Set insecure content status also when there are other security issues.

chrome/browser/ssl/ssl_browser_tests.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/path_service.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 128 matching lines @@
   void CheckAuthenticatedState(WebContents* tab,
                                bool expected_displayed_insecure_content) {
     CheckState(tab, content::SECURITY_STYLE_AUTHENTICATED,
                expected_displayed_insecure_content, false);
   }
 
   void CheckUnauthenticatedState(WebContents* tab) {
     CheckState(tab, content::SECURITY_STYLE_UNAUTHENTICATED, false, false);
   }
 
-  void CheckBrokenAuthenticatedState(WebContents* tab) {
-    CheckState(tab, content::SECURITY_STYLE_AUTHENTICATION_BROKEN, false, true);
+  void CheckBrokenAuthenticatedState(WebContents* tab,
+                                     bool expected_displayed_insecure_content) {
+    CheckState(tab, content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
+               expected_displayed_insecure_content, true);
   }
 
   void CheckAuthenticationBrokenState(WebContents* tab,
                                       net::CertStatus error,
+                                      bool displayed_insecure_content,
                                       bool ran_insecure_content,
                                       bool interstitial) {

[Ryan Sleevi, 2014/03/11 01:46:55]

I'm wondering whether we should change these three bools into more symbolic
enums.

CheckAuthenticationBrokenState(blah, error, false, true, false);
CheckAuthenticationBrokenState(blah, error, true, true, true);

vs

CheckAuthenticationBrokenState(blah, error, RAN_INSECURE_CONTENT);
CheckAuthenticationBrokenState(blah, error,
                               DISPLAYED_INSECURE_CONTENT |
                               RAN_INSECURE_CONTENT |
                               SHOWING_INTERSTITIAL);

     ASSERT_FALSE(tab->IsCrashed());
     NavigationEntry* entry = tab->GetController().GetActiveEntry();
     ASSERT_TRUE(entry);
     EXPECT_EQ(interstitial ?
                   content::PAGE_TYPE_INTERSTITIAL : content::PAGE_TYPE_NORMAL,
               entry->GetPageType());
     EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
               entry->GetSSL().security_style);
     // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION doesn't lower the security style
     // to SECURITY_STYLE_AUTHENTICATION_BROKEN.
     ASSERT_NE(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, error);
     EXPECT_EQ(error, entry->GetSSL().cert_status & error);
-    EXPECT_FALSE(!!(entry->GetSSL().content_status &
-                    SSLStatus::DISPLAYED_INSECURE_CONTENT));
+    EXPECT_EQ(displayed_insecure_content,
+              !!(entry->GetSSL().content_status &
+                 SSLStatus::DISPLAYED_INSECURE_CONTENT));
     EXPECT_EQ(ran_insecure_content,
         !!(entry->GetSSL().content_status & SSLStatus::RAN_INSECURE_CONTENT));
     net::CertStatus extra_cert_errors = error ^ (entry->GetSSL().cert_status &
                                                  net::CERT_STATUS_ALL_ERRORS);
     if (extra_cert_errors)
       LOG(WARNING) << "Got unexpected cert error: " << extra_cert_errors;
   }
 
   void CheckWorkerLoadResult(WebContents* tab, bool expected_load) {
     // Workers are async and we don't have notifications for them passing
@@ skipping 177 matching lines @@
       https_server_expired_.host_port_pair(),
       &replacement_path));
 
   ui_test_utils::NavigateToURL(
       browser(), test_server()->GetURL(replacement_path));
 
   CheckUnauthenticatedState(
       browser()->tab_strip_model()->GetActiveWebContents());
 }
 
+IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSWithInsecureContent) {
+  ASSERT_TRUE(test_server()->Start());
+  ASSERT_TRUE(https_server_expired_.Start());
+
+  std::string replacement_path;
+  ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
+      "files/ssl/page_displays_insecure_content.html",
+      test_server()->host_port_pair(),
+      &replacement_path));
+
+  ui_test_utils::NavigateToURL(browser(),
+                               https_server_expired_.GetURL(replacement_path));
+
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
+                                 false, false, true);
+
+  ProceedThroughInterstitial(tab);
+
+  CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
+                                 true, false, false);
+}
+
 // http://crbug.com/91745
 #if defined(OS_CHROMEOS)
 #define MAYBE_TestOKHTTPS DISABLED_TestOKHTTPS
 #else
 #define MAYBE_TestOKHTTPS TestOKHTTPS
 #endif
 
