| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/base_switches.h" | 5 #include "base/base_switches.h" |
| 6 #include "base/bind.h" | 6 #include "base/bind.h" |
| 7 #include "base/bind_helpers.h" | 7 #include "base/bind_helpers.h" |
| 8 #include "base/callback.h" | 8 #include "base/callback.h" |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| (...skipping 532 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 543 base::RunLoop().RunUntilIdle(); | 543 base::RunLoop().RunUntilIdle(); |
| 544 EXPECT_EQ(std::string(), GetLatestHostnameReported()); | 544 EXPECT_EQ(std::string(), GetLatestHostnameReported()); |
| 545 } | 545 } |
| 546 } | 546 } |
| 547 | 547 |
| 548 net::EmbeddedTestServer https_server_; | 548 net::EmbeddedTestServer https_server_; |
| 549 net::EmbeddedTestServer https_server_expired_; | 549 net::EmbeddedTestServer https_server_expired_; |
| 550 net::EmbeddedTestServer https_server_mismatched_; | 550 net::EmbeddedTestServer https_server_mismatched_; |
| 551 net::SpawnedTestServer wss_server_expired_; | 551 net::SpawnedTestServer wss_server_expired_; |
| 552 | 552 |
| 553 protected: |
| 554 // Navigates to an interstitial and clicks through the certificate |
| 555 // error; then navigates to a page at |path| that loads unsafe content. |
| 556 void SetUpUnsafeContentsWithUserException(const std::string& path) { |
| 557 ASSERT_TRUE(https_server_.Start()); |
| 558 // Note that it is necessary to user https_server_mismatched_ here over the |
| 559 // other invalid cert servers. This is because the test relies on the two |
| 560 // servers having different hosts since SSL exceptions are per-host, not per |
| 561 // origin, and https_server_mismatched_ uses 'localhost' rather than |
| 562 // '127.0.0.1'. |
| 563 ASSERT_TRUE(https_server_mismatched_.Start()); |
| 564 |
| 565 // Navigate to an unsafe site. Proceed with interstitial page to indicate |
| 566 // the user approves the bad certificate. |
| 567 ui_test_utils::NavigateToURL( |
| 568 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); |
| 569 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 570 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 571 AuthState::SHOWING_INTERSTITIAL); |
| 572 ProceedThroughInterstitial(tab); |
| 573 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 574 AuthState::NONE); |
| 575 |
| 576 std::string replacement_path; |
| 577 GetFilePathWithHostAndPortReplacement( |
| 578 path, https_server_mismatched_.host_port_pair(), &replacement_path); |
| 579 ui_test_utils::NavigateToURL(browser(), |
| 580 https_server_.GetURL(replacement_path)); |
| 581 } |
| 582 |
| 553 private: | 583 private: |
| 554 typedef net::SpawnedTestServer::SSLOptions SSLOptions; | 584 typedef net::SpawnedTestServer::SSLOptions SSLOptions; |
| 555 | 585 |
| 556 DISALLOW_COPY_AND_ASSIGN(SSLUITest); | 586 DISALLOW_COPY_AND_ASSIGN(SSLUITest); |
| 557 }; | 587 }; |
| 558 | 588 |
| 559 class SSLUITestBlock : public SSLUITest { | 589 class SSLUITestBlock : public SSLUITest { |
| 560 public: | 590 public: |
| 561 SSLUITestBlock() : SSLUITest() {} | 591 SSLUITestBlock() : SSLUITest() {} |
| 562 | 592 |
| (...skipping 1547 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2110 page_with_unsafe_worker_path)); | 2140 page_with_unsafe_worker_path)); |
| 2111 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2141 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2112 // Expect Worker not to load insecure content. | 2142 // Expect Worker not to load insecure content. |
| 2113 CheckWorkerLoadResult(tab, false); | 2143 CheckWorkerLoadResult(tab, false); |
| 2114 // The bad content is filtered, expect the state to be authenticated. | 2144 // The bad content is filtered, expect the state to be authenticated. |
| 2115 CheckAuthenticatedState(tab, AuthState::NONE); | 2145 CheckAuthenticatedState(tab, AuthState::NONE); |
| 2116 } | 2146 } |
| 2117 | 2147 |
| 2118 // This test, and the related test TestUnsafeContentsWithUserException, verify | 2148 // This test, and the related test TestUnsafeContentsWithUserException, verify |
| 2119 // that if unsafe content is loaded but the host of that unsafe content has a | 2149 // that if unsafe content is loaded but the host of that unsafe content has a |
| 2120 // user exception, the content runs and the security style remains | 2150 // user exception, the content runs and the security style is downgraded. |
| 2121 // authenticated. This is not necessarily the behavior that should exist, but it | |
| 2122 // is verification that it does behave that way. See https://crbug.com/477868 | |
| 2123 // for more inforamtion on this. | |
| 2124 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) { | 2151 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) { |
| 2125 ASSERT_TRUE(https_server_.Start()); | 2152 ASSERT_TRUE(https_server_.Start()); |
| 2126 // Note that it is necessary to user https_server_mismatched_ here over the | 2153 // Note that it is necessary to user https_server_mismatched_ here over the |
