New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 598123 link

Starred by 6 users
Status: Duplicate
Merged: issue 628819
Owner: ----
Closed: Sep 2017
Cc:
rdevlin....@chromium.org
lgar...@chromium.org
est...@chromium.org
rsleevi@chromium.org
palmer@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature



Sign in to add a comment

Expose TLS version for HTTP requests to extensions

Reported by alex.gay...@gmail.com, Mar 26 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.108 Safari/537.36

Example URL:

Steps to reproduce the problem:
(This isn't a bug, it's a feature request)

What is the expected behavior?

What went wrong?
Currently using the webRequest entrypoint, it's possible for extensions to instrument various parts of an HTTP request, however there's no way to obtain TLS-level metadata for HTTPS requests.

This issue is requesting that metadata, specifically negotiated TLS version, be exposed, either on a per-request basis or a per-connection basis (all extensions are currently per-request, so it probably make sense to add it there, even though this is a per-connection parameter) to extensions.

One point of complexity is that there are other encrypted protocols, specifically QUIC and DTLS (used for WebRTC), so perhaps encryptedProtocolVersion with "TLS1.0", "TLS1.2", "QUIC<x>", "DTLS1.1" values would provide better flexibility.

Did this work before? No 

Chrome version: 49.0.2623.108  Channel: stable
OS Version: OS X 10.11.4
Flash Version: Shockwave Flash 21.0 r0

Comment 1 by davidben@chromium.org, Mar 26 2016

Components: -Internals>Network Platform>Extensions>API Internals>Network>SSL
Labels: -Type-Bug -OS-Mac OS-All Type-Feature
Status: Untriaged (was: Unconfirmed)

Comment 2 by rsleevi@chromium.org, Mar 26 2016

Cc: lgar...@chromium.org est...@chromium.org
There's definitely been interest in exposing HTTPS-related metadata to webRequest, as part of extending the HAR format, in the same manner that request/response headers are exposed.

Further, there's been interest in adding a distinct intermediate event between onSendHeaders and onHeadersReceived (or the asynchronous, non-cancelling onResponseStarted), which would execute when a socket had been assigned to the request (since we perform late-binding of sockets), but before the request itself had been written. For example, this would allow the blocking of particular Certificate Authorities, or the enforcement of additional trust mechanisms (without allowing extensions to override distrust)

I had closed out some of the older bugs because they became too muddled, but overall, I'm supportive of this, and think that Emily & Lucas' work on the Security Panel / DevTools would facilitate exposing more of this to the renderer.

There's some new privacy risks here, but they may already be subsumed into the overall risk of the webRequest API. However, care must be taken, given <webview>'s exposure of webRequest, to make sure we've got everything balanced.

Comment 3 by alex.gay...@gmail.com, Mar 27 2016 

Ryan, to make I follow, would you want to tie this together with a new "onSocketAllocated" event and expose this information only there?

Comment 4 by rsleevi@chromium.org, Mar 27 2016 

No

Comment 5 by asargent@chromium.org, Jul 22 2016

Status: Available (was: Untriaged)
Marking as Available to get out of our triage queue (I don't think anyone on the extensions team proper would be implementing this, but if net folks are supportive we'd be happy to have them or someone else contribute a patch).

Comment 6 by alex.gay...@gmail.com, Jul 23 2016 

If you have a suggestion for where in the code builds the JS object that's passed to the callback, I might take a pass at figuring this out (no promises though).

Comment 7 by rsleevi@chromium.org, Jul 23 2016 

The closest approximation is https://cs.chromium.org/chromium/src/extensions/browser/api/web_request/web_request_api.cc?rcl=0&l=724

That's after the connection is made (onSendHeaders is before), but also after the header information is received.

The JS object is constructed at https://cs.chromium.org/chromium/src/extensions/browser/api/web_request/web_request_event_details.h?rcl=1469215596&l=25
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 24 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by rdevlin....@chromium.org, Sep 22 2017

Cc: palmer@chromium.org rdevlin....@chromium.org rsleevi@chromium.org
palmer@/rsleevi@, can we dupe this into Roland's work on issue 628819?

Comment 10 by davidben@chromium.org, Sep 22 2017

Mergedinto: 628819
Status: Duplicate (was: Untriaged)

Sign in to add a comment