 // Visits a page over OK https:
 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestOKHTTPS) {
   ASSERT_TRUE(https_server_.Start());
 
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL("files/ssl/google.html"));
 
   CheckAuthenticatedState(
       browser()->tab_strip_model()->GetActiveWebContents(), false);
 }
 
 // Visits a page with https error and proceed:
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPSExpiredCertAndProceed) {
   ASSERT_TRUE(https_server_expired_.Start());
 
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/google.html"));
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   ProceedThroughInterstitial(tab);
 
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);  // No interstitial showing
+                                 false, false);  // No interstitial showing
 }
 
 #ifndef NEDBUG
 // Flaky on Windows debug (http://crbug.com/280537).
 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
         DISABLED_TestHTTPSExpiredCertAndDontProceed
 #else
 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
         TestHTTPSExpiredCertAndDontProceed
 #endif
@@ skipping 21 matching lines @@
   GURL::Replacements replacements;
   std::string new_host("localhost");
   replacements.SetHostStr(new_host);
   cross_site_url = cross_site_url.ReplaceComponents(replacements);
 
   // Now go to a bad HTTPS page.
   ui_test_utils::NavigateToURL(browser(), cross_site_url);
 
   // An interstitial should be showing.
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
-                                 false, true);
+                                 false, false, true);
 
   // Simulate user clicking "Take me back".
   InterstitialPage* interstitial_page = tab->GetInterstitialPage();
   ASSERT_TRUE(interstitial_page);
   interstitial_page->DontProceed();
 
   // We should be back to the original good page.
   CheckAuthenticatedState(tab, false);
 
   // Try to navigate to a new page. (to make sure bug 5800 is fixed).
@@ skipping 12 matching lines @@
   ui_test_utils::NavigateToURL(browser(),
       test_server()->GetURL("files/ssl/google.html"));
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   NavigationEntry* entry = tab->GetController().GetActiveEntry();
   ASSERT_TRUE(entry);
 
   // Now go to a bad HTTPS page that shows an interstitial.
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/google.html"));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   ProvisionalLoadWaiter load_failed_observer(tab);
 
   // Simulate user clicking on back button (crbug.com/39248).
   chrome::GoBack(browser(), CURRENT_TAB);
 
   // Wait until we hear the load failure, and make sure we haven't swapped out
   // the previous page.  Prevents regression of http://crbug.com/82667.
   load_failed_observer.Wait();
   EXPECT_FALSE(content::RenderViewHostTester::IsRenderViewHostSwappedOut(
@@ skipping 16 matching lines @@
   ui_test_utils::NavigateToURL(browser(),
       test_server()->GetURL("files/ssl/google.html"));
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   NavigationEntry* entry = tab->GetController().GetActiveEntry();
   ASSERT_TRUE(entry);
 
   // Now go to a bad HTTPS page that shows an interstitial.
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/google.html"));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   // Simulate user clicking and holding on back button (crbug.com/37215).
   tab->GetController().GoToOffset(-1);
 
   // We should be back at the original good page.
   EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
                    GetInterstitialPage());
   CheckUnauthenticatedState(tab);
 }
 
@@ skipping 22 matching lines @@
     observer.Wait();
   }
   ASSERT_TRUE(tab->GetController().CanGoForward());
   NavigationEntry* entry3 = tab->GetController().GetActiveEntry();
   ASSERT_TRUE(entry1 == entry3);
 
   // Now go to a bad HTTPS page that shows an interstitial.
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/google.html"));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   // Simulate user clicking and holding on forward button.
   {
     content::WindowedNotificationObserver observer(
         content::NOTIFICATION_LOAD_STOP,
         content::Source<NavigationController>(&tab->GetController()));
     tab->GetController().GoToOffset(1);
     observer.Wait();
   }
 
@@ skipping 68 matching lines @@
 
   // Visit bad HTTPS page.
   std::string scheme("https");
   GURL::Replacements replacements;
   replacements.SetSchemeStr(scheme);
   ui_test_utils::NavigateToURL(
       browser(),
       wss_server_expired_.GetURL(
           "connect_check.html").ReplaceComponents(replacements));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   // Proceed anyway.
   ProceedThroughInterstitial(tab);
 
