search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll src/third_party/WebKit d0c7791:6b6978f (svn 192455:192456)
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blob2e7340878211954fda0662e80a4fb6fb42f2befe
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/net_log.h"
19 #include "net/base/test_completion_callback.h"
20 #include "net/base/test_data_directory.h"
21 #include "net/cert/asn1_util.h"
22 #include "net/cert/cert_verifier.h"
23 #include "net/cert/cert_verify_result.h"
24 #include "net/cert/test_root_certs.h"
25 #include "net/cert/x509_cert_types.h"
26 #include "net/cert/x509_certificate.h"
27 #include "net/http/http_util.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
34 #else
35 #include "crypto/nss_util.h"
36 #endif
37
38 namespace net {
39
40 class TransportSecurityStateTest : public testing::Test {
41 public:
42 void SetUp() override {
43 #if defined(USE_OPENSSL)
44 crypto::EnsureOpenSSLInit();
45 #else
46 crypto::EnsureNSSInit();
47 #endif
48 }
49
50 static void DisableStaticPins(TransportSecurityState* state) {
51 state->enable_static_pins_ = false;
52 }
53
54 static void EnableStaticPins(TransportSecurityState* state) {
55 state->enable_static_pins_ = true;
56 }
57
58 static HashValueVector GetSampleSPKIHashes() {
59 HashValueVector spki_hashes;
60 HashValue hash(HASH_VALUE_SHA1);
61 memset(hash.data(), 0, hash.size());
62 spki_hashes.push_back(hash);
63 return spki_hashes;
64 }
65
66 protected:
67 bool GetStaticDomainState(TransportSecurityState* state,
68 const std::string& host,
69 TransportSecurityState::DomainState* result) {
70 return state->GetStaticDomainState(host, result);
71 }
72 };
73
74 TEST_F(TransportSecurityStateTest, SimpleMatches) {
75 TransportSecurityState state;
76 const base::Time current_time(base::Time::Now());
77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
78
79 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
80 bool include_subdomains = false;
81 state.AddHSTS("yahoo.com", expiry, include_subdomains);
82 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
83 }
84
85 TEST_F(TransportSecurityStateTest, MatchesCase1) {
86 TransportSecurityState state;
87 const base::Time current_time(base::Time::Now());
88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
89
90 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
91 bool include_subdomains = false;
92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
93 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
94 }
95
96 TEST_F(TransportSecurityStateTest, Fuzz) {
97 TransportSecurityState state;
98 TransportSecurityState::DomainState domain_state;
99
100 EnableStaticPins(&state);
101
102 for (size_t i = 0; i < 128; i++) {
103 std::string hostname;
104
105 for (;;) {
106 if (base::RandInt(0, 16) == 7) {
107 break;
108 }
109 if (i > 0 && base::RandInt(0, 7) == 7) {
110 hostname.append(1, '.');
111 }
112 hostname.append(1, 'a' + base::RandInt(0, 25));
113 }
114 state.GetStaticDomainState(hostname, &domain_state);
115 }
116 }
117
118 TEST_F(TransportSecurityStateTest, MatchesCase2) {
119 TransportSecurityState state;
120 const base::Time current_time(base::Time::Now());
121 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
122
123 EXPECT_FALSE(state.ShouldUpgradeToSSL("YAhoo.coM"));
124 bool include_subdomains = false;
125 state.AddHSTS("yahoo.com", expiry, include_subdomains);
126 EXPECT_TRUE(state.ShouldUpgradeToSSL("YAhoo.coM"));
127 }
128
129 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
130 TransportSecurityState state;
131 const base::Time current_time(base::Time::Now());
132 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
133
134 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
135 bool include_subdomains = true;
136 state.AddHSTS("yahoo.com", expiry, include_subdomains);
137 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
138 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.yahoo.com"));
139 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.yahoo.com"));
140 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.yahoo.com"));
141 EXPECT_FALSE(state.ShouldUpgradeToSSL("com"));
142 EXPECT_FALSE(state.ShouldUpgradeToSSL("notyahoo.com"));
143 }
144
145 TEST_F(TransportSecurityStateTest, FatalSSLErrors) {
146 TransportSecurityState state;
147 const base::Time current_time(base::Time::Now());
148 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
149
150 state.AddHSTS("example1.com", expiry, false);
151 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes());
152
153 // The presense of either HSTS or HPKP is enough to make SSL errors fatal.
