Avoid SingleTreeTracker revealing hostnames to a DNS resolver
SingleTreeTracker could previously reveal to a DNS resolver that a user
was accessing a particular host, as a side-effect of performing a
Certificate Transparency inclusion check over DNS. It will now first
check that a DNS lookup for that host has already occurred (i.e. the DNS
resolver already knows that the user has been accessing that host),
otherwise it will avoid revealing that information by not performing an
inclusion check.
Bug: 506227, 682193
Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: Ifd5ef10773155b5b27aea32bee9c460320c1e264
Reviewed-on: https://chromium-review.googlesource.com/768790
Commit-Queue: Rob Percival <[email protected]>
Reviewed-by: Miriam Gershenson <[email protected]>
Reviewed-by: Matt Menke <[email protected]>
Reviewed-by: Ryan Sleevi <[email protected]>
Cr-Commit-Position: refs/heads/master@{#523717}diff --git a/chrome/browser/io_thread.h b/chrome/browser/io_thread.h
index 5144df5..b590583 100644
--- a/chrome/browser/io_thread.h
+++ b/chrome/browser/io_thread.h
@@ -220,6 +220,8 @@
// in-process NetworkService that lives on the IO thread.
content::mojom::NetworkService* GetNetworkServiceOnUIThread();
+ certificate_transparency::TreeStateTracker* ct_tree_tracker() const;
+
private:
// BrowserThreadDelegate implementation, runs on the IO thread.
// This handles initialization and destruction of state that must
