1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "services/network/network_context.h"
6
7 #include <memory>
8 #include <string>
9 #include <utility>
10
11 #include "base/barrier_closure.h"
12 #include "base/base64.h"
13 #include "base/bind.h"
14 #include "base/build_time.h"
15 #include "base/command_line.h"
16 #include "base/containers/unique_ptr_adapters.h"
17 #include "base/feature_list.h"
18 #include "base/logging.h"
19 #include "base/memory/ptr_util.h"
20 #include "base/memory/ref_counted.h"
21 #include "base/metrics/histogram_functions.h"
22 #include "base/optional.h"
23 #include "base/sequenced_task_runner.h"
24 #include "base/stl_util.h"
25 #include "base/strings/string_number_conversions.h"
26 #include "base/strings/utf_string_conversions.h"
27 #include "base/task/current_thread.h"
28 #include "base/task/post_task.h"
29 #include "base/task/task_traits.h"
30 #include "base/task/thread_pool.h"
31 #include "base/threading/thread_task_runner_handle.h"
32 #include "build/build_config.h"
33 #include "build/chromecast_buildflags.h"
34 #include "build/chromeos_buildflags.h"
35 #include "components/cookie_config/cookie_store_util.h"
36 #include "components/domain_reliability/monitor.h"
37 #include "components/network_session_configurator/browser/network_session_configurator.h"
38 #include "components/network_session_configurator/common/network_switches.h"
39 #include "components/prefs/json_pref_store.h"
40 #include "components/prefs/pref_registry_simple.h"
41 #include "components/prefs/pref_service.h"
42 #include "components/prefs/pref_service_factory.h"
43 #include "crypto/sha2.h"
44 #include "mojo/public/cpp/bindings/pending_receiver.h"
45 #include "net/base/load_flags.h"
46 #include "net/base/net_errors.h"
47 #include "net/base/network_delegate.h"
48 #include "net/base/network_isolation_key.h"
49 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
50 #include "net/cert/caching_cert_verifier.h"
51 #include "net/cert/cert_verifier.h"
52 #include "net/cert/coalescing_cert_verifier.h"
53 #include "net/cert_net/cert_net_fetcher_url_request.h"
54 #include "net/cookies/cookie_monster.h"
55 #include "net/dns/host_cache.h"
56 #include "net/dns/mapped_host_resolver.h"
57 #include "net/extras/sqlite/sqlite_persistent_cookie_store.h"
58 #include "net/http/http_auth.h"
59 #include "net/http/http_auth_handler_factory.h"
60 #include "net/http/http_auth_preferences.h"
61 #include "net/http/http_cache.h"
62 #include "net/http/http_network_session.h"
63 #include "net/http/http_request_headers.h"
64 #include "net/http/http_server_properties.h"
65 #include "net/http/http_transaction_factory.h"
66 #include "net/proxy_resolution/configured_proxy_resolution_service.h"
67 #include "net/proxy_resolution/proxy_config.h"
68 #include "net/traffic_annotation/network_traffic_annotation.h"
69 #include "net/url_request/report_sender.h"
70 #include "net/url_request/static_http_user_agent_settings.h"
71 #include "net/url_request/url_request.h"
72 #include "net/url_request/url_request_context.h"
73 #include "net/url_request/url_request_context_builder.h"
74 #include "services/network/cookie_manager.h"
75 #include "services/network/cors/cors_url_loader_factory.h"
76 #include "services/network/host_resolver.h"
77 #include "services/network/http_auth_cache_copier.h"
78 #include "services/network/http_server_properties_pref_delegate.h"
79 #include "services/network/ignore_errors_cert_verifier.h"
80 #include "services/network/net_log_exporter.h"
81 #include "services/network/network_service.h"
82 #include "services/network/network_service_network_delegate.h"
83 #include "services/network/network_service_proxy_delegate.h"
84 #include "services/network/network_usage_accumulator.h"
85 #include "services/network/p2p/socket_manager.h"
86 #include "services/network/proxy_config_service_mojo.h"
87 #include "services/network/proxy_lookup_request.h"
88 #include "services/network/proxy_resolving_socket_factory_mojo.h"
89 #include "services/network/public/cpp/cert_verifier/cert_verifier_creation.h"
90 #include "services/network/public/cpp/cert_verifier/mojo_cert_verifier.h"
91 #include "services/network/public/cpp/content_security_policy/content_security_policy.h"
92 #include "services/network/public/cpp/features.h"
93 #include "services/network/public/cpp/network_switches.h"
94 #include "services/network/public/cpp/parsed_headers.h"
95 #include "services/network/public/mojom/network_context.mojom-forward.h"
96 #include "services/network/public/mojom/network_context.mojom.h"
97 #include "services/network/public/mojom/url_loader_factory.mojom.h"
98 #include "services/network/quic_transport.h"
99 #include "services/network/resolve_host_request.h"
100 #include "services/network/resource_scheduler/resource_scheduler_client.h"
101 #include "services/network/restricted_cookie_manager.h"
102 #include "services/network/session_cleanup_cookie_store.h"
103 #include "services/network/ssl_config_service_mojo.h"
104 #include "services/network/throttling/network_conditions.h"
105 #include "services/network/throttling/throttling_controller.h"
106 #include "services/network/throttling/throttling_network_transaction_factory.h"
107 #include "services/network/trust_tokens/expiry_inspecting_record_expiry_delegate.h"
108 #include "services/network/trust_tokens/has_trust_tokens_answerer.h"
109 #include "services/network/trust_tokens/in_memory_trust_token_persister.h"
110 #include "services/network/trust_tokens/pending_trust_token_store.h"
111 #include "services/network/trust_tokens/sqlite_trust_token_persister.h"
112 #include "services/network/trust_tokens/suitable_trust_token_origin.h"
113 #include "services/network/trust_tokens/trust_token_parameterization.h"
114 #include "services/network/trust_tokens/trust_token_store.h"
115 #include "services/network/url_loader.h"
116 #include "services/network/url_request_context_builder_mojo.h"
117
118 #if BUILDFLAG(IS_CT_SUPPORTED)
119 #include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
120 #include "components/certificate_transparency/chrome_require_ct_delegate.h"
121 #include "components/certificate_transparency/ct_known_logs.h"
122 #include "net/cert/ct_log_verifier.h"
123 #include "net/cert/multi_log_ct_verifier.h"
124 #include "services/network/expect_ct_reporter.h"
125 #include "services/network/sct_auditing_cache.h"
126 #endif // BUILDFLAG(IS_CT_SUPPORTED)
127
128 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
129 #include "net/ftp/ftp_auth_cache.h"
130 #endif // !BUILDFLAG(DISABLE_FTP_SUPPORT)
131
132 #if BUILDFLAG(IS_ASH)
133 #include "services/network/cert_verifier_with_trust_anchors.h"
134 #endif // BUILDFLAG(IS_ASH)
135
136 #if !defined(OS_IOS)
137 #include "services/network/websocket_factory.h"
138 #endif // !defined(OS_IOS)
139
140 #if BUILDFLAG(ENABLE_REPORTING)
141 #include "net/base/http_user_agent_settings.h"
142 #include "net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h"
143 #include "net/network_error_logging/network_error_logging_service.h"
144 #include "net/reporting/reporting_browsing_data_remover.h"
145 #include "net/reporting/reporting_policy.h"
146 #include "net/reporting/reporting_report.h"
147 #include "net/reporting/reporting_service.h"
148 #endif // BUILDFLAG(ENABLE_REPORTING)
149
150 #if BUILDFLAG(ENABLE_MDNS)
151 #include "services/network/mdns_responder.h"
152 #endif // BUILDFLAG(ENABLE_MDNS)
153
154 #if defined(OS_ANDROID)
155 #include "base/android/application_status_listener.h"
156 #endif
157
158 namespace network {
159
160 namespace {
161
162 #if BUILDFLAG(IS_CT_SUPPORTED)
163 // A Base-64 encoded DER certificate for use in test Expect-CT reports. The
164 // contents of the certificate don't matter.
165 const char kTestReportCert[] =
166 "MIIDvzCCAqegAwIBAgIBAzANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET"
167 "MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G"
168 "A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE3MDYwNTE3"
169 "MTA0NloXDTI3MDYwMzE3MTA0NlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh"
170 "bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg"
171 "Q0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC"
172 "AQoCggEBALS/0pcz5RNbd2W9cxp1KJtHWea3MOhGM21YW9ofCv/k5C3yHfiJ6GQu"
173 "9sPN16OO1/fN59gOEMPnVtL85ebTTuL/gk0YY4ewo97a7wo3e6y1t0PO8gc53xTp"
174 "w6RBPn5oRzSbe2HEGOYTzrO0puC6A+7k6+eq9G2+l1uqBpdQAdB4uNaSsOTiuUOI"
175 "ta4UZH1ScNQFHAkl1eJPyaiC20Exw75EbwvU/b/B7tlivzuPtQDI0d9dShOtceRL"
176 "X9HZckyD2JNAv2zNL2YOBNa5QygkySX9WXD+PfKpCk7Cm8TenldeXRYl5ni2REkp"
177 "nfa/dPuF1g3xZVjyK9aPEEnIAC2I4i0CAwEAAaOBgDB+MAwGA1UdEwEB/wQCMAAw"
178 "HQYDVR0OBBYEFODc4C8HiHQ6n9Mwo3GK+dal5aZTMB8GA1UdIwQYMBaAFJsmC4qY"
179 "qbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAP"
180 "BgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB6FEQuUDRcC5jkX3aZ"
181 "uuTeZEqMVL7JXgvgFqzXsPb8zIdmxr/tEDfwXx2qDf2Dpxts7Fq4vqUwimK4qV3K"
182 "7heLnWV2+FBvV1eeSfZ7AQj+SURkdlyo42r41+t13QUf+Z0ftR9266LSWLKrukeI"
183 "Mxk73hOkm/u8enhTd00dy/FN9dOFBFHseVMspWNxIkdRILgOmiyfQNRgxNYdOf0e"
184 "EfELR8Hn6WjZ8wAbvO4p7RTrzu1c/RZ0M+NLkID56Brbl70GC2h5681LPwAOaZ7/"
185 "mWQ5kekSyJjmLfF12b+h9RVAt5MrXZgk2vNujssgGf4nbWh4KZyQ6qrs778ZdDLm"
186 "yfUn";
187 #endif // BUILDFLAG(IS_CT_SUPPORTED)
188
189 net::CertVerifier* g_cert_verifier_for_testing = nullptr;
190
191 // A CertVerifier that forwards all requests to |g_cert_verifier_for_testing|.
192 // This is used to allow NetworkContexts to have their own
193 // std::unique_ptr<net::CertVerifier> while forwarding calls to the shared
194 // verifier.
195 class WrappedTestingCertVerifier : public net::CertVerifier {
196 public:
197 ~WrappedTestingCertVerifier() override = default;
198
199 // CertVerifier implementation
Verify(const RequestParams & params,net::CertVerifyResult * verify_result,net::CompletionOnceCallback callback,std::unique_ptr<Request> * out_req,const net::NetLogWithSource & net_log)200 int Verify(const RequestParams& params,
201 net::CertVerifyResult* verify_result,
202 net::CompletionOnceCallback callback,
203 std::unique_ptr<Request>* out_req,
204 const net::NetLogWithSource& net_log) override {
205 verify_result->Reset();
206 if (!g_cert_verifier_for_testing)
207 return net::ERR_FAILED;
208 return g_cert_verifier_for_testing->Verify(
209 params, verify_result, std::move(callback), out_req, net_log);
210 }
SetConfig(const Config & config)211 void SetConfig(const Config& config) override {
212 if (!g_cert_verifier_for_testing)
213 return;
214 g_cert_verifier_for_testing->SetConfig(config);
215 }
216 };
217
218 // Predicate function to determine if the given |domain| matches the
219 // |filter_type| and |filter_domains| from a |mojom::ClearDataFilter|.
MatchesDomainFilter(mojom::ClearDataFilter_Type filter_type,std::set<std::string> filter_domains,const std::string & domain)220 bool MatchesDomainFilter(mojom::ClearDataFilter_Type filter_type,
221 std::set<std::string> filter_domains,
222 const std::string& domain) {
223 bool found_domain = filter_domains.find(domain) != filter_domains.end();
224 return (filter_type == mojom::ClearDataFilter_Type::DELETE_MATCHES) ==
225 found_domain;
226 }
227
228 // Returns a callback that checks if a domain matches the |filter|. |filter|
229 // must contain no origins. A null filter matches everything.
MakeDomainFilter(mojom::ClearDataFilter * filter)230 base::RepeatingCallback<bool(const std::string& host_name)> MakeDomainFilter(
231 mojom::ClearDataFilter* filter) {
232 if (!filter)
233 return base::BindRepeating([](const std::string&) { return true; });
234
235 DCHECK(filter->origins.empty())
236 << "Origin filtering not allowed in a domain-only filter";
237
238 std::set<std::string> filter_domains;
239 filter_domains.insert(filter->domains.begin(), filter->domains.end());
240 return base::BindRepeating(&MatchesDomainFilter, filter->type,
241 std::move(filter_domains));
242 }
243
244 // Predicate function to determine if the given |url| matches the |filter_type|,
245 // |filter_domains| and |filter_origins| from a |mojom::ClearDataFilter|.
MatchesUrlFilter(mojom::ClearDataFilter_Type filter_type,std::set<std::string> filter_domains,std::set<url::Origin> filter_origins,const GURL & url)246 bool MatchesUrlFilter(mojom::ClearDataFilter_Type filter_type,
247 std::set<std::string> filter_domains,
248 std::set<url::Origin> filter_origins,
249 const GURL& url) {
250 std::string url_registrable_domain =
251 net::registry_controlled_domains::GetDomainAndRegistry(
252 url, net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
253 bool found_domain =
254 (filter_domains.find(url_registrable_domain != ""
255 ? url_registrable_domain
256 : url.host()) != filter_domains.end());
257
258 bool found_origin =
259 (filter_origins.find(url::Origin::Create(url)) != filter_origins.end());
260
261 return (filter_type == mojom::ClearDataFilter_Type::DELETE_MATCHES) ==
262 (found_domain || found_origin);
263 }
264
265 // Builds a generic GURL-matching predicate function based on |filter|. If
266 // |filter| is null, creates an always-true predicate.
BuildUrlFilter(mojom::ClearDataFilterPtr filter)267 base::RepeatingCallback<bool(const GURL&)> BuildUrlFilter(
268 mojom::ClearDataFilterPtr filter) {
269 if (!filter) {
270 return base::BindRepeating([](const GURL&) { return true; });
271 }
272
273 std::set<std::string> filter_domains;
274 filter_domains.insert(filter->domains.begin(), filter->domains.end());
275
276 std::set<url::Origin> filter_origins;
277 filter_origins.insert(filter->origins.begin(), filter->origins.end());
278
279 return base::BindRepeating(&MatchesUrlFilter, filter->type,
280 std::move(filter_domains),
281 std::move(filter_origins));
282 }
283
284 #if defined(OS_ANDROID)
285 class NetworkContextApplicationStatusListener
286 : public base::android::ApplicationStatusListener {
287 public:
288 // base::android::ApplicationStatusListener implementation:
SetCallback(const ApplicationStateChangeCallback & callback)289 void SetCallback(const ApplicationStateChangeCallback& callback) override {
290 DCHECK(!callback_);
291 DCHECK(callback);
292 callback_ = callback;
293 }
294
Notify(base::android::ApplicationState state)295 void Notify(base::android::ApplicationState state) override {
296 if (callback_)
297 callback_.Run(state);
298 }
299
300 private:
301 ApplicationStateChangeCallback callback_;
302 };
303 #endif
304
305 struct TestVerifyCertState {
306 net::CertVerifyResult result;
307 std::unique_ptr<net::CertVerifier::Request> request;
308 };
309
TestVerifyCertCallback(std::unique_ptr<TestVerifyCertState> request,NetworkContext::VerifyCertificateForTestingCallback callback,int result)310 void TestVerifyCertCallback(
311 std::unique_ptr<TestVerifyCertState> request,
312 NetworkContext::VerifyCertificateForTestingCallback callback,
313 int result) {
314 std::move(callback).Run(result);
315 }
316
HashesToBase64String(const net::HashValueVector & hashes)317 std::string HashesToBase64String(const net::HashValueVector& hashes) {
318 std::string str;
319 for (size_t i = 0; i != hashes.size(); ++i) {
320 if (i != 0)
321 str += ",";
322 str += hashes[i].ToString();
323 }
324 return str;
325 }
326
327 #if BUILDFLAG(IS_CT_SUPPORTED)
328 // SCTAuditingDelegate is an implementation of the delegate interface that is
329 // aware of per-NetworkContext details (to allow the cache to notify the
330 // associated NetworkContextClient of new reports, and to apply
331 // per-NetworkContext enabled/disabled status for the auditing feature).
