15, false, "\003www\005gmail\003com", true, kGooglePins,
1482 DOMAIN_GMAIL_COM },
1483 {20, false, "\003www\012googlemail\003com", true, kGooglePins,
1484 DOMAIN_GOOGLEMAIL_COM },
1485 // These SNI-only domains must use an acceptable certificate iff using
1486 // HTTPS.
1487 {22, true, "\020google-analytics\003com", false, kGooglePins,
1488 DOMAIN_GOOGLE_ANALYTICS_COM },
1489 // www. requires SNI.
1490 {18, true, "\014googlegroups\003com", false, kGooglePins,
1491 DOMAIN_GOOGLEGROUPS_COM },
1492 };
1493 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
1494 1151
1495 // Returns the HSTSPreload entry for the |canonicalized_host| in |entries|, 1152 // Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
1496 // or NULL if there is none. Prefers exact hostname matches to those that 1153 // or NULL if there is none. Prefers exact hostname matches to those that
1497 // match only because HSTSPreload.include_subdomains is true. 1154 // match only because HSTSPreload.include_subdomains is true.
1498 // 1155 //
1499 // |canonicalized_host| should be the hostname as canonicalized by 1156 // |canonicalized_host| should be the hostname as canonicalized by
1500 // CanonicalizeHost. 1157 // CanonicalizeHost.
1501 static const struct HSTSPreload* GetHSTSPreload( 1158 static const struct HSTSPreload* GetHSTSPreload(
1502 const std::string& canonicalized_host, 1159 const std::string& canonicalized_host,
1503 const struct HSTSPreload* entries, 1160 const struct HSTSPreload* entries,
(...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after
1657 1314
1658 return true; 1315 return true;
1659 } 1316 }
1660 1317
1661 bool TransportSecurityState::DomainState::ShouldRedirectHTTPToHTTPS() 1318 bool TransportSecurityState::DomainState::ShouldRedirectHTTPToHTTPS()
1662 const { 1319 const {
1663 return mode == MODE_STRICT; 1320 return mode == MODE_STRICT;
1664 } 1321 }
1665 1322
1666 } // namespace 1323 } // namespace
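Review bot: The `#include "net/base/hsts_preloaded.h"` at new line 1150 sits mid-file, between the `namespace net {` opened at new line 46 and its close at new line 1323, with no comment saying it is a data include rather than an ordinary header. I would put a comment above it such as `// Static pin sets and preload tables; must be included exactly here, inside namespace net.` and have the header state the same constraint. The tables removed here (kPreloadedSTS, kPreloadedSNISTS and the pin arrays) presumably move into that header, which then also has to supply the kSPKIHash_* names now that `net/base/public_key_hashes.h` is no longer included; the header is not visible on this page, so that needs confirming. Since the pinning and HSTS data is no longer visible to someone reading this file, a unit test that walks the tables and checks each entry's leading length field against its DNS-form name would catch an entry that silently never matches. GetHSTSPreload's body is outside the visible lines, so how that length is used is an assumption.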