No error occurred.
An asynchronous IO operation is not yet complete. This usually does not
indicate a fatal error. Typically this error will be generated as a
notification to wait for some external notification that the IO operation
A generic failure occurred.
An operation was aborted (due to user action).
An argument to the function is incorrect.
The handle or file descriptor is invalid.
The file or directory cannot be found.
An operation timed out.
The file is too large.
An unexpected error. This may be caused by a programming mistake or an
Permission to access a resource, other than the network, was denied.
The operation failed because of unimplemented functionality.
There were not enough resources to complete the operation.
Memory allocation failed.
The file upload failed because the file's modification time was different
from the expectation.
The socket is not connected.
The file already exists.
The path or file name is too long.
Not enough room left on the disk.
The file has a virus.
The client chose to block the request.
The network changed.
The request was blocked by the URL block list configured by the domain
The socket is already connected.
The request was blocked because the forced reenrollment check is still
pending. This error can only occur on ChromeOS.
The error can be emitted by code in chrome/browser/policy/policy_helpers.cc.
The upload failed because the upload stream needed to be re-read, due to a
retry or a redirect, but the upload stream doesn't support that operation.
The request failed because the URLRequestContext is shutting down, or has
been shut down.
The request failed because the response was delivered along with requirements
which are not met ('X-Frame-Options' and 'Content-Security-Policy' ancestor
checks and 'Cross-Origin-Resource-Policy', for instance).
The request was blocked by system policy disallowing some or all cleartext
requests. Used for NetworkSecurityPolicy on Android.
The request was blocked by a Content Security Policy
The request was blocked because of no H/2 or QUIC session.
A connection was closed (corresponding to a TCP FIN).
A connection was reset (corresponding to a TCP RST).
A connection attempt was refused.
A connection timed out as a result of not receiving an ACK for data sent.
This can include a FIN packet that did not get ACK'd.
A connection attempt failed.
The host name could not be resolved.
The Internet connection has been lost.
An SSL protocol error occurred.
The IP address or port number is invalid (e.g., cannot connect to the IP
address 0 or the port 0).
The IP address is unreachable. This usually means that there is no route to
the specified host or network.
The server requested a client certificate for SSL client authentication.
A tunnel connection through the proxy could not be established.
No SSL protocol versions are enabled.
The client and server don't support a common SSL protocol version or
The server requested a renegotiation (rehandshake).
The proxy requested authentication (for tunnel establishment) with an
During SSL renegotiation (rehandshake), the server sent a certificate with
Note: this error is not in the -2xx range so that it won't be handled as a
The SSL handshake failed because of a bad or missing client certificate.
A connection attempt timed out.
There are too many pending DNS resolves, so a request in the queue was
Failed establishing a connection to the SOCKS proxy server for a target host.
The SOCKS proxy server failed establishing connection to the target host
because that host is unreachable.
The request to negotiate an alternate protocol failed.
The peer sent an SSL no_renegotiation alert message.
Winsock sometimes reports more data written than passed. This is probably
due to a broken LSP.
An SSL peer sent us a fatal decompression_failure alert. This typically
occurs when a peer selects DEFLATE compression in the mistaken belief that
it supports it.
An SSL peer sent us a fatal bad_record_mac alert. This has been observed
from servers with buggy DEFLATE support.
The proxy requested authentication (for tunnel establishment).
Could not create a connection to the proxy server. An error occurred
either in resolving its name, or in connecting a socket to it.
Note that this does NOT include failures during the actual "CONNECT" method
of an HTTP proxy.
A mandatory proxy configuration could not be used. Currently this means
that a mandatory PAC script could not be fetched, parsed or executed.
We've hit the max socket limit for the socket pool while preconnecting. We
don't bother trying to preconnect more sockets.
The permission to use the SSL client certificate's private key was denied.
The SSL client certificate has no private key.
The certificate presented by the HTTPS Proxy was invalid.
An error occurred when trying to do a name resolution (DNS).
Permission to access the network was denied. This is used to distinguish
errors that were most likely caused by a firewall from other access denied
errors. See also ERR_ACCESS_DENIED.
The request throttler module cancelled this request to avoid DDOS.
A request to create an SSL tunnel connection through the HTTPS proxy
received a 302 (temporary redirect) response. The response body might
include a description of why the request failed.
TODO(https://crbug.com/928551): This is deprecated and should not be used by
We were unable to sign the CertificateVerify data of an SSL client auth
handshake with the client certificate's private key.
Possible causes for this include the user implicitly or explicitly
denying access to the private key, the private key may not be valid for
signing, the key may be relying on a cached handle which is no longer
valid, or the CSP won't allow arbitrary data to be signed.
