Move mixed content settings histograms into browser

chrome/browser/content_settings/tab_specific_content_settings.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/content_settings/tab_specific_content_settings.h"
 
 #include <list>
 
 #include "base/command_line.h"
 #include "base/lazy_instance.h"
+#include "base/metrics/histogram.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
 #include "chrome/browser/browsing_data/browsing_data_appcache_helper.h"
 #include "chrome/browser/browsing_data/browsing_data_cookie_helper.h"
 #include "chrome/browser/browsing_data/browsing_data_database_helper.h"
 #include "chrome/browser/browsing_data/browsing_data_file_system_helper.h"
 #include "chrome/browser/browsing_data/browsing_data_indexed_db_helper.h"
 #include "chrome/browser/browsing_data/browsing_data_local_storage_helper.h"
@@ skipping 29 matching lines @@
 
 using content::BrowserThread;
 using content::NavigationController;
 using content::NavigationEntry;
 using content::WebContents;
 
 DEFINE_WEB_CONTENTS_USER_DATA_KEY(TabSpecificContentSettings);
 
 namespace {
 
+enum {
+  INSECURE_CONTENT_DISPLAY = 0,
+  INSECURE_CONTENT_DISPLAY_HOST_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_WWW_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HTML,
+  INSECURE_CONTENT_RUN,
+  INSECURE_CONTENT_RUN_HOST_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_WWW_GOOGLE,
+  INSECURE_CONTENT_RUN_TARGET_YOUTUBE,
+  INSECURE_CONTENT_RUN_JS,
+  INSECURE_CONTENT_RUN_CSS,
+  INSECURE_CONTENT_RUN_SWF,
+  INSECURE_CONTENT_DISPLAY_HOST_YOUTUBE,
+  INSECURE_CONTENT_RUN_HOST_YOUTUBE,
+  INSECURE_CONTENT_RUN_HOST_GOOGLEUSERCONTENT,
+  INSECURE_CONTENT_DISPLAY_HOST_MAIL_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_MAIL_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_PLUS_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_PLUS_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_DOCS_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_DOCS_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_SITES_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_SITES_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_PICASAWEB_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_PICASAWEB_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_READER,
+  INSECURE_CONTENT_RUN_HOST_GOOGLE_READER,
+  INSECURE_CONTENT_DISPLAY_HOST_CODE_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_CODE_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_GROUPS_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_GROUPS_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_MAPS_GOOGLE,
+  INSECURE_CONTENT_RUN_HOST_MAPS_GOOGLE,
+  INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_SUPPORT,
+  INSECURE_CONTENT_RUN_HOST_GOOGLE_SUPPORT,
+  INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_INTL,
+  INSECURE_CONTENT_RUN_HOST_GOOGLE_INTL,
+  INSECURE_CONTENT_NUM_EVENTS
+};
+
+// Constants for UMA statistic collection.
+static const char kWWWDotGoogleDotCom[] = "www.google.com";
+static const char kMailDotGoogleDotCom[] = "mail.google.com";
+static const char kPlusDotGoogleDotCom[] = "plus.google.com";
+static const char kDocsDotGoogleDotCom[] = "docs.google.com";
+static const char kSitesDotGoogleDotCom[] = "sites.google.com";
+static const char kPicasawebDotGoogleDotCom[] = "picasaweb.google.com";
+static const char kCodeDotGoogleDotCom[] = "code.google.com";
+static const char kGroupsDotGoogleDotCom[] = "groups.google.com";
+static const char kMapsDotGoogleDotCom[] = "maps.google.com";
+static const char kWWWDotYoutubeDotCom[] = "www.youtube.com";
+static const char kDotGoogleUserContentDotCom[] = ".googleusercontent.com";
+static const char kGoogleReaderPathPrefix[] = "/reader/";
+static const char kGoogleSupportPathPrefix[] = "/support/";
+static const char kGoogleIntlPathPrefix[] = "/intl/";
+static const char kDotJS[] = ".js";
+static const char kDotCSS[] = ".css";
+static const char kDotSWF[] = ".swf";
+static const char kDotHTML[] = ".html";
+
+// Constants for mixed-content blocking.
+static const char kGoogleDotCom[] = "google.com";
+
+static bool IsHostInDomain(const std::string& host, const std::string& domain) {
+  return (base::EndsWith(host, domain, base::CompareCase::INSENSITIVE_ASCII) &&
+          (host.length() == domain.length() ||
+           (host.length() > domain.length() &&
+            host[host.length() - domain.length() - 1] == '.')));
+}
+
+static void SendInsecureContentSignal(int signal) {
+  UMA_HISTOGRAM_ENUMERATION("SSL.InsecureContent", signal,
+                            INSECURE_CONTENT_NUM_EVENTS);
+}
+
 ContentSettingsUsagesState::CommittedDetails GetCommittedDetails(
     const content::LoadCommittedDetails& details) {
   ContentSettingsUsagesState::CommittedDetails committed_details;
   committed_details.current_url_valid = !!details.entry;
   if (details.entry)
     committed_details.current_url = details.entry->GetURL();
   committed_details.previous_url = details.previous_url;
   return committed_details;
 }
 
