1 // Copyright 2018 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_BASE_FEATURES_H_ 6 #define NET_BASE_FEATURES_H_ 7 8 #include <string> 9 #include <string_view> 10 11 #include "base/feature_list.h" 12 #include "base/metrics/field_trial_params.h" 13 #include "base/time/time.h" 14 #include "build/build_config.h" 15 #include "crypto/crypto_buildflags.h" 16 #include "net/base/net_export.h" 17 #include "net/net_buildflags.h" 18 19 namespace net::features { 20 21 // Enables ALPS extension of TLS 1.3 for HTTP/2, see 22 // https://vasilvv.github.io/tls-alps/draft-vvv-tls-alps.html and 23 // https://vasilvv.github.io/httpbis-alps/draft-vvv-httpbis-alps.html. 24 NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2); 25 26 // Disable H2 reprioritization, in order to measure its impact. 27 NET_EXPORT BASE_DECLARE_FEATURE(kAvoidH2Reprioritization); 28 29 // When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross- 30 // origin requests are restricted to contain at most the source origin. 31 NET_EXPORT BASE_DECLARE_FEATURE(kCapReferrerToOriginOnCrossOrigin); 32 33 // Enables the built-in DNS resolver. 34 NET_EXPORT BASE_DECLARE_FEATURE(kAsyncDns); 35 36 // Support for altering the parameters used for DNS transaction timeout. See 37 // ResolveContext::SecureTransactionTimeout(). 38 NET_EXPORT BASE_DECLARE_FEATURE(kDnsTransactionDynamicTimeouts); 39 // Multiplier applied to current fallback periods in determining a transaction 40 // timeout. 41 NET_EXPORT extern const base::FeatureParam<double> 42 kDnsTransactionTimeoutMultiplier; 43 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 44 kDnsMinTransactionTimeout; 45 46 // Enables querying HTTPS DNS records that will affect results from HostResolver 47 // and may be used to affect connection behavior. Whether or not those results 48 // are used (e.g. to connect via ECH) may be controlled by separate features. 49 NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcb); 50 51 // Param to control whether or not HostResolver, when using Secure DNS, will 52 // fail the entire connection attempt when receiving an inconclusive response to 53 // an HTTPS query (anything except transport error, timeout, or SERVFAIL). Used 54 // to prevent certain downgrade attacks against ECH behavior. 55 NET_EXPORT extern const base::FeatureParam<bool> 56 kUseDnsHttpsSvcbEnforceSecureResponse; 57 58 // If we are still waiting for an HTTPS transaction after all the 59 // other transactions in an insecure DnsTask have completed, we will compute a 60 // timeout for the remaining transaction. The timeout will be 61 // `kUseDnsHttpsSvcbInsecureExtraTimePercent.Get() / 100 * t`, where `t` is the 62 // time delta since the first query began. And the timeout will additionally be 63 // clamped by: 64 // (a) `kUseDnsHttpsSvcbInsecureExtraTimeMin.Get()` 65 // (b) `kUseDnsHttpsSvcbInsecureExtraTimeMax.Get()` 66 // 67 // Any param is ignored if zero, and if one of min/max is non-zero with a zero 68 // percent param it will be used as an absolute timeout. If all are zero, there 69 // is no timeout specific to HTTPS transactions, only the regular DNS query 70 // timeout and server fallback. 71 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 72 kUseDnsHttpsSvcbInsecureExtraTimeMax; 73 NET_EXPORT extern const base::FeatureParam<int> 74 kUseDnsHttpsSvcbInsecureExtraTimePercent; 75 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 76 kUseDnsHttpsSvcbInsecureExtraTimeMin; 77 78 // Same as `kUseDnsHttpsSvcbInsecureExtraTime...` except for secure DnsTasks. 79 // 80 // If `kUseDnsHttpsSvcbEnforceSecureResponse` is enabled, the timeouts will not 81 // be used because there is no sense killing a transaction early if that will 82 // just kill the entire request. 83 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 84 kUseDnsHttpsSvcbSecureExtraTimeMax; 85 NET_EXPORT extern const base::FeatureParam<int> 86 kUseDnsHttpsSvcbSecureExtraTimePercent; 87 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 88 kUseDnsHttpsSvcbSecureExtraTimeMin; 89 90 // Update protocol using ALPN information in HTTPS DNS records. 