roll skia to 4276
[chromium-blink-merge.git] / net / base / transport_security_state_static.json
blob0725298ce1e3fc580c6ec3b3c6330433c4ab9f21
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // This file contains the HSTS preloaded list in a machine readable format.
7 // The top-level element is a dictionary with two keys: "pinsets" maps details
8 // of certificate pinning to a name and "entries" contains the HSTS details for
9 // each host.
11 // "pinsets" is a list of objects. Each object has the following members:
12 //   name: (string) the name of the pinset
13 //   static_spki_hashes: (list of strings) the set of allowed SPKIs hashes
14 //   bad_static_spki_hashes: (optional list of strings) the set of forbidden SPKIs hashes
16 // For a given pinset, a certifiacte is accepted if at least one of the
17 // "static_spki_hashes" SPKIs is found in the chain and none of the "bad_static_spki_hashes" SPKIs are.
18 // SPKIs are specified as names, which must match up with the file of
19 // certificates.
21 // "entries" is a list of objects. Each object has the following members:
22 //   name: (string) the DNS name of the host in question
23 //   include_subdomains: (optional bool) whether subdomains of |name| are also covered
24 //   mode: (optional string) "force-https" iff covered names should require HTTPS
25 //   pins: (optional string) the |name| member of an object in |pinsets|
28   "pinsets": [
29     {
30       "name": "test",
31       "static_spki_hashes": [
32         "TestSPKI"
33       ]
34     },
35     {
36       "name": "google",
37       "static_spki_hashes": [
38         "VeriSignClass3",
39         "VeriSignClass3_G3",
40         "Google1024",
41         "Google2048",
42         "EquifaxSecureCA"
43       ],
44       "bad_static_spki_hashes": [
45         "Aetna",
46         "Intel",
47         "TCTrustCenter",
48         "Vodafone"
49       ]
50     },
51     {
52       "name": "tor",
53       "static_spki_hashes": [
54         "RapidSSL",
55         "DigiCertEVRoot",
56         "Tor1",
57         "Tor2",
58         "Tor3"
59       ]
60     },
61     {
62       "name": "twitterCom",
63       "static_spki_hashes": [
64         "VeriSignClass1",
65         "VeriSignClass3",
66         "VeriSignClass3_G4",
67         "VeriSignClass4_G3",
68         "VeriSignClass3_G3",
69         "VeriSignClass1_G3",
70         "VeriSignClass2_G3",
71         "VeriSignClass3_G2",
72         "VeriSignClass2_G2",
73         "VeriSignClass3_G5",
74         "VeriSignUniversal",
75         "GeoTrustGlobal",
76         "GeoTrustGlobal2",
77         "GeoTrustUniversal",
78         "GeoTrustUniversal2",
79         "GeoTrustPrimary",
80         "GeoTrustPrimary_G2",
81         "GeoTrustPrimary_G3",
82         "Twitter1"
83       ]
84     },
85     {
86       "name": "twitterCDN",
87       "static_spki_hashes": [
88         "VeriSignClass1",
89         "VeriSignClass3",
90         "VeriSignClass3_G4",
91         "VeriSignClass4_G3",
92         "VeriSignClass3_G3",
93         "VeriSignClass1_G3",
94         "VeriSignClass2_G3",
95         "VeriSignClass3_G2",
96         "VeriSignClass2_G2",
97         "VeriSignClass3_G5",
98         "VeriSignUniversal",
99         "GeoTrustGlobal",
100         "GeoTrustGlobal2",
101         "GeoTrustUniversal",
102         "GeoTrustUniversal2",
103         "GeoTrustPrimary",
104         "GeoTrustPrimary_G2",
105         "GeoTrustPrimary_G3",
106         "Twitter1",
108         "Entrust_2048",
109         "Entrust_EV",
110         "Entrust_G2",
111         "Entrust_SSL",
112         "AAACertificateServices",
113         "AddTrustClass1CARoot",
114         "AddTrustExternalCARoot",
115         "AddTrustPublicCARoot",
116         "AddTrustQualifiedCARoot",
117         "COMODOCertificationAuthority",
118         "SecureCertificateServices",
119         "TrustedCertificateServices",
120         "UTNDATACorpSGC",
121         "UTNUSERFirstClientAuthenticationandEmail",
122         "UTNUSERFirstHardware",
123         "UTNUSERFirstObject",
124         "GTECyberTrustGlobalRoot"
125       ]
126     },
127     {
128       "name": "tor2web",
129       "static_spki_hashes": [
130         "AlphaSSL_G2",
131         "Tor2web"
132       ]
133     }
134   ],
136   "entries": [
137     // Dummy entry to test certificate pinning.
