// Copyright (c) 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_BASE_FEATURES_H_
#define NET_BASE_FEATURES_H_

#include <string>

#include "base/feature_list.h"
#include "base/metrics/field_trial_params.h"
#include "base/strings/string_piece.h"
#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/net_buildflags.h"

// Declarations (extern) of the base::Feature flags and base::FeatureParams
// used by //net. Their definitions -- default enabled/disabled state, param
// names and param defaults -- live elsewhere; nothing in this header says
// which features are on by default.
namespace net {
namespace features {

// Toggles the `Accept-Language` HTTP request header, which
// https://github.com/WICG/lang-client-hint proposes that we deprecate.
NET_EXPORT extern const base::Feature kAcceptLanguageHeader;

// When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross-
// origin requests are restricted to contain at most the source origin.
NET_EXPORT extern const base::Feature kCapReferrerToOriginOnCrossOrigin;

// Enables TLS 1.3 early data.
// NOTE(review): TLS 1.3 early (0-RTT) data has no replay protection at the
// TLS layer (RFC 8446, section 8). This header does not show which requests
// are eligible; confirm in the implementation that only idempotent requests
// are ever sent as early data.
NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;

// Support for altering the parameters used for DNS transaction timeout. See
// ResolveContext::SecureTransactionTimeout().
NET_EXPORT extern const base::Feature kDnsTransactionDynamicTimeouts;
// Multiplier applied to current fallback periods in determining a transaction
// timeout.
NET_EXPORT extern const base::FeatureParam<double>
    kDnsTransactionTimeoutMultiplier;
// Presumably a lower bound applied to the computed transaction timeout
// (name-based reading; confirm in ResolveContext::SecureTransactionTimeout()).
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kDnsMinTransactionTimeout;

// Enables DNS queries for HTTPSSVC or INTEGRITY records, depending on feature
// parameters. These queries will only be made over DoH. HTTPSSVC responses may
// cause us to upgrade the URL to HTTPS and/or to attempt QUIC.
NET_EXPORT extern const base::Feature kDnsHttpssvc;

// Disable H2 reprioritization, in order to measure its impact.
NET_EXPORT extern const base::Feature kAvoidH2Reprioritization;

// Determine which kind of record should be queried: HTTPSSVC or INTEGRITY. No
// more than one of these feature parameters should be enabled at once. In the
// event that both are enabled, |kDnsHttpssvcUseIntegrity| takes priority, and
// |kDnsHttpssvcUseHttpssvc| will be ignored.
NET_EXPORT extern const base::FeatureParam<bool> kDnsHttpssvcUseHttpssvc;
NET_EXPORT extern const base::FeatureParam<bool> kDnsHttpssvcUseIntegrity;

// Enable HTTPSSVC or INTEGRITY to be queried over insecure DNS.
// NOTE(review): by default these queries are DoH-only (see kDnsHttpssvc).
// Answers obtained over insecure DNS are not authenticated, so with this param
// enabled any HTTPS-upgrade or QUIC decision derived from an HTTPSSVC answer
// rests on an unauthenticated source.
NET_EXPORT extern const base::FeatureParam<bool>
    kDnsHttpssvcEnableQueryOverInsecure;

// If we are still waiting for an HTTPSSVC or INTEGRITY query after all the
// other queries in a DnsTask have completed, we will compute a timeout for the
// remaining query. The timeout will be the min of:
//   (a) |kDnsHttpssvcExtraTimeMs.Get()|
//   (b) |kDnsHttpssvcExtraTimePercent.Get() / 100 * t|, where |t| is the
//       number of milliseconds since the first query began.
NET_EXPORT extern const base::FeatureParam<int> kDnsHttpssvcExtraTimeMs;
NET_EXPORT extern const base::FeatureParam<int> kDnsHttpssvcExtraTimePercent;

// These parameters, respectively, are the list of experimental and control
// domains for which we will query HTTPSSVC or INTEGRITY records. We expect
// valid INTEGRITY results for experiment domains. We expect no INTEGRITY
// results for control domains.
//
// The format of both parameters is a comma-separated list of domains.
// Whitespace around domain names is permitted. Trailing comma is optional.
//
// See helper functions:
// |dns_httpssvc_experiment::GetDnsHttpssvcExperimentDomains| and
// |dns_httpssvc_experiment::GetDnsHttpssvcControlDomains|.
NET_EXPORT extern const base::FeatureParam<std::string>
    kDnsHttpssvcExperimentDomains;
NET_EXPORT extern const base::FeatureParam<std::string>
    kDnsHttpssvcControlDomains;

