JoJo
/
LeOSium_webview
1
0
Fork 0
Code Pull Requests Packages Projects Releases 2 Wiki Activity
LeOSium_webview/LeOS/patches/Enable-Certificate-Transpar...

248 lines
11 KiB
Diff
Raw Normal View History

creation
2023-11-18 11:46:19 +01:00
From: csagan5 <32685696+csagan5@users.noreply.github.com>
Date: Fri, 10 Jun 2022 14:20:02 +0200
Subject: Enable Certificate Transparency
Reporting/auditing functionalities are disabled; a flag is exposed.
Add guard to make sure that certificate transparency stays enabled
by default.
License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
---
chrome/browser/about_flags.cc | 5 +++++
chrome/browser/browser_features.cc | 13 +++++++------
chrome/browser/browser_features.h | 1 +
chrome/browser/flag_descriptions.cc | 6 +++++-
chrome/browser/flag_descriptions.h | 5 ++++-
.../browser/net/system_network_context_manager.cc | 6 +-----
chrome/browser/ssl/sct_reporting_service.cc | 5 +++++
chrome/common/chrome_features.cc | 10 ++--------
net/http/transport_security_state.cc | 5 +++--
net/url_request/report_sender.cc | 3 ++-
services/network/network_context.cc | 2 +-
.../network/sct_auditing/sct_auditing_handler.cc | 2 ++
12 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -9878,6 +9878,11 @@ const FeatureEntry kFeatureEntries[] = {
flag_descriptions::kWebMidiDescription, kOsAll,
FEATURE_VALUE_TYPE(features::kWebMidi)},
+ {"certificate-transparency-enabled",
+ flag_descriptions::kCTEnabledName,
+ flag_descriptions::kCTEnabledDescription, kOsAll,
+ FEATURE_VALUE_TYPE(features::kCertificateTransparency)},
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
{"dns-over-https-with-identifiers-reuse-old-policy",
flag_descriptions::kDnsOverHttpsWithIdentifiersReuseOldPolicyName,
diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc
--- a/chrome/browser/browser_features.cc
+++ b/chrome/browser/browser_features.cc
@@ -77,6 +77,11 @@ BASE_FEATURE(kEnableUniveralLinks,
base::FEATURE_ENABLED_BY_DEFAULT);
#endif
+// Enables Certificate Transparency
+BASE_FEATURE(kCertificateTransparency,
+ "CertificateTransparency", // must be enabled
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
// Enables reading and writing PWA notification permissions from quick settings
// menu.
@@ -177,12 +182,8 @@ BASE_FEATURE(kWebUsbDeviceDetection,
// update the list of accepted logs. Embedders who are planning to enable this
// should first reach out to chrome-certificate-transparency@google.com.
BASE_FEATURE(kCertificateTransparencyAskBeforeEnabling,
- "CertificateTransparencyAskBeforeEnabling",
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
- base::FEATURE_ENABLED_BY_DEFAULT);
-#else
- base::FEATURE_DISABLED_BY_DEFAULT);
-#endif // BUILDFLAG(GOOGLE_CHROME_BRANDING)
+ "CertificateTransparencyAskBeforeEnabling", // enabled
+ base::FEATURE_ENABLED_BY_DEFAULT); // by default
BASE_FEATURE(kLargeFaviconFromGoogle,
"LargeFaviconFromGoogle",
diff --git a/chrome/browser/browser_features.h b/chrome/browser/browser_features.h
--- a/chrome/browser/browser_features.h
+++ b/chrome/browser/browser_features.h
@@ -58,6 +58,7 @@ BASE_DECLARE_FEATURE(kTabCaptureBlueBorderCrOS);
BASE_DECLARE_FEATURE(kWebUsbDeviceDetection);
+BASE_DECLARE_FEATURE(kCertificateTransparency);
BASE_DECLARE_FEATURE(kCertificateTransparencyAskBeforeEnabling);
BASE_DECLARE_FEATURE(kLargeFaviconFromGoogle);
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -7760,7 +7760,11 @@ const char kAutofillCreditCardUploadDescription[] =
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
-#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)
+const char kCTEnabledName[] = "Enable Certificate Transparency";
+const char kCTEnabledDescription[] =
+ "Enables compliance against the Certificate Transparency Policy, with reporting disabled.";
+
const char kElasticOverscrollName[] = "Elastic Overscroll";
const char kElasticOverscrollDescription[] =
"Enables Elastic Overscrolling on touchscreens and precision touchpads.";
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -4496,7 +4496,10 @@ extern const char kAutofillCreditCardUploadDescription[];
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
-#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)
+extern const char kCTEnabledName[];
+extern const char kCTEnabledDescription[];
+
extern const char kElasticOverscrollName[];
extern const char kElasticOverscrollDescription[];
#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
--- a/chrome/browser/net/system_network_context_manager.cc
+++ b/chrome/browser/net/system_network_context_manager.cc
@@ -957,7 +957,6 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
if (certificate_transparency_enabled_for_testing_.has_value())
return certificate_transparency_enabled_for_testing_.value();
-#if defined(OFFICIAL_BUILD)
// TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD
// check now that enforcement does not rely on build dates.
