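// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_BASE_FEATURES_H_
#define NET_BASE_FEATURES_H_

#include <string>
#include <string_view>

#include "base/feature_list.h"
#include "base/metrics/field_trial_params.h"
#include "base/time/time.h"
#include "build/build_config.h"
#include "crypto/crypto_buildflags.h"
#include "net/base/net_export.h"
#include "net/net_buildflags.h"

// Declarations of the base::Feature flags and base::FeatureParams used by
// //net. This header only declares them (`BASE_DECLARE_FEATURE` /
// `extern const`); default states and parameter defaults are set where they
// are defined, so nothing here says whether a given feature is on or off.
//
// Several of these flags gate security or privacy behavior (TLS options,
// cookie handling, cache/connection partitioning, key pinning). Comments
// marked NOTE(review) are reviewer annotations to be confirmed against the
// definitions and use sites.
namespace net::features {

// Enables ALPS extension of TLS 1.3 for HTTP/2, see
// https://vasilvv.github.io/tls-alps/draft-vvv-tls-alps.html and
// https://vasilvv.github.io/httpbis-alps/draft-vvv-httpbis-alps.html.
NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2);

// Disable H2 reprioritization, in order to measure its impact.
NET_EXPORT BASE_DECLARE_FEATURE(kAvoidH2Reprioritization);

// When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross-
// origin requests are restricted to contain at most the source origin.
NET_EXPORT BASE_DECLARE_FEATURE(kCapReferrerToOriginOnCrossOrigin);

// Enables the built-in DNS resolver.
NET_EXPORT BASE_DECLARE_FEATURE(kAsyncDns);

// Support for altering the parameters used for DNS transaction timeout. See
// ResolveContext::SecureTransactionTimeout().
NET_EXPORT BASE_DECLARE_FEATURE(kDnsTransactionDynamicTimeouts);
// Multiplier applied to current fallback periods in determining a transaction
// timeout.
NET_EXPORT extern const base::FeatureParam<double>
    kDnsTransactionTimeoutMultiplier;
// NOTE(review): undocumented here; presumably a lower bound on the computed
// transaction timeout. Confirm at the definition.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kDnsMinTransactionTimeout;

// Enables querying HTTPS DNS records that will affect results from HostResolver
// and may be used to affect connection behavior. Whether or not those results
// are used (e.g. to connect via ECH) may be controlled by separate features.
NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcb);

// Param to control whether or not HostResolver, when using Secure DNS, will
// fail the entire connection attempt when receiving an inconclusive response to
// an HTTPS query (anything except transport error, timeout, or SERVFAIL). Used
// to prevent certain downgrade attacks against ECH behavior.
NET_EXPORT extern const base::FeatureParam<bool>
    kUseDnsHttpsSvcbEnforceSecureResponse;

// If we are still waiting for an HTTPS transaction after all the
// other transactions in an insecure DnsTask have completed, we will compute a
// timeout for the remaining transaction. The timeout will be
// `kUseDnsHttpsSvcbInsecureExtraTimePercent.Get() / 100 * t`, where `t` is the
// time delta since the first query began. And the timeout will additionally be
// clamped by:
//   (a) `kUseDnsHttpsSvcbInsecureExtraTimeMin.Get()`
//   (b) `kUseDnsHttpsSvcbInsecureExtraTimeMax.Get()`
//
// Any param is ignored if zero, and if one of min/max is non-zero with a zero
// percent param it will be used as an absolute timeout. If all are zero, there
// is no timeout specific to HTTPS transactions, only the regular DNS query
// timeout and server fallback.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbInsecureExtraTimeMax;
NET_EXPORT extern const base::FeatureParam<int>
    kUseDnsHttpsSvcbInsecureExtraTimePercent;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbInsecureExtraTimeMin;

// Same as `kUseDnsHttpsSvcbInsecureExtraTime...` except for secure DnsTasks.
//
// If `kUseDnsHttpsSvcbEnforceSecureResponse` is enabled, the timeouts will not
// be used because there is no sense killing a transaction early if that will
// just kill the entire request.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbSecureExtraTimeMax;
NET_EXPORT extern const base::FeatureParam<int>
    kUseDnsHttpsSvcbSecureExtraTimePercent;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kUseDnsHttpsSvcbSecureExtraTimeMin;

// Update protocol using ALPN information in HTTPS DNS records.
NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcbAlpn);

// If enabled, HostResolver will use the new HostResolverCache that separately
// caches by DNS type, unlike the old HostCache that always cached by merged
// request results. May enable related behavior such as separately sorting DNS
// results after each transaction rather than sorting collectively after all
// transactions complete.
NET_EXPORT BASE_DECLARE_FEATURE(kUseHostResolverCache);

// Enables the DNS ServiceEndpointRequest API, which provides intermediate
// service endpoints in the middle of a DNS transaction so that clients of this
// API can attempt connections as soon as candidate endpoints are available.
NET_EXPORT BASE_DECLARE_FEATURE(kUseServiceEndpointRequest);

// If the `kUseAlternativePortForGloballyReachableCheck` flag is enabled, the
// globally reachable check will use the port number specified by
// `kAlternativePortForGloballyReachableCheck` flag. Otherwise, the globally
// reachable check will use port 443.
NET_EXPORT extern const base::FeatureParam<int>
    kAlternativePortForGloballyReachableCheck;
NET_EXPORT BASE_DECLARE_FEATURE(kUseAlternativePortForGloballyReachableCheck);

// If enabled, overrides IPv6 reachability probe results based on the system's
// IP addresses.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableIPv6ReachabilityOverride);

// Enables TLS 1.3 early data.
// NOTE(review): TLS itself gives early (0-RTT) data no replay protection
// (RFC 8446, section 8). Presumably the use sites restrict which requests may
// be sent as early data; confirm before changing this feature's state.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableTLS13EarlyData);

// Enables optimizing the network quality estimation algorithms in network
// quality estimator (NQE).
NET_EXPORT BASE_DECLARE_FEATURE(kNetworkQualityEstimator);

// Splits cache entries by the request's includeCredentials.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByIncludeCredentials);

// Splits cache entries by the request's NetworkIsolationKey if one is
// available.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByNetworkIsolationKey);

// Splits the generated code cache by the request's NetworkIsolationKey if one
// is available. Note that this feature is also gated behind
// `net::HttpCache::IsSplitCacheEnabled()`.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitCodeCacheByNetworkIsolationKey);

// Splits host cache entries by the DNS request's NetworkAnonymizationKey if one
// is available. Also prevents merging live DNS lookups when there is a NAK
// mismatch.
NET_EXPORT BASE_DECLARE_FEATURE(kSplitHostCacheByNetworkIsolationKey);

// Partitions connections based on the NetworkAnonymizationKey associated with a
// request.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionConnectionsByNetworkIsolationKey);

// Partitions HttpServerProperties based on the NetworkAnonymizationKey
// associated with a request.
NET_EXPORT BASE_DECLARE_FEATURE(
    kPartitionHttpServerPropertiesByNetworkIsolationKey);

// Partitions TLS sessions and QUIC server configs based on the
// NetworkAnonymizationKey associated with a request.
//
// This feature requires kPartitionConnectionsByNetworkIsolationKey to be
// enabled to work.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionSSLSessionsByNetworkIsolationKey);

// Partitions Network Error Logging and Reporting API data by
// NetworkAnonymizationKey. Also partitions all reports generated by other
// consumers of the reporting API. Applies the NetworkAnonymizationKey to
// report uploads as well.
//
// When disabled, the main entry points of the reporting and NEL services ignore
// NetworkAnonymizationKey parameters, and they're cleared while loading from
// the cache, but internal objects can be created with them (e.g., endpoints),
// for testing.
NET_EXPORT BASE_DECLARE_FEATURE(kPartitionNelAndReportingByNetworkIsolationKey);

// Creates a <double key + is_cross_site> NetworkIsolationKey which is used
// to partition the HTTP cache. This key will have the following properties:
// `top_frame_site_` -> the schemeful site of the top level page.
// `frame_site_` -> std::nullopt.
// `is_cross_site_` -> a boolean indicating whether the frame site is
// schemefully cross-site from the top-level site.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableCrossSiteFlagNetworkIsolationKey);
// NOTE(review): the two features below carry no description in this header; by
// their names they appear to be further arms of the HTTP cache keying
// experiment. Confirm at the definitions.
NET_EXPORT BASE_DECLARE_FEATURE(
    kEnableFrameSiteSharedOpaqueNetworkIsolationKey);
NET_EXPORT BASE_DECLARE_FEATURE(kHttpCacheKeyingExperimentControlGroup);

// Enables sending TLS 1.3 Key Update messages on TLS 1.3 connections in order
// to ensure that this corner of the spec is exercised. This is currently
// disabled by default because we discovered incompatibilities with some
// servers.
NET_EXPORT BASE_DECLARE_FEATURE(kTLS13KeyUpdate);

// Enables permuting TLS extensions in the ClientHello, to reduce the risk of
// non-compliant servers ossifying parts of the ClientHello and interfering with
// deployment of future security improvements.
NET_EXPORT BASE_DECLARE_FEATURE(kPermuteTLSExtensions);

// Enables Kyber-based post-quantum key-agreements in TLS 1.3 connections.
NET_EXPORT BASE_DECLARE_FEATURE(kPostQuantumKyber);

// Changes the timeout after which unused idle sockets are cleaned up.
NET_EXPORT BASE_DECLARE_FEATURE(kNetUnusedIdleSocketTimeout);

// When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered
// from 2 minutes to 10 seconds. This time threshold refers to the age cutoff
// for which cookies that default into SameSite=Lax, which are newer than the
// threshold, will be sent with any top-level cross-site navigation regardless
// of HTTP method (i.e. allowing unsafe methods). This is a convenience for
// integration tests which may want to test behavior of cookies older than the
// threshold, but which would not be practical to run for 2 minutes.
NET_EXPORT BASE_DECLARE_FEATURE(kShortLaxAllowUnsafeThreshold);

// When enabled, the SameSite by default feature does not add the
// "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite
// attribute will be treated as Lax only, i.e. POST and other unsafe HTTP
// methods will not be allowed at all for top-level cross-site navigations.
// This only has an effect if the cookie defaults to SameSite=Lax.
NET_EXPORT BASE_DECLARE_FEATURE(kSameSiteDefaultChecksMethodRigorously);

// When enabled, bssl::TrustStore implementations will use TRUSTED_LEAF,
// TRUSTED_ANCHOR_OR_LEAF, and TRUSTED_ANCHOR as appropriate. When disabled,
// bssl::TrustStore implementation will only use TRUSTED_ANCHOR.
// TODO(https://crbug.com/1403034): remove this a few milestones after the
// trusted leaf support has been launched on all relevant platforms.
#if BUILDFLAG(IS_MAC) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_WIN)
NET_EXPORT BASE_DECLARE_FEATURE(kTrustStoreTrustedLeafSupport);
#endif

// Turns off streaming media caching to disk when on battery power.
NET_EXPORT BASE_DECLARE_FEATURE(kTurnOffStreamingMediaCachingOnBattery);

// Turns off streaming media caching to disk always.
NET_EXPORT BASE_DECLARE_FEATURE(kTurnOffStreamingMediaCachingAlways);

// When enabled this feature will cause same-site calculations to take into
// account the scheme of the site-for-cookies and the request/response url.
NET_EXPORT BASE_DECLARE_FEATURE(kSchemefulSameSite);

// Enables a process-wide limit on "open" UDP sockets. See
// udp_socket_global_limits.h for details on what constitutes an "open" socket.
NET_EXPORT BASE_DECLARE_FEATURE(kLimitOpenUDPSockets);

// FeatureParams associated with kLimitOpenUDPSockets.

// Sets the maximum allowed open UDP sockets. Provisioning more sockets than
// this will result in a failure (ERR_INSUFFICIENT_RESOURCES).
NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax;

// Enables a timeout on individual TCP connect attempts, based on
// the parameter values.
NET_EXPORT BASE_DECLARE_FEATURE(kTimeoutTcpConnectAttempt);

// FeatureParams associated with kTimeoutTcpConnectAttempt.

// When there is an estimated RTT available, the experimental TCP connect
// attempt timeout is calculated as:
//
//  clamp(kTimeoutTcpConnectAttemptMin,
//        kTimeoutTcpConnectAttemptMax,
//        <Estimated RTT> * kTimeoutTcpConnectAttemptRTTMultiplier);
//
// Otherwise the TCP connect attempt timeout is set to
// kTimeoutTcpConnectAttemptMax.
NET_EXPORT extern const base::FeatureParam<double>
    kTimeoutTcpConnectAttemptRTTMultiplier;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kTimeoutTcpConnectAttemptMin;
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kTimeoutTcpConnectAttemptMax;

#if BUILDFLAG(ENABLE_REPORTING)
// When enabled this feature will allow a new Reporting-Endpoints header to
// configure reporting endpoints for report delivery. This is used to support
// the new Document Reporting spec.
NET_EXPORT BASE_DECLARE_FEATURE(kDocumentReporting);
#endif  // BUILDFLAG(ENABLE_REPORTING)

#if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
// When enabled, UDPSocketPosix increments the global counter of bytes received
// every time bytes are received, instead of using a timer to batch updates.
// This should reduce the number of wake ups and improve battery consumption.
// TODO(https://crbug.com/1189805): Cleanup the feature after verifying that it
// doesn't negatively affect performance.
NET_EXPORT BASE_DECLARE_FEATURE(kUdpSocketPosixAlwaysUpdateBytesReceived);
#endif  // BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)

// When this feature is enabled, redirected requests will be considered
// cross-site for the purpose of SameSite cookies if any redirect hop was
// cross-site to the target URL, even if the original initiator of the
// redirected request was same-site with the target URL (and the
// site-for-cookies).
// See spec changes in https://github.com/httpwg/http-extensions/pull/1348
NET_EXPORT BASE_DECLARE_FEATURE(kCookieSameSiteConsidersRedirectChain);

// When this feature is enabled, the network service will wait until First-Party
// Sets are initialized before issuing requests that use the HTTP cache or
// cookies.
NET_EXPORT BASE_DECLARE_FEATURE(kWaitForFirstPartySetsInit);

// Controls the maximum time duration an outermost frame navigation should be
// deferred by RWS initialization.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kWaitForFirstPartySetsInitNavigationThrottleTimeout;

// When enabled, a cross-site ancestor chain bit is included in the partition
// key in partitioned cookies.
NET_EXPORT BASE_DECLARE_FEATURE(kAncestorChainBitEnabledInPartitionedCookies);

// When enabled, cookie-related code will treat cookies containing '\0', '\r',
// and '\n' as invalid and reject the cookie.
NET_EXPORT BASE_DECLARE_FEATURE(kBlockTruncatedCookies);

// Controls whether static key pinning is enforced.
// NOTE(review): security-relevant. With enforcement off, a connection whose
// chain does not match a static pin would presumably no longer be rejected;
// confirm the default and the failure behavior at the definition and use
// sites.
NET_EXPORT BASE_DECLARE_FEATURE(kStaticKeyPinningEnforcement);

// When enabled, cookies with a non-ASCII domain attribute will be rejected.
NET_EXPORT BASE_DECLARE_FEATURE(kCookieDomainRejectNonASCII);

// NOTE(review): the two features below carry no description in this header; by
// their names they gate partitioning of third-party storage and of blob URLs.
// Confirm at the definitions.
NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyStoragePartitioning);
NET_EXPORT BASE_DECLARE_FEATURE(kSupportPartitionedBlobUrl);

// Feature to enable consideration of 3PC deprecation trial settings.
NET_EXPORT BASE_DECLARE_FEATURE(kTpcdTrialSettings);

// Feature to enable consideration of top-level 3PC deprecation trial settings.
NET_EXPORT BASE_DECLARE_FEATURE(kTopLevelTpcdTrialSettings);

// Whether to enable the use of 3PC based on 3PCD metadata grants delivered via
// component updater.
NET_EXPORT BASE_DECLARE_FEATURE(kTpcdMetadataGrants);

// Whether to enable staged rollback of the TPCD Metadata Entries.
NET_EXPORT BASE_DECLARE_FEATURE(kTpcdMetadataStagedRollback);

// Whether ALPS parsing is on for any type of frame.
NET_EXPORT BASE_DECLARE_FEATURE(kAlpsParsing);

// Whether ALPS parsing is on for client hint parsing specifically.
NET_EXPORT BASE_DECLARE_FEATURE(kAlpsClientHintParsing);

// Whether to kill the session on Error::kAcceptChMalformed.
NET_EXPORT BASE_DECLARE_FEATURE(kShouldKillSessionOnAcceptChMalformed);

// NOTE(review): undocumented here; by its name, presumably makes matching of
// cookie name prefixes (e.g. `__Secure-`, `__Host-`) case-insensitive. Confirm
// at the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kCaseInsensitiveCookiePrefix);

// NOTE(review): undocumented here; by its name, gates WebSockets over HTTP/3.
// Confirm at the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebsocketsOverHttp3);

// Whether to do IPv4 to IPv6 address translation for IPv4 literals.
NET_EXPORT BASE_DECLARE_FEATURE(kUseNAT64ForIPv4Literal);

// Whether to block newly added forbidden headers (https://crbug.com/1362331).
NET_EXPORT BASE_DECLARE_FEATURE(kBlockNewForbiddenHeaders);

#if BUILDFLAG(IS_WIN)
// Whether to probe for SHA-256 on some legacy platform keys, before assuming
// the key requires SHA-1. See SSLPlatformKeyWin for details.
NET_EXPORT BASE_DECLARE_FEATURE(kPlatformKeyProbeSHA256);

// Whether or not to use the GetNetworkConnectivityHint API on modern Windows
// versions for the Network Change Notifier.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableGetNetworkConnectivityHintAPI);
#endif

// Prefetch to follow normal semantics instead of 5-minute rule
// https://crbug.com/1345207
NET_EXPORT BASE_DECLARE_FEATURE(kPrefetchFollowsNormalCacheSemantics);

// A flag for new Kerberos feature, that suggests new UI
// when Kerberos authentication in browser fails on ChromeOS.
// b/260522530
#if BUILDFLAG(IS_CHROMEOS)
NET_EXPORT BASE_DECLARE_FEATURE(kKerberosInBrowserRedirect);
#endif

// A flag to use asynchronous session creation for new QUIC sessions.
NET_EXPORT BASE_DECLARE_FEATURE(kAsyncQuicSession);

// A flag to make multiport context creation asynchronous.
NET_EXPORT BASE_DECLARE_FEATURE(kAsyncMultiPortPath);

// Enables custom proxy configuration for the IP Protection experimental proxy.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableIpProtectionProxy);

// Sets the name of the IP protection auth token server.
NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyTokenServer;

// Sets the path component of the IP protection auth token server URL used for
// getting initial token signing data.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyTokenServerGetInitialDataPath;

// Sets the path component of the IP protection auth token server URL used for
// getting blind-signed tokens.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyTokenServerGetTokensPath;

// Sets the path component of the IP protection auth token server URL used for
// getting proxy configuration.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyTokenServerGetProxyConfigPath;

// Sets the batch size to fetch new auth tokens for IP protection.
NET_EXPORT extern const base::FeatureParam<int>
    kIpPrivacyAuthTokenCacheBatchSize;

// Sets the cache low-water-mark for auth tokens for IP protection.
NET_EXPORT extern const base::FeatureParam<int>
    kIpPrivacyAuthTokenCacheLowWaterMark;

// Sets the normal time between fetches of the IP protection proxy list.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kIpPrivacyProxyListFetchInterval;

// Sets the minimum time between fetches of the IP protection proxy list, such
// as when a re-fetch is forced due to an error.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kIpPrivacyProxyListMinFetchInterval;

// Overrides the ProxyA hostname normally set by the proxylist fetch.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyProxyAHostnameOverride;

// Overrides the ProxyB hostname normally set by the proxylist fetch.
NET_EXPORT extern const base::FeatureParam<std::string>
    kIpPrivacyProxyBHostnameOverride;

// Controls whether IP Protection _proxying_ is bypassed by not including any
// of the proxies in the proxy list. This supports experimental comparison of
// connections that _would_ have been proxied, but were not.
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyDirectOnly;

// The PSK added to connections to proxyB with `Proxy-Authorization: Preshared
// $PSK`.
// NOTE(review): a FeatureParam is configuration, not secret storage, so this
// value should presumably be treated as non-confidential. Confirm how it is
// provisioned and what proxyB relies on it for.
NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyProxyBPsk;

// If true, pass OAuth token to Phosphor in GetProxyConfig API for IP
// Protection.
NET_EXPORT extern const base::FeatureParam<bool>
    kIpPrivacyIncludeOAuthTokenInGetProxyConfig;

// Controls whether a header ("IP-Protection: 1") should be added to proxied
// network requests.
NET_EXPORT extern const base::FeatureParam<bool>
    kIpPrivacyAddHeaderToProxiedRequests;

// Token expirations will have a random time between 5 seconds and this delta
// subtracted from their expiration, in order to even out the load on the token
// servers.
NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
    kIpPrivacyExpirationFuzz;

// If true, only proxy traffic when the top-level site uses the http:// or
// https:// schemes. This prevents attempts to proxy from top-level sites with
// chrome://, chrome-extension://, or other non-standard schemes, in addition to
// top-level sites using less common schemes like blob:// and data://.
NET_EXPORT extern const base::FeatureParam<bool>
    kIpPrivacyRestrictTopLevelSiteSchemes;

// If true, IP protection will attempt to use QUIC to connect to proxies,
// falling back to HTTPS. If false, it will only use HTTPS.
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseQuicProxies;

// If true, IP protection will only use QUIC to connect to proxies, with no
// fallback to HTTPS. This is intended for development of the QUIC
// functionality.
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseQuicProxiesOnly;

// Truncate IP protection proxy chains to a single proxy. This is intended for
// development of the QUIC functionality.
// NOTE(review): with a one-hop chain, that proxy presumably sees both the
// client address and the destination; keep this to development use as stated.
NET_EXPORT extern const base::FeatureParam<bool> kIpPrivacyUseSingleProxy;

// Send all traffic to this host via IP Protection proxies, regardless of MDL,
// 1P/3P, or token availability. This is intended for development of the QUIC
// functionality.
NET_EXPORT extern const base::FeatureParam<std::string> kIpPrivacyAlwaysProxy;

// Whether QuicParams::migrate_sessions_on_network_change_v2 defaults to true or
// false. This is needed as a workaround to set this value to true on Android
// but not on WebView (until crbug.com/1430082 has been fixed).
NET_EXPORT BASE_DECLARE_FEATURE(kMigrateSessionsOnNetworkChangeV2);

// Controls whether the blackhole detector should be disabled during connection
// migration when there is no available network.
NET_EXPORT BASE_DECLARE_FEATURE(kDisableBlackholeOnNoNewNetwork);

#if BUILDFLAG(IS_LINUX)
// AddressTrackerLinux will not run inside the network service in this
// configuration, which will improve the Linux network service sandbox.
// TODO(crbug.com/1312226): remove this.
NET_EXPORT BASE_DECLARE_FEATURE(kAddressTrackerLinuxIsProxied);
#endif  // BUILDFLAG(IS_LINUX)

// Enables binding of cookies to the port that originally set them by default.
NET_EXPORT BASE_DECLARE_FEATURE(kEnablePortBoundCookies);

// Enables binding of cookies to the scheme that originally set them. Also
// enables domain cookie shadowing protection.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableSchemeBoundCookies);

// Enables expiration duration limit (3 hours) for cookies on insecure websites.
// This feature is a no-op unless kEnableSchemeBoundCookies is enabled.
NET_EXPORT BASE_DECLARE_FEATURE(kTimeLimitedInsecureCookies);

// Allows third-party cookie blocking to be enabled from the command line.
NET_EXPORT BASE_DECLARE_FEATURE(kForceThirdPartyCookieBlocking);

// Enables an exception for third-party cookie blocking when the request is
// same-site with the top-level document, opted into CORS, but embedded in a
// cross-site context.
NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyCookieTopLevelSiteCorsException);

// Enables Early Hints on HTTP/1.1.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableEarlyHintsOnHttp11);

// Enables draft-07 version of WebTransport over HTTP/3.
NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebTransportDraft07);

// Enables Zstandard Content-Encoding support.
NET_EXPORT BASE_DECLARE_FEATURE(kZstdContentEncoding);

// NOTE(review): undocumented here; by its name, presumably makes partitioned
// third-party storage allowed by default. Confirm at the definition.
NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyPartitionedStorageAllowedByDefault);

// Enables the HTTP extensible priorities "priority" header.
// RFC 9218
NET_EXPORT BASE_DECLARE_FEATURE(kPriorityHeader);

// Enables a more efficient implementation of SpdyHeadersToHttpResponse().
NET_EXPORT BASE_DECLARE_FEATURE(kSpdyHeadersToHttpResponseUseBuilder);

// Enables receiving ECN bit by sockets in Chrome.
NET_EXPORT BASE_DECLARE_FEATURE(kReceiveEcn);

// Enables using the new ALPS codepoint to negotiate application settings for
// HTTP2.
NET_EXPORT BASE_DECLARE_FEATURE(kUseNewAlpsCodepointHttp2);

// Enables using the new ALPS codepoint to negotiate application settings for
// QUIC.
NET_EXPORT BASE_DECLARE_FEATURE(kUseNewAlpsCodepointQUIC);

// Treat HTTP header `Expires: "0"` as an expired value, according to section
// 5.3 of RFC 9111.
// TODO(https://crbug.com/853508): Remove after the bug fix will go well for a
// while on stable channels.
NET_EXPORT BASE_DECLARE_FEATURE(kTreatHTTPExpiresHeaderValueZeroAsExpired);

// Enables truncating the response body to the content length.
NET_EXPORT BASE_DECLARE_FEATURE(kTruncateBodyToContentLength);

#if BUILDFLAG(IS_MAC)
// Reduces the frequency of IP address change notifications that result in
// TCP and QUIC connection resets.
NET_EXPORT BASE_DECLARE_FEATURE(kReduceIPAddressChangeNotification);
#endif  // BUILDFLAG(IS_MAC)

// This feature will enable the Device Bound Session Credentials protocol to let
// the server assert sessions (and cookies) are bound to a specific device.
NET_EXPORT BASE_DECLARE_FEATURE(kDeviceBoundSessions);

}  // namespace net::features

#endif  // NET_BASE_FEATURES_H_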