Honor NetworkSecurityPolicy regarding cleartext traffic.
This makes HttpClient instances honor the process-wide policy about
cleartext network traffic. If cleartext network traffic is not
permitted, then attempts to send a cleartext HTTP request will throw
This change is needed despite platform-provided HttpClient being
deprecated because a large fraction of applications still use this
HttpClient library to generate HTTP traffic instead of using
HttpClient is modular -- most of its parts can be replaced with
alternative implementations. Thus, this CL enforces the cleartext
traffic policy in DefaultRequestDirector because RequestDirector is
least commonly replaced (if ever) and there are no other
RequestDirector implementations provided by the library.
The cleartext policy is enforced pretty late in the process of
emitting a request to give time for any HttpRequestInterceptor
instances to see the request. This is because some apps use a
HttpRequestInterceptor to enforce their own policies about cleartext
HTTP such as catching accidental use of cleartext HTTP and reporting
it to their servers for analysis.
1 file changed