@@ skipping 717 matching lines @@
                                                   bool blocked_by_policy) {
   if (blocked_by_policy) {
     blocked_local_shared_objects_.appcaches()->AddAppCache(manifest_url);
     OnContentBlocked(CONTENT_SETTINGS_TYPE_COOKIES);
   } else {
     allowed_local_shared_objects_.appcaches()->AddAppCache(manifest_url);
     OnContentAllowed(CONTENT_SETTINGS_TYPE_COOKIES);
   }
 }
 
+void TabSpecificContentSettings::OnTriedDisplayingInsecureContent(
+    content::RenderFrameHost* rfh,
+    const GURL& origin,
+    const GURL& url) {

[alexmos, 2016/01/09 01:39:02]

It's a little unclear what origin and url refer to (here and elsewhere).  Maybe
something like mixed_frame_origin and resource_url?  Although mixed_frame_origin
is probably also confusing and would need to be explained.

+  std::string origin_host(origin.host());
+  GURL frame_gurl(rfh->GetLastCommittedURL());
+  DCHECK_EQ(frame_gurl.host(), origin_host);

[alexmos, 2016/01/09 01:39:02]

Hmm, I'm thinking there may be a race here, where the top frame is navigating to
a new URL in parallel to mixed content occurring.  In that case,
GetLastCommittedURL might return the new URL, whereas the origin from the
renderer is old and thus may not match.  

Charlie, I know you know about many such races - is such a situation possible? 
The context here is A-embed-B, B has a mixed image, and B sends up an IPC to A's
RFPH, which ends up here (rfh is for A) to record histograms.

Also, couldn't we just get the origin on the browser side as well, rather than
passing it from the renderer?  We now have
RenderFrameHost::GetLastCommittedOrigin.  This would at least make the origin
and URL consistent, though possibly out of sync with the renderer due to race
above, but maybe that's ok for histograms?   This also wouldn't let the renderer
lie about the origin.

All that said, I think the DCHECK is still problematic, because the origin and
URL may be inconsistent in certain scenarios (e.g., when origin is inherited
from parent for about:blank).

[Charlie Reis, 2016/01/12 18:10:47]

Yes, this race is possible.  See the documentation for both GetLastCommittedURL
and GetLastCommittedOrigin on RenderFrameHost-- those methods are confusing
because they actually return the FrameTreeNode's current RenderFrameHost's
URL/origin, even when you call them on a different RenderFrameHost (e.g., one
that has just been replaced during a cross-process navigation).  We're looking
at ways to improve them, but it's tricky since FrameTreeNode isn't exposed
publicly.

Here, you could receive this OnTriedDisplayingInsecureContent IPC from a RFH
that was just replaced by a new RFH, and both the last committed URL and origin
would be from the new RFH.

+  SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY);
+
+  if (IsHostInDomain(origin_host, kGoogleDotCom)) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE);
+    if (base::StartsWith(frame_gurl.path(), kGoogleSupportPathPrefix,
+                         base::CompareCase::INSENSITIVE_ASCII)) {
+      SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_SUPPORT);
+    } else if (base::StartsWith(frame_gurl.path(), kGoogleIntlPathPrefix,
+                                base::CompareCase::INSENSITIVE_ASCII)) {
+      SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_INTL);
+    }
+  }
+
+  if (origin_host == kWWWDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_WWW_GOOGLE);
+    if (base::StartsWith(frame_gurl.path(), kGoogleReaderPathPrefix,

[alexmos, 2016/01/09 01:39:02]

Another thought: there are three uses of frame_gurl.path().  Do we know that we
still need to record histograms for all three?  I'd bet this Reader one isn't
needed anymore, but unsure about others.  Maybe we could avoid needing the
remote frame's URL if we can deprecate these three stats?