91 NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcbAlpn); 92 93 // If enabled, HostResolver will use the new HostResolverCache that separately 94 // caches by DNS type, unlike the old HostCache that always cached by merged 95 // request results. May enable related behavior such as separately sorting DNS 96 // results after each transaction rather than sorting collectively after all 97 // transactions complete. 98 NET_EXPORT BASE_DECLARE_FEATURE(kUseHostResolverCache); 99 100 // Enables the Happy Eyeballs v3, where we use intermediate DNS resolution 101 // results to make connection attempts as soon as possible. 102 NET_EXPORT BASE_DECLARE_FEATURE(kHappyEyeballsV3); 103 104 // If the `kUseAlternativePortForGloballyReachableCheck` flag is enabled, the 105 // globally reachable check will use the port number specified by 106 // `kAlternativePortForGloballyReachableCheck` flag. Otherwise, the globally 107 // reachable check will use 443 port. 108 NET_EXPORT extern const base::FeatureParam<int> 109 kAlternativePortForGloballyReachableCheck; 110 NET_EXPORT BASE_DECLARE_FEATURE(kUseAlternativePortForGloballyReachableCheck); 111 112 // If enabled, overrides IPv6 reachability probe results based on the system's 113 // IP addresses. 114 NET_EXPORT BASE_DECLARE_FEATURE(kEnableIPv6ReachabilityOverride); 115 116 // Enables TLS 1.3 early data. 117 NET_EXPORT BASE_DECLARE_FEATURE(kEnableTLS13EarlyData); 118 119 // Enables optimizing the network quality estimation algorithms in network 120 // quality estimator (NQE). 121 NET_EXPORT BASE_DECLARE_FEATURE(kNetworkQualityEstimator); 122 123 // The maximum age in seconds of observations to be used for calculating the 124 // HTTP RTT from the historical data. 125 // Negative value means infinite. i.e. all data are used. 126 NET_EXPORT extern const base::FeatureParam<int> kRecentHTTPThresholdInSeconds; 127 128 // The maximum age in seconds of observations to be used for calculating the 129 // transport RTT from the historical data. 130 // Negative value means infinite. i.e. all data are used. 131 NET_EXPORT extern const base::FeatureParam<int> 132 kRecentTransportThresholdInSeconds; 133 134 // The maximum age in seconds of observations to be used for calculating the 135 // end to end RTT from the historical data. 136 // Negative value means infinite. i.e. all data are used. 137 NET_EXPORT extern const base::FeatureParam<int> 138 kRecentEndToEndThresholdInSeconds; 139 140 // Number of observations received after which the effective connection type 141 // should be recomputed. 142 NET_EXPORT extern const base::FeatureParam<int> 143 kCountNewObservationsReceivedComputeEct; 144 145 // Maximum number of observations that can be held in a single 146 // ObservationBuffer. 147 NET_EXPORT extern const base::FeatureParam<int> kObservationBufferSize; 148 149 // Minimum duration between two consecutive computations of effective 150 // connection type. Set to non-zero value as a performance optimization. 151 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 152 kEffectiveConnectionTypeRecomputationInterval; 153 154 // Splits cache entries by the request's includeCredentials. 155 NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByIncludeCredentials); 156 157 // Splits cache entries by the request's NetworkIsolationKey if one is 158 // available. 159 NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByNetworkIsolationKey); 160 161 // The following flags are used as part of an experiment to modify the HTTP 162 // cache key scheme to better protect against leaks via navigations. 163 // These flags are mutually exclusive, and for each flag the HTTP cache will be 164 // cleared when the flag first transitions from being disabled to being enabled. 165 // 166 // This flag incorporates a boolean into the cache key that is true for 167 // renderer-initiated main frame navigations when the request initiator site is 168 // cross-site to the URL being navigated to. 169 NET_EXPORT BASE_DECLARE_FEATURE( 170 kSplitCacheByCrossSiteMainFrameNavigationBoolean); 171 // This flag incorporates the request initiator site into the cache key for 172 // renderer-initiated main frame navigations when the request initiator site is 173 // cross-site to the URL being navigated to. If the request initiator site is 174 // opaque, then no caching is performed of the navigated-to document. 