| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/ssl/ssl_policy.h" | |
| 6 | |
| 7 #include "base/base_switches.h" | |
| 8 #include "base/command_line.h" | |
| 9 #include "base/memory/singleton.h" | |
| 10 #include "base/string_piece.h" | |
| 11 #include "base/string_util.h" | |
| 12 #include "chrome/browser/ssl/ssl_cert_error_handler.h" | |
| 13 #include "chrome/browser/ssl/ssl_error_info.h" | |
| 14 #include "chrome/browser/ssl/ssl_request_info.h" | |
| 15 #include "chrome/common/jstemplate_builder.h" | |
| 16 #include "chrome/common/time_format.h" | |
| 17 #include "chrome/common/url_constants.h" | |
| 18 #include "content/browser/renderer_host/render_process_host.h" | |
| 19 #include "content/browser/renderer_host/render_view_host.h" | |
| 20 #include "content/browser/site_instance.h" | |
| 21 #include "content/browser/tab_contents/navigation_entry.h" | |
| 22 #include "content/browser/tab_contents/tab_contents.h" | |
| 23 #include "grit/generated_resources.h" | |
| 24 #include "net/base/cert_status_flags.h" | |
| 25 #include "net/base/ssl_info.h" | |
| 26 #include "webkit/glue/resource_type.h" | |
| 27 | |
| 28 namespace { | |
| 29 | |
| 30 static const char kDot = '.'; | |
| 31 | |
| 32 static bool IsIntranetHost(const std::string& host) { | |
| 33 const size_t dot = host.find(kDot); | |
| 34 return dot == std::string::npos || dot == host.length() - 1; | |
| 35 } | |
| 36 | |
| 37 } // namespace | |
| 38 | |
| 39 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend) | |
| 40 : backend_(backend) { | |
| 41 DCHECK(backend_); | |
| 42 } | |
| 43 | |
| 44 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) { | |
| 45 // First we check if we know the policy for this error. | |
| 46 net::CertPolicy::Judgment judgment = | |
| 47 backend_->QueryPolicy(handler->ssl_info().cert, | |
| 48 handler->request_url().host()); | |
| 49 | |
| 50 if (judgment == net::CertPolicy::ALLOWED) { | |
| 51 handler->ContinueRequest(); | |
| 52 return; | |
| 53 } | |
| 54 | |
| 55 // The judgment is either DENIED or UNKNOWN. | |
| 56 // For now we handle the DENIED as the UNKNOWN, which means a blocking | |
| 57 // page is shown to the user every time he comes back to the page. | |
| 58 | |
| 59 switch (handler->cert_error()) { | |
| 60 case net::ERR_CERT_COMMON_NAME_INVALID: | |
| 61 case net::ERR_CERT_DATE_INVALID: | |
| 62 case net::ERR_CERT_AUTHORITY_INVALID: | |
| 63 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: | |
| 64 OnCertErrorInternal(handler, SSLBlockingPage::ERROR_OVERRIDABLE); | |
| 65 break; | |
| 66 case net::ERR_CERT_NO_REVOCATION_MECHANISM: | |
| 67 // Ignore this error. | |
| 68 handler->ContinueRequest(); | |
| 69 break; | |
| 70 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION: | |
| 71 // We ignore this error but will show a warning status in the location | |
| 72 // bar. | |
| 73 handler->ContinueRequest(); | |
| 74 break; | |
| 75 case net::ERR_CERT_CONTAINS_ERRORS: | |
| 76 case net::ERR_CERT_REVOKED: | |
| 77 case net::ERR_CERT_INVALID: | |
| 78 case net::ERR_CERT_NOT_IN_DNS: | |
| 79 OnCertErrorInternal(handler, SSLBlockingPage::ERROR_FATAL); | |
| 80 break; | |
| 81 default: | |
| 82 NOTREACHED(); | |
| 83 handler->CancelRequest(); | |
| 84 break; | |
| 85 } | |
| 86 } | |
| 87 | |
| 88 void SSLPolicy::DidRunInsecureContent(NavigationEntry* entry, | |
| 89 const std::string& security_origin) { | |
| 90 if (!entry) | |
| 91 return; | |
| 92 | |
| 93 SiteInstance* site_instance = entry->site_instance(); | |
| 94 if (!site_instance) | |
| 95 return; | |
| 96 | |
| 97 backend_->HostRanInsecureContent(GURL(security_origin).host(), | |
| 98 site_instance->GetProcess()->id()); | |
| 99 } | |
| 100 | |
| 101 void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) { | |
| 102 // TODO(abarth): This mechanism is wrong. What we should be doing is sending | |
| 103 // this information back through WebKit and out some FrameLoaderClient | |
| 104 // methods. | |
| 105 | |
| 106 if (net::IsCertStatusError(info->ssl_cert_status())) | |
| 107 backend_->HostRanInsecureContent(info->url().host(), info->child_id()); | |
| 108 } | |
| 109 | |
| 110 void SSLPolicy::UpdateEntry(NavigationEntry* entry, TabContents* tab_contents) { | |
| 111 DCHECK(entry); | |
| 112 | |
| 113 InitializeEntryIfNeeded(entry); | |
| 114 | |
| 115 if (!entry->url().SchemeIsSecure()) | |
| 116 return; | |
| 117 | |
| 118 // An HTTPS response may not have a certificate for some reason. When that | |
| 119 // happens, use the unauthenticated (HTTP) rather than the authentication | |
| 120 // broken security style so that we can detect this error condition. | |
| 121 if (!entry->ssl().cert_id()) { | |
| 122 entry->ssl().set_security_style(SECURITY_STYLE_UNAUTHENTICATED); | |
| 123 return; | |
| 124 } | |
| 125 | |
| 126 if (!(entry->ssl().cert_status() & net::CERT_STATUS_COMMON_NAME_INVALID)) { | |
| 127 // CAs issue certificates for intranet hosts to everyone. Therefore, we | |