The message was too large for the transport. (for example a UDP message
which exceeds size threshold).
Websocket protocol error. Indicates that we are terminating the connection
due to a malformed frame or other protocol violation.
Returned when attempting to bind an address that is already in use.
An operation failed because the SSL handshake has not completed.
SSL peer's public key is invalid.
The certificate didn't match the built-in public key pins for the host name.
The pins are set in net/http/transport_security_state.cc and require that
one of a set of public keys exist on the path from the leaf to the root.
Server request for client certificate did not contain any types we support.
An SSL peer sent us a fatal decrypt_error alert. This typically occurs when
a peer could not correctly verify a signature (in CertificateVerify or
ServerKeyExchange) or validate a Finished message.
There are too many pending WebSocketJob instances, so the new job was not
pushed to the queue.
The SSL server certificate changed in a renegotiation.
The SSL server sent us a fatal unrecognized_name alert.
Failed to set the socket's receive buffer size as requested.
Failed to set the socket's send buffer size as requested.
Failed to set the socket's receive buffer size as requested, despite success
return code from setsockopt.
Failed to set the socket's send buffer size as requested, despite success
return code from setsockopt.
Failed to import a client certificate from the platform store into the SSL
Resolving a hostname to an IP address list included the IPv4 address
"127.0.53.53". This is a special IP address which ICANN has recommended to
indicate there was a name collision, and alert admins to a potential
The SSL server presented a certificate which could not be decoded. This is
not a certificate error code as no X509Certificate object is available. This
error is fatal.
Certificate Transparency: Received a signed tree head that failed to parse.
Certificate Transparency: Received a signed tree head whose JSON parsing was
OK but was missing some of the fields.
The attempt to reuse a connection to send proxy auth credentials failed
before the AuthController was used to generate credentials. The caller should
reuse the controller with a new connection. This error is only used
internally by the network stack.
Certificate Transparency: Failed to parse the received consistency proof.
The SSL server required an unsupported cipher suite that has since been
removed. This error will temporarily be signaled on a fallback for one or two
releases immediately following a cipher suite's removal, after which the
fallback will be removed.
When a WebSocket handshake is done successfully and the connection has been
upgraded, the URLRequest is cancelled with this error code.
Socket ReadIfReady support is not implemented. This error should not be user
visible, because the normal Read() method is used as a fallback.
No socket buffer space is available.
There were no common signature algorithms between our client certificate
private key and the server's preferences.
TLS 1.3 early data was rejected by the server. This will be received before
any data is returned from the socket. The request should be retried with
early data disabled.
TLS 1.3 early data was offered, but the server responded with TLS 1.2 or
earlier. This is an internal error code to account for a
backwards-compatibility issue with early data and TLS 1.2. It will be
received before any data is returned from the socket. The request should be
retried with early data disabled.
See https://tools.ietf.org/html/rfc8446#appendix-D.3 for details.
TLS 1.3 was enabled, but a lower version was negotiated and the server
returned a value indicating it supported TLS 1.3. This is part of a security
check in TLS 1.3, but it may also indicate the user is behind a buggy
TLS-terminating proxy which implemented TLS 1.2 incorrectly. (See
The server's certificate has a keyUsage extension incompatible with the
negotiated TLS key exchange method.
The server responded with a certificate whose common name did not match
the host name. This could mean:
1. An attacker has redirected our traffic to their server and is
presenting a certificate for which they know the private key.
2. The server is misconfigured and responding with the wrong cert.
3. The user is on a wireless network and is being redirected to the
network's login page.
4. The OS has used a DNS search suffix and the server doesn't have
a certificate for the abbreviated name in the address bar.
The server responded with a certificate that, by our clock, appears to
either not yet be valid or to have expired. This could mean:
1. An attacker is presenting an old certificate for which they have
managed to obtain the private key.
2. The server is misconfigured and is not presenting a valid cert.
3. Our clock is wrong.
The server responded with a certificate that is signed by an authority
we don't trust. The could mean:
1. An attacker has substituted the real certificate for a cert that
contains their public key and is signed by their cousin.
2. The server operator has a legitimate certificate from a CA we don't
know about, but should trust.
3. The server is presenting a self-signed certificate, providing no
defense against active attackers (but foiling passive attackers).
The server responded with a certificate that contains errors.
This error is not recoverable.
MSDN describes this error as follows:
"The SSL certificate contains errors."
NOTE: It's unclear how this differs from ERR_CERT_INVALID. For consistency,
use that code instead of this one from now on.
The certificate has no mechanism for determining if it is revoked. In
effect, this certificate cannot be revoked.
Revocation information for the security certificate for this site is not
available. This could mean:
1. An attacker has compromised the private key in the certificate and is
blocking our attempt to find out that the cert was revoked.
