From: uazo
Date: Tue, 1 Aug 2023 13:56:42 +0000
Subject: Disable remote altsvc for h3 connections and only sets the use of port 443
License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
---
 net/http/http_server_properties_manager.cc | 2 +-
 net/http/http_stream_factory_job_controller.cc | 9 ++-------
 net/quic/quic_context.h | 2 +-
 3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/net/http/http_server_properties_manager.cc b/net/http/http_server_properties_manager.cc
--- a/net/http/http_server_properties_manager.cc
+++ b/net/http/http_server_properties_manager.cc
@@ -38,7 +38,7 @@ const int kMissingVersion = 0;
 const int kVersionNumber = 5;
 // Persist at most 200 currently-broken alternative services to disk.
-const int kMaxBrokenAlternativeServicesToPersist = 200;
+const int kMaxBrokenAlternativeServicesToPersist = 0;
 const char kServerKey[] = "server";
 const char kQuicServerIdKey[] = "server_id";
diff --git a/net/http/http_stream_factory_job_controller.cc b/net/http/http_stream_factory_job_controller.cc
--- a/net/http/http_stream_factory_job_controller.cc
+++ b/net/http/http_stream_factory_job_controller.cc
@@ -1233,11 +1233,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
 // single user on a multi-user system to hijack the alternate protocol.
 // These systems also enforce ports <1024 as restricted ports. So don't
 // allow protocol upgrades to user-controllable ports.
- const int kUnrestrictedPort = 1024;
- if (!session_->params().enable_user_alternate_protocol_ports &&
- (alternative_service_info.alternative_service().port >=
- kUnrestrictedPort &&
- original_url.EffectiveIntPort() < kUnrestrictedPort))
+ if (alternative_service_info.alternative_service().port != 443)
 continue;
 if (alternative_service_info.protocol() == kProtoHTTP2) {
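Review bot: The comment directly above the changed constant still says "Persist at most 200 currently-broken alternative services to disk." while the value is now 0, so the comment contradicts the code; change it to `// Do not persist currently-broken alternative services to disk.` The code that consumes kMaxBrokenAlternativeServicesToPersist is outside the hunk, so I cannot confirm from here that 0 is treated as "persist none" rather than as an unlimited/sentinel value; the loop that reads it should be checked and a test added that the persisted broken-alt-svc list stays empty. Presumably broken-alternative-service state then no longer survives a browser restart, meaning an alternative that was marked broken may be retried once after startup; that is acceptable given the rest of this patch only admits same-host port-443 alternates, but it is worth stating in the commit message.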
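Review bot: The three context comment lines above the new check still describe the deleted <1024 restricted-port rule, and `session_->params().enable_user_alternate_protocol_ports` is no longer consulted, so the comment is now misleading and that parameter silently has no effect at this site. Replace the comment with one that states the new policy, e.g. `// Only accept alternative services on port 443; any other port is ignored regardless of enable_user_alternate_protocol_ports.`, and name the literal next to the check, e.g. `constexpr int kHttpsPort = 443;`. The new rule is stricter than the old one (alternates on any port other than 443 are dropped even when the origin itself is on an unprivileged port), which is sound for the multi-user hijack case the old comment describes since 443 is a restricted port there, but callers and tests that set enable_user_alternate_protocol_ports should be reviewed for now-dead expectations. GetAlternativeServiceInfoInternal starts and ends outside the hunk.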
@@ -1274,8 +1270,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
 GURL destination = CreateAltSvcUrl(
 original_url, alternative_service_info.host_port_pair());
- if (session_key.host() != destination.host_piece() &&
- !session_->context().quic_context->params()->allow_remote_alt_svc) {
+ if (session_key.host() != destination.host_piece()) {
 continue;
 }
 RewriteUrlWithHostMappingRules(destination);
diff --git a/net/quic/quic_context.h b/net/quic/quic_context.h
--- a/net/quic/quic_context.h
+++ b/net/quic/quic_context.h
@@ -179,7 +179,7 @@ struct NET_EXPORT QuicParams {
 bool allow_server_migration = false;
 // If true, allows QUIC to use alternative services with a different
 // hostname from the origin.
- bool allow_remote_alt_svc = true;
+ bool allow_remote_alt_svc = false; // Disabled by default
 // If true, estimate the initial RTT for QUIC connections based on network.
 bool estimate_initial_rtt = false;
 // The initial rtt that will be used in crypto handshake if no cached
-- 
2.25.1
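Review bot: Dropping the `allow_remote_alt_svc` term makes the same-host requirement unconditional, so the QuicParams flag of that name is no longer read at this site and any code or test that sets it to true will silently get no cross-host alternates. Either keep the flag in the condition (the new default of false in quic_context.h already yields the same behaviour, and an explicit opt-in keeps working) or remove the field altogether, rather than leaving a switch that does nothing; if the check stays as written, add `// Cross-host alternative services are never honoured here; allow_remote_alt_svc is intentionally ignored.` above it. A regression test that an Alt-Svc header naming a different host is ignored for an HTTP/3 origin would pin the intended behaviour. GetAlternativeServiceInfoInternal starts and ends outside the hunk.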
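Review bot: The trailing `// Disabled by default` on the new line only restates the initializer, while the doc comment above still presents the field as a live option even though this patch also removes the only visible read of it in http_stream_factory_job_controller.cc. Replace the two comment lines and the trailing comment with a doc comment that says what a reader needs, e.g. `// Cross-host alternative services are never used; this flag is retained for compatibility and currently has no effect.` — hedged, since other readers of the flag may exist outside this patch and should be grepped for before the wording is finalised. If none exist, deleting the field is cleaner than keeping a dead knob whose name promises a behaviour. QuicParams continues outside the hunk.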