Common Name Mismatch Handler For WWW Subdomain Mismatch case

chrome/browser/ssl/ssl_browser_tests.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/location.h"
 #include "base/metrics/field_trial.h"
@@ skipping 10 matching lines @@
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
 #include "chrome/browser/net/certificate_error_reporter.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ssl/cert_logger.pb.h"
 #include "chrome/browser/ssl/cert_report_helper.h"
 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
 #include "chrome/browser/ssl/certificate_error_report.h"
 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
+#include "chrome/browser/ssl/common_name_mismatch_handler.h"
 #include "chrome/browser/ssl/ssl_blocking_page.h"
+#include "chrome/browser/ssl/ssl_error_handler.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_commands.h"
 #include "chrome/browser/ui/browser_navigator.h"
 #include "chrome/browser/ui/browser_tabstrip.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/security_interstitials/core/metrics_helper.h"
 #include "components/variations/variations_associated_data.h"
 #include "components/web_modal/web_contents_modal_dialog_manager.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/interstitial_page.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/render_widget_host_view.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "content/public/common/security_style.h"
 #include "content/public/common/ssl_status.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/download_test_observer.h"
+#include "content/public/test/test_navigation_observer.h"
 #include "content/public/test/test_renderer_host.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/x509_certificate.h"
+#include "net/dns/mock_host_resolver.h"
 #include "net/ssl/ssl_info.h"
+#include "net/test/cert_test_util.h"
 #include "net/test/spawned_test_server/spawned_test_server.h"
+#include "net/test/test_certificate_data.h"
 #include "net/url_request/url_request_context.h"
 
 #if defined(USE_NSS_CERTS)
 #include "chrome/browser/net/nss_context.h"
 #include "net/base/crypto_module.h"
 #include "net/cert/nss_cert_database.h"
 #endif  // defined(USE_NSS_CERTS)
 
 using base::ASCIIToUTF16;
 using chrome_browser_interstitials::SecurityInterstitialIDNTest;
@@ skipping 2177 matching lines @@
 
   ProceedThroughInterstitial(tab);
   EXPECT_TRUE(state->HasAllowException(https_server_host));
 
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL("files/ssl/google.html"));
   ASSERT_FALSE(tab->GetInterstitialPage());
   EXPECT_FALSE(state->HasAllowException(https_server_host));
 }
 
+// Verifies that invoking the SSL Blocking page with a suggested URL displays
+// the common name mismatch interstitial with a link to suggested URL.
+IN_PROC_BROWSER_TEST_F(SSLUITest, SSLBlockingPageWithSuggestedURL) {
+  content::WebContents* contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  net::SSLInfo ssl_info;
+  ssl_info.cert = net::X509Certificate::CreateFromBytes(
+      reinterpret_cast<const char*>(google_der), sizeof(google_der));

[Ryan Sleevi, 2015/08/07 00:14:11]

Same comments; like I said on email, use ImportCertFromFile here; that's the
preferred pattern :)

[Bhanu Dev, 2015/08/07 22:28:48]

Done.

+  // Create a new SSL blocking page for https://example.com with
+  // https://www.example.com as the suggested URL.
+  SSLBlockingPage* blocking_page = new SSLBlockingPage(
+      contents, net::ERR_CERT_COMMON_NAME_INVALID, ssl_info,
+      GURL("https://example.com"), 0, base::Time::NowFromSystemTime(), nullptr,
+      base::Callback<void(bool)>(), GURL("https://www.example.com"));
+  blocking_page->Show();
+
+  WaitForInterstitialAttach(contents);
+
+  EXPECT_TRUE(
+      WaitForRenderFrameReady(contents->GetInterstitialPage()->GetMainFrame()));
+  // The interstitial should display a link to www.example.com
+  EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText(
+      contents->GetInterstitialPage(), "www.example.com"));
+  // Verify that the link has the text "suggest-link", the id of the
+  // link element displayed.
+  EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText(
+      contents->GetInterstitialPage(), "suggest-link"));
+}
+
+// Visit the URL www.test.example.com on a server that presents a valid
+// certificate for test.example.com. Verify that the common name mismatch
+// interstitial is displayed with a link to test.example.com. Click the
+// suggested URL link and make sure the page navigates to suggested URL.
+IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest,

[Ryan Sleevi, 2015/08/07 00:14:11]

From a testing design, normally the fixture naming matches what's being tested.