+                         base::CompareCase::INSENSITIVE_ASCII))
+      SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_READER);
+  } else if (origin_host == kMailDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_MAIL_GOOGLE);
+  } else if (origin_host == kPlusDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_PLUS_GOOGLE);
+  } else if (origin_host == kDocsDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_DOCS_GOOGLE);
+  } else if (origin_host == kSitesDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_SITES_GOOGLE);
+  } else if (origin_host == kPicasawebDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_PICASAWEB_GOOGLE);
+  } else if (origin_host == kCodeDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_CODE_GOOGLE);
+  } else if (origin_host == kGroupsDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GROUPS_GOOGLE);
+  } else if (origin_host == kMapsDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_MAPS_GOOGLE);
+  } else if (origin_host == kWWWDotYoutubeDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_YOUTUBE);
+  }
+
+  if (base::EndsWith(url.path(), kDotHTML,
+                     base::CompareCase::INSENSITIVE_ASCII))
+    SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HTML);
+}
+
+void TabSpecificContentSettings::OnTriedRunningInsecureContent(
+    content::RenderFrameHost* rfh,
+    const GURL& origin,
+    const GURL& url) {
+  std::string origin_host(origin.host());
+  GURL frame_gurl(rfh->GetLastCommittedURL());
+  DCHECK_EQ(frame_gurl.host(), origin_host);
+
+  bool is_google = IsHostInDomain(origin_host, kGoogleDotCom);
+  if (is_google) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE);
+    if (base::StartsWith(frame_gurl.path(), kGoogleSupportPathPrefix,
+                         base::CompareCase::INSENSITIVE_ASCII)) {
+      SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE_SUPPORT);
+    } else if (base::StartsWith(frame_gurl.path(), kGoogleIntlPathPrefix,
+                                base::CompareCase::INSENSITIVE_ASCII)) {
+      SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE_INTL);
+    }
+  }
+
+  if (origin_host == kWWWDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_WWW_GOOGLE);
+    if (base::StartsWith(frame_gurl.path(), kGoogleReaderPathPrefix,
+                         base::CompareCase::INSENSITIVE_ASCII))
+      SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE_READER);
+  } else if (origin_host == kMailDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_MAIL_GOOGLE);
+  } else if (origin_host == kPlusDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_PLUS_GOOGLE);
+  } else if (origin_host == kDocsDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_DOCS_GOOGLE);
+  } else if (origin_host == kSitesDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_SITES_GOOGLE);
+  } else if (origin_host == kPicasawebDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_PICASAWEB_GOOGLE);
+  } else if (origin_host == kCodeDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_CODE_GOOGLE);
+  } else if (origin_host == kGroupsDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GROUPS_GOOGLE);
+  } else if (origin_host == kMapsDotGoogleDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_MAPS_GOOGLE);
+  } else if (origin_host == kWWWDotYoutubeDotCom) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_YOUTUBE);
+  } else if (base::EndsWith(origin_host, kDotGoogleUserContentDotCom,
+                            base::CompareCase::INSENSITIVE_ASCII)) {
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLEUSERCONTENT);
+  }
+
+  if (url.host() == kWWWDotYoutubeDotCom)
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_TARGET_YOUTUBE);
+
+  if (base::EndsWith(url.path(), kDotJS, base::CompareCase::INSENSITIVE_ASCII))
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_JS);
+  else if (base::EndsWith(url.path(), kDotCSS,
+                          base::CompareCase::INSENSITIVE_ASCII))
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_CSS);
+  else if (base::EndsWith(url.path(), kDotSWF,
+                          base::CompareCase::INSENSITIVE_ASCII))
+    SendInsecureContentSignal(INSECURE_CONTENT_RUN_SWF);
+}
+
 void TabSpecificContentSettings::AddSiteDataObserver(
     SiteDataObserver* observer) {
   observer_list_.AddObserver(observer);
 }
 
 void TabSpecificContentSettings::RemoveSiteDataObserver(
     SiteDataObserver* observer) {
   observer_list_.RemoveObserver(observer);
 }
 
@@ skipping 38 matching lines @@
       static_cast<MicrophoneCameraStateFlags>(
           TabSpecificContentSettings::MICROPHONE_ACCESSED |
           TabSpecificContentSettings::MICROPHONE_BLOCKED |
           TabSpecificContentSettings::CAMERA_ACCESSED |
           TabSpecificContentSettings::CAMERA_BLOCKED);
   OnMediaStreamPermissionSet(
       web_contents()->GetLastCommittedURL(),
       media_blocked,
       std::string(), std::string(), std::string(), std::string());
 }