Downgrade page security if an inline has invalid certificate.

chrome/browser/ssl/ssl_browser_tests.cc

Index: chrome/browser/ssl/ssl_browser_tests.cc
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index bcf8cf123c4db3449f87c32ae54814fd4562e198..a995e9178c21972a38c755aef5cd00215f4c70b2 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -1076,6 +1076,43 @@ IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRunsCachedInsecureContent) {
   CheckAuthenticationBrokenState(tab, 0, true, false);
 }
 
+IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysInlineUsingInvalidCertificate) {
+  ASSERT_TRUE(https_server_mismatched_.Start());
+  ASSERT_TRUE(https_server_.Start());
+
+  // Load the image using insecure server.
+  GURL url(https_server_mismatched_.GetURL("files/ssl/google_files/logo.gif"));
+  ui_test_utils::NavigateToURL(browser(), url);
+
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  CheckAuthenticationBrokenState(
+      tab, net::CERT_STATUS_COMMON_NAME_INVALID, false, true);
+  ProceedThroughInterstitial(tab);
+  CheckAuthenticationBrokenState(
+      tab, net::CERT_STATUS_COMMON_NAME_INVALID, false, false);
+
+  // Load the webpage using secure server.
+  std::string replacement_path;
+  ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
+      "files/ssl/page_with_dynamic_insecure_content.html",
+      https_server_mismatched_.host_port_pair(),
+      &replacement_path));
+  ui_test_utils::NavigateToURL(browser(),
+                               https_server_.GetURL(replacement_path));
+  CheckAuthenticatedState(tab, false);
+  EXPECT_FALSE(tab->DisplayedInsecureContent());
+
+  // Load the inline image using insecure server.
+  bool js_result = false;
+  EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
+      tab, "loadBadImage('https');", &js_result));
+  EXPECT_TRUE(js_result);
+
+  // Page security should be downgraded.
+  CheckAuthenticatedState(tab, true);
+  EXPECT_TRUE(tab->DisplayedInsecureContent());
+}

[Ryan Sleevi, 2014/03/11 01:39:39]

Can you add an additional test to test for 'intranet' names, so that we can make
sure the behaviour is as expected?

On internal host names, we don't force an interstitial, but do degrade the UI.
Ideally, we'd propagate that brokenness (eg: if good.com included a resource
from myinternalhost.invalid)

We can accomplish this with a MockCertVerifier (to set the desired status for
given certificate/hostnames) and a RuleBasedHostResolverProc (IIRC)

+
 // This test ensures the CN invalid status does not 'stick' to a certificate
 // (see bug #1044942) and that it depends on the host-name.
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestCNInvalidStickiness) {