bcarrella
/
cef
mirror of https://bitbucket.org/chromiumembedded/cef
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cef/patch/patches/net_security_expiration_199...

53 lines
2.2 KiB
Diff
Raw Blame History

diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
index b7a2bca7bf42..5987ee212a12 100644
--- net/http/transport_security_state.cc
+++ net/http/transport_security_state.cc
@@ -1100,8 +1100,12 @@ void TransportSecurityState::ClearReportCachesForTesting() {
sent_expect_ct_reports_cache_.Clear();
}
-// static
-bool TransportSecurityState::IsBuildTimely() {
+// Returns true if the current build is recent enough to ensure that
+// built-in security information (e.g. CT Logs) is fresh enough.
+bool TransportSecurityState::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
const base::Time build_time = base::GetBuildTime();
// We consider built-in information to be timely for 10 weeks.
return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
diff --git net/http/transport_security_state.h net/http/transport_security_state.h
index 48ccb74e2e1d..79dc9958d1de 100644
--- net/http/transport_security_state.h
+++ net/http/transport_security_state.h
@@ -530,6 +530,10 @@ class NET_EXPORT TransportSecurityState {
void EnableStaticPinsForTesting() { enable_static_pins_ = true; }
bool has_dynamic_pkp_state() const { return !enabled_pkp_hosts_.empty(); }
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
private:
friend class TransportSecurityStateTest;
friend class TransportSecurityStateStaticFuzzer;
@@ -548,7 +552,7 @@ class NET_EXPORT TransportSecurityState {
// IsBuildTimely returns true if the current build is new enough ensure that
// built in security information (i.e. HSTS preloading and pinning
// information) is timely.
- static bool IsBuildTimely();
+ bool IsBuildTimely() const;
// Helper method for actually checking pins.
PKPStatus CheckPublicKeyPinsImpl(
@@ -646,6 +650,8 @@ class NET_EXPORT TransportSecurityState {
// True if public key pinning bypass is enabled for local trust anchors.
bool enable_pkp_bypass_for_local_trust_anchors_;
+ bool enforce_net_security_expiration_ = true;
+
ExpectCTReporter* expect_ct_reporter_ = nullptr;
RequireCTDelegate* require_ct_delegate_ = nullptr;
Reference in New Issue View Git Blame Copy Permalink