bcarrella/cef
1
0
Fork 0
mirror of https://bitbucket.org/chromiumembedded/cef synced 2025-02-16 20:20:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add option to enable/disable net security expiration (issue #1994)

Browse Source 
- Net security (CT, HSTS) expiration based on build age is now
  disabled by default.
- Add new enable_net_security_expiration option to CefSettings and
  CefRequestContextSettings.
This commit is contained in:
Marshall Greenblatt 2016-11-18 16:11:38 -05:00
parent d7afec5dbd
commit ffd843c47c
8 changed files with 158 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
include/internal/cef_types.h
View File

@ -376,6 +376,19 @@ typedef struct _cef_settings_t {
/// ///
int ignore_certificate_errors; int ignore_certificate_errors;
///
// Set to true (1) to enable date-based expiration of built in network
// security information (i.e. certificate transparency logs, HSTS preloading
// and pinning information). Enabling this option improves network security
// but may cause HTTPS load failures when using CEF binaries built more than
// 10 weeks in the past. See https://www.certificate-transparency.org/ and
// https://www.chromium.org/hsts for details. Also configurable using the
// "enable-net-security-expiration" command-line switch. Can be overridden for
// individual CefRequestContext instances via the
// CefRequestContextSettings.enable_net_security_expiration value.
///
int enable_net_security_expiration;
/// ///
// Opaque background color used for accelerated content. By default the // Opaque background color used for accelerated content. By default the
// background color will be white. Only the RGB compontents of the specified // background color will be white. Only the RGB compontents of the specified
@ -443,6 +456,17 @@ typedef struct _cef_request_context_settings_t {
/// ///
int ignore_certificate_errors; int ignore_certificate_errors;
///
// Set to true (1) to enable date-based expiration of built in network
// security information (i.e. certificate transparency logs, HSTS preloading
// and pinning information). Enabling this option improves network security
// but may cause HTTPS load failures when using CEF binaries built more than
// 10 weeks in the past. See https://www.certificate-transparency.org/ and
// https://www.chromium.org/hsts for details. Can be set globally using the
// CefSettings.enable_net_security_expiration value.
///
int enable_net_security_expiration;
/// ///
// Comma delimited ordered list of language codes without any whitespace that // Comma delimited ordered list of language codes without any whitespace that
// will be used in the "Accept-Language" HTTP header. Can be set globally // will be used in the "Accept-Language" HTTP header. Can be set globally

4
include/internal/cef_types_wrappers.h
View File

@ -607,6 +607,8 @@ struct CefSettingsTraits {
target->uncaught_exception_stack_size = src->uncaught_exception_stack_size; target->uncaught_exception_stack_size = src->uncaught_exception_stack_size;
target->context_safety_implementation = src->context_safety_implementation; target->context_safety_implementation = src->context_safety_implementation;
target->ignore_certificate_errors = src->ignore_certificate_errors; target->ignore_certificate_errors = src->ignore_certificate_errors;
target->enable_net_security_expiration =
src->enable_net_security_expiration;
target->background_color = src->background_color; target->background_color = src->background_color;
cef_string_set(src->accept_language_list.str, cef_string_set(src->accept_language_list.str,
@ -639,6 +641,8 @@ struct CefRequestContextSettingsTraits {
target->persist_session_cookies = src->persist_session_cookies; target->persist_session_cookies = src->persist_session_cookies;
target->persist_user_preferences = src->persist_user_preferences; target->persist_user_preferences = src->persist_user_preferences;
target->ignore_certificate_errors = src->ignore_certificate_errors; target->ignore_certificate_errors = src->ignore_certificate_errors;
target->enable_net_security_expiration =
src->enable_net_security_expiration;
cef_string_set(src->accept_language_list.str, cef_string_set(src->accept_language_list.str,
src->accept_language_list.length, &target->accept_language_list, copy); src->accept_language_list.length, &target->accept_language_list, copy);
} }

