Move Expect-CT to services/network so that it can work with the network service.

Bug: 844032
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I20c4e95fb05cf87109050f7905fb6a5b468dbf91
Reviewed-on: https://chromium-review.googlesource.com/1102172Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Ramin Halavati <rhalavati@chromium.org>
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#568058}

build/android/pylib/gtest/filter/unit_tests_disabled

@@ -76,8 +76,5 @@ SyncSearchEngineDataTypeControllerTest.*
 # crbug.com/256259
 DiagnosticsModelTest.RunAll
 
-# crbug.com/758996
-ChromeExpectCTReporterTest.*
-
 # Death tests are not supported with apks.
 *DeathTest*

chrome/browser/BUILD.gn

@@ -1408,8 +1408,6 @@ jumbo_split_static_library("browser") {
     "ssl/certificate_error_report.h",
     "ssl/certificate_error_reporter.cc",
     "ssl/certificate_error_reporter.h",
-    "ssl/chrome_expect_ct_reporter.cc",
-    "ssl/chrome_expect_ct_reporter.h",
     "ssl/chrome_ssl_host_state_delegate.cc",
     "ssl/chrome_ssl_host_state_delegate.h",
     "ssl/chrome_ssl_host_state_delegate_factory.cc",

chrome/browser/net/profile_network_context_service.cc

@@ -216,6 +216,7 @@ ProfileNetworkContextService::CreateNetworkContextParams(
   proxy_config_monitor_.AddToNetworkContextParams(network_context_params.get());
 
   network_context_params->enable_certificate_reporting = true;
+  network_context_params->enable_expect_ct_reporting = true;
 
   return network_context_params;
 }

chrome/browser/profiles/profile_io_data.cc

@@ -42,7 +42,6 @@
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/signin/account_consistency_mode_manager.h"
-#include "chrome/browser/ssl/chrome_expect_ct_reporter.h"
 #include "chrome/common/buildflags.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
@@ -704,15 +703,6 @@ ProfileIOData::~ProfileIOData() {
   if (domain_reliability_monitor_unowned_)
     domain_reliability_monitor_unowned_->Shutdown();
 
-  if (main_request_context_) {
-    main_request_context_->transport_security_state()->SetExpectCTReporter(
-        nullptr);
-    expect_ct_reporter_.reset();
-
-    main_request_context_->transport_security_state()->SetRequireCTDelegate(
-        nullptr);
-  }
-
   // TODO(ajwong): These AssertNoURLRequests() calls are unnecessary since they
   // are already done in the URLRequestContext destructor.
   if (extensions_request_context_)
@@ -1201,15 +1191,6 @@ void ProfileIOData::Init(
           !GetMetricsEnabledStateOnIOThread());
     }
 
-    // Attach some things to the URLRequestContextBuilder's
-    // TransportSecurityState.  Since no requests have been made yet, safe to do
-    // this even after the call to Build().
-
-    expect_ct_reporter_.reset(new ChromeExpectCTReporter(
-        main_request_context_, base::Closure(), base::Closure()));
-    main_request_context_->transport_security_state()->SetExpectCTReporter(
-        expect_ct_reporter_.get());
-
     resource_context_->host_resolver_ =
         io_thread_globals->system_request_context->host_resolver();
     resource_context_->request_context_ = main_request_context_;

chrome/browser/profiles/profile_io_data.h

@@ -41,7 +41,6 @@
 
 class ChromeNetworkDelegate;
 class ChromeURLRequestContextGetter;
-class ChromeExpectCTReporter;
 class HostContentSettingsMap;
 class ProtocolHandlerRegistry;
 
@@ -592,7 +591,6 @@ class ProfileIOData {
   mutable std::unique_ptr<data_reduction_proxy::DataReductionProxyIOData>
       data_reduction_proxy_io_data_;
 
-  mutable std::unique_ptr<ChromeExpectCTReporter> expect_ct_reporter_;
 #if defined(OS_CHROMEOS)
   mutable std::string username_hash_;
   mutable SystemKeySlotUseType system_key_slot_use_type_;

chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc

@@ -11,7 +11,6 @@
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
 #include "chrome/browser/ui/browser.h"
-#include "chrome/common/chrome_features.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "content/public/browser/browser_thread.h"
@@ -20,8 +19,7 @@
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/embedded_test_server/http_response.h"
-#include "net/url_request/url_request_context.h"
-#include "net/url_request/url_request_context_getter.h"
+#include "services/network/public/cpp/features.h"
 
 namespace {
 
@@ -78,6 +76,18 @@ class ExpectCTBrowserTest : public CertVerifierBrowserTest {
     return http_response;
   }
 