332 class SCTAuditingDelegate : public net::SCTAuditingDelegate {
333 public:
334 explicit SCTAuditingDelegate(const base::WeakPtr<NetworkContext>& context);
335 ~SCTAuditingDelegate() override;
336
337 // net::SCTAuditingDelegate:
338 void MaybeEnqueueReport(
339 const net::HostPortPair& host_port_pair,
340 const net::X509Certificate* validated_certificate_chain,
341 const net::SignedCertificateTimestampAndStatusList&
342 signed_certificate_timestamps) override;
343 bool IsSCTAuditingEnabled() override;
344
345 private:
346 base::WeakPtr<NetworkContext> context_;
347 };
348
SCTAuditingDelegate(const base::WeakPtr<NetworkContext> & context)349 SCTAuditingDelegate::SCTAuditingDelegate(
350 const base::WeakPtr<NetworkContext>& context)
351 : context_(context) {}
352
353 SCTAuditingDelegate::~SCTAuditingDelegate() = default;
354
MaybeEnqueueReport(const net::HostPortPair & host_port_pair,const net::X509Certificate * validated_certificate_chain,const net::SignedCertificateTimestampAndStatusList & signed_certificate_timestamps)355 void SCTAuditingDelegate::MaybeEnqueueReport(
356 const net::HostPortPair& host_port_pair,
357 const net::X509Certificate* validated_certificate_chain,
358 const net::SignedCertificateTimestampAndStatusList&
359 signed_certificate_timestamps) {
360 if (!context_)
361 return;
362 context_->MaybeEnqueueSCTReport(host_port_pair, validated_certificate_chain,
363 signed_certificate_timestamps);
364 }
365
IsSCTAuditingEnabled()366 bool SCTAuditingDelegate::IsSCTAuditingEnabled() {
367 if (!context_)
368 return false;
369 return context_->is_sct_auditing_enabled();
370 }
371 #endif // BUILDFLAG(IS_CT_SUPPORTED)
372
373 } // namespace
374
375 constexpr uint32_t NetworkContext::kMaxOutstandingRequestsPerProcess;
376
377 NetworkContext::PendingCertVerify::PendingCertVerify() = default;
378 NetworkContext::PendingCertVerify::~PendingCertVerify() = default;
379
380 // net::NetworkDelegate that wraps
NetworkContext(NetworkService * network_service,mojo::PendingReceiver<mojom::NetworkContext> receiver,mojom::NetworkContextParamsPtr params,OnConnectionCloseCallback on_connection_close_callback)381 NetworkContext::NetworkContext(
382 NetworkService* network_service,
383 mojo::PendingReceiver<mojom::NetworkContext> receiver,
384 mojom::NetworkContextParamsPtr params,
385 OnConnectionCloseCallback on_connection_close_callback)
386 : network_service_(network_service),
387 url_request_context_(nullptr),
388 params_(std::move(params)),
389 on_connection_close_callback_(std::move(on_connection_close_callback)),
390 #if defined(OS_ANDROID)
391 app_status_listener_(
392 std::make_unique<NetworkContextApplicationStatusListener>()),
393 #endif
394 receiver_(this, std::move(receiver)),
395 cors_preflight_controller_(network_service) {
396 mojo::PendingRemote<mojom::URLLoaderFactory>
397 url_loader_factory_for_cert_net_fetcher;
398 mojo::PendingReceiver<mojom::URLLoaderFactory>
399 url_loader_factory_for_cert_net_fetcher_receiver =
400 url_loader_factory_for_cert_net_fetcher
401 .InitWithNewPipeAndPassReceiver();
402
403 scoped_refptr<SessionCleanupCookieStore> session_cleanup_cookie_store =
404 MakeSessionCleanupCookieStore();
405
406 url_request_context_owner_ =
407 MakeURLRequestContext(std::move(url_loader_factory_for_cert_net_fetcher),
408 session_cleanup_cookie_store);
409 url_request_context_ = url_request_context_owner_.url_request_context.get();
410 cookie_manager_ = std::make_unique<CookieManager>(
411 url_request_context_, network_service_->preloaded_first_party_sets(),
412 std::move(session_cleanup_cookie_store),
413 std::move(params_->cookie_manager_params));
414
415 network_service_->RegisterNetworkContext(this);
416
417 // Only register for destruction if |this| will be wholly lifetime-managed
418 // by the NetworkService. In the other constructors, lifetime is shared with
419 // other consumers, and thus self-deletion is not safe and can result in
420 // double-frees.
421 receiver_.set_disconnect_handler(base::BindOnce(
422 &NetworkContext::OnConnectionError, base::Unretained(this)));
423
424 socket_factory_ = std::make_unique<SocketFactory>(
425 url_request_context_->net_log(), url_request_context_);
426 resource_scheduler_ = std::make_unique<ResourceScheduler>();
427
428 origin_policy_manager_ = std::make_unique<OriginPolicyManager>(this);
429
430 if (params_->http_auth_static_network_context_params) {
431 http_auth_merged_preferences_.SetAllowDefaultCredentials(
432 params_->http_auth_static_network_context_params
433 ->allow_default_credentials);
434 }
435
436 InitializeCorsParams();
437
438 SetSplitAuthCacheByNetworkIsolationKey(
439 params_->split_auth_cache_by_network_isolation_key);
440
441 #if BUILDFLAG(IS_CT_SUPPORTED)
442 if (params_->ct_policy)
443 SetCTPolicy(std::move(params_->ct_policy));
444 SetSCTAuditingEnabled(params_->enable_sct_auditing);
445 #endif
446
447 #if defined(OS_ANDROID)
448 if (params_->cookie_manager)
449 GetCookieManager(std::move(params_->cookie_manager));
450 #endif
451
452 CreateURLLoaderFactoryForCertNetFetcher(
453 std::move(url_loader_factory_for_cert_net_fetcher_receiver));
454 }
455
NetworkContext(NetworkService * network_service,mojo::PendingReceiver<mojom::NetworkContext> receiver,net::URLRequestContext * url_request_context,const std::vector<std::string> & cors_exempt_header_list)456 NetworkContext::NetworkContext(
457 NetworkService* network_service,
458 mojo::PendingReceiver<mojom::NetworkContext> receiver,
459 net::URLRequestContext* url_request_context,
460 const std::vector<std::string>& cors_exempt_header_list)
461 : network_service_(network_service),
462 url_request_context_(url_request_context),
463 #if defined(OS_ANDROID)
464 app_status_listener_(
465 std::make_unique<NetworkContextApplicationStatusListener>()),
466 #endif
467 receiver_(this, std::move(receiver)),
468 cookie_manager_(std::make_unique<CookieManager>(
469 url_request_context,
470 nullptr,
471 nullptr /* preloaded_first_party_sets */,
472 nullptr)),
473 socket_factory_(
474 std::make_unique<SocketFactory>(url_request_context_->net_log(),
475 url_request_context)),
476 cors_preflight_controller_(network_service) {
477 // May be nullptr in tests.
478 if (network_service_)
479 network_service_->RegisterNetworkContext(this);
480 resource_scheduler_ = std::make_unique<ResourceScheduler>();
481
482 for (const auto& key : cors_exempt_header_list)
483 cors_exempt_header_list_.insert(key);
484
485 origin_policy_manager_ = std::make_unique<OriginPolicyManager>(this);
486 }
487
~NetworkContext()488 NetworkContext::~NetworkContext() {
489 // May be nullptr in tests.
490 if (network_service_)
491 network_service_->DeregisterNetworkContext(this);
492
493 if (cert_net_fetcher_)
494 cert_net_fetcher_->Shutdown();
495
496 if (domain_reliability_monitor_)
497 domain_reliability_monitor_->Shutdown();
498 // Because of the order of declaration in the class,
499 // domain_reliability_monitor_ will be destroyed before
500 // |url_loader_factories_| which could own URLLoader's whose destructor call
501 // back into this class and might use domain_reliability_monitor_. So we reset
502 // |domain_reliability_monitor_| here explicitly, instead of changing the
503 // order, because any work calling into |domain_reliability_monitor_| at
504 // shutdown would be unnecessary as the reports would be thrown out.
505 domain_reliability_monitor_.reset();
506
507 if (url_request_context_ &&
508 url_request_context_->transport_security_state()) {
509 if (certificate_report_sender_) {
510 // Destroy |certificate_report_sender_| before |url_request_context_|,
511 // since the former has a reference to the latter.
512 url_request_context_->transport_security_state()->SetReportSender(
513 nullptr);
514 certificate_report_sender_.reset();
515 }
516
517 #if BUILDFLAG(IS_CT_SUPPORTED)
518 if (expect_ct_reporter_) {
519 url_request_context_->transport_security_state()->SetExpectCTReporter(
520 nullptr);
521 expect_ct_reporter_.reset();
522 }
523
524 if (require_ct_delegate_) {
525 url_request_context_->transport_security_state()->SetRequireCTDelegate(
526 nullptr);
527 }
528 #endif // BUILDFLAG(IS_CT_SUPPORTED)
529 }
530 }
531
532 // static
SetCertVerifierForTesting(net::CertVerifier * cert_verifier)533 void NetworkContext::SetCertVerifierForTesting(
534 net::CertVerifier* cert_verifier) {
535 g_cert_verifier_for_testing = cert_verifier;
536 }
537
CreateURLLoaderFactory(mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,mojom::URLLoaderFactoryParamsPtr params,scoped_refptr<ResourceSchedulerClient> resource_scheduler_client)538 void NetworkContext::CreateURLLoaderFactory(
539 mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,
540 mojom::URLLoaderFactoryParamsPtr params,
541 scoped_refptr<ResourceSchedulerClient> resource_scheduler_client) {
542 url_loader_factories_.emplace(std::make_unique<cors::CorsURLLoaderFactory>(
543 this, std::move(params), std::move(resource_scheduler_client),
544 std::move(receiver), &cors_origin_access_list_));
545 }
546
CreateURLLoaderFactoryForCertNetFetcher(mojo::PendingReceiver<mojom::URLLoaderFactory> factory_receiver)547 void NetworkContext::CreateURLLoaderFactoryForCertNetFetcher(
548 mojo::PendingReceiver<mojom::URLLoaderFactory> factory_receiver) {
549 // TODO(crbug.com/1087790): investigate changing these params.
550 auto url_loader_factory_params = mojom::URLLoaderFactoryParams::New();
551 url_loader_factory_params->is_trusted = true;
552 url_loader_factory_params->process_id = mojom::kBrowserProcessId;
553 url_loader_factory_params->automatically_assign_isolation_info = true;
554 url_loader_factory_params->is_corb_enabled = false;
555 CreateURLLoaderFactory(std::move(factory_receiver),
556 std::move(url_loader_factory_params));
557 }
558
ActivateDohProbes()559 void NetworkContext::ActivateDohProbes() {
560 DCHECK(url_request_context_->host_resolver());
561
562 doh_probes_request_.reset();
563 doh_probes_request_ =
564 url_request_context_->host_resolver()->CreateDohProbeRequest();
565 doh_probes_request_->Start();
566 }
567
SetClient(mojo::PendingRemote<mojom::NetworkContextClient> client)568 void NetworkContext::SetClient(
569 mojo::PendingRemote<mojom::NetworkContextClient> client) {
570 client_.reset();
571 client_.Bind(std::move(client));
572 }
573
CreateURLLoaderFactory(mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,mojom::URLLoaderFactoryParamsPtr params)574 void NetworkContext::CreateURLLoaderFactory(
575 mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,
576 mojom::URLLoaderFactoryParamsPtr params) {
577 scoped_refptr<ResourceSchedulerClient> resource_scheduler_client;
578 resource_scheduler_client = base::MakeRefCounted<ResourceSchedulerClient>(
579 params->process_id, ++current_resource_scheduler_client_id_,
580 resource_scheduler_.get(),
581 url_request_context_->network_quality_estimator());
582 CreateURLLoaderFactory(std::move(receiver), std::move(params),
583 std::move(resource_scheduler_client));
584 }
585
ResetURLLoaderFactories()586 void NetworkContext::ResetURLLoaderFactories() {
587 // Move all factories to a temporary vector so ClearBindings() does not
588 // invalidate the iterator if the factory gets deleted.
589 std::vector<cors::CorsURLLoaderFactory*> factories;
590 factories.reserve(url_loader_factories_.size());
591 for (const auto& factory : url_loader_factories_)
592 factories.push_back(factory.get());
593 for (auto* factory : factories)
594 factory->ClearBindings();
595 }
596
GetCookieManager(mojo::PendingReceiver<mojom::CookieManager> receiver)597 void NetworkContext::GetCookieManager(
598 mojo::PendingReceiver<mojom::CookieManager> receiver) {
599 cookie_manager_->AddReceiver(std::move(receiver));
600 }
601
GetRestrictedCookieManager(mojo::PendingReceiver<mojom::RestrictedCookieManager> receiver,mojom::RestrictedCookieManagerRole role,const url::Origin & origin,const net::SiteForCookies & site_for_cookies,const url::Origin & top_frame_origin,mojo::PendingRemote<mojom::CookieAccessObserver> cookie_observer)602 void NetworkContext::GetRestrictedCookieManager(
603 mojo::PendingReceiver<mojom::RestrictedCookieManager> receiver,
604 mojom::RestrictedCookieManagerRole role,
605 const url::Origin& origin,
606 const net::SiteForCookies& site_for_cookies,
607 const url::Origin& top_frame_origin,
608 mojo::PendingRemote<mojom::CookieAccessObserver> cookie_observer) {
609 mojom::NetworkServiceClient* network_service_client = nullptr;
610 if (network_service())
611 network_service_client = network_service()->client();
612
613 restricted_cookie_manager_receivers_.Add(
614 std::make_unique<RestrictedCookieManager>(
615 role, url_request_context_->cookie_store(),
616 &cookie_manager_->cookie_settings(), origin, site_for_cookies,
617 top_frame_origin, std::move(cookie_observer)),
618 std::move(receiver));
619 }
620
GetHasTrustTokensAnswerer(mojo::PendingReceiver<mojom::HasTrustTokensAnswerer> receiver,const url::Origin & top_frame_origin)621 void NetworkContext::GetHasTrustTokensAnswerer(
622 mojo::PendingReceiver<mojom::HasTrustTokensAnswerer> receiver,
623 const url::Origin& top_frame_origin) {
624 // Only called when Trust Tokens is enabled, i.e. trust_token_store_ is
625 // non-null.
626 DCHECK(trust_token_store_);
627
628 base::Optional<SuitableTrustTokenOrigin> suitable_top_frame_origin =
629 SuitableTrustTokenOrigin::Create(top_frame_origin);
630
631 // It's safe to dereference |suitable_top_frame_origin| here as, during the
632 // process of vending the HasTrustTokensAnswerer, the browser ensures that
633 // the requesting context's top frame origin is suitable for Trust Tokens.
