Implement a compact mode for simple preloaded HSTS entries.
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.39 Safari/537.36

Steps to reproduce the problem:

Chrome supports HSTS preloading [1] and ships the list of preloaded domains [2] inside the binary. This list is a trie represented as a byte array that uses Huffman for compression. Apart from HSTS the trie also contains HPKP, Expect-CT, and/or Expect-Staple state for some entries. Because the trie can store multiple states it needs additional bit flags for each entry to indicate whether it uses an option or not.

In the current list, the vast majority of entries only configure HSTS+IncludeSubdomains because that's the requirement for automatic preloading through hstspreload.org. With the current trie format all these entries use 3 additional bits (one each for HPKP, Expect-CT, and Expect-Staple) to indicate they don't use any of these options.

Experimentation has shown that introducing a new compact format for entries that only configure HSTS+IncludeSubdomains (we'll call these "simple entries") reduces the binary size of the trie by ~5% [3]. The new format will add a "simple entry" flag that, when set to 1, indicates the entry configures only HSTS+IncludeSubdomains and that the other flags will be omitted. This saves 4 bits (3 bits for the extra states and 1 bit for the IncludeSubdomains flag) for the simple entries but adds one bit for all other entries. In practice (with the current list) this results in an overall win.

[1] Website owners can request HSTS preloading through https://hstspreload.org/.
[2] https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=603597#c14

What is the expected behavior?

What went wrong?

Did this work before? No

Chrome version: 61.0.3163.39 Channel: n/a
OS Version: OS X 10.12.5
Flash Version:

Please move this to the Internals>Network>DomainSecurityPolicy component.
Aug 28 2017
Considering this as a feature request and making the status to Untriaged so that the issue would get addressed. Thank you.
Aug 28 2017
Martijn@ has already started this, but we can't assign him as an owner.
Sep 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/31ba3d3cb5589adb4db2c89be9fb2286ef066f1c

commit 31ba3d3cb5589adb4db2c89be9fb2286ef066f1c
Author: Martijn Croonen <martijn@martijnc.be>
Date: Fri Sep 22 17:50:05 2017

Implement a compact mode for simple preloaded domain security entries.

The serialization format for preloaded domain security policy entries uses bit flags for the various policies it supports (currently HSTS, HPKP, Expect-CT, and Expect-Staple) so that each entry can enable or disable the policies separately. This means each entry uses at least 5 bits regardless of the number of policies it actually enables (1 bit for each supported policy and one for the IncludeSubdomains flag).

This CL adds a new bit flag to each entry that indicates the entry only wants to configure HSTS+IncludeSubdomains (we'll call these "simple entries"). When this flag is set to 1, the other flags will be omitted. When this flag is set to 0, the other flags are present and should be parsed as before.

This CL regresses the size of the non-simple entries but because the bulk of entries in the current list are HSTS+IncludeSubdomains only this results in an overall size reduction of ~5% on all platforms [1]. The majority of entries are HSTS+IncludeSubdomains because they are preloaded through hstspreload.org which requires HSTS+IncludeSubdomains.

Bug: 759221
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=603597#c14
Change-Id: I64dfb50350f5dba7c7b281245a9facc33ce10b75
Reviewed-on: https://chromium-review.googlesource.com/636423
Commit-Queue: Martijn Croonen <martijn@martijnc.be>
Reviewed-by: Chris Bentzel <cbentzel@chromium.org>
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503789}

[modify] https://crrev.com/31ba3d3cb5589adb4db2c89be9fb2286ef066f1c/net/http/transport_security_state.cc
[modify] https://crrev.com/31ba3d3cb5589adb4db2c89be9fb2286ef066f1c/net/http/transport_security_state_static_unittest3.json
[modify] https://crrev.com/31ba3d3cb5589adb4db2c89be9fb2286ef066f1c/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/31ba3d3cb5589adb4db2c89be9fb2286ef066f1c/net/tools/transport_security_state_generator/trie/trie_writer.cc
Oct 8 2017
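The per-entry flag layout described in the issue report and again in the commit message, modelled as an added example (this is not Chromium's code): the legacy five flag bits beside the compact encoding with its leading "simple entry" bit, a decoder that parses the non-simple case as before, and the bit totals for a constructed list. The Entry class, the field order and the sample hostnames are assumptions; the Huffman-coded hostname trie is not modelled, only the flag bits the bug discusses.

```python
from dataclasses import dataclass
from typing import List
# Flag order is an assumption; the Huffman-coded hostname trie itself is not modelled.
FIELDS = ("include_subdomains", "hsts", "hpkp", "expect_ct", "expect_staple")

@dataclass(frozen=True)
class Entry:
    host: str
    include_subdomains: bool = False
    hsts: bool = False
    hpkp: bool = False
    expect_ct: bool = False
    expect_staple: bool = False

    def is_simple(self) -> bool:
        """HSTS + IncludeSubdomains and nothing else (the hstspreload.org shape)."""
        return (self.hsts and self.include_subdomains
                and not (self.hpkp or self.expect_ct or self.expect_staple))

def legacy_flags(e: Entry) -> List[int]:
    """Legacy format: 5 flag bits for every entry, one per field."""
    return [int(getattr(e, f)) for f in FIELDS]

def compact_flags(e: Entry) -> List[int]:
    """Compact format: a leading 'simple entry' bit; when it is 0 the legacy 5 bits follow."""
    return [1] if e.is_simple() else [0] + legacy_flags(e)

def parse_compact(bits: List[int], pos: int):
    """Decode one entry's flags at bit offset pos; return (flags dict, next pos)."""
    if bits[pos] == 1:  # simple entry: only HSTS+IncludeSubdomains, nothing else stored
        return {f: f in ("include_subdomains", "hsts") for f in FIELDS}, pos + 1
    vals = bits[pos + 1:pos + 1 + len(FIELDS)]
    return dict(zip(FIELDS, (v == 1 for v in vals))), pos + 1 + len(FIELDS)

def total_bits(entries: List[Entry], encoder) -> int:
    return sum(len(encoder(e)) for e in entries)

def roundtrip_ok(entries: List[Entry]) -> bool:
    """Encode all entries compactly, decode them back, compare field by field."""
    stream = [b for e in entries for b in compact_flags(e)]
    pos = 0
    for e in entries:
        flags, pos = parse_compact(stream, pos)
        if flags != {f: getattr(e, f) for f in FIELDS}:
            return False
    return pos == len(stream)

# Constructed sample list: 95 hstspreload.org-style entries plus 5 pinned ones.
SAMPLE = ([Entry(f"s{i}.example", include_subdomains=True, hsts=True) for i in range(95)]
          + [Entry(f"p{i}.example", include_subdomains=True, hsts=True, hpkp=True) for i in range(5)])
```

For this sample the flag bits drop from 500 to 125; since each simple entry saves 4 bits and each other entry costs 1, the compact form only loses when fewer than one entry in five is simple.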
Comment 1 by tapted@chromium.org, Aug 28 2017