Process only the first Strict-Transport-Security header. In accordance with the specification. BUG=156147 Review URL: https://chromiumcodereview.appspot.com/11192045 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@165013 0039d316-1c4b-4281-b951-d872f2087c98

commit: 242d8565075bb8c8f0fb3ef6a7651b39e6b67241 [log] [tgz]
author: [email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98> Tue Oct 30 21:20:46 2012
committer: [email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98> Tue Oct 30 21:20:46 2012
tree: 827ac26a7b1988ba56d38b628cf020a03e6c1736
parent: f9ba71d83695d37f061b6657485b390ea5d76261 [diff] [blame]
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index aab892f3..2860e7e5 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc

@@ -701,7 +701,16 @@
   void* iter = NULL;
   base::Time now = base::Time::Now();
 
+  // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec:
+  //
+  //   If a UA receives more than one STS header field in a HTTP response
+  //   message over secure transport, then the UA MUST process only the
+  //   first such header field.
+  bool seen_sts = false;
   while (headers->EnumerateHeader(&iter, "Strict-Transport-Security", &value)) {
+    if (seen_sts)
+      return;
+    seen_sts = true;
     TransportSecurityState::DomainState domain_state;
     if (domain_state.ParseSTSHeader(now, value))
       security_state->EnableHost(host, domain_state);
commit	242d8565075bb8c8f0fb3ef6a7651b39e6b67241	[log] [tgz]
author	[email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98>	Tue Oct 30 21:20:46 2012
committer	[email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98>	Tue Oct 30 21:20:46 2012
tree	827ac26a7b1988ba56d38b628cf020a03e6c1736
parent	f9ba71d83695d37f061b6657485b390ea5d76261 [diff] [blame]