634 auto answerer = std::make_unique<HasTrustTokensAnswerer>(
635 std::move(*suitable_top_frame_origin), trust_token_store_.get());
636
637 has_trust_tokens_answerers_.Add(std::move(answerer), std::move(receiver));
638 }
639
OnProxyLookupComplete(ProxyLookupRequest * proxy_lookup_request)640 void NetworkContext::OnProxyLookupComplete(
641 ProxyLookupRequest* proxy_lookup_request) {
642 auto it = proxy_lookup_requests_.find(proxy_lookup_request);
643 DCHECK(it != proxy_lookup_requests_.end());
644 proxy_lookup_requests_.erase(it);
645 }
646
DisableQuic()647 void NetworkContext::DisableQuic() {
648 url_request_context_->http_transaction_factory()->GetSession()->DisableQuic();
649 }
650
DestroyURLLoaderFactory(cors::CorsURLLoaderFactory * url_loader_factory)651 void NetworkContext::DestroyURLLoaderFactory(
652 cors::CorsURLLoaderFactory* url_loader_factory) {
653 const int32_t process_id = url_loader_factory->process_id();
654
655 auto it = url_loader_factories_.find(url_loader_factory);
656 DCHECK(it != url_loader_factories_.end());
657 url_loader_factories_.erase(it);
658
659 // Reset bytes transferred for the process if |url_loader_factory| is the
660 // last factory associated with the process.
661 if (network_service() &&
662 std::none_of(url_loader_factories_.cbegin(), url_loader_factories_.cend(),
663 [process_id](const auto& factory) {
664 return factory->process_id() == process_id;
665 })) {
666 network_service()
667 ->network_usage_accumulator()
668 ->ClearBytesTransferredForProcess(process_id);
669 }
670 }
671
Remove(QuicTransport * transport)672 void NetworkContext::Remove(QuicTransport* transport) {
673 auto it = quic_transports_.find(transport);
674 if (it != quic_transports_.end()) {
675 quic_transports_.erase(it);
676 }
677 }
678
LoaderCreated(uint32_t process_id)679 void NetworkContext::LoaderCreated(uint32_t process_id) {
680 loader_count_per_process_[process_id] += 1;
681 }
682
LoaderDestroyed(uint32_t process_id)683 void NetworkContext::LoaderDestroyed(uint32_t process_id) {
684 auto it = loader_count_per_process_.find(process_id);
685 DCHECK(it != loader_count_per_process_.end());
686 it->second -= 1;
687 if (it->second == 0)
688 loader_count_per_process_.erase(it);
689 }
690
CanCreateLoader(uint32_t process_id)691 bool NetworkContext::CanCreateLoader(uint32_t process_id) {
692 auto it = loader_count_per_process_.find(process_id);
693 uint32_t count = (it == loader_count_per_process_.end() ? 0 : it->second);
694 return count < max_loaders_per_process_;
695 }
696
GetNumOutstandingResolveHostRequestsForTesting() const697 size_t NetworkContext::GetNumOutstandingResolveHostRequestsForTesting() const {
698 size_t sum = 0;
699 if (internal_host_resolver_)
700 sum += internal_host_resolver_->GetNumOutstandingRequestsForTesting();
701 for (const auto& host_resolver : host_resolvers_)
702 sum += host_resolver.first->GetNumOutstandingRequestsForTesting();
703 return sum;
704 }
705
SkipReportingPermissionCheck() const706 bool NetworkContext::SkipReportingPermissionCheck() const {
707 return params_ && params_->skip_reporting_send_permission_check;
708 }
709
ClearTrustTokenData(mojom::ClearDataFilterPtr filter,base::OnceClosure done)710 void NetworkContext::ClearTrustTokenData(mojom::ClearDataFilterPtr filter,
711 base::OnceClosure done) {
712 if (!trust_token_store_) {
713 std::move(done).Run();
714 return;
715 }
716 trust_token_store_->ExecuteOrEnqueue(base::BindOnce(
717 [](mojom::ClearDataFilterPtr filter, base::OnceClosure done,
718 TrustTokenStore* store) {
719 ignore_result(store->ClearDataForFilter(std::move(filter)));
720 std::move(done).Run();
721 },
722 std::move(filter), std::move(done)));
723 }
724
ClearNetworkingHistoryBetween(base::Time start_time,base::Time end_time,base::OnceClosure completion_callback)725 void NetworkContext::ClearNetworkingHistoryBetween(
726 base::Time start_time,
727 base::Time end_time,
728 base::OnceClosure completion_callback) {
729 auto barrier = base::BarrierClosure(2, std::move(completion_callback));
730
731 url_request_context_->transport_security_state()->DeleteAllDynamicDataBetween(
732 start_time, end_time, barrier);
733
734 // TODO(mmenke): Neither of these methods waits until the changes have been
735 // commited to disk. They probably should, as most similar methods net/
736 // exposes do.
737 // May not be set in all tests.
738 if (network_qualities_pref_delegate_)
739 network_qualities_pref_delegate_->ClearPrefs();
740
741 url_request_context_->http_server_properties()->Clear(barrier);
742 }
743
ClearHttpCache(base::Time start_time,base::Time end_time,mojom::ClearDataFilterPtr filter,ClearHttpCacheCallback callback)744 void NetworkContext::ClearHttpCache(base::Time start_time,
745 base::Time end_time,
746 mojom::ClearDataFilterPtr filter,
747 ClearHttpCacheCallback callback) {
748 // It's safe to use Unretained below as the HttpCacheDataRemover is owned by
749 // |this| and guarantees it won't call its callback if deleted.
750 http_cache_data_removers_.push_back(HttpCacheDataRemover::CreateAndStart(
751 url_request_context_, std::move(filter), start_time, end_time,
752 base::BindOnce(&NetworkContext::OnHttpCacheCleared,
753 base::Unretained(this), std::move(callback))));
754 }
755
ComputeHttpCacheSize(base::Time start_time,base::Time end_time,ComputeHttpCacheSizeCallback callback)756 void NetworkContext::ComputeHttpCacheSize(
757 base::Time start_time,
758 base::Time end_time,
759 ComputeHttpCacheSizeCallback callback) {
760 // It's safe to use Unretained below as the HttpCacheDataCounter is owned by
761 // |this| and guarantees it won't call its callback if deleted.
762 http_cache_data_counters_.push_back(HttpCacheDataCounter::CreateAndStart(
763 url_request_context_, start_time, end_time,
764 base::BindOnce(&NetworkContext::OnHttpCacheSizeComputed,
765 base::Unretained(this), std::move(callback))));
766 }
767
ClearHostCache(mojom::ClearDataFilterPtr filter,ClearHostCacheCallback callback)768 void NetworkContext::ClearHostCache(mojom::ClearDataFilterPtr filter,
769 ClearHostCacheCallback callback) {
770 net::HostCache* host_cache =
771 url_request_context_->host_resolver()->GetHostCache();
772 DCHECK(host_cache);
773 host_cache->ClearForHosts(MakeDomainFilter(filter.get()));
774 std::move(callback).Run();
775 }
776
ClearHttpAuthCache(base::Time start_time,base::Time end_time,ClearHttpAuthCacheCallback callback)777 void NetworkContext::ClearHttpAuthCache(base::Time start_time,
778 base::Time end_time,
779 ClearHttpAuthCacheCallback callback) {
780 net::HttpNetworkSession* http_session =
781 url_request_context_->http_transaction_factory()->GetSession();
782 DCHECK(http_session);
783
784 http_session->http_auth_cache()->ClearEntriesAddedBetween(start_time,
785 end_time);
786 // TODO(mmenke): Use another error code for this, as ERR_ABORTED has somewhat
787 // magical handling with respect to navigations.
788 http_session->CloseAllConnections(net::ERR_ABORTED, "Clearing auth cache");
789
790 std::move(callback).Run();
791 }
792
793 #if BUILDFLAG(ENABLE_REPORTING)
ClearReportingCacheReports(mojom::ClearDataFilterPtr filter,ClearReportingCacheReportsCallback callback)794 void NetworkContext::ClearReportingCacheReports(
795 mojom::ClearDataFilterPtr filter,
796 ClearReportingCacheReportsCallback callback) {
797 net::ReportingService* reporting_service =
798 url_request_context_->reporting_service();
799 if (reporting_service) {
800 if (filter) {
801 reporting_service->RemoveBrowsingData(
802 net::ReportingBrowsingDataRemover::DATA_TYPE_REPORTS,
803 BuildUrlFilter(std::move(filter)));
804 } else {
805 reporting_service->RemoveAllBrowsingData(
806 net::ReportingBrowsingDataRemover::DATA_TYPE_REPORTS);
807 }
808 }
809
810 std::move(callback).Run();
811 }
812
ClearReportingCacheClients(mojom::ClearDataFilterPtr filter,ClearReportingCacheClientsCallback callback)813 void NetworkContext::ClearReportingCacheClients(
814 mojom::ClearDataFilterPtr filter,
815 ClearReportingCacheClientsCallback callback) {
816 net::ReportingService* reporting_service =
817 url_request_context_->reporting_service();
818 if (reporting_service) {
819 if (filter) {
820 reporting_service->RemoveBrowsingData(
821 net::ReportingBrowsingDataRemover::DATA_TYPE_CLIENTS,
822 BuildUrlFilter(std::move(filter)));
823 } else {
824 reporting_service->RemoveAllBrowsingData(
825 net::ReportingBrowsingDataRemover::DATA_TYPE_CLIENTS);
826 }
827 }
828
829 std::move(callback).Run();
830 }
831
ClearNetworkErrorLogging(mojom::ClearDataFilterPtr filter,ClearNetworkErrorLoggingCallback callback)832 void NetworkContext::ClearNetworkErrorLogging(
833 mojom::ClearDataFilterPtr filter,
834 ClearNetworkErrorLoggingCallback callback) {
835 net::NetworkErrorLoggingService* logging_service =
836 url_request_context_->network_error_logging_service();
837 if (logging_service) {
838 if (filter) {
839 logging_service->RemoveBrowsingData(BuildUrlFilter(std::move(filter)));
840 } else {
841 logging_service->RemoveAllBrowsingData();
842 }
843 }
844
845 std::move(callback).Run();
846 }
847
QueueReport(const std::string & type,const std::string & group,const GURL & url,const net::NetworkIsolationKey & network_isolation_key,const base::Optional<std::string> & user_agent,base::Value body)848 void NetworkContext::QueueReport(
849 const std::string& type,
850 const std::string& group,
851 const GURL& url,
852 const net::NetworkIsolationKey& network_isolation_key,
853 const base::Optional<std::string>& user_agent,
854 base::Value body) {
855 // TODO(mmenke): Once all callers have been updated to send a
856 // NetworkIsolationKey, DCHECK network_isolation_key() is not null, when
857 // require_network_isolation_key() is set on the URLRequestContext.
858 DCHECK(body.is_dict());
859 if (!body.is_dict())
860 return;
861
862 // Get the ReportingService.
863 net::URLRequestContext* request_context = url_request_context();
864 net::ReportingService* reporting_service =
865 request_context->reporting_service();
866 // TODO(paulmeyer): Remove this once the network service ships everywhere.
867 if (!reporting_service) {
868 net::ReportingReport::RecordReportDiscardedForNoReportingService();
869 return;
870 }
871
872 std::string reported_user_agent = user_agent.value_or("");
873 if (reported_user_agent.empty() &&
874 request_context->http_user_agent_settings() != nullptr) {
875 reported_user_agent =
876 request_context->http_user_agent_settings()->GetUserAgent();
877 }
878
879 reporting_service->QueueReport(
880 url, network_isolation_key, reported_user_agent, group, type,
881 base::Value::ToUniquePtrValue(std::move(body)), 0 /* depth */);
882 }
883
QueueSignedExchangeReport(mojom::SignedExchangeReportPtr report,const net::NetworkIsolationKey & network_isolation_key)884 void NetworkContext::QueueSignedExchangeReport(
885 mojom::SignedExchangeReportPtr report,
886 const net::NetworkIsolationKey& network_isolation_key) {
887 // TODO(mmenke): Once all callers have been updated to send a
888 // NetworkIsolationKey, DCHECK network_isolation_key() is not null, when
889 // require_network_isolation_key() is set on the URLRequestContext.
890
891 net::URLRequestContext* request_context = url_request_context();
892 net::NetworkErrorLoggingService* logging_service =
893 request_context->network_error_logging_service();
894 if (!logging_service)
895 return;
896 std::string user_agent;
897 if (request_context->http_user_agent_settings() != nullptr) {
898 user_agent = request_context->http_user_agent_settings()->GetUserAgent();
899 }
900 net::NetworkErrorLoggingService::SignedExchangeReportDetails details;
901 details.network_isolation_key = network_isolation_key;
902 details.success = report->success;
903 details.type = std::move(report->type);
904 details.outer_url = std::move(report->outer_url);
905 details.inner_url = std::move(report->inner_url);
906 details.cert_url = std::move(report->cert_url);
907 details.referrer = std::move(report->referrer);
908 details.server_ip_address = std::move(report->server_ip_address);
909 details.protocol = std::move(report->protocol);
910 details.method = std::move(report->method);
911 details.status_code = report->status_code;
912 details.elapsed_time = report->elapsed_time;
913 details.user_agent = std::move(user_agent);
914 logging_service->QueueSignedExchangeReport(std::move(details));
915 }
916
917 #else // BUILDFLAG(ENABLE_REPORTING)
ClearReportingCacheReports(mojom::ClearDataFilterPtr filter,ClearReportingCacheReportsCallback callback)918 void NetworkContext::ClearReportingCacheReports(
919 mojom::ClearDataFilterPtr filter,
920 ClearReportingCacheReportsCallback callback) {
921 NOTREACHED();
922 }
923
ClearReportingCacheClients(mojom::ClearDataFilterPtr filter,ClearReportingCacheClientsCallback callback)924 void NetworkContext::ClearReportingCacheClients(
925 mojom::ClearDataFilterPtr filter,
926 ClearReportingCacheClientsCallback callback) {
927 NOTREACHED();
928 }
929
ClearNetworkErrorLogging(mojom::ClearDataFilterPtr filter,ClearNetworkErrorLoggingCallback callback)930 void NetworkContext::ClearNetworkErrorLogging(
931 mojom::ClearDataFilterPtr filter,
932 ClearNetworkErrorLoggingCallback callback) {
933 NOTREACHED();
934 }
935
QueueReport(const std::string & type,const std::string & group,const GURL & url,const net::NetworkIsolationKey & network_isolation_key,const base::Optional<std::string> & user_agent,base::Value body)936 void NetworkContext::QueueReport(
937 const std::string& type,
938 const std::string& group,
939 const GURL& url,
940 const net::NetworkIsolationKey& network_isolation_key,
941 const base::Optional<std::string>& user_agent,
942 base::Value body) {
943 NOTREACHED();
944 }
945
QueueSignedExchangeReport(mojom::SignedExchangeReportPtr report,const net::NetworkIsolationKey & network_isolation_key)946 void NetworkContext::QueueSignedExchangeReport(
947 mojom::SignedExchangeReportPtr report,
948 const net::NetworkIsolationKey& network_isolation_key) {
949 NOTREACHED();
950 }
951 #endif // BUILDFLAG(ENABLE_REPORTING)
952
ClearDomainReliability(mojom::ClearDataFilterPtr filter,DomainReliabilityClearMode mode,ClearDomainReliabilityCallback callback)953 void NetworkContext::ClearDomainReliability(
954 mojom::ClearDataFilterPtr filter,
955 DomainReliabilityClearMode mode,
956 ClearDomainReliabilityCallback callback) {
957 if (domain_reliability_monitor_) {
958 domain_reliability::DomainReliabilityClearMode dr_mode;
959 if (mode ==
960 mojom::NetworkContext::DomainReliabilityClearMode::CLEAR_CONTEXTS) {
961 dr_mode = domain_reliability::CLEAR_CONTEXTS;
962 } else {
963 dr_mode = domain_reliability::CLEAR_BEACONS;
964 }
965
966 domain_reliability_monitor_->ClearBrowsingData(
967 dr_mode, BuildUrlFilter(std::move(filter)));
968 }
969 std::move(callback).Run();
970 }
971
GetDomainReliabilityJSON(GetDomainReliabilityJSONCallback callback)972 void NetworkContext::GetDomainReliabilityJSON(
973 GetDomainReliabilityJSONCallback callback) {
974 if (!domain_reliability_monitor_) {
975 base::DictionaryValue data;
976 data.SetString("error", "no_service");
977 std::move(callback).Run(std::move(data));
978 return;
979 }
980
981 std::move(callback).Run(
982 std::move(*domain_reliability_monitor_->GetWebUIData()));
983 }
984
CloseAllConnections(CloseAllConnectionsCallback callback)985 void NetworkContext::CloseAllConnections(CloseAllConnectionsCallback callback) {
986 net::HttpNetworkSession* http_session =
987 url_request_context_->http_transaction_factory()->GetSession();
988 DCHECK(http_session);
989
990 // TODO(mmenke): Use another error code for this, as ERR_ABORTED has somewhat
991 // magical handling with respect to navigations.
