Issue 679012


Issue metadata

Status: Assigned
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Task




Expect-CT HTTP header

Project Member Reported by est...@chromium.org, Jan 6 2017

Issue description

Change description:
Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, it is requesting that Chrome check that any certificate for that site appears in public CT logs.

Changes to API surface:
New 'Expect-CT' HTTP header

Links:
https://datatracker.ietf.org/doc/draft-stark-expect-ct/

Public standards discussion:
https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0695.html
https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0582.html
https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0427.html
https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0549.html

Support in other browsers:
Internet Explorer: none
Firefox: plans to implement
Safari: none

 
Components: Internals>Network>DomainSecurityPolicy
Project Member

Comment 2 by bugdroid1@chromium.org, Apr 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2cf091d5d77a9d4d5451a010c2fd90442b57345e

commit 2cf091d5d77a9d4d5451a010c2fd90442b57345e
Author: estark <estark@chromium.org>
Date: Tue Apr 18 00:30:08 2017

Store dynamic Expect-CT state

This CL begins to implement the Expect-CT HTTP header (draft spec at
https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-00). It adds:

- a map to TransportSecurityState to track dynamically enabled Expect-CT
  hosts, mirroring how dynamic HPKP and HSTS state is stored.
- corresponding TransportSecurityState methods for adding, updating,
  and retrieving dynamic Expect-CT state.
- fields to the pre-existing TransportSecurityState::ExpectCTState struct
  needed to implement the spec (in particular, an |enforce| boolean and
  dates for implementing max-age). The ExpectCTState struct has up
  until now only been used for implementing Chrome's experimental
  preload-list-only version of Expect-CT, which is report-only and does
  not have an enforcement mode, nor a dynamic version.

(I2I at https://groups.google.com/a/chromium.org/d/msg/blink-dev/tgn5R-58iek/Q6YCnu0RFQAJ)

BUG=679012

Review-Url: https://codereview.chromium.org/2747173005
Cr-Commit-Position: refs/heads/master@{#465077}

[modify] https://crrev.com/2cf091d5d77a9d4d5451a010c2fd90442b57345e/net/http/transport_security_state.cc
[modify] https://crrev.com/2cf091d5d77a9d4d5451a010c2fd90442b57345e/net/http/transport_security_state.h
[modify] https://crrev.com/2cf091d5d77a9d4d5451a010c2fd90442b57345e/net/http/transport_security_state_unittest.cc

Project Member

Comment 3 by bugdroid1@chromium.org, Apr 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a368232f23a0dc98b909bdc424e11f794a8364e6

commit a368232f23a0dc98b909bdc424e11f794a8364e6
Author: estark <estark@chromium.org>
Date: Wed Apr 19 00:33:56 2017

Serialize and deserialize dynamic Expect-CT state

This CL serializes/deserializes dynamic Expect-CT state in
TransportSecurityPersister. This is a step in the implementation of the draft
Expect-CT HTTP header
(https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-00).

BUG=679012

Review-Url: https://codereview.chromium.org/2751803002
Cr-Commit-Position: refs/heads/master@{#465436}

[modify] https://crrev.com/a368232f23a0dc98b909bdc424e11f794a8364e6/net/http/transport_security_persister.cc
[modify] https://crrev.com/a368232f23a0dc98b909bdc424e11f794a8364e6/net/http/transport_security_persister.h
[modify] https://crrev.com/a368232f23a0dc98b909bdc424e11f794a8364e6/net/http/transport_security_persister_unittest.cc

Project Member

Comment 4 by bugdroid1@chromium.org, Apr 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa

commit a57e81656f11b9ec7de47d3fdbe8aa297311b5fa
Author: estark <estark@chromium.org>
Date: Fri Apr 21 18:01:05 2017

Add Expect-CT header parsing

This CL implements parsing of the Expect-CT HTTP header (draft spec at
https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-00).

BUG=679012

Review-Url: https://codereview.chromium.org/2753703002
Cr-Commit-Position: refs/heads/master@{#466386}

[modify] https://crrev.com/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa/net/BUILD.gn
[modify] https://crrev.com/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa/net/data/fuzzer_dictionaries/net_http_security_headers_fuzzer.dict
[modify] https://crrev.com/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa/net/http/http_security_headers.cc
[modify] https://crrev.com/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa/net/http/http_security_headers.h
[add] https://crrev.com/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa/net/http/http_security_headers_expect_ct_fuzzer.cc
[modify] https://crrev.com/a57e81656f11b9ec7de47d3fdbe8aa297311b5fa/net/http/http_security_headers_unittest.cc

Project Member

Comment 5 by bugdroid1@chromium.org, Apr 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ee03de14cb653c1e21ea4df5499a9fc183d9a921

commit ee03de14cb653c1e21ea4df5499a9fc183d9a921
Author: estark <estark@chromium.org>
Date: Thu Apr 27 02:35:40 2017

Process Expect-CT HTTP header

This CL processes the Expect-CT header when received on HTTP
responses. TransportSecurityState parses the header and, if valid and received
on a compliant connection, stores the Expect-CT state for the current host. (If
valid but received on a non-compliant connection, the header information is not
stored but a report is sent to alert the site owner of the misconfiguration.) A
follow-up CL will check the dynamic Expect-CT state on connection setup.

BUG=679012

Review-Url: https://codereview.chromium.org/2774763005
Cr-Commit-Position: refs/heads/master@{#467555}

[modify] https://crrev.com/ee03de14cb653c1e21ea4df5499a9fc183d9a921/net/http/transport_security_state.cc
[modify] https://crrev.com/ee03de14cb653c1e21ea4df5499a9fc183d9a921/net/http/transport_security_state.h
[modify] https://crrev.com/ee03de14cb653c1e21ea4df5499a9fc183d9a921/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/ee03de14cb653c1e21ea4df5499a9fc183d9a921/tools/metrics/histograms/histograms.xml

Project Member

Comment 6 by bugdroid1@chromium.org, May 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bf1b5296ef441a71980bd48279c4442cb53957fd

commit bf1b5296ef441a71980bd48279c4442cb53957fd
Author: estark <estark@chromium.org>
Date: Fri May 05 17:05:25 2017

Check Expect-CT at connection setup

This CL adds an Expect-CT check to ShouldRequireCT(), with an option to send
reports if the host is configured with Expect-CT.

This CL is missing a test for ProofVerifierChromium, which I'm omitting because
all the tests for that file are mysteriously disabled and I'm not sure why.

BUG=679012

Review-Url: https://codereview.chromium.org/2850033002
Cr-Commit-Position: refs/heads/master@{#469686}

[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/chrome/browser/ssl/chrome_expect_ct_reporter.h
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/http/transport_security_state.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/http/transport_security_state.h
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/quic/chromium/crypto/proof_verifier_chromium.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/spdy/chromium/spdy_session.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/spdy/chromium/spdy_session_unittest.cc
[modify] https://crrev.com/bf1b5296ef441a71980bd48279c4442cb53957fd/net/url_request/url_request_unittest.cc

Project Member

Comment 7 by bugdroid1@chromium.org, May 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8ed543597520a61e2b12d8ed6fef02e97171a5d6

commit 8ed543597520a61e2b12d8ed6fef02e97171a5d6
Author: estark <estark@chromium.org>
Date: Tue May 23 17:35:34 2017

Do not require Expect-CT report-uris to be quoted

Requiring quoted URLs was cargo-culted from the HPKP implementation. The HPKP
spec does not actually say that report-uris must be quoted -- it's simply that
all the examples quote them. So it's possibly a bug that Chrome's HPKP implementation
requires quoted report-uris. The Expect-CT spec doesn't say anything about quoting
report-uris nor do I see a reason that it should, so Chrome's implementation shouldn't
require them.

BUG=679012

Review-Url: https://codereview.chromium.org/2895373002
Cr-Commit-Position: refs/heads/master@{#473959}

[modify] https://crrev.com/8ed543597520a61e2b12d8ed6fef02e97171a5d6/net/http/http_security_headers.cc
[modify] https://crrev.com/8ed543597520a61e2b12d8ed6fef02e97171a5d6/net/http/http_security_headers_unittest.cc
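A parser with the header semantics these commits describe (Comment 4's parsing, Comment 7's acceptance of unquoted report-uris), written here as an added example and not Chrome's http_security_headers.cc: directives are comma-separated and case-insensitive, max-age is the one mandatory directive, enforce takes no value, report-uri may be a token or a quoted-string, unknown directives are ignored, and a repeated directive is treated as a parse error (the HSTS convention, assumed here rather than taken from the page).

```python
"""Parse an Expect-CT header value (added example; not Chrome's http_security_headers.cc)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

DELTA_SECONDS = re.compile(r"[0-9]+")   # max-age = delta-seconds = 1*DIGIT


@dataclass(frozen=True)
class ExpectCT:
    max_age: int                 # seconds the UA should remember the host for
    enforce: bool                # True: fail connections whose certificate lacks valid SCTs
    report_uri: Optional[str]    # where to POST Expect-CT reports, if given


def _split_list(value: str) -> List[str]:
    """Split a comma-separated header list, leaving commas inside quoted-strings alone."""
    items: List[str] = []
    buf: List[str] = []
    quoted = escaped = False
    for ch in value:
        if quoted:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                quoted = False
        elif ch == ",":
            items.append("".join(buf))
            buf = []
        else:
            quoted = ch == '"'
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted-string")
    items.append("".join(buf))
    return items


def _unquote(raw: str) -> str:
    """Accept a token or an RFC 7230 quoted-string; a report-uri need not be quoted."""
    if raw.startswith('"'):
        if len(raw) < 2 or not raw.endswith('"'):
            raise ValueError("malformed quoted-string")
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo quoted-pair escapes
    return raw


def parse_expect_ct(header_value: str) -> Optional[ExpectCT]:
    """Return the directives, or None when the header is invalid and must be ignored."""
    try:
        items = _split_list(header_value)
    except ValueError:
        return None
    seen: Set[str] = set()
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    for item in items:
        item = item.strip()
        if not item:                        # empty list elements are tolerated
            continue
        name, has_value, raw = item.partition("=")
        name = name.strip().lower()         # directive names are case-insensitive
        if name in seen:                    # a repeated directive invalidates the header
            return None
        seen.add(name)
        try:
            value = _unquote(raw.strip()) if has_value else None
        except ValueError:
            return None
        if name == "max-age":
            if value is None or not DELTA_SECONDS.fullmatch(value):
                return None
            max_age = int(value)
        elif name == "enforce":
            if value is not None:           # enforce is a bare flag
                return None
            enforce = True
        elif name == "report-uri":
            if not value or "://" not in value:
                return None
            report_uri = value
        # any other directive is ignored so new directives can be added later
    if max_age is None:                     # max-age is the one mandatory directive
        return None
    return ExpectCT(max_age, enforce, report_uri)


if __name__ == "__main__":
    for hdr in ('max-age=86400, enforce, report-uri="https://ct.example.test/report"',
                "max-age=0, report-uri=https://ct.example.test/report",
                "enforce"):
        print(repr(hdr), "->", parse_expect_ct(hdr))
```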

Project Member

Comment 8 by bugdroid1@chromium.org, May 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6952c722b2c48bcc634950d6cbf171083b1fea53

commit 6952c722b2c48bcc634950d6cbf171083b1fea53
Author: estark <estark@chromium.org>
Date: Fri May 26 05:39:15 2017

Do not send repeated Expect-CT reports to the same host+port

To avoid duplicate reports, this CL adds an ExpiringCache, keyed by
request hostname+port, to not send repeated Expect-CT reports.

As noted in a comment, it's possible that the same host+port could generate
legitimately different Expect-CT reports and it could be useful for the server
operator to receive both of them. However, this seems unlikely to happen in
practice. In a future refactor in which we move the Expect-CT reporting code
into //net, it would be easier to use more of the report contents as the cache
key (so that meaningfully different reports would not share a cache key), but
keying by host+port should suffice for now.

BUG=679012

Review-Url: https://codereview.chromium.org/2901183002
Cr-Commit-Position: refs/heads/master@{#474927}

[modify] https://crrev.com/6952c722b2c48bcc634950d6cbf171083b1fea53/net/http/transport_security_state.cc
[modify] https://crrev.com/6952c722b2c48bcc634950d6cbf171083b1fea53/net/http/transport_security_state.h
[modify] https://crrev.com/6952c722b2c48bcc634950d6cbf171083b1fea53/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/6952c722b2c48bcc634950d6cbf171083b1fea53/net/socket/ssl_client_socket_unittest.cc
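The behaviour Comments 5, 6 and 8 describe, as an added example that is not Chrome's TransportSecurityState: a valid header over a non-compliant connection is reported but not stored, stored state carries an expiry computed from max-age and is consulted at connection setup, and a small expiring cache keyed by host+port suppresses repeated reports. The parsed directives are modelled by a minimal ExpectCT dataclass; times are plain numbers so the expiry logic can be exercised without a clock; treating max-age=0 as a removal is an assumption borrowed from HSTS.

```python
"""Dynamic Expect-CT state and report de-duplication (added example, not Chrome's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExpectCT:                  # the parsed header directives
    max_age: int
    enforce: bool
    report_uri: Optional[str]


@dataclass
class ExpectCTState:             # what is remembered per host
    enforce: bool
    report_uri: Optional[str]
    expiry: float                # absolute time: observed + max-age


class ExpectCTStore:
    def __init__(self, report_cache_ttl: float = 3600.0):
        self._hosts: Dict[str, ExpectCTState] = {}
        # ExpiringCache stand-in: (host, port) -> time until which further reports are dropped
        self._reported: Dict[Tuple[str, int], float] = {}
        self._ttl = report_cache_ttl
        self.sent_reports: List[Tuple[str, int, str]] = []   # (host, port, report_uri)

    def process_header(self, host: str, port: int, hdr: ExpectCT,
                       connection_compliant: bool, now: float) -> None:
        """Handle a valid Expect-CT header received from host:port at time `now`."""
        if not connection_compliant:
            # The header arrived over a connection that itself lacks valid SCTs:
            # do not remember it, but tell the operator about the misconfiguration.
            self._maybe_report(host, port, hdr.report_uri, now)
            return
        if hdr.max_age == 0:                   # assumed: max-age=0 clears the host, as in HSTS
            self._hosts.pop(host, None)
            return
        self._hosts[host] = ExpectCTState(hdr.enforce, hdr.report_uri, now + hdr.max_age)

    def lookup(self, host: str, now: float) -> Tuple[bool, Optional[str]]:
        """Return (enforce, report_uri) for a remembered host, dropping expired state."""
        state = self._hosts.get(host)
        if state is None:
            return False, None
        if state.expiry <= now:
            del self._hosts[host]
            return False, None
        return state.enforce, state.report_uri

    def check_connection(self, host: str, port: int, ct_compliant: bool, now: float) -> bool:
        """Connection-setup check: True lets the connection proceed, False fails it."""
        enforce, report_uri = self.lookup(host, now)
        if ct_compliant:
            return True
        if report_uri is not None:             # report-only and enforce hosts both report
            self._maybe_report(host, port, report_uri, now)
        return not enforce

    def _maybe_report(self, host: str, port: int, report_uri: Optional[str], now: float) -> bool:
        """Send at most one report per host+port per TTL window; True if a report went out."""
        if report_uri is None:
            return False
        # opportunistic pruning so the cache does not grow without bound
        self._reported = {k: v for k, v in self._reported.items() if v > now}
        key = (host, port)
        if key in self._reported:
            return False
        self._reported[key] = now + self._ttl
        self.sent_reports.append((host, port, report_uri))   # stand-in for the HTTP POST
        return True
```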

Project Member

Comment 9 by bugdroid1@chromium.org, Jun 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ae028b467bda4a4adcc64de62d47d44ff3920524

commit ae028b467bda4a4adcc64de62d47d44ff3920524
Author: estark <estark@chromium.org>
Date: Tue Jun 20 23:25:01 2017

Add effective-expiration-date to Expect-CT reports

This CL sends the Expect-CT expiration into the reporter, to include in the
report as key "effective-expiration-date".

http://httpwg.org/http-extensions/expect-ct.html#rfc.section.3.1

BUG=679012

Review-Url: https://codereview.chromium.org/2944953002
Cr-Commit-Position: refs/heads/master@{#481022}

[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/chrome/browser/ssl/chrome_expect_ct_reporter.h
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/net/http/transport_security_state.cc
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/net/http/transport_security_state.h
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/ae028b467bda4a4adcc64de62d47d44ff3920524/net/url_request/url_request_unittest.cc

Project Member

Comment 10 by bugdroid1@chromium.org, Jun 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/19bd384f656790e8e409086b5b97a53b3a6f5921

commit 19bd384f656790e8e409086b5b97a53b3a6f5921
Author: estark <estark@chromium.org>
Date: Wed Jun 28 06:36:30 2017

Update SCT serialization and other format details in Expect-CT reports

This adds a net::ct::EncodeSignedCertificateTimestamp function alongside the
existing CT serialization functions, and uses it to properly encode SCTs in
Expect-CT reports.

The relevant spec change is
https://github.com/httpwg/http-extensions/commit/20c5cfd5ef5b630e142b3251ecafc004ad8f2092,
though it hasn't made it into a published draft yet. Before, we were including a
JSON object containing a subset of information from the SCT based on the source of
the SCT, but that was deemed unnecessary and now the spec just says to include a
standard serialization of the SCT.

The other report format changes made to bring the implementation in line with the
spec are:
- Shortening the 'origin' string values
- Wrapping the report in a JSON dictionary with a single 'expect-ct-report' key

BUG=679012

Review-Url: https://codereview.chromium.org/2959593002
Cr-Commit-Position: refs/heads/master@{#482905}

[modify] https://crrev.com/19bd384f656790e8e409086b5b97a53b3a6f5921/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/19bd384f656790e8e409086b5b97a53b3a6f5921/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/19bd384f656790e8e409086b5b97a53b3a6f5921/net/cert/ct_serialization.cc
[modify] https://crrev.com/19bd384f656790e8e409086b5b97a53b3a6f5921/net/cert/ct_serialization.h
[modify] https://crrev.com/19bd384f656790e8e409086b5b97a53b3a6f5921/net/cert/ct_serialization_unittest.cc
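The report format this CL settles on (an 'expect-ct-report' envelope whose 'scts' entries carry the standard serialization of each SCT) can be checked on the collector side. The following is an added example, not Chromium's net::ct code; it decodes the RFC 6962 section 3.2 TLS encoding of a SignedCertificateTimestamp with every length bounds-checked, and the 'scts'/'serialized_sct' key names and all sample values are assumptions or constructed.

```python
"""Decode the SCTs that an Expect-CT report carries once it is wrapped in the
'expect-ct-report' envelope. The SCT bytes follow the TLS encoding of
SignedCertificateTimestamp from RFC 6962 section 3.2. Added example, not
Chromium's net::ct code; the report's 'scts'/'serialized_sct' key names and the
sample values are assumptions/constructed."""
import base64
import json
import struct

HASH_ALGS = {4: "sha256"}          # TLS HashAlgorithm code points
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm code points


def encode_sct(log_id, timestamp_ms, signature, extensions=b"",
               hash_alg=4, sig_alg=3):
    """Serialize an SCT v1: version || log_id || timestamp || extensions || digitally-signed."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature))
            + signature)


def parse_sct(raw):
    """Inverse of encode_sct; every length is bounds-checked so a truncated or
    over-long blob raises ValueError instead of reading past the buffer."""
    if len(raw) < 43:
        raise ValueError("SCT too short for fixed header")
    version = raw[0]
    if version != 0:  # v1 is the only version RFC 6962 defines
        raise ValueError("unsupported SCT version %d" % version)
    log_id = raw[1:33]
    (timestamp_ms,) = struct.unpack(">Q", raw[33:41])
    (ext_len,) = struct.unpack(">H", raw[41:43])
    pos = 43 + ext_len
    if len(raw) < pos + 4:
        raise ValueError("SCT truncated in extensions or signature header")
    extensions = raw[43:pos]
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    (sig_len,) = struct.unpack(">H", raw[pos + 2:pos + 4])
    pos += 4
    if len(raw) != pos + sig_len:
        raise ValueError("SCT signature length does not match blob length")
    return {"version": version, "log_id": log_id.hex(), "timestamp_ms": timestamp_ms,
            "extensions": extensions, "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
            "sig_alg": SIG_ALGS.get(sig_alg, sig_alg), "signature": raw[pos:]}


def is_malformed(raw):
    """True when parse_sct rejects the blob (helper for tests)."""
    try:
        parse_sct(raw)
    except ValueError:
        return True
    return False


def unwrap_report(body):
    """Unwrap the 'expect-ct-report' envelope and decode each serialized SCT."""
    doc = json.loads(body)
    report = doc.get("expect-ct-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'expect-ct-report' envelope")
    if "effective-expiration-date" not in report:
        raise ValueError("missing 'effective-expiration-date'")
    return [parse_sct(base64.b64decode(s["serialized_sct"], validate=True))
            for s in report.get("scts", [])]


# Constructed sample: a fake log id, a 2017 timestamp and a dummy ECDSA signature.
SAMPLE_SCT = encode_sct(b"\xab" * 32, 1498608000000,
                        b"\x30\x06\x02\x01\x01\x02\x01\x02")
SAMPLE_REPORT = json.dumps({"expect-ct-report": {
    "hostname": "expect-ct.example", "port": 443,
    "effective-expiration-date": "2017-07-28T00:00:00Z",
    "scts": [{"version": 1, "status": "unknown", "source": "embedded",
              "serialized_sct": base64.b64encode(SAMPLE_SCT).decode()}]}})

if __name__ == "__main__":
    for sct in unwrap_report(SAMPLE_REPORT):
        print(sct["log_id"], sct["timestamp_ms"], sct["sig_alg"])
```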

Project Member

Comment 11 by bugdroid1@chromium.org, Jun 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8af690d4cd89e0e402d08ce8e4f078acf862a317

commit 8af690d4cd89e0e402d08ce8e4f078acf862a317
Author: engedy <engedy@chromium.org>
Date: Wed Jun 28 09:22:57 2017

Revert of Update SCT serialization format in Expect-CT reports (patchset #3 id:40001 of https://codereview.chromium.org/2959593002/ )

Reason for revert:
Heap-buffer-overflow on Chromium OS ASAN builders during ChromeExpectCTReporterTest.SendReport.

Please see comments on revert CL for more detail.

Original issue's description:
> Update SCT serialization and other format details in Expect-CT reports
>
> This adds a net::ct::EncodeSignedCertificateTimestamp function alongside the
> existing CT serialization functions, and uses it to properly encode SCTs in
> Expect-CT reports.
>
> The relevant spec change is
> https://github.com/httpwg/http-extensions/commit/20c5cfd5ef5b630e142b3251ecafc004ad8f2092,
> though it hasn't made it into a published draft yet. Before, we were including a
> JSON object containing a subset of information from the SCT based on the source of
> the SCT, but that was deemed unnecessary and now the spec just says to include a
> standard serialization of the SCT.
>
> The other report format changes made to bring the implementation in line with the
> spec are:
> - Shortening the 'origin' string values
> - Wrapping the report in a JSON dictionary with a single 'expect-ct-report' key
>
> BUG=679012
>
> Review-Url: https://codereview.chromium.org/2959593002
> Cr-Commit-Position: refs/heads/master@{#482905}
> Committed: https://chromium.googlesource.com/chromium/src/+/19bd384f656790e8e409086b5b97a53b3a6f5921

TBR=mattm@chromium.org,estark@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=679012

Review-Url: https://codereview.chromium.org/2960163002
Cr-Commit-Position: refs/heads/master@{#482924}

[modify] https://crrev.com/8af690d4cd89e0e402d08ce8e4f078acf862a317/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/8af690d4cd89e0e402d08ce8e4f078acf862a317/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/8af690d4cd89e0e402d08ce8e4f078acf862a317/net/cert/ct_serialization.cc
[modify] https://crrev.com/8af690d4cd89e0e402d08ce8e4f078acf862a317/net/cert/ct_serialization.h
[modify] https://crrev.com/8af690d4cd89e0e402d08ce8e4f078acf862a317/net/cert/ct_serialization_unittest.cc

Project Member

Comment 12 by bugdroid1@chromium.org, Jun 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/03b29e1fbf80c616d6aaff6201ee8771f4df986b

commit 03b29e1fbf80c616d6aaff6201ee8771f4df986b
Author: estark <estark@chromium.org>
Date: Wed Jun 28 18:26:45 2017

Reland of Update SCT serialization format in Expect-CT reports (patchset #1 id:1 of https://codereview.chromium.org/2960163002/ )

Reason for revert:
Fixing buffer overflow in test code

Original issue's description:
> Revert of Update SCT serialization format in Expect-CT reports (patchset #3 id:40001 of https://codereview.chromium.org/2959593002/ )
>
> Reason for revert:
> Heap-buffer-overflow on Chromium OS ASAN builders during ChromeExpectCTReporterTest.SendReport.
>
> Please see comments on revert CL for more detail.
>
> Original issue's description:
> > Update SCT serialization and other format details in Expect-CT reports
> >
> > This adds a net::ct::EncodeSignedCertificateTimestamp function alongside the
> > existing CT serialization functions, and uses it to properly encode SCTs in
> > Expect-CT reports.
> >
> > The relevant spec change is
> > https://github.com/httpwg/http-extensions/commit/20c5cfd5ef5b630e142b3251ecafc004ad8f2092,
> > though it hasn't made it into a published draft yet. Before, we were including a
> > JSON object containing a subset of information from the SCT based on the source of
> > the SCT, but that was deemed unnecessary and now the spec just says to include a
> > standard serialization of the SCT.
> >
> > The other report format changes made to bring the implementation in line with the
> > spec are:
> > - Shortening the 'origin' string values
> > - Wrapping the report in a JSON dictionary with a single 'expect-ct-report' key
> >
> > BUG=679012
> >
> > Review-Url: https://codereview.chromium.org/2959593002
> > Cr-Commit-Position: refs/heads/master@{#482905}
> > Committed: https://chromium.googlesource.com/chromium/src/+/19bd384f656790e8e409086b5b97a53b3a6f5921
>
> TBR=mattm@chromium.org,estark@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=679012
>
> Review-Url: https://codereview.chromium.org/2960163002
> Cr-Commit-Position: refs/heads/master@{#482924}
> Committed: https://chromium.googlesource.com/chromium/src/+/8af690d4cd89e0e402d08ce8e4f078acf862a317

TBR=mattm@chromium.org,engedy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=679012

Review-Url: https://codereview.chromium.org/2960183003
Cr-Commit-Position: refs/heads/master@{#483070}

[modify] https://crrev.com/03b29e1fbf80c616d6aaff6201ee8771f4df986b/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/03b29e1fbf80c616d6aaff6201ee8771f4df986b/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/03b29e1fbf80c616d6aaff6201ee8771f4df986b/net/cert/ct_serialization.cc
[modify] https://crrev.com/03b29e1fbf80c616d6aaff6201ee8771f4df986b/net/cert/ct_serialization.h
[modify] https://crrev.com/03b29e1fbf80c616d6aaff6201ee8771f4df986b/net/cert/ct_serialization_unittest.cc

Project Member

Comment 13 by bugdroid1@chromium.org, Jun 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3817bb935917d0215bab904c063c47cbe3db3142

commit 3817bb935917d0215bab904c063c47cbe3db3142
Author: engedy <engedy@chromium.org>
Date: Wed Jun 28 19:06:55 2017

Revert of Update SCT serialization format in Expect-CT reports (patchset #3 id:180001 of https://codereview.chromium.org/2960183003/ )

Reason for revert:
Compile failure on Win builder.

Original issue's description:
> Reland of Update SCT serialization format in Expect-CT reports (patchset #1 id:1 of https://codereview.chromium.org/2960163002/ )
>
> Reason for revert:
> Fixing buffer overflow in test code
>
> Original issue's description:
> > Revert of Update SCT serialization format in Expect-CT reports (patchset #3 id:40001 of https://codereview.chromium.org/2959593002/ )
> >
> > Reason for revert:
> > Heap-buffer-overflow on Chromium OS ASAN builders during ChromeExpectCTReporterTest.SendReport.
> >
> > Please see comments on revert CL for more detail.
> >
> > Original issue's description:
> > > Update SCT serialization and other format details in Expect-CT reports
> > >
> > > This adds a net::ct::EncodeSignedCertificateTimestamp function alongside the
> > > existing CT serialization functions, and uses it to properly encode SCTs in
> > > Expect-CT reports.
> > >
> > > The relevant spec change is
> > > https://github.com/httpwg/http-extensions/commit/20c5cfd5ef5b630e142b3251ecafc004ad8f2092,
> > > though it hasn't made it into a published draft yet. Before, we were including a
> > > JSON object containing a subset of information from the SCT based on the source of
> > > the SCT, but that was deemed unnecessary and now the spec just says to include a
> > > standard serialization of the SCT.
> > >
> > > The other report format changes made to bring the implementation in line with the
> > > spec are:
> > > - Shortening the 'origin' string values
> > > - Wrapping the report in a JSON dictionary with a single 'expect-ct-report' key
> > >
> > > BUG=679012
> > >
> > > Review-Url: https://codereview.chromium.org/2959593002
> > > Cr-Commit-Position: refs/heads/master@{#482905}
> > > Committed: https://chromium.googlesource.com/chromium/src/+/19bd384f656790e8e409086b5b97a53b3a6f5921
> >
> > TBR=mattm@chromium.org,estark@chromium.org
> > # Skipping CQ checks because original CL landed less than 1 days ago.
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=679012
> >
> > Review-Url: https://codereview.chromium.org/2960163002
> > Cr-Commit-Position: refs/heads/master@{#482924}
> > Committed: https://chromium.googlesource.com/chromium/src/+/8af690d4cd89e0e402d08ce8e4f078acf862a317
>
> TBR=mattm@chromium.org,engedy@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=679012
>
> Review-Url: https://codereview.chromium.org/2960183003
> Cr-Commit-Position: refs/heads/master@{#483070}
> Committed: https://chromium.googlesource.com/chromium/src/+/03b29e1fbf80c616d6aaff6201ee8771f4df986b

TBR=mattm@chromium.org,estark@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=679012

Review-Url: https://codereview.chromium.org/2963783003
Cr-Commit-Position: refs/heads/master@{#483090}

[modify] https://crrev.com/3817bb935917d0215bab904c063c47cbe3db3142/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/3817bb935917d0215bab904c063c47cbe3db3142/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/3817bb935917d0215bab904c063c47cbe3db3142/net/cert/ct_serialization.cc
[modify] https://crrev.com/3817bb935917d0215bab904c063c47cbe3db3142/net/cert/ct_serialization.h
[modify] https://crrev.com/3817bb935917d0215bab904c063c47cbe3db3142/net/cert/ct_serialization_unittest.cc

Project Member

Comment 14 by bugdroid1@chromium.org, Jun 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1a6f723925d0a370035e5228803ca82b58577d46

commit 1a6f723925d0a370035e5228803ca82b58577d46
Author: estark <estark@chromium.org>
Date: Thu Jun 29 01:07:19 2017

Reland of Update SCT serialization format in Expect-CT reports (patchset #1 id:1 of https://codereview.chromium.org/2963783003/ )

Reason for revert:
Accidentally skipped CQ checks on the previous reland. Broke the build on Windows due to truncation of hex literal bytes.

Original issue's description:
> Revert of Update SCT serialization format in Expect-CT reports (patchset #3 id:180001 of https://codereview.chromium.org/2960183003/ )
>
> Reason for revert:
> Compile failure on Win builder.
>
> Original issue's description:
> > Reland of Update SCT serialization format in Expect-CT reports (patchset #1 id:1 of https://codereview.chromium.org/2960163002/ )
> >
> > Reason for revert:
> > Fixing buffer overflow in test code
> >
> > Original issue's description:
> > > Revert of Update SCT serialization format in Expect-CT reports (patchset #3 id:40001 of https://codereview.chromium.org/2959593002/ )
> > >
> > > Reason for revert:
> > > Heap-buffer-overflow on Chromium OS ASAN builders during ChromeExpectCTReporterTest.SendReport.
> > >
> > > Please see comments on revert CL for more detail.
> > >
> > > Original issue's description:
> > > > Update SCT serialization and other format details in Expect-CT reports
> > > >
> > > > This adds a net::ct::EncodeSignedCertificateTimestamp function alongside the
> > > > existing CT serialization functions, and uses it to properly encode SCTs in
> > > > Expect-CT reports.
> > > >
> > > > The relevant spec change is
> > > > https://github.com/httpwg/http-extensions/commit/20c5cfd5ef5b630e142b3251ecafc004ad8f2092,
> > > > though it hasn't made it into a published draft yet. Before, we were including a
> > > > JSON object containing a subset of information from the SCT based on the source of
> > > > the SCT, but that was deemed unnecessary and now the spec just says to include a
> > > > standard serialization of the SCT.
> > > >
> > > > The other report format changes made to bring the implementation in line with the
> > > > spec are:
> > > > - Shortening the 'origin' string values
> > > > - Wrapping the report in a JSON dictionary with a single 'expect-ct-report' key
> > > >
> > > > BUG=679012
> > > >
> > > > Review-Url: https://codereview.chromium.org/2959593002
> > > > Cr-Commit-Position: refs/heads/master@{#482905}
> > > > Committed: https://chromium.googlesource.com/chromium/src/+/19bd384f656790e8e409086b5b97a53b3a6f5921
> > >
> > > TBR=mattm@chromium.org,estark@chromium.org
> > > # Skipping CQ checks because original CL landed less than 1 days ago.
> > > NOPRESUBMIT=true
> > > NOTREECHECKS=true
> > > NOTRY=true
> > > BUG=679012
> > >
> > > Review-Url: https://codereview.chromium.org/2960163002
> > > Cr-Commit-Position: refs/heads/master@{#482924}
> > > Committed: https://chromium.googlesource.com/chromium/src/+/8af690d4cd89e0e402d08ce8e4f078acf862a317
> >
> > TBR=mattm@chromium.org,engedy@chromium.org
> > # Skipping CQ checks because original CL landed less than 1 days ago.
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=679012
> >
> > Review-Url: https://codereview.chromium.org/2960183003
> > Cr-Commit-Position: refs/heads/master@{#483070}
> > Committed: https://chromium.googlesource.com/chromium/src/+/03b29e1fbf80c616d6aaff6201ee8771f4df986b
>
> TBR=mattm@chromium.org,estark@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=679012
>
> Review-Url: https://codereview.chromium.org/2963783003
> Cr-Commit-Position: refs/heads/master@{#483090}
> Committed: https://chromium.googlesource.com/chromium/src/+/3817bb935917d0215bab904c063c47cbe3db3142

TBR=mattm@chromium.org,engedy@chromium.org
BUG=679012

Review-Url: https://codereview.chromium.org/2957063005
Cr-Commit-Position: refs/heads/master@{#483239}

[modify] https://crrev.com/1a6f723925d0a370035e5228803ca82b58577d46/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/1a6f723925d0a370035e5228803ca82b58577d46/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
[modify] https://crrev.com/1a6f723925d0a370035e5228803ca82b58577d46/net/cert/ct_serialization.cc
[modify] https://crrev.com/1a6f723925d0a370035e5228803ca82b58577d46/net/cert/ct_serialization.h
[modify] https://crrev.com/1a6f723925d0a370035e5228803ca82b58577d46/net/cert/ct_serialization_unittest.cc

Project Member

Comment 15 by bugdroid1@chromium.org, Jul 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/70adceb53e4a7c7d1cbfa080ab6fd4d6ae2878c6

commit 70adceb53e4a7c7d1cbfa080ab6fd4d6ae2878c6
Author: estark <estark@chromium.org>
Date: Fri Jul 07 07:09:16 2017

Implement CORS preflights for Expect-CT reports

Expect-CT reports are sent with a Content-Type header of
application/expect-ct-report+json. Neither this Content-Type nor "application/json" is
CORS safelisted, meaning that Chrome arguably ought to send CORS preflights
to make sure the designated report collection server has opted in to receive
Expect-CT reports. Otherwise, web content would be able to trigger reports to
arbitrary endpoints with a non-safelisted Content-Type header.

Therefore, this CL implements CORS preflight requests before sending
reports. The wrinkle is that Expect-CT is checked at connection setup time,
before being associated with a particular URLRequest, much less an initiating
origin, so we cannot construct a proper Origin header to include in the
preflight request. Instead, we set the Origin header to "null", and expect
`Access-Control-Allow-Origin: *` or `Access-Control-Allow-Origin: null` in
response. While this is a bit weird, it is safe because reports are sent without
credentials and it requires the server to opt in to receiving reports.

See https://lists.w3.org/Archives/Public/ietf-http-wg/2017AprJun/0168.html for
more discussion on the CORS issues and background on why we have settled on
sending `Origin: null` preflights.

https://fetch.spec.whatwg.org/#cors-preflight-fetch describes the preflights
implemented in this CL.

BUG=679012

Review-Url: https://codereview.chromium.org/2970913002
Cr-Commit-Position: refs/heads/master@{#484849}

[modify] https://crrev.com/70adceb53e4a7c7d1cbfa080ab6fd4d6ae2878c6/chrome/browser/ssl/chrome_expect_ct_reporter.cc
[modify] https://crrev.com/70adceb53e4a7c7d1cbfa080ab6fd4d6ae2878c6/chrome/browser/ssl/chrome_expect_ct_reporter.h
[modify] https://crrev.com/70adceb53e4a7c7d1cbfa080ab6fd4d6ae2878c6/chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc
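The collector side of the preflight scheme this CL describes, as an added example that is not Chromium's code: it answers the OPTIONS request that arrives with `Origin: null` by opting in explicitly, and then accepts only the credential-less POST carrying the Expect-CT media type. The request/response routing and the sample requests are constructed assumptions.

```python
"""Report-collector side of the preflight scheme described above: answer the
OPTIONS request that arrives with 'Origin: null', then accept only the
credential-less POST with the Expect-CT media type. Added example, not Chromium
code; the collector routing and sample requests are constructed."""
import json

REPORT_CONTENT_TYPE = "application/expect-ct-report+json"


def _norm(headers):
    """Case-insensitive header lookup."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def preflight_response(headers):
    """Return (status, response headers) for a CORS preflight.

    The reporter cannot supply a real Origin (Expect-CT is checked at connection
    setup, before any URLRequest exists), so it sends 'Origin: null'. The
    collector opts in by echoing 'null' (or '*'); anything else is refused."""
    h = _norm(headers)
    if h.get("origin") != "null":
        return 403, {}
    if h.get("access-control-request-method") != "POST":
        return 403, {}
    requested = {x.strip().lower()
                 for x in h.get("access-control-request-headers", "").split(",")
                 if x.strip()}
    if not requested <= {"content-type"}:  # only the non-safelisted Content-Type is expected
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": "null",
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "86400",
    }


def accept_report(method, headers, body):
    """Return (status, response headers) for the actual report request.

    A 'null' origin is also what sandboxed frames get, so this endpoint must do
    nothing but ingest reports: no credentials are honoured and no other media
    type or method is served here."""
    h = _norm(headers)
    if method != "POST":
        return 405, {}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != REPORT_CONTENT_TYPE:
        return 415, {}
    if "cookie" in h or "authorization" in h:
        return 400, {}  # reports are sent without credentials; treat any as suspect
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, {}
    if not isinstance(doc, dict) or not isinstance(doc.get("expect-ct-report"), dict):
        return 400, {}
    return 200, {"Access-Control-Allow-Origin": "null"}


# Constructed requests mirroring what the reporter sends.
PREFLIGHT = {"Origin": "null", "Access-Control-Request-Method": "POST",
             "Access-Control-Request-Headers": "content-type"}
REPORT_HEADERS = {"Origin": "null", "Content-Type": REPORT_CONTENT_TYPE}
REPORT_BODY = json.dumps({"expect-ct-report": {
    "hostname": "expect-ct.example", "port": 443,
    "effective-expiration-date": "2017-07-28T00:00:00Z", "scts": []}})

if __name__ == "__main__":
    print(preflight_response(PREFLIGHT))
    print(accept_report("POST", REPORT_HEADERS, REPORT_BODY))
```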

Project Member

Comment 16 by bugdroid1@chromium.org, Jul 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f51e5d491800e1a112f009266589625b1f6a4ab6

commit f51e5d491800e1a112f009266589625b1f6a4ab6
Author: Emily Stark <estark@google.com>
Date: Wed Jul 12 23:48:50 2017

Add browser test and testing config for dynamic Expect-CT reporting

This CL adds a browser test to check that the ChromeExpectCTReporter is properly
created and set up to receive reports, particularly for dynamic Expect-CT
violations. It also enables the dynamic Expect-CT feature on the waterfall.

BUG=679012, 642517 

Change-Id: I3ea01207ea5852b9bd0bbb1d90799ee4555c854e
Reviewed-on: https://chromium-review.googlesource.com/566572
Reviewed-by: Jesse Doherty <jwd@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486158}
[add] https://crrev.com/f51e5d491800e1a112f009266589625b1f6a4ab6/chrome/browser/ssl/chrome_expect_ct_reporter_browser_tests.cc
[modify] https://crrev.com/f51e5d491800e1a112f009266589625b1f6a4ab6/chrome/test/BUILD.gn
[modify] https://crrev.com/f51e5d491800e1a112f009266589625b1f6a4ab6/testing/variations/fieldtrial_testing_config.json

Project Member

Comment 17 by bugdroid1@chromium.org, Jul 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3ca8fd661af507b4c2980ae6fd961b8346b3dfa3

commit 3ca8fd661af507b4c2980ae6fd961b8346b3dfa3
Author: Emily Stark <estark@chromium.org>
Date: Thu Jul 13 17:00:34 2017

Revert "Add browser test and testing config for dynamic Expect-CT reporting"

This reverts commit f51e5d491800e1a112f009266589625b1f6a4ab6.

Reason for revert: This test fails on official builds because the field trial testing config doesn't apply. I will explicitly enable the Finch feature in the test and reland.

Original change's description:
> Add browser test and testing config for dynamic Expect-CT reporting
> 
> This CL adds a browser test to check that the ChromeExpectCTReporter is properly
> created and set up to receive reports, particularly for dynamic Expect-CT
> violations. It also enables the dynamic Expect-CT feature on the waterfall.
> 
> BUG=679012, 642517 
> 
> Change-Id: I3ea01207ea5852b9bd0bbb1d90799ee4555c854e
> Reviewed-on: https://chromium-review.googlesource.com/566572
> Reviewed-by: Jesse Doherty <jwd@chromium.org>
> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
> Commit-Queue: Emily Stark <estark@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#486158}

TBR=jwd@chromium.org,meacer@chromium.org,estark@chromium.org

Change-Id: I60d13cfa015707d535e0afb86cf10d74ecb35b79
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 679012,  642517 
Reviewed-on: https://chromium-review.googlesource.com/570383
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486415}
[delete] https://crrev.com/450a8feea254f54e61be2bf5529e26027c656d6b/chrome/browser/ssl/chrome_expect_ct_reporter_browser_tests.cc
[modify] https://crrev.com/3ca8fd661af507b4c2980ae6fd961b8346b3dfa3/chrome/test/BUILD.gn
[modify] https://crrev.com/3ca8fd661af507b4c2980ae6fd961b8346b3dfa3/testing/variations/fieldtrial_testing_config.json

Project Member

Comment 18 by bugdroid1@chromium.org, Jul 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/886f7089046c0ab1bf44c2f9a02e18b0dc0ad7d6

commit 886f7089046c0ab1bf44c2f9a02e18b0dc0ad7d6
Author: Emily Stark <estark@google.com>
Date: Fri Jul 14 02:18:58 2017

Reland "Add browser test and testing config for dynamic Expect-CT reporting"

This is a reland of f51e5d491800e1a112f009266589625b1f6a4ab6
Original change's description:
> Add browser test and testing config for dynamic Expect-CT reporting
> 
> This CL adds a browser test to check that the ChromeExpectCTReporter is properly
> created and set up to receive reports, particularly for dynamic Expect-CT
> violations. It also enables the dynamic Expect-CT feature on the waterfall.
> 
> BUG=679012, 642517 
> 
> Change-Id: I3ea01207ea5852b9bd0bbb1d90799ee4555c854e
> Reviewed-on: https://chromium-review.googlesource.com/566572
> Reviewed-by: Jesse Doherty <jwd@chromium.org>
> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
> Commit-Queue: Emily Stark <estark@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#486158}

TBR=jwd@chromium.org

Bug: 679012,  642517 
Change-Id: If0a05ea0823f0427f04c455206ab8a7f7020fc89
Reviewed-on: https://chromium-review.googlesource.com/570561
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486637}
[add] https://crrev.com/886f7089046c0ab1bf44c2f9a02e18b0dc0ad7d6/chrome/browser/ssl/chrome_expect_ct_reporter_browser_tests.cc
[modify] https://crrev.com/886f7089046c0ab1bf44c2f9a02e18b0dc0ad7d6/chrome/test/BUILD.gn
[modify] https://crrev.com/886f7089046c0ab1bf44c2f9a02e18b0dc0ad7d6/testing/variations/fieldtrial_testing_config.json

Project Member

Comment 19 by bugdroid1@chromium.org, Aug 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/41b44be779b6df756738b8cf615e2b417b6ffcdd

commit 41b44be779b6df756738b8cf615e2b417b6ffcdd
Author: Emily Stark <estark@google.com>
Date: Sat Aug 19 00:22:28 2017

Turn on dynamic Expect-CT by default

Expect-CT headers are launching in Chrome 61 (approved via blink-dev OWP process
and launch review) so we can enable the Finch feature by default.

Bug: 679012
Change-Id: I1502c18bd1ad6ed218e527f7acd808c14124cc76
Reviewed-on: https://chromium-review.googlesource.com/596407
Commit-Queue: Emily Stark <estark@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495761}
[modify] https://crrev.com/41b44be779b6df756738b8cf615e2b417b6ffcdd/net/http/transport_security_state.cc

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge
Project Member

Comment 21 by bugdroid1@chromium.org, Oct 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/516411c4fbf8953eaf5c34804fcc82ca9a7efe59

commit 516411c4fbf8953eaf5c34804fcc82ca9a7efe59
Author: Emily Stark <estark@google.com>
Date: Mon Oct 02 18:36:33 2017

Add UMA histogram for Expect-CT header processing

This CL records a histogram whenever an Expect-CT header is processed. This
tells us how many connections serve Expect-CT headers and how many parse
successfully.

Bug: 679012
Change-Id: I4cc8929a440e8f3508db53c424594afab8a7c318
Reviewed-on: https://chromium-review.googlesource.com/690705
Reviewed-by: Matt Mueller <mattm@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Ilya Sherman <isherman@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505689}
[modify] https://crrev.com/516411c4fbf8953eaf5c34804fcc82ca9a7efe59/net/http/transport_security_state.cc
[modify] https://crrev.com/516411c4fbf8953eaf5c34804fcc82ca9a7efe59/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/516411c4fbf8953eaf5c34804fcc82ca9a7efe59/tools/metrics/histograms/histograms.xml
