Add SSLStatus flags to feed HTTP_WARNING security level

components/security_state/security_state_model.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/security_state/security_state_model.h"
 
 #include <stdint.h>
 
 #include "base/command_line.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "components/security_state/security_state_model_client.h"
 #include "components/security_state/switches.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 
 namespace security_state {
 
 namespace {
 
-SecurityStateModel::SecurityLevel GetSecurityLevelForNonSecureFieldTrial() {
+// Do not change or reorder this enum, and add new values at the end. It is used
+// in the MarkNonSecureAs histogram.
+enum MarkNonSecureStatus {
+  NEUTRAL,
+  DUBIOUS,

[felt, 2016/09/20 06:09:41]

since you're updating the histogram anyway, what do you think of making a new
one (replacement histogram) without DUBIOUS?

[estark, 2016/09/20 17:53:33]

Done.

+  NON_SECURE,
+  HTTP_WARNING,
+  LAST_STATUS
+};
+
+// If |switch_or_field_trial_group| corresponds to a valid
+// MarkNonSecureAs group, sets |*level| and |*histogram_status| to the
+// appropriate values and returns true. Otherwise, returns false.
+bool GetSecurityLevelAndHistogramValueForNonSecureFieldTrial(
+    std::string switch_or_field_trial_group,
+    bool displayed_nonsecure_password_field,
+    bool displayed_nonsecure_credit_card_field,
+    SecurityStateModel::SecurityLevel* level,
+    MarkNonSecureStatus* histogram_status) {
+  if (switch_or_field_trial_group == switches::kMarkNonSecureAsNeutral) {
+    *level = SecurityStateModel::NONE;
+    *histogram_status = NEUTRAL;
+    return true;
+  }
+
+  if (switch_or_field_trial_group == switches::kMarkNonSecureAsNonSecure) {
+    *level = SecurityStateModel::SECURITY_ERROR;
+    *histogram_status = NON_SECURE;
+    return true;
+  }
+
+  if (switch_or_field_trial_group ==
+      switches::kMarkNonSecureWithPasswordsOrCcAsNonSecure) {
+    if (displayed_nonsecure_password_field ||
+        displayed_nonsecure_credit_card_field) {
+      *level = SecurityStateModel::HTTP_WARNING;
+      *histogram_status = HTTP_WARNING;
+    } else {
+      *level = SecurityStateModel::NONE;
+      *histogram_status = NEUTRAL;
+    }
+    return true;
+  }
+
+  return false;
+}
+
+SecurityStateModel::SecurityLevel GetSecurityLevelForNonSecureFieldTrial(
+    bool displayed_nonsecure_password_field,
+    bool displayed_nonsecure_credit_card_field) {
   std::string choice =
       base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
           switches::kMarkNonSecureAs);
   std::string group = base::FieldTrialList::FindFullName("MarkNonSecureAs");
 
-  // Do not change this enum. It is used in the histogram.
-  enum MarkNonSecureStatus { NEUTRAL, DUBIOUS, NON_SECURE, LAST_STATUS };
   const char kEnumeration[] = "MarkNonSecureAs";
 
   SecurityStateModel::SecurityLevel level = SecurityStateModel::NONE;
   MarkNonSecureStatus status;
 
-  if (choice == switches::kMarkNonSecureAsNeutral) {
-    status = NEUTRAL;
-    level = SecurityStateModel::NONE;
-  } else if (choice == switches::kMarkNonSecureAsNonSecure) {
-    status = NON_SECURE;
-    level = SecurityStateModel::SECURITY_ERROR;
-  } else if (group == switches::kMarkNonSecureAsNeutral ||
-             group == switches::kMarkNonSecureWithPasswordsOrCcAsNonSecure) {
-    status = NEUTRAL;
-    level = SecurityStateModel::NONE;
-  } else if (group == switches::kMarkNonSecureAsNonSecure) {
-    status = NON_SECURE;
-    level = SecurityStateModel::SECURITY_ERROR;
-  } else {
-    status = NEUTRAL;
-    level = SecurityStateModel::NONE;
+  // If the command-line switch is set, then it takes precedence over
+  // the field trial group.
+  if (!GetSecurityLevelAndHistogramValueForNonSecureFieldTrial(
+          choice, displayed_nonsecure_password_field,
+          displayed_nonsecure_credit_card_field, &level, &status)) {
+    if (!GetSecurityLevelAndHistogramValueForNonSecureFieldTrial(
+            group, displayed_nonsecure_password_field,
+            displayed_nonsecure_credit_card_field, &level, &status)) {
+      // If neither the command-line switch nor field trial group is set, then
+      // nonsecure defaults to neutral.
+      status = NEUTRAL;
+      level = SecurityStateModel::NONE;
+    }
   }
 
   UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS);
   return level;
 }
 
 SecurityStateModel::SHA1DeprecationStatus GetSHA1DeprecationStatus(
     scoped_refptr<net::X509Certificate> cert,
     const SecurityStateModel::VisibleSecurityState& visible_security_state) {
   if (!cert ||
@@ skipping 35 matching lines @@
 
   // Override the connection security information if the website failed the
   // browser's malware checks.
   if (visible_security_state.fails_malware_check)
     return SecurityStateModel::SECURITY_ERROR;
 
   GURL url = visible_security_state.url;
   switch (visible_security_state.initial_security_level) {
     case SecurityStateModel::NONE:
     case SecurityStateModel::HTTP_WARNING: {
-      if (!client->IsOriginSecure(url) && url.IsStandard())
-        return GetSecurityLevelForNonSecureFieldTrial();
+      if (!client->IsOriginSecure(url) && url.IsStandard()) {
+        return GetSecurityLevelForNonSecureFieldTrial(
+            visible_security_state.displayed_nonsecure_password_field,
+            visible_security_state.displayed_nonsecure_credit_card_field);
+      }
       return SecurityStateModel::NONE;
     }
 
     case SecurityStateModel::SECURITY_ERROR:
       return SecurityStateModel::SECURITY_ERROR;
 
     case SecurityStateModel::SECURITY_WARNING:
     case SecurityStateModel::SECURITY_POLICY_WARNING:
       return visible_security_state.initial_security_level;
 
@@ skipping 175 matching lines @@
       fails_malware_check(false),
       connection_info_initialized(false),
       cert_status(0),
       connection_status(0),
       key_exchange_group(0),
       security_bits(-1),
       displayed_mixed_content(false),
       ran_mixed_content(false),
       displayed_content_with_cert_errors(false),
       ran_content_with_cert_errors(false),
-      pkp_bypassed(false) {}
+      pkp_bypassed(false),
+      displayed_nonsecure_password_field(false),
+      displayed_nonsecure_credit_card_field(false) {}
 
 SecurityStateModel::VisibleSecurityState::~VisibleSecurityState() {}
 
 bool SecurityStateModel::VisibleSecurityState::operator==(
     const SecurityStateModel::VisibleSecurityState& other) const {
   return (url == other.url &&
           initial_security_level == other.initial_security_level &&
           fails_malware_check == other.fails_malware_check &&
           !!certificate == !!other.certificate &&
           (certificate ? certificate->Equals(other.certificate.get()) : true) &&
           connection_status == other.connection_status &&
           key_exchange_group == other.key_exchange_group &&
           security_bits == other.security_bits &&
           sct_verify_statuses == other.sct_verify_statuses &&
           displayed_mixed_content == other.displayed_mixed_content &&
           ran_mixed_content == other.ran_mixed_content &&
           displayed_content_with_cert_errors ==
               other.displayed_content_with_cert_errors &&
           ran_content_with_cert_errors == other.ran_content_with_cert_errors &&
-          pkp_bypassed == other.pkp_bypassed);
+          pkp_bypassed == other.pkp_bypassed &&
+          displayed_nonsecure_password_field ==
+              other.displayed_nonsecure_password_field &&
+          displayed_nonsecure_credit_card_field ==
+              other.displayed_nonsecure_credit_card_field);
 }
 
 }  // namespace security_state