2. The certificate is unrevoked, but the revocation server is busy or
The server responded with a certificate has been revoked.
We have the capability to ignore this error, but it is probably not the
thing to do.
The server responded with a certificate that is invalid.
This error is not recoverable.
MSDN describes this error as follows:
"The SSL certificate is invalid."
The server responded with a certificate that is signed using a weak
The host name specified in the certificate is not unique.
The server responded with a certificate that contains a weak key (e.g.
a too-small RSA key).
The certificate claimed DNS names that are in violation of name constraints.
The certificate's validity period is too long.
Certificate Transparency was required for this connection, but the server
did not provide CT information that complied with the policy.
The certificate chained to a legacy Symantec root that is no longer trusted.
The certificate is known to be used for interception by an entity other
the device owner.
The connection uses an obsolete version of SSL/TLS.
The value immediately past the last certificate error code.
The URL is invalid.
The scheme of the URL is disallowed.
The scheme of the URL is unknown.
Attempting to load an URL resulted in a redirect to an invalid URL.
Attempting to load an URL resulted in too many redirects.
Attempting to load an URL resulted in an unsafe redirect (e.g., a redirect
to file:// is considered unsafe).
Attempting to load an URL with an unsafe port number. These are port
numbers that correspond to services, which are not robust to spurious input
that may be constructed as a result of an allowed web construct (e.g., HTTP
looks a lot like SMTP, so form submission to port 25 is denied).
The server's response was invalid.
Error in chunked transfer encoding.
The server did not support the request method.
The response was 407 (Proxy Authentication Required), yet we did not send
the request to a proxy.
The server closed the connection without sending any data.
The headers section of the response is too large.
The evaluation of the PAC script failed.
The response was 416 (Requested range not satisfiable) and the server cannot
satisfy the range requested.
The identity used for authentication is invalid.
Content decoding of the response body failed.
An operation could not be completed because all network IO
FLIP data received without receiving a SYN_REPLY on the stream.
Converting the response to target encoding failed.
The server sent an FTP directory listing in a format we do not understand.
There are no supported proxies in the provided list.
There is an HTTP/2 protocol error.
Credentials could not be established during HTTP Authentication.
An HTTP Authentication scheme was tried which is not supported on this
Detecting the encoding of the response failed.
(GSSAPI) No Kerberos credentials were available during HTTP Authentication.
An unexpected, but documented, SSPI or GSSAPI status code was returned.
The environment was not set up correctly for authentication (for
example, no KDC could be found or the principal is unknown.
An undocumented SSPI or GSSAPI status code was returned.
The HTTP response was too big to drain.
The HTTP response contained multiple distinct Content-Length headers.
HTTP/2 headers have been received, but not all of them - status or version
headers are missing, so we're expecting additional frames to complete them.
No PAC URL configuration could be retrieved from DHCP. This can indicate
either a failure to retrieve the DHCP configuration, or that there was no
PAC URL configured in DHCP.
The HTTP response contained multiple Content-Disposition headers.
The HTTP response contained multiple Location headers.
HTTP/2 server refused the request without processing, and sent either a
GOAWAY frame with error code NO_ERROR and Last-Stream-ID lower than the
stream id corresponding to the request indicating that this request has not
been processed yet, or a RST_STREAM frame with error code REFUSED_STREAM.
Client MAY retry (on a different connection). See RFC7540 Section 8.1.4.
HTTP/2 server didn't respond to the PING message.
The HTTP response body transferred fewer bytes than were advertised by the
Content-Length header when the connection is closed.
The HTTP response body is transferred with Chunked-Encoding, but the
terminating zero-length chunk was never sent when the connection is closed.
There is a QUIC protocol error.
The HTTP headers were truncated by an EOF.
The QUIC crytpo handshake failed. This means that the server was unable
to read any requests sent, so they may be resent.
Transport security is inadequate for the HTTP/2 version.
The peer violated HTTP/2 flow control.
The peer sent an improperly sized HTTP/2 frame.
Decoding or encoding of compressed HTTP/2 headers failed.
Proxy Auth Requested without a valid Client Socket Handle.
HTTP_1_1_REQUIRED error code received on HTTP/2 session.
HTTP_1_1_REQUIRED error code received on HTTP/2 session to proxy.
The PAC script terminated fatally and must be reloaded.
The server was expected to return an HTTP/1.x response, but did not. Rather
than treat it as HTTP/0.9, this error is returned.
Initializing content decoding failed.
Received HTTP/2 RST_STREAM frame with NO_ERROR error code. This error should
be handled internally by HTTP/2 code, and should not make it above the
The pushed stream claimed by the request is no longer available.
