diff options
Diffstat (limited to 'src/network/access/qnetworkaccessmanager.cpp')
-rw-r--r-- | src/network/access/qnetworkaccessmanager.cpp | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/src/network/access/qnetworkaccessmanager.cpp b/src/network/access/qnetworkaccessmanager.cpp index 949b5563d9..7aa8e61d26 100644 --- a/src/network/access/qnetworkaccessmanager.cpp +++ b/src/network/access/qnetworkaccessmanager.cpp @@ -693,6 +693,55 @@ void QNetworkAccessManager::setCookieJar(QNetworkCookieJar *cookieJar) } /*! + \since 5.9 + + Enables HTTP Strict Transport Security (HSTS, RFC6797). When processing a + request, QNetworkAccessManager automatically replaces "http" scheme with + "https" and uses a secure transport if a host is a known HSTS host. + Port 80 if it's set explicitly is replaced by port 443. + + When HSTS is enabled, for each HTTP response containing HSTS header and + received over a secure transport, QNetworkAccessManager will update its HSTS + cache, either remembering a host with a valid policy or removing a host with + expired/disabled HSTS policy. + + \sa disableStrictTransportSecurity(), strictTransportSecurityEnabled() +*/ +void QNetworkAccessManager::enableStrictTransportSecurity() +{ + Q_D(QNetworkAccessManager); + d->stsEnabled = true; +} + +/*! + \since 5.9 + + Disables HTTP Strict Transport Security (HSTS). HSTS headers in responses would + be ignored, no scheme/port mapping is done. + + \sa enableStrictTransportSecurity() +*/ +void QNetworkAccessManager::disableStrictTransportSecurity() +{ + Q_D(QNetworkAccessManager); + d->stsEnabled = false; +} + +/*! + \since 5.9 + + Returns true if HTTP Strict Transport Security (HSTS) was enabled. By default + HSTS is disabled. + + \sa enableStrictTransportSecurity +*/ +bool QNetworkAccessManager::strictTransportSecurityEnabled() const +{ + Q_D(const QNetworkAccessManager); + return d->stsEnabled; +} + +/*! Posts a request to obtain the network headers for \a request and returns a new QNetworkReply object which will contain such headers. @@ -1299,6 +1348,24 @@ QNetworkReply *QNetworkAccessManager::createRequest(QNetworkAccessManager::Opera || scheme == QLatin1String("https") || scheme == QLatin1String("preconnect-https") #endif ) { +#ifndef QT_NO_SSL + if (strictTransportSecurityEnabled() && d->stsCache.isKnownHost(request.url())) { + QUrl stsUrl(request.url()); + // RFC6797, 8.3: + // The UA MUST replace the URI scheme with "https" [RFC2818], + // and if the URI contains an explicit port component of "80", + // then the UA MUST convert the port component to be "443", or + // if the URI contains an explicit port component that is not + // equal to "80", the port component value MUST be preserved; + // otherwise, + // if the URI does not contain an explicit port component, the UA + // MUST NOT add one. + if (stsUrl.port() == 80) + stsUrl.setPort(443); + stsUrl.setScheme(QLatin1String("https")); + request.setUrl(stsUrl); + } +#endif QNetworkReplyHttpImpl *reply = new QNetworkReplyHttpImpl(this, request, op, outgoingData); #ifndef QT_NO_BEARERMANAGEMENT connect(this, SIGNAL(networkSessionConnected()), |