dart-lang · mehmetf · Feb 8, 2020 · Feb 9, 2020 · roman-vanesyan · Feb 11, 2020
diff --git a/sdk/lib/_http/http.dart b/sdk/lib/_http/http.dart
@@ -1763,6 +1763,14 @@ abstract class HttpClient {
     return overrides.findProxyFromEnvironment(url, environment);
   }
 
+  static bool get isHttpAllowed {
+    HttpOverrides overrides = HttpOverrides.current;
+    if (overrides == null) {
+      return _HttpClient._isHttpAllowedByDefault;
+    }
+    return overrides.isHttpAllowed();
+  }
+
   /**
    * Sets the function to be called when a proxy is requesting
    * authentication. Information on the proxy in use and the security

diff --git a/sdk/lib/_http/http_impl.dart b/sdk/lib/_http/http_impl.dart
@@ -2136,6 +2136,7 @@ class _HttpClient implements HttpClient {
   Function _authenticate;
   Function _authenticateProxy;
   Function _findProxy = HttpClient.findProxyFromEnvironment;
+  bool _isHttpAllowed = HttpClient.isHttpAllowed;
   Duration _idleTimeout = const Duration(seconds: 15);
   BadCertificateCallback _badCertificateCallback;
 
@@ -2151,6 +2152,13 @@ class _HttpClient implements HttpClient {
 
   _HttpClient(this._context);
 
+  static bool get _isHttpAllowedByDefault {
+    if (Platform.isIOS) return true;
+    if (Platform.isAndroid) return true;
+    // Add any more Platform specific defaults here.
+    return true;
+  }
+
   void set idleTimeout(Duration timeout) {
     _idleTimeout = timeout;
     for (var c in _connectionTargets.values) {
@@ -2285,6 +2293,10 @@ class _HttpClient implements HttpClient {
     }
 
     bool isSecure = (uri.scheme == "https");
+    if (!_isHttpAllowed && !isSecure) {
+      throw new ArgumentError("HTTP traffic is not supported in this client. Please use HTTPS.");
+    }
+
     int port = uri.port;
     if (port == 0) {
       port =

diff --git a/sdk/lib/_http/overrides.dart b/sdk/lib/_http/overrides.dart
@@ -52,10 +52,11 @@ abstract class HttpOverrides {
       {HttpClient Function(SecurityContext) createHttpClient,
       String Function(Uri uri, Map<String, String> environment)
           findProxyFromEnvironment,
+      bool allowHttp,
       ZoneSpecification zoneSpecification,
       Function onError}) {
     HttpOverrides overrides =
-        new _HttpOverridesScope(createHttpClient, findProxyFromEnvironment);
+        new _HttpOverridesScope(createHttpClient, findProxyFromEnvironment, allowHttp);
     return _asyncRunZoned<R>(body,
         zoneValues: {_httpOverridesToken: overrides},
         zoneSpecification: zoneSpecification,
@@ -89,6 +90,11 @@ abstract class HttpOverrides {
   String findProxyFromEnvironment(Uri url, Map<String, String> environment) {
     return _HttpClient._findProxyFromEnvironment(url, environment);
   }
+
+  /// Specifies whether HTTP communication in cleartext is allowed.
+  bool isHttpAllowed() {
+    return _HttpClient._isHttpAllowedByDefault;
+  }
 }
 
 class _HttpOverridesScope extends HttpOverrides {
@@ -97,8 +103,16 @@ class _HttpOverridesScope extends HttpOverrides {
   final HttpClient Function(SecurityContext) _createHttpClient;
   final String Function(Uri uri, Map<String, String> environment)
       _findProxyFromEnvironment;
+  final bool _allowHttp;
+
+  _HttpOverridesScope(this._createHttpClient, this._findProxyFromEnvironment, this._allowHttp);
 
-  _HttpOverridesScope(this._createHttpClient, this._findProxyFromEnvironment);
+  @override
+  bool isHttpAllowed() {
+    if (_allowHttp != null) return _allowHttp;
+    if (_previous != null) return _previous.isHttpAllowed();
+    return super.isHttpAllowed();
+  }
 
   @override
   HttpClient createHttpClient(SecurityContext context) {