992 http_session->CloseAllConnections(net::ERR_ABORTED,
993 "Embedder closing all connections");
994
995 std::move(callback).Run();
996 }
997
CloseIdleConnections(CloseIdleConnectionsCallback callback)998 void NetworkContext::CloseIdleConnections(
999 CloseIdleConnectionsCallback callback) {
1000 net::HttpNetworkSession* http_session =
1001 url_request_context_->http_transaction_factory()->GetSession();
1002 DCHECK(http_session);
1003
1004 http_session->CloseIdleConnections("Embedder closing idle connections");
1005
1006 std::move(callback).Run();
1007 }
1008
SetNetworkConditions(const base::UnguessableToken & throttling_profile_id,mojom::NetworkConditionsPtr conditions)1009 void NetworkContext::SetNetworkConditions(
1010 const base::UnguessableToken& throttling_profile_id,
1011 mojom::NetworkConditionsPtr conditions) {
1012 std::unique_ptr<NetworkConditions> network_conditions;
1013 if (conditions) {
1014 network_conditions.reset(new NetworkConditions(
1015 conditions->offline, conditions->latency.InMillisecondsF(),
1016 conditions->download_throughput, conditions->upload_throughput));
1017 }
1018 ThrottlingController::SetConditions(throttling_profile_id,
1019 std::move(network_conditions));
1020 }
1021
SetAcceptLanguage(const std::string & new_accept_language)1022 void NetworkContext::SetAcceptLanguage(const std::string& new_accept_language) {
1023 // This may only be called on NetworkContexts created with the constructor
1024 // that calls MakeURLRequestContext().
1025 DCHECK(user_agent_settings_);
1026 user_agent_settings_->set_accept_language(new_accept_language);
1027 }
1028
SetEnableReferrers(bool enable_referrers)1029 void NetworkContext::SetEnableReferrers(bool enable_referrers) {
1030 // This may only be called on NetworkContexts created with the constructor
1031 // that calls MakeURLRequestContext().
1032 DCHECK(network_delegate_);
1033 network_delegate_->set_enable_referrers(enable_referrers);
1034 }
1035
1036 #if BUILDFLAG(IS_ASH)
UpdateAdditionalCertificates(mojom::AdditionalCertificatesPtr additional_certificates)1037 void NetworkContext::UpdateAdditionalCertificates(
1038 mojom::AdditionalCertificatesPtr additional_certificates) {
1039 if (!cert_verifier_with_trust_anchors_) {
1040 CHECK(g_cert_verifier_for_testing);
1041 return;
1042 }
1043 if (!additional_certificates) {
1044 cert_verifier_with_trust_anchors_->SetAdditionalCerts(
1045 net::CertificateList(), net::CertificateList());
1046 return;
1047 }
1048
1049 cert_verifier_with_trust_anchors_->SetAdditionalCerts(
1050 additional_certificates->trust_anchors,
1051 additional_certificates->all_certificates);
1052 }
1053 #endif // BUILDFLAG(IS_ASH)
1054
1055 #if BUILDFLAG(IS_CT_SUPPORTED)
SetCTPolicy(mojom::CTPolicyPtr ct_policy)1056 void NetworkContext::SetCTPolicy(mojom::CTPolicyPtr ct_policy) {
1057 if (!require_ct_delegate_)
1058 return;
1059
1060 require_ct_delegate_->UpdateCTPolicies(
1061 ct_policy->required_hosts, ct_policy->excluded_hosts,
1062 ct_policy->excluded_spkis, ct_policy->excluded_legacy_spkis);
1063 }
1064
AddExpectCT(const std::string & domain,base::Time expiry,bool enforce,const GURL & report_uri,const net::NetworkIsolationKey & network_isolation_key,AddExpectCTCallback callback)1065 void NetworkContext::AddExpectCT(
1066 const std::string& domain,
1067 base::Time expiry,
1068 bool enforce,
1069 const GURL& report_uri,
1070 const net::NetworkIsolationKey& network_isolation_key,
1071 AddExpectCTCallback callback) {
1072 net::TransportSecurityState* transport_security_state =
1073 url_request_context()->transport_security_state();
1074 if (!transport_security_state) {
1075 std::move(callback).Run(false);
1076 return;
1077 }
1078
1079 transport_security_state->AddExpectCT(domain, expiry, enforce, report_uri,
1080 network_isolation_key);
1081 std::move(callback).Run(true);
1082 }
1083
SetExpectCTTestReport(const GURL & report_uri,SetExpectCTTestReportCallback callback)1084 void NetworkContext::SetExpectCTTestReport(
1085 const GURL& report_uri,
1086 SetExpectCTTestReportCallback callback) {
1087 std::string decoded_dummy_cert;
1088 DCHECK(base::Base64Decode(kTestReportCert, &decoded_dummy_cert));
1089 scoped_refptr<net::X509Certificate> dummy_cert =
1090 net::X509Certificate::CreateFromBytes(decoded_dummy_cert.data(),
1091 decoded_dummy_cert.size());
1092
1093 LazyCreateExpectCTReporter(url_request_context());
1094
1095 // We need to save |callback| into a queue because this implementation is
1096 // relying on the success/failed observer methods of network::ExpectCTReporter
1097 // which can be called at any time, and for other reasons. It's unlikely
1098 // but it is possible that |callback| could be called for some other event
1099 // other than the one initiated below when calling OnExpectCTFailed.
1100 outstanding_set_expect_ct_callbacks_.push(std::move(callback));
1101
1102 // Send a test report with dummy data.
1103 net::SignedCertificateTimestampAndStatusList dummy_sct_list;
1104 expect_ct_reporter_->OnExpectCTFailed(
1105 net::HostPortPair("expect-ct-report.test", 443), report_uri,
1106 base::Time::Now(), dummy_cert.get(), dummy_cert.get(), dummy_sct_list,
1107 // No need for a shared NetworkIsolationKey here, as this is test-only
1108 // code and none
1109 // of the tests that call it care about the NetworkIsolationKey.
1110 net::NetworkIsolationKey::CreateTransient());
1111 }
1112
LazyCreateExpectCTReporter(net::URLRequestContext * url_request_context)1113 void NetworkContext::LazyCreateExpectCTReporter(
1114 net::URLRequestContext* url_request_context) {
1115 if (expect_ct_reporter_)
1116 return;
1117
1118 // This instance owns owns and outlives expect_ct_reporter_, so safe to
1119 // pass |this|.
1120 expect_ct_reporter_ = std::make_unique<network::ExpectCTReporter>(
1121 url_request_context,
1122 base::BindRepeating(&NetworkContext::OnSetExpectCTTestReportSuccess,
1123 base::Unretained(this)),
1124 base::BindRepeating(&NetworkContext::OnSetExpectCTTestReportFailure,
1125 base::Unretained(this)));
1126 }
1127
OnSetExpectCTTestReportSuccess()1128 void NetworkContext::OnSetExpectCTTestReportSuccess() {
1129 if (outstanding_set_expect_ct_callbacks_.empty())
1130 return;
1131 std::move(outstanding_set_expect_ct_callbacks_.front()).Run(true);
1132 outstanding_set_expect_ct_callbacks_.pop();
1133 }
1134
OnSetExpectCTTestReportFailure()1135 void NetworkContext::OnSetExpectCTTestReportFailure() {
1136 if (outstanding_set_expect_ct_callbacks_.empty())
1137 return;
1138 std::move(outstanding_set_expect_ct_callbacks_.front()).Run(false);
1139 outstanding_set_expect_ct_callbacks_.pop();
1140 }
1141
GetExpectCTState(const std::string & domain,const net::NetworkIsolationKey & network_isolation_key,GetExpectCTStateCallback callback)1142 void NetworkContext::GetExpectCTState(
1143 const std::string& domain,
1144 const net::NetworkIsolationKey& network_isolation_key,
1145 GetExpectCTStateCallback callback) {
1146 base::DictionaryValue result;
1147 if (base::IsStringASCII(domain)) {
1148 net::TransportSecurityState* transport_security_state =
1149 url_request_context()->transport_security_state();
1150 if (transport_security_state) {
1151 net::TransportSecurityState::ExpectCTState dynamic_expect_ct_state;
1152 bool found = transport_security_state->GetDynamicExpectCTState(
1153 domain, network_isolation_key, &dynamic_expect_ct_state);
1154
1155 // TODO(estark): query static Expect-CT state as well.
1156 if (found) {
1157 result.SetString("dynamic_expect_ct_domain", domain);
1158 result.SetDouble("dynamic_expect_ct_observed",
1159 dynamic_expect_ct_state.last_observed.ToDoubleT());
1160 result.SetDouble("dynamic_expect_ct_expiry",
1161 dynamic_expect_ct_state.expiry.ToDoubleT());
1162 result.SetBoolean("dynamic_expect_ct_enforce",
1163 dynamic_expect_ct_state.enforce);
1164 result.SetString("dynamic_expect_ct_report_uri",
1165 dynamic_expect_ct_state.report_uri.spec());
1166 }
1167
1168 result.SetBoolean("result", found);
1169 } else {
1170 result.SetString("error", "no Expect-CT state active");
1171 }
1172 } else {
1173 result.SetString("error", "non-ASCII domain name");
1174 }
1175
1176 std::move(callback).Run(std::move(result));
1177 }
1178
MaybeEnqueueSCTReport(const net::HostPortPair & host_port_pair,const net::X509Certificate * validated_certificate_chain,const net::SignedCertificateTimestampAndStatusList & signed_certificate_timestamps)1179 void NetworkContext::MaybeEnqueueSCTReport(
1180 const net::HostPortPair& host_port_pair,
1181 const net::X509Certificate* validated_certificate_chain,
1182 const net::SignedCertificateTimestampAndStatusList&
1183 signed_certificate_timestamps) {
1184 network_service()->sct_auditing_cache()->MaybeEnqueueReport(
1185 this, host_port_pair, validated_certificate_chain,
1186 signed_certificate_timestamps);
1187 }
1188
SetSCTAuditingEnabled(bool enabled)1189 void NetworkContext::SetSCTAuditingEnabled(bool enabled) {
1190 is_sct_auditing_enabled_ = enabled;
1191 }
1192 #endif // BUILDFLAG(IS_CT_SUPPORTED)
1193
CreateUDPSocket(mojo::PendingReceiver<mojom::UDPSocket> receiver,mojo::PendingRemote<mojom::UDPSocketListener> listener)1194 void NetworkContext::CreateUDPSocket(
1195 mojo::PendingReceiver<mojom::UDPSocket> receiver,
1196 mojo::PendingRemote<mojom::UDPSocketListener> listener) {
1197 socket_factory_->CreateUDPSocket(std::move(receiver), std::move(listener));
1198 }
1199
CreateTCPServerSocket(const net::IPEndPoint & local_addr,uint32_t backlog,const net::MutableNetworkTrafficAnnotationTag & traffic_annotation,mojo::PendingReceiver<mojom::TCPServerSocket> receiver,CreateTCPServerSocketCallback callback)1200 void NetworkContext::CreateTCPServerSocket(
1201 const net::IPEndPoint& local_addr,
1202 uint32_t backlog,
1203 const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
1204 mojo::PendingReceiver<mojom::TCPServerSocket> receiver,
1205 CreateTCPServerSocketCallback callback) {
1206 socket_factory_->CreateTCPServerSocket(
1207 local_addr, backlog,
1208 static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
1209 std::move(receiver), std::move(callback));
1210 }
1211
CreateTCPConnectedSocket(const base::Optional<net::IPEndPoint> & local_addr,const net::AddressList & remote_addr_list,mojom::TCPConnectedSocketOptionsPtr tcp_connected_socket_options,const net::MutableNetworkTrafficAnnotationTag & traffic_annotation,mojo::PendingReceiver<mojom::TCPConnectedSocket> receiver,mojo::PendingRemote<mojom::SocketObserver> observer,CreateTCPConnectedSocketCallback callback)1212 void NetworkContext::CreateTCPConnectedSocket(
1213 const base::Optional<net::IPEndPoint>& local_addr,
1214 const net::AddressList& remote_addr_list,
1215 mojom::TCPConnectedSocketOptionsPtr tcp_connected_socket_options,
1216 const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
1217 mojo::PendingReceiver<mojom::TCPConnectedSocket> receiver,
1218 mojo::PendingRemote<mojom::SocketObserver> observer,
1219 CreateTCPConnectedSocketCallback callback) {
1220 socket_factory_->CreateTCPConnectedSocket(
1221 local_addr, remote_addr_list, std::move(tcp_connected_socket_options),
1222 static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
1223 std::move(receiver), std::move(observer), std::move(callback));
1224 }
1225
CreateTCPBoundSocket(const net::IPEndPoint & local_addr,const net::MutableNetworkTrafficAnnotationTag & traffic_annotation,mojo::PendingReceiver<mojom::TCPBoundSocket> receiver,CreateTCPBoundSocketCallback callback)1226 void NetworkContext::CreateTCPBoundSocket(
1227 const net::IPEndPoint& local_addr,
1228 const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
1229 mojo::PendingReceiver<mojom::TCPBoundSocket> receiver,
1230 CreateTCPBoundSocketCallback callback) {
1231 socket_factory_->CreateTCPBoundSocket(
1232 local_addr,
1233 static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
1234 std::move(receiver), std::move(callback));
1235 }
1236
CreateProxyResolvingSocketFactory(mojo::PendingReceiver<mojom::ProxyResolvingSocketFactory> receiver)1237 void NetworkContext::CreateProxyResolvingSocketFactory(
1238 mojo::PendingReceiver<mojom::ProxyResolvingSocketFactory> receiver) {
1239 proxy_resolving_socket_factories_.Add(
1240 std::make_unique<ProxyResolvingSocketFactoryMojo>(url_request_context()),
1241 std::move(receiver));
1242 }
1243
LookUpProxyForURL(const GURL & url,const net::NetworkIsolationKey & network_isolation_key,mojo::PendingRemote<mojom::ProxyLookupClient> proxy_lookup_client)1244 void NetworkContext::LookUpProxyForURL(
1245 const GURL& url,
1246 const net::NetworkIsolationKey& network_isolation_key,
1247 mojo::PendingRemote<mojom::ProxyLookupClient> proxy_lookup_client) {
1248 DCHECK(proxy_lookup_client);
1249 std::unique_ptr<ProxyLookupRequest> proxy_lookup_request(
1250 std::make_unique<ProxyLookupRequest>(std::move(proxy_lookup_client), this,
1251 network_isolation_key));
1252 ProxyLookupRequest* proxy_lookup_request_ptr = proxy_lookup_request.get();
1253 proxy_lookup_requests_.insert(std::move(proxy_lookup_request));
1254 proxy_lookup_request_ptr->Start(url);
1255 }
1256
ForceReloadProxyConfig(ForceReloadProxyConfigCallback callback)1257 void NetworkContext::ForceReloadProxyConfig(
1258 ForceReloadProxyConfigCallback callback) {
1259 net::ConfiguredProxyResolutionService* configured_proxy_resolution_service =
1260 nullptr;
1261 if (url_request_context()
1262 ->proxy_resolution_service()
1263 ->CastToConfiguredProxyResolutionService(
1264 &configured_proxy_resolution_service)) {
1265 configured_proxy_resolution_service->ForceReloadProxyConfig();
1266 } else {
1267 LOG(WARNING)
1268 << "NetworkContext::ForceReloadProxyConfig() had no effect, as the "
1269 "underlying ProxyResolutionService does not support that concept.";
1270 }
1271 std::move(callback).Run();
1272 }
1273
ClearBadProxiesCache(ClearBadProxiesCacheCallback callback)1274 void NetworkContext::ClearBadProxiesCache(
1275 ClearBadProxiesCacheCallback callback) {
1276 url_request_context()->proxy_resolution_service()->ClearBadProxiesCache();
1277 std::move(callback).Run();
1278 }
1279
CreateWebSocket(const GURL & url,const std::vector<std::string> & requested_protocols,const net::SiteForCookies & site_for_cookies,const net::IsolationInfo & isolation_info,std::vector<mojom::HttpHeaderPtr> additional_headers,int32_t process_id,int32_t render_frame_id,const url::Origin & origin,uint32_t options,const net::MutableNetworkTrafficAnnotationTag & traffic_annotation,mojo::PendingRemote<mojom::WebSocketHandshakeClient> handshake_client,mojo::PendingRemote<mojom::AuthenticationHandler> auth_handler,mojo::PendingRemote<mojom::TrustedHeaderClient> header_client)1280 void NetworkContext::CreateWebSocket(
1281 const GURL& url,
1282 const std::vector<std::string>& requested_protocols,
1283 const net::SiteForCookies& site_for_cookies,
1284 const net::IsolationInfo& isolation_info,
1285 std::vector<mojom::HttpHeaderPtr> additional_headers,
1286 int32_t process_id,
1287 int32_t render_frame_id,
1288 const url::Origin& origin,
1289 uint32_t options,
1290 const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
