| // Copyright (c) 2018 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef NET_BASE_FEATURES_H_ |
| #define NET_BASE_FEATURES_H_ |
| |
| #include <string> |
| |
| #include "base/feature_list.h" |
| #include "base/metrics/field_trial_params.h" |
| #include "base/strings/string_piece.h" |
| #include "base/time/time.h" |
| #include "net/base/net_export.h" |
| #include "net/net_buildflags.h" |
| |
| namespace net { |
| namespace features { |
| |
| // Toggles the `Accept-Language` HTTP request header, which |
| // https://github.com/WICG/lang-client-hint proposes that we deprecate. |
| NET_EXPORT extern const base::Feature kAcceptLanguageHeader; |
| |
| // When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross- |
| // origin requests are restricted to contain at most the source origin. |
| NET_EXPORT extern const base::Feature kCapReferrerToOriginOnCrossOrigin; |
| |
| // Enables TLS 1.3 early data. |
| NET_EXPORT extern const base::Feature kEnableTLS13EarlyData; |
| |
| // Support for altering the parameters used for DNS transaction timeout. See |
| // ResolveContext::SecureTransactionTimeout(). |
| NET_EXPORT extern const base::Feature kDnsTransactionDynamicTimeouts; |
| // Multiplier applied to current fallback periods in determining a transaction |
| // timeout. |
| NET_EXPORT extern const base::FeatureParam<double> |
| kDnsTransactionTimeoutMultiplier; |
| NET_EXPORT extern const base::FeatureParam<base::TimeDelta> |
| kDnsMinTransactionTimeout; |
| |
| // Enables DNS queries for HTTPSSVC or INTEGRITY records, depending on feature |
| // parameters. These queries will only be made over DoH. HTTPSSVC responses may |
| // cause us to upgrade the URL to HTTPS and/or to attempt QUIC. |
| NET_EXPORT extern const base::Feature kDnsHttpssvc; |
| |
| // Disable H2 reprioritization, in order to measure its impact. |
| NET_EXPORT extern const base::Feature kAvoidH2Reprioritization; |
| |
| // Determine which kind of record should be queried: HTTPSSVC or INTEGRITY. No |
| // more than one of these feature parameters should be enabled at once. In the |
| // event that both are enabled, |kDnsHttpssvcUseIntegrity| takes priority, and |
| // |kDnsHttpssvcUseHttpssvc| will be ignored. |
| NET_EXPORT extern const base::FeatureParam<bool> kDnsHttpssvcUseHttpssvc; |
| NET_EXPORT extern const base::FeatureParam<bool> kDnsHttpssvcUseIntegrity; |
| |
| // Enable HTTPSSVC or INTEGRITY to be queried over insecure DNS. |
| NET_EXPORT extern const base::FeatureParam<bool> |
| kDnsHttpssvcEnableQueryOverInsecure; |
| |
| // If we are still waiting for an HTTPSSVC or INTEGRITY query after all the |
| // other queries in a DnsTask have completed, we will compute a timeout for the |
| // remaining query. The timeout will be the min of: |
| // (a) |kDnsHttpssvcExtraTimeMs.Get()| |
| // (b) |kDnsHttpssvcExtraTimePercent.Get() / 100 * t|, where |t| is the |
| // number of milliseconds since the first query began. |
| NET_EXPORT extern const base::FeatureParam<int> kDnsHttpssvcExtraTimeMs; |
| NET_EXPORT extern const base::FeatureParam<int> kDnsHttpssvcExtraTimePercent; |
| |
| // These parameters, respectively, are the list of experimental and control |
| // domains for which we will query HTTPSSVC or INTEGRITY records. We expect |
| // valid INTEGRITY results for experiment domains. We expect no INTEGRITY |
| // results for control domains. |
| // |
| // The format of both parameters is a comma-separated list of domains. |
| // Whitespace around domain names is permitted. Trailing comma is optional. |
| // |
| // See helper functions: |
| // |dns_httpssvc_experiment::GetDnsHttpssvcExperimentDomains| and |
| // |dns_httpssvc_experiment::GetDnsHttpssvcControlDomains|. |
| NET_EXPORT extern const base::FeatureParam<std::string> |
