// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Declares the base::Feature flags and base::FeatureParam values of the
// net::features namespace. Everything here is a declaration
// (BASE_DECLARE_FEATURE / extern), so the default state of a flag and the
// default value of a param are set in the definitions, not in this header.
// Many of these flags gate security or privacy behavior (TLS, DNS, cookies,
// cache partitioning); check the definition before relying on a default.

#ifndef NET_BASE_FEATURES_H_
#define NET_BASE_FEATURES_H_

#include <string>
#include <string_view>

#include "base/feature_list.h"
#include "base/metrics/field_trial_params.h"
#include "base/time/time.h"
#include "build/build_config.h"
#include "crypto/crypto_buildflags.h"
#include "net/base/net_export.h"
#include "net/net_buildflags.h"

namespace net::features {

// Enables ALPS extension of TLS 1.3 for HTTP/2, see
// https://vasilvv.github.io/tls-alps/draft-vvv-tls-alps.html and
// https://vasilvv.github.io/httpbis-alps/draft-vvv-httpbis-alps.html.
NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2);

// Disable H2 reprioritization, in order to measure its impact.
NET_EXPORT BASE_DECLARE_FEATURE(kAvoidH2Reprioritization);

// When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross-
// origin requests are restricted to contain at most the source origin.
NET_EXPORT BASE_DECLARE_FEATURE(kCapReferrerToOriginOnCrossOrigin);

// Support for altering the parameters used for DNS transaction timeout. See
// ResolveContext::SecureTransactionTimeout().
NET_EXPORT BASE_DECLARE_FEATURE(kDnsTransactionDynamicTimeouts);
// Multiplier applied to current fallback periods in determining a transaction
// timeout.
NET_EXPORT extern const base::FeatureParam<double>
    kDnsTransactionTimeoutMultiplier;
// NOTE(review): not documented here. Presumably the lower bound applied to the
// computed transaction timeout; confirm against
// ResolveContext::SecureTransactionTimeout().
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kDnsMinTransactionTimeout;

// Enables querying HTTPS DNS records that will affect results from HostResolver
// and may be used to affect connection behavior. Whether or not those results
// are used (e.g. to connect via ECH) may be controlled by separate features.
NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcb);

// Param to control whether or not HostResolver, when using Secure DNS, will
// fail the entire connection attempt when receiving an inconclusive response to
// an HTTPS query (anything except transport error, timeout, or SERVFAIL). Used
// to prevent certain downgrade attacks against ECH behavior.
//
// When this param is false, that fail-closed protection is not applied.
NET_EXPORT extern const base::FeatureParam<bool>
    kUseDnsHttpsSvcbEnforceSecureResponse;

// If we are still waiting for an HTTPS transaction after all the
// other transactions in an insecure DnsTask have completed, we will compute a
// timeout for the remaining transaction. The timeout will be
// `kUseDnsHttpsSvcbInsecureExtraTimePercent.Get() / 100 * t`, where `t` is the
// time delta since the first query began. And the timeout will additionally be
// clamped by:
//   (a) `kUseDnsHttpsSvcbInsecureExtraTimeMin.Get()`
//   (b) `kUseDnsHttpsSvcbInsecureExtraTimeMax.Get()`
//
// Any param is ignored if zero, and if one of min/max is non-zero with a zero
// percent param it will be used as an absolute timeout. If all are zero, there
// is no timeout specific to HTTPS transactions, only the regular DNS query
// timeout and server fallback.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbInsecureExtraTimeMax;
NET_EXPORT extern const base::FeatureParam<int>
    kUseDnsHttpsSvcbInsecureExtraTimePercent;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbInsecureExtraTimeMin;

// Same as `kUseDnsHttpsSvcbInsecureExtraTime...` except for secure DnsTasks.
//
// If `kUseDnsHttpsSvcbEnforceSecureResponse` is enabled, the timeouts will not
// be used because there is no sense killing a transaction early if that will
// just kill the entire request.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbSecureExtraTimeMax;
NET_EXPORT extern const base::FeatureParam<int>
    kUseDnsHttpsSvcbSecureExtraTimePercent;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbSecureExtraTimeMin;

// Update protocol using ALPN information in HTTPS DNS records.
NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcbAlpn);