1291 mojo::PendingRemote<mojom::WebSocketHandshakeClient> handshake_client,
1292 mojo::PendingRemote<mojom::AuthenticationHandler> auth_handler,
1293 mojo::PendingRemote<mojom::TrustedHeaderClient> header_client) {
1294 #if !defined(OS_IOS)
1295 if (!websocket_factory_)
1296 websocket_factory_ = std::make_unique<WebSocketFactory>(this);
1297
1298 DCHECK_GE(process_id, 0);
1299 if (process_id == mojom::kBrowserProcessId) {
1300 DCHECK_EQ(render_frame_id, 0);
1301 }
1302
1303 websocket_factory_->CreateWebSocket(
1304 url, requested_protocols, site_for_cookies, isolation_info,
1305 std::move(additional_headers), process_id, render_frame_id, origin,
1306 options,
1307 static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
1308 std::move(handshake_client), std::move(auth_handler),
1309 std::move(header_client));
1310 #endif // !defined(OS_IOS)
1311 }
1312
CreateQuicTransport(const GURL & url,const url::Origin & origin,const net::NetworkIsolationKey & key,std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,mojo::PendingRemote<mojom::QuicTransportHandshakeClient> pending_handshake_client)1313 void NetworkContext::CreateQuicTransport(
1314 const GURL& url,
1315 const url::Origin& origin,
1316 const net::NetworkIsolationKey& key,
1317 std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,
1318 mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
1319 pending_handshake_client) {
1320 quic_transports_.insert(
1321 std::make_unique<QuicTransport>(url, origin, key, fingerprints, this,
1322 std::move(pending_handshake_client)));
1323 }
1324
CreateNetLogExporter(mojo::PendingReceiver<mojom::NetLogExporter> receiver)1325 void NetworkContext::CreateNetLogExporter(
1326 mojo::PendingReceiver<mojom::NetLogExporter> receiver) {
1327 net_log_exporter_receivers_.Add(std::make_unique<NetLogExporter>(this),
1328 std::move(receiver));
1329 }
1330
ResolveHost(const net::HostPortPair & host,const net::NetworkIsolationKey & network_isolation_key,mojom::ResolveHostParametersPtr optional_parameters,mojo::PendingRemote<mojom::ResolveHostClient> response_client)1331 void NetworkContext::ResolveHost(
1332 const net::HostPortPair& host,
1333 const net::NetworkIsolationKey& network_isolation_key,
1334 mojom::ResolveHostParametersPtr optional_parameters,
1335 mojo::PendingRemote<mojom::ResolveHostClient> response_client) {
1336 if (!internal_host_resolver_) {
1337 internal_host_resolver_ = std::make_unique<HostResolver>(
1338 url_request_context_->host_resolver(), url_request_context_->net_log());
1339 }
1340
1341 internal_host_resolver_->ResolveHost(host, network_isolation_key,
1342 std::move(optional_parameters),
1343 std::move(response_client));
1344 }
1345
CreateHostResolver(const base::Optional<net::DnsConfigOverrides> & config_overrides,mojo::PendingReceiver<mojom::HostResolver> receiver)1346 void NetworkContext::CreateHostResolver(
1347 const base::Optional<net::DnsConfigOverrides>& config_overrides,
1348 mojo::PendingReceiver<mojom::HostResolver> receiver) {
1349 net::HostResolver* internal_resolver = url_request_context_->host_resolver();
1350 std::unique_ptr<net::HostResolver> private_internal_resolver;
1351
1352 if (config_overrides &&
1353 config_overrides.value() != net::DnsConfigOverrides()) {
1354 // If custom configuration is needed, create a separate internal resolver
1355 // with the specified configuration overrides. Because we are using a non-
1356 // standard resolver, disable the cache.
1357 //
1358 // TODO(crbug.com/846423): Consider allowing per-resolve overrides, so the
1359 // same net::HostResolver with the same scheduler and cache can be used with
1360 // different overrides. But since this is only used for special cases for
1361 // now, much easier to create entirely separate net::HostResolver instances.
1362 net::HostResolver::ManagerOptions options;
1363 options.insecure_dns_client_enabled = true;
1364 options.dns_config_overrides = config_overrides.value();
1365 private_internal_resolver =
1366 network_service_->host_resolver_factory()->CreateStandaloneResolver(
1367 url_request_context_->net_log(), std::move(options),
1368 "" /* host_mapping_rules */, false /* enable_caching */);
1369 private_internal_resolver->SetRequestContext(url_request_context_);
1370 internal_resolver = private_internal_resolver.get();
1371 }
1372
1373 host_resolvers_.emplace(
1374 std::make_unique<HostResolver>(
1375 std::move(receiver),
1376 base::BindOnce(&NetworkContext::OnHostResolverShutdown,
1377 base::Unretained(this)),
1378 internal_resolver, url_request_context_->net_log()),
1379 std::move(private_internal_resolver));
1380 }
1381
VerifyCertForSignedExchange(const scoped_refptr<net::X509Certificate> & certificate,const GURL & url,const net::NetworkIsolationKey & network_isolation_key,const std::string & ocsp_result,const std::string & sct_list,VerifyCertForSignedExchangeCallback callback)1382 void NetworkContext::VerifyCertForSignedExchange(
1383 const scoped_refptr<net::X509Certificate>& certificate,
1384 const GURL& url,
1385 const net::NetworkIsolationKey& network_isolation_key,
1386 const std::string& ocsp_result,
1387 const std::string& sct_list,
1388 VerifyCertForSignedExchangeCallback callback) {
1389 // TODO(https://crbug.com/1087091): DCHECK that |network_isolation_key| is
1390 // populated when |require_network_isolation_key| is true, once all consumers
1391 // are passing in a NetworkIsolationKey.
1392
1393 int cert_verify_id = ++next_cert_verify_id_;
1394 auto pending_cert_verify = std::make_unique<PendingCertVerify>();
1395 pending_cert_verify->callback = std::move(callback);
1396 pending_cert_verify->result = std::make_unique<net::CertVerifyResult>();
1397 pending_cert_verify->certificate = certificate;
1398 pending_cert_verify->url = url;
1399 pending_cert_verify->network_isolation_key = network_isolation_key;
1400 pending_cert_verify->ocsp_result = ocsp_result;
1401 pending_cert_verify->sct_list = sct_list;
1402 net::CertVerifier* cert_verifier =
1403 g_cert_verifier_for_testing ? g_cert_verifier_for_testing
1404 : url_request_context_->cert_verifier();
1405 int result = cert_verifier->Verify(
1406 net::CertVerifier::RequestParams(certificate, url.host(),
1407 0 /* cert_verify_flags */, ocsp_result,
1408 sct_list),
1409 pending_cert_verify->result.get(),
1410 base::BindOnce(&NetworkContext::OnVerifyCertForSignedExchangeComplete,
1411 base::Unretained(this), cert_verify_id),
1412 &pending_cert_verify->request,
1413 net::NetLogWithSource::Make(url_request_context_->net_log(),
1414 net::NetLogSourceType::CERT_VERIFIER_JOB));
1415 cert_verifier_requests_[cert_verify_id] = std::move(pending_cert_verify);
1416
1417 if (result != net::ERR_IO_PENDING)
1418 OnVerifyCertForSignedExchangeComplete(cert_verify_id, result);
1419 }
1420
ParseHeaders(const GURL & url,const scoped_refptr<net::HttpResponseHeaders> & headers,ParseHeadersCallback callback)1421 void NetworkContext::ParseHeaders(
1422 const GURL& url,
1423 const scoped_refptr<net::HttpResponseHeaders>& headers,
1424 ParseHeadersCallback callback) {
1425 std::move(callback).Run(PopulateParsedHeaders(headers, url));
1426 }
1427
NotifyExternalCacheHit(const GURL & url,const std::string & http_method,const net::NetworkIsolationKey & key,bool is_subframe_document_resource)1428 void NetworkContext::NotifyExternalCacheHit(
1429 const GURL& url,
1430 const std::string& http_method,
1431 const net::NetworkIsolationKey& key,
1432 bool is_subframe_document_resource) {
1433 net::HttpCache* cache =
1434 url_request_context_->http_transaction_factory()->GetCache();
1435 if (cache) {
1436 cache->OnExternalCacheHit(url, http_method, key,
1437 is_subframe_document_resource);
1438 }
1439 }
1440
SetCorsOriginAccessListsForOrigin(const url::Origin & source_origin,std::vector<mojom::CorsOriginPatternPtr> allow_patterns,std::vector<mojom::CorsOriginPatternPtr> block_patterns,SetCorsOriginAccessListsForOriginCallback callback)1441 void NetworkContext::SetCorsOriginAccessListsForOrigin(
1442 const url::Origin& source_origin,
1443 std::vector<mojom::CorsOriginPatternPtr> allow_patterns,
1444 std::vector<mojom::CorsOriginPatternPtr> block_patterns,
1445 SetCorsOriginAccessListsForOriginCallback callback) {
1446 cors_origin_access_list_.SetAllowListForOrigin(source_origin, allow_patterns);
1447 cors_origin_access_list_.SetBlockListForOrigin(source_origin, block_patterns);
1448 std::move(callback).Run();
1449 }
1450
AddHSTS(const std::string & host,base::Time expiry,bool include_subdomains,AddHSTSCallback callback)1451 void NetworkContext::AddHSTS(const std::string& host,
1452 base::Time expiry,
1453 bool include_subdomains,
1454 AddHSTSCallback callback) {
1455 net::TransportSecurityState* state =
1456 url_request_context_->transport_security_state();
1457 state->AddHSTS(host, expiry, include_subdomains);
1458 std::move(callback).Run();
1459 }
1460
IsHSTSActiveForHost(const std::string & host,IsHSTSActiveForHostCallback callback)1461 void NetworkContext::IsHSTSActiveForHost(const std::string& host,
1462 IsHSTSActiveForHostCallback callback) {
1463 net::TransportSecurityState* security_state =
1464 url_request_context_->transport_security_state();
1465
1466 if (!security_state) {
1467 std::move(callback).Run(false);
1468 return;
1469 }
1470
1471 std::move(callback).Run(security_state->ShouldUpgradeToSSL(host));
1472 }
1473
GetHSTSState(const std::string & domain,GetHSTSStateCallback callback)1474 void NetworkContext::GetHSTSState(const std::string& domain,
1475 GetHSTSStateCallback callback) {
1476 base::DictionaryValue result;
1477
1478 if (base::IsStringASCII(domain)) {
1479 net::TransportSecurityState* transport_security_state =
1480 url_request_context()->transport_security_state();
1481 if (transport_security_state) {
1482 net::TransportSecurityState::STSState static_sts_state;
1483 net::TransportSecurityState::PKPState static_pkp_state;
1484 bool found_static = transport_security_state->GetStaticDomainState(
1485 domain, &static_sts_state, &static_pkp_state);
1486 if (found_static) {
1487 result.SetInteger("static_upgrade_mode",
1488 static_cast<int>(static_sts_state.upgrade_mode));
1489 result.SetBoolean("static_sts_include_subdomains",
1490 static_sts_state.include_subdomains);
1491 result.SetDouble("static_sts_observed",
1492 static_sts_state.last_observed.ToDoubleT());
1493 result.SetDouble("static_sts_expiry",
1494 static_sts_state.expiry.ToDoubleT());
1495 result.SetBoolean("static_pkp_include_subdomains",
1496 static_pkp_state.include_subdomains);
1497 result.SetDouble("static_pkp_observed",
1498 static_pkp_state.last_observed.ToDoubleT());
1499 result.SetDouble("static_pkp_expiry",
1500 static_pkp_state.expiry.ToDoubleT());
1501 result.SetString("static_spki_hashes",
1502 HashesToBase64String(static_pkp_state.spki_hashes));
1503 result.SetString("static_sts_domain", static_sts_state.domain);
1504 result.SetString("static_pkp_domain", static_pkp_state.domain);
1505 }
1506
1507 net::TransportSecurityState::STSState dynamic_sts_state;
1508 net::TransportSecurityState::PKPState dynamic_pkp_state;
1509 bool found_sts_dynamic = transport_security_state->GetDynamicSTSState(
1510 domain, &dynamic_sts_state);
1511
1512 bool found_pkp_dynamic = transport_security_state->GetDynamicPKPState(
1513 domain, &dynamic_pkp_state);
1514 if (found_sts_dynamic) {
1515 result.SetInteger("dynamic_upgrade_mode",
1516 static_cast<int>(dynamic_sts_state.upgrade_mode));
1517 result.SetBoolean("dynamic_sts_include_subdomains",
1518 dynamic_sts_state.include_subdomains);
1519 result.SetDouble("dynamic_sts_observed",
1520 dynamic_sts_state.last_observed.ToDoubleT());
1521 result.SetDouble("dynamic_sts_expiry",
1522 dynamic_sts_state.expiry.ToDoubleT());
1523 result.SetString("dynamic_sts_domain", dynamic_sts_state.domain);
1524 }
1525
1526 if (found_pkp_dynamic) {
1527 result.SetBoolean("dynamic_pkp_include_subdomains",
1528 dynamic_pkp_state.include_subdomains);
1529 result.SetDouble("dynamic_pkp_observed",
1530 dynamic_pkp_state.last_observed.ToDoubleT());
1531 result.SetDouble("dynamic_pkp_expiry",
1532 dynamic_pkp_state.expiry.ToDoubleT());
1533 result.SetString("dynamic_spki_hashes",
1534 HashesToBase64String(dynamic_pkp_state.spki_hashes));
1535 result.SetString("dynamic_pkp_domain", dynamic_pkp_state.domain);
1536 }
1537
1538 result.SetBoolean("result",
1539 found_static || found_sts_dynamic || found_pkp_dynamic);
1540 } else {
1541 result.SetString("error", "no TransportSecurityState active");
1542 }
1543 } else {
1544 result.SetString("error", "non-ASCII domain name");
1545 }
1546
1547 std::move(callback).Run(std::move(result));
1548 }
1549
DeleteDynamicDataForHost(const std::string & host,DeleteDynamicDataForHostCallback callback)1550 void NetworkContext::DeleteDynamicDataForHost(
1551 const std::string& host,
1552 DeleteDynamicDataForHostCallback callback) {
1553 net::TransportSecurityState* transport_security_state =
1554 url_request_context()->transport_security_state();
1555 if (!transport_security_state) {
1556 std::move(callback).Run(false);
1557 return;
1558 }
1559
1560 std::move(callback).Run(
1561 transport_security_state->DeleteDynamicDataForHost(host));
1562 }
1563
EnableStaticKeyPinningForTesting(EnableStaticKeyPinningForTestingCallback callback)1564 void NetworkContext::EnableStaticKeyPinningForTesting(
1565 EnableStaticKeyPinningForTestingCallback callback) {
1566 net::TransportSecurityState* state =
1567 url_request_context_->transport_security_state();
1568 state->EnableStaticPinsForTesting();
1569 std::move(callback).Run();
1570 }
1571
VerifyCertificateForTesting(const scoped_refptr<net::X509Certificate> & certificate,const std::string & hostname,const std::string & ocsp_response,const std::string & sct_list,VerifyCertificateForTestingCallback callback)1572 void NetworkContext::VerifyCertificateForTesting(
1573 const scoped_refptr<net::X509Certificate>& certificate,
1574 const std::string& hostname,
1575 const std::string& ocsp_response,
1576 const std::string& sct_list,
1577 VerifyCertificateForTestingCallback callback) {
1578 net::CertVerifier* cert_verifier = url_request_context_->cert_verifier();
1579
1580 auto state = std::make_unique<TestVerifyCertState>();
1581 auto* request = &state->request;
1582 auto* result = &state->result;
1583
1584 cert_verifier->Verify(
1585 net::CertVerifier::RequestParams(certificate.get(), hostname, 0,
1586 ocsp_response, sct_list),
1587 result,
1588 base::BindOnce(TestVerifyCertCallback, std::move(state),
1589 std::move(callback)),
1590 request, net::NetLogWithSource());
1591 }
1592
PreconnectSockets(uint32_t num_streams,const GURL & original_url,bool allow_credentials,const net::NetworkIsolationKey & network_isolation_key)1593 void NetworkContext::PreconnectSockets(
1594 uint32_t num_streams,
1595 const GURL& original_url,
1596 bool allow_credentials,
1597 const net::NetworkIsolationKey& network_isolation_key) {
1598 GURL url = GetHSTSRedirect(original_url);
1599
1600 // |PreconnectSockets| may receive arguments from the renderer, which is not
1601 // guaranteed to validate them.
