Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2150)

Unified Diff: chrome/browser/ssl/ssl_policy.cc

Issue 48060: SSLPolicy Fix: Step 7.... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 11 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/browser/ssl/ssl_policy.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/ssl/ssl_policy.cc
===================================================================
--- chrome/browser/ssl/ssl_policy.cc (revision 11853)
+++ chrome/browser/ssl/ssl_policy.cc (working copy)
@@ -38,8 +38,6 @@
// Wrap all these helper classes in an anonymous namespace.
namespace {
-static const char kDot = '.';
-
class ShowUnsafeContentTask : public Task {
public:
ShowUnsafeContentTask(const GURL& main_frame_url,
@@ -116,263 +114,110 @@
blocking_page->Show();
}
-#if 0
-// See TODO(jcampan) below.
-static bool IsIntranetHost(const std::string& host) {
- const size_t dot = host.find(kDot);
- return dot == std::string::npos || dot == host.length() - 1;
+} // namespace
+
+SSLPolicy::SSLPolicy() {
}
-#endif
-class CommonNameInvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<CommonNameInvalidPolicy>::get();
- }
+SSLPolicy* SSLPolicy::GetDefaultPolicy() {
+ return Singleton<SSLPolicy>::get();
+}
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnOverridableCertError(main_frame_url, error);
- }
-};
+void SSLPolicy::OnCertError(const GURL& main_frame_url,
+ SSLManager::CertError* error) {
+ // First we check if we know the policy for this error.
+ net::X509Certificate::Policy::Judgment judgment =
+ error->manager()->QueryPolicy(error->ssl_info().cert,
+ error->request_url().host());
-class DateInvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<DateInvalidPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnOverridableCertError(main_frame_url, error);
- }
-};
-
-class AuthorityInvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<AuthorityInvalidPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnOverridableCertError(main_frame_url, error);
- }
-};
-
-class ContainsErrorsPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<ContainsErrorsPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnFatalCertError(main_frame_url, error);
- }
-};
-
-class NoRevocationMechanismPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<NoRevocationMechanismPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- // Silently ignore this error.
+ if (judgment == net::X509Certificate::Policy::ALLOWED) {
+ // We've been told to allow this certificate.
+ if (error->manager()->SetMaxSecurityStyle(
+ SECURITY_STYLE_AUTHENTICATION_BROKEN)) {
+ NotificationService::current()->Notify(
+ NotificationType::SSL_VISIBLE_STATE_CHANGED,
+ Source<NavigationController>(error->manager()->controller()),
+ Details<NavigationEntry>(
+ error->manager()->controller()->GetActiveEntry()));
+ }
error->ContinueRequest();
+ return;
}
-};
-class UnableToCheckRevocationPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<UnableToCheckRevocationPolicy>::get();
- }
+ // The judgment is either DENIED or UNKNOWN.
+ // For now we handle the DENIED as the UNKNOWN, which means a blocking
+ // page is shown to the user every time he comes back to the page.
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- // We ignore this error and display an info-bar.
- error->ContinueRequest();
- error->manager()->ShowMessage(l10n_util::GetString(
- IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_INFO_BAR));
- }
-};
-
-class RevokedPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<RevokedPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnFatalCertError(main_frame_url, error);
- }
-};
-
-class InvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<InvalidPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnFatalCertError(main_frame_url, error);
- }
-};
-
-class DefaultPolicy : public SSLPolicy {
- public:
- DefaultPolicy() {
- // Load our helper classes to handle various cert errors.
- DCHECK(SubPolicyIndex(net::ERR_CERT_COMMON_NAME_INVALID) == 0);
- sub_policies_[0] = CommonNameInvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_DATE_INVALID) == 1);
- sub_policies_[1] = DateInvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_AUTHORITY_INVALID) == 2);
- sub_policies_[2] = AuthorityInvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_CONTAINS_ERRORS) == 3);
- sub_policies_[3] = ContainsErrorsPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_NO_REVOCATION_MECHANISM) == 4);
- sub_policies_[4] = NoRevocationMechanismPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION) == 5);
- sub_policies_[5] = UnableToCheckRevocationPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_REVOKED) == 6);
- sub_policies_[6] = RevokedPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_INVALID) == 7);
- sub_policies_[7] = InvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_END) == 8);
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- size_t index = SubPolicyIndex(error->cert_error());
- if (index < 0 || index >= arraysize(sub_policies_)) {
+ switch(error->cert_error()) {
+ case net::ERR_CERT_COMMON_NAME_INVALID:
+ case net::ERR_CERT_DATE_INVALID:
+ case net::ERR_CERT_AUTHORITY_INVALID:
+ OnOverridableCertError(main_frame_url, error);
+ break;
+ case net::ERR_CERT_NO_REVOCATION_MECHANISM:
+ // Ignore this error.