// If the `kUseAlternativePortForGloballyReachableCheck` flag is enabled, the
// globally reachable check will use the port number specified by the
// `kAlternativePortForGloballyReachableCheck` param. Otherwise, the globally
// reachable check will use port 443.
NET_EXPORT extern const base::FeatureParam<int>
    kAlternativePortForGloballyReachableCheck;
NET_EXPORT BASE_DECLARE_FEATURE(kUseAlternativePortForGloballyReachableCheck);

// If enabled, overrides IPv6 reachability probe results based on the system's
// IP addresses.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableIPv6ReachabilityOverride);

// If enabled allows the use of SHA-1 by the server for signatures
// in the TLS handshake.
//
// SHA-1 is no longer collision resistant, so enabling this weakens the
// handshake signature; it should stay off unless a legacy server requires it.
// The default state is set in the definition, not in this header.
NET_EXPORT BASE_DECLARE_FEATURE(kSHA1ServerSignature);

// Enables TLS 1.3 early data.
//
// TLS itself gives early (0-RTT) data no protection against replay (RFC 8446,
// section 8). NOTE(review): which requests may be sent as early data is decided
// elsewhere; confirm it is limited to requests that are safe to replay.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableTLS13EarlyData);

// Enables the TLS Encrypted ClientHello feature.
// https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-13
NET_EXPORT BASE_DECLARE_FEATURE(kEncryptedClientHello);

// Enables the TLS Encrypted ClientHello feature for QUIC. Only takes effect if
// kEncryptedClientHello is also enabled.
//
// TODO(crbug.com/1287248): Remove this flag when ECH for QUIC is fully
// implemented. This flag is just a temporary mechanism for now.
NET_EXPORT BASE_DECLARE_FEATURE(kEncryptedClientHelloQuic);

// Enables checking the X.509 keyUsage extension in TLS 1.2 for RSA server
// certificates that chain to a local trust anchor.
//
// Independent of the setting of this feature, keyUsage is always checked at TLS
// 1.3, for ECDSA certificates, and for all certificates that chain to a known
// root.
NET_EXPORT BASE_DECLARE_FEATURE(kRSAKeyUsageForLocalAnchors);

// Enables optimizing the network quality estimation algorithms in network
// quality estimator (NQE).
NET_EXPORT BASE_DECLARE_FEATURE(kNetworkQualityEstimator);

// Splits cache entries by the request's includeCredentials.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByIncludeCredentials);

// Splits cache entries by the request's NetworkIsolationKey if one is
// available.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByNetworkIsolationKey);

// Splits the generated code cache by the request's NetworkIsolationKey if one
// is available. Note that this feature is also gated behind
// `net::HttpCache::IsSplitCacheEnabled()`.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitCodeCacheByNetworkIsolationKey);

// Splits host cache entries by the DNS request's NetworkAnonymizationKey if one
// is available. Also prevents merging live DNS lookups when there is a NAK
// mismatch.
//
// NOTE(review): this feature and the partitioning features that follow are
// named "...ByNetworkIsolationKey" while their descriptions say
// NetworkAnonymizationKey (NAK); confirm which key type the implementation
// partitions on.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitHostCacheByNetworkIsolationKey);

// Partitions connections based on the NetworkAnonymizationKey associated with a
// request.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionConnectionsByNetworkIsolationKey);

// Partitions HttpServerProperties based on the NetworkAnonymizationKey
// associated with a request.
NET_EXPORT BASE_DECLARE_FEATURE(
    kPartitionHttpServerPropertiesByNetworkIsolationKey);

// Partitions TLS sessions and QUIC server configs based on the
// NetworkAnonymizationKey associated with a request.
//
// This feature requires kPartitionConnectionsByNetworkIsolationKey to be
// enabled to work.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionSSLSessionsByNetworkIsolationKey);

// Partitions Network Error Logging and Reporting API data by
// NetworkAnonymizationKey. Also partitions all reports generated by other
// consumers of the reporting API. Applies the NetworkAnonymizationKey to
// report uploads as well.
//
// When disabled, the main entry points of the reporting and NEL services ignore
// NetworkAnonymizationKey parameters, and they're cleared while loading from
// the cache, but internal objects can be created with them (e.g., endpoints),
// for testing.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionNelAndReportingByNetworkIsolationKey);

