alex / what-happens-when

An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"

Check Malware/Phishing lists #9

Open devd opened 10 years ago

devd commented 10 years ago

Most browsers would check the URL typed in against malware/phishing lists and the load is blocked if the URL is in the blacklist. This happens, afaik, right after checking HSTS list.

(Chrome might have hardcoded Google.com to bypass these lists)

davidben commented 10 years ago

> This happens, afaik, right after checking HSTS list.

I believe it's actually before, but that's an implementation detail. HSTS is implemented in Chrome within the network stack. Each time it goes to follow a URL, it decides what code to use to service it. If HSTS kicks in, it generates a redirect instead of going through the usual HTTP codepath. On a redirect, generated by HSTS or not, it goes through this entry point again.

https://code.google.com/p/chromium/codesearch#chromium/src/net/url_request/url_request_http_job.cc&l=214

Safe Browsing is implemented outside the network stack as a resource throttle; it hooks into the resource loading layer which uses the network stack and kicks in both before you start a request altogether and before each redirect. (Note that HSTS also counts as a redirect.) Resource throttles are allowed to defer requests or cancel them altogether.

https://code.google.com/p/chromium/codesearch#chromium/src/content/public/browser/resource_throttle.h

https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/renderer_host/safe_browsing_resource_throttle.cc

> (Chrome might have hardcoded Google.com to bypass these lists)

It does not.

devd commented 10 years ago

You are right: it happens before the HSTS check, but (as you note) followed by the redirect to HTTPS it happens again.

FWIW, this matches my understanding of Firefox. The relevant part of Firefox is here: http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannel.cpp#4572 But I have been burnt in the past--thinking I understood the code when I really didn't--so please take my claims with a big grain of salt.

davidben commented 10 years ago

Well, after an HSTS redirect and then the Safe Browsing check, HSTS kicks in again via that factory. It's just not going to do anything useful the second time.
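Added example (not part of the thread, and not Chromium or Firefox code): a simplified C++ model of the ordering discussed above, where a throttle check runs before the request starts and before each redirect, and the HSTS upgrade itself counts as a redirect. `Loader`, `ThrottleAllows`, `HstsRedirect` and the sample hosts and blocklist entries are hypothetical.

```cpp
// Simplified model only; every name here is hypothetical.
#include <iostream>
#include <set>
#include <string>
#include <vector>

struct Loader {
    std::set<std::string> hsts_hosts;  // hosts with an HSTS entry (constructed)
    std::set<std::string> blocklist;   // blocked URLs (constructed)
    std::vector<std::string> trace;    // ordered record of every step taken

    static std::string HostOf(const std::string& url) {
        std::string::size_type start = url.find("://");
        start = (start == std::string::npos) ? 0 : start + 3;
        return url.substr(start, url.find('/', start) - start);
    }
    // Resource-throttle stand-in: consulted before the request starts and
    // again before each redirect is followed. It may cancel the load.
    bool ThrottleAllows(const std::string& url) {
        trace.push_back("throttle " + url);
        return blocklist.count(url) == 0;
    }
    // Network-stack stand-in: picks how to service the URL. For a plain-HTTP
    // URL on an HSTS host it rewrites the URL and reports a redirect.
    bool HstsRedirect(std::string& url) {
        trace.push_back("hsts " + url);
        if (url.rfind("http://", 0) != 0 || !hsts_hosts.count(HostOf(url))) return false;
        url = "https://" + url.substr(7);
        return true;
    }
    // Returns the URL finally fetched, or "" if the throttle cancelled it.
    std::string Load(std::string url) {
        for (;;) {
            if (!ThrottleAllows(url)) { trace.push_back("cancel " + url); return ""; }
            if (HstsRedirect(url)) continue;  // redirect goes back through the throttle
            trace.push_back("fetch " + url);
            return url;
        }
    }
};

int main() {
    Loader l;
    l.hsts_hosts = {"google.com"};
    l.Load("http://google.com/");
    for (const auto& step : l.trace) std::cout << step << "\n";
}
```

The printed trace shows the list check on the `http://` URL, the HSTS redirect, a second list check on the `https://` URL, and a second HSTS pass that changes nothing.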