+  std::unique_ptr<net::test_server::HttpResponse> TestRequestHandler(
+      const GURL& report_url,
+      const net::test_server::HttpRequest& request) {
+    std::unique_ptr<net::test_server::BasicHttpResponse> http_response(
+        new net::test_server::BasicHttpResponse());
+    http_response->set_code(net::HTTP_OK);
+    std::string header_value = "report-uri=\"";
+    header_value += report_url.spec() + "\", enforce, max-age=3600";
+    http_response->AddCustomHeader("Expect-CT", header_value);
+    return http_response;
+  }
+
  protected:
   void WaitForReport() { run_loop_->Run(); }
 
@@ -94,32 +104,26 @@ class ExpectCTBrowserTest : public CertVerifierBrowserTest {
   DISALLOW_COPY_AND_ASSIGN(ExpectCTBrowserTest);
 };
 
-void AddExpectCTHeaderOnIO(net::URLRequestContextGetter* getter,
-                           const std::string& host,
-                           const GURL& report_uri) {
-  DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
-  net::URLRequestContext* context = getter->GetURLRequestContext();
-  context->transport_security_state()->AddExpectCT(
-      host, base::Time::Now() + base::TimeDelta::FromSeconds(1000), true,
-      report_uri);
-}
-
 // Tests that an Expect-CT reporter is properly set up and used for violations
 // of Expect-CT HTTP headers.
 IN_PROC_BROWSER_TEST_F(ExpectCTBrowserTest, TestDynamicExpectCTReporting) {
   base::test::ScopedFeatureList scoped_feature_list;
   scoped_feature_list.InitWithFeatures(
-      {features::kExpectCTReporting,
+      {network::features::kExpectCTReporting,
        net::TransportSecurityState::kDynamicExpectCTFeature},
       {});
 
-  net::EmbeddedTestServer test_server(net::EmbeddedTestServer::TYPE_HTTPS);
-  ASSERT_TRUE(test_server.Start());
-
   net::EmbeddedTestServer report_server;
   report_server.RegisterRequestHandler(base::Bind(
       &ExpectCTBrowserTest::ReportRequestHandler, base::Unretained(this)));
   ASSERT_TRUE(report_server.Start());
+  GURL report_url = report_server.GetURL("/");
+
+  net::EmbeddedTestServer test_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  test_server.RegisterRequestHandler(
+      base::Bind(&ExpectCTBrowserTest::TestRequestHandler,
+                 base::Unretained(this), report_url));
+  ASSERT_TRUE(test_server.Start());
 
   // Set up the mock cert verifier to accept |test_server|'s certificate as
   // valid and as if it is issued by a known root. (CT checks are skipped for
@@ -131,15 +135,8 @@ IN_PROC_BROWSER_TEST_F(ExpectCTBrowserTest, TestDynamicExpectCTReporting) {
   verify_result.cert_status = 0;
   mock_cert_verifier()->AddResultForCert(cert, verify_result, net::OK);
 
-  // Fire off a task to simulate as if a previous request to |test_server| had
-  // set a valid Expect-CT header.
-  scoped_refptr<net::URLRequestContextGetter> url_request_context_getter =
-      browser()->profile()->GetRequestContext();
-  content::BrowserThread::PostTask(
-      content::BrowserThread::IO, FROM_HERE,
-      base::BindOnce(
-          &AddExpectCTHeaderOnIO, base::RetainedRef(url_request_context_getter),
-          test_server.GetURL("/").host(), report_server.GetURL("/")));
+  // Fire off a request so that |test_server| sets a valid Expect-CT header.
+  ui_test_utils::NavigateToURL(browser(), test_server.GetURL("/"));
 