| kDnsHttpssvcExperimentDomains; |
| NET_EXPORT extern const base::FeatureParam<std::string> |
| kDnsHttpssvcControlDomains; |
| |
| // This param controls how we determine whether a domain is an experimental or |
| // control domain. When false, domains must be in |kDnsHttpssvcControlDomains| |
| // to be considered a control. When true, we ignore |kDnsHttpssvcControlDomains| |
| // and any non-experiment domain (not in |kDnsHttpssvcExperimentDomains|) is |
| // considered a control domain. |
| NET_EXPORT extern const base::FeatureParam<bool> |
| kDnsHttpssvcControlDomainWildcard; |
| |
| namespace dns_httpssvc_experiment { |
| // Get the value of |kDnsHttpssvcExtraTimeMs|. |
| NET_EXPORT base::TimeDelta GetExtraTimeAbsolute(); |
| } // namespace dns_httpssvc_experiment |
| |
| // Enables optimizing the network quality estimation algorithms in network |
| // quality estimator (NQE). |
| NET_EXPORT extern const base::Feature kNetworkQualityEstimator; |
| |
| // Splits cache entries by the request's NetworkIsolationKey if one is |
| // available. |
| NET_EXPORT extern const base::Feature kSplitCacheByNetworkIsolationKey; |
| |
| // Splits host cache entries by the DNS request's NetworkIsolationKey if one is |
| // available. Also prevents merging live DNS lookups when there is a NIK |
| // mismatch. |
| NET_EXPORT extern const base::Feature kSplitHostCacheByNetworkIsolationKey; |
| |
| // Partitions connections based on the NetworkIsolationKey associated with a |
| // request. |
| NET_EXPORT extern const base::Feature |
| kPartitionConnectionsByNetworkIsolationKey; |
| |
| // Partitions HttpServerProperties based on the NetworkIsolationKey associated |
| // with a request. |
| NET_EXPORT extern const base::Feature |
| kPartitionHttpServerPropertiesByNetworkIsolationKey; |
| |
| // Partitions TLS sessions and QUIC server configs based on the |
| // NetworkIsolationKey associated with a request. |
| // |
| // This feature requires kPartitionConnectionsByNetworkIsolationKey to be |
| // enabled to work. |
| NET_EXPORT extern const base::Feature |
| kPartitionSSLSessionsByNetworkIsolationKey; |
| |
| // Partitions Expect-CT data by NetworkIsolationKey. This only affects the |
| // Expect-CT data itself. Regardless of this value, reports will be uploaded |
| // using the associated NetworkIsolationKey, when one's available. |
| // |
| // This feature requires kPartitionConnectionsByNetworkIsolationKey, |
| // kPartitionHttpServerPropertiesByNetworkIsolationKey, and |
| // kPartitionConnectionsByNetworkIsolationKey to all be enabled to work. |
| NET_EXPORT extern const base::Feature |
| kPartitionExpectCTStateByNetworkIsolationKey; |
| |
| // Partitions Network Error Logging and Reporting API data by |
| // NetworkIsolationKey. Also partitions all reports generated by other consumers |
| // of the reporting API. Applies the NetworkIsolationKey to reports uploads as |
| // well. |
| // |
| // When disabled, the main entry points of the reporting and NEL services ignore |
| // NetworkIsolationKey parameters, and they're cleared while loading from the |
| // cache, but internal objects can be created with them (e.g., endpoints), for |
| // testing. |
| NET_EXPORT extern const base::Feature |
| kPartitionNelAndReportingByNetworkIsolationKey; |
| |
| // Enables limiting the size of Expect-CT table. |
| NET_EXPORT extern const base::Feature kExpectCTPruning; |
| |
| // FeatureParams associated with kExpectCTPruning. |
| |
| // Expect-CT pruning runs when this many entries are hit. |
| NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneMax; |
| // The Expect-CT pruning logic attempts to reduce entries to at most this many. |
| NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneMin; |
| // Non-transient entries with |enforce| set are safe from being pruned if |