| 128 // mark intranet hosts as being non-unique. | |
| 129 if (IsIntranetHost(entry->url().host())) { | |
| 130 entry->ssl().set_cert_status(entry->ssl().cert_status() | | |
| 131 net::CERT_STATUS_NON_UNIQUE_NAME); | |
| 132 } | |
| 133 } | |
| 134 | |
| 135 // If CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is the only certificate error, | |
| 136 // don't lower the security style to SECURITY_STYLE_AUTHENTICATION_BROKEN. | |
| 137 int cert_errors = entry->ssl().cert_status() & net::CERT_STATUS_ALL_ERRORS; | |
| 138 if (cert_errors) { | |
| 139 if (cert_errors != net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION) | |
| 140 entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN); | |
| 141 return; | |
| 142 } | |
| 143 | |
| 144 SiteInstance* site_instance = entry->site_instance(); | |
| 145 // Note that |site_instance| can be NULL here because NavigationEntries don't | |
| 146 // necessarily have site instances. Without a process, the entry can't | |
| 147 // possibly have insecure content. See bug http://crbug.com/12423. | |
| 148 if (site_instance && | |
| 149 backend_->DidHostRunInsecureContent(entry->url().host(), | |
| 150 site_instance->GetProcess()->id())) { | |
| 151 entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN); | |
| 152 entry->ssl().set_ran_insecure_content(); | |
| 153 return; | |
| 154 } | |
| 155 | |
| 156 if (tab_contents->displayed_insecure_content()) | |
| 157 entry->ssl().set_displayed_insecure_content(); | |
| 158 } | |
| 159 | |
| 160 //////////////////////////////////////////////////////////////////////////////// | |
| 161 // SSLBlockingPage::Delegate methods | |
| 162 | |
| 163 SSLErrorInfo SSLPolicy::GetSSLErrorInfo(SSLCertErrorHandler* handler) { | |
| 164 return SSLErrorInfo::CreateError( | |
| 165 SSLErrorInfo::NetErrorToErrorType(handler->cert_error()), | |
| 166 handler->ssl_info().cert, handler->request_url()); | |
| 167 } | |
| 168 | |
| 169 void SSLPolicy::OnDenyCertificate(SSLCertErrorHandler* handler) { | |
| 170 // Default behavior for rejecting a certificate. | |
| 171 // | |
| 172 // While DenyCertForHost() executes synchronously on this thread, | |
| 173 // CancelRequest() gets posted to a different thread. Calling | |
| 174 // DenyCertForHost() first ensures deterministic ordering. | |
| 175 backend_->DenyCertForHost(handler->ssl_info().cert, | |
| 176 handler->request_url().host()); | |
| 177 handler->CancelRequest(); | |
| 178 } | |
| 179 | |
| 180 void SSLPolicy::OnAllowCertificate(SSLCertErrorHandler* handler) { | |
| 181 // Default behavior for accepting a certificate. | |
| 182 // Note that we should not call SetMaxSecurityStyle here, because the active | |
| 183 // NavigationEntry has just been deleted (in HideInterstitialPage) and the | |
| 184 // new NavigationEntry will not be set until DidNavigate. This is ok, | |
| 185 // because the new NavigationEntry will have its max security style set | |
| 186 // within DidNavigate. | |
| 187 // | |
| 188 // While AllowCertForHost() executes synchronously on this thread, | |
| 189 // ContinueRequest() gets posted to a different thread. Calling | |
| 190 // AllowCertForHost() first ensures deterministic ordering. | |
| 191 backend_->AllowCertForHost(handler->ssl_info().cert, | |
| 192 handler->request_url().host()); | |
| 193 handler->ContinueRequest(); | |
| 194 } | |
| 195 | |
| 196 //////////////////////////////////////////////////////////////////////////////// | |
| 197 // Certificate Error Routines | |
| 198 | |
| 199 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler, | |
| 200 SSLBlockingPage::ErrorLevel error_level) { | |
| 201 if (handler->resource_type() != ResourceType::MAIN_FRAME) { | |
| 202 // A sub-resource has a certificate error. The user doesn't really | |
| 203 // have a context for making the right decision, so block the | |
| 204 // request hard, without an info bar to allow showing the insecure | |
| 205 // content. | |
| 206 handler->DenyRequest(); | |
| 207 return; | |
| 208 } | |
| 209 SSLBlockingPage* blocking_page = new SSLBlockingPage(handler, this, | |
| 210 error_level); | |
| 211 blocking_page->Show(); | |
| 212 } | |
| 213 | |
| 214 void SSLPolicy::InitializeEntryIfNeeded(NavigationEntry* entry) { | |
| 215 if (entry->ssl().security_style() != SECURITY_STYLE_UNKNOWN) | |
| 216 return; | |
| 217 | |
| 218 entry->ssl().set_security_style(entry->url().SchemeIsSecure() ? | |
| 219 SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED); | |
| 220 } | |
| 221 | |
| 222 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) { | |
| 223 GURL parsed_origin(origin); | |
| 224 if (parsed_origin.SchemeIsSecure()) | |
| 225 backend_->HostRanInsecureContent(parsed_origin.host(), pid); | |
| 226 } | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7111013:
Move most of the core SSL code from chrome to content. The UI code that's specific to Chrome (i.... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/