A pushed stream was claimed and later reset by the server. When this happens,
the request should be retried.
An HTTP transaction was retried too many times due for authentication or
invalid certificates. This may be due to a bug in the net stack that would
otherwise infinite loop, or if the server or proxy continually requests fresh
credentials or presents a fresh invalid certificate.
Received an HTTP/2 frame on a closed stream.
Client is refusing an HTTP/2 stream.
A pushed HTTP/2 stream was claimed by a request based on matching URL and
request headers, but the pushed response headers do not match the request.
The server returned a non-2xx HTTP response code.
Not that this error is only used by certain APIs that interpret the HTTP
response itself. URLRequest for instance just passes most non-2xx
response back as success.
The certificate presented on a QUIC connection does not chain to a known root
and the origin connected to is not on a list of domains where unknown roots
A GOAWAY frame has been received indicating that the request has not been
processed and is therefore safe to retry on a different connection.
The cache does not have the requested entry.
Unable to read from the disk cache.
Unable to write to the disk cache.
The operation is not supported for this entry.
The disk cache is unable to open this entry.
The disk cache is unable to create this entry.
Multiple transactions are racing to create disk cache entries. This is an
internal error returned from the HttpCache to the HttpCacheTransaction that
tells the transaction to restart the entry-creation logic because the state
of the cache has changed.
The cache was unable to read a checksum record on an entry. This can be
returned from attempts to read from the cache. It is an internal error,
returned by the SimpleCache backend, but not by any URLRequest methods
The cache found an entry with an invalid checksum. This can be returned from
attempts to read from the cache. It is an internal error, returned by the
SimpleCache backend, but not by any URLRequest methods or members.
Internal error code for the HTTP cache. The cache lock timeout has fired.
Received a challenge after the transaction has read some data, and the
credentials aren't available. There isn't a way to get them at that point.
Internal not-quite error code for the HTTP cache. In-memory hints suggest
that the cache entry would not have been useable with the transaction's
current configuration (e.g. load flags, mode, etc.)
The disk cache is unable to doom this entry.
The disk cache is unable to open or create this entry.
The server's response was insecure (e.g. there was a cert error).
An attempt to import a client certificate failed, as the user's key
database lacked a corresponding private key.
An error adding a certificate to the OS certificate database.
An error occurred while handling a signed exchange.
An error occurred while handling a Web Bundle source.
A Trust Tokens protocol operation-executing request failed for one of a
number of reasons (precondition failure, internal error, bad response).
When handling a Trust Tokens protocol operation-executing request, the system
was able to execute the request's Trust Tokens operation without sending the
request to its destination: for instance, the results could have been present
in a local cache (for redemption) or the operation could have been diverted
to a local provider (for "platform-provided" issuance).
A generic error for failed FTP control connection command.
If possible, please use or add a more specific error code.
The server cannot fulfill the request at this point. This is a temporary
FTP response code 421.
The server has aborted the transfer.
FTP response code 426.
The file is busy, or some other temporary error condition on opening
FTP response code 450.
Server rejected our command because of syntax errors.
FTP response codes 500, 501.
Server does not support the command we issued.
FTP response codes 502, 504.
Server rejected our command because we didn't issue the commands in right
FTP response code 503.
PKCS #12 import failed due to incorrect password.
PKCS #12 import failed due to other error.
CA import failed - not a CA cert.
Import failed - certificate already exists in database.
Note it's a little weird this is an error but reimporting a PKCS12 is ok
(no-op). That's how Mozilla does it, though.
CA import failed due to some other error.
Server certificate import failed due to some internal error.
PKCS #12 import failed due to invalid MAC.
PKCS #12 import failed due to invalid/corrupt file.
PKCS #12 import failed due to unsupported features.
Key generation failed.
Failure to export private key.
Self-signed certificate generation failed.
The certificate database changed in some way.
DNS resolver received a malformed response.
DNS server requires TCP
DNS server failed. This error is returned for all of the following
1 - Format error - The name server was unable to interpret the query.
2 - Server failure - The name server was unable to process this query
due to a problem with the name server.
4 - Not Implemented - The name server does not support the requested
kind of query.
5 - Refused - The name server refuses to perform the specified
operation for policy reasons.
DNS transaction timed out.
The entry was not found in cache or other local sources, for lookups where
only local sources were queried.
TODO(ericorth): Consider renaming to DNS_LOCAL_MISS or something like that as
the cache is not necessarily queried either.
Suffix search list rules prevent resolution of the given host name.
Failed to sort addresses according to RFC3484.
Failed to resolve the hostname of a DNS-over-HTTPS server.
DNS identified the request as disallowed for insecure connection (http/ws).
Error should be handled as if an HTTP redirect was received to redirect to
https or wss.