I totally understand that your fixture either needs to be a
CertVerifierBrowserTest, but you have two options to better express this for
test naming

1) Using inheritance - i.e. class MyTestName : public CertVerifierBrowserTest
2) Using aliasing (typedefs or using) - e.g. using MyTestName =
CertVerifierBrowserTest

Both of these ensure that the stringified test name is meaningful, even if the
actual implementation is a CertVerifierBrowserTest

[Bhanu Dev, 2015/08/07 22:28:48]

Done.
Thank you for letting me know about this.

+                       ShouldShowWWWSubdomainMismatchInterstitial) {
+  net::SpawnedTestServer https_server_example_domain_(
+      net::SpawnedTestServer::TYPE_HTTPS,
+      net::SpawnedTestServer::SSLOptions(
+          net::SpawnedTestServer::SSLOptions::CERT_OK),
+      base::FilePath(kDocRoot));
+  ASSERT_TRUE(https_server_example_domain_.Start());
+
+  host_resolver()->AddRule("test.example.com", "127.0.0.1");

[Ryan Sleevi, 2015/08/07 00:14:11]

BUG: You shouldn't assume that SpawnedTestServer is 127.0.0.1

You should be using AddRule() to add the test server's hostname - either using
AddRule(..., https_server_example_domain_.GetURL("").host()), or, simpler,
AddRule(..., https_server_example_domain_.host_port_pair().host())   

using host_port_pair() should properly handle  any IPv6 support

[Bhanu Dev, 2015/08/07 22:28:48]

Done.
I was using 127.0.0.1 as I verified that GetHostName() returns 127.0.0.1 for
CERT_OK. Anyway, I agree with you that it is good to get the hostname each time.

+  host_resolver()->AddRule("www.test.example.com", "127.0.0.1");
+
+  scoped_refptr<net::X509Certificate> cert1 =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+
+  net::CertVerifyResult verify_result;
+  verify_result.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");

[Ryan Sleevi, 2015/08/07 00:14:11]

Haha, I should have been clearer in my email. Out of *all* of the test certs you
could have picked, you arguably picked the least-best one. Sorry! :P

They're the least-best because they're kept in sync with Google3 and it gets a
whole messy thing to update. I would pick any of the test certificates that have
a checked in generator script in net/data/ssl/scripts (you can see what
certificates this is via net/data/ssl/certificates/README )

[Bhanu Dev, 2015/08/07 22:28:48]

Haha. Ok, I went through most of the certs and *picked* this because this has
the most suitable dns name(test.example.com) which is a top level domain and not
127.0.0.1 or localhost as used by most certs. 

I changed this and used spdy_pooling.pem now.

+  verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
+
+  // Request to "www.test.example.com" should result in
+  // |net::ERR_CERT_COMMON_NAME_INVALID| error.
+  mock_cert_verifier()->AddResultForCertAndHost(
+      cert1.get(), "www.test.example.com", verify_result,
+      net::ERR_CERT_COMMON_NAME_INVALID);
+
+  net::CertVerifyResult verify_result_valid;
+  verify_result_valid.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  // Request to "www.test.example.com" should not result in any error.
+  mock_cert_verifier()->AddResultForCertAndHost(cert1.get(), "test.example.com",
+                                                verify_result_valid, net::OK);
+
+  // The path does not matter.
+  GURL https_server_url =
+      https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
+  GURL::Replacements replacements;
+  replacements.SetHostStr("www.test.example.com");
+  GURL https_server_mismatched_url =
+      https_server_url.ReplaceComponents(replacements);
+
+  ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url);
+
+  WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
+  WaitForInterstitialAttach(contents);
+  // An interstitial should be displayed with a
+  // |CERT_STATUS_COMMON_NAME_INVALID| error.
+  CheckSecurityState(contents, net::CERT_STATUS_COMMON_NAME_INVALID,
+                     content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
+                     AuthState::SHOWING_INTERSTITIAL);
+  EXPECT_EQ(SSLBlockingPage::kTypeForTesting, contents->GetInterstitialPage()
+                                                  ->GetDelegateForTesting()
+                                                  ->GetTypeForTesting());

