Surface SCT (Signed Certificate Timestamp) counts in the Security panel.

chrome/browser/ui/browser.cc

Index: chrome/browser/ui/browser.cc
diff --git a/chrome/browser/ui/browser.cc b/chrome/browser/ui/browser.cc
index 717381dfc44ad34716308ce06f5a11385705195a..dc7dddb6d45e8a4ab24b07f9fbe03960d41ff83d 100644
--- a/chrome/browser/ui/browser.cc
+++ b/chrome/browser/ui/browser.cc
@@ -1414,6 +1414,34 @@ content::SecurityStyle Browser::GetSecurityStyle(
   return security_style;
 }
 
+void Browser::GetCertificateTransparencySummary(bool is_valid_ev,

[pfeldman, 2016/01/23 01:04:55]

So we are introducing remote debugging method so that we could format the string
here? Provided that this is low level info and we don't localize devtools,
cloning this message format would make more sense.

[lgarron, 2016/01/23 01:20:15]

Yes, exactly. :-/
My impression (Ryan, feel free to chip in) is that this strictly a
//chrome-layer policy, and that lower levels should not make any assumptions
about the specific policy.
We can talk to the networking team about what they're comfortable with if you'd
prefer. Perhaps there's a way to do it near `web_url_loader_impl`.

[Ryan Sleevi, 2016/01/23 01:24:34]

I'm not sure I understand what you're asking.

[lgarron, 2016/01/26 02:33:26]

Fundamentally, this CL is about calculating a string using the logic right below
this comment.

Two questions:
1) Does this logic need to live in //chrome?
2) If not, does this logic still need to live in the browser process?


{1: no, 2: no}
We can do what Pavel wants and implement this logic in SecurityPanel.js.


{1: no, 2: yes}
We can place the logic in `web_url_loader_impl` (specifically,
`content/child/web_url_loader_impl.cc::SetSecurityStyleAndDetails ()`).
This is the place where we deserialize security info and stick it into the
request's ResourceResponse, conditional on DevTools asking for us to attach this
info. [1]

(InspectorResourceAgent takes this ResourceResponse and uses it to send
information to DevTools at [1].)


{1: yes, 2: yes}
- a) Attach the string to the serialized security info for every request
(inefficient).
- b) Call up to `//chrome` before sending security info for a request to
DevTools (e.g. in `web_url_loader_impl`).
- c) Call up to `//chrome` using a new DevTools protocol command (current
approach in this CL).


My impression is that the answers are {1: yes, 2: yes}, and that c) is the most
idiomatic way to do this.


Here's what I meant with "near `web_url_loader_impl`":
- If the answer is {1: no, 2: yes}, then this is straightforward.
- If we want option b) for {1: yes, 2: yes} we need to find a way to call up to
//chrome from  `web_url_loader_impl`
- If I didn't quite lay out the options correctly, it may be appropriate to do
something else at `web_url_loader_impl`.


Ryan, which of these options seem acceptable to you?


[1]
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

+                                                int num_unknown_scts,
+                                                int num_invalid_scts,
+                                                int num_valid_scts,
+                                                std::string* summary) {
+  if (num_unknown_scts == 0 && num_invalid_scts == 0 && num_valid_scts == 0) {
+    // No SCTs - no CT information.
+    *summary =
+        l10n_util::GetStringUTF8(IDS_SIGNED_CERTIFICATE_TIMESTAMPS_NOT_PRESENT);
+  } else if (num_valid_scts > 0) {
+    // Any valid SCT.
+    if (is_valid_ev)
+      *summary =
+          l10n_util::GetStringUTF8(IDS_SIGNED_CERTIFICATE_TIMESTAMPS_VALID_EV);
+    else
+      *summary =
+          l10n_util::GetStringUTF8(IDS_SIGNED_CERTIFICATE_TIMESTAMPS_VALID);
+  } else if (num_invalid_scts > 0) {
+    // Any invalid SCT.
+    *summary =
+        l10n_util::GetStringUTF8(IDS_SIGNED_CERTIFICATE_TIMESTAMPS_INVALID);
+  } else {
+    // All SCTs are from unknown logs.
+    *summary =
+        l10n_util::GetStringUTF8(IDS_SIGNED_CERTIFICATE_TIMESTAMPS_UNKNOWN);
+  }
+}
+
 void Browser::ShowCertificateViewerInDevTools(
     content::WebContents* web_contents, int cert_id) {
   DevToolsWindow* devtools_window =