Chromium Code Reviews Chromium Code Reviews
Issue 2270283002:
Downgrade security state after user clicks through SB interstitial (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc |
| diff --git a/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc b/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc |
| index 1b92c1e0d4ca5252bea38c4fabd24ae4dc91a756..97ada326a4ce6b2067c1f378f37e55cc1b994fee 100644 |
| --- a/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc |
| +++ b/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc |
| @@ -25,6 +25,9 @@ |
| #include "chrome/browser/safe_browsing/test_safe_browsing_service.h" |
| #include "chrome/browser/safe_browsing/threat_details.h" |
| #include "chrome/browser/safe_browsing/ui_manager.h" |
| +#include "chrome/browser/ssl/cert_verifier_browser_test.h" |
| +#include "chrome/browser/ssl/chrome_security_state_model_client.h" |
| +#include "chrome/browser/ssl/ssl_blocking_page.h" |
| #include "chrome/browser/ui/browser.h" |
| #include "chrome/browser/ui/browser_tabstrip.h" |
| #include "chrome/browser/ui/tabs/tab_strip_model.h" |
| @@ -47,6 +50,9 @@ |
| #include "content/public/test/browser_test_utils.h" |
| #include "content/public/test/test_browser_thread.h" |
| #include "content/public/test/test_utils.h" |
| +#include "net/cert/cert_verify_result.h" |
| +#include "net/cert/mock_cert_verifier.h" |
| +#include "net/test/embedded_test_server/embedded_test_server.h" |
| #include "net/test/url_request/url_request_mock_http_job.h" |
| using chrome_browser_interstitials::SecurityInterstitialIDNTest; |
| @@ -61,6 +67,7 @@ namespace safe_browsing { |
| namespace { |
| const char kEmptyPage[] = "empty.html"; |
| +const char kHTTPSPage[] = "/ssl/google.html"; |
| const char kMalwarePage[] = "safe_browsing/malware.html"; |
| const char kCrossSiteMalwarePage[] = "safe_browsing/malware2.html"; |
| const char kMalwareIframe[] = "safe_browsing/malware_iframe.html"; |
| @@ -270,7 +277,7 @@ class TestSafeBrowsingBlockingPageFactory |
| // Tests the safe browsing blocking page in a browser. |
| class SafeBrowsingBlockingPageBrowserTest |
| - : public InProcessBrowserTest, |
| + : public CertVerifierBrowserTest, |
| public testing::WithParamInterface<testing::tuple<SBThreatType, bool>> { |
| public: |
| enum Visibility { |
| @@ -279,7 +286,8 @@ class SafeBrowsingBlockingPageBrowserTest |
| VISIBLE = 1 |
| }; |
| - SafeBrowsingBlockingPageBrowserTest() {} |
| + SafeBrowsingBlockingPageBrowserTest() |
| + : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {} |
| void SetUp() override { |
| // Test UI manager and test database manager should be set before |
| @@ -319,12 +327,53 @@ class SafeBrowsingBlockingPageBrowserTest |
| ->SetURLThreatType(url, threat_type); |
| } |
| + // The basic version of this method, which uses a HTTP test URL. |
| + GURL SetupWarningAndNavigate() { |
| + return SetupWarningAndNavigateToURL( |
| + net::URLRequestMockHTTPJob::GetMockUrl(kEmptyPage)); |
| + } |
| + |
| + // Navigates to a warning on a valid HTTPS website. |
| + GURL SetupWarningAndNavigateToValidHTTPS() { |
| + EXPECT_TRUE(https_server_.Start()); |
| + scoped_refptr<net::X509Certificate> cert(https_server_.GetCertificate()); |
| + net::CertVerifyResult verify_result; |
| + verify_result.is_issued_by_known_root = true; |
| + verify_result.verified_cert = cert; |
| + verify_result.cert_status = 0; |
| + mock_cert_verifier()->AddResultForCert(cert.get(), verify_result, net::OK); |
| + GURL url = https_server_.GetURL(kHTTPSPage); |
| + return SetupWarningAndNavigateToURL(url); |
| + } |
| + |
| + // Navigates through an HTTPS interstitial, then opens up a SB warning on that |
| + // same URL. |
| + GURL SetupWarningAndNavigateToInvalidHTTPS() { |
| + https_server_.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED); |
| + EXPECT_TRUE(https_server_.Start()); |
| + GURL url = https_server_.GetURL(kHTTPSPage); |
| + |
| + // Proceed through the HTTPS interstitial. |
| + ui_test_utils::NavigateToURL(browser(), url); |
| + EXPECT_TRUE(WaitForReady()); |
| + InterstitialPage* https_warning = browser() |
| + ->tab_strip_model() |
| + ->GetActiveWebContents() |
| + ->GetInterstitialPage(); |
| + EXPECT_EQ(SSLBlockingPage::kTypeForTesting, |
| + https_warning->GetDelegateForTesting()->GetTypeForTesting()); |
| + https_warning->Proceed(); |
| + content::WaitForInterstitialDetach( |
| + browser()->tab_strip_model()->GetActiveWebContents()); |
| + |
| + return SetupWarningAndNavigateToURL(url); |
| + } |
| + |
| // Adds a safebrowsing result of the current test threat to the fake |
| // safebrowsing service, navigates to that page, and returns the url. |
| - GURL SetupWarningAndNavigate() { |
| - GURL url = net::URLRequestMockHTTPJob::GetMockUrl(kEmptyPage); |
| + // The various wrappers supply different URLs. |
| + GURL SetupWarningAndNavigateToURL(GURL url) { |
|
estark
2016/08/24 22:30:39
nit: looks like this could be private
felt
2016/08/25 01:03:43
Done.