   // Navigate to a test server URL, which should trigger an Expect-CT report
   // because the test server doesn't serve SCTs.
@@ -155,7 +152,7 @@ IN_PROC_BROWSER_TEST_F(ExpectCTBrowserTest,
                        TestDynamicExpectCTHeaderProcessing) {
   base::test::ScopedFeatureList scoped_feature_list;
   scoped_feature_list.InitWithFeatures(
-      {features::kExpectCTReporting,
+      {network::features::kExpectCTReporting,
        net::TransportSecurityState::kDynamicExpectCTFeature},
       {});
 

chrome/browser/ui/webui/net_internals/DEPS

 include_rules = [
   "+components/onc",
   "+components/user_manager",
+  "+services/network/expect_ct_reporter.h",
 ]

chrome/browser/ui/webui/net_internals/net_internals_ui.cc

@@ -38,7 +38,6 @@
 #include "chrome/browser/net/chrome_network_delegate.h"
 #include "chrome/browser/net/net_export_helper.h"
 #include "chrome/browser/profiles/profile.h"
-#include "chrome/browser/ssl/chrome_expect_ct_reporter.h"
 #include "chrome/common/channel_info.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/url_constants.h"
@@ -73,6 +72,7 @@
 #include "net/proxy_resolution/proxy_resolution_service.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
+#include "services/network/expect_ct_reporter.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/file_manager/filesystem_api_util.h"
@@ -364,7 +364,7 @@ class NetInternalsMessageHandler::IOThreadImpl
   // local variable so that it lives long enough to receive the result of
   // sending a report, which is delivered to the JavaScript via a JavaScript
   // command.
-  std::unique_ptr<ChromeExpectCTReporter> expect_ct_reporter_;
+  std::unique_ptr<network::ExpectCTReporter> expect_ct_reporter_;
 
   DISALLOW_COPY_AND_ASSIGN(IOThreadImpl);
 };
@@ -899,7 +899,7 @@ void NetInternalsMessageHandler::IOThreadImpl::OnExpectCTTestReport(
         std::make_unique<base::Value>("success");
     std::unique_ptr<base::Value> failure =
         std::make_unique<base::Value>("failure");
-    expect_ct_reporter_ = std::make_unique<ChromeExpectCTReporter>(
+    expect_ct_reporter_ = std::make_unique<network::ExpectCTReporter>(
         GetMainContext(),
         base::Bind(
             &NetInternalsMessageHandler::IOThreadImpl::SendJavascriptCommand,

chrome/common/chrome_features.cc

@@ -224,11 +224,6 @@ const base::Feature kDownloadsLocationChange{"DownloadsLocationChange",
                                              base::FEATURE_DISABLED_BY_DEFAULT};
 #endif
 
-// Enables Expect CT reporting, which sends reports for opted-in sites
-// that don't serve sufficient Certificate Transparency information.
-const base::Feature kExpectCTReporting{"ExpectCTReporting",
-                                       base::FEATURE_ENABLED_BY_DEFAULT};
-
 // An experimental way of showing app banners, which has modal banners and gives
 // developers more control over when to show them.
 const base::Feature kExperimentalAppBanners {

chrome/common/chrome_features.h

@@ -118,8 +118,6 @@ extern const base::Feature kDownloadsForeground;
 extern const base::Feature kDownloadsLocationChange;
 #endif
 
-extern const base::Feature kExpectCTReporting;
-
 extern const base::Feature kExperimentalAppBanners;
 
 #if defined(OS_CHROMEOS)

chrome/test/BUILD.gn

@@ -2585,7 +2585,6 @@ test("unit_tests") {
     "../browser/signin/unified_consent_helper_unittest.cc",
     "../browser/ssl/certificate_error_report_unittest.cc",
     "../browser/ssl/certificate_error_reporter_unittest.cc",
-    "../browser/ssl/chrome_expect_ct_reporter_unittest.cc",
     "../browser/ssl/insecure_sensitive_input_driver_unittest.cc",
     "../browser/ssl/security_state_tab_helper_unittest.cc",
     "../browser/ssl/ssl_config_service_manager_pref_unittest.cc",