// Creates a <double key + is_cross_site> NetworkIsolationKey which is used
// to partition the HTTP cache. This key will have the following properties:
//   `top_frame_site_` -> the schemeful site of the top level page.
//   `frame_site_` -> std::nullopt.
//   `is_cross_site_` -> a boolean indicating whether the frame site is
//                       schemefully cross-site from the top-level site.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableCrossSiteFlagNetworkIsolationKey);
// NOTE(review): the next two features are not documented here. From their
// names they look like the other arms of the same HTTP cache keying experiment
// (a shared opaque frame site variant, and a control group); confirm against
// the definitions.
NET_EXPORT BASE_DECLARE_FEATURE(
    kEnableFrameSiteSharedOpaqueNetworkIsolationKey);
NET_EXPORT BASE_DECLARE_FEATURE(kHttpCacheKeyingExperimentControlGroup);

// Enables sending TLS 1.3 Key Update messages on TLS 1.3 connections in order
// to ensure that this corner of the spec is exercised. This is currently
// disabled by default because we discovered incompatibilities with some
// servers.
NET_EXPORT BASE_DECLARE_FEATURE(kTLS13KeyUpdate);

// Enables permuting TLS extensions in the ClientHello, to reduce the risk of
// non-compliant servers ossifying parts of the ClientHello and interfering with
// deployment of future security improvements.
NET_EXPORT BASE_DECLARE_FEATURE(kPermuteTLSExtensions);

// Enables Kyber-based post-quantum key-agreements in TLS 1.3 connections.
NET_EXPORT BASE_DECLARE_FEATURE(kPostQuantumKyber);

// Changes the timeout after which unused idle sockets are cleaned up.
NET_EXPORT BASE_DECLARE_FEATURE(kNetUnusedIdleSocketTimeout);

// When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered
// from 2 minutes to 10 seconds. This time threshold refers to the age cutoff
// for which cookies that default into SameSite=Lax, which are newer than the
// threshold, will be sent with any top-level cross-site navigation regardless
// of HTTP method (i.e. allowing unsafe methods). This is a convenience for
// integration tests which may want to test behavior of cookies older than the
// threshold, but which would not be practical to run for 2 minutes.
//
// Note that this only shortens the Lax-allow-unsafe window; it does not remove
// it. kSameSiteDefaultChecksMethodRigorously below is the flag that drops the
// Lax-allow-unsafe behavior entirely.
NET_EXPORT BASE_DECLARE_FEATURE(kShortLaxAllowUnsafeThreshold);

// When enabled, the SameSite by default feature does not add the
// "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite
// attribute will be treated as Lax only, i.e. POST and other unsafe HTTP
// methods will not be allowed at all for top-level cross-site navigations.
// This only has an effect if the cookie defaults to SameSite=Lax.
NET_EXPORT BASE_DECLARE_FEATURE(kSameSiteDefaultChecksMethodRigorously);

#if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
// When enabled, use the Chrome Root Store instead of the system root store.
// Only declared when CHROME_ROOT_STORE_OPTIONAL is set, so any reference to it
// needs the same build-flag guard.
NET_EXPORT BASE_DECLARE_FEATURE(kChromeRootStoreUsed);
#endif  // BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)

// When enabled, bssl::TrustStore implementations will use TRUSTED_LEAF,
// TRUSTED_ANCHOR_OR_LEAF, and TRUSTED_ANCHOR as appropriate. When disabled,
// bssl::TrustStore implementation will only use TRUSTED_ANCHOR.
// TODO(https://crbug.com/1403034): remove this a few milestones after the
// trusted leaf support has been launched on all relevant platforms.
//
// Only declared on builds where IS_MAC, USE_NSS_CERTS or IS_WIN is set, so any
// reference to it needs the same build-flag guard.
#if BUILDFLAG(IS_MAC) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_WIN)
NET_EXPORT BASE_DECLARE_FEATURE(kTrustStoreTrustedLeafSupport);
#endif  // BUILDFLAG(IS_MAC) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_WIN)