|
| SetURLThreatType(url, testing::get<0>(GetParam())); |
| - |
| ui_test_utils::NavigateToURL(browser(), url); |
| EXPECT_TRUE(WaitForReady()); |
| return url; |
| @@ -538,6 +587,7 @@ class SafeBrowsingBlockingPageBrowserTest |
| private: |
| TestSafeBrowsingServiceFactory factory_; |
| TestSafeBrowsingBlockingPageFactory blocking_page_factory_; |
| + net::EmbeddedTestServer https_server_; |
| DISALLOW_COPY_AND_ASSIGN(SafeBrowsingBlockingPageBrowserTest); |
| }; |
| @@ -993,6 +1043,57 @@ IN_PROC_BROWSER_TEST_P(SafeBrowsingBlockingPageBrowserTest, WhitelistUnsaved) { |
| AssertNoInterstitial(true); |
| } |
| +// Test that the security indicator is downgraded after clicking through a |
| +// Safe Browsing interstitial. |
| +IN_PROC_BROWSER_TEST_P(SafeBrowsingBlockingPageBrowserTest, |
| + SecurityState_HTTP) { |
| + SetupWarningAndNavigate(); |
| + EXPECT_TRUE(ClickAndWaitForDetach("proceed-link")); |
| + AssertNoInterstitial(true); |
| + |
| + WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| + ASSERT_TRUE(tab); |
| + ChromeSecurityStateModelClient* model_client = |
| + ChromeSecurityStateModelClient::FromWebContents(tab); |
| + ASSERT_TRUE(model_client); |
| + EXPECT_EQ(security_state::SecurityStateModel::SECURITY_ERROR, |
|
estark
2016/08/24 22:30:39
nit: could also check that model_client->GetSecuri
felt
2016/08/25 01:03:43
Done.
|
| + model_client->GetSecurityInfo().security_level); |
| +} |
| + |
| +// Test that the security indicator is downgraded even if the website has valid |
| +// HTTPS (meaning that the SB state overrides the HTTPS state). |
| +IN_PROC_BROWSER_TEST_P(SafeBrowsingBlockingPageBrowserTest, |
| + SecurityState_ValidHTTPS) { |
| + SetupWarningAndNavigateToValidHTTPS(); |
| + EXPECT_TRUE(ClickAndWaitForDetach("proceed-link")); |
| + AssertNoInterstitial(true); |
| + |
| + WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| + ASSERT_TRUE(tab); |
| + ChromeSecurityStateModelClient* model_client = |
| + ChromeSecurityStateModelClient::FromWebContents(tab); |
| + ASSERT_TRUE(model_client); |
| + EXPECT_EQ(security_state::SecurityStateModel::SECURITY_ERROR, |
| + model_client->GetSecurityInfo().security_level); |
|
estark
2016/08/24 22:30:39
nit: as a sanity check, you could do EXPECT_EQ(0,
felt
2016/08/25 01:03:43
Done.
|
| +} |
| + |
| +// Test that the security indicator is still downgraded after two interstitials |
| +// are shown in a row (one for Safe Browsing, one for invalid HTTPS). |
| +IN_PROC_BROWSER_TEST_P(SafeBrowsingBlockingPageBrowserTest, |
| + SecurityState_InvalidHTTPS) { |
| + SetupWarningAndNavigateToInvalidHTTPS(); |
| + EXPECT_TRUE(ClickAndWaitForDetach("proceed-link")); |
| + AssertNoInterstitial(true); |
| + |
| + WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| + ASSERT_TRUE(tab); |
| + ChromeSecurityStateModelClient* model_client = |
| + ChromeSecurityStateModelClient::FromWebContents(tab); |
| + ASSERT_TRUE(model_client); |
| + EXPECT_EQ(security_state::SecurityStateModel::SECURITY_ERROR, |
| + model_client->GetSecurityInfo().security_level); |
| +} |
| + |
| INSTANTIATE_TEST_CASE_P( |
| SafeBrowsingBlockingPageBrowserTestWithThreatTypeAndIsolationSetting, |
| SafeBrowsingBlockingPageBrowserTest, |
