Google Git
Sign in
chromium / chromium / src / b180b4c7af9108c7d9657f35ceb72c3624e30cfe
commitb180b4c7af9108c7d9657f35ceb72c3624e30cfe[log] [tgz]
authorCeleste Pan <celestepan@microsoft.com>Wed Oct 18 18:46:35 2023
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Oct 18 18:46:35 2023
tree6ea00e11bfddc8235a77f3766788cff27949d64d
parentc23f99b74b4f738fe1f5a3e04cca8c9d2f17aaed [diff]
Add flag to bypass HSTS and use for AIA, CRL, and OCSP requests.

We were previously hitting an issue where AIA, CRL, and OCSP requests
were being upgraded to HTTPS, as the URLs were hosted by domains
that had HSTS applied. These requests should not ever be upgraded,
in order to avoid circular dependencies when verifying certificates.

We solve this by adding a new load_flag "should_bypass_hsts" which we
set to true whenever making AIA, CRL, or OCSP requests. We then check
for this flag when deciding whether or not to upgrade an HTTP request.


Added tests to ensure HSTS was bypassed even if a domain is set to
have HSTS and also tested round-tripping of setting load_flags in
a URL Request.

Bug: 1432246
Change-Id: I685298383c46c681a8f98c4852b2b4c3caa67304
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4863980
Reviewed-by: Brandon Maslen <brandm@microsoft.com>
Commit-Queue: Celeste Pan <celestepan@microsoft.com>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1211650}
7 files changed
tree: 6ea00e11bfddc8235a77f3766788cff27949d64d
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. codelabs/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia_web/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. media/
  31. mojo/
  32. native_client_sdk/
  33. net/
  34. pdf/
  35. ppapi/
  36. printing/
  37. remoting/
  38. rlz/
  39. sandbox/
  40. services/
  41. skia/
  42. sql/
  43. storage/
  44. styleguide/
  45. testing/
  46. third_party/
  47. tools/
  48. ui/
  49. url/
  50. webkit/
  51. clank
  52. internal
  53. ios_internal
  54. native_client
  55. signing_keys
  56. v8
  57. .clang-format
  58. .clang-tidy
  59. .eslintrc.js
  60. .git-blame-ignore-revs
  61. .gitattributes
  62. .gitignore
  63. .gitmodules
  64. .gn
  65. .mailmap
  66. .rustfmt.toml
  67. .vpython3
  68. .yapfignore
  69. ATL_OWNERS
  70. AUTHORS
  71. BUILD.gn
  72. CODE_OF_CONDUCT.md
  73. codereview.settings
  74. DEPS
  75. DIR_METADATA
  76. LICENSE
  77. LICENSE.chromium_os
  78. OWNERS
  79. PRESUBMIT.py
  80. PRESUBMIT_test.py
  81. PRESUBMIT_test_mocks.py
  82. README.md
  83. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.