Force usage of HTTPS for Google services.

This is effectively a revert of http://crrev.com/136205 , switching back to searchdomaincheck "format=domain" from "format=url", but this time using HTTPS instead of HTTP. Note that in general this should have no visible effect, since for Chrome 25+ searchdomaincheck is supposed to be sending "https..." URLs anyway. The only difference is that, if searchdomaincheck is never accessed, the "out of the box" default value for the Google homepage switches from "http://www.google.com/" to "https://www.google.com/". This shouldn't cause any additional bustage to existing users, since Google search over HTTP will just redirect to HTTPS anyway, so anyone whose network doesn't support HTTPS accesses is already seeing broken behavior. (For the same reason, this means even the "out of the box default" change noted above shouldn't really be visible to end users.) It's still possible for users to "downgrade" Google searches to HTTP using the nosslsearch mechanism, but that's not in scope for Chrome to address. BUG=364183 TEST=none TBR=isherman Review URL: https://codereview.chromium.org/263023002 Cr-Commit-Position: refs/heads/master@{#314721}

Force usage of HTTPS for Google services.
This is effectively a revert of http://crrev.com/136205 , switching back to searchdomaincheck "format=domain" from "format=url", but this time using HTTPS instead of HTTP. Note that in general this should have no visible effect, since for Chrome 25+ searchdomaincheck is supposed to be sending "https..." URLs anyway. The only difference is that, if searchdomaincheck is never accessed, the "out of the box" default value for the Google homepage switches from "http://www.google.com/" to "https://www.google.com/". This shouldn't cause any additional bustage to existing users, since Google search over HTTP will just redirect to HTTPS anyway, so anyone whose network doesn't support HTTPS accesses is already seeing broken behavior. (For the same reason, this means even the "out of the box default" change noted above shouldn't really be visible to end users.) It's still possible for users to "downgrade" Google searches to HTTP using the nosslsearch mechanism, but that's not in scope for Chrome to address. BUG=364183 TEST=none TBR=isherman Review URL: https://codereview.chromium.org/263023002 Cr-Commit-Position: refs/heads/master@{#314721}
2d834f82 · pkasting · Commit bot · da4b8ca7 · 2d834f82 · 2d834f82
Commit 2d834f82 authored Feb 04, 2015 by pkasting Committed by Commit bot Feb 05, 2015
2 changed files
--- a/components/google/core/browser/google_url_tracker.cc
+++ b/components/google/core/browser/google_url_tracker.cc
@@ -17,9 +17,9 @@


 const char GoogleURLTracker::kDefaultGoogleHomepage[] =
-    "http://www.google.com/";
+    "https://www.google.com/";
 const char GoogleURLTracker::kSearchDomainCheckURL[] =
-    "https://www.google.com/searchdomaincheck?format=url&type=chrome";
+    "https://www.google.com/searchdomaincheck?format=domain&type=chrome";

 GoogleURLTracker::GoogleURLTracker(scoped_ptr<GoogleURLTrackerClient> client,
                                   Mode mode)
@@ -81,16 +81,16 @@ void GoogleURLTracker::OnURLFetchComplete(const net::URLFetcher* source) {
    return;
  }

-  // See if the response data was valid.  It should be
-  // "<scheme>://[www.]google.<TLD>/".
+  // See if the response data was valid.  It should be ".google.<TLD>".
  std::string url_str;
  source->GetResponseAsString(&url_str);
  base::TrimWhitespace(url_str, base::TRIM_ALL, &url_str);
-  GURL url(url_str);
+  if (!StartsWithASCII(url_str, ".google.", false))
+    return;
+  GURL url("https://www" + url_str);
  if (!url.is_valid() || (url.path().length() > 1) || url.has_query() ||
      url.has_ref() ||
-      !google_util::IsGoogleDomainUrl(url,
-                                      google_util::DISALLOW_SUBDOMAIN,
+      !google_util::IsGoogleDomainUrl(url, google_util::DISALLOW_SUBDOMAIN,
                                      google_util::DISALLOW_NON_STANDARD_PORTS))
    return;