154 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.com"));
155 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.com"));
156 }
157
158 // Tests that HPKP and HSTS state both expire. Also tests that expired entries
159 // are pruned.
160 TEST_F(TransportSecurityStateTest, Expiration) {
161 TransportSecurityState state;
162 const base::Time current_time(base::Time::Now());
163 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
164 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
165
166 // Note: this test assumes that inserting an entry with an expiration time in
167 // the past works and is pruned on query.
168 state.AddHSTS("example1.com", older, false);
169 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
170 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.com"));
171 // Querying |state| for a domain should flush out expired entries.
172 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
173
174 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes());
175 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
176 EXPECT_FALSE(state.HasPublicKeyPins("example1.com"));
177 // Querying |state| for a domain should flush out expired entries.
178 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
179
180 state.AddHSTS("example1.com", older, false);
181 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes());
182 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
183 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.com"));
184 // Querying |state| for a domain should flush out expired entries.
185 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
186
187 // Test that HSTS can outlive HPKP.
188 state.AddHSTS("example1.com", expiry, false);
189 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes());
190 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com"));
191 EXPECT_FALSE(state.HasPublicKeyPins("example1.com"));
192
193 // Test that HPKP can outlive HSTS.
194 state.AddHSTS("example2.com", older, false);
195 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes());
196 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.com"));
197 EXPECT_TRUE(state.HasPublicKeyPins("example2.com"));
198 }
199
200 TEST_F(TransportSecurityStateTest, InvalidDomains) {
201 TransportSecurityState state;
202 const base::Time current_time(base::Time::Now());
203 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
204
205 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
206 bool include_subdomains = true;
207 state.AddHSTS("yahoo.com", expiry, include_subdomains);
208 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.yahoo.com"));
209 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.yahoo.com"));
210 }
211
212 // Tests that HPKP and HSTS state are queried independently for subdomain
213 // matches.
214 TEST_F(TransportSecurityStateTest, IndependentSubdomain) {
215 TransportSecurityState state;
216 const base::Time current_time(base::Time::Now());
217 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
218
219 state.AddHSTS("example1.com", expiry, true);
220 state.AddHPKP("example1.com", expiry, false, GetSampleSPKIHashes());
221
222 state.AddHSTS("example2.com", expiry, false);
223 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes());
224
225 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com"));
226 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.com"));
227 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.com"));
228 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com"));
229 }
230
231 // Tests that HPKP and HSTS state are inserted and overridden independently.
232 TEST_F(TransportSecurityStateTest, IndependentInsertion) {
233 TransportSecurityState state;
234 const base::Time current_time(base::Time::Now());
235 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
236
237 // Place an includeSubdomains HSTS entry below a normal HPKP entry.
238 state.AddHSTS("example1.com", expiry, true);
239 state.AddHPKP("foo.example1.com", expiry, false, GetSampleSPKIHashes());
240
241 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com"));
242 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com"));
243 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com"));
244 EXPECT_FALSE(state.HasPublicKeyPins("example1.com"));
245
246 // Drop the includeSubdomains from the HSTS entry.
247 state.AddHSTS("example1.com", expiry, false);
248
249 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.com"));
250 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com"));
251
252 // Place an includeSubdomains HPKP entry below a normal HSTS entry.
253 state.AddHSTS("foo.example2.com", expiry, false);
254 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes());
255
256 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com"));
257 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com"));
258
259 // Drop the includeSubdomains from the HSTS entry.
260 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes());
261
262 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com"));
263 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.com"));
264 }
265
266 // Tests that GetDynamicDomainState appropriately stitches together the results
267 // of HSTS and HPKP.
268 TEST_F(TransportSecurityStateTest, DynamicDomainState) {
269 TransportSecurityState state;
270 const base::Time current_time(base::Time::Now());
271 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000);
272 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000);
273
274 state.AddHSTS("example.com", expiry1, true);
275 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes());
276
277 TransportSecurityState::DomainState domain_state;
278 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
279 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
280 EXPECT_TRUE(domain_state.HasPublicKeyPins());
281 EXPECT_TRUE(domain_state.sts.include_subdomains);
282 EXPECT_FALSE(domain_state.pkp.include_subdomains);
283 EXPECT_EQ(expiry1, domain_state.sts.expiry);
284 EXPECT_EQ(expiry2, domain_state.pkp.expiry);
285 EXPECT_EQ("example.com", domain_state.sts.domain);
286 EXPECT_EQ("foo.example.com", domain_state.pkp.domain);
287 }
288
289 // Tests that new pins always override previous pins. This should be true for
290 // both pins at the same domain or includeSubdomains pins at a parent domain.