   // Test page run a WebSocket wss connection test. The result will be shown
   // as page title.
   const base::string16 result = watcher.WaitAndGetTitle();
   EXPECT_TRUE(LowerCaseEqualsASCII(result, "pass"));
 }
 
@@ skipping 190 matching lines @@
 // Based on http://crbug.com/8706
 IN_PROC_BROWSER_TEST_F(SSLUITest,
                        TestRunsInsecuredContentRandomizeHash) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
 
   ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
       "files/ssl/page_runs_insecure_content.html"));
 
   CheckAuthenticationBrokenState(
-      browser()->tab_strip_model()->GetActiveWebContents(), 0, true, false);
+      browser()->tab_strip_model()->GetActiveWebContents(),
+      0, true, true, false);
 }
 
 // Visits a page with unsafe content and make sure that:
 // - frames content is replaced with warning
 // - images and scripts are filtered out entirely
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContents) {
   ASSERT_TRUE(https_server_.Start());
   ASSERT_TRUE(https_server_expired_.Start());
 
   std::string replacement_path;
@@ skipping 136 matching lines @@
       content::NOTIFICATION_LOAD_STOP,
       content::NotificationService::AllSources());
   chrome::Navigate(&params);
   WebContents* tab2 = params.target_contents;
   observer.Wait();
 
   // Both tabs should have the same process.
   EXPECT_EQ(tab1->GetRenderProcessHost(), tab2->GetRenderProcessHost());
 
   // The new tab has insecure content.
-  CheckAuthenticationBrokenState(tab2, 0, true, false);
+  CheckAuthenticationBrokenState(tab2, 0, true, true, false);
 
   // Which means the origin for the first tab has also been contaminated with
   // insecure content.
-  CheckAuthenticationBrokenState(tab1, 0, true, false);
+  CheckAuthenticationBrokenState(tab1, 0, false, true, false);

[joleksy, 2014/03/03 11:22:45]

Note: RAN_INSECURE_CONTENT is stored at host level, see
SSLHostState::HostRanInsecureContent.
DISPLAYED_INSECURE_CONTENT is stored in WebContents, this is why it is not set
here.

Looks fine to me, but could anyone verify that this is ok?

[Ryan Sleevi, 2014/03/11 01:46:55]

Right. Active content has the potential of corrupting the renderer / JS
environment, which is why it's stored at the host level.

Passive content (eg: images) is only on a per-page level, and doesn't affect the
overall renderer security (mod popping libtiff / libpng or the like). That's at
least the logic behind the asymmetry.

 }
 
 // Visits a page with an image over http.  Visits another page over https
 // referencing that same image over http (hoping it is coming from the webcore
 // memory cache).
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysCachedInsecureContent) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
 
   std::string replacement_path;
@@ skipping 39 matching lines @@
   // Load original page over HTTP.
   const GURL url_http = test_server()->GetURL(replacement_path);
   ui_test_utils::NavigateToURL(browser(), url_http);
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   CheckUnauthenticatedState(tab);
 
   // Load again but over SSL.  It should be marked as displaying insecure
   // content (even though the image comes from the WebCore memory cache).
   const GURL url_https = https_server_.GetURL(replacement_path);
   ui_test_utils::NavigateToURL(browser(), url_https);
-  CheckAuthenticationBrokenState(tab, 0, true, false);
+  CheckAuthenticationBrokenState(tab, 0, true, true, false);
 }
 
 // This test ensures the CN invalid status does not 'stick' to a certificate
 // (see bug #1044942) and that it depends on the host-name.
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestCNInvalidStickiness) {
   ASSERT_TRUE(https_server_.Start());
   ASSERT_TRUE(https_server_mismatched_.Start());
 
   // First we hit the server with hostname, this generates an invalid policy
   // error.
   ui_test_utils::NavigateToURL(browser(),
       https_server_mismatched_.GetURL("files/ssl/google.html"));
 
   // We get an interstitial page as a result.
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
-                                 false, true);  // Interstitial showing.
+                                 false, false, true);  // Interstitial showing.
   ProceedThroughInterstitial(tab);
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
-                                 false, false);  // No interstitial showing.
+                                 false, false, false);  // No interstitial.
 
