Chromium Code Reviews Chromium Code Reviews
Issue 1223233002:
Common Name Mismatch Handler For WWW Subdomain Mismatch case (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: chrome/browser/ssl/ssl_error_handler.cc |
| diff --git a/chrome/browser/ssl/ssl_error_handler.cc b/chrome/browser/ssl/ssl_error_handler.cc |
| index 594a68357e021e497a456f2e572acbcb7c939b1a..48258710ee4b496823b07dd76e2a448f79aa6e3f 100644 |
| --- a/chrome/browser/ssl/ssl_error_handler.cc |
| +++ b/chrome/browser/ssl/ssl_error_handler.cc |
| @@ -11,6 +11,7 @@ |
| #include "chrome/browser/profiles/profile.h" |
| #include "chrome/browser/ssl/ssl_blocking_page.h" |
| #include "chrome/browser/ssl/ssl_cert_reporter.h" |
| +#include "chrome/browser/ssl/ssl_error_classification.h" |
| #include "content/public/browser/notification_service.h" |
| #include "content/public/browser/notification_source.h" |
| #include "content/public/browser/web_contents.h" |
| @@ -39,6 +40,8 @@ enum SSLErrorHandlerEvent { |
| SHOW_CAPTIVE_PORTAL_INTERSTITIAL_OVERRIDABLE, |
| SHOW_SSL_INTERSTITIAL_NONOVERRIDABLE, |
| SHOW_SSL_INTERSTITIAL_OVERRIDABLE, |
| + SHOW_COMMON_NAME_MISMATCH_INTERSTITIAL_NONOVERRIDABLE, |
| + SHOW_COMMON_NAME_MISMATCH_INTERSTITIAL_OVERRIDABLE, |
| SSL_ERROR_HANDLER_EVENT_COUNT |
| }; |
| @@ -48,10 +51,10 @@ void RecordUMA(SSLErrorHandlerEvent event) { |
| SSL_ERROR_HANDLER_EVENT_COUNT); |
| } |
| -#if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| // The delay before displaying the SSL interstitial for cert errors. |
| -// - If a "captive portal detected" result arrives in this many seconds, |
| -// a captive portal interstitial is displayed. |
| +// - If a "captive portal detected" or "suggested URL valid" result |
| +// arrives in this many seconds, then a captive portal interstitial |
| +// or a common name mismatch interstitial is displayed. |
| // - Otherwise, an SSL interstitial is displayed. |
| const int kDefaultInterstitialDisplayDelayInSeconds = 2; |
| @@ -74,6 +77,7 @@ base::TimeDelta GetInterstitialDisplayDelay( |
| return base::TimeDelta(); |
| } |
| +#if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| bool IsCaptivePortalInterstitialEnabled() { |
| return base::FieldTrialList::FindFullName("CaptivePortalInterstitial") == |
| "Enabled"; |
| @@ -92,13 +96,6 @@ void SSLErrorHandler::HandleSSLError( |
| int options_mask, |
| scoped_ptr<SSLCertReporter> ssl_cert_reporter, |
| const base::Callback<void(bool)>& callback) { |
| -#if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| - CaptivePortalTabHelper* captive_portal_tab_helper = |
| - CaptivePortalTabHelper::FromWebContents(web_contents); |
| - if (captive_portal_tab_helper) { |
| - captive_portal_tab_helper->OnSSLCertError(ssl_info); |
| - } |
| -#endif |
| DCHECK(!FromWebContents(web_contents)); |
| web_contents->SetUserData( |
| UserDataKey(), |
| @@ -137,15 +134,8 @@ SSLErrorHandler::SSLErrorHandler(content::WebContents* web_contents, |
| request_url_(request_url), |
| options_mask_(options_mask), |
| callback_(callback), |
| - ssl_cert_reporter_(ssl_cert_reporter.Pass()) { |
| -#if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| - Profile* profile = Profile::FromBrowserContext( |
| - web_contents->GetBrowserContext()); |
| - registrar_.Add(this, |