services/network/BUILD.gn

@@ -28,6 +28,8 @@ component("network_service") {
     "cross_origin_read_blocking.h",
     "data_pipe_element_reader.cc",
     "data_pipe_element_reader.h",
+    "expect_ct_reporter.cc",
+    "expect_ct_reporter.h",
     "http_cache_data_remover.cc",
     "http_cache_data_remover.h",
     "http_server_properties_pref_delegate.cc",
@@ -189,6 +191,7 @@ source_set("tests") {
     "cors/preflight_controller_unittest.cc",
     "cross_origin_read_blocking_unittest.cc",
     "data_pipe_element_reader_unittest.cc",
+    "expect_ct_reporter_unittest.cc",
     "http_cache_data_remover_unittest.cc",
     "ignore_errors_cert_verifier_unittest.cc",
     "keepalive_statistics_recorder_unittest.cc",

services/network/OWNERS

@@ -11,6 +11,8 @@ per-file cross_origin_read_blocking*=creis@chromium.org
 per-file cross_origin_read_blocking*=nick@chromium.org
 per-file cross_origin_read_blocking*=lukasza@chromium.org
 
+per-file expect_ct_reporter*=estark@chromium.org
+
 per-file manifest.json=set noparent
 per-file manifest.json=file://ipc/SECURITY_OWNERS
 per-file *_type_converter*.*=set noparent

chrome/browser/ssl/chrome_expect_ct_reporter.cc → services/network/expect_ct_reporter.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chrome/browser/ssl/chrome_expect_ct_reporter.h"
+#include "services/network/expect_ct_reporter.h"
 
 #include <set>
 #include <string>
@@ -19,13 +19,14 @@
 #include "base/time/time.h"
 #include "base/time/time_to_iso8601.h"
 #include "base/values.h"
-#include "chrome/common/chrome_features.h"
 #include "net/base/load_flags.h"
 #include "net/cert/ct_serialization.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/report_sender.h"
 #include "net/url_request/url_request_context.h"
+#include "services/network/public/cpp/features.h"
 
+namespace network {
 namespace {
 
 // Returns true if |request| contains any of the |allowed_values| in a response
@@ -107,9 +108,8 @@ void AddSCT(const net::SignedCertificateTimestampAndStatus& sct,
   list->Append(std::move(list_item));
 }
 
-constexpr net::NetworkTrafficAnnotationTag
-    kChromeExpectCtReporterTrafficAnnotation =
-        net::DefineNetworkTrafficAnnotation("chrome_expect_ct_reporter", R"(
+constexpr net::NetworkTrafficAnnotationTag kExpectCTReporterTrafficAnnotation =
+    net::DefineNetworkTrafficAnnotation("expect_ct_reporter", R"(
         semantics {
           sender: "Expect-CT reporting for Certificate Transparency reporting"
           description:
@@ -135,20 +135,18 @@ constexpr net::NetworkTrafficAnnotationTag
 
 }  // namespace
 
-ChromeExpectCTReporter::ChromeExpectCTReporter(
-    net::URLRequestContext* request_context,
-    const base::Closure& success_callback,
-    const base::Closure& failure_callback)
-    : report_sender_(
-          new net::ReportSender(request_context,
-                                kChromeExpectCtReporterTrafficAnnotation)),
+ExpectCTReporter::ExpectCTReporter(net::URLRequestContext* request_context,
+                                   const base::Closure& success_callback,
+                                   const base::Closure& failure_callback)
+    : report_sender_(new net::ReportSender(request_context,
+                                           kExpectCTReporterTrafficAnnotation)),
       request_context_(request_context),
       success_callback_(success_callback),
       failure_callback_(failure_callback) {}
 
-ChromeExpectCTReporter::~ChromeExpectCTReporter() {}
+ExpectCTReporter::~ExpectCTReporter() {}
 
-void ChromeExpectCTReporter::OnExpectCTFailed(
+void ExpectCTReporter::OnExpectCTFailed(
     const net::HostPortPair& host_port_pair,
     const GURL& report_uri,
     base::Time expiration,
@@ -192,8 +190,8 @@ void ChromeExpectCTReporter::OnExpectCTFailed(
   SendPreflight(report_uri, serialized_report);
 }
 
-void ChromeExpectCTReporter::OnResponseStarted(net::URLRequest* request,
-                                               int net_error) {
+void ExpectCTReporter::OnResponseStarted(net::URLRequest* request,
+                                         int net_error) {
   auto preflight_it = inflight_preflights_.find(request);
   DCHECK(inflight_preflights_.end() != inflight_preflights_.find(request));
   PreflightInProgress* preflight = preflight_it->second.get();
@@ -226,23 +224,22 @@ void ChromeExpectCTReporter::OnResponseStarted(net::URLRequest* request,
     return;
   }
 
