// Copyright (c) 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Declarations of the base::Feature flags and base::FeatureParam tunables
// exposed by //net. Everything here is `extern`, so the default enabled state
// of each feature and the default value of each parameter are defined
// elsewhere (not in this listing).
//
// NOTE(review): this copy appears to have lost everything that sat inside
// angle brackets during extraction: the system header named by the bare
// `#include` below, the template argument of every `base::FeatureParam`
// declaration (the parameter's value type), and the left-hand operand of the
// `*` in the kTimeoutTcpConnectAttempt formula comment. As shown, the header
// does not compile; take the exact types from the upstream source, not from
// this copy.

#ifndef NET_BASE_FEATURES_H_
#define NET_BASE_FEATURES_H_

#include

#include "base/feature_list.h"
#include "base/metrics/field_trial_params.h"
#include "base/strings/string_piece.h"
#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/net_buildflags.h"

namespace net {
namespace features {

// Toggles the `Accept-Language` HTTP request header, which
// https://github.com/WICG/lang-client-hint proposes that we deprecate.
NET_EXPORT extern const base::Feature kAcceptLanguageHeader;

// When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross-
// origin requests are restricted to contain at most the source origin (path
// and query are never sent cross-origin while this is on).
NET_EXPORT extern const base::Feature kCapReferrerToOriginOnCrossOrigin;

// Enables TLS 1.3 early data (0-RTT).
NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;

// Support for altering the parameters used for DNS transaction timeout. See
// ResolveContext::SecureTransactionTimeout().
NET_EXPORT extern const base::Feature kDnsTransactionDynamicTimeouts;

// Multiplier applied to current fallback periods in determining a transaction
// timeout.
NET_EXPORT extern const base::FeatureParam kDnsTransactionTimeoutMultiplier;

// Lower bound for the transaction timeout computed under
// kDnsTransactionDynamicTimeouts (name-based reading — confirm against the
// definition).
NET_EXPORT extern const base::FeatureParam kDnsMinTransactionTimeout;

// Enables DNS queries for HTTPSSVC or INTEGRITY records, depending on feature
// parameters. These queries will only be made over DoH (but see
// kDnsHttpssvcEnableQueryOverInsecure below). HTTPSSVC responses may cause us
// to upgrade the URL to HTTPS and/or to attempt QUIC.
NET_EXPORT extern const base::Feature kDnsHttpssvc;

// Disable H2 reprioritization, in order to measure its impact.
NET_EXPORT extern const base::Feature kAvoidH2Reprioritization;

// Determine which kind of record should be queried: HTTPSSVC or INTEGRITY. No
// more than one of these feature parameters should be enabled at once. In the
// event that both are enabled, |kDnsHttpssvcUseIntegrity| takes priority, and
// |kDnsHttpssvcUseHttpssvc| will be ignored.
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcUseHttpssvc;
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcUseIntegrity;

// Enable HTTPSSVC or INTEGRITY to be queried over insecure DNS. This relaxes
// the DoH-only statement on kDnsHttpssvc above: answers obtained this way do
// not have the transport protections of DoH, which matters because an HTTPSSVC
// answer can influence the HTTPS upgrade / QUIC decision described there.
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcEnableQueryOverInsecure;

// If we are still waiting for an HTTPSSVC or INTEGRITY query after all the
// other queries in a DnsTask have completed, we will compute a timeout for the
// remaining query. The timeout will be the min of:
//   (a) |kDnsHttpssvcExtraTimeMs.Get()|
//   (b) |kDnsHttpssvcExtraTimePercent.Get() / 100 * t|, where |t| is the
//       number of milliseconds since the first query began.
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcExtraTimeMs;
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcExtraTimePercent;

// These parameters, respectively, are the list of experimental and control
// domains for which we will query HTTPSSVC or INTEGRITY records. We expect
// valid INTEGRITY results for experiment domains. We expect no INTEGRITY
// results for control domains.
//
// The format of both parameters is a comma-separated list of domains.
// Whitespace around domain names is permitted. Trailing comma is optional.
//
// See helper functions:
// |dns_httpssvc_experiment::GetDnsHttpssvcExperimentDomains| and
// |dns_httpssvc_experiment::GetDnsHttpssvcControlDomains|.
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcExperimentDomains;
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcControlDomains;

// This param controls how we determine whether a domain is an experimental or
// control domain. When false, domains must be in |kDnsHttpssvcControlDomains|
// to be considered a control. When true, we ignore |kDnsHttpssvcControlDomains|
// and any non-experiment domain (not in |kDnsHttpssvcExperimentDomains|) is
// considered a control domain — i.e. the experiment's record queries are then
// issued for every domain that is not an experiment domain.
NET_EXPORT extern const base::FeatureParam kDnsHttpssvcControlDomainWildcard;

namespace dns_httpssvc_experiment {
// Get the value of |kDnsHttpssvcExtraTimeMs| as a base::TimeDelta.
NET_EXPORT base::TimeDelta GetExtraTimeAbsolute();
}  // namespace dns_httpssvc_experiment