// Turns off streaming media caching to disk when on battery power.
NET_EXPORT BASE_DECLARE_FEATURE(kTurnOffStreamingMediaCachingOnBattery);

// Turns off streaming media caching to disk always.
NET_EXPORT BASE_DECLARE_FEATURE(kTurnOffStreamingMediaCachingAlways);

// When enabled this feature will cause same-site calculations to take into
// account the scheme of the site-for-cookies and the request/response url.
NET_EXPORT BASE_DECLARE_FEATURE(kSchemefulSameSite);

// Enables a process-wide limit on "open" UDP sockets. See
// udp_socket_global_limits.h for details on what constitutes an "open" socket.
NET_EXPORT BASE_DECLARE_FEATURE(kLimitOpenUDPSockets);

// FeatureParams associated with kLimitOpenUDPSockets.

// Sets the maximum allowed open UDP sockets. Provisioning more sockets than
// this will result in a failure (ERR_INSUFFICIENT_RESOURCES).
NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax;

// Enables a timeout on individual TCP connect attempts, based on
// the parameter values.
NET_EXPORT BASE_DECLARE_FEATURE(kTimeoutTcpConnectAttempt);

// FeatureParams associated with kTimeoutTcpConnectAttempt.

// When there is an estimated RTT available, the experimental TCP connect
// attempt timeout is calculated as:
//
//  clamp(kTimeoutTcpConnectAttemptMin,
//        kTimeoutTcpConnectAttemptMax,
//        <Estimated RTT> * kTimeoutTcpConnectAttemptRTTMultiplier);
//
// Otherwise the TCP connect attempt timeout is set to
// kTimeoutTcpConnectAttemptMax.
NET_EXPORT extern const base::FeatureParam<double>
    kTimeoutTcpConnectAttemptRTTMultiplier;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kTimeoutTcpConnectAttemptMin;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kTimeoutTcpConnectAttemptMax;

#if BUILDFLAG(ENABLE_REPORTING)
// When enabled this feature will allow a new Reporting-Endpoints header to
// configure reporting endpoints for report delivery. This is used to support
// the new Document Reporting spec.
// Only declared when ENABLE_REPORTING is set, so any reference to it needs the
// same build-flag guard.
NET_EXPORT BASE_DECLARE_FEATURE(kDocumentReporting);
#endif  // BUILDFLAG(ENABLE_REPORTING)

#if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
// When enabled, UDPSocketPosix increments the global counter of bytes received
// every time bytes are received, instead of using a timer to batch updates.
// This should reduce the number of wake ups and improve battery consumption.
// TODO(https://crbug.com/1189805): Cleanup the feature after verifying that it
// doesn't negatively affect performance.
NET_EXPORT BASE_DECLARE_FEATURE(kUdpSocketPosixAlwaysUpdateBytesReceived);
#endif  // BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)

// When this feature is enabled, redirected requests will be considered
// cross-site for the purpose of SameSite cookies if any redirect hop was
// cross-site to the target URL, even if the original initiator of the
// redirected request was same-site with the target URL (and the
// site-for-cookies).
// See spec changes in https://github.com/httpwg/http-extensions/pull/1348
NET_EXPORT BASE_DECLARE_FEATURE(kCookieSameSiteConsidersRedirectChain);

// When this feature is enabled, the network service will wait until First-Party
// Sets are initialized before issuing requests that use the HTTP cache or
// cookies.
NET_EXPORT BASE_DECLARE_FEATURE(kWaitForFirstPartySetsInit);

// When enabled, sites can opt-in to having their cookies partitioned by
// top-level site with the Partitioned attribute. Partitioned cookies will only
// be sent when the browser is on the same top-level site that it was on when
// the cookie was set.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionedCookies);

// When enabled, cookie-related code will treat cookies containing '\0', '\r',
// and '\n' as invalid and reject the cookie.
NET_EXPORT BASE_DECLARE_FEATURE(kBlockTruncatedCookies);

// Controls whether static key pinning is enforced.
NET_EXPORT BASE_DECLARE_FEATURE(kStaticKeyPinningEnforcement);

// When enabled, cookies with a non-ASCII domain attribute will be rejected.
NET_EXPORT BASE_DECLARE_FEATURE(kCookieDomainRejectNonASCII);