175 NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByMainFrameNavigationInitiator); 176 // This flag incorporates the request initiator site into the cache key for all 177 // renderer-initiated navigations (including subframe navigations) when the 178 // request initiator site is cross-site to the URL being navigated to. If the 179 // request initiator is opaque, then no caching is performed of the navigated-to 180 // document. When this scheme is used, the `is-subframe-document-resource` 181 // boolean is not incorporated into the cache key, since incorporating the 182 // initiator site for subframe navigations should be sufficient for mitigating 183 // the attacks that the `is-subframe-document-resource` mitigates. 184 NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByNavigationInitiator); 185 // This flag doesn't result in changes to the HTTP cache scheme but provides an 186 // experiment control group that mitigates the differences inherent in changing 187 // cache key schemes. 188 NET_EXPORT BASE_DECLARE_FEATURE(kHttpCacheKeyingExperimentControlGroup2024); 189 190 // Splits the generated code cache by the request's NetworkIsolationKey if one 191 // is available. Note that this feature is also gated behind 192 // `net::HttpCache::IsSplitCacheEnabled()`. 193 NET_EXPORT BASE_DECLARE_FEATURE(kSplitCodeCacheByNetworkIsolationKey); 194 195 // Partitions connections and other network states based on the 196 // NetworkAnonymizationKey associated with a request. 197 // See https://github.com/MattMenke2/Explainer---Partition-Network-State. 198 NET_EXPORT BASE_DECLARE_FEATURE(kPartitionConnectionsByNetworkIsolationKey); 199 200 // Enables post-quantum key-agreements in TLS 1.3 connections. kUseMLKEM 201 // controls whether ML-KEM or Kyber (its predecessor) is used. The flag is named 202 // after Kyber because it was originally introduced for Kyber. 203 NET_EXPORT BASE_DECLARE_FEATURE(kPostQuantumKyber); 204 205 // Causes TLS 1.3 connections to use the ML-KEM standard instead of the Kyber 206 // draft standard for post-quantum key-agreement. Post-quantum key-agreement 207 // must be enabled (e.g. via kPostQuantumKyber) for this to have an effect. 208 // 209 // TODO(crbug.com/40910498): Remove this flag sometime after M131 has reached 210 // stable without issues. 211 NET_EXPORT BASE_DECLARE_FEATURE(kUseMLKEM); 212 213 // Changes the timeout after which unused sockets idle sockets are cleaned up. 214 NET_EXPORT BASE_DECLARE_FEATURE(kNetUnusedIdleSocketTimeout); 215 216 // When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered 217 // from 2 minutes to 10 seconds. This time threshold refers to the age cutoff 218 // for which cookies that default into SameSite=Lax, which are newer than the 219 // threshold, will be sent with any top-level cross-site navigation regardless 220 // of HTTP method (i.e. allowing unsafe methods). This is a convenience for 221 // integration tests which may want to test behavior of cookies older than the 222 // threshold, but which would not be practical to run for 2 minutes. 223 NET_EXPORT BASE_DECLARE_FEATURE(kShortLaxAllowUnsafeThreshold); 224 225 // When enabled, the SameSite by default feature does not add the 226 // "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite 227 // attribute will be treated as Lax only, i.e. POST and other unsafe HTTP 228 // methods will not be allowed at all for top-level cross-site navigations. 229 // This only has an effect if the cookie defaults to SameSite=Lax. 230 NET_EXPORT BASE_DECLARE_FEATURE(kSameSiteDefaultChecksMethodRigorously); 231 232 // When enabled this feature will cause same-site calculations to take into 233 // account the scheme of the site-for-cookies and the request/response url. 234 NET_EXPORT BASE_DECLARE_FEATURE(kSchemefulSameSite); 235 236 // Enables a process-wide limit on "open" UDP sockets. See 237 // udp_socket_global_limits.h for details on what constitutes an "open" socket. 238 NET_EXPORT BASE_DECLARE_FEATURE(kLimitOpenUDPSockets); 239 240 // FeatureParams associated with kLimitOpenUDPSockets. 241 242 // Sets the maximum allowed open UDP sockets. Provisioning more sockets than 243 // this will result in a failure (ERR_INSUFFICIENT_RESOURCES). 244 NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax; 245 246 // Enables a timeout on individual TCP connect attempts, based on 247 // the parameter values. 