Legacy TLS: Lookup control sites by eTLD+1

Bug: 1055906
Change-Id: I974c8cc5993299a6611c4bd14f515c865d9bef02
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2073218Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Christopher Thompson <cthomp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#745226}

chrome/browser/ssl/ssl_browsertest.cc

@@ -7453,6 +7453,30 @@ IN_PROC_BROWSER_TEST_F(LegacyTLSInterstitialTest, LegacyTLSNotFatal) {
   EXPECT_EQ(security_interstitials::CMD_TEXT_FOUND, result);
 }
 
+// Tests that the legacy TLS control config applies to subdomains if the
+// registrable domain is in the control config.
+IN_PROC_BROWSER_TEST_F(LegacyTLSInterstitialTest,
+                       ControlConfigIncludesSubdomains) {
+  InitializeLegacyTLSConfigWithControl();
+  base::RunLoop run_loop;
+  InitializeLegacyTLSConfigWithControlNetworkService(&run_loop);
+
+  SetTLSVersion(net::SSL_PROTOCOL_VERSION_TLS1);
+  ASSERT_TRUE(https_server()->Start());
+
+  base::HistogramTester histograms;
+
+  ui_test_utils::NavigateToURL(
+      browser(), https_server()->GetURL(std::string("www.") + kLegacyTLSHost,
+                                        "/ssl/google.html"));
+  auto* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  EXPECT_FALSE(
+      chrome_browser_interstitials::IsShowingLegacyTLSInterstitial(tab));
+
+  // Interstitial metrics should not have been recorded from this navigation.
+  histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 0);
+}
+
 // Checks that SimpleURLLoader, which uses services/network/url_loader.cc, goes
 // through the new NetworkServiceClient interface to deliver cert error
 // notifications to the browser which then overrides the certificate error.

services/network/legacy_tls_config_distributor.cc

@@ -17,6 +17,7 @@
 #include "base/task/task_traits.h"
 #include "base/task/thread_pool.h"
 #include "crypto/sha2.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 
 namespace network {
 
@@ -50,8 +51,16 @@ scoped_refptr<LegacyTLSExperimentConfig> LegacyTLSExperimentConfig::Parse(
 
 bool LegacyTLSExperimentConfig::ShouldSuppressLegacyTLSWarning(
     const std::string& hostname) const {
+  // Match on eTLD+1 rather than full hostname (to account for subdomains and
+  // redirects). If no registrable domain is found, default to using the
+  // hostname as-is.
+  auto domain = net::registry_controlled_domains::GetDomainAndRegistry(
+      hostname, net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
+  if (domain.empty())
+    domain = hostname;
+
   // Convert bytes from crypto::SHA256 so we can compare to the proto contents.
-  std::string host_hash_bytes = crypto::SHA256HashString(hostname);
+  std::string host_hash_bytes = crypto::SHA256HashString(domain);
   std::string host_hash = base::ToLowerASCII(
       base::HexEncode(host_hash_bytes.data(), host_hash_bytes.size()));
   const auto& control_site_hashes = proto_.control_site_hashes();