291 TEST_F(TransportSecurityStateTest, NewPinsOverride) {
292 TransportSecurityState state;
293 TransportSecurityState::DomainState domain_state;
294 const base::Time current_time(base::Time::Now());
295 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
296 HashValue hash1(HASH_VALUE_SHA1);
297 memset(hash1.data(), 0x01, hash1.size());
298 HashValue hash2(HASH_VALUE_SHA1);
299 memset(hash2.data(), 0x02, hash1.size());
300 HashValue hash3(HASH_VALUE_SHA1);
301 memset(hash3.data(), 0x03, hash1.size());
302
303 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1));
304
305 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
306 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
307 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash1));
308
309 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2));
310
311 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
312 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
313 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash2));
314
315 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3));
316
317 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
318 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
319 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash3));
320 }
321
322 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
323 TransportSecurityState state;
324 const base::Time current_time(base::Time::Now());
325 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
326 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
327
328 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
329 bool include_subdomains = false;
330 state.AddHSTS("yahoo.com", expiry, include_subdomains);
331
332 state.DeleteAllDynamicDataSince(expiry);
333 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
334 state.DeleteAllDynamicDataSince(older);
335 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
336
337 // |state| should be empty now.
338 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
339 }
340
341 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
342 TransportSecurityState state;
343 const base::Time current_time(base::Time::Now());
344 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
345 bool include_subdomains = false;
346 state.AddHSTS("yahoo.com", expiry, include_subdomains);
347
348 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
349 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
350 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
351 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
352 }
353
354 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
355 TransportSecurityState state;
356 TransportSecurityState::DomainState domain_state;
357
358 EnableStaticPins(&state);
359
360 EXPECT_TRUE(
361 state.GetStaticDomainState("chrome.google.com", &domain_state));
362 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
363 }
364
365 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
366 TransportSecurityState state;
367 TransportSecurityState::DomainState domain_state;
368
369 DisableStaticPins(&state);
370 EXPECT_TRUE(
371 state.GetStaticDomainState("chrome.google.com", &domain_state));
372 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
373 }
374
375 TEST_F(TransportSecurityStateTest, IsPreloaded) {
376 const std::string paypal = "paypal.com";
377 const std::string www_paypal = "www.paypal.com";
378 const std::string foo_paypal = "foo.paypal.com";
379 const std::string a_www_paypal = "a.www.paypal.com";
380 const std::string abc_paypal = "a.b.c.paypal.com";
381 const std::string example = "example.com";
382 const std::string aypal = "aypal.com";
383
384 TransportSecurityState state;
385 TransportSecurityState::DomainState domain_state;
386
387 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
388 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
389 EXPECT_FALSE(domain_state.sts.include_subdomains);
390 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
391 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
392 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
393 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
394 }
395
396 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
397 TransportSecurityState state;
398 TransportSecurityState::DomainState domain_state;
399
400 // The domain wasn't being set, leading to a blank string in the
401 // chrome://net-internals/#hsts UI. So test that.
402 EXPECT_TRUE(
403 state.GetStaticDomainState("market.android.com", &domain_state));
404 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
405 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
406 EXPECT_TRUE(state.GetStaticDomainState(
407 "sub.market.android.com", &domain_state));
408 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
409 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
410 }
411
412 static bool StaticShouldRedirect(const char* hostname) {
413 TransportSecurityState state;
414 TransportSecurityState::DomainState domain_state;
415 return state.GetStaticDomainState(
416 hostname, &domain_state) &&
417 domain_state.ShouldUpgradeToSSL();
418 }
419
420 static bool HasStaticState(const char* hostname) {
421 TransportSecurityState state;
422 TransportSecurityState::DomainState domain_state;
423 return state.GetStaticDomainState(hostname, &domain_state);
424 }
425
426 static bool HasStaticPublicKeyPins(const char* hostname) {
427 TransportSecurityState state;
428 TransportSecurityStateTest::EnableStaticPins(&state);
429 TransportSecurityState::DomainState domain_state;
430 if (!state.GetStaticDomainState(hostname, &domain_state))
431 return false;
432
433 return domain_state.HasPublicKeyPins();
434 }
435
436 static bool OnlyPinningInStaticState(const char* hostname) {
437 TransportSecurityState state;
438 TransportSecurityStateTest::EnableStaticPins(&state);
439 TransportSecurityState::DomainState domain_state;
440 if (!state.GetStaticDomainState(hostname, &domain_state))
441 return false;
442
443 return (domain_state.pkp.spki_hashes.size() > 0 ||
444 domain_state.pkp.bad_spki_hashes.size() > 0) &&
445 !domain_state.ShouldUpgradeToSSL();
446 }
447
448 TEST_F(TransportSecurityStateTest, Preloaded) {
449 TransportSecurityState state;
450 TransportSecurityState::DomainState domain_state;
451
452 // We do more extensive checks for the first domain.
