author Timur Pocheptsov <timur.pocheptsov@qt.io> 2017-01-23 12:26:55 +0100
committer Timur Pocheptsov <timur.pocheptsov@qt.io> 2017-01-24 20:33:20 +0000
commit d2758b2f1dd88d273ff70864a0dd03a7c4e9dc78
tree 0f6e4fe0d1ac3289ce1a3d6ae53722560a05829c /src/network/access/qnetworkaccessmanager.h
parent bd78f57463c381203099d7939c9d37cba0341713
Refactor HSTS cache implementation
The original monstrosity is not needed at all. It was born only to implement RFC6797's description of the host matching algorithm (starting from superdomains and moving to subdomains). Actually, it does not really matter how we find known host - it can be a congruent match first instead, and then we proceed with superdomains. This way I can use QMap and my tests so far show it actually works faster (both insertion and lookup), also the code is cleaner now.

Also, introduce the new class QHstsPolicy that essentially allows to mark a host as known host and conveniently encapsulates host name/expiration date/subdomains policy.

Add a public API providing access to HSTS policies, so that client code can pre-set or read back discovered known hosts (to implement persistent HSTS storage, for example). We support server-driven HSTS - this means client code is allowed to provide policies as hints to QNetworkAccessManager, but these policies can be overridden by HTTP responses with 'Strict-Transport-Security' headers.

Change-Id: I64d250b6dc78bcb01003fadeded5302471d1389e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
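The lookup order the commit message describes (congruent match first, then superdomains) and the server-driven override, as an added example that is not the Qt implementation or code from this commit. It uses std::map in place of QMap; `Policy`, `Cache`, `updateFromHeader` and `isKnownHost` are hypothetical names, and host names are assumed to be lowercased already.

```cpp
#include <ctime>
#include <map>
#include <string>

// Hypothetical stand-in for a stored HSTS policy (not Qt's QHstsPolicy).
struct Policy {
    std::time_t expiry;       // absolute expiry time
    bool includeSubDomains;   // includeSubDomains directive was present
};

using Cache = std::map<std::string, Policy>;  // key: lowercase host name

// Server-driven update: a later Strict-Transport-Security header replaces
// whatever is stored for the host (pre-set hint or earlier header), and
// max-age=0 removes the host from the cache.
void updateFromHeader(Cache &cache, const std::string &host, long maxAge,
                      bool includeSubDomains, std::time_t now)
{
    if (maxAge <= 0)
        cache.erase(host);
    else
        cache[host] = Policy{now + maxAge, includeSubDomains};
}

// Known-host check: congruent match first, then each superdomain in turn.
bool isKnownHost(const Cache &cache, const std::string &host, std::time_t now)
{
    std::string name = host;
    bool exact = true;
    while (true) {
        auto it = cache.find(name);
        // Expired entries never match; a superdomain entry only counts
        // when it carries includeSubDomains.
        if (it != cache.end() && it->second.expiry > now
            && (exact || it->second.includeSubDomains))
            return true;
        const auto dot = name.find('.');
        if (dot == std::string::npos)
            return false;
        name.erase(0, dot + 1);  // strip the leftmost label
        exact = false;
    }
}
```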
Diffstat (limited to 'src/network/access/qnetworkaccessmanager.h')
-rw-r--r-- src/network/access/qnetworkaccessmanager.h | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/network/access/qnetworkaccessmanager.h b/src/network/access/qnetworkaccessmanager.h
index 143407fb25..52769627f3 100644
--- a/src/network/access/qnetworkaccessmanager.h
+++ b/src/network/access/qnetworkaccessmanager.h
@@ -61,6 +61,7 @@ class QNetworkReply;
class QNetworkProxy;
class QNetworkProxyFactory;
class QSslError;
+class QHstsPolicy;
#ifndef QT_NO_BEARERMANAGEMENT
class QNetworkConfiguration;
#endif
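Review bot: the forward declaration "class QHstsPolicy;" leaves the type incomplete for anyone who includes only this header, yet the accessor added further down returns QList<QHstsPolicy> by value, so callers need the full definition to use it. Either state in the API documentation which header callers must include alongside qnetworkaccessmanager.h, or include the QHstsPolicy header here if the extra dependency is acceptable.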
@@ -123,6 +124,8 @@ public:
void enableStrictTransportSecurity();
void disableStrictTransportSecurity();
bool strictTransportSecurityEnabled() const;
+ void addStrictTransportSecurityHosts(const QList<QHstsPolicy> &knownHosts);
+ QList<QHstsPolicy> strictTransportSecurityHosts() const;
QNetworkReply *head(const QNetworkRequest &request);
QNetworkReply *get(const QNetworkRequest &request);
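Review bot: the contract of addStrictTransportSecurityHosts() and strictTransportSecurityHosts(), added at the end of the HSTS group, is not evident from their signatures and should be documented. The commit message says client-supplied policies are only hints that a 'Strict-Transport-Security' response header can override, so please spell out what happens when a supplied policy is already expired or names a host that is already known, whether the call has any effect while strictTransportSecurityEnabled() is false, and whether the getter returns expired entries. Since the intended use is persistent HSTS storage, callers will be feeding this from a file on disk, and there is no counterpart here for removing or clearing a pre-set host; if that is deliberate, say so in the docs.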