SSLPolicy fix: Step 9.

chrome/browser/ssl/ssl_manager.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/ssl_manager.h"
 
 #include "base/message_loop.h"
 #include "base/string_util.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/load_from_memory_cache_details.h"
@@ skipping 188 matching lines @@
 // Delegate API method.
 bool SSLManager::DidMarkHostAsBroken(const std::string& host) const {
   return ssl_host_state_->DidMarkHostAsBroken(host);
 }
 
 // Delegate API method.
 void SSLManager::DenyCertForHost(net::X509Certificate* cert,
                                  const std::string& host) {
   // Remember that we don't like this cert for this host.
   ssl_host_state_->DenyCertForHost(cert, host);
-  DispatchSSLInternalStateChanged();
 }
 
 // Delegate API method.
 void SSLManager::AllowCertForHost(net::X509Certificate* cert,
                                   const std::string& host) {
   ssl_host_state_->AllowCertForHost(cert, host);
-  DispatchSSLInternalStateChanged();
 }
 
 // Delegate API method.
 net::X509Certificate::Policy::Judgment SSLManager::QueryPolicy(
     net::X509Certificate* cert, const std::string& host) {
   return ssl_host_state_->QueryPolicy(cert, host);
 }
 
 // Delegate API method.
 void SSLManager::AllowMixedContentForHost(const std::string& host) {
   ssl_host_state_->AllowMixedContentForHost(host);
-  DispatchSSLInternalStateChanged();
 }
 
 // Delegate API method.
 bool SSLManager::DidAllowMixedContentForHost(const std::string& host) const {
   return ssl_host_state_->DidAllowMixedContentForHost(host);
 }
 
 bool SSLManager::ProcessedSSLErrorFromRequest() const {
   NavigationEntry* entry = controller_->GetActiveEntry();
   if (!entry) {
@@ skipping 260 matching lines @@
                                     URLRequest* request,
                                     MessageLoop* ui_loop) {
   ResourceDispatcherHost::ExtraRequestInfo* info =
       ResourceDispatcherHost::ExtraInfoForRequest(request);
   DCHECK(info);
 
   // We cheat here and talk to the SSLPolicy on the IO thread because we need
   // to respond synchronously to avoid delaying all network requests...
   if (!SSLPolicy::IsMixedContent(request->url(),
                                  info->resource_type,
-                                 info->main_frame_origin))
+                                 info->filter_policy,
+                                 info->frame_origin))
     return true;
 
 
   ui_loop->PostTask(FROM_HERE,
       NewRunnableMethod(new MixedContentHandler(rdh, request,
                                                 info->resource_type,
                                                 info->frame_origin,
                                                 info->main_frame_origin,
                                                 ui_loop),
                         &MixedContentHandler::Dispatch));
@@ skipping 46 matching lines @@
       NotificationService::NoDetails());
 }
 
 void SSLManager::DispatchSSLVisibleStateChanged() {
   NotificationService::current()->Notify(
       NotificationType::SSL_VISIBLE_STATE_CHANGED,
       Source<NavigationController>(controller_),
       NotificationService::NoDetails());
 }
 
-void SSLManager::InitializeEntryIfNeeded(NavigationEntry* entry) {
-  DCHECK(entry);
+void SSLManager::UpdateEntry(NavigationEntry* entry) {
+  // We don't always have a navigation entry to update, for example in the
+  // case of the Web Inspector.
+  if (!entry)
+    return;
 
-  // If the security style of the entry is SECURITY_STYLE_UNKNOWN, then it is a
-  // fresh entry and should get the default style.
-  if (entry->ssl().security_style() == SECURITY_STYLE_UNKNOWN) {
-    entry->ssl().set_security_style(
-        delegate()->GetDefaultStyle(entry->url()));
-  }
-}
+  NavigationEntry::SSLStatus original_ssl_status = entry->ssl();  // Copy!
 
-void SSLManager::NavigationStateChanged() {
-  NavigationEntry* active_entry = controller_->GetActiveEntry();
-  if (!active_entry)
-    return;  // Nothing showing yet.
+  delegate()->UpdateEntry(this, entry);
 
-  // This might be a new entry we've never seen before.
-  InitializeEntryIfNeeded(active_entry);
+  if (!entry->ssl().Equals(original_ssl_status))
+    DispatchSSLVisibleStateChanged();
 }
 
 void SSLManager::DidLoadFromMemoryCache(LoadFromMemoryCacheDetails* details) {
   DCHECK(details);
 
   // Simulate loading this resource through the usual path.
   // Note that we specify SUB_RESOURCE as the resource type as WebCore only
   // caches sub-resources.
+  // This resource must have been loaded with FilterPolicy::DONT_FILTER because
+  // filtered resouces aren't cachable.
   scoped_refptr<RequestInfo> info = new RequestInfo(
       this,
       details->url(),
       ResourceType::SUB_RESOURCE,
       details->frame_origin(),
       details->main_frame_origin(),
+      FilterPolicy::DONT_FILTER,
       details->ssl_cert_id(),
       details->ssl_cert_status());
 
   // Simulate loading this resource through the usual path.
   delegate()->OnRequestStarted(info.get());
 }
 
 void SSLManager::DidCommitProvisionalLoad(
     const NotificationDetails& in_details) {
   NavigationController::LoadCommittedDetails* details =
       Details<NavigationController::LoadCommittedDetails>(in_details).ptr();
 