453 EXPECT_TRUE(
454 state.GetStaticDomainState("www.paypal.com", &domain_state));
455 EXPECT_EQ(domain_state.sts.upgrade_mode,
456 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
457 EXPECT_FALSE(domain_state.sts.include_subdomains);
458 EXPECT_FALSE(domain_state.pkp.include_subdomains);
459
460 EXPECT_TRUE(HasStaticState("paypal.com"));
461 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
462
463 // Google hosts:
464
465 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
466 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
467 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
468 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
469 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
470 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
471 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
472 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
473 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
474 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
475 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
476 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
477 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
478 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
479 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
480 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
481 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
482 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
483 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
484 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
485 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
486 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
487 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
488 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
489 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
490 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
491 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
492 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
493
494 // These domains used to be only HSTS when SNI was available.
495 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
496 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
497 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
498 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
499
500 // Other hosts:
501
502 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
503
504 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
505 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
506
507 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
508
509 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
510 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
511 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
512
513 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
514 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
515
516 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
517 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
518 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
519
520 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
521 EXPECT_FALSE(HasStaticState("elanex.biz"));
522 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
523
524 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
525 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
526 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
527
528 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
529 EXPECT_FALSE(HasStaticState("noisebridge.net"));
530 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
531
532 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
533 EXPECT_FALSE(HasStaticState("www.neg9.org"));
534
535 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
536 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
537
538 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
539 EXPECT_FALSE(HasStaticState("www.factor.cc"));
540
541 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
542 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
543 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
544 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
545 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
546
547 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
548 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
549 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
550
551 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
552 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
553 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
554
555 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
556 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
557
558 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
559 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
560
561 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
562 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
563
564 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
565 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
566
567 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
568 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
569
570 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
571 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
572
573 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
574 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
575
576 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
577 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
578
579 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
580 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
581
582 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
583 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
584
585 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
586 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
587
588 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
589 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
590 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
591
592 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
593 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
594
595 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
596 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
597
598 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
599
600 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
601 EXPECT_FALSE(HasStaticState("moneybookers.com"));
602
603 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
604 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
605 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
606
607 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
608 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
609
610 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
611 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
612 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
613
614 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
615 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
616
617 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
618 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
619
620 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
621 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
622
623 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
624 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
625
626 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
627 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
628 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
629 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
630 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
631 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
632 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
633 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
634 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
635 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
636 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
637 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
638
639 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
640 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
641
642 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
643 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
644 }
645
646 TEST_F(TransportSecurityStateTest, PreloadedPins) {
647 TransportSecurityState state;
648 EnableStaticPins(&state);
649 TransportSecurityState::DomainState domain_state;
650
651 // We do more extensive checks for the first domain.
652 EXPECT_TRUE(
653 state.GetStaticDomainState("www.paypal.com", &domain_state));
654 EXPECT_EQ(domain_state.sts.upgrade_mode,
655 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
656 EXPECT_FALSE(domain_state.sts.include_subdomains);
657 EXPECT_FALSE(domain_state.pkp.include_subdomains);
658
659 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
660 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
661 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
662 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
663 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
664 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
665 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
666 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
667 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
668 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
669 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
670 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
671 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
672 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
673 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
674 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
675 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
676
677 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
678 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
679 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
680 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
681 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
682
683 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
684 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
685 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
686 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
687 EXPECT_TRUE(
688 state.GetStaticDomainState("check.torproject.org", &domain_state));
689 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
690 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
691 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
692
693 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
694
695 // Check that Facebook subdomains have pinning but not HSTS.