138     { "name": "pinningtest.appspot.com", "include_subdomains": true, "pins": "test" },
140     // (*.)google.com, iff using SSL, must use an acceptable certificate.
141     { "name": "google.com", "include_subdomains": true, "pins": "google" },
143     // Now we force HTTPS for subtrees of google.com.
144     { "name": "health.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
145     { "name": "checkout.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
146     { "name": "chrome.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
147     { "name": "docs.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
148     { "name": "sites.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
149     { "name": "spreadsheets.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
150     { "name": "appengine.google.com", "mode": "force-https", "pins": "google" },
151     { "name": "encrypted.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
152     { "name": "accounts.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
153     { "name": "profiles.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
154     { "name": "mail.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
155     { "name": "talkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
156     { "name": "talk.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
157     { "name": "hostedtalkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
158     { "name": "plus.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
160     // Other Google related domain that must use HTTPS.
161     { "name": "market.android.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
162     { "name": "ssl.google-analytics.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
163     { "name": "drive.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
164     { "name": "googleplex.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
165     { "name": "groups.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
166     { "name": "apis.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
168     // chart.apis.google.com is *not* HSTS because the certificate doesn't match
169     // and there are lots of links out there that still use the name. The correct
170     // hostname for this is chart.googleapis.com.
171     { "name": "chart.apis.google.com", "include_subdomains": true, "pins": "google" },
173     // Other Google-related domains that must use an acceptable certificate
174     // iff using SSL.
175     { "name": "ytimg.com", "include_subdomains": true, "pins": "google" },
176     { "name": "googleusercontent.com", "include_subdomains": true, "pins": "google" },
177     { "name": "youtube.com", "include_subdomains": true, "pins": "google" },
178     { "name": "googleapis.com", "include_subdomains": true, "pins": "google" },
179     { "name": "googleadservices.com", "include_subdomains": true, "pins": "google" },
180     { "name": "googlecode.com", "include_subdomains": true, "pins": "google" },
181     { "name": "appspot.com", "include_subdomains": true, "pins": "google" },
182     { "name": "googlesyndication.com", "include_subdomains": true, "pins": "google" },
183     { "name": "doubleclick.net", "include_subdomains": true, "pins": "google" },
184     { "name": "ssl.gstatic.com", "include_subdomains": true, "pins": "google" },
185     // Exclude the learn.doubleclick.net subdomain because it uses a different
186     // CA.
187     { "name": "learn.doubleclick.net", "include_subdomains": true },
189     // Force HTTPS for sites that have requested it.
190     { "name": "www.paypal.com", "mode": "force-https" },
191     { "name": "www.elanex.biz", "mode": "force-https" },
192     { "name": "jottit.com", "include_subdomains": true, "mode": "force-https" },
193     { "name": "sunshinepress.org", "include_subdomains": true, "mode": "force-https" },
194     { "name": "www.noisebridge.net", "mode": "force-https" },
195     { "name": "neg9.org", "mode": "force-https" },
196     { "name": "riseup.net", "include_subdomains": true, "mode": "force-https" },
197     { "name": "factor.cc", "mode": "force-https" },
198     { "name": "members.mayfirst.org", "mode": "force-https" },
199     { "name": "support.mayfirst.org", "mode": "force-https" },
200     { "name": "id.mayfirst.org", "mode": "force-https" },
201     { "name": "lists.mayfirst.org", "mode": "force-https" },
202     { "name": "aladdinschools.appspot.com", "mode": "force-https" },
203     { "name": "ottospora.nl", "include_subdomains": true, "mode": "force-https" },
204     { "name": "www.paycheckrecords.com", "mode": "force-https" },
205     { "name": "lastpass.com", "mode": "force-https" },
206     { "name": "www.lastpass.com", "mode": "force-https" },
207     { "name": "keyerror.com", "include_subdomains": true, "mode": "force-https" },
208     { "name": "entropia.de", "mode": "force-https" },
209     { "name": "www.entropia.de", "mode": "force-https" },
210     { "name": "romab.com", "include_subdomains": true, "mode": "force-https" },
211     { "name": "logentries.com", "mode": "force-https" },
212     { "name": "www.logentries.com", "mode": "force-https" },