--- a/components/google/core/browser/google_url_tracker_unittest.cc
+++ b/components/google/core/browser/google_url_tracker_unittest.cc
@@ -207,7 +207,7 @@ TEST_F(GoogleURLTrackerTest, DontFetchWhenNoOneRequestsCheck) {
  FinishSleep();
  // No one called RequestServerCheck() so nothing should have happened.
  EXPECT_FALSE(GetFetcher());
-  MockSearchDomainCheckResponse("http://www.google.co.uk/");
+  MockSearchDomainCheckResponse(".google.co.uk");
  EXPECT_EQ(GURL(GoogleURLTracker::kDefaultGoogleHomepage), google_url());
  EXPECT_FALSE(listener_notified());
 }
@@ -219,13 +219,13 @@ TEST_F(GoogleURLTrackerTest, Update) {
  EXPECT_FALSE(listener_notified());

  FinishSleep();
-  MockSearchDomainCheckResponse("http://www.google.co.uk/");
-  EXPECT_EQ(GURL("http://www.google.co.uk/"), google_url());
+  MockSearchDomainCheckResponse(".google.co.uk");
+  EXPECT_EQ(GURL("https://www.google.co.uk/"), google_url());
  EXPECT_TRUE(listener_notified());
 }

 TEST_F(GoogleURLTrackerTest, DontUpdateWhenUnchanged) {
-  GURL original_google_url("http://www.google.co.uk/");
+  GURL original_google_url("https://www.google.co.uk/");
  set_google_url(original_google_url);

  RequestServerCheck();
@@ -234,14 +234,14 @@ TEST_F(GoogleURLTrackerTest, DontUpdateWhenUnchanged) {
  EXPECT_FALSE(listener_notified());

  FinishSleep();
-  MockSearchDomainCheckResponse(original_google_url.spec());
+  MockSearchDomainCheckResponse(".google.co.uk");
  EXPECT_EQ(original_google_url, google_url());
  // No one should be notified, because the new URL matches the old.
  EXPECT_FALSE(listener_notified());
 }

-TEST_F(GoogleURLTrackerTest, DontPromptOnBadReplies) {
-  GURL original_google_url("http://www.google.co.uk/");
+TEST_F(GoogleURLTrackerTest, DontUpdateOnBadReplies) {
+  GURL original_google_url("https://www.google.co.uk/");
  set_google_url(original_google_url);

  RequestServerCheck();
@@ -249,33 +249,39 @@ TEST_F(GoogleURLTrackerTest, DontPromptOnBadReplies) {
  EXPECT_EQ(original_google_url, google_url());
  EXPECT_FALSE(listener_notified());

-  // Old-style domain string.
+  // Old-style URL string.
  FinishSleep();
-  MockSearchDomainCheckResponse(".google.co.in");
+  MockSearchDomainCheckResponse("https://www.google.com/");
  EXPECT_EQ(original_google_url, google_url());
  EXPECT_FALSE(listener_notified());

-  // Bad subdomain.
+  // Not a Google domain.
+  FinishSleep();
+  MockSearchDomainCheckResponse(".google.evil.com");
+  EXPECT_EQ(original_google_url, google_url());
+  EXPECT_FALSE(listener_notified());
+
+  // Doesn't start with .google.
  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://mail.google.com/");
+  MockSearchDomainCheckResponse(".mail.google.com");
  EXPECT_EQ(original_google_url, google_url());
  EXPECT_FALSE(listener_notified());

  // Non-empty path.
  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://www.google.com/search");
+  MockSearchDomainCheckResponse(".google.com/search");
  EXPECT_EQ(original_google_url, google_url());
  EXPECT_FALSE(listener_notified());

  // Non-empty query.
  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://www.google.com/?q=foo");
+  MockSearchDomainCheckResponse(".google.com/?q=foo");
  EXPECT_EQ(original_google_url, google_url());
  EXPECT_FALSE(listener_notified());

