| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/base_switches.h" | 5 #include "base/base_switches.h" |
| 6 #include "base/bind.h" | 6 #include "base/bind.h" |
| 7 #include "base/bind_helpers.h" | 7 #include "base/bind_helpers.h" |
| 8 #include "base/callback.h" | 8 #include "base/callback.h" |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| (...skipping 534 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 545 base::RunLoop().RunUntilIdle(); | 545 base::RunLoop().RunUntilIdle(); |
| 546 EXPECT_EQ(std::string(), GetLatestHostnameReported()); | 546 EXPECT_EQ(std::string(), GetLatestHostnameReported()); |
| 547 } | 547 } |
| 548 } | 548 } |
| 549 | 549 |
| 550 net::EmbeddedTestServer https_server_; | 550 net::EmbeddedTestServer https_server_; |
| 551 net::EmbeddedTestServer https_server_expired_; | 551 net::EmbeddedTestServer https_server_expired_; |
| 552 net::EmbeddedTestServer https_server_mismatched_; | 552 net::EmbeddedTestServer https_server_mismatched_; |
| 553 net::SpawnedTestServer wss_server_expired_; | 553 net::SpawnedTestServer wss_server_expired_; |
| 554 | 554 |
| 555 protected: | |
| 556 // Navigates to an interstitial and clicks through the certificate | |
| 557 // error; then navigates to a page at |path| that loads unsafe content. | |
| 558 void SetUpUnsafeContentsWithUserException(const std::string& path) { | |
| 559 ASSERT_TRUE(https_server_.Start()); | |
| 560 // Note that it is necessary to user https_server_mismatched_ here over the | |
| 561 // other invalid cert servers. This is because the test relies on the two | |
| 562 // servers having different hosts since SSL exceptions are per-host, not per | |
| 563 // origin, and https_server_mismatched_ uses 'localhost' rather than | |
| 564 // '127.0.0.1'. | |
| 565 ASSERT_TRUE(https_server_mismatched_.Start()); | |
| 566 | |
| 567 // Navigate to an unsafe site. Proceed with interstitial page to indicate | |
| 568 // the user approves the bad certificate. | |
| 569 ui_test_utils::NavigateToURL( | |
| 570 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); | |
| 571 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | |
| 572 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | |
| 573 AuthState::SHOWING_INTERSTITIAL); | |
| 574 ProceedThroughInterstitial(tab); | |
| 575 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | |
| 576 AuthState::NONE); | |
| 577 | |
| 578 std::string replacement_path; | |
| 579 GetFilePathWithHostAndPortReplacement( | |
| 580 path, https_server_mismatched_.host_port_pair(), &replacement_path); | |
| 581 ui_test_utils::NavigateToURL(browser(), | |
| 582 https_server_.GetURL(replacement_path)); | |
| 583 } | |
| 584 | |
| 585 private: | 555 private: |
| 586 typedef net::SpawnedTestServer::SSLOptions SSLOptions; | 556 typedef net::SpawnedTestServer::SSLOptions SSLOptions; |
| 587 | 557 |
| 588 DISALLOW_COPY_AND_ASSIGN(SSLUITest); | 558 DISALLOW_COPY_AND_ASSIGN(SSLUITest); |
| 589 }; | 559 }; |
| 590 | 560 |
| 591 class SSLUITestBlock : public SSLUITest { | 561 class SSLUITestBlock : public SSLUITest { |
| 592 public: | 562 public: |
| 593 SSLUITestBlock() : SSLUITest() {} | 563 SSLUITestBlock() : SSLUITest() {} |
| 594 | 564 |
| (...skipping 1550 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2145 page_with_unsafe_worker_path)); | 2115 page_with_unsafe_worker_path)); |
| 2146 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2116 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2147 // Expect Worker not to load insecure content. | 2117 // Expect Worker not to load insecure content. |
| 2148 CheckWorkerLoadResult(tab, false); | 2118 CheckWorkerLoadResult(tab, false); |
| 2149 // The bad content is filtered, expect the state to be authenticated. | 2119 // The bad content is filtered, expect the state to be authenticated. |