[Ryan Sleevi, 2015/08/07 00:14:11]

did git cl format do this? Weirdest formatting I've seen yet from it.

[Bhanu Dev, 2015/08/07 22:28:48]

Yes. Anyway, the browser tests are changed now, so I don't need this anymore.

+
+  content::RenderFrameHost* rfh =
+      contents->GetInterstitialPage()->GetMainFrame();
+  EXPECT_TRUE(WaitForRenderFrameReady(rfh));
+  // The interstitial should display a link to www.test.example.com
+  EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText(
+      contents->GetInterstitialPage(), "test.example.com"));
+  // Verify that the link has the text "suggest-link", the id of the
+  // link element displayed.
+  EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText(
+      contents->GetInterstitialPage(), "suggest-link"));
+
+  const char kOpenSuggestedLinkJS[] =
+      "document.getElementById('suggest-link').click();";
+  content::TestNavigationObserver observer(contents, 1);
+  EXPECT_TRUE(content::ExecuteScript(rfh, kOpenSuggestedLinkJS));
+  observer.Wait();
+
+  CheckSecurityState(contents, CertError::NONE,
+                     content::SECURITY_STYLE_AUTHENTICATED, AuthState::NONE);
+  replacements.SetHostStr("test.example.com");
+  GURL https_server_new_url = https_server_url.ReplaceComponents(replacements);
+  // Verify that the current URL is the suggested URL.
+  EXPECT_EQ(https_server_new_url.spec(),
+            contents->GetLastCommittedURL().spec());
+}
+
+// Visit the URL example.org on a server that presents a valid certificate
+// for www.example.org. Verify that the common name mismatch interstitial is
+// displayed with a link to www.example.org.
+IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest,
+                       CheckWWWSubdomainMismatchInverse) {
+  net::SpawnedTestServer https_server_example_domain_(
+      net::SpawnedTestServer::TYPE_HTTPS,
+      net::SpawnedTestServer::SSLOptions(
+          net::SpawnedTestServer::SSLOptions::CERT_OK),
+      base::FilePath(kDocRoot));
+  ASSERT_TRUE(https_server_example_domain_.Start());
+
+  host_resolver()->AddRule("www.example.org", "127.0.0.1");
+  host_resolver()->AddRule("example.org", "127.0.0.1");
+
+  scoped_refptr<net::X509Certificate> cert1 =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+
+  net::CertVerifyResult verify_result;
+  verify_result.verified_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
+  verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
+
+  mock_cert_verifier()->AddResultForCertAndHost(
+      cert1.get(), "example.org", verify_result,
+      net::ERR_CERT_COMMON_NAME_INVALID);
+
+  net::CertVerifyResult verify_result_valid;
+  verify_result_valid.verified_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
+  mock_cert_verifier()->AddResultForCertAndHost(cert1.get(), "www.example.org",
+                                                verify_result_valid, net::OK);
+
+  GURL https_server_url =
+      https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
+  GURL::Replacements replacements;
+  replacements.SetHostStr("example.org");
+  GURL https_server_mismatched_url =
+      https_server_url.ReplaceComponents(replacements);
+
+  ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url);
+
+  WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
+  WaitForInterstitialAttach(contents);
+  CheckSecurityState(contents, net::CERT_STATUS_COMMON_NAME_INVALID,
+                     content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
+                     AuthState::SHOWING_INTERSTITIAL);
+  EXPECT_EQ(SSLBlockingPage::kTypeForTesting, contents->GetInterstitialPage()
+                                                  ->GetDelegateForTesting()
+                                                  ->GetTypeForTesting());
+
+  EXPECT_TRUE(
+      WaitForRenderFrameReady(contents->GetInterstitialPage()->GetMainFrame()));