3
libcef/browser/context.cc
View File

@ -368,6 +368,9 @@ void CefContext::PopulateRequestContextSettings(
settings->ignore_certificate_errors = settings->ignore_certificate_errors =
settings_.ignore_certificate_errors || settings_.ignore_certificate_errors ||
command_line->HasSwitch(switches::kIgnoreCertificateErrors); command_line->HasSwitch(switches::kIgnoreCertificateErrors);
settings->enable_net_security_expiration =
settings_.enable_net_security_expiration ||
command_line->HasSwitch(switches::kEnableNetSecurityExpiration);
CefString(&settings->accept_language_list) = CefString(&settings->accept_language_list) =
CefString(&settings_.accept_language_list); CefString(&settings_.accept_language_list);
} }

15
libcef/browser/net/url_request_context_getter_impl.cc
View File

@ -216,8 +216,12 @@ net::URLRequestContext* CefURLRequestContextGetterImpl::GetURLRequestContext() {
storage_->set_host_resolver(net::HostResolver::CreateDefaultResolver(NULL)); storage_->set_host_resolver(net::HostResolver::CreateDefaultResolver(NULL));
storage_->set_cert_verifier(net::CertVerifier::CreateDefault()); storage_->set_cert_verifier(net::CertVerifier::CreateDefault());
storage_->set_transport_security_state(
base::WrapUnique(new net::TransportSecurityState)); std::unique_ptr<net::TransportSecurityState> transport_security_state(
new net::TransportSecurityState);
transport_security_state->set_enforce_net_security_expiration(
settings_.enable_net_security_expiration ? true : false);
storage_->set_transport_security_state(std::move(transport_security_state));
std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs( std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs(
net::ct::CreateLogVerifiersForKnownLogs()); net::ct::CreateLogVerifiersForKnownLogs());
@ -226,8 +230,11 @@ net::URLRequestContext* CefURLRequestContextGetterImpl::GetURLRequestContext() {
ct_verifier->AddLogs(ct_logs); ct_verifier->AddLogs(ct_logs);
storage_->set_cert_transparency_verifier(std::move(ct_verifier)); storage_->set_cert_transparency_verifier(std::move(ct_verifier));
storage_->set_ct_policy_enforcer( std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer(
base::WrapUnique(new net::CTPolicyEnforcer)); new net::CTPolicyEnforcer);
ct_policy_enforcer->set_enforce_net_security_expiration(
settings_.enable_net_security_expiration ? true : false);
storage_->set_ct_policy_enforcer(std::move(ct_policy_enforcer));
std::unique_ptr<net::ProxyService> system_proxy_service = std::unique_ptr<net::ProxyService> system_proxy_service =
ProxyServiceFactory::CreateProxyService( ProxyServiceFactory::CreateProxyService(

3
libcef/common/cef_switches.cc
View File

@ -122,4 +122,7 @@ const char kPluginPolicy_Block[] = "block";
// Expose preferences used only by unit tests. // Expose preferences used only by unit tests.
const char kEnablePreferenceTesting[] = "enable-preference-testing"; const char kEnablePreferenceTesting[] = "enable-preference-testing";
// Enable date-based expiration of built in network security information.
const char kEnableNetSecurityExpiration[] = "enable-net-security-expiration";
} // namespace switches } // namespace switches

1
libcef/common/cef_switches.h
View File

@ -51,6 +51,7 @@ extern const char kPluginPolicy_Allow[];
extern const char kPluginPolicy_Detect[]; extern const char kPluginPolicy_Detect[];
extern const char kPluginPolicy_Block[]; extern const char kPluginPolicy_Block[];
extern const char kEnablePreferenceTesting[]; extern const char kEnablePreferenceTesting[];
extern const char kEnableNetSecurityExpiration[];
} // namespace switches } // namespace switches