// Enables optimizing the network quality estimation algorithms in network
// quality estimator (NQE).
NET_EXPORT extern const base::Feature kNetworkQualityEstimator;

// Splits cache entries by the request's NetworkIsolationKey if one is
// available.
NET_EXPORT extern const base::Feature kSplitCacheByNetworkIsolationKey;

// Splits host cache entries by the DNS request's NetworkIsolationKey if one is
// available. Also prevents merging live DNS lookups when there is a NIK
// mismatch.
NET_EXPORT extern const base::Feature kSplitHostCacheByNetworkIsolationKey;

// Partitions connections based on the NetworkIsolationKey associated with a
// request.
NET_EXPORT extern const base::Feature kPartitionConnectionsByNetworkIsolationKey;

// Partitions HttpServerProperties based on the NetworkIsolationKey associated
// with a request.
NET_EXPORT extern const base::Feature
    kPartitionHttpServerPropertiesByNetworkIsolationKey;

// Partitions TLS sessions and QUIC server configs based on the
// NetworkIsolationKey associated with a request.
//
// This feature requires kPartitionConnectionsByNetworkIsolationKey to be
// enabled to work.
NET_EXPORT extern const base::Feature kPartitionSSLSessionsByNetworkIsolationKey;

// Partitions Expect-CT data by NetworkIsolationKey. This only affects the
// Expect-CT data itself. Regardless of this value, reports will be uploaded
// using the associated NetworkIsolationKey, when one's available.
//
// This feature requires kPartitionConnectionsByNetworkIsolationKey,
// kPartitionHttpServerPropertiesByNetworkIsolationKey, and
// kPartitionConnectionsByNetworkIsolationKey to all be enabled to work.
// NOTE(review): kPartitionConnectionsByNetworkIsolationKey is listed twice
// above; one occurrence is presumably meant to be
// kPartitionSSLSessionsByNetworkIsolationKey — confirm against the code that
// checks the prerequisites.
NET_EXPORT extern const base::Feature
    kPartitionExpectCTStateByNetworkIsolationKey;

// Partitions Network Error Logging and Reporting API data by
// NetworkIsolationKey. Also partitions all reports generated by other consumers
// of the reporting API. Applies the NetworkIsolationKey to reports uploads as
// well.
//
// When disabled, the main entry points of the reporting and NEL services ignore
// NetworkIsolationKey parameters, and they're cleared while loading from the
// cache, but internal objects can be created with them (e.g., endpoints), for
// testing.
NET_EXPORT extern const base::Feature
    kPartitionNelAndReportingByNetworkIsolationKey;

// Enables limiting the size of Expect-CT table.
NET_EXPORT extern const base::Feature kExpectCTPruning;

// FeatureParams associated with kExpectCTPruning.

// Expect-CT pruning runs when this many entries are hit.
NET_EXPORT extern const base::FeatureParam kExpectCTPruneMax;

// The Expect-CT pruning logic attempts to reduce entries to at most this many.
NET_EXPORT extern const base::FeatureParam kExpectCTPruneMin;

// Non-transient entries with |enforce| set are safe from being pruned if
// they're less than this many days old, unless the number of entries exceeds
// |kExpectCTMaxEntriesPerNik|. (Pruning an enforced entry weakens the
// protection it provides for its host, hence the age-based exemption.)
NET_EXPORT extern const base::FeatureParam kExpectCTSafeFromPruneDays;

// If, after pruning transient, non-enforced, old Expect-CT entries,
// kExpectCTPruneMin is still exceeded, then all NetworkIsolationKeys will be
// capped to this many entries, based on last observation date.
NET_EXPORT extern const base::FeatureParam kExpectCTMaxEntriesPerNik;

// Minimum delay between successive prunings of Expect-CT entries, in seconds.
NET_EXPORT extern const base::FeatureParam kExpectCTPruneDelaySecs;

// Enables sending TLS 1.3 Key Update messages on TLS 1.3 connections in order
// to ensure that this corner of the spec is exercised. This is currently
// disabled by default because we discovered incompatibilities with some
// servers.
NET_EXPORT extern const base::Feature kTLS13KeyUpdate;

// Enables CECPQ2, a post-quantum key-agreement, in TLS 1.3 connections.
NET_EXPORT extern const base::Feature kPostQuantumCECPQ2;

// Changes the timeout after which unused idle sockets are cleaned up.
NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout;

// When enabled, makes cookies without a SameSite attribute behave like
// SameSite=Lax cookies by default, and requires SameSite=None to be specified
// in order to make cookies available in a third-party context. When disabled,
// the default behavior for cookies without a SameSite attribute specified is no
// restriction, i.e., available in a third-party context.
// The "Lax-allow-unsafe" mitigation allows these cookies to be sent on
// top-level cross-site requests with an unsafe (e.g. POST) HTTP method, if the
// cookie is no more than 2 minutes old.
NET_EXPORT extern const base::Feature kSameSiteByDefaultCookies;

// When enabled, cookies without SameSite restrictions that don't specify the
// Secure attribute will be rejected if set from an insecure context, or treated
// as secure if set from a secure context. This ONLY has an effect if
// SameSiteByDefaultCookies is also enabled.
NET_EXPORT extern const base::Feature kCookiesWithoutSameSiteMustBeSecure;