+ error->ContinueRequest();
+ break;
+ case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
+ // We ignore this error and display an infobar.
+ error->ContinueRequest();
+ error->manager()->ShowMessage(l10n_util::GetString(
+ IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_INFO_BAR));
+ break;
+ case net::ERR_CERT_CONTAINS_ERRORS:
+ case net::ERR_CERT_REVOKED:
+ case net::ERR_CERT_INVALID:
+ OnFatalCertError(main_frame_url, error);
+ break;
+ default:
NOTREACHED();
error->CancelRequest();
- return;
- }
-
- // First we check if we know the policy for this error.
- net::X509Certificate::Policy::Judgment judgment =
- error->manager()->QueryPolicy(error->ssl_info().cert,
- error->request_url().host());
-
- switch (judgment) {
- case net::X509Certificate::Policy::ALLOWED:
- // We've been told to allow this certificate.
- if (error->manager()->SetMaxSecurityStyle(
- SECURITY_STYLE_AUTHENTICATION_BROKEN)) {
- NotificationService::current()->Notify(
- NotificationType::SSL_VISIBLE_STATE_CHANGED,
- Source<NavigationController>(error->manager()->controller()),
- Details<NavigationEntry>(
- error->manager()->controller()->GetActiveEntry()));
- }
- error->ContinueRequest();
- break;
- case net::X509Certificate::Policy::DENIED:
- // For now we handle the DENIED as the UNKNOWN, which means a blocking
- // page is shown to the user every time he comes back to the page.
- case net::X509Certificate::Policy::UNKNOWN:
- // We don't know how to handle this error. Ask our sub-policies.
- sub_policies_[index]->OnCertError(main_frame_url, error);
- break;
- default:
- NOTREACHED();
- }
+ break;
}
+}
- void OnMixedContent(NavigationController* navigation_controller,
- const GURL& main_frame_url,
- SSLManager::MixedContentHandler* mixed_content_handler) {
- PrefService* prefs = navigation_controller->profile()->GetPrefs();
- FilterPolicy::Type filter_policy = FilterPolicy::DONT_FILTER;
- if (!mixed_content_handler->manager()->
- CanShowInsecureContent(main_frame_url)) {
- filter_policy = FilterPolicy::FromInt(
- prefs->GetInteger(prefs::kMixedContentFiltering));
- }
- if (filter_policy != FilterPolicy::DONT_FILTER) {
- mixed_content_handler->manager()->ShowMessageWithLink(
- l10n_util::GetString(IDS_SSL_INFO_BAR_FILTERED_CONTENT),
- l10n_util::GetString(IDS_SSL_INFO_BAR_SHOW_CONTENT),
- new ShowUnsafeContentTask(main_frame_url, mixed_content_handler));
- }
- mixed_content_handler->StartRequest(filter_policy);
-
- NavigationEntry* entry = navigation_controller->GetLastCommittedEntry();
- DCHECK(entry);
- // Even though we are loading the mixed-content resource, it will not be
- // included in the page when we set the policy to FILTER_ALL or
- // FILTER_ALL_EXCEPT_IMAGES (only images and they are stamped with warning
- // icons), so we don't set the mixed-content mode in these cases.
- if (filter_policy == FilterPolicy::DONT_FILTER)
- entry->ssl().set_has_mixed_content();
-
- // Print a message indicating the mixed-contents resource in the console.