// This param controls how we determine whether a domain is an experimental or
// control domain. When false, domains must be in |kDnsHttpssvcControlDomains|
// to be considered a control. When true, we ignore |kDnsHttpssvcControlDomains|
// and any non-experiment domain (not in |kDnsHttpssvcExperimentDomains|) is
// considered a control domain.
NET_EXPORT extern const base::FeatureParam<bool>
    kDnsHttpssvcControlDomainWildcard;

namespace dns_httpssvc_experiment {
// Returns the value of |kDnsHttpssvcExtraTimeMs| as a base::TimeDelta.
NET_EXPORT base::TimeDelta GetExtraTimeAbsolute();
}  // namespace dns_httpssvc_experiment

// Enables optimizing the network quality estimation algorithms in network
// quality estimator (NQE).
NET_EXPORT extern const base::Feature kNetworkQualityEstimator;

// Splits cache entries by the request's NetworkIsolationKey if one is
// available.
NET_EXPORT extern const base::Feature kSplitCacheByNetworkIsolationKey;

// Splits host cache entries by the DNS request's NetworkIsolationKey if one is
// available. Also prevents merging live DNS lookups when there is a NIK
// mismatch.
NET_EXPORT extern const base::Feature kSplitHostCacheByNetworkIsolationKey;

// Partitions connections based on the NetworkIsolationKey associated with a
// request.
NET_EXPORT extern const base::Feature
    kPartitionConnectionsByNetworkIsolationKey;

// Partitions HttpServerProperties based on the NetworkIsolationKey associated
// with a request.
NET_EXPORT extern const base::Feature
    kPartitionHttpServerPropertiesByNetworkIsolationKey;

// Partitions TLS sessions and QUIC server configs based on the
// NetworkIsolationKey associated with a request.
//
// This feature requires kPartitionConnectionsByNetworkIsolationKey to be
// enabled to work.
NET_EXPORT extern const base::Feature
    kPartitionSSLSessionsByNetworkIsolationKey;

// Partitions Expect-CT data by NetworkIsolationKey. This only affects the
// Expect-CT data itself. Regardless of this value, reports will be uploaded
// using the associated NetworkIsolationKey, when one is available.
//
// This feature requires kPartitionConnectionsByNetworkIsolationKey and
// kPartitionHttpServerPropertiesByNetworkIsolationKey to be enabled to work.
// NOTE(review): the original prerequisite list named
// kPartitionConnectionsByNetworkIsolationKey twice; the intended third entry
// is presumably kPartitionSSLSessionsByNetworkIsolationKey -- confirm against
// the implementation.
NET_EXPORT extern const base::Feature
    kPartitionExpectCTStateByNetworkIsolationKey;

// Partitions Network Error Logging and Reporting API data by
// NetworkIsolationKey. Also partitions all reports generated by other consumers
// of the reporting API. Applies the NetworkIsolationKey to reports uploads as
// well.
//
// When disabled, the main entry points of the reporting and NEL services ignore
// NetworkIsolationKey parameters, and they're cleared while loading from the
// cache, but internal objects can be created with them (e.g., endpoints), for
// testing.
NET_EXPORT extern const base::Feature
    kPartitionNelAndReportingByNetworkIsolationKey;

// Enables limiting the size of Expect-CT table.
NET_EXPORT extern const base::Feature kExpectCTPruning;

// FeatureParams associated with kExpectCTPruning.

// Expect-CT pruning runs when this many entries are hit.
NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneMax;
// The Expect-CT pruning logic attempts to reduce entries to at most this many.
NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneMin;
// Non-transient entries with |enforce| set are safe from being pruned if
// they're less than this many days old, unless the number of entries exceeds
// |kExpectCTMaxEntriesPerNik|.
NET_EXPORT extern const base::FeatureParam<int> kExpectCTSafeFromPruneDays;
// If, after pruning transient, non-enforced, old Expect-CT entries,
// kExpectCTPruneMin is still exceeded, then all NetworkIsolationKeys will be
// capped to this many entries, based on last observation date.
NET_EXPORT extern const base::FeatureParam<int> kExpectCTMaxEntriesPerNik;
// Minimum delay between successive prunings of Expect-CT entries, in seconds.
NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneDelaySecs;

// Enables sending TLS 1.3 Key Update messages on TLS 1.3 connections in order
// to ensure that this corner of the spec is exercised. This is currently
// disabled by default because we discovered incompatibilities with some
// servers.
NET_EXPORT extern const base::Feature kTLS13KeyUpdate;

// Enables CECPQ2, a post-quantum key-agreement, in TLS 1.3 connections.
NET_EXPORT extern const base::Feature kPostQuantumCECPQ2;

// Changes the timeout after which unused idle sockets are cleaned up.
NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout;

// When enabled, makes cookies without a SameSite attribute behave like
// SameSite=Lax cookies by default, and requires SameSite=None to be specified
// in order to make cookies available in a third-party context. When disabled,
// the default behavior for cookies without a SameSite attribute specified is no
// restriction, i.e., available in a third-party context.
// The "Lax-allow-unsafe" mitigation allows these cookies to be sent on
// top-level cross-site requests with an unsafe (e.g. POST) HTTP method, if the
// cookie is no more than 2 minutes old.
NET_EXPORT extern const base::Feature kSameSiteByDefaultCookies;