6
patch/patch.cfg
View File

@ -264,4 +264,10 @@ patches = [
'name': 'webview_plugin_2352673003', 'name': 'webview_plugin_2352673003',
'path': '../', 'path': '../',
}, },
{
# Support an option to enable/disable net security expiration.
# https://bitbucket.org/chromiumembedded/cef/issues/1994
'name': 'net_security_expiration_1994',
'path': '../',
},
] ]

106
patch/patches/net_security_expiration_1994.patch Normal file
View File

@ -0,0 +1,106 @@
diff --git net/cert/ct_policy_enforcer.cc net/cert/ct_policy_enforcer.cc
index a4e1e81..f3c627d 100644
--- net/cert/ct_policy_enforcer.cc
+++ net/cert/ct_policy_enforcer.cc
@@ -33,15 +33,6 @@ namespace net {
namespace {
-// Returns true if the current build is recent enough to ensure that
-// built-in security information (e.g. CT Logs) is fresh enough.
-// TODO(eranm): Move to base or net/base
-bool IsBuildTimely() {
- const base::Time build_time = base::GetBuildTime();
- // We consider built-in information to be timely for 10 weeks.
- return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
-}
-
// Returns a rounded-down months difference of |start| and |end|,
// together with an indication of whether the last month was
// a full month, because the range starts specified in the policy
@@ -455,4 +446,13 @@ ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
return details.status;
}
+bool CTPolicyEnforcer::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
+ const base::Time build_time = base::GetBuildTime();
+ // We consider built-in information to be timely for 10 weeks.
+ return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
+}
+
} // namespace net
diff --git net/cert/ct_policy_enforcer.h net/cert/ct_policy_enforcer.h
index c49e091..d3edffa 100644
--- net/cert/ct_policy_enforcer.h
+++ net/cert/ct_policy_enforcer.h
@@ -100,6 +100,17 @@ class NET_EXPORT CTPolicyEnforcer {
const ct::EVCertsWhitelist* ev_whitelist,
const SCTList& verified_scts,
const BoundNetLog& net_log);
+
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
+ private:
+ // Returns true if the current build is recent enough to ensure that
+ // built-in security information (e.g. CT Logs) is fresh enough.
+ bool IsBuildTimely() const;
+
+ bool enforce_net_security_expiration_ = true;
};
} // namespace net
diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
index 026871b..f7251e8 100644
--- net/http/transport_security_state.cc
+++ net/http/transport_security_state.cc
@@ -1343,8 +1343,10 @@ void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) {
g_ct_required_for_testing = *required ? 1 : -1;
}
-// static
-bool TransportSecurityState::IsBuildTimely() {
+bool TransportSecurityState::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
const base::Time build_time = base::GetBuildTime();
// We consider built-in information to be timely for 10 weeks.
return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
diff --git net/http/transport_security_state.h net/http/transport_security_state.h
index 3326ca2..a2de308 100644
--- net/http/transport_security_state.h
+++ net/http/transport_security_state.h
@@ -472,6 +472,10 @@ class NET_EXPORT TransportSecurityState
// nullptr to reset.
static void SetShouldRequireCTForTesting(bool* required);
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
private:
friend class TransportSecurityStateTest;
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
@@ -495,7 +499,7 @@ class NET_EXPORT TransportSecurityState
// IsBuildTimely returns true if the current build is new enough ensure that
// built in security information (i.e. HSTS preloading and pinning
// information) is timely.
- static bool IsBuildTimely();
+ bool IsBuildTimely() const;
// Helper method for actually checking pins.
PKPStatus CheckPublicKeyPinsImpl(
@@ -586,6 +590,8 @@ class NET_EXPORT TransportSecurityState
// True if public key pinning bypass is enabled for local trust anchors.
bool enable_pkp_bypass_for_local_trust_anchors_;
+ bool enforce_net_security_expiration_ = true;
+
ExpectCTReporter* expect_ct_reporter_ = nullptr;
RequireCTDelegate* require_ct_delegate_ = nullptr;