From d2758b2f1dd88d273ff70864a0dd03a7c4e9dc78 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov
Date: Mon, 23 Jan 2017 12:26:55 +0100
Subject: Refactor HSTS cache implementation

The original monstrosity is not needed at all. It was born only to implement RFC6797's description of the host matching algorithm (starting from superdomains and moving to subdomains). Actually, it does not really matter how we find a known host - it can be a congruent match first instead, and then we proceed with superdomains. This way I can use QMap, and my tests so far show it actually works faster (both insertion and lookup); also the code is cleaner now.

Also, introduce the new class QHstsPolicy that essentially allows marking a host as a known host and conveniently encapsulates host name/expiration date/subdomains policy. Add a public API providing access to HSTS policies, so that client code can pre-set or read back discovered known hosts (to implement persistent HSTS storage, for example). We support server-driven HSTS - this means client code is allowed to provide policies as hints to QNetworkAccessManager, but these policies can be overridden by HTTP responses with 'Strict-Transport-Security' headers.

Change-Id: I64d250b6dc78bcb01003fadeded5302471d1389e
Reviewed-by: Timur Pocheptsov
---
 src/network/access/qnetworkaccessmanager.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/network/access/qnetworkaccessmanager.h')

diff --git a/src/network/access/qnetworkaccessmanager.h b/src/network/access/qnetworkaccessmanager.h index 143407fb25..52769627f3 100644 --- a/src/network/access/qnetworkaccessmanager.h +++ b/src/network/access/qnetworkaccessmanager.h @@ -61,6 +61,7 @@ class QNetworkReply; class QNetworkProxy; class QNetworkProxyFactory; class QSslError; +class QHstsPolicy; #ifndef QT_NO_BEARERMANAGEMENT class QNetworkConfiguration; #endif 
@@ -123,6 +124,8 @@ public: void enableStrictTransportSecurity(); void disableStrictTransportSecurity(); bool strictTransportSecurityEnabled() const; + void addStrictTransportSecurityHosts(const QList &knownHosts); + QList strictTransportSecurityHosts() const; QNetworkReply *head(const QNetworkRequest &request); QNetworkReply *get(const QNetworkRequest &request); -- cgit v1.2.3
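Review bot: the forward declaration `+class QHstsPolicy;` in the first hunk is sufficient for the method declarations that follow, but the accessors in the second hunk pass and return a `QList` of it by value (the element type is not visible in the rendered hunk), so any translation unit that actually calls `addStrictTransportSecurityHosts()` or `strictTransportSecurityHosts()` needs the complete QHstsPolicy definition to instantiate the list. Either include the QHstsPolicy header here or state the required include in the API documentation, so the first caller does not hit an incomplete-type error.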
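Review bot: the two new public methods in the second hunk, `+ void addStrictTransportSecurityHosts(const QList &knownHosts);` and `+ QList strictTransportSecurityHosts() const;`, arrive with no documentation of the precedence rules the commit message promises (client policies are hints, server 'Strict-Transport-Security' headers override them). Since the stated use case is persistent HSTS storage, the doc comments should spell out: whether a second call to addStrictTransportSecurityHosts() merges into or replaces the existing known-host set; that a response carrying max-age=0 removes a pre-set host rather than leaving the hint in place; that a Strict-Transport-Security header received over plain HTTP is ignored, as RFC 6797 section 8.1 requires, so a store written from strictTransportSecurityHosts() cannot be seeded from an untrusted channel; and whether strictTransportSecurityHosts() prunes expired policies before returning, so callers know if they must re-check the expiration date themselves when reloading a store.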