   // Now we try again with the right host name this time.
   GURL url(https_server_.GetURL("files/ssl/google.html"));
   ui_test_utils::NavigateToURL(browser(), url);
 
   // Security state should be OK.
   CheckAuthenticatedState(tab, false);
 
   // Now try again the broken one to make sure it is still broken.
   ui_test_utils::NavigateToURL(browser(),
       https_server_mismatched_.GetURL("files/ssl/google.html"));
 
   // Since we OKed the interstitial last time, we get right to the page.
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
-                                 false, false);  // No interstitial showing.
+                                 false, false, false);  // No interstitial.
 }
 
 #if defined(OS_CHROMEOS)
 // This test seems to be flaky and hang on chromiumos.
 // http://crbug.com/84419
 #define MAYBE_TestRefNavigation DISABLED_TestRefNavigation
 #else
 #define MAYBE_TestRefNavigation TestRefNavigation
 #endif
 
 // Test that navigating to a #ref does not change a bad security state.
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRefNavigation) {
   ASSERT_TRUE(https_server_expired_.Start());
 
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/page_with_refs.html"));
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing.
+                                 false, true);  // Interstitial showing.
 
   ProceedThroughInterstitial(tab);
 
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);  // No interstitial showing.
+                                 false, false);  // No interstitial showing.
 
   // Now navigate to a ref in the page, the security state should not have
   // changed.
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/page_with_refs.html#jp"));
 
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);  // No interstitial showing.
+                                 false, false);  // No interstitial showing.
 }
 
 // Tests that closing a page that has a unsafe pop-up does not crash the
 // browser (bug #1966).
 // TODO(jcampan): http://crbug.com/2136 disabled because the popup is not
 //                opened as it is not initiated by a user gesture.
 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCloseTabWithUnsafePopup) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_expired_.Start());
 
@@ skipping 39 matching lines @@
   ASSERT_TRUE(https_server_expired_.Start());
 
   GURL url1 = https_server_expired_.GetURL("server-redirect?");
   GURL url2 = https_server_.GetURL("files/ssl/google.html");
 
   ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
 
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing.
+                                 false, true);  // Interstitial showing.
 
   ProceedThroughInterstitial(tab);
 
   // We have been redirected to the good page.
   CheckAuthenticatedState(tab, false);
 }
 
 // Visit a page over good https that is a redirect to a page with bad https.
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectGoodToBadHTTPS) {
   ASSERT_TRUE(https_server_.Start());
   ASSERT_TRUE(https_server_expired_.Start());
 
   GURL url1 = https_server_.GetURL("server-redirect?");
   GURL url2 = https_server_expired_.GetURL("files/ssl/google.html");
   ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing.
+                                 false, true);  // Interstitial showing.
 
   ProceedThroughInterstitial(tab);
 
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);  // No interstitial showing.
+                                 false, false);  // No interstitial showing.
 }
 
 // Visit a page over http that is a redirect to a page with good HTTPS.
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPToGoodHTTPS) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
 
   // HTTP redirects to good HTTPS.
@@ skipping 12 matching lines @@
   ASSERT_TRUE(https_server_expired_.Start());
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
 
   GURL http_url = test_server()->GetURL("server-redirect?");
   GURL bad_https_url =
       https_server_expired_.GetURL("files/ssl/google.html");
   ui_test_utils::NavigateToURL(browser(),
                                GURL(http_url.spec() + bad_https_url.spec()));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing.
+                                 false, true);  // Interstitial showing.
 
   ProceedThroughInterstitial(tab);
 
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);  // No interstitial showing.
+                                 false, false);  // No interstitial showing.
 }
 
 // Visit a page over https that is a redirect to a page with http (to make sure
 // we don't keep the secure state).
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPSToHTTP) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
 
   GURL https_url = https_server_.GetURL("server-redirect?");
   GURL http_url = test_server()->GetURL("files/ssl/google.html");
@@ skipping 105 matching lines @@
         content::Source<NavigationController>(&tab->GetController()));
     EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
         tab,
         "window.domAutomationController.send(clickLink('HTTPLink'));",
         &success));
     ASSERT_TRUE(success);
     observer.Wait();
   }
 
   // Our state should be unathenticated (in the ran mixed script sense)
-  CheckBrokenAuthenticatedState(tab);
+  CheckBrokenAuthenticatedState(tab, true);
 