  // Non-empty ref.
  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://www.google.com/#anchor");
+  MockSearchDomainCheckResponse(".google.com/#anchor");
  EXPECT_EQ(original_google_url, google_url());
  EXPECT_FALSE(listener_notified());

@@ -289,14 +295,14 @@ TEST_F(GoogleURLTrackerTest, DontPromptOnBadReplies) {
 TEST_F(GoogleURLTrackerTest, RefetchOnNetworkChange) {
  RequestServerCheck();
  FinishSleep();
-  MockSearchDomainCheckResponse("http://www.google.co.uk/");
-  EXPECT_EQ(GURL("http://www.google.co.uk/"), google_url());
+  MockSearchDomainCheckResponse(".google.co.uk");
+  EXPECT_EQ(GURL("https://www.google.co.uk/"), google_url());
  EXPECT_TRUE(listener_notified());
  clear_listener_notified();

  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://www.google.co.in/");
-  EXPECT_EQ(GURL("http://www.google.co.in/"), google_url());
+  MockSearchDomainCheckResponse(".google.co.in");
+  EXPECT_EQ(GURL("https://www.google.co.in/"), google_url());
  EXPECT_TRUE(listener_notified());
 }

@@ -305,7 +311,7 @@ TEST_F(GoogleURLTrackerTest, DontRefetchWhenNoOneRequestsCheck) {
  NotifyNetworkChanged();
  // No one called RequestServerCheck() so nothing should have happened.
  EXPECT_FALSE(GetFetcher());
-  MockSearchDomainCheckResponse("http://www.google.co.uk/");
+  MockSearchDomainCheckResponse(".google.co.uk");
  EXPECT_EQ(GURL(GoogleURLTracker::kDefaultGoogleHomepage), google_url());
  EXPECT_FALSE(listener_notified());
 }
@@ -313,33 +319,33 @@ TEST_F(GoogleURLTrackerTest, DontRefetchWhenNoOneRequestsCheck) {
 TEST_F(GoogleURLTrackerTest, FetchOnLateRequest) {
  FinishSleep();
  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://www.google.co.jp/");
+  MockSearchDomainCheckResponse(".google.co.jp");

  RequestServerCheck();
  // The first request for a check should trigger a fetch if it hasn't happened
  // already.
-  MockSearchDomainCheckResponse("http://www.google.co.uk/");
-  EXPECT_EQ(GURL("http://www.google.co.uk/"), google_url());
+  MockSearchDomainCheckResponse(".google.co.uk");
+  EXPECT_EQ(GURL("https://www.google.co.uk/"), google_url());
  EXPECT_TRUE(listener_notified());
 }

 TEST_F(GoogleURLTrackerTest, DontFetchTwiceOnLateRequests) {
  FinishSleep();
  NotifyNetworkChanged();
-  MockSearchDomainCheckResponse("http://www.google.co.jp/");
+  MockSearchDomainCheckResponse(".google.co.jp");

  RequestServerCheck();
  // The first request for a check should trigger a fetch if it hasn't happened
  // already.
-  MockSearchDomainCheckResponse("http://www.google.co.uk/");
-  EXPECT_EQ(GURL("http://www.google.co.uk/"), google_url());
+  MockSearchDomainCheckResponse(".google.co.uk");
+  EXPECT_EQ(GURL("https://www.google.co.uk/"), google_url());
  EXPECT_TRUE(listener_notified());
  clear_listener_notified();

  RequestServerCheck();
  // The second request should be ignored.
  EXPECT_FALSE(GetFetcher());
-  MockSearchDomainCheckResponse("http://www.google.co.in/");
-  EXPECT_EQ(GURL("http://www.google.co.uk/"), google_url());
+  MockSearchDomainCheckResponse(".google.co.in");
+  EXPECT_EQ(GURL("https://www.google.co.uk/"), google_url());
  EXPECT_FALSE(listener_notified());
 }