| 2127 // other invalid cert servers. This is because the test relies on the two | 2154 // other invalid cert servers. This is because the test relies on the two |
| 2128 // servers having different hosts since SSL exceptions are per-host, not per | 2155 // servers having different hosts since SSL exceptions are per-host, not per |
| 2129 // origin, and https_server_mismatched_ uses 'localhost' rather than | 2156 // origin, and https_server_mismatched_ uses 'localhost' rather than |
| 2130 // '127.0.0.1'. | 2157 // '127.0.0.1'. |
| 2131 ASSERT_TRUE(https_server_mismatched_.Start()); | 2158 ASSERT_TRUE(https_server_mismatched_.Start()); |
| 2132 | 2159 |
| 2133 // Navigate to an unsafe site. Proceed with interstitial page to indicate | 2160 // Navigate to an unsafe site. Proceed with interstitial page to indicate |
| 2134 // the user approves the bad certificate. | 2161 // the user approves the bad certificate. |
| 2135 ui_test_utils::NavigateToURL( | 2162 ui_test_utils::NavigateToURL( |
| 2136 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); | 2163 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); |
| 2137 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2164 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2138 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | 2165 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2139 AuthState::SHOWING_INTERSTITIAL); | 2166 AuthState::SHOWING_INTERSTITIAL); |
| 2140 ProceedThroughInterstitial(tab); | 2167 ProceedThroughInterstitial(tab); |
| 2141 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | 2168 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2142 AuthState::NONE); | 2169 AuthState::NONE); |
| 2143 | 2170 |
| 2144 // Navigate to safe page that has Worker loading unsafe content. | 2171 // Navigate to safe page that has Worker loading unsafe content. |
| 2145 // Expect content to load but be marked as auth broken due to running insecure | 2172 // Expect content to load but be marked as auth broken due to running insecure |
| 2146 // content. | 2173 // content. |
| 2147 std::string page_with_unsafe_worker_path; | 2174 std::string page_with_unsafe_worker_path; |
| 2148 GetPageWithUnsafeWorkerPath(https_server_mismatched_, | 2175 GetPageWithUnsafeWorkerPath(https_server_mismatched_, |
| 2149 &page_with_unsafe_worker_path); | 2176 &page_with_unsafe_worker_path); |
| 2150 ui_test_utils::NavigateToURL( | 2177 ui_test_utils::NavigateToURL( |
| 2151 browser(), https_server_.GetURL(page_with_unsafe_worker_path)); | 2178 browser(), https_server_.GetURL(page_with_unsafe_worker_path)); |
| 2152 CheckWorkerLoadResult(tab, true); // Worker loads insecure content | 2179 CheckWorkerLoadResult(tab, true); // Worker loads insecure content |
| 2153 CheckAuthenticatedState(tab, CertError::NONE); | 2180 CheckAuthenticationBrokenState(tab, CertError::NONE, |
| 2181 AuthState::RAN_INSECURE_CONTENT); |
| 2154 } | 2182 } |
| 2155 | 2183 |
| 2156 // Visits a page with unsafe content and makes sure that if a user exception to | 2184 // Visits a page with unsafe content and makes sure that if a user exception to |
| 2157 // the certificate error is present, the image is loaded and script executes. | 2185 // the certificate error is present, the image is loaded and script executes. |
| 2158 // | |
| 2159 // See the comment above SSLUITest.TestUnsafeContentsInWorkerWithUserException | |
| 2160 // for a discussion about the desired behavior. | |
| 2161 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) { | 2186 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) { |
| 2162 ASSERT_TRUE(https_server_.Start()); | 2187 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2163 // Note that it is necessary to user https_server_mismatched_ here over the | 2188 ASSERT_NO_FATAL_FAILURE(SetUpUnsafeContentsWithUserException( |
| 2164 // other invalid cert servers. This is because the test relies on the two | 2189 "/ssl/page_with_unsafe_contents.html")); |
| 2165 // servers having different hosts since SSL exceptions are per-host, not per | 2190 CheckAuthenticationBrokenState( |
| 2166 // origin, and https_server_mismatched_ uses 'localhost' rather than | 2191 tab, CertError::NONE, |
| 2167 // '127.0.0.1'. | 2192 AuthState::RAN_INSECURE_CONTENT | AuthState::DISPLAYED_INSECURE_CONTENT); |
| 2168 ASSERT_TRUE(https_server_mismatched_.Start()); | |
| 2169 | 2193 |
| 2170 // Navigate to an unsafe site. Proceed with interstitial page to indicate | 2194 int img_width; |
| 2171 // the user approves the bad certificate. | 2195 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( |
| 2172 ui_test_utils::NavigateToURL( | 2196 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); |
| 2173 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); | 2197 // In order to check that the image was loaded, we check its width. |
| 2174 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2198 // The actual image (Google logo) is 114 pixels wide, so we assume a good |
| 2175 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | 2199 // image is greater than 100. |
| 2176 AuthState::SHOWING_INTERSTITIAL); | 2200 EXPECT_GT(img_width, 100); |
