Adjust WebsiteSettings statuses for subresources with cert errors

chrome/browser/ui/website_settings/website_settings.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/website_settings/website_settings.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <string>
@@ skipping 115 matching lines @@
   // Fullscreen and mouselock settings are no longer shown (always allow).
   if (type == CONTENT_SETTINGS_TYPE_FULLSCREEN ||
       type == CONTENT_SETTINGS_TYPE_MOUSELOCK) {
     return false;
   }
 #endif
 
   return true;
 }
 
+void CheckContentStatus(SecurityStateModel::ContentStatus content_status,
+                        bool* displayed,
+                        bool* ran) {
+  switch (content_status) {
+    case SecurityStateModel::CONTENT_STATUS_DISPLAYED:
+      *displayed = true;
+      break;
+    case SecurityStateModel::CONTENT_STATUS_RAN:
+      *ran = true;
+      break;
+    case SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN:
+      *displayed = true;
+      *ran = true;
+      break;
+    case SecurityStateModel::CONTENT_STATUS_UNKNOWN:
+    case SecurityStateModel::CONTENT_STATUS_NONE:
+      break;
+  }
+}
+
+void CheckForInsecureContent(
+    const SecurityStateModel::SecurityInfo& security_info,
+    bool* displayed,
+    bool* ran) {
+  CheckContentStatus(security_info.mixed_content_status, displayed, ran);
+  // Only consider subresources with certificate errors if the main
+  // resource was loaded over HTTPS without major certificate errors. If
+  // the main resource had a certificate error, then it would not be
+  // that useful (and would potentially be confusing) to warn about
+  // subesources that had certificate errors too.
+  if (net::IsCertStatusError(security_info.cert_status) &&
+      !net::IsCertStatusMinorError(security_info.cert_status)) {
+    return;
+  }
+  CheckContentStatus(security_info.content_with_cert_errors_status, displayed,
+                     ran);
+}
+
 // Returns true if any of the given statuses match |status|.
 bool CertificateTransparencyStatusMatchAny(
     const std::vector<net::ct::SCTVerifyStatus>& sct_verify_statuses,
     net::ct::SCTVerifyStatus status) {
   for (const auto& verify_status : sct_verify_statuses) {
     if (verify_status == status)
       return true;
   }
   return false;
 }
@@ skipping 406 matching lines @@
     if (security_info.is_secure_protocol_and_ciphersuite) {
       site_connection_details_.assign(l10n_util::GetStringFUTF16(
           IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT,
           subject_name));
     } else {
       site_connection_details_.assign(l10n_util::GetStringFUTF16(
           IDS_PAGE_INFO_SECURITY_TAB_WEAK_ENCRYPTION_CONNECTION_TEXT,
           subject_name));
     }
 
-    if (security_info.mixed_content_status !=
-        SecurityStateModel::CONTENT_STATUS_NONE) {
-      bool ran_insecure_content =
-          (security_info.mixed_content_status ==
-               SecurityStateModel::CONTENT_STATUS_RAN ||
-           security_info.mixed_content_status ==
-               SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN);
-      site_connection_status_ = ran_insecure_content
-                                    ? SITE_CONNECTION_STATUS_MIXED_SCRIPT
-                                    : SITE_CONNECTION_STATUS_MIXED_CONTENT;
+    bool ran_insecure_content = false;
+    bool displayed_insecure_content = false;
+    CheckForInsecureContent(security_info, &displayed_insecure_content,
+                            &ran_insecure_content);
+    if (ran_insecure_content || displayed_insecure_content) {
+      site_connection_status_ =
+          ran_insecure_content
+              ? SITE_CONNECTION_STATUS_INSECURE_ACTIVE_SUBRESOURCE
+              : SITE_CONNECTION_STATUS_INSECURE_PASSIVE_SUBRESOURCE;
       site_connection_details_.assign(l10n_util::GetStringFUTF16(
           IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_SENTENCE_LINK,
           site_connection_details_,
-          l10n_util::GetStringUTF16(ran_insecure_content ?
-              IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR :
-              IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING)));
+          l10n_util::GetStringUTF16(
+              ran_insecure_content
+                  ? IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR
+                  : IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING)));
     }
   }
 
