Do not show untrustworthy strings in the basic auth dialog.

chrome/browser/ui/login/login_prompt.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/login/login_prompt.h"
 
 #include <string>
 #include <vector>
 
 #include "base/bind.h"
@@ skipping 14 matching lines @@
 #include "components/password_manager/core/browser/log_manager.h"
 #include "components/password_manager/core/browser/password_manager.h"
 #include "components/url_formatter/elide_url.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_registrar.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/resource_dispatcher_host.h"
 #include "content/public/browser/resource_request_info.h"
 #include "content/public/browser/web_contents.h"
+#include "content/public/common/origin_util.h"
 #include "net/base/auth.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_util.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/gfx/text_elider.h"
 
 #if defined(ENABLE_EXTENSIONS)
@@ skipping 57 matching lines @@
   WebContents* parent_contents = handler->GetWebContentsForLogin();
   if (!parent_contents)
     return;
   prerender::PrerenderContents* prerender_contents =
       prerender::PrerenderContents::FromWebContents(parent_contents);
   if (prerender_contents) {
     prerender_contents->Destroy(prerender::FINAL_STATUS_AUTH_NEEDED);
     return;
   }
 
-  // The realm is controlled by the remote server, so there is no reason
-  // to believe it is of a reasonable length.
-  base::string16 elided_realm;
-  gfx::ElideString(base::UTF8ToUTF16(auth_info->realm), 120, &elided_realm);
-
   std::string languages;
   content::WebContents* web_contents = handler->GetWebContentsForLogin();
   if (web_contents) {
     Profile* profile =
         Profile::FromBrowserContext(web_contents->GetBrowserContext());
     if (profile)
       languages = profile->GetPrefs()->GetString(prefs::kAcceptLanguages);
   }
 
-  base::string16 authority =
-      url_formatter::FormatUrlForSecurityDisplay(request_url, languages);
+  base::string16 authority = l10n_util::GetStringFUTF16(
+      auth_info->is_proxy ? IDS_LOGIN_DIALOG_PROXY_AUTHORITY
+                          : IDS_LOGIN_DIALOG_AUTHORITY,
+      url_formatter::FormatUrlForSecurityDisplay(request_url, languages));
   base::string16 explanation;
-  if (auth_info->is_proxy) {
-    explanation = elided_realm.empty()
-        ? l10n_util::GetStringFUTF16(
-            IDS_LOGIN_DIALOG_DESCRIPTION_PROXY_NO_REALM, authority)
-        : l10n_util::GetStringFUTF16(IDS_LOGIN_DIALOG_DESCRIPTION_PROXY,
-                                     authority, elided_realm);
-  } else {
-    explanation = elided_realm.empty()
-        ? l10n_util::GetStringFUTF16(IDS_LOGIN_DIALOG_DESCRIPTION_NO_REALM,
-                                     authority)
-        : l10n_util::GetStringFUTF16(IDS_LOGIN_DIALOG_DESCRIPTION, authority,
-                                     elided_realm);
+  if (!content::IsOriginSecure(request_url)) {
+    explanation =
+        l10n_util::GetStringUTF16(IDS_LOGIN_DIALOG_DESCRIPTION_NOT_SECURE);
   }
 
   password_manager::PasswordManager* password_manager =
       handler->GetPasswordManagerForLogin();
 
   if (!password_manager) {
 #if defined(ENABLE_EXTENSIONS)
     // A WebContents in a <webview> (a GuestView type) does not have a password
     // manager, but still needs to be able to show login prompts.
     if (guest_view::GuestViewBase::FromWebContents(parent_contents)) {
-      handler->BuildViewWithoutPasswordManager(explanation);
+      handler->BuildViewWithoutPasswordManager(authority, explanation);
       return;
     }
 #endif
     handler->CancelAuth();
     return;
   }
 
   if (password_manager &&
       password_manager->client()->GetLogManager()->IsLoggingActive()) {
     password_manager::BrowserSavePasswordProgressLogger logger(
         password_manager->client()->GetLogManager());
     logger.LogMessage(
         autofill::SavePasswordProgressLogger::STRING_SHOW_LOGIN_PROMPT_METHOD);
   }
 
   PasswordForm observed_form(
       MakeInputForPasswordManager(request_url, auth_info));
-  handler->BuildViewWithPasswordManager(explanation, password_manager,
-                                        observed_form);
+  handler->BuildViewWithPasswordManager(authority, explanation,
+                                        password_manager, observed_form);
 }
 
 }  // namespace
 
 // ----------------------------------------------------------------------------
 // LoginHandler
 
 LoginHandler::LoginModelData::LoginModelData(
     password_manager::LoginModel* login_model,
     const autofill::PasswordForm& observed_form)
@@ skipping 35 matching lines @@
   // Reference is no longer valid.
   request_ = NULL;
 
   // Give up on auth if the request was cancelled. Since the dialog was canceled
   // by the ResourceLoader and not the user, we should cancel the navigation as
   // well. This can happen when a new navigation interrupts the current one.
   DoCancelAuth(true);
 }
 
 void LoginHandler::BuildViewWithPasswordManager(
+    const base::string16& authority,
     const base::string16& explanation,
     password_manager::PasswordManager* password_manager,
     const autofill::PasswordForm& observed_form) {
   password_manager_ = password_manager;
   password_form_ = observed_form;
   LoginHandler::LoginModelData model_data(password_manager, observed_form);
-  BuildViewImpl(explanation, &model_data);
+  BuildViewImpl(authority, explanation, &model_data);
 }
 
 void LoginHandler::BuildViewWithoutPasswordManager(
+    const base::string16& authority,
     const base::string16& explanation) {
-  BuildViewImpl(explanation, nullptr);
+  BuildViewImpl(authority, explanation, nullptr);
 }
 
 WebContents* LoginHandler::GetWebContentsForLogin() const {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 
   content::RenderFrameHost* rfh = content::RenderFrameHost::FromID(
       render_process_host_id_, render_frame_id_);
   return WebContents::FromRenderFrameHost(rfh);
 }
 
@@ skipping 367 matching lines @@
     signon_realm = auth_info.challenger.ToString();
     signon_realm.append("/");
   } else {
     // Take scheme, host, and port from the url.
     signon_realm = url.GetOrigin().spec();
     // This ends with a "/".
   }
   signon_realm.append(auth_info.realm);
   return signon_realm;
 }