| 2177 ProceedThroughInterstitial(tab); | |
| 2178 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | |
| 2179 AuthState::NONE); | |
| 2180 | 2201 |
| 2202 bool js_result = false; |
| 2203 EXPECT_TRUE(content::ExecuteScriptAndExtractBool( |
| 2204 tab, "window.domAutomationController.send(IsFooSet());", &js_result)); |
| 2205 EXPECT_TRUE(js_result); |
| 2206 |
| 2207 // Test that active subresources with the same certificate errors as |
| 2208 // the main resources don't cause mixed content UI downgrades. (Such |
| 2209 // errors would be confusing and duplicative.) |
| 2181 std::string replacement_path; | 2210 std::string replacement_path; |
| 2182 GetFilePathWithHostAndPortReplacement( | 2211 GetFilePathWithHostAndPortReplacement( |
| 2183 "/ssl/page_with_unsafe_contents.html", | 2212 "/ssl/page_with_unsafe_contents.html", |
| 2184 https_server_mismatched_.host_port_pair(), &replacement_path); | 2213 https_server_mismatched_.host_port_pair(), &replacement_path); |
| 2185 ui_test_utils::NavigateToURL(browser(), | 2214 ui_test_utils::NavigateToURL( |
| 2186 https_server_.GetURL(replacement_path)); | 2215 browser(), https_server_mismatched_.GetURL(replacement_path)); |
| 2216 js_result = false; |
| 2217 EXPECT_TRUE(content::ExecuteScriptAndExtractBool( |
| 2218 tab, "window.domAutomationController.send(IsFooSet());", &js_result)); |
| 2219 EXPECT_TRUE(js_result); |
| 2220 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2221 AuthState::NONE); |
| 2222 } |
| 2187 | 2223 |
| 2188 // When the bad content is filtered, the state is expected to be | 2224 // Like the test above, but only displaying inactive content (an image). |
| 2189 // authenticated. | 2225 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeImageWithUserException) { |
| 2190 CheckAuthenticatedState(tab, AuthState::NONE); | 2226 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2227 ASSERT_NO_FATAL_FAILURE( |
| 2228 SetUpUnsafeContentsWithUserException("/ssl/page_with_unsafe_image.html")); |
| 2229 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT); |
| 2191 | 2230 |
| 2192 int img_width; | 2231 int img_width; |
| 2193 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( | 2232 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( |
| 2194 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); | 2233 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); |
| 2195 // In order to check that the image was loaded, we check its width. | 2234 // In order to check that the image was loaded, we check its width. |
| 2196 // The actual image (Google logo) is 114 pixels wide, so we assume a good | 2235 // The actual image (Google logo) is 114 pixels wide, so we assume a good |
| 2197 // image is greater than 100. | 2236 // image is greater than 100. |
| 2198 EXPECT_GT(img_width, 100); | 2237 EXPECT_GT(img_width, 100); |
| 2199 | |
| 2200 bool js_result = false; | |
| 2201 EXPECT_TRUE(content::ExecuteScriptAndExtractBool( | |
| 2202 tab, "window.domAutomationController.send(IsFooSet());", &js_result)); | |
| 2203 EXPECT_TRUE(js_result); | |
| 2204 CheckAuthenticatedState(tab, CertError::NONE); | |
| 2205 } | 2238 } |
| 2206 | 2239 |
| 2207 // Test that when the browser blocks displaying insecure content (images), the | 2240 // Test that when the browser blocks displaying insecure content (images), the |
| 2208 // indicator shows a secure page, because the blocking made the otherwise | 2241 // indicator shows a secure page, because the blocking made the otherwise |
| 2209 // unsafe page safe (the notification of this state is handled by other means). | 2242 // unsafe page safe (the notification of this state is handled by other means). |
| 2210 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) { | 2243 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) { |
| 2211 ASSERT_TRUE(embedded_test_server()->Start()); | 2244 ASSERT_TRUE(embedded_test_server()->Start()); |
| 2212 ASSERT_TRUE(https_server_.Start()); | 2245 ASSERT_TRUE(https_server_.Start()); |
| 2213 | 2246 |
| 2214 std::string replacement_path; | 2247 std::string replacement_path; |
| (...skipping 661 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2876 | 2909 |
| 2877 // Visit a page over https that contains a frame with a redirect. | 2910 // Visit a page over https that contains a frame with a redirect. |
| 2878 | 2911 |
| 2879 // XMLHttpRequest insecure content in synchronous mode. | 2912 // XMLHttpRequest insecure content in synchronous mode. |
| 2880 | 2913 |
| 2881 // XMLHttpRequest insecure content in asynchronous mode. | 2914 // XMLHttpRequest insecure content in asynchronous mode. |
| 2882 | 2915 |
| 2883 // XMLHttpRequest over bad ssl in synchronous mode. | 2916 // XMLHttpRequest over bad ssl in synchronous mode. |
| 2884 | 2917 |
| 2885 // XMLHttpRequest over OK ssl in synchronous mode. | 2918 // XMLHttpRequest over OK ssl in synchronous mode. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1415923015:
Downgrade lock icon for broken-HTTPS subresources (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master