1602 if (num_streams == 0)
1603 return;
1604
1605 std::string user_agent;
1606 if (url_request_context_->http_user_agent_settings()) {
1607 user_agent =
1608 url_request_context_->http_user_agent_settings()->GetUserAgent();
1609 }
1610 net::HttpRequestInfo request_info;
1611 request_info.url = url;
1612 request_info.method = net::HttpRequestHeaders::kGetMethod;
1613 request_info.extra_headers.SetHeader(net::HttpRequestHeaders::kUserAgent,
1614 user_agent);
1615
1616 if (allow_credentials) {
1617 request_info.load_flags = net::LOAD_NORMAL;
1618 request_info.privacy_mode = net::PRIVACY_MODE_DISABLED;
1619 } else {
1620 request_info.load_flags = net::LOAD_DO_NOT_SAVE_COOKIES;
1621 request_info.privacy_mode = net::PRIVACY_MODE_ENABLED;
1622 }
1623 request_info.network_isolation_key = network_isolation_key;
1624
1625 net::HttpTransactionFactory* factory =
1626 url_request_context_->http_transaction_factory();
1627 net::HttpNetworkSession* session = factory->GetSession();
1628 net::HttpStreamFactory* http_stream_factory = session->http_stream_factory();
1629 http_stream_factory->PreconnectStreams(
1630 base::saturated_cast<int32_t>(num_streams), request_info);
1631 }
1632
CreateP2PSocketManager(const net::NetworkIsolationKey & network_isolation_key,mojo::PendingRemote<mojom::P2PTrustedSocketManagerClient> client,mojo::PendingReceiver<mojom::P2PTrustedSocketManager> trusted_socket_manager,mojo::PendingReceiver<mojom::P2PSocketManager> socket_manager_receiver)1633 void NetworkContext::CreateP2PSocketManager(
1634 const net::NetworkIsolationKey& network_isolation_key,
1635 mojo::PendingRemote<mojom::P2PTrustedSocketManagerClient> client,
1636 mojo::PendingReceiver<mojom::P2PTrustedSocketManager>
1637 trusted_socket_manager,
1638 mojo::PendingReceiver<mojom::P2PSocketManager> socket_manager_receiver) {
1639 std::unique_ptr<P2PSocketManager> socket_manager =
1640 std::make_unique<P2PSocketManager>(
1641 network_isolation_key, std::move(client),
1642 std::move(trusted_socket_manager), std::move(socket_manager_receiver),
1643 base::BindRepeating(&NetworkContext::DestroySocketManager,
1644 base::Unretained(this)),
1645 url_request_context_);
1646 socket_managers_[socket_manager.get()] = std::move(socket_manager);
1647 }
1648
CreateMdnsResponder(mojo::PendingReceiver<mojom::MdnsResponder> responder_receiver)1649 void NetworkContext::CreateMdnsResponder(
1650 mojo::PendingReceiver<mojom::MdnsResponder> responder_receiver) {
1651 #if BUILDFLAG(ENABLE_MDNS)
1652 if (!mdns_responder_manager_)
1653 mdns_responder_manager_ = std::make_unique<MdnsResponderManager>();
1654
1655 mdns_responder_manager_->CreateMdnsResponder(std::move(responder_receiver));
1656 #else
1657 NOTREACHED();
1658 #endif // BUILDFLAG(ENABLE_MDNS)
1659 }
1660
AddDomainReliabilityContextForTesting(const GURL & origin,const GURL & upload_url,AddDomainReliabilityContextForTestingCallback callback)1661 void NetworkContext::AddDomainReliabilityContextForTesting(
1662 const GURL& origin,
1663 const GURL& upload_url,
1664 AddDomainReliabilityContextForTestingCallback callback) {
1665 auto config = std::make_unique<domain_reliability::DomainReliabilityConfig>();
1666 config->origin = origin;
1667 config->include_subdomains = false;
1668 config->collectors.push_back(std::make_unique<GURL>(upload_url));
1669 config->success_sample_rate = 1.0;
1670 config->failure_sample_rate = 1.0;
1671 domain_reliability_monitor_->AddContextForTesting(std::move(config));
1672 std::move(callback).Run();
1673 }
1674
ForceDomainReliabilityUploadsForTesting(ForceDomainReliabilityUploadsForTestingCallback callback)1675 void NetworkContext::ForceDomainReliabilityUploadsForTesting(
1676 ForceDomainReliabilityUploadsForTestingCallback callback) {
1677 domain_reliability_monitor_->ForceUploadsForTesting();
1678 std::move(callback).Run();
1679 }
1680
SetSplitAuthCacheByNetworkIsolationKey(bool split_auth_cache_by_network_isolation_key)1681 void NetworkContext::SetSplitAuthCacheByNetworkIsolationKey(
1682 bool split_auth_cache_by_network_isolation_key) {
1683 url_request_context_->http_transaction_factory()
1684 ->GetSession()
1685 ->http_auth_cache()
1686 ->SetKeyServerEntriesByNetworkIsolationKey(
1687 split_auth_cache_by_network_isolation_key);
1688 }
1689
SaveHttpAuthCacheProxyEntries(SaveHttpAuthCacheProxyEntriesCallback callback)1690 void NetworkContext::SaveHttpAuthCacheProxyEntries(
1691 SaveHttpAuthCacheProxyEntriesCallback callback) {
1692 net::HttpAuthCache* http_auth_cache =
1693 url_request_context_->http_transaction_factory()
1694 ->GetSession()
1695 ->http_auth_cache();
1696 base::UnguessableToken cache_key =
1697 network_service_->http_auth_cache_copier()->SaveHttpAuthCache(
1698 *http_auth_cache);
1699 std::move(callback).Run(cache_key);
1700 }
1701
LoadHttpAuthCacheProxyEntries(const base::UnguessableToken & cache_key,LoadHttpAuthCacheProxyEntriesCallback callback)1702 void NetworkContext::LoadHttpAuthCacheProxyEntries(
1703 const base::UnguessableToken& cache_key,
1704 LoadHttpAuthCacheProxyEntriesCallback callback) {
1705 net::HttpAuthCache* http_auth_cache =
1706 url_request_context_->http_transaction_factory()
1707 ->GetSession()
1708 ->http_auth_cache();
1709 network_service_->http_auth_cache_copier()->LoadHttpAuthCache(
1710 cache_key, http_auth_cache);
1711 std::move(callback).Run();
1712 }
1713
AddAuthCacheEntry(const net::AuthChallengeInfo & challenge,const net::NetworkIsolationKey & network_isolation_key,const net::AuthCredentials & credentials,AddAuthCacheEntryCallback callback)1714 void NetworkContext::AddAuthCacheEntry(
1715 const net::AuthChallengeInfo& challenge,
1716 const net::NetworkIsolationKey& network_isolation_key,
1717 const net::AuthCredentials& credentials,
1718 AddAuthCacheEntryCallback callback) {
1719 if (challenge.challenger.scheme() == url::kFtpScheme) {
1720 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
1721 net::FtpAuthCache* auth_cache = url_request_context_->ftp_auth_cache();
1722 auth_cache->Add(challenge.challenger.GetURL(), credentials);
1723 #else
1724 NOTREACHED();
1725 #endif // BUILDFLAG(DISABLE_FTP_SUPPORT)
1726 } else {
1727 net::HttpAuthCache* http_auth_cache =
1728 url_request_context_->http_transaction_factory()
1729 ->GetSession()
1730 ->http_auth_cache();
1731 http_auth_cache->Add(challenge.challenger.GetURL(),
1732 challenge.is_proxy ? net::HttpAuth::AUTH_PROXY
1733 : net::HttpAuth::AUTH_SERVER,
1734 challenge.realm,
1735 net::HttpAuth::StringToScheme(challenge.scheme),
1736 network_isolation_key, challenge.challenge,
1737 credentials, challenge.path);
1738 }
1739 std::move(callback).Run();
1740 }
1741
LookupServerBasicAuthCredentials(const GURL & url,const net::NetworkIsolationKey & network_isolation_key,LookupServerBasicAuthCredentialsCallback callback)1742 void NetworkContext::LookupServerBasicAuthCredentials(
1743 const GURL& url,
1744 const net::NetworkIsolationKey& network_isolation_key,
1745 LookupServerBasicAuthCredentialsCallback callback) {
1746 net::HttpAuthCache* http_auth_cache =
1747 url_request_context_->http_transaction_factory()
1748 ->GetSession()
1749 ->http_auth_cache();
1750 net::HttpAuthCache::Entry* entry =
1751 http_auth_cache->LookupByPath(url.GetOrigin(), net::HttpAuth::AUTH_SERVER,
1752 network_isolation_key, url.path());
1753 if (entry && entry->scheme() == net::HttpAuth::AUTH_SCHEME_BASIC)
1754 std::move(callback).Run(entry->credentials());
1755 else
1756 std::move(callback).Run(base::nullopt);
1757 }
1758
1759 #if BUILDFLAG(IS_ASH)
LookupProxyAuthCredentials(const net::ProxyServer & proxy_server,const std::string & auth_scheme,const std::string & realm,LookupProxyAuthCredentialsCallback callback)1760 void NetworkContext::LookupProxyAuthCredentials(
1761 const net::ProxyServer& proxy_server,
1762 const std::string& auth_scheme,
1763 const std::string& realm,
1764 LookupProxyAuthCredentialsCallback callback) {
1765 net::HttpAuth::Scheme net_scheme =
1766 net::HttpAuth::StringToScheme(base::ToLowerASCII(auth_scheme));
1767 if (net_scheme == net::HttpAuth::Scheme::AUTH_SCHEME_MAX) {
1768 std::move(callback).Run(base::nullopt);
1769 return;
1770 }
1771 net::HttpAuthCache* http_auth_cache =
1772 url_request_context_->http_transaction_factory()
1773 ->GetSession()
1774 ->http_auth_cache();
1775 // TODO(https://crbug.com/1103768): Mapping proxy addresses to URLs is a
1776 // lossy conversion, shouldn't do this.
1777 const char* scheme =
1778 proxy_server.is_secure_http_like() ? "https://" : "http://";
1779 GURL proxy_url(scheme + proxy_server.host_port_pair().ToString());
1780 if (!proxy_url.is_valid()) {
1781 std::move(callback).Run(base::nullopt);
1782 return;
1783 }
1784
1785 // Unlike server credentials, proxy credentials are not keyed on
1786 // NetworkIsolationKey.
1787 net::HttpAuthCache::Entry* entry =
1788 http_auth_cache->Lookup(proxy_url, net::HttpAuth::AUTH_PROXY, realm,
1789 net_scheme, net::NetworkIsolationKey());
1790 if (entry)
1791 std::move(callback).Run(entry->credentials());
1792 else
1793 std::move(callback).Run(base::nullopt);
1794 }
1795 #endif
1796
GetHttpAuthPreferences() const1797 const net::HttpAuthPreferences* NetworkContext::GetHttpAuthPreferences() const {
1798 return &http_auth_merged_preferences_;
1799 }
1800
NumOpenQuicTransports() const1801 size_t NetworkContext::NumOpenQuicTransports() const {
1802 return std::count_if(quic_transports_.begin(), quic_transports_.end(),
1803 [](const std::unique_ptr<QuicTransport>& transport) {
1804 return !transport->torn_down();
1805 });
1806 }
1807
OnHttpAuthDynamicParamsChanged(const mojom::HttpAuthDynamicParams * http_auth_dynamic_network_service_params)1808 void NetworkContext::OnHttpAuthDynamicParamsChanged(
1809 const mojom::HttpAuthDynamicParams*
1810 http_auth_dynamic_network_service_params) {
1811 http_auth_merged_preferences_.SetServerAllowlist(
1812 http_auth_dynamic_network_service_params->server_allowlist);
1813 http_auth_merged_preferences_.SetDelegateAllowlist(
1814 http_auth_dynamic_network_service_params->delegate_allowlist);
1815 http_auth_merged_preferences_.set_delegate_by_kdc_policy(
1816 http_auth_dynamic_network_service_params->delegate_by_kdc_policy);
1817 http_auth_merged_preferences_.set_negotiate_disable_cname_lookup(
1818 http_auth_dynamic_network_service_params->negotiate_disable_cname_lookup);
1819 http_auth_merged_preferences_.set_negotiate_enable_port(
1820 http_auth_dynamic_network_service_params->enable_negotiate_port);
1821 http_auth_merged_preferences_.set_basic_over_http_enabled(
1822 http_auth_dynamic_network_service_params->basic_over_http_enabled);
1823 #if defined(OS_POSIX) || defined(OS_FUCHSIA)
1824 http_auth_merged_preferences_.set_ntlm_v2_enabled(
1825 http_auth_dynamic_network_service_params->ntlm_v2_enabled);
1826 #endif
1827
1828 #if defined(OS_ANDROID)
1829 http_auth_merged_preferences_.set_auth_android_negotiate_account_type(
1830 http_auth_dynamic_network_service_params->android_negotiate_account_type);
1831 #endif
1832
1833 #if BUILDFLAG(IS_ASH)
1834 http_auth_merged_preferences_.set_allow_gssapi_library_load(
1835 http_auth_dynamic_network_service_params->allow_gssapi_library_load);
1836 #endif
1837 }
1838
MakeURLRequestContext(mojo::PendingRemote<mojom::URLLoaderFactory> url_loader_factory_for_cert_net_fetcher,scoped_refptr<SessionCleanupCookieStore> session_cleanup_cookie_store)1839 URLRequestContextOwner NetworkContext::MakeURLRequestContext(
1840 mojo::PendingRemote<mojom::URLLoaderFactory>
1841 url_loader_factory_for_cert_net_fetcher,
1842 scoped_refptr<SessionCleanupCookieStore> session_cleanup_cookie_store) {
1843 URLRequestContextBuilderMojo builder;
1844 const base::CommandLine* command_line =
1845 base::CommandLine::ForCurrentProcess();
1846
1847 DCHECK(
1848 g_cert_verifier_for_testing ||
1849 !base::FeatureList::IsEnabled(network::features::kCertVerifierService) ||
1850 (params_->cert_verifier_params &&
1851 params_->cert_verifier_params->is_remote_params()))
1852 << "If cert verification service is on, the creator of the "
1853 "NetworkContext should pass CertVerifierServiceRemoteParams.";
1854
1855 std::unique_ptr<net::CertVerifier> cert_verifier;
1856 if (g_cert_verifier_for_testing) {
1857 cert_verifier = std::make_unique<WrappedTestingCertVerifier>();
1858 } else {
1859 if (params_->cert_verifier_params &&
1860 params_->cert_verifier_params->is_remote_params()) {
1861 // base::Unretained() is safe below because |this| will own
1862 // |cert_verifier|.