248 NET_EXPORT BASE_DECLARE_FEATURE(kTimeoutTcpConnectAttempt); 249 250 // FeatureParams associated with kTimeoutTcpConnectAttempt. 251 252 // When there is an estimated RTT available, the experimental TCP connect 253 // attempt timeout is calculated as: 254 // 255 // clamp(kTimeoutTcpConnectAttemptMin, 256 // kTimeoutTcpConnectAttemptMax, 257 // <Estimated RTT> * kTimeoutTcpConnectAttemptRTTMultiplier); 258 // 259 // Otherwise the TCP connect attempt timeout is set to 260 // kTimeoutTcpConnectAttemptMax. 261 NET_EXPORT extern const base::FeatureParam<double> 262 kTimeoutTcpConnectAttemptRTTMultiplier; 263 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 264 kTimeoutTcpConnectAttemptMin; 265 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 266 kTimeoutTcpConnectAttemptMax; 267 268 #if BUILDFLAG(ENABLE_REPORTING) 269 // When enabled this feature will allow a new Reporting-Endpoints header to 270 // configure reporting endpoints for report delivery. This is used to support 271 // the new Document Reporting spec. 272 NET_EXPORT BASE_DECLARE_FEATURE(kDocumentReporting); 273 #endif // BUILDFLAG(ENABLE_REPORTING) 274 275 // When this feature is enabled, redirected requests will be considered 276 // cross-site for the purpose of SameSite cookies if any redirect hop was 277 // cross-site to the target URL, even if the original initiator of the 278 // redirected request was same-site with the target URL (and the 279 // site-for-cookies). 280 // See spec changes in https://github.com/httpwg/http-extensions/pull/1348 281 NET_EXPORT BASE_DECLARE_FEATURE(kCookieSameSiteConsidersRedirectChain); 282 283 // When this feature is enabled, servers can include an 284 // allow-same-site-none-cookies value that notifies the browser that same-site 285 // SameSite=None cookies should be allowed in sandboxed contexts with 3PC 286 // restrictions. 287 NET_EXPORT BASE_DECLARE_FEATURE(kAllowSameSiteNoneCookiesInSandbox); 288 289 // When this feature is enabled, the network service will wait until First-Party 290 // Sets are initialized before issuing requests that use the HTTP cache or 291 // cookies. 292 NET_EXPORT BASE_DECLARE_FEATURE(kWaitForFirstPartySetsInit); 293 294 // Controls the maximum time duration an outermost frame navigation should be 295 // deferred by RWS initialization. 296 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 297 kWaitForFirstPartySetsInitNavigationThrottleTimeout; 298 299 // When enabled, a cross-site ancestor chain bit is included in the partition 300 // key in partitioned cookies. 301 NET_EXPORT BASE_DECLARE_FEATURE(kAncestorChainBitEnabledInPartitionedCookies); 302 303 // Controls whether static key pinning is enforced. 304 NET_EXPORT BASE_DECLARE_FEATURE(kStaticKeyPinningEnforcement); 305 306 // When enabled, cookies with a non-ASCII domain attribute will be rejected. 307 NET_EXPORT BASE_DECLARE_FEATURE(kCookieDomainRejectNonASCII); 308 309 NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyStoragePartitioning); 310 311 // Controls consideration of top-level 3PCD origin trial settings. 312 NET_EXPORT BASE_DECLARE_FEATURE(kTopLevelTpcdOriginTrial); 313 314 // Feature to enable consideration of 3PC deprecation trial settings. 315 NET_EXPORT BASE_DECLARE_FEATURE(kTpcdTrialSettings); 316 317 // Feature to enable consideration of top-level 3PC deprecation trial settings. 318 NET_EXPORT BASE_DECLARE_FEATURE(kTopLevelTpcdTrialSettings); 319 320 // Whether to enable the use of 3PC based on 3PCD metadata grants delivered via 321 // component updater. 322 NET_EXPORT BASE_DECLARE_FEATURE(kTpcdMetadataGrants); 323 324 // Whether to enable staged rollback of the TPCD Metadata Entries. 325 NET_EXPORT BASE_DECLARE_FEATURE(kTpcdMetadataStageControl); 326 327 // Whether ALPS parsing is on for any type of frame. 328 NET_EXPORT BASE_DECLARE_FEATURE(kAlpsParsing); 329 330 // Whether ALPS parsing is on for client hint parsing specifically. 331 NET_EXPORT BASE_DECLARE_FEATURE(kAlpsClientHintParsing); 332 333 // Whether to kill the session on Error::kAcceptChMalformed. 334 NET_EXPORT BASE_DECLARE_FEATURE(kShouldKillSessionOnAcceptChMalformed); 335 336 NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebsocketsOverHttp3); 337 338 #if BUILDFLAG(IS_WIN) 339 // Whether or not to use the GetNetworkConnectivityHint API on modern Windows 340 // versions for the Network Change Notifier. 