| 2150 CheckAuthenticatedState(tab, AuthState::NONE); | 2120 CheckAuthenticatedState(tab, AuthState::NONE); |
| 2151 } | 2121 } |
| 2152 | 2122 |
| 2153 // This test, and the related test TestUnsafeContentsWithUserException, verify | 2123 // This test, and the related test TestUnsafeContentsWithUserException, verify |
| 2154 // that if unsafe content is loaded but the host of that unsafe content has a | 2124 // that if unsafe content is loaded but the host of that unsafe content has a |
| 2155 // user exception, the content runs and the security style is downgraded. | 2125 // user exception, the content runs and the security style remains |
| 2126 // authenticated. This is not necessarily the behavior that should exist, but it |
| 2127 // is verification that it does behave that way. See https://crbug.com/477868 |
| 2128 // for more inforamtion on this. |
| 2156 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) { | 2129 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) { |
| 2157 ASSERT_TRUE(https_server_.Start()); | 2130 ASSERT_TRUE(https_server_.Start()); |
| 2158 // Note that it is necessary to user https_server_mismatched_ here over the | 2131 // Note that it is necessary to user https_server_mismatched_ here over the |
| 2159 // other invalid cert servers. This is because the test relies on the two | 2132 // other invalid cert servers. This is because the test relies on the two |
| 2160 // servers having different hosts since SSL exceptions are per-host, not per | 2133 // servers having different hosts since SSL exceptions are per-host, not per |
| 2161 // origin, and https_server_mismatched_ uses 'localhost' rather than | 2134 // origin, and https_server_mismatched_ uses 'localhost' rather than |
| 2162 // '127.0.0.1'. | 2135 // '127.0.0.1'. |
| 2163 ASSERT_TRUE(https_server_mismatched_.Start()); | 2136 ASSERT_TRUE(https_server_mismatched_.Start()); |
| 2164 | 2137 |
| 2165 // Navigate to an unsafe site. Proceed with interstitial page to indicate | 2138 // Navigate to an unsafe site. Proceed with interstitial page to indicate |
| 2166 // the user approves the bad certificate. | 2139 // the user approves the bad certificate. |
| 2167 ui_test_utils::NavigateToURL( | 2140 ui_test_utils::NavigateToURL( |
| 2168 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); | 2141 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); |
| 2169 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2142 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2170 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | 2143 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2171 AuthState::SHOWING_INTERSTITIAL); | 2144 AuthState::SHOWING_INTERSTITIAL); |
| 2172 ProceedThroughInterstitial(tab); | 2145 ProceedThroughInterstitial(tab); |
| 2173 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | 2146 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2174 AuthState::NONE); | 2147 AuthState::NONE); |
| 2175 | 2148 |
| 2176 // Navigate to safe page that has Worker loading unsafe content. | 2149 // Navigate to safe page that has Worker loading unsafe content. |
| 2177 // Expect content to load but be marked as auth broken due to running insecure | 2150 // Expect content to load but be marked as auth broken due to running insecure |
| 2178 // content. | 2151 // content. |
| 2179 std::string page_with_unsafe_worker_path; | 2152 std::string page_with_unsafe_worker_path; |
| 2180 GetPageWithUnsafeWorkerPath(https_server_mismatched_, | 2153 GetPageWithUnsafeWorkerPath(https_server_mismatched_, |
| 2181 &page_with_unsafe_worker_path); | 2154 &page_with_unsafe_worker_path); |
| 2182 ui_test_utils::NavigateToURL( | 2155 ui_test_utils::NavigateToURL( |
| 2183 browser(), https_server_.GetURL(page_with_unsafe_worker_path)); | 2156 browser(), https_server_.GetURL(page_with_unsafe_worker_path)); |