1863 // TODO(https://crbug.com/1085233): this cert verifier should deal with
1864 // disconnections if the CertVerifierService is run outside of the browser
1865 // process.
1866 cert_verifier = std::make_unique<cert_verifier::MojoCertVerifier>(
1867 std::move(params_->cert_verifier_params->get_remote_params()
1868 ->cert_verifier_service),
1869 std::move(url_loader_factory_for_cert_net_fetcher),
1870 base::BindRepeating(
1871 &NetworkContext::CreateURLLoaderFactoryForCertNetFetcher,
1872 base::Unretained(this)));
1873 } else {
1874 mojom::CertVerifierCreationParams* creation_params = nullptr;
1875 if (params_->cert_verifier_params &&
1876 params_->cert_verifier_params->is_creation_params()) {
1877 creation_params =
1878 params_->cert_verifier_params->get_creation_params().get();
1879 }
1880
1881 if (IsUsingCertNetFetcher())
1882 cert_net_fetcher_ =
1883 base::MakeRefCounted<net::CertNetFetcherURLRequest>();
1884
1885 cert_verifier = CreateCertVerifier(creation_params, cert_net_fetcher_);
1886 }
1887
1888 // Whether the cert verifier is remote or in-process, we should wrap it in
1889 // caching and coalescing layers to avoid extra verifications and IPCs.
1890 cert_verifier = std::make_unique<net::CachingCertVerifier>(
1891 std::make_unique<net::CoalescingCertVerifier>(
1892 std::move(cert_verifier)));
1893
1894 #if BUILDFLAG(IS_ASH)
1895 cert_verifier_with_trust_anchors_ =
1896 new CertVerifierWithTrustAnchors(base::BindRepeating(
1897 &NetworkContext::TrustAnchorUsed, base::Unretained(this)));
1898 UpdateAdditionalCertificates(
1899 std::move(params_->initial_additional_certificates));
1900 cert_verifier_with_trust_anchors_->InitializeOnIOThread(
1901 std::move(cert_verifier));
1902 cert_verifier = base::WrapUnique(cert_verifier_with_trust_anchors_);
1903 #endif // BUILDFLAG(IS_ASH)
1904 }
1905
1906 builder.SetCertVerifier(IgnoreErrorsCertVerifier::MaybeWrapCertVerifier(
1907 *command_line, nullptr, std::move(cert_verifier)));
1908
1909 std::unique_ptr<NetworkServiceNetworkDelegate> network_delegate =
1910 std::make_unique<NetworkServiceNetworkDelegate>(
1911 params_->enable_referrers,
1912 params_->validate_referrer_policy_on_initial_request,
1913 std::move(params_->proxy_error_client), this);
1914 network_delegate_ = network_delegate.get();
1915 builder.set_network_delegate(std::move(network_delegate));
1916
1917 if (params_->initial_custom_proxy_config ||
1918 params_->custom_proxy_config_client_receiver) {
1919 std::unique_ptr<NetworkServiceProxyDelegate> proxy_delegate =
1920 std::make_unique<NetworkServiceProxyDelegate>(
1921 std::move(params_->initial_custom_proxy_config),
1922 std::move(params_->custom_proxy_config_client_receiver));
1923 proxy_delegate_ = proxy_delegate.get();
1924 builder.set_proxy_delegate(std::move(proxy_delegate));
1925 }
1926
1927 net::NetLog* net_log = nullptr;
1928 if (network_service_) {
1929 net_log = network_service_->net_log();
1930 builder.set_net_log(net_log);
1931 builder.set_host_resolver_manager(
1932 network_service_->host_resolver_manager());
1933 builder.set_host_resolver_factory(
1934 network_service_->host_resolver_factory());
1935 builder.SetHttpAuthHandlerFactory(
1936 network_service_->CreateHttpAuthHandlerFactory(this));
1937 builder.set_network_quality_estimator(
1938 network_service_->network_quality_estimator());
1939 }
1940
1941 if (session_cleanup_cookie_store) {
1942 std::unique_ptr<net::CookieMonster> cookie_store =
1943 std::make_unique<net::CookieMonster>(session_cleanup_cookie_store.get(),
1944 net_log);
1945 if (params_->persist_session_cookies)
1946 cookie_store->SetPersistSessionCookies(true);
1947
1948 builder.SetCookieStore(std::move(cookie_store));
1949 }
1950
1951 if (base::FeatureList::IsEnabled(features::kTrustTokens)) {
1952 trust_token_store_ = std::make_unique<PendingTrustTokenStore>();
1953
1954 if (params_->trust_token_path) {
1955 SQLiteTrustTokenPersister::CreateForFilePath(
1956 base::ThreadPool::CreateSequencedTaskRunner(
1957 {base::MayBlock(), kTrustTokenDatabaseTaskPriority,
1958 base::TaskShutdownBehavior::BLOCK_SHUTDOWN}),
1959 *params_->trust_token_path, kTrustTokenWriteBufferingWindow,
1960 base::BindOnce(&NetworkContext::FinishConstructingTrustTokenStore,
1961 weak_factory_.GetWeakPtr()));
1962 } else {
1963 trust_token_store_->OnStoreReady(std::make_unique<TrustTokenStore>(
1964 std::make_unique<InMemoryTrustTokenPersister>(),
1965 std::make_unique<ExpiryInspectingRecordExpiryDelegate>(
1966 network_service()->trust_token_key_commitments())));
1967 }
1968 }
1969
1970 std::unique_ptr<net::StaticHttpUserAgentSettings> user_agent_settings =
1971 std::make_unique<net::StaticHttpUserAgentSettings>(
1972 params_->accept_language, params_->user_agent);
1973 // Borrow an alias for future use before giving the builder ownership.
1974 user_agent_settings_ = user_agent_settings.get();
1975 builder.set_http_user_agent_settings(std::move(user_agent_settings));
1976
1977 builder.set_enable_brotli(params_->enable_brotli);
1978 if (params_->context_name)
1979 builder.set_name(*params_->context_name);
1980
1981 if (params_->proxy_resolver_factory) {
1982 builder.SetMojoProxyResolverFactory(
1983 std::move(params_->proxy_resolver_factory));
1984 }
1985
1986 #if BUILDFLAG(IS_ASH)
1987 if (params_->dhcp_wpad_url_client) {
1988 builder.SetDhcpWpadUrlClient(std::move(params_->dhcp_wpad_url_client));
1989 }
1990 #endif // BUILDFLAG(IS_ASH)
1991
1992 if (!params_->http_cache_enabled) {
1993 builder.DisableHttpCache();
1994 } else {
1995 net::URLRequestContextBuilder::HttpCacheParams cache_params;
1996 cache_params.max_size = params_->http_cache_max_size;
1997 if (!params_->http_cache_path) {
1998 cache_params.type =
1999 net::URLRequestContextBuilder::HttpCacheParams::IN_MEMORY;
2000 } else {
2001 cache_params.path = *params_->http_cache_path;
2002 cache_params.type = network_session_configurator::ChooseCacheType();
2003 }
2004 cache_params.reset_cache = params_->reset_http_cache_backend;
2005
2006 #if defined(OS_ANDROID)
2007 cache_params.app_status_listener = app_status_listener();
2008 #endif
2009 builder.EnableHttpCache(cache_params);
2010 }
2011
2012 std::unique_ptr<SSLConfigServiceMojo> ssl_config_service =
2013 std::make_unique<SSLConfigServiceMojo>(
2014 std::move(params_->initial_ssl_config),
2015 std::move(params_->ssl_config_client_receiver),
2016 network_service_->crl_set_distributor(),
2017 network_service_->legacy_tls_config_distributor());
2018 SSLConfigServiceMojo* ssl_config_service_raw = ssl_config_service.get();
2019 builder.set_ssl_config_service(std::move(ssl_config_service));
2020
2021 if (!params_->initial_proxy_config &&
2022 !params_->proxy_config_client_receiver.is_valid()) {
2023 params_->initial_proxy_config =
2024 net::ProxyConfigWithAnnotation::CreateDirect();
2025 }
2026 builder.set_proxy_config_service(std::make_unique<ProxyConfigServiceMojo>(
2027 std::move(params_->proxy_config_client_receiver),
2028 std::move(params_->initial_proxy_config),
2029 std::move(params_->proxy_config_poller_client)));
2030 builder.set_pac_quick_check_enabled(params_->pac_quick_check_enabled);
2031
2032 std::unique_ptr<PrefService> pref_service;
2033 if (params_->http_server_properties_path) {
2034 scoped_refptr<JsonPrefStore> json_pref_store(new JsonPrefStore(
2035 *params_->http_server_properties_path, nullptr,
2036 base::ThreadPool::CreateSequencedTaskRunner(
2037 {base::MayBlock(), base::TaskShutdownBehavior::BLOCK_SHUTDOWN,
2038 base::TaskPriority::BEST_EFFORT})));
2039 PrefServiceFactory pref_service_factory;
2040 pref_service_factory.set_user_prefs(json_pref_store);
2041 pref_service_factory.set_async(true);
2042 scoped_refptr<PrefRegistrySimple> pref_registry(new PrefRegistrySimple());
2043 HttpServerPropertiesPrefDelegate::RegisterPrefs(pref_registry.get());
2044 NetworkQualitiesPrefDelegate::RegisterPrefs(pref_registry.get());
2045 pref_service = pref_service_factory.Create(pref_registry.get());
2046
2047 builder.SetHttpServerProperties(std::make_unique<net::HttpServerProperties>(
2048 std::make_unique<HttpServerPropertiesPrefDelegate>(pref_service.get()),
2049 net_log));
2050
2051 network_qualities_pref_delegate_ =
2052 std::make_unique<NetworkQualitiesPrefDelegate>(
2053 pref_service.get(), network_service_->network_quality_estimator());
2054 }
2055
2056 if (params_->transport_security_persister_path) {
2057 builder.set_transport_security_persister_path(
2058 *params_->transport_security_persister_path);
2059 }
2060 builder.set_hsts_policy_bypass_list(params_->hsts_policy_bypass_list);
2061
2062 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
2063 builder.set_ftp_enabled(params_->enable_ftp_url_support);
2064 #else // BUILDFLAG(DISABLE_FTP_SUPPORT)
2065 DCHECK(!params_->enable_ftp_url_support);
2066 #endif
2067
2068 #if BUILDFLAG(ENABLE_REPORTING)
2069 bool reporting_enabled = base::FeatureList::IsEnabled(features::kReporting);
2070 if (reporting_enabled) {
2071 auto reporting_policy = net::ReportingPolicy::Create();
2072 if (params_->reporting_delivery_interval) {
2073 reporting_policy->delivery_interval =
2074 *params_->reporting_delivery_interval;
2075 reporting_policy->endpoint_backoff_policy.initial_delay_ms =
2076 params_->reporting_delivery_interval->InMilliseconds();
2077 }
2078 builder.set_reporting_policy(std::move(reporting_policy));
2079 } else {
2080 builder.set_reporting_policy(nullptr);
2081 }
2082
2083 bool nel_enabled =
2084 base::FeatureList::IsEnabled(features::kNetworkErrorLogging);
2085 builder.set_network_error_logging_enabled(nel_enabled);
2086
2087 if (params_->reporting_and_nel_store_path &&
2088 (reporting_enabled || nel_enabled)) {
2089 scoped_refptr<base::SequencedTaskRunner> client_task_runner =
2090 base::ThreadTaskRunnerHandle::Get();
2091 scoped_refptr<base::SequencedTaskRunner> background_task_runner =
2092 base::ThreadPool::CreateSequencedTaskRunner(
2093 {base::MayBlock(),
2094 net::GetReportingAndNelStoreBackgroundSequencePriority(),
2095 base::TaskShutdownBehavior::BLOCK_SHUTDOWN});
2096 std::unique_ptr<net::SQLitePersistentReportingAndNelStore> sqlite_store(
2097 new net::SQLitePersistentReportingAndNelStore(
2098 params_->reporting_and_nel_store_path.value(), client_task_runner,
2099 background_task_runner));
2100 builder.set_persistent_reporting_and_nel_store(std::move(sqlite_store));
2101 } else {
2102 builder.set_persistent_reporting_and_nel_store(nullptr);
2103 }
2104
2105 #endif // BUILDFLAG(ENABLE_REPORTING)
2106
2107 net::HttpNetworkSession::Params session_params;
2108 bool is_quic_force_disabled = false;
2109 if (network_service_ && network_service_->quic_disabled())
2110 is_quic_force_disabled = true;
2111
2112 auto quic_context = std::make_unique<net::QuicContext>();
2113 network_session_configurator::ParseCommandLineAndFieldTrials(
2114 *base::CommandLine::ForCurrentProcess(), is_quic_force_disabled,
2115 params_->quic_user_agent_id, &session_params, quic_context->params());
2116
2117 session_params.disable_idle_sockets_close_on_memory_pressure =
2118 params_->disable_idle_sockets_close_on_memory_pressure;
2119
2120 if (network_service_) {
2121 session_params.key_auth_cache_server_entries_by_network_isolation_key =
2122 network_service_->split_auth_cache_by_network_isolation_key();
2123 }
2124
2125 session_params.key_auth_cache_server_entries_by_network_isolation_key =
2126 base::FeatureList::IsEnabled(
2127 features::kSplitAuthCacheByNetworkIsolationKey);
2128
2129 builder.set_http_network_session_params(session_params);
2130 builder.set_quic_context(std::move(quic_context));
2131
2132 builder.SetCreateHttpTransactionFactoryCallback(
2133 base::BindOnce([](net::HttpNetworkSession* session)
2134 -> std::unique_ptr<net::HttpTransactionFactory> {
2135 return std::make_unique<ThrottlingNetworkTransactionFactory>(session);
2136 }));
2137
2138 #if BUILDFLAG(IS_CT_SUPPORTED)
2139 std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
2140 std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs;
2141 std::vector<std::string> operated_by_google_logs;
2142
2143 if (!params_->ct_logs.empty()) {
2144 for (const auto& log : params_->ct_logs) {
2145 if (log->operated_by_google || log->disqualified_at) {
2146 std::string log_id = crypto::SHA256HashString(log->public_key);
2147 if (log->operated_by_google)
2148 operated_by_google_logs.push_back(log_id);
2149 if (log->disqualified_at) {
2150 disqualified_logs.push_back(
2151 std::make_pair(log_id, log->disqualified_at.value()));
2152 }
2153 }
2154 scoped_refptr<const net::CTLogVerifier> log_verifier =
2155 net::CTLogVerifier::Create(log->public_key, log->name);
2156 if (!log_verifier) {
2157 // TODO: Signal bad configuration (such as bad key).