341 NET_EXPORT BASE_DECLARE_FEATURE(kEnableGetNetworkConnectivityHintAPI); 342 343 // Whether or not to enable TCP port randomization via SO_RANDOMIZE_PORT on 344 // Windows 20H1+. 345 NET_EXPORT BASE_DECLARE_FEATURE(kEnableTcpPortRandomization); 346 347 // Whether to use a TCP socket implementation which uses an IO completion 348 // handler to be notified of completed reads and writes, instead of an event. 349 NET_EXPORT BASE_DECLARE_FEATURE(kTcpSocketIoCompletionPortWin); 350 #endif 351 352 // Avoid creating cache entries for transactions that are most likely no-store. 353 NET_EXPORT BASE_DECLARE_FEATURE(kAvoidEntryCreationForNoStore); 354 NET_EXPORT extern const base::FeatureParam<int> 355 kAvoidEntryCreationForNoStoreCacheSize; 356 357 // Prefetch to follow normal semantics instead of 5-minute rule 358 // https://crbug.com/1345207 359 NET_EXPORT BASE_DECLARE_FEATURE(kPrefetchFollowsNormalCacheSemantics); 360 361 // A flag for new Kerberos feature, that suggests new UI 362 // when Kerberos authentication in browser fails on ChromeOS. 363 // b/260522530 364 #if BUILDFLAG(IS_CHROMEOS) 365 NET_EXPORT BASE_DECLARE_FEATURE(kKerberosInBrowserRedirect); 366 #endif 367 368 // A flag to use asynchronous session creation for new QUIC sessions. 369 NET_EXPORT BASE_DECLARE_FEATURE(kAsyncQuicSession); 370 371 // A flag to make multiport context creation asynchronous. 372 NET_EXPORT BASE_DECLARE_FEATURE(kAsyncMultiPortPath); 373 374 // Enables custom proxy configuration for the IP Protection experimental proxy. 375 NET_EXPORT BASE_DECLARE_FEATURE(kEnableIpProtectionProxy); 376 377 // Sets the name of the IP protection auth token server. 378 NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyTokenServer; 379 380 // Sets the path component of the IP protection auth token server URL used for 381 // getting initial token signing data. 382 NET_EXPORT extern const base::FeatureParam<std::string> 383 kIpPrivacyTokenServerGetInitialDataPath; 384 385 // Sets the path component of the IP protection auth token server URL used for 386 // getting blind-signed tokens. 387 NET_EXPORT extern const base::FeatureParam<std::string> 388 kIpPrivacyTokenServerGetTokensPath; 389 390 // Sets the path component of the IP protection auth token server URL used for 391 // getting proxy configuration. 392 NET_EXPORT extern const base::FeatureParam<std::string> 393 kIpPrivacyTokenServerGetProxyConfigPath; 394 395 // Sets the batch size to fetch new auth tokens for IP protection. 396 NET_EXPORT extern const base::FeatureParam<int> 397 kIpPrivacyAuthTokenCacheBatchSize; 398 399 // Sets the cache low-water-mark for auth tokens for IP protection. 400 NET_EXPORT extern const base::FeatureParam<int> 401 kIpPrivacyAuthTokenCacheLowWaterMark; 402 403 // Sets the normal time between fetches of the IP protection proxy list. 404 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 405 kIpPrivacyProxyListFetchInterval; 406 407 // Sets the minimum time between fetches of the IP protection proxy list, such 408 // as when a re-fetch is forced due to an error. 409 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 410 kIpPrivacyProxyListMinFetchInterval; 411 412 // Fetches of the IP Protection proxy list will have a random time in the range 413 // of plus or minus this delta added to their interval. 414 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 415 kIpPrivacyProxyListFetchIntervalFuzz; 416 417 // Overrides the ProxyA hostname normally set by the proxylist fetch. 418 NET_EXPORT extern const base::FeatureParam<std::string> 419 kIpPrivacyProxyAHostnameOverride; 420 421 // Overrides the ProxyB hostname normally set by the proxylist fetch. 422 NET_EXPORT extern const base::FeatureParam<std::string> 423 kIpPrivacyProxyBHostnameOverride; 424 425 // Controls whether IP Protection _proxying_ is bypassed by not including any 426 // of the proxies in the proxy list. This supports experimental comparison of 427 // connections that _would_ have been proxied, but were not. 428 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyDirectOnly; 429 430 // If true, pass OAuth token to Phosphor in GetProxyConfig API for IP 431 // Protection. 432 NET_EXPORT extern const base::FeatureParam<bool> 433 kIpPrivacyIncludeOAuthTokenInGetProxyConfig; 434 435 // Controls whether a header ("IP-Protection: 1") should be added to proxied 436 // network requests. 