From baa5cec5e779971e3b2c9e4a47c79307e9d7d2f6 Mon Sep 17 00:00:00 2001
From: Chris Thompson
Date: Fri, 15 Jul 2022 16:19:51 +0000
Subject: [PATCH] Disable TLS 1.0/1.1 support in WebView by default

This (1) flips the kWebViewLegacyTlsSupport feature flag to be disabled by default (turning off support for TLS 1.0/1.1 in WebView), (2) removes the field trial config entry, and (3) updates a test for the flag-enabled case.

Bug: 1294330
Change-Id: I977e200870c41612c95962e021c07dd52b74f132
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3763335
Reviewed-by: Richard Coles
Commit-Queue: Chris Thompson
Cr-Commit-Position: refs/heads/main@{#1024775}
---
 .../browser/aw_browser_context_unittest.cc | 7 ++++++-
 android_webview/common/aw_features.cc | 2 +-
 testing/variations/fieldtrial_testing_config.json | 15 ---------------
 3 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/android_webview/browser/aw_browser_context_unittest.cc b/android_webview/browser/aw_browser_context_unittest.cc
index a1460916722635..f753ccf8b26087 100644
--- a/android_webview/browser/aw_browser_context_unittest.cc
+++ b/android_webview/browser/aw_browser_context_unittest.cc
@@ -84,8 +84,13 @@ TEST_F(AwBrowserContextTest, SHA1LocalAnchorsAllowed) {
 network_context_params.initial_ssl_config->sha1_local_anchors_enabled);
 }

-// Tests that TLS 1.0/1.1 is still allowed for WebView by default.
+// Tests that TLS 1.0/1.1 is still allowed for WebView if the escape hatch
+// feature is enabled.
 TEST_F(AwBrowserContextTest, LegacyTLSVersionsAllowed) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndEnableFeature(
+ android_webview::features::kWebViewLegacyTlsSupport);
+
 AwBrowserContext context;
 network::mojom::NetworkContextParams network_context_params;
 cert_verifier::mojom::CertVerifierCreationParams cert_verifier_params;
diff --git a/android_webview/common/aw_features.cc b/android_webview/common/aw_features.cc
index 2c2b21c3cee63c..5957e3f5a0757c 100644
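Review bot: With the default flipped, `LegacyTLSVersionsAllowed` now exercises only the flag-enabled path, and nothing visible in this hunk pins the new secure default. A sibling test that leaves `kWebViewLegacyTlsSupport` at its default and asserts the TLS 1.2 floor would catch an accidental re-enable, along the lines of `EXPECT_EQ(network::mojom::SSLVersion::kTLS12, network_context_params.initial_ssl_config->version_min);`. The test body continues past the end of the hunk, so the exact field and expectation should mirror whatever the existing assertions check.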
--- a/android_webview/common/aw_features.cc
+++ b/android_webview/common/aw_features.cc
@@ -57,7 +57,7 @@ const base::Feature kWebViewJavaJsBridgeMojo{"WebViewJavaJsBridgeMojo",

 // When enabled, connections using legacy TLS 1.0/1.1 versions are allowed.
 const base::Feature kWebViewLegacyTlsSupport{"WebViewLegacyTlsSupport",
- base::FEATURE_ENABLED_BY_DEFAULT};
+ base::FEATURE_DISABLED_BY_DEFAULT};

 // Measure the number of pixels occupied by one or more WebViews as a
 // proportion of the total screen size. Depending on the number of
diff --git a/testing/variations/fieldtrial_testing_config.json b/testing/variations/fieldtrial_testing_config.json
index 1174a34e31f111..cd6319cc3026d7 100644
--- a/testing/variations/fieldtrial_testing_config.json
+++ b/testing/variations/fieldtrial_testing_config.json
@@ -10076,21 +10076,6 @@
 ]
 }
 ],
- "WebViewLegacyTlsSupport": [
- {
- "platforms": [
- "android_webview"
- ],
- "experiments": [
- {
- "name": "Disabled",
- "disable_features": [
- "WebViewLegacyTlsSupport"
- ]
- }
- ]
- }
- ],
 "WebViewMeasureScreenCoverage": [
 {
 "platforms": [
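Review bot: The comment above `kWebViewLegacyTlsSupport` still describes a neutral toggle, although after this change the flag is an off-by-default escape hatch that re-admits TLS 1.0/1.1. I would say so at the definition and point at the tracking bug, e.g. `// Escape hatch: when enabled, WebView allows legacy TLS 1.0/1.1 connections. Disabled by default (crbug.com/1294330); remove once no longer needed.` Enabling it presumably lowers the protocol floor for the WebView's connections as a whole, so the definition is where a future reader should learn that the flag is temporary and security-relevant.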