- const std::wstring& msg = l10n_util::GetStringF(
- IDS_MIXED_CONTENT_LOG_MESSAGE,
- UTF8ToWide(entry->url().spec()),
- UTF8ToWide(mixed_content_handler->request_url().spec()));
- mixed_content_handler->manager()->
- AddMessageToConsole(msg, MESSAGE_LEVEL_WARNING);
-
- NotificationService::current()->Notify(
- NotificationType::SSL_VISIBLE_STATE_CHANGED,
- Source<NavigationController>(navigation_controller),
- Details<NavigationEntry>(entry));
+void SSLPolicy::OnMixedContent(
+ NavigationController* navigation_controller,
+ const GURL& main_frame_url,
+ SSLManager::MixedContentHandler* mixed_content_handler) {
+ PrefService* prefs = navigation_controller->profile()->GetPrefs();
+ FilterPolicy::Type filter_policy = FilterPolicy::DONT_FILTER;
+ if (!mixed_content_handler->manager()->
+ CanShowInsecureContent(main_frame_url)) {
+ filter_policy = FilterPolicy::FromInt(
+ prefs->GetInteger(prefs::kMixedContentFiltering));
}
-
- void OnDenyCertificate(SSLManager::CertError* error) {
- size_t index = SubPolicyIndex(error->cert_error());
- if (index < 0 || index >= arraysize(sub_policies_)) {
- NOTREACHED();
- return;
- }
- sub_policies_[index]->OnDenyCertificate(error);
+ if (filter_policy != FilterPolicy::DONT_FILTER) {
+ mixed_content_handler->manager()->ShowMessageWithLink(
+ l10n_util::GetString(IDS_SSL_INFO_BAR_FILTERED_CONTENT),
+ l10n_util::GetString(IDS_SSL_INFO_BAR_SHOW_CONTENT),
+ new ShowUnsafeContentTask(main_frame_url, mixed_content_handler));
}
+ mixed_content_handler->StartRequest(filter_policy);
- void OnAllowCertificate(SSLManager::CertError* error) {
- size_t index = SubPolicyIndex(error->cert_error());
- if (index < 0 || index >= arraysize(sub_policies_)) {
- NOTREACHED();
- return;
- }
- sub_policies_[index]->OnAllowCertificate(error);
- }
+ NavigationEntry* entry = navigation_controller->GetLastCommittedEntry();
+ DCHECK(entry);
+ // Even though we are loading the mixed-content resource, it will not be
+ // included in the page when we set the policy to FILTER_ALL or
+ // FILTER_ALL_EXCEPT_IMAGES (only images and they are stamped with warning
+ // icons), so we don't set the mixed-content mode in these cases.
+ if (filter_policy == FilterPolicy::DONT_FILTER)
+ entry->ssl().set_has_mixed_content();
- private:
- // Returns the index of the sub-policy for |cert_error| in the
- // sub_policies_ array.
- int SubPolicyIndex(int cert_error) {
- // Certificate errors are negative integers from net::ERR_CERT_BEGIN
- // (inclusive) to net::ERR_CERT_END (exclusive) in *decreasing* order.
- return net::ERR_CERT_BEGIN - cert_error;
- }
- SSLPolicy* sub_policies_[net::ERR_CERT_BEGIN - net::ERR_CERT_END];
-};
+ // Print a message indicating the mixed-contents resource in the console.
+ const std::wstring& msg = l10n_util::GetStringF(
+ IDS_MIXED_CONTENT_LOG_MESSAGE,
+ UTF8ToWide(entry->url().spec()),
+ UTF8ToWide(mixed_content_handler->request_url().spec()));
+ mixed_content_handler->manager()->
+ AddMessageToConsole(msg, MESSAGE_LEVEL_WARNING);
-} // namespace
-
-SSLPolicy* SSLPolicy::GetDefaultPolicy() {
- // Lazily initialize our default policy instance.
- static SSLPolicy* default_policy = new DefaultPolicy();
- return default_policy;
+ NotificationService::current()->Notify(
+ NotificationType::SSL_VISIBLE_STATE_CHANGED,
+ Source<NavigationController>(navigation_controller),
+ Details<NavigationEntry>(entry));
}
-SSLPolicy::SSLPolicy() {
-}
-
-void SSLPolicy::OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- // Default to secure behavior.
- error->CancelRequest();
-}
-
void SSLPolicy::OnRequestStarted(SSLManager* manager, const GURL& url,
ResourceType::Type resource_type,
int ssl_cert_id, int ssl_cert_status) {
« no previous file with comments | « chrome/browser/ssl/ssl_policy.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698