437 NET_EXPORT extern const base::FeatureParam<bool> 438 kIpPrivacyAddHeaderToProxiedRequests; 439 440 // Token expirations will have a random time between 5 seconds and this delta 441 // subtracted from their expiration, in order to even out the load on the token 442 // servers. 443 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 444 kIpPrivacyExpirationFuzz; 445 446 // Backoff time applied when fetching tokens from the IP Protection auth 447 // token server encounters an error indicating that the primary account is not 448 // eligible (e.g., user is signed in but not eligible for IP protection) or 449 // a 403 (FORBIDDEN) status code (e.g., quota exceeded). 450 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 451 kIpPrivacyTryGetAuthTokensNotEligibleBackoff; 452 453 // Backoff time applied when fetching tokens from the IP Protection auth 454 // token server encounters a transient error, such as a failure to fetch 455 // an OAuth token for a primary account or a network issue. 456 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 457 kIpPrivacyTryGetAuthTokensTransientBackoff; 458 459 // Backoff time applied when fetching tokens from the IP Protection auth 460 // token server encounters a 400 (BAD REQUEST) or 401 (UNAUTHORIZED) status code 461 // which suggests a bug. 462 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 463 kIpPrivacyTryGetAuthTokensBugBackoff; 464 465 // If true, only proxy traffic when the top-level site uses the http:// or 466 // https:// schemes. This prevents attempts to proxy from top-level sites with 467 // chrome://, chrome-extension://, or other non-standard schemes, in addition to 468 // top-level sites using less common schemes like blob:// and data://. 469 NET_EXPORT extern const base::FeatureParam<bool> 470 kIpPrivacyRestrictTopLevelSiteSchemes; 471 472 // If true, IP protection will attempt to use QUIC to connect to proxies, 473 // falling back to HTTPS. If false, it will only use HTTPs. 474 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseQuicProxies; 475 476 // If true, IP protection will only use QUIC to connect to proxies, with no 477 // fallback to HTTPS. This is intended for development of the QUIC 478 // functionality. 479 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseQuicProxiesOnly; 480 481 // Truncate IP protection proxy chains to a single proxy. This is intended for 482 // development of the QUIC functionality. 483 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseSingleProxy; 484 485 // Send all traffic to this host via IP Protection proxies, regardless of MDL, 486 // 1P/3P, or token availability. This is intended for development of the QUIC 487 // functionality. 488 NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyAlwaysProxy; 489 490 // Fallback to direct when connections to IP protection proxies fail. This 491 // defaults to true and is intended for development of the QUIC functionality. 492 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyFallbackToDirect; 493 494 // Identifier for an experiment arm, to be sent to IP Protection proxies and the 495 // token server in the `Ip-Protection-Debug-Experiment-Arm` header. The default 496 // value, 0, is not sent. 497 NET_EXPORT extern const base::FeatureParam<int> kIpPrivacyDebugExperimentArm; 498 499 // Caches tokens by geo allowing for tokens to be preserved on network/geo 500 // changes. The default value of this feature is false which maintains existing 501 // behavior by default. 502 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyCacheTokensByGeo; 503 504 // When enabled and an IP protection delegate can be be created in the 505 // `NetworkContext`, a `IpProtectionProxyDelegate` will ALWAYS be created even 506 // for `NetworkContexts` that do not participate in IP protection. This is 507 // necessary for the WebView traffic experiment. By default, this feature param 508 // is false and will not create a delegate when IP protection is not enabled. 509 // Further, this also prevents the unnecessary instantiation of the 510 // `IpProtectionCore` for a `NetworkContext` that does not participate in IP 511 // protection. 