author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-07-12 13:28:03 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-10-04 10:20:44 +0200 |
commit | bd3046fd688a64ffccbf1dcf6fceac6ec1aefe6c (patch) | |
tree | 528860fafb8d91453343fe74794f6cc30ef7302d | |
parent | 9747fbdc8f1b55cc9a4002861c47a1c10bc9d90f (diff) | |
download | qtwebengine-chromium-bd3046fd688a64ffccbf1dcf6fceac6ec1aefe6c.tar.gz |
Use Chrome HSTS
We now enable it by default, but allow users to disable it with
--disable-features=ChromeStaticPinning
Fixes: QTBUG-88036
Change-Id: I0fac896c16a8a060232419d9d03978cd0e2803d0
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/net/base/features.cc | 3 | ||||
-rw-r--r-- | chromium/net/base/features.h | 2 | ||||
-rw-r--r-- | chromium/net/http/transport_security_state.cc | 6 |
3 files changed, 9 insertions, 2 deletions
diff --git a/chromium/net/base/features.cc b/chromium/net/base/features.cc
index 407919d15b7..3970e0983b4 100644
--- a/chromium/net/base/features.cc
+++ b/chromium/net/base/features.cc
@@ -20,6 +20,9 @@ const base::Feature kAlpsForHttp2{"AlpsForHttp2",
 const base::Feature kCapReferrerToOriginOnCrossOrigin{
 "CapReferrerToOriginOnCrossOrigin", base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kChromeStaticPinning{
+ "ChromeStaticPinning", base::FEATURE_ENABLED_BY_DEFAULT};
+
 const base::Feature kDnsTransactionDynamicTimeouts{
 "DnsTransactionDynamicTimeouts", base::FEATURE_DISABLED_BY_DEFAULT};
diff --git a/chromium/net/base/features.h b/chromium/net/base/features.h
index b97d7dd4ddf..dfc8396ede1 100644
--- a/chromium/net/base/features.h
+++ b/chromium/net/base/features.h
@@ -34,6 +34,8 @@ NET_EXPORT extern const base::Feature kCapReferrerToOriginOnCrossOrigin;
 // Enables TLS 1.3 early data.
 NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;
+NET_EXPORT extern const base::Feature kChromeStaticPinning;
+
 // Support for altering the parameters used for DNS transaction timeout. See
 // ResolveContext::SecureTransactionTimeout().
 NET_EXPORT extern const base::Feature kDnsTransactionDynamicTimeouts;
diff --git a/chromium/net/http/transport_security_state.cc b/chromium/net/http/transport_security_state.cc
index 857a7b4d0cb..86e1c379a95 100644
--- a/chromium/net/http/transport_security_state.cc
+++ b/chromium/net/http/transport_security_state.cc
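Review bot: The `kChromeStaticPinning` declaration added in features.h has no describing comment, unlike the neighbouring `kEnableTLS13EarlyData` and `kDnsTransactionDynamicTimeouts` declarations visible in the same hunk. The name alone does not say that the flag also governs the static Expect-CT list, nor that it only has an effect on builds covered by the `#if` in transport_security_state.cc. I would add `// Keeps the built-in static key pins and static Expect-CT entries active on builds that otherwise turn them off; disable with --disable-features=ChromeStaticPinning.` above it. The commit title speaks of HSTS while the flag name and the members it gates speak of pinning, so the comment should also state which of the two the flag is meant to control.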
@@ -407,8 +407,10 @@ TransportSecurityState::TransportSecurityState(
 // Static pinning is only enabled for official builds to make sure that
 // others don't end up with pins that cannot be easily updated.
 #if !BUILDFLAG(GOOGLE_CHROME_BRANDING) || defined(OS_ANDROID) || defined(OS_IOS)
- enable_static_pins_ = false;
- enable_static_expect_ct_ = false;
+ if (!base::FeatureList::IsEnabled(features::kChromeStaticPinning)) {
+ enable_static_pins_ = false;
+ enable_static_expect_ct_ = false;
+ }
 #endif
 // Check that there no invalid entries in the static HSTS bypass list.
 for (auto& host : hsts_host_bypass_list) { |
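Review bot: The comment kept above the `#if` in the TransportSecurityState constructor now contradicts the code: it says static pinning is only enabled for official builds, but with `kChromeStaticPinning` enabled by default the two assignments are skipped, so `enable_static_pins_` and `enable_static_expect_ct_` keep whatever the initialiser list set (presumably enabled) on every build the `#if` covers, including the OS_ANDROID and OS_IOS branches. The concern that comment records still applies to embedders, because pins compiled into a released library can go stale when the pinned keys rotate and can only be refreshed by shipping a new build; whether a build-age cut-off on the static list still bounds that risk is not visible in this hunk and is worth confirming. I would reword the comment to something like `// Static pins and static Expect-CT stay on unless ChromeStaticPinning is disabled; non-official builds cannot easily update pins, so keep the opt-out.` The constructor starts and continues outside the hunk, so it is also not visible whether base::FeatureList is always initialised before the first TransportSecurityState is constructed.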