2158 continue;
2159 }
2160 ct_logs.push_back(std::move(log_verifier));
2161 }
2162 auto ct_verifier = std::make_unique<net::MultiLogCTVerifier>();
2163 ct_verifier->AddLogs(ct_logs);
2164 builder.set_ct_verifier(std::move(ct_verifier));
2165 }
2166
2167 if (params_->enforce_chrome_ct_policy) {
2168 std::sort(std::begin(operated_by_google_logs),
2169 std::end(operated_by_google_logs));
2170 std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
2171
2172 builder.set_ct_policy_enforcer(
2173 std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
2174 params_->ct_log_update_time, disqualified_logs,
2175 operated_by_google_logs));
2176 }
2177
2178 builder.set_sct_auditing_delegate(
2179 std::make_unique<SCTAuditingDelegate>(weak_factory_.GetWeakPtr()));
2180 #endif // BUILDFLAG(IS_CT_SUPPORTED)
2181
2182 builder.set_host_mapping_rules(
2183 command_line->GetSwitchValueASCII(switches::kHostResolverRules));
2184
2185 auto result =
2186 URLRequestContextOwner(std::move(pref_service), builder.Build());
2187
2188 result.url_request_context->set_require_network_isolation_key(
2189 params_->require_network_isolation_key);
2190
2191 // Subscribe the CertVerifier to configuration changes that are exposed via
2192 // the mojom::SSLConfig, but which are not part of the
2193 // net::SSLConfig[Service] interfaces.
2194 ssl_config_service_raw->SetCertVerifierForConfiguring(
2195 result.url_request_context->cert_verifier());
2196
2197 // Attach some things to the URLRequestContextBuilder's
2198 // TransportSecurityState. Since no requests have been made yet, safe to do
2199 // this even after the call to Build().
2200
2201 if (params_->enable_certificate_reporting) {
2202 net::NetworkTrafficAnnotationTag traffic_annotation =
2203 net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
2204 semantics {
2205 sender: "Domain Security Policy"
2206 description:
2207 "Websites can opt in to have Chrome send reports to them when "
2208 "Chrome observes connections to that website that do not meet "
2209 "stricter security policies, such as with HTTP Public Key Pinning. "
2210 "Websites can use this feature to discover misconfigurations that "
2211 "prevent them from complying with stricter security policies that "
2212 "they\'ve opted in to."
2213 trigger:
2214 "Chrome observes that a user is loading a resource from a website "
2215 "that has opted in for security policy reports, and the connection "
2216 "does not meet the required security policies."
2217 data:
2218 "The time of the request, the hostname and port being requested, "
2219 "the certificate chain, and sometimes certificate revocation "
2220 "information included on the connection."
2221 destination: OTHER
2222 }
2223 policy {
2224 cookies_allowed: NO
2225 setting: "This feature cannot be disabled by settings."
2226 policy_exception_justification:
2227 "Not implemented, this is a feature that websites can opt into and "
2228 "thus there is no Chrome-wide policy to disable it."
2229 })");
2230 certificate_report_sender_ = std::make_unique<net::ReportSender>(
2231 result.url_request_context.get(), traffic_annotation);
2232 result.url_request_context->transport_security_state()->SetReportSender(
2233 certificate_report_sender_.get());
2234 }
2235
2236 #if defined(OS_ANDROID)
2237 result.url_request_context->set_check_cleartext_permitted(
2238 params_->check_clear_text_permitted);
2239 #endif // defined(OS_ANDROID)
2240
2241 #if BUILDFLAG(IS_CT_SUPPORTED)
2242 if (params_->enable_expect_ct_reporting) {
2243 LazyCreateExpectCTReporter(result.url_request_context.get());
2244 result.url_request_context->transport_security_state()->SetExpectCTReporter(
2245 expect_ct_reporter_.get());
2246 }
2247
2248 if (params_->enforce_chrome_ct_policy) {
2249 require_ct_delegate_ =
2250 std::make_unique<certificate_transparency::ChromeRequireCTDelegate>();
2251 result.url_request_context->transport_security_state()
2252 ->SetRequireCTDelegate(require_ct_delegate_.get());
2253 }
2254 #endif // BUILDFLAG(IS_CT_SUPPORTED)
2255
2256 if (params_->enable_domain_reliability) {
2257 domain_reliability_monitor_ =
2258 std::make_unique<domain_reliability::DomainReliabilityMonitor>(
2259 result.url_request_context.get(),
2260 params_->domain_reliability_upload_reporter,
2261 base::BindRepeating(&NetworkContext::CanUploadDomainReliability,
2262 base::Unretained(this)));
2263 domain_reliability_monitor_->AddBakedInConfigs();
2264 domain_reliability_monitor_->SetDiscardUploads(
2265 params_->discard_domain_reliablity_uploads);
2266 }
2267
2268 if (proxy_delegate_) {
2269 proxy_delegate_->SetProxyResolutionService(
2270 result.url_request_context->proxy_resolution_service());
2271 }
2272
2273 if (cert_net_fetcher_)
2274 cert_net_fetcher_->SetURLRequestContext(result.url_request_context.get());
2275
2276 return result;
2277 }
2278
2279 scoped_refptr<SessionCleanupCookieStore>
2280 NetworkContext::MakeSessionCleanupCookieStore() const {
2281 if (!params_->cookie_path) {
2282 DCHECK(!params_->restore_old_session_cookies);
2283 DCHECK(!params_->persist_session_cookies);
2284 return nullptr;
2285 }
2286 scoped_refptr<base::SequencedTaskRunner> client_task_runner =
2287 base::ThreadTaskRunnerHandle::Get();
2288 scoped_refptr<base::SequencedTaskRunner> background_task_runner =
2289 base::ThreadPool::CreateSequencedTaskRunner(
2290 {base::MayBlock(), net::GetCookieStoreBackgroundSequencePriority(),
2291 base::TaskShutdownBehavior::BLOCK_SHUTDOWN});
2292
2293 net::CookieCryptoDelegate* crypto_delegate = nullptr;
2294 if (params_->enable_encrypted_cookies) {
2295 #if (defined(OS_LINUX) && !defined(OS_CHROMEOS) && !BUILDFLAG(IS_CHROMECAST)) || defined(OS_BSD)
2296 DCHECK(network_service_->os_crypt_config_set())
2297 << "NetworkService::SetCryptConfig must be called before creating a "
2298 "NetworkContext with encrypted cookies.";
2299 #endif
2300 crypto_delegate = cookie_config::GetCookieCryptoDelegate();
2301 }
2302 scoped_refptr<net::SQLitePersistentCookieStore> sqlite_store(
2303 new net::SQLitePersistentCookieStore(
2304 params_->cookie_path.value(), client_task_runner,
2305 background_task_runner, params_->restore_old_session_cookies,
2306 crypto_delegate));
2307
2308 return base::MakeRefCounted<SessionCleanupCookieStore>(sqlite_store);
2309 }
2310
2311 void NetworkContext::OnHttpCacheCleared(ClearHttpCacheCallback callback,
2312 HttpCacheDataRemover* remover) {
2313 bool removed = false;
2314 for (auto iter = http_cache_data_removers_.begin();
2315 iter != http_cache_data_removers_.end(); ++iter) {
2316 if (iter->get() == remover) {
2317 removed = true;
2318 http_cache_data_removers_.erase(iter);
2319 break;
2320 }
2321 }
2322 DCHECK(removed);
2323 std::move(callback).Run();
2324 }
2325
2326 void NetworkContext::OnHostResolverShutdown(HostResolver* resolver) {
2327 auto found_resolver = host_resolvers_.find(resolver);
2328 DCHECK(found_resolver != host_resolvers_.end());
2329 host_resolvers_.erase(found_resolver);
2330 }
2331
2332 void NetworkContext::OnHttpCacheSizeComputed(
2333 ComputeHttpCacheSizeCallback callback,
2334 HttpCacheDataCounter* counter,
2335 bool is_upper_limit,
2336 int64_t result_or_error) {
2337 EraseIf(http_cache_data_counters_, base::MatchesUniquePtr(counter));
2338 std::move(callback).Run(is_upper_limit, result_or_error);
2339 }
2340
2341 void NetworkContext::OnConnectionError() {
2342 // If owned by the network service, this call will delete |this|.
2343 if (on_connection_close_callback_)
2344 std::move(on_connection_close_callback_).Run(this);
2345 }
2346
2347 GURL NetworkContext::GetHSTSRedirect(const GURL& original_url) {
2348 // TODO(lilyhoughton) This needs to be gotten rid of once explicit
2349 // construction with a URLRequestContext is no longer supported.
2350 if (!url_request_context_->transport_security_state() ||
2351 !original_url.SchemeIs("http") ||
2352 !url_request_context_->transport_security_state()->ShouldUpgradeToSSL(
2353 original_url.host())) {
2354 return original_url;
2355 }
2356
2357 url::Replacements<char> replacements;
2358 const char kNewScheme[] = "https";
2359 replacements.SetScheme(kNewScheme, url::Component(0, strlen(kNewScheme)));
2360 return original_url.ReplaceComponents(replacements);
2361 }
2362
2363 void NetworkContext::DestroySocketManager(P2PSocketManager* socket_manager) {
2364 auto iter = socket_managers_.find(socket_manager);
2365 DCHECK(iter != socket_managers_.end());
2366 socket_managers_.erase(iter);
2367 }
2368
2369 void NetworkContext::CanUploadDomainReliability(
2370 const GURL& origin,
2371 base::OnceCallback<void(bool)> callback) {
2372 client_->OnCanSendDomainReliabilityUpload(
2373 origin,
2374 base::BindOnce([](base::OnceCallback<void(bool)> callback,
2375 bool allowed) { std::move(callback).Run(allowed); },
2376 std::move(callback)));
2377 }
2378
2379 void NetworkContext::OnVerifyCertForSignedExchangeComplete(int cert_verify_id,
2380 int result) {
2381 auto iter = cert_verifier_requests_.find(cert_verify_id);
2382 DCHECK(iter != cert_verifier_requests_.end());
2383
2384 auto pending_cert_verify = std::move(iter->second);
2385 cert_verifier_requests_.erase(iter);
2386
2387 #if BUILDFLAG(IS_CT_SUPPORTED)
2388 if (result == net::OK) {
2389 net::X509Certificate* verified_cert =
2390 pending_cert_verify->result->verified_cert.get();
2391 url_request_context_->cert_transparency_verifier()->Verify(
2392 pending_cert_verify->url.host(), verified_cert,
2393 pending_cert_verify->ocsp_result, pending_cert_verify->sct_list,
2394 &pending_cert_verify->result->scts,
2395 net::NetLogWithSource::Make(
2396 network_service_ ? url_request_context_->net_log() : nullptr,
2397 net::NetLogSourceType::CERT_VERIFIER_JOB));
2398
2399 net::ct::SCTList verified_scts;
2400 for (const auto& sct_and_status : pending_cert_verify->result->scts) {
2401 if (sct_and_status.status == net::ct::SCT_STATUS_OK)
2402 verified_scts.push_back(sct_and_status.sct);
2403 }
2404 pending_cert_verify->result->policy_compliance =
2405 url_request_context_->ct_policy_enforcer()->CheckCompliance(
2406 verified_cert, verified_scts,
2407 net::NetLogWithSource::Make(
2408 network_service_ ? url_request_context_->net_log() : nullptr,
2409 net::NetLogSourceType::CERT_VERIFIER_JOB));
2410
2411 // TODO(https://crbug.com/803774): We should determine whether EV & SXG
2412 // should be a thing (due to the online/offline signing difference)
2413 if (pending_cert_verify->result->cert_status & net::CERT_STATUS_IS_EV &&
2414 pending_cert_verify->result->policy_compliance !=
2415 net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS &&
2416 pending_cert_verify->result->policy_compliance !=
2417 net::ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY) {
2418 pending_cert_verify->result->cert_status |=
2419 net::CERT_STATUS_CT_COMPLIANCE_FAILED;
2420 pending_cert_verify->result->cert_status &= ~net::CERT_STATUS_IS_EV;
2421 }
2422
2423 net::TransportSecurityState::CTRequirementsStatus ct_requirement_status =
2424 url_request_context_->transport_security_state()->CheckCTRequirements(
2425 net::HostPortPair::FromURL(pending_cert_verify->url),
2426 pending_cert_verify->result->is_issued_by_known_root,
2427 pending_cert_verify->result->public_key_hashes, verified_cert,
2428 pending_cert_verify->certificate.get(),
2429 pending_cert_verify->result->scts,
2430 net::TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2431 pending_cert_verify->result->policy_compliance,
2432 pending_cert_verify->network_isolation_key);
2433
2434 if (url_request_context_->sct_auditing_delegate() &&
2435 url_request_context_->sct_auditing_delegate()->IsSCTAuditingEnabled() &&
2436 pending_cert_verify->result->is_issued_by_known_root) {
2437 url_request_context_->sct_auditing_delegate()->MaybeEnqueueReport(
2438 net::HostPortPair::FromURL(pending_cert_verify->url), verified_cert,
2439 pending_cert_verify->result->scts);
2440 }
2441
2442 switch (ct_requirement_status) {
2443 case net::TransportSecurityState::CT_REQUIREMENTS_NOT_MET:
2444 result = net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
2445 break;
2446 case net::TransportSecurityState::CT_REQUIREMENTS_MET:
2447 break;
2448 case net::TransportSecurityState::CT_NOT_REQUIRED:
2449 // CT is not required if the certificate does not chain to a publicly
2450 // trusted root certificate.
2451 if (!pending_cert_verify->result->is_issued_by_known_root)
2452 break;
2453 // For old certificates (issued before 2018-05-01),
2454 // CheckCTRequirements() may return CT_NOT_REQUIRED, so we check the
2455 // compliance status here.
2456 // TODO(https://crbug.com/851778): Remove this condition once we require
2457 // signing certificates to have CanSignHttpExchanges extension, because
2458 // such certificates should be naturally after 2018-05-01.
2459 if (pending_cert_verify->result->policy_compliance ==
2460 net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS ||
2461 pending_cert_verify->result->policy_compliance ==
2462 net::ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY) {
2463 break;
2464 }
2465 // Require CT compliance, by overriding CT_NOT_REQUIRED and treat it as
2466 // ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.
2467 result = net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
2468 }
2469 }
2470 #endif // BUILDFLAG(IS_CT_SUPPORTED)
2471
2472 std::move(pending_cert_verify->callback)
2473 .Run(result, *pending_cert_verify->result.get());
2474 }
2475
2476 #if BUILDFLAG(IS_ASH)
2477 void NetworkContext::TrustAnchorUsed() {
2478 client_->OnTrustAnchorUsed();
2479 }
2480 #endif
2481
2482 void NetworkContext::InitializeCorsParams() {
2483 for (const auto& pattern : params_->cors_origin_access_list) {
2484 cors_origin_access_list_.SetAllowListForOrigin(pattern->source_origin,
2485 pattern->allow_patterns);
2486 cors_origin_access_list_.SetBlockListForOrigin(pattern->source_origin,
2487 pattern->block_patterns);
2488 }
2489 for (const auto& key : params_->cors_exempt_header_list)
2490 cors_exempt_header_list_.insert(key);
2491 }
2492
2493 void NetworkContext::FinishConstructingTrustTokenStore(
2494 std::unique_ptr<SQLiteTrustTokenPersister> persister) {
2495 trust_token_store_->OnStoreReady(std::make_unique<TrustTokenStore>(
2496 std::move(persister),
2497 std::make_unique<ExpiryInspectingRecordExpiryDelegate>(
2498 network_service()->trust_token_key_commitments())));
2499 }
2500
2501 void NetworkContext::GetOriginPolicyManager(
2502 mojo::PendingReceiver<mojom::OriginPolicyManager> receiver) {
2503 origin_policy_manager_->AddReceiver(std::move(receiver));
2504 }
2505
2506 void NetworkContext::CreateTrustedUrlLoaderFactoryForNetworkService(
2507 mojo::PendingReceiver<mojom::URLLoaderFactory>
2508 url_loader_factory_pending_receiver) {
2509 auto url_loader_factory_params = mojom::URLLoaderFactoryParams::New();
2510 url_loader_factory_params->is_trusted = true;
2511 url_loader_factory_params->process_id = network::mojom::kBrowserProcessId;
2512 CreateURLLoaderFactory(std::move(url_loader_factory_pending_receiver),
2513 std::move(url_loader_factory_params));
2514 }
2515
2516 } // namespace network
2517