// When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered
// from 2 minutes to 10 seconds. This time threshold refers to the age cutoff
// for which cookies that default into SameSite=Lax, which are newer than the
// threshold, will be sent with any top-level cross-site navigation regardless
// of HTTP method (i.e. allowing unsafe methods). This is a convenience for
// integration tests which may want to test behavior of cookies older than the
// threshold, but which would not be practical to run for 2 minutes.
NET_EXPORT extern const base::Feature kShortLaxAllowUnsafeThreshold;

// When enabled, the SameSite by default feature does not add the
// "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite
// attribute will be treated as Lax only, i.e. POST and other unsafe HTTP
// methods will not be allowed at all for top-level cross-site navigations.
// This only has an effect if the cookie defaults to SameSite=Lax.
NET_EXPORT extern const base::Feature kSameSiteDefaultChecksMethodRigorously;

#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
// When enabled, use the builtin cert verifier instead of the platform verifier.
// Only declared on builds where the buildflag is set; callers on other
// platforms must not reference it.
NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature;
#endif

// Undocumented here. The name suggests the frame origin is folded into the
// NetworkIsolationKey, but that is not shown by this file — confirm against
// the definition and its users before relying on it.
NET_EXPORT extern const base::Feature kAppendFrameOriginToNetworkIsolationKey;

// Turns off streaming media caching to disk when on battery power.
NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingOnBattery;

// Turns off streaming media caching to disk always.
NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingAlways;

// When enabled, sites that use TLS versions below the |version_min_warn|
// threshold are marked with the LEGACY_TLS CertStatus and return an
// ERR_SSL_OBSOLETE_VERSION error. This is used to trigger an interstitial
// warning for these pages.
NET_EXPORT extern const base::Feature kLegacyTLSEnforced;

// When enabled this feature will cause same-site calculations to take into
// account the scheme of the site-for-cookies and the request/response url
// (so an http:// and an https:// origin of the same host are no longer treated
// as the same site).
NET_EXPORT extern const base::Feature kSchemefulSameSite;

// When enabled, TLS connections will initially not offer 3DES and SHA-1 but
// enable them on fallback. This is used to improve metrics around usage of
// those algorithms. If disabled, the algorithms will always be offered.
NET_EXPORT extern const base::Feature kTLSLegacyCryptoFallbackForMetrics;

// When enabled, DNS_PROBE_FINISHED_NXDOMAIN error pages may show
// locally-generated suggestions to visit similar domains.
NET_EXPORT extern const base::Feature kUseLookalikesForNavigationSuggestions;

// When enabled, the Network Quality Estimator (NQE) will notify the operating
// system whenever it detects that the current default network may have
// significantly degraded connectivity. Currently only effective on Android.
NET_EXPORT extern const base::Feature kReportPoorConnectivity;

// When enabled, the NQE may preemptively request that the OS activate a mobile
// network when requests on the active Wi-Fi connection are stalled. This can be
// used to warm the radio for a faster transition if/when the OS chooses to drop
// the Wi-Fi connection.
NET_EXPORT extern const base::Feature kPreemptiveMobileNetworkActivation;

// Enables a process-wide limit on "open" UDP sockets. See
// udp_socket_global_limits.h for details on what constitutes an "open" socket.
NET_EXPORT extern const base::Feature kLimitOpenUDPSockets;

// FeatureParams associated with kLimitOpenUDPSockets.

// Sets the maximum allowed open UDP sockets. Provisioning more sockets than
// this will result in a failure (ERR_INSUFFICIENT_RESOURCES). This is a
// resource-exhaustion bound for the whole process, not a per-origin quota.
NET_EXPORT extern const base::FeatureParam kLimitOpenUDPSocketsMax;

// Enables a timeout on individual TCP connect attempts, based on
// the parameter values.
NET_EXPORT extern const base::Feature kTimeoutTcpConnectAttempt;

// FeatureParams associated with kTimeoutTcpConnectAttempt.

// When there is an estimated RTT available, the experimental TCP connect
// attempt timeout is calculated as:
//
//   clamp(kTimeoutTcpConnectAttemptMin,
//         kTimeoutTcpConnectAttemptMax,
//         * kTimeoutTcpConnectAttemptRTTMultiplier);
//
// NOTE(review): the operand before `*` (the estimated RTT, per the sentence
// above) is missing from this copy of the comment; the multiplier scales that
// RTT and the result is then clamped into [Min, Max].
//
// Otherwise the TCP connect attempt timeout is set to
// kTimeoutTcpConnectAttemptMax.
NET_EXPORT extern const base::FeatureParam kTimeoutTcpConnectAttemptRTTMultiplier;
NET_EXPORT extern const base::FeatureParam kTimeoutTcpConnectAttemptMin;
NET_EXPORT extern const base::FeatureParam kTimeoutTcpConnectAttemptMax;

}  // namespace features
}  // namespace net

#endif  // NET_BASE_FEATURES_H_