Block plaintext WebSocket requests to domains under HSTS.
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Apr 2016 04:12:48 +0000 (04:12 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Apr 2016 04:12:48 +0000 (04:12 +0000)
commit c75b1c8f16395a0901c213e7095f2d4fca6b47ff
tree eeac263f2b036b34c4ffab453d8cd1e69a32eb8a
parent ebb03612bac25ba692d3be76f3a3e5510be056c7
Block plaintext WebSocket requests to domains under HSTS.
https://bugs.webkit.org/show_bug.cgi?id=156049
<rdar://problem/13820000>

Patch by John Wilander <wilander@apple.com> on 2016-04-04
Reviewed by Brent Fulgham.

No new tests because the way TLS is set up for layout tests doesn't allow the server to set HSTS for 127.0.0.1 or localhost. This is tracked in <rdar://problem/25467825>.

* Modules/websockets/WebSocketChannel.cpp:
(WebCore::WebSocketChannel::connect):
    - Now sends usesEphemeralSession to SocketStreamHandle::create.
* platform/network/cf/SocketStreamHandle.h:
(WebCore::SocketStreamHandle::create):
    - Added parameter usesEphemeralSession which it passes on to the SocketStreamHandle constructor.
* platform/network/cf/SocketStreamHandleCFNet.cpp:
(WebCore::SocketStreamHandle::SocketStreamHandle):
    - Now blocks plaintext WebSocket connections for domains under HSTS if not in an ephemeral session.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199039 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/Modules/websockets/WebSocketChannel.cpp
Source/WebCore/platform/network/cf/SocketStreamHandle.h
Source/WebCore/platform/network/cf/SocketStreamHandleCFNet.cpp
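
The decision the commit message describes, modelled as a stand-alone added example; this is not WebKit's code and not taken from the patch. Only `usesEphemeralSession` comes from the page; `HstsEntry`, `HstsStore`, `isUnderHsts`, `shouldBlockWebSocket` and the sample store are hypothetical, and the host matching follows RFC 6797 (exact host, or a parent domain with `includeSubDomains`, unexpired).

```cpp
#include <cstdint>
#include <map>
#include <string>

// Hypothetical model, not WebKit's API: one HSTS entry as defined by RFC 6797.
struct HstsEntry {
    int64_t expiresAt;       // absolute expiry in seconds, derived from max-age
    bool includeSubDomains;  // includeSubDomains directive was present
};

// Keys are assumed to be lower-cased host names.
using HstsStore = std::map<std::string, HstsEntry>;

// True if `host`, or a parent domain via includeSubDomains, has an unexpired entry.
bool isUnderHsts(const HstsStore& store, std::string host, int64_t now)
{
    bool exactMatch = true;
    while (!host.empty()) {
        auto it = store.find(host);
        if (it != store.end() && it->second.expiresAt > now
            && (exactMatch || it->second.includeSubDomains))
            return true;
        auto dot = host.find('.');
        if (dot == std::string::npos)
            break;
        host.erase(0, dot + 1);  // walk up to the parent domain
        exactMatch = false;
    }
    return false;
}

// Refuse plaintext ws:// to a host under HSTS unless the session is ephemeral;
// wss:// is never blocked by this check.
bool shouldBlockWebSocket(const HstsStore& store, const std::string& scheme,
                          const std::string& host, bool usesEphemeralSession, int64_t now)
{
    if (scheme != "ws" || usesEphemeralSession)
        return false;
    return isUnderHsts(store, host, now);
}

// Constructed sample store (not real data) for exercising the checks.
HstsStore sampleStore()
{
    return {
        { "example.com", { 2000, true } },
        { "static.example.net", { 2000, false } },
        { "old.example.org", { 500, true } },
    };
}
```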