Do not require Expect-CT report-uris to be quoted

Requiring quoted URLs was cargo-culted from the HPKP implementation. The HPKP spec does not actually say that report-uris must be quoted -- it's simply that all the examples quote them. So it's possibly a bug that Chrome's HPKP implementation requires quoted report-uris. The Expect-CT spec doesn't say anything about quoting report-uris nor do I see a reason that it should, so Chrome's implementation shouldn't require them. BUG=679012 Review-Url: https://codereview.chromium.org/2895373002 Cr-Commit-Position: refs/heads/master@{#473959}

Do not require Expect-CT report-uris to be quoted
Requiring quoted URLs was cargo-culted from the HPKP implementation. The HPKP spec does not actually say that report-uris must be quoted -- it's simply that all the examples quote them. So it's possibly a bug that Chrome's HPKP implementation requires quoted report-uris. The Expect-CT spec doesn't say anything about quoting report-uris nor do I see a reason that it should, so Chrome's implementation shouldn't require them. BUG=679012 Review-Url: https://codereview.chromium.org/2895373002 Cr-Commit-Position: refs/heads/master@{#473959}
8ed54359 · estark · Commit bot · c5f564e3 · 8ed54359 · 8ed54359
Commit 8ed54359 authored May 23, 2017 by estark Committed by Commit bot May 23, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

net/http/http_security_headers.cc net/http/http_security_headers.cc +1 -4

net/http/http_security_headers_unittest.cc net/http/http_security_headers_unittest.cc +9 -2

No files found.
--- a/net/http/http_security_headers.cc
+++ b/net/http/http_security_headers.cc
@@ -368,7 +368,7 @@ bool ParseHPKPReportOnlyHeader(const std::string& value,
 // "Expect-CT" ":"
 //     "max-age" "=" delta-seconds
 //     [ "," "enforce" ]
-//     [ "," "report-uri" "=" uri-reference ]
+//     [ "," "report-uri" "=" absolute-URI ]
 bool ParseExpectCTHeader(const std::string& value,
                         base::TimeDelta* max_age,
                         bool* enforce,
@@ -413,9 +413,6 @@ bool ParseExpectCTHeader(const std::string& value,
      // field."
      if (has_report_uri)
        return false;
-      // report-uris are always quoted.
-      if (!name_value_pairs.value_is_quoted())
-        return false;

      has_report_uri = true;
      parsed_report_uri = GURL(base::StringPiece(name_value_pairs.value_begin(),

--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -994,8 +994,6 @@ TEST_F(HttpSecurityHeadersTest, BogusExpectCTHeaders) {
                                   &max_age, &enforce, &report_uri));
  EXPECT_FALSE(ParseExpectCTHeader("max-age=999, report-uri=\"foo;bar\"",
                                   &max_age, &enforce, &report_uri));
-  EXPECT_FALSE(ParseExpectCTHeader("max-age=999, report-uri=http://blah",
-                                   &max_age, &enforce, &report_uri));
  EXPECT_FALSE(ParseExpectCTHeader("max-age=999, report-uri=\"\"", &max_age,
                                   &enforce, &report_uri));

@@ -1085,6 +1083,15 @@ TEST_F(HttpSecurityHeadersTest, ValidExpectCTHeaders) {
  EXPECT_TRUE(enforce);
  EXPECT_EQ(GURL("https://foo.test"), report_uri);

+  enforce = false;
+  report_uri = GURL();
+  EXPECT_TRUE(
+      ParseExpectCTHeader("enforce,report-uri=https://foo.test,max-age=123",
+                          &max_age, &enforce, &report_uri));
+  EXPECT_EQ(base::TimeDelta::FromSeconds(123), max_age);
+  EXPECT_TRUE(enforce);
+  EXPECT_EQ(GURL("https://foo.test"), report_uri);
+
  report_uri = GURL();
  enforce = false;
  EXPECT_TRUE(ParseExpectCTHeader("report-uri=\"https://foo.test\",max-age=123",