Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/bind.h" | 5 #include "base/bind.h" |
| 6 #include "base/bind_helpers.h" | 6 #include "base/bind_helpers.h" |
| 7 #include "base/callback.h" | 7 #include "base/callback.h" |
| 8 #include "base/command_line.h" | 8 #include "base/command_line.h" |
| 9 #include "base/prefs/pref_service.h" | 9 #include "base/prefs/pref_service.h" |
| 10 #include "base/strings/string_util.h" | 10 #include "base/strings/string_util.h" |
| 11 #include "base/strings/stringprintf.h" | 11 #include "base/strings/stringprintf.h" |
| 12 #include "base/strings/utf_string_conversions.h" | 12 #include "base/strings/utf_string_conversions.h" |
| 13 #include "base/time/time.h" | 13 #include "base/time/time.h" |
| 14 #include "chrome/app/chrome_command_ids.h" | 14 #include "chrome/app/chrome_command_ids.h" |
| 15 #include "chrome/browser/browser_process.h" | 15 #include "chrome/browser/browser_process.h" |
| 16 #include "chrome/browser/chrome_notification_types.h" | 16 #include "chrome/browser/chrome_notification_types.h" |
| 17 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h" | 17 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h" |
| 18 #include "chrome/browser/net/certificate_error_reporter.h" | 18 #include "chrome/browser/net/certificate_error_reporter.h" |
| 19 #include "chrome/browser/profiles/profile.h" | 19 #include "chrome/browser/profiles/profile.h" |
| 20 #include "chrome/browser/safe_browsing/ping_manager.h" | 20 #include "chrome/browser/safe_browsing/ping_manager.h" |
| 21 #include "chrome/browser/safe_browsing/safe_browsing_service.h" | 21 #include "chrome/browser/safe_browsing/safe_browsing_service.h" |
| 22 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h" | |
| 22 #include "chrome/browser/ssl/ssl_blocking_page.h" | 23 #include "chrome/browser/ssl/ssl_blocking_page.h" |
| 23 #include "chrome/browser/ui/browser.h" | 24 #include "chrome/browser/ui/browser.h" |
| 24 #include "chrome/browser/ui/browser_commands.h" | 25 #include "chrome/browser/ui/browser_commands.h" |
| 25 #include "chrome/browser/ui/browser_navigator.h" | 26 #include "chrome/browser/ui/browser_navigator.h" |
| 26 #include "chrome/browser/ui/browser_tabstrip.h" | 27 #include "chrome/browser/ui/browser_tabstrip.h" |
| 27 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 28 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
| 28 #include "chrome/common/chrome_paths.h" | 29 #include "chrome/common/chrome_paths.h" |
| 29 #include "chrome/common/chrome_switches.h" | 30 #include "chrome/common/chrome_switches.h" |
| 30 #include "chrome/common/pref_names.h" | 31 #include "chrome/common/pref_names.h" |
| 31 #include "chrome/test/base/in_process_browser_test.h" | 32 #include "chrome/test/base/in_process_browser_test.h" |
| 32 #include "chrome/test/base/ui_test_utils.h" | 33 #include "chrome/test/base/ui_test_utils.h" |
| 33 #include "components/content_settings/core/browser/host_content_settings_map.h" | 34 #include "components/content_settings/core/browser/host_content_settings_map.h" |
| 34 #include "components/web_modal/web_contents_modal_dialog_manager.h" | 35 #include "components/web_modal/web_contents_modal_dialog_manager.h" |
| 35 #include "content/public/browser/browser_context.h" | 36 #include "content/public/browser/browser_context.h" |
| 36 #include "content/public/browser/interstitial_page.h" | 37 #include "content/public/browser/interstitial_page.h" |
| 37 #include "content/public/browser/navigation_controller.h" | 38 #include "content/public/browser/navigation_controller.h" |
| 38 #include "content/public/browser/navigation_entry.h" | 39 #include "content/public/browser/navigation_entry.h" |
| 39 #include "content/public/browser/notification_service.h" | 40 #include "content/public/browser/notification_service.h" |
| 40 #include "content/public/browser/render_frame_host.h" | 41 #include "content/public/browser/render_frame_host.h" |
| 42 #include "content/public/browser/render_process_host.h" | |
| 41 #include "content/public/browser/render_view_host.h" | 43 #include "content/public/browser/render_view_host.h" |
| 42 #include "content/public/browser/render_widget_host_view.h" | 44 #include "content/public/browser/render_widget_host_view.h" |
| 43 #include "content/public/browser/web_contents.h" | 45 #include "content/public/browser/web_contents.h" |
| 44 #include "content/public/browser/web_contents_observer.h" | 46 #include "content/public/browser/web_contents_observer.h" |
| 45 #include "content/public/common/security_style.h" | 47 #include "content/public/common/security_style.h" |
| 46 #include "content/public/common/ssl_status.h" | 48 #include "content/public/common/ssl_status.h" |
| 47 #include "content/public/test/browser_test_utils.h" | 49 #include "content/public/test/browser_test_utils.h" |
| 48 #include "content/public/test/download_test_observer.h" | 50 #include "content/public/test/download_test_observer.h" |
| 49 #include "content/public/test/test_renderer_host.h" | 51 #include "content/public/test/test_renderer_host.h" |
| 50 #include "net/base/net_errors.h" | 52 #include "net/base/net_errors.h" |
| 51 #include "net/base/test_data_directory.h" | 53 #include "net/base/test_data_directory.h" |
| 52 #include "net/cert/cert_status_flags.h" | 54 #include "net/cert/cert_status_flags.h" |
| 55 #include "net/cert/test_root_certs.h" | |
| 53 #include "net/cert/x509_certificate.h" | 56 #include "net/cert/x509_certificate.h" |
| 57 #include "net/http/http_transaction_factory.h" | |
| 54 #include "net/ssl/ssl_info.h" | 58 #include "net/ssl/ssl_info.h" |
| 55 #include "net/test/spawned_test_server/spawned_test_server.h" | 59 #include "net/test/spawned_test_server/spawned_test_server.h" |
| 56 #include "net/url_request/url_request_context.h" | 60 #include "net/url_request/url_request_context.h" |
| 61 #include "net/url_request/url_request_context_getter.h" | |
| 57 | 62 |
| 58 #if defined(USE_NSS) | 63 #if defined(USE_NSS) |
| 59 #include "chrome/browser/net/nss_context.h" | 64 #include "chrome/browser/net/nss_context.h" |
| 60 #include "net/base/crypto_module.h" | 65 #include "net/base/crypto_module.h" |
| 61 #include "net/cert/nss_cert_database.h" | 66 #include "net/cert/nss_cert_database.h" |
| 62 #endif // defined(USE_NSS) | 67 #endif // defined(USE_NSS) |
| 63 | 68 |
| 64 using base::ASCIIToUTF16; | 69 using base::ASCIIToUTF16; |
| 65 using chrome_browser_interstitials::SecurityInterstitialIDNTest; | 70 using chrome_browser_interstitials::SecurityInterstitialIDNTest; |
| 66 using chrome_browser_net::CertificateErrorReporter; | 71 using chrome_browser_net::CertificateErrorReporter; |
| 215 }; | 220 }; |
| 216 | 221 |
| 217 void SetUpMockReporter(SafeBrowsingService* safe_browsing_service, | 222 void SetUpMockReporter(SafeBrowsingService* safe_browsing_service, |
| 218 MockReporter* reporter) { | 223 MockReporter* reporter) { |
| 219 safe_browsing_service->ping_manager()->SetCertificateErrorReporterForTesting( | 224 safe_browsing_service->ping_manager()->SetCertificateErrorReporterForTesting( |
| 220 scoped_ptr<CertificateErrorReporter>(reporter)); | 225 scoped_ptr<CertificateErrorReporter>(reporter)); |
| 221 } | 226 } |
| 222 | 227 |
| 223 } // namespace CertificateReporting | 228 } // namespace CertificateReporting |
| 224 | 229 |
| 230 void RootCertsChangedOnIO(net::URLRequestContextGetter* context_getter) { | |
|
Ryan Sleevi
2015/04/09 20:55:48
s/OnIO/OnIOThread/
Ryan Sleevi
2015/04/09 20:55:48
DANGER WILL ROBINSON: Passing a naked pointer arou
jww
2015/04/16 23:59:07
Done.
jww
2015/04/16 23:59:07
Done.
| |
| 231 context_getter->GetURLRequestContext() | |
| 232 ->http_transaction_factory() | |
| 233 ->GetSession() | |
| 234 ->CloseAllConnections(); | |
| 235 } | |
| 236 | |
| 237 void RootCertsChanged(WebContents* contents) { | |
|
Ryan Sleevi
2015/04/09 20:55:48
Document
jww
2015/04/16 23:59:07
Done.
| |
| 238 net::CertDatabase::GetInstance()->NotifyObserversOfCACertChanged(NULL); | |
|
Ryan Sleevi
2015/04/09 20:55:48
Running this on not-IO thread? Sounds super sketch
jww
2015/04/16 23:59:07
I've moved it to RootCertsChangedOnIOThread().
| |
| 239 | |
| 240 scoped_refptr<net::URLRequestContextGetter> url_request_context = | |
| 241 contents->GetBrowserContext()->GetRequestContextForRenderProcess( | |
| 242 contents->GetRenderProcessHost()->GetID()); | |
| 243 base::RunLoop run_loop; | |
| 244 content::BrowserThread::PostTaskAndReply( | |
| 245 content::BrowserThread::IO, FROM_HERE, | |
| 246 base::Bind(&RootCertsChangedOnIO, url_request_context), | |
| 247 run_loop.QuitClosure()); | |
| 248 | |
| 249 run_loop.Run(); | |
| 250 base::RunLoop().RunUntilIdle(); | |
| 251 } | |
| 252 | |
| 225 } // namespace | 253 } // namespace |
| 226 | 254 |
| 227 class SSLUITest : public InProcessBrowserTest { | 255 class SSLUITest : public InProcessBrowserTest { |
| 228 public: | 256 public: |
| 229 SSLUITest() | 257 SSLUITest() |
| 230 : https_server_(net::SpawnedTestServer::TYPE_HTTPS, | 258 : https_server_(net::SpawnedTestServer::TYPE_HTTPS, |
| 231 SSLOptions(SSLOptions::CERT_OK), | 259 SSLOptions(SSLOptions::CERT_OK), |
| 232 base::FilePath(kDocRoot)), | 260 base::FilePath(kDocRoot)), |
| 233 https_server_expired_(net::SpawnedTestServer::TYPE_HTTPS, | 261 https_server_expired_(net::SpawnedTestServer::TYPE_HTTPS, |
| 234 SSLOptions(SSLOptions::CERT_EXPIRED), | 262 SSLOptions(SSLOptions::CERT_EXPIRED), |
| 2122 ui::PAGE_TRANSITION_TYPED); | 2150 ui::PAGE_TRANSITION_TYPED); |
| 2123 EXPECT_EQ(2, browser()->tab_strip_model()->count()); | 2151 EXPECT_EQ(2, browser()->tab_strip_model()->count()); |
| 2124 EXPECT_EQ(0, browser()->tab_strip_model()->active_index()); | 2152 EXPECT_EQ(0, browser()->tab_strip_model()->active_index()); |
| 2125 EXPECT_EQ(tab, browser()->tab_strip_model()->GetWebContentsAt(1)); | 2153 EXPECT_EQ(tab, browser()->tab_strip_model()->GetWebContentsAt(1)); |
| 2126 EXPECT_FALSE(tab->GetRenderWidgetHostView()->IsShowing()); | 2154 EXPECT_FALSE(tab->GetRenderWidgetHostView()->IsShowing()); |
| 2127 | 2155 |
| 2128 browser()->tab_strip_model()->ActivateTabAt(1, true); | 2156 browser()->tab_strip_model()->ActivateTabAt(1, true); |
| 2129 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing()); | 2157 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing()); |
| 2130 } | 2158 } |
| 2131 | 2159 |
| 2160 // Verifies that if a bad certificate is seen for a host and the user proceeds | |
| 2161 // through the interstitial, the decision to proceed is initially remembered. | |
| 2162 // However, if this is followed by another visit, and a good certificate | |
| 2163 // is seen for the same host, the original exception is forgotten. | |
| 2164 IN_PROC_BROWSER_TEST_F(SSLUITest, BadCertFollowedByGoodCert) { | |
| 2165 ASSERT_TRUE(https_server_.Start()); | |
| 2166 std::string https_server_host = | |
| 2167 https_server_.GetURL("files/ssl/google.html").host(); | |
| 2168 | |
| 2169 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | |
| 2170 net::TestRootCerts* root_certs = net::TestRootCerts::GetInstance(); | |
| 2171 | |
| 2172 ASSERT_TRUE(root_certs != NULL); | |
|
Ryan Sleevi
2015/04/09 20:55:48
ASSERT_TRUE(root_certs)
jww
2015/04/16 23:59:06
Done.
| |
| 2173 root_certs->Clear(); | |
| 2174 | |
| 2175 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | |
| 2176 ChromeSSLHostStateDelegate* state = | |
| 2177 reinterpret_cast<ChromeSSLHostStateDelegate*>( | |
| 2178 profile->GetSSLHostStateDelegate()); | |
| 2179 | |
| 2180 ui_test_utils::NavigateToURL(browser(), | |
| 2181 https_server_.GetURL("files/ssl/google.html")); | |
| 2182 | |
| 2183 ProceedThroughInterstitial(tab); | |
| 2184 EXPECT_TRUE(state->HasAllowException(https_server_host)); | |
| 2185 | |
| 2186 ASSERT_TRUE(https_server_.LoadTestRootCert()); | |
| 2187 RootCertsChanged(tab); | |
| 2188 ui_test_utils::NavigateToURL(browser(), | |
| 2189 https_server_.GetURL("files/ssl/google.html")); | |
| 2190 ASSERT_FALSE(tab->GetInterstitialPage()); | |
| 2191 EXPECT_FALSE(state->HasAllowException(https_server_host)); | |
| 2192 } | |
| 2193 | |
| 2132 class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest { | 2194 class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest { |
| 2133 protected: | 2195 protected: |
| 2134 // SecurityInterstitialIDNTest implementation | 2196 // SecurityInterstitialIDNTest implementation |
| 2135 SecurityInterstitialPage* CreateInterstitial( | 2197 SecurityInterstitialPage* CreateInterstitial( |
| 2136 content::WebContents* contents, | 2198 content::WebContents* contents, |
| 2137 const GURL& request_url) const override { | 2199 const GURL& request_url) const override { |
| 2138 net::SSLInfo ssl_info; | 2200 net::SSLInfo ssl_info; |
| 2139 ssl_info.cert = new net::X509Certificate( | 2201 ssl_info.cert = new net::X509Certificate( |
| 2140 request_url.host(), "CA", base::Time::Max(), base::Time::Max()); | 2202 request_url.host(), "CA", base::Time::Max(), base::Time::Max()); |
| 2141 return new SSLBlockingPage( | 2203 return new SSLBlockingPage( |
| 2152 | 2214 |
| 2153 // Visit a page over https that contains a frame with a redirect. | 2215 // Visit a page over https that contains a frame with a redirect. |
| 2154 | 2216 |
| 2155 // XMLHttpRequest insecure content in synchronous mode. | 2217 // XMLHttpRequest insecure content in synchronous mode. |
| 2156 | 2218 |
| 2157 // XMLHttpRequest insecure content in asynchronous mode. | 2219 // XMLHttpRequest insecure content in asynchronous mode. |
| 2158 | 2220 |
| 2159 // XMLHttpRequest over bad ssl in synchronous mode. | 2221 // XMLHttpRequest over bad ssl in synchronous mode. |
| 2160 | 2222 |
| 2161 // XMLHttpRequest over OK ssl in synchronous mode. | 2223 // XMLHttpRequest over OK ssl in synchronous mode. |
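Review bot: The `reinterpret_cast<ChromeSSLHostStateDelegate*>` at new lines 2176-2178 of BadCertFollowedByGoodCert should be a `static_cast`. A reinterpret_cast does no pointer adjustment and compiles for unrelated types, so if `GetSSLHostStateDelegate()` ever returns a different implementation, the two `HasAllowException` expectations would read through a mistyped pointer instead of failing to build. Assuming ChromeSSLHostStateDelegate derives from the returned interface (its declaration is not on this page), use `static_cast<ChromeSSLHostStateDelegate*>(profile->GetSSLHostStateDelegate())` and follow it with `ASSERT_TRUE(state);` so a missing delegate fails the test cleanly. If `HasAllowException` is declared on the interface itself, the cast can be dropped and the interface pointer used directly.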