512 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyAlwaysCreateCore; 513 514 // Enables IP protection incognito mode. The default value of this feature is 515 // false which maintains existing behavior by default. When set to true, the 516 // main profile Network Context won't proxy traffic using IP Protection. 517 NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyOnlyInIncognito; 518 519 // Whether QuicParams::migrate_sessions_on_network_change_v2 defaults to true or 520 // false. This is needed as a workaround to set this value to true on Android 521 // but not on WebView (until crbug.com/1430082 has been fixed). 522 NET_EXPORT BASE_DECLARE_FEATURE(kMigrateSessionsOnNetworkChangeV2); 523 524 // Enables whether blackhole detector should be disabled during connection 525 // migration and there is no available network. 526 NET_EXPORT BASE_DECLARE_FEATURE(kDisableBlackholeOnNoNewNetwork); 527 528 #if BUILDFLAG(IS_LINUX) 529 // AddressTrackerLinux will not run inside the network service in this 530 // configuration, which will improve the Linux network service sandbox. 531 // TODO(crbug.com/40220507): remove this. 532 NET_EXPORT BASE_DECLARE_FEATURE(kAddressTrackerLinuxIsProxied); 533 #endif // BUILDFLAG(IS_LINUX) 534 535 // Enables binding of cookies to the port that originally set them by default. 536 NET_EXPORT BASE_DECLARE_FEATURE(kEnablePortBoundCookies); 537 538 // Enables binding of cookies to the scheme that originally set them. Also 539 // enables domain cookie shadowing protection. 540 NET_EXPORT BASE_DECLARE_FEATURE(kEnableSchemeBoundCookies); 541 542 // Enables expiration duration limit (3 hours) for cookies on insecure websites. 543 // This feature is a no-op unless kEnableSchemeBoundCookies is enabled. 544 NET_EXPORT BASE_DECLARE_FEATURE(kTimeLimitedInsecureCookies); 545 546 // Enables enabling third-party cookie blocking from the command line. 547 NET_EXPORT BASE_DECLARE_FEATURE(kForceThirdPartyCookieBlocking); 548 549 // Enables Early Hints on HTTP/1.1. 550 NET_EXPORT BASE_DECLARE_FEATURE(kEnableEarlyHintsOnHttp11); 551 552 // Enables draft-07 version of WebTransport over HTTP/3. 553 NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebTransportDraft07); 554 555 NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyPartitionedStorageAllowedByDefault); 556 557 // Enables a more efficient implementation of SpdyHeadersToHttpResponse(). 558 NET_EXPORT BASE_DECLARE_FEATURE(kSpdyHeadersToHttpResponseUseBuilder); 559 560 // Enables receiving ECN bit by UDP sockets in Chrome, and reporting the counts 561 // to QUIC servers via ACK frames. 562 NET_EXPORT BASE_DECLARE_FEATURE(kReportEcn); 563 564 // Enables using the new ALPS codepoint to negotiate application settings for 565 // HTTP2. 566 NET_EXPORT BASE_DECLARE_FEATURE(kUseNewAlpsCodepointHttp2); 567 568 // Enables using the new ALPS codepoint to negotiate application settings for 569 // QUIC. 570 NET_EXPORT BASE_DECLARE_FEATURE(kUseNewAlpsCodepointQUIC); 571 572 // Treat HTTP header `Expires: "0"` as expired value according section 5.3 on 573 // RFC 9111. 574 // TODO(crbug.com/41395025): Remove after the bug fix will go well for a 575 // while on stable channels. 576 NET_EXPORT BASE_DECLARE_FEATURE(kTreatHTTPExpiresHeaderValueZeroAsExpired); 577 578 // Enables truncating the response body to the content length. 579 NET_EXPORT BASE_DECLARE_FEATURE(kTruncateBodyToContentLength); 580 581 #if BUILDFLAG(IS_MAC) 582 // Reduces the frequency of IP address change notifications that result in 583 // TCP and QUIC connection resets. 584 NET_EXPORT BASE_DECLARE_FEATURE(kReduceIPAddressChangeNotification); 585 #endif // BUILDFLAG(IS_MAC) 586 587 // This feature will enable the Device Bound Session Credentials protocol to let 588 // the server assert sessions (and cookies) are bound to a specific device. 589 NET_EXPORT BASE_DECLARE_FEATURE(kDeviceBoundSessions); 590 // This feature will enable the browser to persist Device Bound Session data 591 // across restarts. This feature is only valid if `kDeviceBoundSessions` is 592 // enabled. 593 NET_EXPORT BASE_DECLARE_FEATURE(kPersistDeviceBoundSessions); 594 595 // Enables storing connection subtype in NetworkChangeNotifierDelegateAndroid to 596 // save the cost of the JNI call for future access. 