   uint16_t cipher_suite =
       net::SSLConnectionStatusToCipherSuite(security_info.connection_status);
   if (security_info.security_bits > 0 && cipher_suite) {
     int ssl_version =
         net::SSLConnectionStatusToVersion(security_info.connection_status);
     const char* ssl_version_str;
     net::SSLVersionToString(&ssl_version_str, ssl_version);
@@ skipping 15 matching lines @@
       site_connection_details_ += l10n_util::GetStringFUTF16(
           IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTION_DETAILS_AEAD,
           ASCIIToUTF16(cipher), ASCIIToUTF16(key_exchange));
     } else {
       site_connection_details_ += l10n_util::GetStringFUTF16(
           IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTION_DETAILS,
           ASCIIToUTF16(cipher), ASCIIToUTF16(mac), ASCIIToUTF16(key_exchange));
     }
 
     if (ssl_version == net::SSL_CONNECTION_VERSION_SSL3 &&
-        site_connection_status_ < SITE_CONNECTION_STATUS_MIXED_CONTENT) {
+        site_connection_status_ <
+            SITE_CONNECTION_STATUS_INSECURE_PASSIVE_SUBRESOURCE) {
       site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
     }
 
     const bool did_fallback = (security_info.connection_status &
                                net::SSL_CONNECTION_VERSION_FALLBACK) != 0;
     if (did_fallback) {
       site_connection_details_ += ASCIIToUTF16("\n\n");
       site_connection_details_ += l10n_util::GetStringUTF16(
           IDS_PAGE_INFO_SECURITY_TAB_FALLBACK_MESSAGE);
     }
@@ skipping 15 matching lines @@
   show_ssl_decision_revoke_button_ = delegate->HasAllowException(url.host());
 
   // By default select the Permissions Tab that displays all the site
   // permissions. In case of a connection error or an issue with the certificate
   // presented by the website, select the Connection Tab to draw the user's
   // attention to the issue. If the site does not provide a certificate because
   // it was loaded over an unencrypted connection, don't select the Connection
   // Tab.
   WebsiteSettingsUI::TabId tab_id = WebsiteSettingsUI::TAB_ID_PERMISSIONS;
   if (site_connection_status_ == SITE_CONNECTION_STATUS_ENCRYPTED_ERROR ||
-      site_connection_status_ == SITE_CONNECTION_STATUS_MIXED_CONTENT ||
-      site_connection_status_ == SITE_CONNECTION_STATUS_MIXED_SCRIPT ||
+      site_connection_status_ ==
+          SITE_CONNECTION_STATUS_INSECURE_PASSIVE_SUBRESOURCE ||
+      site_connection_status_ ==
+          SITE_CONNECTION_STATUS_INSECURE_ACTIVE_SUBRESOURCE ||
       site_identity_status_ == SITE_IDENTITY_STATUS_ERROR ||
       site_identity_status_ == SITE_IDENTITY_STATUS_CT_ERROR ||
       site_identity_status_ == SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN ||
       site_identity_status_ == SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT ||
       site_identity_status_ ==
           SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM_MINOR ||
       site_identity_status_ ==
           SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM_MAJOR) {
     tab_id = WebsiteSettingsUI::TAB_ID_CONNECTION;
     RecordWebsiteSettingsAction(
@@ skipping 98 matching lines @@
   info.connection_status = site_connection_status_;
   info.connection_status_description =
       UTF16ToUTF8(site_connection_details_);
   info.identity_status = site_identity_status_;
   info.identity_status_description =
       UTF16ToUTF8(site_identity_details_);
   info.cert_id = cert_id_;
   info.show_ssl_decision_revoke_button = show_ssl_decision_revoke_button_;
   ui_->SetIdentityInfo(info);
 }