diff options
author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2017-01-06 19:04:22 +0100 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2017-01-20 08:41:50 +0000 |
commit | 83f4f9b40135f137f4f6fb009067392884f82426 (patch) | |
tree | 7cbf888411f17615f42c529a60aa81bd81076f7b /src/network/access/qnetworkreplyhttpimpl.cpp | |
parent | da0241a2e7df020b2ae3b93c7a4204af851222f3 (diff) |
Add HTTP strict tranport security support to QNAM
HTTP Strict Transport Security (HSTS) is a web security policy that
allows a web server to declare that user agents should only interact
with it using secure HTTPS connections. HSTS is described by RFC6797.
This patch introduces a new API in Network Access Manager to enable
this policy or disable it (default - STS is disabled).
We also implement QHstsCache which caches known HTTS hosts, does
host name lookup and domain name matching; QHstsHeaderParser to
parse HSTS headers with HSTS policies.
A new autotest added to test the caching, host name matching
and headers parsing.
[ChangeLog][QtNetwork] Added HTTP Strict Transport Security to QNAM
Task-number: QTPM-238
Change-Id: Iabb5920344bf204a0d3036284f0d60675c29315c
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/network/access/qnetworkreplyhttpimpl.cpp')
-rw-r--r-- | src/network/access/qnetworkreplyhttpimpl.cpp | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/src/network/access/qnetworkreplyhttpimpl.cpp b/src/network/access/qnetworkreplyhttpimpl.cpp index 19f424b35f..7d863ef53c 100644 --- a/src/network/access/qnetworkreplyhttpimpl.cpp +++ b/src/network/access/qnetworkreplyhttpimpl.cpp @@ -52,6 +52,7 @@ #include "QtCore/qelapsedtimer.h" #include "QtNetwork/qsslconfiguration.h" #include "qhttpthreaddelegate_p.h" +#include "qhsts_p.h" #include "qthread.h" #include "QtCore/qcoreapplication.h" @@ -384,6 +385,12 @@ void QNetworkReplyHttpImpl::ignoreSslErrors() { Q_D(QNetworkReplyHttpImpl); + if (d->managerPrivate && d->managerPrivate->stsEnabled + && d->managerPrivate->stsCache.isKnownHost(url())) { + // We cannot ignore any Security Transport-related errors for this host. + return; + } + d->pendingIgnoreAllSslErrors = true; } @@ -391,6 +398,12 @@ void QNetworkReplyHttpImpl::ignoreSslErrorsImplementation(const QList<QSslError> { Q_D(QNetworkReplyHttpImpl); + if (d->managerPrivate && d->managerPrivate->stsEnabled + && d->managerPrivate->stsCache.isKnownHost(url())) { + // We cannot ignore any Security Transport-related errors for this host. + return; + } + // the pending list is set if QNetworkReply::ignoreSslErrors(const QList<QSslError> &errors) // is called before QNetworkAccessManager::get() (or post(), etc.) d->pendingIgnoreSslErrorsList = errors; @@ -1179,6 +1192,15 @@ void QNetworkReplyHttpImplPrivate::replyDownloadMetaData(const QList<QPair<QByte statusCode = sc; reasonPhrase = rp; +#ifndef QT_NO_SSL + // We parse this header only if we're using secure transport: + // + // RFC6797, 8.1 + // If an HTTP response is received over insecure transport, the UA MUST + // ignore any present STS header field(s). + if (url.scheme() == QLatin1String("https") && managerPrivate->stsEnabled) + managerPrivate->stsCache.updateFromHeaders(hm, url); +#endif // Download buffer if (!db.isNull()) { downloadBufferPointer = db; |