// This file contains the list of network errors.
// 0- 99 System related errors
// 100-199 Connection related errors
// 200-299 Certificate errors
// 300-399 HTTP errors
// 400-499 Cache errors
// 500-599 ?
// 600-699 FTP errors
// 700-799 Certificate manager errors
// 800-899 DNS resolver errors
// An asynchronous IO operation is not yet complete. This usually does not
// indicate a fatal error. Typically this error will be generated as a
// notification to wait for some external notification that the IO operation
// finally completed.
// A generic failure occurred.
// An operation was aborted (due to user action).
// An argument to the function is incorrect.
// The handle or file descriptor is invalid.
// The file or directory cannot be found.
// An operation timed out.
// The file is too large.
// An unexpected error. This may be caused by a programming mistake or an
// invalid assumption.
// Permission to access a resource, other than the network, was denied.
// The operation failed because of unimplemented functionality.
// There were not enough resources to complete the operation.
// Memory allocation failed.
// The file upload failed because the file's modification time was different
// from the expectation.
// The socket is not connected.
// The file already exists.
// The path or file name is too long.
// Not enough room left on the disk.
// The file has a virus.
// The client chose to block the request.
// The network changed.
// The request was blocked by the URL blacklist configured by the domain
// The socket is already connected.
// The request was blocked because the forced reenrollment check is still
// pending. This error can only occur on ChromeOS.
// The error can be emitted by code in chrome/browser/policy/policy_helpers.cc.
// The upload failed because the upload stream needed to be re-read, due to a
// retry or a redirect, but the upload stream doesn't support that operation.
// The request failed because the URLRequestContext is shutting down, or has
// been shut down.
// The request failed because the response was delivered along with requirements
// which are not met ('X-Frame-Options' and 'Content-Security-Policy' ancestor
// checks, for instance).
// The request failed after the response was received, based on client-side
// heuristics that point to the possibility of a cross-site scripting attack.
// The request was blocked by system policy disallowing some or all cleartext
// requests. Used for NetworkSecurityPolicy on Android.
// A connection was closed (corresponding to a TCP FIN).
// A connection was reset (corresponding to a TCP RST).
// A connection attempt was refused.
// A connection timed out as a result of not receiving an ACK for data sent.
// This can include a FIN packet that did not get ACK'd.
// A connection attempt failed.
// The host name could not be resolved.
// The Internet connection has been lost.
// An SSL protocol error occurred.
// The IP address or port number is invalid (e.g., cannot connect to the IP
// address 0 or the port 0).
// The IP address is unreachable. This usually means that there is no route to
// the specified host or network.
// The server requested a client certificate for SSL client authentication.
// A tunnel connection through the proxy could not be established.
// No SSL protocol versions are enabled.
// The client and server don't support a common SSL protocol version or
// cipher suite.
// The server requested a renegotiation (rehandshake).
// The proxy requested authentication (for tunnel establishment) with an
// unsupported method.
// During SSL renegotiation (rehandshake), the server sent a certificate with
// an error.
// Note: this error is not in the -2xx range so that it won't be handled as a
// certificate error.
// The SSL handshake failed because of a bad or missing client certificate.
// A connection attempt timed out.
// There are too many pending DNS resolves, so a request in the queue was
// Failed establishing a connection to the SOCKS proxy server for a target host.
// The SOCKS proxy server failed establishing connection to the target host
// because that host is unreachable.
// The request to negotiate an alternate protocol failed.
// The peer sent an SSL no_renegotiation alert message.
// Winsock sometimes reports more data written than passed. This is probably
// due to a broken LSP.
// An SSL peer sent us a fatal decompression_failure alert. This typically
// occurs when a peer selects DEFLATE compression in the mistaken belief that
// it supports it.
// An SSL peer sent us a fatal bad_record_mac alert. This has been observed
// from servers with buggy DEFLATE support.
// The proxy requested authentication (for tunnel establishment).
// The SSL server attempted to use a weak ephemeral Diffie-Hellman key.
// Could not create a connection to the proxy server. An error occurred
// either in resolving its name, or in connecting a socket to it.
// Note that this does NOT include failures during the actual "CONNECT" method
// of an HTTP proxy.
// A mandatory proxy configuration could not be used. Currently this means
// that a mandatory PAC script could not be fetched, parsed or executed.
// -132 was formerly ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION
// We've hit the max socket limit for the socket pool while preconnecting. We
// don't bother trying to preconnect more sockets.
// The permission to use the SSL client certificate's private key was denied.
// The SSL client certificate has no private key.
// The certificate presented by the HTTPS Proxy was invalid.
// An error occurred when trying to do a name resolution (DNS).
// Permission to access the network was denied. This is used to distinguish
// errors that were most likely caused by a firewall from other access denied
// errors. See also ERR_ACCESS_DENIED.
// The request throttler module cancelled this request to avoid DDOS.
// A request to create an SSL tunnel connection through the HTTPS proxy
// received a non-200 (OK) and non-407 (Proxy Auth) response. The response
// body might include a description of why the request failed.
// We were unable to sign the CertificateVerify data of an SSL client auth
// handshake with the client certificate's private key.
// Possible causes for this include the user implicitly or explicitly
// denying access to the private key, the private key may not be valid for
// signing, the key may be relying on a cached handle which is no longer
// valid, or the CSP won't allow arbitrary data to be signed.
// The message was too large for the transport (for example, a UDP message
// that exceeds the size threshold).
// A SPDY session already exists, and should be used instead of this connection.
// Error -144 was removed (LIMIT_VIOLATION).
// Websocket protocol error. Indicates that we are terminating the connection
// due to a malformed frame or other protocol violation.
// Error -146 was removed (PROTOCOL_SWITCHED)
// Returned when attempting to bind an address that is already in use.
// An operation failed because the SSL handshake has not completed.
// SSL peer's public key is invalid.
// The certificate didn't match the built-in public key pins for the host name.
// The pins are set in net/http/transport_security_state.cc and require that
// one of a set of public keys exist on the path from the leaf to the root.
// Server request for client certificate did not contain any types we support.
// Server requested one type of cert, then requested a different type while the
// first was still being generated.
// An SSL peer sent us a fatal decrypt_error alert. This typically occurs when
// a peer could not correctly verify a signature (in CertificateVerify or
// ServerKeyExchange) or validate a Finished message.
// There are too many pending WebSocketJob instances, so the new job was not
// pushed to the queue.
// Error -155 was removed (TOO_MANY_SOCKET_STREAMS)
// The SSL server certificate changed in a renegotiation.
// Error -157 was removed (SSL_INAPPROPRIATE_FALLBACK).
// Error -158 was removed (CT_NO_SCTS_VERIFIED_OK).
// The SSL server sent us a fatal unrecognized_name alert.
// Failed to set the socket's receive buffer size as requested.
// Failed to set the socket's send buffer size as requested.
// Failed to set the socket's receive buffer size as requested, despite success
// return code from setsockopt.
// Failed to set the socket's send buffer size as requested, despite success
// return code from setsockopt.
// Failed to import a client certificate from the platform store into the SSL
// Error -165 was removed (SSL_FALLBACK_BEYOND_MINIMUM_VERSION).
// Resolving a hostname to an IP address list included the IPv4 address
// "127.0.53.53". This is a special IP address which ICANN has recommended to
// indicate there was a name collision, and alert admins to a potential
// The SSL server presented a certificate which could not be decoded. This is
// not a certificate error code as no X509Certificate object is available. This
// error is fatal.
// Certificate Transparency: Received a signed tree head that failed to parse.
// Certificate Transparency: Received a signed tree head whose JSON parsing was
// OK but was missing some of the fields.
// The attempt to reuse a connection to send proxy auth credentials failed
// before the AuthController was used to generate credentials. The caller should
// reuse the controller with a new connection. This error is only used
// internally by the network stack.
// Certificate Transparency: Failed to parse the received consistency proof.
// The SSL server required an unsupported cipher suite that has since been
// removed. This error will temporarily be signaled on a fallback for one or two
// releases immediately following a cipher suite's removal, after which the
// fallback will be removed.
// When a WebSocket handshake is done successfully and the connection has been
// upgraded, the URLRequest is cancelled with this error code.
// Socket ReadIfReady support is not implemented. This error should not be user
// visible, because the normal Read() method is used as a fallback.
// This error is emitted if TLS 1.3 is enabled, connecting with it failed, but
// retrying at a downgraded maximum version succeeded. This could mean:
// 1. This is a transient network error that will be resolved when the user
// 2. The user is behind a buggy network middlebox, firewall, or proxy which is
// interfering with TLS 1.3.
// 3. The server is buggy and does not implement TLS version negotiation
// correctly. TLS 1.3 was tweaked to avoid a common server bug here, so this
// is unlikely.
// Certificate error codes
// The values of certificate error codes must be consecutive.
// The server responded with a certificate whose common name did not match
// the host name. This could mean:
// 1. An attacker has redirected our traffic to their server and is
// presenting a certificate for which they know the private key.
// 2. The server is misconfigured and responding with the wrong cert.
// 3. The user is on a wireless network and is being redirected to the
// network's login page.
// 4. The OS has used a DNS search suffix and the server doesn't have
// a certificate for the abbreviated name in the address bar.
// The server responded with a certificate that, by our clock, appears to
// either not yet be valid or to have expired. This could mean:
// 1. An attacker is presenting an old certificate for which they have
// managed to obtain the private key.
// 2. The server is misconfigured and is not presenting a valid cert.
// 3. Our clock is wrong.
// The server responded with a certificate that is signed by an authority
// we don't trust. This could mean:
// 1. An attacker has substituted the real certificate for a cert that
// contains their public key and is signed by their cousin.
// 2. The server operator has a legitimate certificate from a CA we don't
// know about, but should trust.
// 3. The server is presenting a self-signed certificate, providing no
// defense against active attackers (but foiling passive attackers).
// The server responded with a certificate that contains errors.
// This error is not recoverable.
// MSDN describes this error as follows:
// "The SSL certificate contains errors."
// NOTE: It's unclear how this differs from ERR_CERT_INVALID. For consistency,
// use that code instead of this one from now on.
// The certificate has no mechanism for determining if it is revoked. In
// effect, this certificate cannot be revoked.
// Revocation information for the security certificate for this site is not
// available. This could mean:
// 1. An attacker has compromised the private key in the certificate and is
// blocking our attempt to find out that the cert was revoked.
// 2. The certificate is unrevoked, but the revocation server is busy or
// The server responded with a certificate that has been revoked.
// We have the capability to ignore this error, but it is probably not the
// thing to do.
// The server responded with a certificate that is invalid.
// This error is not recoverable.
// MSDN describes this error as follows:
// "The SSL certificate is invalid."
// The server responded with a certificate that is signed using a weak
// signature algorithm.
// -209 is available: was CERT_NOT_IN_DNS.
// The host name specified in the certificate is not unique.
// The server responded with a certificate that contains a weak key (e.g.
// a too-small RSA key).
// The certificate claimed DNS names that are in violation of name constraints.
// The certificate's validity period is too long.
// Certificate Transparency was required for this connection, but the server
// did not provide CT information that complied with the policy.
// Add new certificate error codes here.
// Update the value of CERT_END whenever you add a new certificate error
// The value immediately past the last certificate error code.
// The URL is invalid.
// The scheme of the URL is disallowed.
// The scheme of the URL is unknown.
// Attempting to load a URL resulted in too many redirects.
// Attempting to load a URL resulted in an unsafe redirect (e.g., a redirect
// to file:// is considered unsafe).
// Attempting to load a URL with an unsafe port number. These are port
// numbers that correspond to services, which are not robust to spurious input
// that may be constructed as a result of an allowed web construct (e.g., HTTP
// looks a lot like SMTP, so form submission to port 25 is denied).
// The server's response was invalid.
// Error in chunked transfer encoding.
// The server did not support the request method.
// The response was 407 (Proxy Authentication Required), yet we did not send
// the request to a proxy.
// The server closed the connection without sending any data.
// The headers section of the response is too large.
// The PAC requested by HTTP did not have a valid status code (non-200).
// The evaluation of the PAC script failed.
// The response was 416 (Requested range not satisfiable) and the server cannot
// satisfy the range requested.
// The identity used for authentication is invalid.
// Content decoding of the response body failed.
// An operation could not be completed because all network IO
// is suspended.
// FLIP data received without receiving a SYN_REPLY on the stream.
// Converting the response to target encoding failed.
// The server sent an FTP directory listing in a format we do not understand.
// Attempted use of an unknown SPDY stream id.
// There are no supported proxies in the provided list.
// There is a SPDY protocol error.
// Credentials could not be established during HTTP Authentication.
// An HTTP Authentication scheme was tried which is not supported on this
// Detecting the encoding of the response failed.
// (GSSAPI) No Kerberos credentials were available during HTTP Authentication.
// An unexpected, but documented, SSPI or GSSAPI status code was returned.
// The environment was not set up correctly for authentication (for
// example, no KDC could be found or the principal is unknown).
// An undocumented SSPI or GSSAPI status code was returned.
// The HTTP response was too big to drain.
// The HTTP response contained multiple distinct Content-Length headers.
// SPDY Headers have been received, but not all of them - status or version
// headers are missing, so we're expecting additional frames to complete them.
// No PAC URL configuration could be retrieved from DHCP. This can indicate
// either a failure to retrieve the DHCP configuration, or that there was no
// PAC URL configured in DHCP.
// The HTTP response contained multiple Content-Disposition headers.
// The HTTP response contained multiple Location headers.
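// Added example (not code from this file or its project): one way a client can
// detect the three duplicate-header conditions described above. The enum and
// function names are hypothetical, and treating repeated identical values as
// harmless for all three fields is an assumption of this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <set>
#include <sstream>
#include <string>

// Hypothetical result names; not the header's NET_ERROR identifiers or values.
enum class HeaderCheck {
  kOk, kMultipleContentLength, kMultipleContentDisposition, kMultipleLocation
};

static std::string Trim(const std::string& s) {
  const char* ws = " \t\r";
  const auto b = s.find_first_not_of(ws);
  if (b == std::string::npos) return "";
  return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Header field names are case-insensitive, so compare them lowercased.
static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// Scans a raw header block (status line first, CRLF line endings) and reports
// the first of the three fields that carries more than one distinct value.
HeaderCheck CheckDuplicateHeaders(const std::string& raw_headers) {
  std::map<std::string, std::set<std::string>> values;
  std::istringstream in(raw_headers);
  std::string line;
  std::getline(in, line);  // skip the status line
  while (std::getline(in, line)) {
    if (Trim(line).empty()) break;  // blank line ends the header section
    const auto colon = line.find(':');
    if (colon == std::string::npos) continue;  // not a "name: value" line
    values[Lower(Trim(line.substr(0, colon)))].insert(
        Trim(line.substr(colon + 1)));
  }
  if (values["content-length"].size() > 1)
    return HeaderCheck::kMultipleContentLength;
  if (values["content-disposition"].size() > 1)
    return HeaderCheck::kMultipleContentDisposition;
  if (values["location"].size() > 1) return HeaderCheck::kMultipleLocation;
  return HeaderCheck::kOk;
}

// Constructed sample responses (not captured traffic).
const char kAmbiguous[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 10\r\ncontent-length: 42\r\n\r\n";
const char kRepeatedSame[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 10\r\nContent-Length: 10\r\n\r\n";
const char kTwoLocations[] =
    "HTTP/1.1 302 Found\r\nLocation: /a\r\nLocation: /b\r\n\r\n";
```

// Rejecting the response when the values disagree removes any ambiguity about
// where the body ends or where a redirect leads.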
// HTTP/2 server refused the request without processing, and sent either a
// GOAWAY frame with error code NO_ERROR and Last-Stream-ID lower than the
// stream id corresponding to the request indicating that this request has not
// been processed yet, or a RST_STREAM frame with error code REFUSED_STREAM.
// Client MAY retry (on a different connection). See RFC7540 Section 8.1.4.
// SPDY server didn't respond to the PING message.
// Obsolete. Kept here to avoid reuse, as the old error can still appear on
// NET_ERROR(PIPELINE_EVICTION, -353)
// The HTTP response body transferred fewer bytes than were advertised by the
// Content-Length header when the connection is closed.
// The HTTP response body is transferred with Chunked-Encoding, but the
// terminating zero-length chunk was never sent when the connection is closed.
// There is a QUIC protocol error.
// The HTTP headers were truncated by an EOF.
// The QUIC crypto handshake failed. This means that the server was unable
// to read any requests sent, so they may be resent.
// Obsolete. Kept here to avoid reuse, as the old error can still appear on
// NET_ERROR(REQUEST_FOR_SECURE_RESOURCE_OVER_INSECURE_QUIC, -359)
// Transport security is inadequate for the SPDY version.
// The peer violated SPDY flow control.
// The peer sent an improperly sized SPDY frame.
// Decoding or encoding of compressed SPDY headers failed.
// Proxy Auth Requested without a valid Client Socket Handle.
// HTTP_1_1_REQUIRED error code received on HTTP/2 session.
// HTTP_1_1_REQUIRED error code received on HTTP/2 session to proxy.
// The PAC script terminated fatally and must be reloaded.
// Obsolete. Kept here to avoid reuse.
// Request is throttled because of a Backoff header.
// See: crbug.com/486891.
// NET_ERROR(TEMPORARY_BACKOFF, -369)
// The server was expected to return an HTTP/1.x response, but did not. Rather
// than treat it as HTTP/0.9, this error is returned.