-  report_sender_->Send(preflight->report_uri,
-                       "application/expect-ct-report+json; charset=utf-8",
-                       preflight->serialized_report, success_callback_,
-                       // Since |this| owns the |report_sender_|, it's safe to
-                       // use base::Unretained here: |report_sender_| will be
-                       // destroyed before |this|.
-                       base::Bind(&ChromeExpectCTReporter::OnReportFailure,
-                                  base::Unretained(this)));
+  report_sender_->Send(
+      preflight->report_uri, "application/expect-ct-report+json; charset=utf-8",
+      preflight->serialized_report, success_callback_,
+      // Since |this| owns the |report_sender_|, it's safe to
+      // use base::Unretained here: |report_sender_| will be
+      // destroyed before |this|.
+      base::Bind(&ExpectCTReporter::OnReportFailure, base::Unretained(this)));
   inflight_preflights_.erase(request);
 }
 
-void ChromeExpectCTReporter::OnReadCompleted(net::URLRequest* request,
-                                             int bytes_read) {
+void ExpectCTReporter::OnReadCompleted(net::URLRequest* request,
+                                       int bytes_read) {
   NOTREACHED();
 }
 
-ChromeExpectCTReporter::PreflightInProgress::PreflightInProgress(
+ExpectCTReporter::PreflightInProgress::PreflightInProgress(
     std::unique_ptr<net::URLRequest> request,
     const std::string& serialized_report,
     const GURL& report_uri)
@@ -250,14 +247,13 @@ ChromeExpectCTReporter::PreflightInProgress::PreflightInProgress(
       serialized_report(serialized_report),
       report_uri(report_uri) {}
 
-ChromeExpectCTReporter::PreflightInProgress::~PreflightInProgress() {}
+ExpectCTReporter::PreflightInProgress::~PreflightInProgress() {}
 
-void ChromeExpectCTReporter::SendPreflight(
-    const GURL& report_uri,
-    const std::string& serialized_report) {
+void ExpectCTReporter::SendPreflight(const GURL& report_uri,
+                                     const std::string& serialized_report) {
   std::unique_ptr<net::URLRequest> url_request =
       request_context_->CreateRequest(report_uri, net::DEFAULT_PRIORITY, this,
-                                      kChromeExpectCtReporterTrafficAnnotation);
+                                      kExpectCTReporterTrafficAnnotation);
   url_request->SetLoadFlags(net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE |
                             net::LOAD_DO_NOT_SEND_AUTH_DATA |
                             net::LOAD_DO_NOT_SEND_COOKIES |
@@ -276,10 +272,12 @@ void ChromeExpectCTReporter::SendPreflight(
   raw_request->Start();
 }
 
-void ChromeExpectCTReporter::OnReportFailure(const GURL& report_uri,
-                                             int net_error,
-                                             int http_response_code) {
+void ExpectCTReporter::OnReportFailure(const GURL& report_uri,
+                                       int net_error,
+                                       int http_response_code) {
   base::UmaHistogramSparse("SSL.ExpectCTReportFailure2", -net_error);
   if (!failure_callback_.is_null())
     failure_callback_.Run();
 }
+
+}  // namespace network

chrome/browser/ssl/chrome_expect_ct_reporter.h → services/network/expect_ct_reporter.h

@@ -2,12 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_
-#define CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_
+#ifndef SERVICES_NETWORK_EXPECT_CT_REPORTER_H_
+#define SERVICES_NETWORK_EXPECT_CT_REPORTER_H_
 
 #include <map>
 #include <memory>
 
+#include "base/component_export.h"
 #include "base/macros.h"
 #include "net/http/transport_security_state.h"
 #include "net/url_request/url_request.h"
@@ -17,6 +18,8 @@ class ReportSender;
 class URLRequestContext;
 }  // namespace net
 