597 NET_EXPORT BASE_DECLARE_FEATURE(kStoreConnectionSubtype); 598 599 // When enabled, all proxies in a proxy chain are partitioned by the NAK for the 600 // endpoint of the connection. When disabled, proxies carrying tunnels to other 601 // proxies (i.e., all proxies but the last one in the ProxyChain) are not 602 // partitioned, allowing greater connection re-use. 603 NET_EXPORT BASE_DECLARE_FEATURE(kPartitionProxyChains); 604 605 // Enables more checks when creating a SpdySession for proxy. These checks are 606 // already applied to non-proxy SpdySession creations. 607 // TODO(crbug.com/343519247): Remove this once we are sure that these checks are 608 // not causing any problems. 609 NET_EXPORT BASE_DECLARE_FEATURE(kSpdySessionForProxyAdditionalChecks); 610 611 // When this feature is enabled, Chromium can use stored shared dictionaries 612 // even when the connection is using HTTP/1 for non-localhost requests. 613 NET_EXPORT BASE_DECLARE_FEATURE(kCompressionDictionaryTransportOverHttp1); 614 615 // When this feature is enabled, Chromium can use stored shared dictionaries 616 // even when the connection is using HTTP/2 for non-localhost requests. 617 NET_EXPORT BASE_DECLARE_FEATURE(kCompressionDictionaryTransportOverHttp2); 618 619 // When this feature is enabled, Chromium will use stored shared dictionaries 620 // only if the request URL is a localhost URL or the transport layer is using a 621 // certificate rooted at a standard CA root. 622 NET_EXPORT BASE_DECLARE_FEATURE( 623 kCompressionDictionaryTransportRequireKnownRootCert); 624 625 // Enables enterprises to use the Reporting API to collect 3PCD-related 626 // issues from sites used in their organization. 627 NET_EXPORT BASE_DECLARE_FEATURE(kReportingApiEnableEnterpriseCookieIssues); 628 629 // Optimize parsing data: URLs. 630 NET_EXPORT BASE_DECLARE_FEATURE(kOptimizeParsingDataUrls); 631 632 // Enables support for codepoints defined in draft-ietf-tls-tls13-pkcs1, which 633 // enable RSA keys to be used with client certificates even if they do not 634 // support RSA-PSS. 635 NET_EXPORT BASE_DECLARE_FEATURE(kLegacyPKCS1ForTLS13); 636 637 // Keep whitespace for non-base64 encoded data: URLs. 638 NET_EXPORT BASE_DECLARE_FEATURE(kKeepWhitespaceForDataUrls); 639 640 // If enabled, unrecognized keys in a No-Vary-Search header will be ignored. 641 // Otherwise, unrecognized keys are treated as if the header was invalid. 642 NET_EXPORT BASE_DECLARE_FEATURE(kNoVarySearchIgnoreUnrecognizedKeys); 643 644 // If enabled, then a cookie entry containing both encrypted and plaintext 645 // values is considered invalid, and the entire eTLD group will be dropped. 646 NET_EXPORT BASE_DECLARE_FEATURE(kEncryptedAndPlaintextValuesAreInvalid); 647 648 // Kill switch for Static CT Log (aka Tiled Log aka Sunlight) 649 // enforcements in Certificate Transparency policy checks. If disabled, SCTs 650 // from Static CT Logs will simply be ignored. 651 NET_EXPORT BASE_DECLARE_FEATURE(kEnableStaticCTAPIEnforcement); 652 653 // Finch experiment to select a disk cache backend. 654 enum class DiskCacheBackend { 655 kSimple, 656 kBlockfile, 657 }; 658 NET_EXPORT BASE_DECLARE_FEATURE(kDiskCacheBackendExperiment); 659 NET_EXPORT extern const base::FeatureParam<DiskCacheBackend> 660 kDiskCacheBackendParam; 661 662 // If enabled, ignore Strict-Transport-Security for [*.]localhost hosts. 663 NET_EXPORT BASE_DECLARE_FEATURE(kIgnoreHSTSForLocalhost); 664 665 // If enabled, main frame navigation resources will be prioritized in Simple 666 // Cache. So they will be less likely to be evicted. 667 NET_EXPORT BASE_DECLARE_FEATURE(kSimpleCachePrioritizedCaching); 668 // This is a factor by which we divide the size of an entry that has the 669 // HINT_HIGH_PRIORITY flag set to prioritize it for eviction to be less likely 670 // evicted. 671 NET_EXPORT extern const base::FeatureParam<int> 672 kSimpleCachePrioritizedCachingPrioritizationFactor; 673 // The period of time that the entry with HINT_HIGH_PRIORITY flag is considered 674 // prioritized. 675 NET_EXPORT extern const base::FeatureParam<base::TimeDelta> 676 kSimpleCachePrioritizedCachingPrioritizationPeriod; 677 678 #if BUILDFLAG(USE_NSS_CERTS) 679 // If enabled, use new implementation of client cert path building. 680 NET_EXPORT BASE_DECLARE_FEATURE(kNewClientCertPathBuilding); 681 #endif // BUILDFLAG(USE_NSS_CERTS) 682 683 } // namespace net::features 684 685 #endif // NET_BASE_FEATURES_H_ 686