   // Go back, our state should be unchanged.
   {
     content::WindowedNotificationObserver observer(
         content::NOTIFICATION_LOAD_STOP,
         content::Source<NavigationController>(&tab->GetController()));
     tab->GetController().GoBack();
     observer.Wait();
   }
 
-  CheckBrokenAuthenticatedState(tab);
+  CheckBrokenAuthenticatedState(tab, true);
 }
 
 // From a bad HTTPS top frame:
 // - navigate to an OK HTTPS frame (expected to be still authentication broken).
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadFrameNavigation) {
   ASSERT_TRUE(https_server_.Start());
   ASSERT_TRUE(https_server_expired_.Start());
 
   std::string top_frame_path;
   ASSERT_TRUE(GetTopFramePath(*test_server(),
                               https_server_,
                               https_server_expired_,
                               &top_frame_path));
 
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   ui_test_utils::NavigateToURL(browser(),
                                https_server_expired_.GetURL(top_frame_path));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   ProceedThroughInterstitial(tab);
 
   // Navigate to a good frame.
   bool success = false;
   content::WindowedNotificationObserver observer(
         content::NOTIFICATION_LOAD_STOP,
         content::Source<NavigationController>(&tab->GetController()));
   EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
       tab,
       "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
       &success));
   ASSERT_TRUE(success);
   observer.Wait();
 
   // We should still be authentication broken.
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);
+                                 false, false);
 }
 
 // From an HTTP top frame, navigate to good and bad HTTPS (security state should
 // stay unauthenticated).
 // Disabled, flakily exceeds test timeout, http://crbug.com/43437.
 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestUnauthenticatedFrameNavigation) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
   ASSERT_TRUE(https_server_expired_.Start());
 
@@ skipping 76 matching lines @@
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorker) {
   ASSERT_TRUE(https_server_.Start());
   ASSERT_TRUE(https_server_expired_.Start());
 
   // Navigate to an unsafe site. Proceed with interstitial page to indicate
   // the user approves the bad certificate.
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/blank_page.html"));
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
   ProceedThroughInterstitial(tab);
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 false);  // No Interstitial
+                                 false, false);  // No Interstitial
 
   // Navigate to safe page that has Worker loading unsafe content.
   // Expect content to load but be marked as auth broken due to running insecure
   // content.
   std::string page_with_unsafe_worker_path;
   ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_expired_,
                                           &page_with_unsafe_worker_path));
   ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
       page_with_unsafe_worker_path));
   CheckWorkerLoadResult(tab, true);  // Worker loads insecure content
-  CheckAuthenticationBrokenState(tab, 0, true, false);
+  CheckAuthenticationBrokenState(tab, 0, false, true, false);
 }
 
 // Test that when the browser blocks displaying insecure content (images), the
 // indicator shows a secure page, because the blocking made the otherwise
 // unsafe page safe (the notification of this state is handled by other means).
 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) {
   ASSERT_TRUE(test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
 
   std::string replacement_path;
@@ skipping 83 matching lines @@
 // http://crbug.com/322948
 IN_PROC_BROWSER_TEST_F(SSLUITest, InterstitialNotAffectedByContentSettings) {
   browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
       CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
 
   ASSERT_TRUE(https_server_expired_.Start());
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   ui_test_utils::NavigateToURL(browser(),
       https_server_expired_.GetURL("files/ssl/google.html"));
   CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID, false,
-                                 true);  // Interstitial showing
+                                 false, true);  // Interstitial showing
 
   InterstitialPage* interstitial_page = tab->GetInterstitialPage();
   content::RenderViewHost* interstitial_rvh =
       interstitial_page->GetRenderViewHostForTesting();
   bool result = false;
   ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
               interstitial_rvh,
               "window.domAutomationController.send(true);",
               &result));
   // The above will hang without the fix.
   ASSERT_TRUE(result);
 }
 
 // TODO(jcampan): more tests to do below.
 
 // Visit a page over https that contains a frame with a redirect.
 
 // XMLHttpRequest insecure content in synchronous mode.
 
 // XMLHttpRequest insecure content in asynchronous mode.
 
 // XMLHttpRequest over bad ssl in synchronous mode.
 
 // XMLHttpRequest over OK ssl in synchronous mode.