+  // The interstitial should display a link to www.example.org
+  EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText(
+      contents->GetInterstitialPage(), "www.example.org"));
+  // Verify that the link has the text "suggest-link", the id of the
+  // link element displayed.
+  EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText(
+      contents->GetInterstitialPage(), "suggest-link"));
+}
+
+// This observer waits for the SSLErrorHandler to start an interstitial timer
+// for the given web contents.
+class SSLInterstitialTimerObserver {
+ public:
+  explicit SSLInterstitialTimerObserver(content::WebContents* web_contents);
+  ~SSLInterstitialTimerObserver();
+
+  // Waits until the interstitial delay timer in SSLErrorHandler is started.
+  void WaitForTimerStarted();
+
+ private:
+  void OnTimerStarted(content::WebContents* web_contents);
+
+  const content::WebContents* web_contents_;
+  SSLErrorHandler::TimerStartedCallback callback_;
+
+  scoped_refptr<content::MessageLoopRunner> message_loop_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLInterstitialTimerObserver);
+};
+
+SSLInterstitialTimerObserver::SSLInterstitialTimerObserver(
+    content::WebContents* web_contents)
+    : web_contents_(web_contents),
+      message_loop_runner_(new content::MessageLoopRunner) {
+  callback_ = base::Bind(&SSLInterstitialTimerObserver::OnTimerStarted,
+                         base::Unretained(this));
+  SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(&callback_);
+}
+
+SSLInterstitialTimerObserver::~SSLInterstitialTimerObserver() {
+  SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(nullptr);
+}
+
+void SSLInterstitialTimerObserver::WaitForTimerStarted() {
+  message_loop_runner_->Run();
+}
+
+void SSLInterstitialTimerObserver::OnTimerStarted(
+    content::WebContents* web_contents) {
+  if (web_contents_ == web_contents && message_loop_runner_.get())
+    message_loop_runner_->Quit();
+}
+
+// Tests this scenario:
+// - |CommonNameMismatchHandler| does not give a callback as it's set into the
+//   state |IGNORE_REQUESTS_FOR_TESTING|. So no suggested URL check result can
+//   arrive.
+// - A cert error triggers an interstitial timer with a very long timeout.
+// - No suggested URL check results arrive, causing the tab to appear as loading
+//   indefinitely (also because the timer has a long timeout).
+// - Stopping the page load shouldn't result in any interstitials.
+IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest,
+                       InterstitialStopNavigationWhileLoading) {
+  net::SpawnedTestServer https_server_example_domain_(
+      net::SpawnedTestServer::TYPE_HTTPS,
+      net::SpawnedTestServer::SSLOptions(
+          net::SpawnedTestServer::SSLOptions::CERT_OK),
+      base::FilePath(kDocRoot));
+  ASSERT_TRUE(https_server_example_domain_.Start());
+
+  host_resolver()->AddRule("test.example.com", "127.0.0.1");
+  host_resolver()->AddRule("www.test.example.com", "127.0.0.1");
+
+  scoped_refptr<net::X509Certificate> cert1 =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+
+  net::CertVerifyResult verify_result;
+  verify_result.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
+
+  mock_cert_verifier()->AddResultForCertAndHost(
+      cert1.get(), "www.test.example.com", verify_result,
+      net::ERR_CERT_COMMON_NAME_INVALID);
+
+  net::CertVerifyResult verify_result_valid;
+  verify_result_valid.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  mock_cert_verifier()->AddResultForCertAndHost(cert1.get(), "test.example.com",
+                                                verify_result_valid, net::OK);
+
+  GURL https_server_url =
+      https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
+  GURL::Replacements replacements;
+  replacements.SetHostStr("www.test.example.com");
+  GURL https_server_mismatched_url =
+      https_server_url.ReplaceComponents(replacements);