| // they're less than this many days old, unless the number of entries exceeds |
| // |kExpectCTMaxEntriesPerNik|. |
| NET_EXPORT extern const base::FeatureParam<int> kExpectCTSafeFromPruneDays; |
| // If, after pruning transient, non-enforced, old Expect-CT entries, |
| // kExpectCTPruneMin is still exceeded, then all NetworkIsolationKeys will be |
| // capped to this many entries, based on last observation date. |
| NET_EXPORT extern const base::FeatureParam<int> kExpectCTMaxEntriesPerNik; |
| // Minimum delay between successive prunings of Expect-CT entries, in seconds. |
| NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneDelaySecs; |
| |
| // Enables sending TLS 1.3 Key Update messages on TLS 1.3 connections in order |
| // to ensure that this corner of the spec is exercised. This is currently |
| // disabled by default because we discovered incompatibilities with some |
| // servers. |
| NET_EXPORT extern const base::Feature kTLS13KeyUpdate; |
| |
| // Enables CECPQ2, a post-quantum key-agreement, in TLS 1.3 connections. |
| NET_EXPORT extern const base::Feature kPostQuantumCECPQ2; |
| |
| // Changes the timeout after which unused sockets idle sockets are cleaned up. |
| NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout; |
| |
| // When enabled, makes cookies without a SameSite attribute behave like |
| // SameSite=Lax cookies by default, and requires SameSite=None to be specified |
| // in order to make cookies available in a third-party context. When disabled, |
| // the default behavior for cookies without a SameSite attribute specified is no |
| // restriction, i.e., available in a third-party context. |
| // The "Lax-allow-unsafe" mitigation allows these cookies to be sent on |
| // top-level cross-site requests with an unsafe (e.g. POST) HTTP method, if the |
| // cookie is no more than 2 minutes old. |
| NET_EXPORT extern const base::Feature kSameSiteByDefaultCookies; |
| |
| // When enabled, cookies without SameSite restrictions that don't specify the |
| // Secure attribute will be rejected if set from an insecure context, or treated |
| // as secure if set from a secure context. This ONLY has an effect if |
| // SameSiteByDefaultCookies is also enabled. |
| NET_EXPORT extern const base::Feature kCookiesWithoutSameSiteMustBeSecure; |
| |
| // When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered |
| // from 2 minutes to 10 seconds. This time threshold refers to the age cutoff |
| // for which cookies that default into SameSite=Lax, which are newer than the |
| // threshold, will be sent with any top-level cross-site navigation regardless |
| // of HTTP method (i.e. allowing unsafe methods). This is a convenience for |
| // integration tests which may want to test behavior of cookies older than the |
| // threshold, but which would not be practical to run for 2 minutes. |
| NET_EXPORT extern const base::Feature kShortLaxAllowUnsafeThreshold; |
| |
| // When enabled, the SameSite by default feature does not add the |
| // "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite |
| // attribute will be treated as Lax only, i.e. POST and other unsafe HTTP |
| // methods will not be allowed at all for top-level cross-site navigations. |
| // This only has an effect if the cookie defaults to SameSite=Lax. |
| NET_EXPORT extern const base::Feature kSameSiteDefaultChecksMethodRigorously; |
| |
| #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) |
| // When enabled, use the builtin cert verifier instead of the platform verifier. |
| NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature; |
| #endif |
| |
| NET_EXPORT extern const base::Feature kAppendFrameOriginToNetworkIsolationKey; |
| |
| // Turns off streaming media caching to disk when on battery power. |
| NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingOnBattery; |
| |
| // Turns off streaming media caching to disk always. |
| NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingAlways; |
| |
| // When enabled, sites that use TLS versions below the |version_min_warn| |
| // threshold are marked with the LEGACY_TLS CertStatus and return an |
| // ERR_SSL_OBSOLETE_VERSION error. This is used to trigger an interstitial |
| // warning for these pages. |
| NET_EXPORT extern const base::Feature kLegacyTLSEnforced; |
| |
| // When enabled this feature will cause same-site calculations to take into |
| // account the scheme of the site-for-cookies and the request/response url. |
| NET_EXPORT extern const base::Feature kSchemefulSameSite; |
| |
| // When enabled, TLS connections will initially not offer 3DES and SHA-1 but |
| // enable them on fallback. This is used to improve metrics around usage of |
| // those algorithms. If disabled, the algorithms will always be offered. |
| NET_EXPORT extern const base::Feature kTLSLegacyCryptoFallbackForMetrics; |
| |
| // When enabled, DNS_PROBE_FINISHED_NXDOMAIN error pages may show |
| // locally-generated suggestions to visit similar domains. |
| NET_EXPORT extern const base::Feature kUseLookalikesForNavigationSuggestions; |
| |
| // When enabled, the Network Quality Estimator (NQE) will notify the operating |
| // system whenever it detects that the current default network may have |
| // significantly degraded connectivity. Currently only effective on Android. |
| NET_EXPORT extern const base::Feature kReportPoorConnectivity; |
| |
| // When enabled, the NQE may preemptively request that the OS activate a mobile |
| // network when requests on the active Wi-Fi connection are stalled. This can be |
| // used to warm the radio for a faster transition if/when the OS chooses to drop |
| // the Wi-Fi connection. |
| NET_EXPORT extern const base::Feature kPreemptiveMobileNetworkActivation; |
| |
| // Enables a process-wide limit on "open" UDP sockets. See |
| // udp_socket_global_limits.h for details on what constitutes an "open" socket. |
| NET_EXPORT extern const base::Feature kLimitOpenUDPSockets; |
| |
| // FeatureParams associated with kLimitOpenUDPSockets. |
| |
| // Sets the maximum allowed open UDP sockets. Provisioning more sockets than |
| // this will result in a failure (ERR_INSUFFICIENT_RESOURCES). |
| NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax; |
| |
| // Enables a timeout on individual TCP connect attempts, based on |
| // the parameter values. |
| NET_EXPORT extern const base::Feature kTimeoutTcpConnectAttempt; |
| |
| // FeatureParams associated with kTimeoutTcpConnectAttempt. |
| |
| // When there is an estimated RTT available, the experimental TCP connect |
| // attempt timeout is calculated as: |
| // |
| // clamp(kTimeoutTcpConnectAttemptMin, |
| // kTimeoutTcpConnectAttemptMax, |
| // <Estimated RTT> * kTimeoutTcpConnectAttemptRTTMultiplier); |
| // |
| // Otherwise the TCP connect attempt timeout is set to |
| // kTimeoutTcpConnectAttemptMax. |
| NET_EXPORT extern const base::FeatureParam<double> |
| kTimeoutTcpConnectAttemptRTTMultiplier; |
| NET_EXPORT extern const base::FeatureParam<base::TimeDelta> |
| kTimeoutTcpConnectAttemptMin; |
| NET_EXPORT extern const base::FeatureParam<base::TimeDelta> |
| kTimeoutTcpConnectAttemptMax; |
| |
| // Enables usage of First Party Sets to determine cookie availability. |
| NET_EXPORT extern const base::Feature kFirstPartySets; |
| |
| // Controls whether the client is considered a dogfooder for the FirstPartySets |
| // feature. |
| NET_EXPORT extern const base::FeatureParam<bool> kFirstPartySetsIsDogfooder; |
| |
| } // namespace features |
| } // namespace net |
| |
| #endif // NET_BASE_FEATURES_H_ |