| 2184 CheckWorkerLoadResult(tab, true); // Worker loads insecure content | 2157 CheckWorkerLoadResult(tab, true); // Worker loads insecure content |
| 2185 CheckAuthenticationBrokenState(tab, CertError::NONE, | 2158 CheckAuthenticatedState(tab, CertError::NONE); |
| 2186 AuthState::RAN_INSECURE_CONTENT); | |
| 2187 } | 2159 } |
| 2188 | 2160 |
| 2189 // Visits a page with unsafe content and makes sure that if a user exception to | 2161 // Visits a page with unsafe content and makes sure that if a user exception to |
| 2190 // the certificate error is present, the image is loaded and script executes. | 2162 // the certificate error is present, the image is loaded and script executes. |
| 2163 // |
| 2164 // See the comment above SSLUITest.TestUnsafeContentsInWorkerWithUserException |
| 2165 // for a discussion about the desired behavior. |
| 2191 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) { | 2166 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) { |
| 2167 ASSERT_TRUE(https_server_.Start()); |
| 2168 // Note that it is necessary to user https_server_mismatched_ here over the |
| 2169 // other invalid cert servers. This is because the test relies on the two |
| 2170 // servers having different hosts since SSL exceptions are per-host, not per |
| 2171 // origin, and https_server_mismatched_ uses 'localhost' rather than |
| 2172 // '127.0.0.1'. |
| 2173 ASSERT_TRUE(https_server_mismatched_.Start()); |
| 2174 |
| 2175 // Navigate to an unsafe site. Proceed with interstitial page to indicate |
| 2176 // the user approves the bad certificate. |
| 2177 ui_test_utils::NavigateToURL( |
| 2178 browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html")); |
| 2192 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2179 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2193 ASSERT_NO_FATAL_FAILURE(SetUpUnsafeContentsWithUserException( | 2180 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2194 "/ssl/page_with_unsafe_contents.html")); | 2181 AuthState::SHOWING_INTERSTITIAL); |
| 2195 CheckAuthenticationBrokenState( | 2182 ProceedThroughInterstitial(tab); |
| 2196 tab, CertError::NONE, | 2183 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, |
| 2197 AuthState::RAN_INSECURE_CONTENT | AuthState::DISPLAYED_INSECURE_CONTENT); | 2184 AuthState::NONE); |
| 2198 | 2185 |
| 2199 int img_width; | |
| 2200 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( | |
| 2201 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); | |
| 2202 // In order to check that the image was loaded, we check its width. | |
| 2203 // The actual image (Google logo) is 114 pixels wide, so we assume a good | |
| 2204 // image is greater than 100. | |
| 2205 EXPECT_GT(img_width, 100); | |
| 2206 | |
| 2207 bool js_result = false; | |
| 2208 EXPECT_TRUE(content::ExecuteScriptAndExtractBool( | |
| 2209 tab, "window.domAutomationController.send(IsFooSet());", &js_result)); | |
| 2210 EXPECT_TRUE(js_result); | |
| 2211 | |
| 2212 // Test that active subresources with the same certificate errors as | |
| 2213 // the main resources don't cause mixed content UI downgrades. (Such | |
| 2214 // errors would be confusing and duplicative.) | |
| 2215 std::string replacement_path; | 2186 std::string replacement_path; |
| 2216 GetFilePathWithHostAndPortReplacement( | 2187 GetFilePathWithHostAndPortReplacement( |
| 2217 "/ssl/page_with_unsafe_contents.html", | 2188 "/ssl/page_with_unsafe_contents.html", |
| 2218 https_server_mismatched_.host_port_pair(), &replacement_path); | 2189 https_server_mismatched_.host_port_pair(), &replacement_path); |
| 2219 ui_test_utils::NavigateToURL( | 2190 ui_test_utils::NavigateToURL(browser(), |
| 2220 browser(), https_server_mismatched_.GetURL(replacement_path)); | 2191 https_server_.GetURL(replacement_path)); |
| 2221 js_result = false; | |