+
+  WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
+  CommonNameMismatchHandler::set_state_for_testing(
+      CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
+  SSLInterstitialTimerObserver interstitial_timer_observer(contents);
+
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(), https_server_mismatched_url, CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_NONE);
+  interstitial_timer_observer.WaitForTimerStarted();
+
+  EXPECT_TRUE(contents->IsLoading());
+  content::WindowedNotificationObserver observer(
+      content::NOTIFICATION_LOAD_STOP,
+      content::NotificationService::AllSources());
+  contents->Stop();
+  observer.Wait();
+
+  SSLErrorHandler* ssl_error_handler =
+      SSLErrorHandler::FromWebContents(contents);
+  // Make sure that the |SSLErrorHandler| is deleted.
+  EXPECT_FALSE(ssl_error_handler);
+  EXPECT_FALSE(contents->ShowingInterstitialPage());
+  EXPECT_FALSE(contents->IsLoading());
+}
+
+// Same as above, but instead of stopping, the loading page is reloaded. The end
+// result is the same. (i.e. page load stops, no interstitials shown)
+IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest,
+                       InterstitialReloadNavigationWhileLoading) {
+  net::SpawnedTestServer https_server_example_domain_(
+      net::SpawnedTestServer::TYPE_HTTPS,
+      net::SpawnedTestServer::SSLOptions(
+          net::SpawnedTestServer::SSLOptions::CERT_OK),
+      base::FilePath(kDocRoot));
+  ASSERT_TRUE(https_server_example_domain_.Start());
+
+  host_resolver()->AddRule("test.example.com", "127.0.0.1");
+  host_resolver()->AddRule("www.test.example.com", "127.0.0.1");
+
+  scoped_refptr<net::X509Certificate> cert1 =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+
+  net::CertVerifyResult verify_result;
+  verify_result.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
+
+  mock_cert_verifier()->AddResultForCertAndHost(
+      cert1.get(), "www.test.example.com", verify_result,
+      net::ERR_CERT_COMMON_NAME_INVALID);
+
+  net::CertVerifyResult verify_result_valid;
+  verify_result_valid.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  mock_cert_verifier()->AddResultForCertAndHost(cert1.get(), "test.example.com",
+                                                verify_result_valid, net::OK);
+
+  GURL https_server_url =
+      https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
+  GURL::Replacements replacements;
+  replacements.SetHostStr("www.test.example.com");
+  GURL https_server_mismatched_url =
+      https_server_url.ReplaceComponents(replacements);
+
+  WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
+  CommonNameMismatchHandler::set_state_for_testing(
+      CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
+  SSLInterstitialTimerObserver interstitial_timer_observer(contents);
+
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(), https_server_mismatched_url, CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_NONE);
+  interstitial_timer_observer.WaitForTimerStarted();
+
+  EXPECT_TRUE(contents->IsLoading());
+  content::TestNavigationObserver observer(contents, 1);
+  chrome::Reload(browser(), CURRENT_TAB);
+  observer.Wait();
+
+  SSLErrorHandler* ssl_error_handler =
+      SSLErrorHandler::FromWebContents(contents);
+  // Make sure that the |SSLErrorHandler| is deleted.
+  EXPECT_FALSE(ssl_error_handler);
+  EXPECT_FALSE(contents->ShowingInterstitialPage());
+  EXPECT_FALSE(contents->IsLoading());
+}
+
+// Same as above, but instead of reloading, the page is navigated away. The
+// new page should load, and no interstitials should be shown.
+IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest,
+                       InterstitialNavigateAwayWhileLoading) {
+  net::SpawnedTestServer https_server_example_domain_(
+      net::SpawnedTestServer::TYPE_HTTPS,
+      net::SpawnedTestServer::SSLOptions(