+namespace network {
+
 // This class monitors for violations of CT policy and sends reports
 // about failures for sites that have opted in. Must be deleted before
 // the URLRequestContext that is passed to the constructor, so that it
@@ -26,17 +29,17 @@ class URLRequestContext;
 // sends CORS preflight requests before sending reports. Expect-CT is not
 // evaluated with a particular frame or request as context, so the preflight
 // request contains an `Origin: null` header instead of a particular origin.
-class ChromeExpectCTReporter
+class COMPONENT_EXPORT(NETWORK_SERVICE) ExpectCTReporter
     : public net::TransportSecurityState::ExpectCTReporter,
       net::URLRequest::Delegate {
  public:
-  // Constructs a ChromeExpectCTReporter that sends reports with the given
+  // Constructs a ExpectCTReporter that sends reports with the given
   // |request_context|. |success_callback| is called whenever a report sends
   // successfully, and |failure_callback| whenever a report fails to send.
-  ChromeExpectCTReporter(net::URLRequestContext* request_context,
-                         const base::Closure& success_callback,
-                         const base::Closure& failure_callback);
-  ~ChromeExpectCTReporter() override;
+  ExpectCTReporter(net::URLRequestContext* request_context,
+                   const base::Closure& success_callback,
+                   const base::Closure& failure_callback);
+  ~ExpectCTReporter() override;
 
   // net::ExpectCTReporter:
   void OnExpectCTFailed(const net::HostPortPair& host_port_pair,
@@ -68,16 +71,15 @@ class ChromeExpectCTReporter
     const GURL report_uri;
   };
 
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, FeatureDisabled);
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, EmptyReportURI);
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest, SendReport);
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest,
-                           PreflightContainsWhitespace);
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest,
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest, FeatureDisabled);
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest, EmptyReportURI);
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest, SendReport);
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest, PreflightContainsWhitespace);
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest,
                            BadCORSPreflightResponseOrigin);
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest,
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest,
                            BadCORSPreflightResponseMethods);
-  FRIEND_TEST_ALL_PREFIXES(ChromeExpectCTReporterTest,
+  FRIEND_TEST_ALL_PREFIXES(ExpectCTReporterTest,
                            BadCORSPreflightResponseHeaders);
 
   // Starts a CORS preflight request to obtain permission from the server to
@@ -106,7 +108,9 @@ class ChromeExpectCTReporter
   std::map<net::URLRequest*, std::unique_ptr<PreflightInProgress>>
       inflight_preflights_;
 
-  DISALLOW_COPY_AND_ASSIGN(ChromeExpectCTReporter);
+  DISALLOW_COPY_AND_ASSIGN(ExpectCTReporter);
 };
 
-#endif  // CHROME_BROWSER_SSL_CHROME_EXPECT_CT_REPORTER_H_
+}  // namespace network
+
+#endif  // SERVICES_NETWORK_EXPECT_CT_REPORTER_H_

services/network/network_context.cc

@@ -56,6 +56,7 @@
 #include "net/url_request/static_http_user_agent_settings.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_builder.h"
+#include "services/network/expect_ct_reporter.h"
 #include "services/network/http_server_properties_pref_delegate.h"
 #include "services/network/ignore_errors_cert_verifier.h"
 #include "services/network/mojo_net_log.h"
@@ -258,7 +259,7 @@ NetworkContext::NetworkContext(
       network_service->network_quality_estimator(),
       network_service_->GetHttpAuthHandlerFactory(),
       network_service_->sth_reporter(), &ct_tree_tracker_,
-      &require_ct_delegate_, &certificate_report_sender_,
+      &require_ct_delegate_, &certificate_report_sender_, &expect_ct_reporter_,
       &user_agent_settings_);
   url_request_context_ = url_request_context_owner_.url_request_context.get();
 
@@ -316,6 +317,12 @@ NetworkContext::~NetworkContext() {
       certificate_report_sender_.reset();
     }
 
+    if (expect_ct_reporter_) {
+      url_request_context_->transport_security_state()->SetExpectCTReporter(
+          nullptr);
+      expect_ct_reporter_.reset();
+    }
+
     if (require_ct_delegate_) {
       url_request_context_->transport_security_state()->SetRequireCTDelegate(
           nullptr);
@@ -680,6 +687,7 @@ URLRequestContextOwner NetworkContext::ApplyContextParamsToBuilder(
     std::unique_ptr<certificate_transparency::ChromeRequireCTDelegate>*
         out_require_ct_delegate,
     std::unique_ptr<net::ReportSender>* out_certificate_report_sender,
+    std::unique_ptr<ExpectCTReporter>* out_expect_ct_reporter,
     net::StaticHttpUserAgentSettings** out_http_user_agent_settings) {
   if (net_log)
     builder->set_net_log(net_log);
@@ -842,6 +850,10 @@ URLRequestContextOwner NetworkContext::ApplyContextParamsToBuilder(
   auto result =
       URLRequestContextOwner(std::move(pref_service), builder->Build());
 
