
Issue 650327


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




TransportSecurityState violation reports do not include a Content-Type header

Project Member Reported by est...@chromium.org, Sep 26 2016

Issue description

TransportSecurityState sends JSON violation reports for HPKP and Expect-Staple that do not include a Content-Type header. This is inconvenient for report collection servers which check the Content-Type of incoming requests before logging them. Seems like Chrome should probably set a Content-Type header of application/json on these reports.
 

Comment 1 by est...@chromium.org, Sep 28 2016

Status: Fixed (was: Assigned)
Not sure why the commit didn't get picked up automatically, but the fix for this landed in https://codereview.chromium.org/2365353004/.

Comment 2 by bugdroid1@chromium.org, Sep 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b1716e2e3830aa031dc335b0403913efadb199dd

commit b1716e2e3830aa031dc335b0403913efadb199dd
Author: estark <estark@chromium.org>
Date: Wed Sep 28 06:03:44 2016

Add Content-Type header to net::ReportSender reports

Two sites that are opted into OCSP Expect-Staple reporting
(www.dropbox.com, www.caddyserver.com) reported that they were receiving
reports from Chrome with empty request bodies. This turned out to be
their logging code not handling requests with no Content-Type
header. When TransportSecurityState sends JSON violation reports for
HPKP and Expect-Staple, it ought to be sending a Content-Type header of
application/json. Thus, this CL adds a |content_type| parameter to
net::ReportSender::Send() and updates the users of net::ReportSender
(including TransportSecurityState) to set |content_type| appropriately.

BUG= 650327 

Review-Url: https://codereview.chromium.org/2365353004
Cr-Commit-Position: refs/heads/master@{#421459}

[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/chrome/browser/safe_browsing/mock_permission_report_sender.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/chrome/browser/safe_browsing/mock_permission_report_sender.h
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/chrome/browser/safe_browsing/permission_reporter.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/chrome/browser/safe_browsing/permission_reporter_unittest.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/components/certificate_reporting/error_reporter.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/components/certificate_reporting/error_reporter_unittest.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/http/transport_security_state.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/http/transport_security_state.h
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/url_request/report_sender.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/url_request/report_sender.h
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/url_request/report_sender_unittest.cc
[modify] https://crrev.com/b1716e2e3830aa031dc335b0403913efadb199dd/net/url_request/url_request_unittest.cc
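
The collector-side failure described in this issue (a missing Content-Type being logged as an empty body) can be avoided by parsing the bytes regardless and recording that the header was absent. The sketch below is an added example, not code from Chromium or from the sites named above; `ingest_report`, `media_type`, the size cap and the sample report are assumptions made for illustration.

```python
import json

MAX_BODY = 64 * 1024  # assumed cap; violation reports are small JSON documents
ACCEPTED_TYPES = {"application/json"}  # what Chrome sends after the fix


def media_type(headers):
    """Return the lower-cased media type without parameters, or None if absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() or None
    return None


def ingest_report(headers, body):
    """Classify one POSTed report: returns (http_status, report_or_None, note)."""
    if len(body) > MAX_BODY:
        return 413, None, "body too large"
    ctype = media_type(headers)
    if ctype is not None and ctype not in ACCEPTED_TYPES:
        return 415, None, "unsupported content type: " + ctype
    # A missing header (pre-fix Chrome) is not treated as an empty body:
    # the bytes are still parsed, and the absence is recorded for triage.
    note = "ok" if ctype else "no content-type header; parsed body as JSON"
    try:
        report = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, None, "body is not valid UTF-8 JSON"
    if not isinstance(report, dict):
        return 400, None, "report must be a JSON object"
    return 204, report, note


# Constructed sample body using field names from the HPKP report format (RFC 7469).
SAMPLE = json.dumps({"hostname": "www.example.com", "port": 443,
                     "date-time": "2016-09-26T12:00:00Z"}).encode()

if __name__ == "__main__":
    for hdrs in ({}, {"Content-Type": "application/json; charset=utf-8"},
                 {"content-type": "text/plain"}):
        status, report, note = ingest_report(hdrs, SAMPLE)
        print(status, note, report.get("hostname") if report else None)
```

Keeping the "no content-type header" note in the log lets an operator tell older clients apart from malformed submissions instead of silently dropping either.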

Comment 3 by est...@chromium.org, Sep 30 2016

Labels: Merge-Request-54
Requesting a merge to M54 for the commit in Comment 2. This has been on Canary for ~24 hours and I verified the fix.

Comment 4 by dimu@chromium.org, Sep 30 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)

Comment 5 by bugdroid1@chromium.org, Sep 30 2016

Labels: -merge-approved-54 merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe

commit 61b52dfd2e3ee00f90c06ddb536139095bbb4cbe
Author: Emily Stark <estark@google.com>
Date: Fri Sep 30 15:41:09 2016

Add Content-Type header to net::ReportSender reports

Two sites that are opted into OCSP Expect-Staple reporting
(www.dropbox.com, www.caddyserver.com) reported that they were receiving
reports from Chrome with empty request bodies. This turned out to be
their logging code not handling requests with no Content-Type
header. When TransportSecurityState sends JSON violation reports for
HPKP and Expect-Staple, it ought to be sending a Content-Type header of
application/json. Thus, this CL adds a |content_type| parameter to
net::ReportSender::Send() and updates the users of net::ReportSender
(including TransportSecurityState) to set |content_type| appropriately.

BUG= 650327 

Review-Url: https://codereview.chromium.org/2365353004
Cr-Commit-Position: refs/heads/master@{#421459}
(cherry picked from commit b1716e2e3830aa031dc335b0403913efadb199dd)

Review URL: https://codereview.chromium.org/2374253010 .

Cr-Commit-Position: refs/branch-heads/2840@{#600}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/chrome/browser/safe_browsing/mock_permission_report_sender.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/chrome/browser/safe_browsing/mock_permission_report_sender.h
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/chrome/browser/safe_browsing/permission_reporter.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/chrome/browser/safe_browsing/permission_reporter_unittest.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/components/certificate_reporting/error_reporter.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/components/certificate_reporting/error_reporter_unittest.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/http/transport_security_state.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/http/transport_security_state.h
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/url_request/report_sender.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/url_request/report_sender.h
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/url_request/report_sender_unittest.cc
[modify] https://crrev.com/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe/net/url_request/url_request_unittest.cc


Comment 6 by bugdroid1@chromium.org, Oct 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/61b52dfd2e3ee00f90c06ddb536139095bbb4cbe

