Add option to enable/disable net security expiration (issue #1994)

- Net security (CT, HSTS) expiration based on build age is now disabled by default. - Add new enable_net_security_expiration option to CefSettings and CefRequestContextSettings.
2025-06-05 21:39:12 +02:00 · 2016-11-18 16:11:38 -05:00
parent 4ecff1670e
commit c6881fe145
8 changed files with 158 additions and 4 deletions
--- a/include/internal/cef_types.h
+++ b/include/internal/cef_types.h
@@ -376,6 +376,19 @@ typedef struct _cef_settings_t {
  ///
  int ignore_certificate_errors;

+  ///
+  // Set to true (1) to enable date-based expiration of built in network
+  // security information (i.e. certificate transparency logs, HSTS preloading
+  // and pinning information). Enabling this option improves network security
+  // but may cause HTTPS load failures when using CEF binaries built more than
+  // 10 weeks in the past. See https://www.certificate-transparency.org/ and
+  // https://www.chromium.org/hsts for details. Also configurable using the
+  // "enable-net-security-expiration" command-line switch. Can be overridden for
+  // individual CefRequestContext instances via the
+  // CefRequestContextSettings.enable_net_security_expiration value.
+  ///
+  int enable_net_security_expiration;
+
  ///
  // Opaque background color used for accelerated content. By default the
  // background color will be white. Only the RGB compontents of the specified
@@ -443,6 +456,17 @@ typedef struct _cef_request_context_settings_t {
  ///
  int ignore_certificate_errors;

+  ///
+  // Set to true (1) to enable date-based expiration of built in network
+  // security information (i.e. certificate transparency logs, HSTS preloading
+  // and pinning information). Enabling this option improves network security
+  // but may cause HTTPS load failures when using CEF binaries built more than
+  // 10 weeks in the past. See https://www.certificate-transparency.org/ and
+  // https://www.chromium.org/hsts for details. Can be set globally using the
+  // CefSettings.enable_net_security_expiration value.
+  ///
+  int enable_net_security_expiration;
+
  ///
  // Comma delimited ordered list of language codes without any whitespace that
  // will be used in the "Accept-Language" HTTP header. Can be set globally
--- a/include/internal/cef_types_wrappers.h
+++ b/include/internal/cef_types_wrappers.h
@@ -607,6 +607,8 @@ struct CefSettingsTraits {
    target->uncaught_exception_stack_size = src->uncaught_exception_stack_size;
    target->context_safety_implementation = src->context_safety_implementation;
    target->ignore_certificate_errors = src->ignore_certificate_errors;
+    target->enable_net_security_expiration =
+        src->enable_net_security_expiration;
    target->background_color = src->background_color;

    cef_string_set(src->accept_language_list.str,
@@ -639,6 +641,8 @@ struct CefRequestContextSettingsTraits {
    target->persist_session_cookies = src->persist_session_cookies;
    target->persist_user_preferences = src->persist_user_preferences;
    target->ignore_certificate_errors = src->ignore_certificate_errors;
+    target->enable_net_security_expiration =
+        src->enable_net_security_expiration;
    cef_string_set(src->accept_language_list.str,
        src->accept_language_list.length, &target->accept_language_list, copy);
  }