+  // Attach some things to the URLRequestContextBuilder's
+  // TransportSecurityState.  Since no requests have been made yet, safe to do
+  // this even after the call to Build().
+
   if (network_context_params->enable_certificate_reporting) {
     net::NetworkTrafficAnnotationTag traffic_annotation =
         net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
@@ -877,6 +889,14 @@ URLRequestContextOwner NetworkContext::ApplyContextParamsToBuilder(
         (*out_certificate_report_sender).get());
   }
 
+  if (network_context_params->enable_expect_ct_reporting &&
+      out_expect_ct_reporter) {
+    *out_expect_ct_reporter = std::make_unique<ExpectCTReporter>(
+        result.url_request_context.get(), base::Closure(), base::Closure());
+    result.url_request_context->transport_security_state()->SetExpectCTReporter(
+        (*out_expect_ct_reporter).get());
+  }
+
 #if !defined(OS_IOS)
   if (base::FeatureList::IsEnabled(certificate_transparency::kCTLogAuditing) &&
       out_ct_tree_tracker && sth_reporter && !ct_logs.empty()) {
@@ -1020,7 +1040,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
                        : nullptr,
       network_service_ ? network_service_->sth_reporter() : nullptr,
       &ct_tree_tracker_, &require_ct_delegate_, &certificate_report_sender_,
-      &user_agent_settings_);
+      &expect_ct_reporter_, &user_agent_settings_);
 
   return result;
 }

services/network/network_context.h

@@ -50,6 +50,7 @@ class STHReporter;
 }  // namespace certificate_transparency
 
 namespace network {
+class ExpectCTReporter;
 class NetworkService;
 class ResourceScheduler;
 class ResourceSchedulerClient;
@@ -224,6 +225,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
       std::unique_ptr<certificate_transparency::ChromeRequireCTDelegate>*
           out_require_ct_delegate,
       std::unique_ptr<net::ReportSender>* out_certificate_report_sender,
+      std::unique_ptr<ExpectCTReporter>* out_expect_ct_reporter,
       net::StaticHttpUserAgentSettings** out_http_user_agent_settings);
 
   // Invoked when the HTTP cache was cleared. Invokes |callback|.
@@ -292,6 +294,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
   // URLRequestContext), and must be disconnected from it before it's destroyed.
   std::unique_ptr<net::ReportSender> certificate_report_sender_;
 
+  std::unique_ptr<ExpectCTReporter> expect_ct_reporter_;
+
   std::unique_ptr<certificate_transparency::ChromeRequireCTDelegate>
       require_ct_delegate_;
   std::unique_ptr<certificate_transparency::TreeStateTracker> ct_tree_tracker_;

services/network/public/cpp/features.cc

@@ -7,6 +7,11 @@
 namespace network {
 namespace features {
 
+// Enables Expect CT reporting, which sends reports for opted-in sites
+// that don't serve sufficient Certificate Transparency information.
+const base::Feature kExpectCTReporting{"ExpectCTReporting",
+                                       base::FEATURE_ENABLED_BY_DEFAULT};
+
 const base::Feature kNetworkErrorLogging{"NetworkErrorLogging",
                                          base::FEATURE_DISABLED_BY_DEFAULT};
 // Enables the network service.

services/network/public/cpp/features.h

@@ -11,6 +11,8 @@
 namespace network {
 namespace features {
 
+COMPONENT_EXPORT(NETWORK_CPP)
+extern const base::Feature kExpectCTReporting;
 COMPONENT_EXPORT(NETWORK_CPP)
 extern const base::Feature kNetworkErrorLogging;
 COMPONENT_EXPORT(NETWORK_CPP)

services/network/public/mojom/network_context.mojom

@@ -148,6 +148,10 @@ struct NetworkContextParams {
   // servers, so they can discover misconfigurations.
   bool enable_certificate_reporting = false;
 