696 EXPECT_TRUE(state.GetStaticDomainState("facebook.com", &domain_state));
697 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
698 EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
699
700 EXPECT_FALSE(state.GetStaticDomainState("foo.facebook.com", &domain_state));
701
702 EXPECT_TRUE(state.GetStaticDomainState("www.facebook.com", &domain_state));
703 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
704 EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
705
706 EXPECT_TRUE(
707 state.GetStaticDomainState("foo.www.facebook.com", &domain_state));
708 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
709 EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
710 }
711
712 TEST_F(TransportSecurityStateTest, LongNames) {
713 TransportSecurityState state;
714 const char kLongName[] =
715 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
716 "WaveletIdDomainAndBlipBlipid";
717 TransportSecurityState::DomainState domain_state;
718 // Just checks that we don't hit a NOTREACHED.
719 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
720 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
721 }
722
723 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
724 TransportSecurityState state;
725 EnableStaticPins(&state);
726 TransportSecurityState::DomainState domain_state;
727
728 EXPECT_TRUE(
729 state.GetStaticDomainState("chrome.google.com", &domain_state));
730 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
731
732 HashValueVector hashes;
733 std::string failure_log;
734 // Checks that a built-in list does exist.
735 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
736 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
737
738 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
739 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
740 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
741 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
742 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
743 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
744 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
745 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
746 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
747 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
748 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
749 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
750 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
751 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
752 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
753 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
754 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
755 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
756 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
757 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
758
759 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
760 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
761 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
762 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
763 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
764
765 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
766 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
767 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
768 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
769 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
770 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
771 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
772 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
773 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
774 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
775 }
776
777 static bool AddHash(const std::string& type_and_base64,
778 HashValueVector* out) {
779 HashValue hash;
780 if (!hash.FromString(type_and_base64))
781 return false;
782
783 out->push_back(hash);
784 return true;
785 }
786
787 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
788 // kGoodPath is blog.torproject.org.
789 static const char* const kGoodPath[] = {
790 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
791 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
792 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
793 NULL,
794 };
795
796 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
797 // torproject.org.
798 static const char* const kBadPath[] = {
799 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
800 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
801 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
802 NULL,
803 };
804
805 HashValueVector good_hashes, bad_hashes;
806
807 for (size_t i = 0; kGoodPath[i]; i++) {
808 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
809 }
810 for (size_t i = 0; kBadPath[i]; i++) {
811 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
812 }
813
814 TransportSecurityState state;
815 EnableStaticPins(&state);
816
817 TransportSecurityState::DomainState domain_state;
818 EXPECT_TRUE(
819 state.GetStaticDomainState("blog.torproject.org", &domain_state));
820 EXPECT_TRUE(domain_state.HasPublicKeyPins());
821
822 std::string failure_log;
823 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
824 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
825 }
826
827 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
828 TransportSecurityState state;
829 EnableStaticPins(&state);
830 TransportSecurityState::DomainState domain_state;
831
832 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
833
834 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
835 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
836 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
837 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
838 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
839 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
840 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
841 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
842 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
843 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
844 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
845 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
846 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
847 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
848 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
849 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
850 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
851 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
852 }
853
854 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
855 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
856 EXPECT_FALSE(StaticShouldRedirect("google.com"));
857 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
858
859 TransportSecurityState state;
860 const base::Time current_time(base::Time::Now());
861 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
862 state.AddHSTS("www.google.com", expiry, true);
863
864 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
865 }
866
867 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
868 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
869 "www.example.com"));
870 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
871 "www.paypal.com"));
872 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
873 "mail.twitter.com"));
874 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
875 "www.google.com.int"));
876 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
877 "jottit.com"));
878 // learn.doubleclick.net has a more specific match than
879 // *.doubleclick.com, and has 0 or NULL for its required certs.
880 // This test ensures that the exact-match-preferred behavior
881 // works.
882 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
883 "learn.doubleclick.net"));
884
885 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
886 "encrypted.google.com"));
887 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
888 "mail.google.com"));
889 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
890 "accounts.google.com"));
891 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
892 "doubleclick.net"));
893 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
894 "ad.doubleclick.net"));
895 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
896 "youtube.com"));
897 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
898 "www.profiles.google.com"));
899 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
900 "checkout.google.com"));
901 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
902 "googleadservices.com"));
903
904 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
905 "www.example.com"));
906 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
907 "www.paypal.com"));
908 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
909 "checkout.google.com"));
910 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
911 "googleadservices.com"));
912
913 // Test some SNI hosts:
914 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
915 "gmail.com"));
916 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
917 "googlegroups.com"));
918 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
919 "www.googlegroups.com"));
920
921 // These hosts used to only be HSTS when SNI was available.
922 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
923 "gmail.com"));
924 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
925 "googlegroups.com"));
926 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
927 "www.googlegroups.com"));
928 }
929
930 } // namespace net