// NOTE(review): the next two features are not documented here. From their
// names they presumably gate partitioning of third-party storage and of blob
// URLs; confirm against the definitions and document them.
NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyStoragePartitioning);
NET_EXPORT BASE_DECLARE_FEATURE(kSupportPartitionedBlobUrl);

// Feature to enable consideration of 3PCD Support settings.
NET_EXPORT BASE_DECLARE_FEATURE(kTpcdSupportSettings);

// Whether to enable the use of 3PC based on 3PCD metadata grants delivered via
// component updater.
NET_EXPORT BASE_DECLARE_FEATURE(kTpcdMetadataGrants);

// Whether ALPS parsing is on for any type of frame.
NET_EXPORT BASE_DECLARE_FEATURE(kAlpsParsing);

// Whether ALPS parsing is on for client hint parsing specifically.
NET_EXPORT BASE_DECLARE_FEATURE(kAlpsClientHintParsing);

// Whether to kill the session on Error::kAcceptChMalformed.
NET_EXPORT BASE_DECLARE_FEATURE(kShouldKillSessionOnAcceptChMalformed);

// NOTE(review): not documented here. Presumably makes matching of cookie name
// prefixes (such as "__Host-" and "__Secure-") case-insensitive; confirm
// against the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kCaseInsensitiveCookiePrefix);

// NOTE(review): not documented here. Presumably enables WebSockets over
// HTTP/3; confirm against the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebsocketsOverHttp3);

// Whether to do IPv4 to IPv6 address translation for IPv4 literals.
NET_EXPORT BASE_DECLARE_FEATURE(kUseNAT64ForIPv4Literal);

// Whether to block newly added forbidden headers (https://crbug.com/1362331).
NET_EXPORT BASE_DECLARE_FEATURE(kBlockNewForbiddenHeaders);

#if BUILDFLAG(IS_WIN)
// Whether to probe for SHA-256 on some legacy platform keys, before assuming
// the key requires SHA-1. See SSLPlatformKeyWin for details.
NET_EXPORT BASE_DECLARE_FEATURE(kPlatformKeyProbeSHA256);

// Whether or not to use the GetNetworkConnectivityHint API on modern Windows
// versions for the Network Change Notifier.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableGetNetworkConnectivityHintAPI);
#endif  // BUILDFLAG(IS_WIN)

// Makes prefetch follow normal cache semantics instead of the 5-minute rule.
// https://crbug.com/1345207
NET_EXPORT BASE_DECLARE_FEATURE(kPrefetchFollowsNormalCacheSemantics);

// A flag for a new Kerberos feature that suggests new UI when Kerberos
// authentication in the browser fails on ChromeOS.
// b/260522530
#if BUILDFLAG(IS_CHROMEOS)
NET_EXPORT BASE_DECLARE_FEATURE(kKerberosInBrowserRedirect);
#endif  // BUILDFLAG(IS_CHROMEOS)

// A flag to use asynchronous session creation for new QUIC sessions.
NET_EXPORT BASE_DECLARE_FEATURE(kAsyncQuicSession);

// A flag to make multiport context creation asynchronous.
NET_EXPORT BASE_DECLARE_FEATURE(kAsyncMultiPortPath);

// Enables custom proxy configuration for the IP Protection experimental proxy.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableIpProtectionProxy);

// Sets the name of the IP protection auth token server.
NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyTokenServer;

// Sets the path component of the IP protection auth token server URL used for
// getting initial token signing data.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyTokenServerGetInitialDataPath;

// Sets the path component of the IP protection auth token server URL used for
// getting blind-signed tokens.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyTokenServerGetTokensPath;

// Sets the path component of the IP protection auth token server URL used for
// getting proxy configuration.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyTokenServerGetProxyConfigPath;

// Sets the batch size to fetch new auth tokens for IP protection.
NET_EXPORT extern const base::FeatureParam<int>
    kIpPrivacyAuthTokenCacheBatchSize;

// Sets the cache low-water-mark for auth tokens for IP protection.
NET_EXPORT extern const base::FeatureParam<int>
    kIpPrivacyAuthTokenCacheLowWaterMark;

// Sets the normal time between fetches of the IP protection proxy list.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kIpPrivacyProxyListFetchInterval;