| 2222 EXPECT_TRUE(content::ExecuteScriptAndExtractBool( | |
| 2223 tab, "window.domAutomationController.send(IsFooSet());", &js_result)); | |
| 2224 EXPECT_TRUE(js_result); | |
| 2225 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID, | |
| 2226 AuthState::NONE); | |
| 2227 } | |
| 2228 | 2192 |
| 2229 // Like the test above, but only displaying inactive content (an image). | 2193 // When the bad content is filtered, the state is expected to be |
| 2230 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeImageWithUserException) { | 2194 // authenticated. |
| 2231 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 2195 CheckAuthenticatedState(tab, AuthState::NONE); |
| 2232 ASSERT_NO_FATAL_FAILURE( | |
| 2233 SetUpUnsafeContentsWithUserException("/ssl/page_with_unsafe_image.html")); | |
| 2234 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT); | |
| 2235 | 2196 |
| 2236 int img_width; | 2197 int img_width; |
| 2237 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( | 2198 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( |
| 2238 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); | 2199 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); |
| 2239 // In order to check that the image was loaded, we check its width. | 2200 // In order to check that the image was loaded, we check its width. |
| 2240 // The actual image (Google logo) is 114 pixels wide, so we assume a good | 2201 // The actual image (Google logo) is 114 pixels wide, so we assume a good |
| 2241 // image is greater than 100. | 2202 // image is greater than 100. |
| 2242 EXPECT_GT(img_width, 100); | 2203 EXPECT_GT(img_width, 100); |
| 2204 |
| 2205 bool js_result = false; |
| 2206 EXPECT_TRUE(content::ExecuteScriptAndExtractBool( |
| 2207 tab, "window.domAutomationController.send(IsFooSet());", &js_result)); |
| 2208 EXPECT_TRUE(js_result); |
| 2209 CheckAuthenticatedState(tab, CertError::NONE); |
| 2243 } | 2210 } |
| 2244 | 2211 |
| 2245 // Test that when the browser blocks displaying insecure content (images), the | 2212 // Test that when the browser blocks displaying insecure content (images), the |
| 2246 // indicator shows a secure page, because the blocking made the otherwise | 2213 // indicator shows a secure page, because the blocking made the otherwise |
| 2247 // unsafe page safe (the notification of this state is handled by other means). | 2214 // unsafe page safe (the notification of this state is handled by other means). |
| 2248 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) { | 2215 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) { |
| 2249 ASSERT_TRUE(embedded_test_server()->Start()); | 2216 ASSERT_TRUE(embedded_test_server()->Start()); |
| 2250 ASSERT_TRUE(https_server_.Start()); | 2217 ASSERT_TRUE(https_server_.Start()); |
| 2251 | 2218 |
| 2252 std::string replacement_path; | 2219 std::string replacement_path; |
| (...skipping 661 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2914 | 2881 |
| 2915 // Visit a page over https that contains a frame with a redirect. | 2882 // Visit a page over https that contains a frame with a redirect. |
| 2916 | 2883 |
| 2917 // XMLHttpRequest insecure content in synchronous mode. | 2884 // XMLHttpRequest insecure content in synchronous mode. |
| 2918 | 2885 |
| 2919 // XMLHttpRequest insecure content in asynchronous mode. | 2886 // XMLHttpRequest insecure content in asynchronous mode. |
| 2920 | 2887 |
| 2921 // XMLHttpRequest over bad ssl in synchronous mode. | 2888 // XMLHttpRequest over bad ssl in synchronous mode. |
| 2922 | 2889 |
| 2923 // XMLHttpRequest over OK ssl in synchronous mode. | 2890 // XMLHttpRequest over OK ssl in synchronous mode. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1497423002:
Revert of Downgrade lock icon for broken-HTTPS subresources (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master