   // Ignore in-page navigations, they should not change the security style or
   // the info-bars.
   if (details->is_in_page)
     return;
 
-  // Decode the security details.
-  int ssl_cert_id, ssl_cert_status, ssl_security_bits;
-  DeserializeSecurityInfo(details->serialized_security_info,
-                          &ssl_cert_id, &ssl_cert_status, &ssl_security_bits);
+  NavigationEntry* entry = controller_->GetActiveEntry();
 
-  bool changed = false;
   if (details->is_main_frame) {
-    // Update the SSL states of the pending entry.
-    NavigationEntry* entry = controller_->GetActiveEntry();
     if (entry) {
+      // Decode the security details.
+      int ssl_cert_id, ssl_cert_status, ssl_security_bits;
+      DeserializeSecurityInfo(details->serialized_security_info,
+                              &ssl_cert_id,
+                              &ssl_cert_status,
+                              &ssl_security_bits);
+
       // We may not have an entry if this is a navigation to an initial blank
       // page. Reset the SSL information and add the new data we have.
       entry->ssl() = NavigationEntry::SSLStatus();
-      InitializeEntryIfNeeded(entry);  // For security_style.
       entry->ssl().set_cert_id(ssl_cert_id);
       entry->ssl().set_cert_status(ssl_cert_status);
       entry->ssl().set_security_bits(ssl_security_bits);
-      changed = true;
     }
-
     ShowPendingMessages();
   }
 
-  // An HTTPS response may not have a certificate for some reason.  When that
-  // happens, use the unauthenticated (HTTP) rather than the authentication
-  // broken security style so that we can detect this error condition.
-  if (net::IsCertStatusError(ssl_cert_status) &&
-      !details->is_content_filtered) {
-    changed |= SetMaxSecurityStyle(SECURITY_STYLE_AUTHENTICATION_BROKEN);
-    if (!details->is_main_frame &&
-        !details->entry->ssl().has_unsafe_content()) {
-      details->entry->ssl().set_has_unsafe_content();
-      changed = true;
-    }
-  } else if (details->entry->url().SchemeIsSecure() && !ssl_cert_id) {
-    if (details->is_main_frame) {
-      changed |= SetMaxSecurityStyle(SECURITY_STYLE_UNAUTHENTICATED);
-    } else {
-      // If the frame has been blocked we keep our security style as
-      // authenticated in that case as nothing insecure is actually showing or
-      // loaded.
-      if (!details->is_content_filtered &&
-          !details->entry->ssl().has_mixed_content()) {
-        details->entry->ssl().set_has_mixed_content();
-        changed = true;
-      }
-    }
-  }
-
-  if (changed) {
-    // Only send the notification when something actually changed.
-    NotificationService::current()->Notify(
-        NotificationType::SSL_VISIBLE_STATE_CHANGED,
-        Source<NavigationController>(controller_),
-        NotificationService::NoDetails());
-  }
+  UpdateEntry(entry);
 }
 
 void SSLManager::DidFailProvisionalLoadWithError(
     ProvisionalLoadDetails* details) {
   DCHECK(details);
 
   // Ignore in-page navigations.
   if (details->in_page_navigation())
     return;
 
   if (details->main_frame())
     ClearPendingMessages();
 }
 
 void SSLManager::DidStartResourceResponse(ResourceRequestDetails* details) {
   DCHECK(details);
 
   scoped_refptr<RequestInfo> info = new RequestInfo(
       this,
       details->url(),
       details->resource_type(),
       details->frame_origin(),
       details->main_frame_origin(),
+      details->filter_policy(),
       details->ssl_cert_id(),
       details->ssl_cert_status());
 
   // Notify our delegate that we started a resource request.  Ideally, the
   // delegate should have the ability to cancel the request, but we can't do
   // that yet.
   delegate()->OnRequestStarted(info.get());
 }
 
 void SSLManager::DidReceiveResourceRedirect(ResourceRedirectDetails* details) {
   // TODO(abarth): Make sure our redirect behavior is correct.  If we ever see
   //               a non-HTTPS resource in the redirect chain, we want to
   //               trigger mixed content, even if the redirect chain goes back
   //               to HTTPS.  This is because the network attacker can redirect
   //               the HTTP request to https://attacker.com/payload.js.
 }
 
 void SSLManager::ShowPendingMessages() {
   std::vector<SSLMessageInfo>::const_iterator iter;
   for (iter = pending_messages_.begin();
        iter != pending_messages_.end(); ++iter) {
     ShowMessageWithLink(iter->message, iter->link_text, iter->action);
   }
   ClearPendingMessages();
 }
 
 void SSLManager::DidChangeSSLInternalState() {
-  // TODO(abarth): We'll need to do something here in the next step.
+  UpdateEntry(controller_->GetActiveEntry());
 }
 
 void SSLManager::ClearPendingMessages() {
   pending_messages_.clear();
 }
 
 // static
 std::string SSLManager::SerializeSecurityInfo(int cert_id,
                                               int cert_status,
                                               int security_bits) {
@@ skipping 46 matching lines @@
   }
 
   if (ca_name) {
     // TODO(wtc): should we show the root CA's name instead?
     *ca_name = l10n_util::GetStringF(
         IDS_SECURE_CONNECTION_EV_CA,
         UTF8ToWide(cert.issuer().organization_names[0]));
   }
   return true;
 }