213     { "name": "stripe.com", "include_subdomains": true, "mode": "force-https" },
214     { "name": "cloudsecurityalliance.org", "include_subdomains": true, "mode": "force-https" },
215     { "name": "login.sapo.pt", "include_subdomains": true, "mode": "force-https" },
216     { "name": "mattmccutchen.net", "include_subdomains": true, "mode": "force-https" },
217     { "name": "betnet.fr", "include_subdomains": true, "mode": "force-https" },
218     { "name": "uprotect.it", "include_subdomains": true, "mode": "force-https" },
219     { "name": "squareup.com", "mode": "force-https" },
220     { "name": "cert.se", "include_subdomains": true, "mode": "force-https" },
221     { "name": "crypto.is", "include_subdomains": true, "mode": "force-https" },
222     { "name": "simon.butcher.name", "include_subdomains": true, "mode": "force-https" },
223     { "name": "linx.net", "include_subdomains": true, "mode": "force-https" },
224     { "name": "dropcam.com", "mode": "force-https" },
225     { "name": "www.dropcam.com", "mode": "force-https" },
226     { "name": "ebanking.indovinabank.com.vn", "include_subdomains": true, "mode": "force-https" },
227     { "name": "epoxate.com", "mode": "force-https" },
228     { "name": "torproject.org", "mode": "force-https", "pins": "tor" },
229     { "name": "blog.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
230     { "name": "check.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
231     { "name": "www.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
232     { "name": "www.moneybookers.com", "include_subdomains": true, "mode": "force-https" },
233     { "name": "ledgerscope.net", "mode": "force-https" },
234     { "name": "www.ledgerscope.net", "mode": "force-https" },
235     { "name": "kyps.net", "mode": "force-https" },
236     { "name": "www.kyps.net", "mode": "force-https" },
237     { "name": "app.recurly.com", "include_subdomains": true, "mode": "force-https" },
238     { "name": "api.recurly.com", "include_subdomains": true, "mode": "force-https" },
239     { "name": "greplin.com", "mode": "force-https" },
240     { "name": "www.greplin.com", "mode": "force-https" },
241     { "name": "luneta.nearbuysystems.com", "include_subdomains": true, "mode": "force-https" },
242     { "name": "ubertt.org", "include_subdomains": true, "mode": "force-https" },
243     { "name": "pixi.me", "include_subdomains": true, "mode": "force-https" },
244     { "name": "grepular.com", "include_subdomains": true, "mode": "force-https" },
245     { "name": "mydigipass.com", "mode": "force-https" },
246     { "name": "www.mydigipass.com", "mode": "force-https" },
247     { "name": "developer.mydigipass.com", "mode": "force-https" },
248     { "name": "www.developer.mydigipass.com", "mode": "force-https" },
249     { "name": "sandbox.mydigipass.com", "mode": "force-https" },
250     { "name": "www.sandbox.mydigipass.com", "mode": "force-https" },
251     { "name": "crypto.cat", "include_subdomains": true, "mode": "force-https" },
252     { "name": "bigshinylock.minazo.net", "include_subdomains": true, "mode": "force-https" },
253     { "name": "crate.io", "include_subdomains": true, "mode": "force-https" },
254     { "name": "twitter.com", "pins": "twitterCom" },
255     { "name": "www.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
256     { "name": "api.twitter.com", "include_subdomains": true, "pins": "twitterCDN" },
257     { "name": "oauth.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
258     { "name": "mobile.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
259     { "name": "dev.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
260     { "name": "business.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
261     { "name": "platform.twitter.com", "include_subdomains": true, "pins": "twitterCDN" },
262     { "name": "si0.twimg.com", "include_subdomains": true, "pins": "twitterCDN" },
263     { "name": "twimg0-a.akamaihd.net", "include_subdomains": true, "pins": "twitterCDN" },
264     { "name": "braintreegateway.com", "include_subdomains": true, "mode": "force-https" },
265     { "name": "braintreepayments.com", "mode": "force-https" },
266     { "name": "www.braintreepayments.com", "mode": "force-https" },
267     { "name": "emailprivacytester.com", "mode": "force-https" },
268     { "name": "tor2web.org", "include_subdomains": true, "pins": "tor2web" },
269     { "name": "business.medbank.com.mt", "include_subdomains": true },
270     { "name": "arivo.com.br", "include_subdomains": true },
272     // Entries that are only valid if the client supports SNI.
273     { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
274     { "name": "googlemail.com", "mode": "force-https", "pins": "google", "snionly": true },
275     { "name": "www.gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
276     { "name": "www.googlemail.com", "mode": "force-https", "pins": "google", "snionly": true },
277     { "name": "google-analytics.com", "include_subdomains": true, "pins": "google", "snionly": true },
278     { "name": "googlegroups.com", "include_subdomains": true, "pins": "google", "snionly": true }
279   ]