+  // Enables Expect CT reporting, which sends reports for opted-in sites that
+  // don't serve sufficient Certificate Transparency information.
+  bool enable_expect_ct_reporting = false;
+
   // The Certificate Transparency logs that are known to the client. SCTs from
   // these logs will be extracted and verified; other SCTs will be treated as
   // unrecognized.

services/network/url_request_context_builder_mojo.cc

@@ -45,6 +45,7 @@ URLRequestContextOwner URLRequestContextBuilderMojo::Create(
       nullptr /* sth_distributor */, nullptr /* out_ct_tree_tracker */,
       nullptr /* out_require_ct_delegate */,
       nullptr /* out_certificate_report_sender */,
+      nullptr /* out_expect_ct_reporter */,
       nullptr /* out_static_user_agent_settings */);
 }
 

testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

@@ -209,11 +209,6 @@
 -NetInternalsTest.netInternalsTimelineViewZoomOut
 -NetInternalsTest.netInternalsTourTabs
 
-# Move ChromeExpectCTReporter to services/network
-# https://crbug.com/844032
--ExpectCTBrowserTest.TestDynamicExpectCTHeaderProcessing
--ExpectCTBrowserTest.TestDynamicExpectCTReporting
-
 # https://crbug.com/721398
 -WebViewTest.ClearDataCache
 

tools/traffic_annotation/summary/annotations.xml

@@ -41,7 +41,6 @@ Refer to README.md for content description and update process.
  <item id="certificate_verifier" hash_code="113553577" type="0" content_hash_code="62346354" os_list="linux,windows" file_path="net/cert_net/cert_net_fetcher_impl.cc"/>
  <item id="chrome_apps_socket_api" hash_code="8591273" type="0" content_hash_code="70868355" os_list="linux,windows" file_path="extensions/browser/api/socket/socket.cc"/>
  <item id="chrome_cleaner" hash_code="27071967" type="0" content_hash_code="111240292" os_list="windows" file_path="chrome/browser/safe_browsing/chrome_cleaner/chrome_cleaner_fetcher_win.cc"/>
- <item id="chrome_expect_ct_reporter" hash_code="57276415" type="0" content_hash_code="137551346" os_list="linux,windows" file_path="chrome/browser/ssl/chrome_expect_ct_reporter.cc"/>
  <item id="chrome_feedback_report_app" hash_code="134729048" type="0" content_hash_code="73916972" os_list="linux,windows" file_path="components/feedback/feedback_uploader.cc"/>
  <item id="chrome_variations_service" hash_code="115188287" type="0" content_hash_code="32485683" os_list="linux,windows" file_path="components/variations/service/variations_service.cc"/>
  <item id="client_download_request" hash_code="125522256" type="0" content_hash_code="23897505" os_list="linux,windows" file_path="chrome/browser/safe_browsing/download_protection/check_client_download_request.cc"/>
@@ -92,6 +91,7 @@ Refer to README.md for content description and update process.
  <item id="download_web_contents_frame" hash_code="56351037" type="0" content_hash_code="3657889" os_list="linux,windows" file_path="content/browser/web_contents/web_contents_impl.cc"/>
  <item id="downloads_api_run_async" hash_code="121068967" type="0" content_hash_code="87443585" os_list="linux,windows" file_path="chrome/browser/extensions/api/downloads/downloads_api.cc"/>
  <item id="drag_download_file" hash_code="95910019" type="0" content_hash_code="126492858" os_list="linux,windows" file_path="content/browser/download/drag_download_file.cc"/>
+ <item id="expect_ct_reporter" hash_code="57276415" type="0" content_hash_code="130492494" os_list="windows" file_path="services/network/expect_ct_reporter.cc"/>
  <item id="extension_blacklist" hash_code="59592717" type="0" content_hash_code="116742516" os_list="linux,windows" file_path="chrome/browser/extensions/blacklist_state_fetcher.cc"/>
  <item id="extension_crx_fetcher" hash_code="21145003" type="0" content_hash_code="79150319" os_list="linux,windows" file_path="extensions/browser/updater/extension_downloader.cc"/>
  <item id="extension_install_signer" hash_code="50464499" type="0" content_hash_code="88088656" os_list="linux,windows" file_path="chrome/browser/extensions/install_signer.cc"/>