// Certificate Transparency is enabled:
@@ -965,10 +964,7 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
// - on an opt-in basis for other builds and embedders, controlled with the
// kCertificateTransparencyAskBeforeEnabling flag
return base::FeatureList::IsEnabled(
- features::kCertificateTransparencyAskBeforeEnabling);
-#else
- return false;
-#endif // defined(OFFICIAL_BUILD)
+ features::kCertificateTransparency);
}
#if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc
--- a/chrome/browser/ssl/sct_reporting_service.cc
+++ b/chrome/browser/ssl/sct_reporting_service.cc
@@ -211,6 +211,11 @@ void SetSCTAuditingEnabledForStoragePartition(
} // namespace
network::mojom::SCTAuditingMode SCTReportingService::GetReportingMode() {
+ if ((true)) {
+ // always disabled in Bromite
+ return network::mojom::SCTAuditingMode::kDisabled;
+ }
+
if (profile_->IsOffTheRecord() ||
!base::FeatureList::IsEnabled(features::kSCTAuditing)) {
return network::mojom::SCTAuditingMode::kDisabled;
diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
--- a/chrome/common/chrome_features.cc
+++ b/chrome/common/chrome_features.cc
@@ -1127,15 +1127,9 @@ BASE_FEATURE(kSchedulerConfiguration,
base::FEATURE_DISABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
-// Controls whether SCT audit reports are queued and the rate at which they
-// should be sampled. Default sampling rate is 1/10,000 certificates.
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && !BUILDFLAG(IS_ANDROID)
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_ENABLED_BY_DEFAULT);
-#else
// This requires backend infrastructure and a data collection policy.
// Non-Chrome builds should not use Chrome's infrastructure.
BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT);
-#endif
constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
&kSCTAuditing, "sampling_rate", 0.0001};
@@ -1144,8 +1138,8 @@ constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
// about an SCT seen in the wild. If it hasn't been seen, then it is considered
// a security incident and uploaded to Google.
BASE_FEATURE(kSCTAuditingHashdance,
- "SCTAuditingHashdance",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "SCTAuditingHashdance", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
// An estimated high bound for the time it takes Google to ingest updates to an
// SCT log. Chrome will wait for at least this time plus the Log's Maximum Merge
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -329,6 +329,7 @@ class HSTSPreloadDecoder : public net::extras::PreloadDecoder {
bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
+#error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled"
if (g_hsts_source == nullptr)
return false;
#endif
@@ -374,8 +375,8 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
// static
BASE_FEATURE(kCertificateTransparencyEnforcement,
- "CertificateTransparencyEnforcement",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "CertificateTransparencyEnforcement", // must be enabled
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
void SetTransportSecurityStateSourceForTesting(
const TransportSecurityStateSource* source) {
diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc
--- a/net/url_request/report_sender.cc
+++ b/net/url_request/report_sender.cc
@@ -87,7 +87,8 @@ void ReportSender::Send(
URLRequest* raw_url_request = url_request.get();
inflight_requests_[raw_url_request] = std::move(url_request);
- raw_url_request->Start();
+ // pretend that request completed
+ OnResponseStarted(raw_url_request, OK);
}
void ReportSender::OnResponseStarted(URLRequest* request, int net_error) {
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -2796,7 +2796,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
// TransportSecurityState. Since no requests have been made yet, safe to do
// this even after the call to Build().
- if (params_->enable_certificate_reporting) {
+ if ((false) /* params_->enable_certificate_reporting*/) {
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
semantics {
diff --git a/services/network/sct_auditing/sct_auditing_handler.cc b/services/network/sct_auditing/sct_auditing_handler.cc
--- a/services/network/sct_auditing/sct_auditing_handler.cc
+++ b/services/network/sct_auditing/sct_auditing_handler.cc
@@ -109,6 +109,7 @@ void SCTAuditingHandler::MaybeEnqueueReport(
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
return;
}
+ if ((true)) return;
// Only audit valid SCTs. This ensures that they come from a known log, have
// a valid signature, and thus are expected to be public certificates. If
@@ -324,6 +325,7 @@ void SCTAuditingHandler::AddReporter(
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
return;
}
+ if ((true)) return;
auto reporter = std::make_unique<SCTAuditingReporter>(
owner_network_context_, reporter_key, std::move(report),
--
2.25.1