// When enabled, cookies without SameSite restrictions that don't specify the
// Secure attribute will be rejected if set from an insecure context, or treated
// as secure if set from a secure context. This ONLY has an effect if
// SameSiteByDefaultCookies is also enabled.
NET_EXPORT extern const base::Feature kCookiesWithoutSameSiteMustBeSecure;

// When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered
// from 2 minutes to 10 seconds. This time threshold refers to the age cutoff
// for which cookies that default into SameSite=Lax, which are newer than the
// threshold, will be sent with any top-level cross-site navigation regardless
// of HTTP method (i.e. allowing unsafe methods). This is a convenience for
// integration tests which may want to test behavior of cookies older than the
// threshold, but which would not be practical to run for 2 minutes.
NET_EXPORT extern const base::Feature kShortLaxAllowUnsafeThreshold;

// When enabled, the SameSite by default feature does not add the
// "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite
// attribute will be treated as Lax only, i.e. POST and other unsafe HTTP
// methods will not be allowed at all for top-level cross-site navigations.
// This only has an effect if the cookie defaults to SameSite=Lax.
NET_EXPORT extern const base::Feature kSameSiteDefaultChecksMethodRigorously;

#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
// When enabled, use the builtin cert verifier instead of the platform verifier.
NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature;
#endif

// NOTE(review): undocumented in this header. The name suggests the frame's
// origin is included in the NetworkIsolationKey; confirm the exact semantics
// in the implementation and the NetworkIsolationKey code before relying on it.
NET_EXPORT extern const base::Feature kAppendFrameOriginToNetworkIsolationKey;

// Turns off streaming media caching to disk when on battery power.
NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingOnBattery;

// Turns off streaming media caching to disk always.
NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingAlways;

// When enabled, sites that use TLS versions below the |version_min_warn|
// threshold are marked with the LEGACY_TLS CertStatus and return an
// ERR_SSL_OBSOLETE_VERSION error. This is used to trigger an interstitial
// warning for these pages.
NET_EXPORT extern const base::Feature kLegacyTLSEnforced;

// When enabled this feature will cause same-site calculations to take into
// account the scheme of the site-for-cookies and the request/response url.
NET_EXPORT extern const base::Feature kSchemefulSameSite;

// When enabled, TLS connections will initially not offer 3DES and SHA-1 but
// enable them on fallback. This is used to improve metrics around usage of
// those algorithms. If disabled, the algorithms will always be offered.
NET_EXPORT extern const base::Feature kTLSLegacyCryptoFallbackForMetrics;

// When enabled, DNS_PROBE_FINISHED_NXDOMAIN error pages may show
// locally-generated suggestions to visit similar domains.
NET_EXPORT extern const base::Feature kUseLookalikesForNavigationSuggestions;

// When enabled, the Network Quality Estimator (NQE) will notify the operating
// system whenever it detects that the current default network may have
// significantly degraded connectivity. Currently only effective on Android.
NET_EXPORT extern const base::Feature kReportPoorConnectivity;

// When enabled, the NQE may preemptively request that the OS activate a mobile
// network when requests on the active Wi-Fi connection are stalled. This can be
// used to warm the radio for a faster transition if/when the OS chooses to drop
// the Wi-Fi connection.
NET_EXPORT extern const base::Feature kPreemptiveMobileNetworkActivation;

// Enables a process-wide limit on "open" UDP sockets. See
// udp_socket_global_limits.h for details on what constitutes an "open" socket.
NET_EXPORT extern const base::Feature kLimitOpenUDPSockets;

// FeatureParams associated with kLimitOpenUDPSockets.

// Sets the maximum allowed open UDP sockets. Provisioning more sockets than
// this will result in a failure (ERR_INSUFFICIENT_RESOURCES).
NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax;

// Enables a timeout on individual TCP connect attempts, based on
// the parameter values.
NET_EXPORT extern const base::Feature kTimeoutTcpConnectAttempt;

// FeatureParams associated with kTimeoutTcpConnectAttempt.

// When there is an estimated RTT available, the experimental TCP connect
// attempt timeout is calculated as:
//
//  clamp(kTimeoutTcpConnectAttemptMin,
//        kTimeoutTcpConnectAttemptMax,
//        <Estimated RTT> * kTimeoutTcpConnectAttemptRTTMultiplier);
//
// Otherwise the TCP connect attempt timeout is set to
// kTimeoutTcpConnectAttemptMax.
NET_EXPORT extern const base::FeatureParam<double>
    kTimeoutTcpConnectAttemptRTTMultiplier;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kTimeoutTcpConnectAttemptMin;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kTimeoutTcpConnectAttemptMax;

}  // namespace features
}  // namespace net

#endif  // NET_BASE_FEATURES_H_