| - chrome::NOTIFICATION_CAPTIVE_PORTAL_CHECK_RESULT, |
| - content::Source<Profile>(profile)); |
| -#endif |
| -} |
| + profile_(Profile::FromBrowserContext(web_contents->GetBrowserContext())), |
| + ssl_cert_reporter_(ssl_cert_reporter.Pass()) {} |
| SSLErrorHandler::~SSLErrorHandler() { |
| } |
| @@ -153,7 +143,45 @@ SSLErrorHandler::~SSLErrorHandler() { |
| void SSLErrorHandler::StartHandlingError() { |
| RecordUMA(HANDLE_ALL); |
| + std::vector<std::string> dns_names; |
| + ssl_info_.cert->GetDNSNames(&dns_names); |
| + DCHECK(!dns_names.empty()); |
| + GURL suggested_url; |
| + if (GetSuggestedUrl(dns_names, &suggested_url)) { |
| + net::CertStatus extra_cert_errors = |
| + ssl_info_.cert_status ^ net::CERT_STATUS_COMMON_NAME_INVALID; |
|
davidben
2015/08/17 18:59:19
What if CERT_STATUS_COMMON_NAME_INVALID isn't in c
Bhanu Dev
2015/08/18 05:09:10
The cert_status must have CERT_STATUS_COMMON_NAME_
|
| + |
| + // Show the SSL intersitial if |CERT_STATUS_COMMON_NAME_INVALID| is not |
| + // the only error. Need not check for captive portal in this case. |
| + // (See the comment below). |
| + if (net::IsCertStatusError(extra_cert_errors) && |
| + !net::IsCertStatusMinorError(ssl_info_.cert_status)) { |
| + ShowSSLInterstitial(); |
| + return; |
| + } |
| + CheckSuggestedUrl(suggested_url); |
| + timer_.Start(FROM_HERE, |
| + GetInterstitialDisplayDelay(g_interstitial_delay_type), this, |
| + &SSLErrorHandler::OnTimerExpired); |
| + if (g_timer_started_callback) |
| + g_timer_started_callback->Run(web_contents_); |
| + |
| + // Do not check for a captive portal in this case, because a captive |
| + // portal most likely cannot serve a valid certificate which passes the |
| + // similarity check. |
| + return; |
| + } |
| + |
| #if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| + CaptivePortalTabHelper* captive_portal_tab_helper = |
| + CaptivePortalTabHelper::FromWebContents(web_contents_); |
| + if (captive_portal_tab_helper) { |
| + captive_portal_tab_helper->OnSSLCertError(ssl_info_); |
| + } |
| + |
| + registrar_.Add(this, chrome::NOTIFICATION_CAPTIVE_PORTAL_CHECK_RESULT, |
| + content::Source<Profile>(profile_)); |
| + |
| if (IsCaptivePortalInterstitialEnabled()) { |
| CheckForCaptivePortal(); |
| timer_.Start(FROM_HERE, |
| @@ -172,12 +200,34 @@ void SSLErrorHandler::OnTimerExpired() { |
| ShowSSLInterstitial(); |
| } |
| +bool SSLErrorHandler::GetSuggestedUrl(const std::vector<std::string>& dns_names, |
| + GURL* suggested_url) const { |
| + return CommonNameMismatchHandler::GetSuggestedUrl(request_url_, dns_names, |
| + suggested_url); |
| +} |
| + |
| +void SSLErrorHandler::CheckSuggestedUrl(const GURL& suggested_url) { |
| + scoped_refptr<net::URLRequestContextGetter> request_context( |
| + profile_->GetRequestContext()); |
| + common_name_mismatch_handler_.reset( |
| + new CommonNameMismatchHandler(request_url_, request_context)); |
| + |
| + common_name_mismatch_handler_->CheckSuggestedUrl( |
| + suggested_url, |
| + base::Bind(&SSLErrorHandler::CommonNameMismatchHandlerCallback, |
| + base::Unretained(this))); |
| +} |
| + |
| +void SSLErrorHandler::NavigateToSuggestedURL(const GURL& suggested_url) { |
| + content::NavigationController::LoadURLParams load_params(suggested_url); |