// Sets the minimum time between fetches of the IP protection proxy list, such
// as when a re-fetch is forced due to an error.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kIpPrivacyProxyListMinFetchInterval;

// Controls whether IP Protection _proxying_ is bypassed by not including any
// of the proxies in the proxy list. This supports experimental comparison of
// connections that _would_ have been proxied, but were not.
//
// When this param is true, traffic that would have been proxied goes direct,
// so IP Protection is not hiding the client address on those connections.
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyDirectOnly;

// Controls whether the BlindSignAuth library used by IP Protection should use
// the privacy pass token format.
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyBsaEnablePrivacyPass;

// The PSK added to connections to proxyB with `Proxy-Authorization: Preshared
// $PSK`.
// NOTE(review): a FeatureParam is configuration rather than secret storage, so
// this pre-shared key should be assumed readable by anyone who can inspect the
// client's feature configuration; confirm the threat model treats it that way.
NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyProxyBPsk;

// If true, use the `proxy_chains` provided by Phosphor. Otherwise, use the
// `first_hop_hostnames` (and thus always single-proxy chains).
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseProxyChains;

// Whether QuicParams::migrate_sessions_on_network_change_v2 defaults to true or
// false. This is needed as a workaround to set this value to true on Android
// but not on WebView (until crbug.com/1430082 has been fixed).
NET_EXPORT BASE_DECLARE_FEATURE(kMigrateSessionsOnNetworkChangeV2);

// Controls whether the blackhole detector is disabled during connection
// migration when there is no available network.
NET_EXPORT BASE_DECLARE_FEATURE(kDisableBlackholeOnNoNewNetwork);

#if BUILDFLAG(IS_LINUX)
// AddressTrackerLinux will not run inside the network service in this
// configuration, which will improve the Linux network service sandbox.
// TODO(crbug.com/1312226): remove this.
NET_EXPORT BASE_DECLARE_FEATURE(kAddressTrackerLinuxIsProxied);
#endif  // BUILDFLAG(IS_LINUX)

// Enables binding of cookies to the port that originally set them by default.
NET_EXPORT BASE_DECLARE_FEATURE(kEnablePortBoundCookies);

// Enables binding of cookies to the scheme that originally set them. Also
// enables domain cookie shadowing protection.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableSchemeBoundCookies);

// Allows third-party cookie blocking to be enabled from the command line.
NET_EXPORT BASE_DECLARE_FEATURE(kForceThirdPartyCookieBlocking);

// Enables Early Hints on HTTP/1.1.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableEarlyHintsOnHttp11);

// Enables draft-07 version of WebTransport over HTTP/3.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebTransportDraft07);

// Enables Zstandard Content-Encoding support.
NET_EXPORT BASE_DECLARE_FEATURE(kZstdContentEncoding);

// NOTE(review): not documented here. The name suggests it makes partitioned
// third-party storage allowed by default; confirm against the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyPartitionedStorageAllowedByDefault);

// Enables the HTTP extensible priorities "priority" header.
// RFC 9218
NET_EXPORT BASE_DECLARE_FEATURE(kPriorityHeader);

// Enables a more efficient implementation of SpdyHeadersToHttpResponse().
NET_EXPORT BASE_DECLARE_FEATURE(kSpdyHeadersToHttpResponseUseBuilder);

// Enables receiving ECN bit by sockets in Chrome.
NET_EXPORT BASE_DECLARE_FEATURE(kReceiveEcn);

// NOTE(review): not documented here. Presumably switches the certificate path
// builder to a new iteration limit; the limit itself is not visible in this
// header, so confirm against the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kNewCertPathBuilderIterationLimit);

// Enables using the new ALPS codepoint to negotiate application settings.
NET_EXPORT BASE_DECLARE_FEATURE(kUseAlpsNewCodepoint);

// Treats the HTTP header `Expires: "0"` as an expired value, according to
// section 5.3 of RFC 9111.
// TODO(https://crbug.com/853508): Remove once the fix has been on the stable
// channels for a while without problems.
NET_EXPORT BASE_DECLARE_FEATURE(kTreatHTTPExpiresHeaderValueZeroAsExpired);

}  // namespace net::features

#endif  // NET_BASE_FEATURES_H_
