Index: chrome/browser/policy/policy_browsertest.cc |
diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc |
index 9d6f176ab51168a7a9737aaae81a55c1cb07627c..592f1149b100c1bb560c06069e55060b6346abcd 100644 |
--- a/chrome/browser/policy/policy_browsertest.cc |
+++ b/chrome/browser/policy/policy_browsertest.cc |
@@ -15,6 +15,7 @@ |
#include "base/bind.h" |
#include "base/bind_helpers.h" |
#include "base/callback.h" |
+#include "base/callback_helpers.h" |
#include "base/command_line.h" |
#include "base/files/file_enumerator.h" |
#include "base/files/file_path.h" |
@@ -170,6 +171,7 @@ |
#include "net/base/net_errors.h" |
#include "net/base/url_util.h" |
#include "net/http/http_stream_factory.h" |
+#include "net/http/transport_security_state.h" |
#include "net/ssl/ssl_config.h" |
#include "net/ssl/ssl_config_service.h" |
#include "net/test/embedded_test_server/embedded_test_server.h" |
@@ -3554,6 +3556,64 @@ IN_PROC_BROWSER_TEST_F(WebBluetoothPolicyTest, Block) { |
EXPECT_THAT(rejection, testing::MatchesRegex("NotFoundError: .*policy.*")); |
} |
+IN_PROC_BROWSER_TEST_F(PolicyTest, |
+ CertificateTransparencyEnforcementDisabledForUrls) { |
+ // Cleanup any globals even if the test fails. |
+ base::ScopedClosureRunner cleanup(base::Bind( |
+ base::IgnoreResult(&BrowserThread::PostTask), BrowserThread::IO, |
+ FROM_HERE, |
+ base::Bind(&net::TransportSecurityState::SetShouldRequireCTForTesting, |
+ nullptr))); |
+ |
+ net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS); |
+ https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK); |
+ https_server_ok.ServeFilesFromSourceDirectory("chrome/test/data"); |
+ ASSERT_TRUE(https_server_ok.Start()); |
+ |
+ // Require CT for all hosts (in the absence of policy). |
+ BrowserThread::PostTask( |
+ BrowserThread::IO, FROM_HERE, |
+ base::Bind(net::TransportSecurityState::SetShouldRequireCTForTesting, |
+ base::Owned(new bool(true)))); |
+ |
+ ui_test_utils::NavigateToURL(browser(), https_server_ok.GetURL("/")); |
+ |
+ // The page should initially be blocked. |
+ const content::InterstitialPage* interstitial = |
+ content::InterstitialPage::GetInterstitialPage( |
+ browser()->tab_strip_model()->GetActiveWebContents()); |
+ ASSERT_TRUE(interstitial); |
+ ASSERT_TRUE(content::WaitForRenderFrameReady(interstitial->GetMainFrame())); |
+ |
+ EXPECT_TRUE(chrome_browser_interstitials::IsInterstitialDisplayingText( |
+ interstitial, "proceed-link")); |
+ EXPECT_NE(base::UTF8ToUTF16("OK"), |
+ browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); |
+ |
+ // Now exempt the URL from being blocked by setting policy. |
+ std::unique_ptr<base::ListValue> disabled_urls = |
+ base::MakeUnique<base::ListValue>(); |
+ disabled_urls->AppendString(https_server_ok.host_port_pair().HostForURL()); |
+ |
+ PolicyMap policies; |
+ policies.Set(key::kCertificateTransparencyEnforcementDisabledForUrls, |
+ POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD, |
+ std::move(disabled_urls), nullptr); |
+ UpdateProviderPolicy(policies); |
+ FlushBlacklistPolicy(); |
+ |
+ ui_test_utils::NavigateToURL(browser(), |
+ https_server_ok.GetURL("/simple.html")); |
+ |
+ // There should be no interstitial after the page loads. |
+ interstitial = content::InterstitialPage::GetInterstitialPage( |
+ browser()->tab_strip_model()->GetActiveWebContents()); |
+ ASSERT_FALSE(interstitial); |
+ |
+ EXPECT_EQ(base::UTF8ToUTF16("OK"), |
+ browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); |
+} |
+ |
// Test that when extended reporting opt-in is disabled by policy, the |
// opt-in checkbox does not appear on SSL blocking pages. |
IN_PROC_BROWSER_TEST_F(PolicyTest, SafeBrowsingExtendedReportingOptInAllowed) { |
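Review bot: The new CertificateTransparencyEnforcementDisabledForUrls test only proves that listing the server's own host lifts CT enforcement; nothing checks that a policy entry for a different host leaves the interstitial in place, so an over-broad match in the exemption logic would still pass. Because this policy weakens a certificate check, I would add a negative step just before the `// Now exempt the URL` block, as sketched below (untested; the host name is a made-up placeholder). Separately, the first navigation loads `/` while the title is compared against "OK", which appears to be the title of `/simple.html`, so the `EXPECT_NE` there probably holds whether or not the page was blocked. Navigating to `https_server_ok.GetURL("/simple.html")` in both places would make that assertion meaningful.

```cpp
  // … unchanged: require CT for all hosts, first navigation shows the interstitial …

  // A policy entry for a different host must not lift enforcement for this
  // server. "unrelated.example" is a constructed placeholder host.
  std::unique_ptr<base::ListValue> unrelated_urls =
      base::MakeUnique<base::ListValue>();
  unrelated_urls->AppendString("unrelated.example");

  PolicyMap unrelated_policies;
  unrelated_policies.Set(
      key::kCertificateTransparencyEnforcementDisabledForUrls,
      POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD,
      std::move(unrelated_urls), nullptr);
  UpdateProviderPolicy(unrelated_policies);
  FlushBlacklistPolicy();

  ui_test_utils::NavigateToURL(browser(),
                               https_server_ok.GetURL("/simple.html"));
  EXPECT_TRUE(content::InterstitialPage::GetInterstitialPage(
      browser()->tab_strip_model()->GetActiveWebContents()));

  // Now exempt the URL from being blocked by setting policy.
  // … unchanged: exempt the test server's host and expect no interstitial …
```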