| + load_params.transition_type = ui::PAGE_TRANSITION_TYPED; |
|
davidben
2015/08/17 18:59:19
This seems off. The URL wasn't typed into the omni
Bhanu Dev
2015/08/18 05:09:10
Used this since, https://code.google.com/p/chromiu
|
| + web_contents()->GetController().LoadURLWithParams(load_params); |
| +} |
| + |
| void SSLErrorHandler::CheckForCaptivePortal() { |
| #if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| - Profile* profile = Profile::FromBrowserContext( |
| - web_contents_->GetBrowserContext()); |
| CaptivePortalService* captive_portal_service = |
| - CaptivePortalServiceFactory::GetForProfile(profile); |
| + CaptivePortalServiceFactory::GetForProfile(profile_); |
| captive_portal_service->DetectCaptivePortal(); |
| #else |
| NOTREACHED(); |
| @@ -187,9 +237,7 @@ void SSLErrorHandler::CheckForCaptivePortal() { |
| void SSLErrorHandler::ShowCaptivePortalInterstitial(const GURL& landing_url) { |
| #if defined(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| // Show captive portal blocking page. The interstitial owns the blocking page. |
| - const Profile* const profile = |
| - Profile::FromBrowserContext(web_contents_->GetBrowserContext()); |
| - RecordUMA(SSLBlockingPage::IsOverridable(options_mask_, profile) |
| + RecordUMA(SSLBlockingPage::IsOverridable(options_mask_, profile_) |
| ? SHOW_CAPTIVE_PORTAL_INTERSTITIAL_OVERRIDABLE |
| : SHOW_CAPTIVE_PORTAL_INTERSTITIAL_NONOVERRIDABLE); |
| (new CaptivePortalBlockingPage(web_contents_, request_url_, landing_url, |
| @@ -205,14 +253,14 @@ void SSLErrorHandler::ShowCaptivePortalInterstitial(const GURL& landing_url) { |
| void SSLErrorHandler::ShowSSLInterstitial() { |
| // Show SSL blocking page. The interstitial owns the blocking page. |
| - const Profile* const profile = |
| - Profile::FromBrowserContext(web_contents_->GetBrowserContext()); |
| - RecordUMA(SSLBlockingPage::IsOverridable(options_mask_, profile) |
| + RecordUMA(SSLBlockingPage::IsOverridable(options_mask_, profile_) |
| ? SHOW_SSL_INTERSTITIAL_OVERRIDABLE |
| : SHOW_SSL_INTERSTITIAL_NONOVERRIDABLE); |
| + |
| (new SSLBlockingPage(web_contents_, cert_error_, ssl_info_, request_url_, |
| options_mask_, base::Time::NowFromSystemTime(), |
| - ssl_cert_reporter_.Pass(), callback_))->Show(); |
| + ssl_cert_reporter_.Pass(), callback_)) |
| + ->Show(); |
| // Once an interstitial is displayed, no need to keep the handler around. |
| // This is the equivalent of "delete this". |
| web_contents_->RemoveUserData(UserDataKey()); |
| @@ -255,5 +303,21 @@ void SSLErrorHandler::DeleteSSLErrorHandler() { |
| if (!callback_.is_null()) { |
| base::ResetAndReturn(&callback_).Run(false); |
| } |
| + if (common_name_mismatch_handler_) { |
| + common_name_mismatch_handler_->Cancel(); |
| + common_name_mismatch_handler_.reset(); |
| + } |
| web_contents_->RemoveUserData(UserDataKey()); |
| } |
| + |
| +void SSLErrorHandler::CommonNameMismatchHandlerCallback( |
| + const CommonNameMismatchHandler::SuggestedUrlCheckResult& result, |
| + const GURL& suggested_url) { |
| + timer_.Stop(); |
| + if (result == CommonNameMismatchHandler::SuggestedUrlCheckResult:: |
| + SUGGESTED_URL_AVAILABLE) { |
| + NavigateToSuggestedURL(suggested_url); |
| + } else { |
| + ShowSSLInterstitial(); |
| + } |
| +} |