+          net::SpawnedTestServer::SSLOptions::CERT_OK),
+      base::FilePath(kDocRoot));
+  ASSERT_TRUE(https_server_example_domain_.Start());
+
+  host_resolver()->AddRule("test.example.com", "127.0.0.1");
+  host_resolver()->AddRule("www.test.example.com", "127.0.0.1");
+
+  scoped_refptr<net::X509Certificate> cert1 =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+
+  net::CertVerifyResult verify_result;
+  verify_result.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
+
+  mock_cert_verifier()->AddResultForCertAndHost(
+      cert1.get(), "www.test.example.com", verify_result,
+      net::ERR_CERT_COMMON_NAME_INVALID);
+
+  net::CertVerifyResult verify_result_valid;
+  verify_result_valid.verified_cert = net::ImportCertFromFile(
+      net::GetTestCertsDirectory(), "quic_test.example.com.crt");
+  mock_cert_verifier()->AddResultForCertAndHost(cert1.get(), "test.example.com",
+                                                verify_result_valid, net::OK);
+
+  GURL https_server_url =
+      https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
+  GURL::Replacements replacements;
+  replacements.SetHostStr("www.test.example.com");
+  GURL https_server_mismatched_url =
+      https_server_url.ReplaceComponents(replacements);
+
+  WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
+  CommonNameMismatchHandler::set_state_for_testing(
+      CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
+  SSLInterstitialTimerObserver interstitial_timer_observer(contents);
+
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(), https_server_mismatched_url, CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_NONE);
+  interstitial_timer_observer.WaitForTimerStarted();
+
+  EXPECT_TRUE(contents->IsLoading());
+  content::TestNavigationObserver observer(contents, 1);
+  browser()->OpenURL(content::OpenURLParams(GURL("https://google.com"),
+                                            content::Referrer(), CURRENT_TAB,
+                                            ui::PAGE_TRANSITION_TYPED, false));
+  observer.Wait();
+
+  SSLErrorHandler* ssl_error_handler =
+      SSLErrorHandler::FromWebContents(contents);
+  // Make sure that the |SSLErrorHandler| is deleted.
+  EXPECT_FALSE(ssl_error_handler);
+  EXPECT_FALSE(contents->ShowingInterstitialPage());
+  EXPECT_FALSE(contents->IsLoading());
+}
+
 class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest {
  protected:
   // SecurityInterstitialIDNTest implementation
   SecurityInterstitialPage* CreateInterstitial(
       content::WebContents* contents,
       const GURL& request_url) const override {
     net::SSLInfo ssl_info;
     ssl_info.cert = new net::X509Certificate(
         request_url.host(), "CA", base::Time::Max(), base::Time::Max());
-    return new SSLBlockingPage(
-        contents, net::ERR_CERT_CONTAINS_ERRORS, ssl_info, request_url, 0,
-        base::Time::NowFromSystemTime(), nullptr, base::Callback<void(bool)>());
+    return new SSLBlockingPage(contents, net::ERR_CERT_CONTAINS_ERRORS,
+                               ssl_info, request_url, 0,
+                               base::Time::NowFromSystemTime(), nullptr,
+                               base::Callback<void(bool)>(), GURL());
   }
 };
 
 IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest, SSLBlockingPageDecodesIDN) {
   EXPECT_TRUE(VerifyIDNDecoded());
 }
 
 IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest, MockCertVerifierSmokeTest) {
   net::SpawnedTestServer https_server(
       net::SpawnedTestServer::TYPE_HTTPS,
@@ skipping 18 matching lines @@
 
 // Visit a page over https that contains a frame with a redirect.
 
 // XMLHttpRequest insecure content in synchronous mode.
 
 // XMLHttpRequest insecure content in asynchronous mode.
 
 // XMLHttpRequest over bad ssl in synchronous mode.
 
 // XMLHttpRequest over OK ssl in synchronous mode.