
Unified Diff: chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc

Issue 2362523003: Add (some) password detection for HTTP-bad (Closed)
Patch Set: trigger the downgrade from OnPasswordFormsParsed Created 4 years, 2 months ago
Index: chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
diff --git a/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc b/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
index 995d4fe6d8f4a826f42477b442c43c96b456f664..09efcb16d05947ae42d3e8db99b451cc8a3efcbc 100644
--- a/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
+++ b/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
@@ -24,6 +24,7 @@
#include "chrome/test/base/in_process_browser_test.h"
#include "chrome/test/base/ui_test_utils.h"
#include "components/prefs/pref_service.h"
+#include "components/security_state/switches.h"
#include "content/public/browser/interstitial_page.h"
#include "content/public/browser/navigation_controller.h"
#include "content/public/browser/navigation_entry.h"
@@ -302,6 +303,38 @@ class ChromeSecurityStateModelClientTest : public CertVerifierBrowserTest {
DISALLOW_COPY_AND_ASSIGN(ChromeSecurityStateModelClientTest);
};
+GURL GetURLWithNonLocalHostname(net::EmbeddedTestServer* server,
+ const std::string& path) {
+ GURL::Replacements replace_host;
+ replace_host.SetHostStr("example.test");
+ return server->GetURL(path).ReplaceComponents(replace_host);
+}
+
+class ChromeSecurityStateModelClientTestWithPasswordCcSwitch
+ : public ChromeSecurityStateModelClientTest {
+ public:
+ ChromeSecurityStateModelClientTestWithPasswordCcSwitch()
+ : ChromeSecurityStateModelClientTest() {}
+
+ void SetUpOnMainThread() override {
+ ASSERT_TRUE(embedded_test_server()->Start());
+ ASSERT_TRUE(https_server_.Start());
+ host_resolver()->AddRule("*", embedded_test_server()->GetURL("/").host());
+ SetUpMockCertVerifierForHttpsServer(0, net::OK);
+ }
+
+ void SetUpCommandLine(base::CommandLine* command_line) override {
+ ChromeSecurityStateModelClientTest::SetUpCommandLine(command_line);
+ command_line->AppendSwitchASCII(
+ security_state::switches::kMarkHttpAs,
+ security_state::switches::kMarkHttpWithPasswordsOrCcWithChip);
+ }
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(
+ ChromeSecurityStateModelClientTestWithPasswordCcSwitch);
+};
+
class SecurityStyleChangedTest : public InProcessBrowserTest {
public:
SecurityStyleChangedTest()
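Review bot: GetURLWithNonLocalHostname carries no comment saying why the host is rewritten, and the fixture's SetUpOnMainThread adds a catch-all host_resolver rule without saying what it is for; the pairing is the non-obvious part of this hunk. Presumably the intent is that the page under test is served from a name that is not treated as a local/loopback origin, with the resolver rule mapping every hostname back to the embedded server — worth stating so the next reader does not drop one half. Suggest above the helper: `// Returns |server|'s URL for |path| with the host replaced by a non-local hostname; callers must have a host_resolver() rule that maps it back to the server.` If the helper is not already inside the file's anonymous namespace (its surroundings are outside the hunk), it should be, per the usual .cc convention.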
@@ -904,6 +937,191 @@ IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTest,
.displayed_credit_card_field_on_http);
}
+// Tests that when a visible password field is detected on an HTTP page
+// load, and when the command-line flag is set, the security level is
+// downgraded to HTTP_SHOW_WARNING.
+IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTestWithPasswordCcSwitch,
+ PasswordSecurityLevelDowngraded) {
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ ChromeSecurityStateModelClient* model_client =
+ ChromeSecurityStateModelClient::FromWebContents(contents);
+ ASSERT_TRUE(model_client);
+
+ ui_test_utils::NavigateToURL(
+ browser(), GetURLWithNonLocalHostname(embedded_test_server(),
+ "/password/simple_password.html"));
+ security_state::SecurityStateModel::SecurityInfo security_info;
+ model_client->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::SecurityStateModel::HTTP_SHOW_WARNING,
+ security_info.security_level);
+
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_TRUE(entry->GetSSL().content_status &
+ content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);
+}
+
+// Tests that when an invisible password field is present on an HTTP page
+// load, and when the command-line flag is set, the security level is
+// downgraded to HTTP_SHOW_WARNING.
+//
+// TODO(estark): this will eventually be refined so that the warning
+// will not show up for invisible password
+// inputs. https://codereview.chromium.org/2378503002/
+IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTestWithPasswordCcSwitch,
+ PasswordSecurityLevelDowngradedForInvisibleInput) {
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ ChromeSecurityStateModelClient* model_client =
+ ChromeSecurityStateModelClient::FromWebContents(contents);
+ ASSERT_TRUE(model_client);
+
+ ui_test_utils::NavigateToURL(
+ browser(),
+ GetURLWithNonLocalHostname(embedded_test_server(),
+ "/password/invisible_password.html"));
+ security_state::SecurityStateModel::SecurityInfo security_info;
+ model_client->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::SecurityStateModel::HTTP_SHOW_WARNING,
+ security_info.security_level);
+
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_TRUE(entry->GetSSL().content_status &
+ content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);
+}
+
+// Tests that when a visible password field is detected inside an iframe
+// on an HTTP page load, and when the command-line flag is set, the
+// security level is downgraded to HTTP_SHOW_WARNING.
+IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTestWithPasswordCcSwitch,
+ PasswordSecurityLevelDowngradedFromIframe) {
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ ChromeSecurityStateModelClient* model_client =
+ ChromeSecurityStateModelClient::FromWebContents(contents);
+ ASSERT_TRUE(model_client);
+
+ ui_test_utils::NavigateToURL(
+ browser(),
+ GetURLWithNonLocalHostname(embedded_test_server(),
+ "/password/simple_password_in_iframe.html"));
+ security_state::SecurityStateModel::SecurityInfo security_info;
+ model_client->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::SecurityStateModel::HTTP_SHOW_WARNING,
+ security_info.security_level);
+
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_TRUE(entry->GetSSL().content_status &
+ content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);
+}
+
+// Tests that when a visible password field is detected inside an iframe
+// on an HTTP page load, and when the command-line flag is set, the
+// security level is downgraded to HTTP_SHOW_WARNING, even if the iframe
+// itself was loaded over HTTPS.
+IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTestWithPasswordCcSwitch,
+ PasswordSecurityLevelDowngradedFromHttpsIframe) {
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ ChromeSecurityStateModelClient* model_client =
+ ChromeSecurityStateModelClient::FromWebContents(contents);
+ ASSERT_TRUE(model_client);
+
+ // Navigate to an HTTP URL, which loads an iframe using the host and port of
+ // |https_server_|.
+ std::string replacement_path;
+ GetFilePathWithHostAndPortReplacement(
+ "/password/simple_password_in_https_iframe.html",
+ https_server_.host_port_pair(), &replacement_path);
+ ui_test_utils::NavigateToURL(
+ browser(),
+ GetURLWithNonLocalHostname(embedded_test_server(), replacement_path));
+ security_state::SecurityStateModel::SecurityInfo security_info;
+ model_client->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::SecurityStateModel::HTTP_SHOW_WARNING,
+ security_info.security_level);
+
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_TRUE(entry->GetSSL().content_status &
+ content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);
+}
+
+// Tests that when a visible password field is detected on an HTTP page
+// load, and when the command-line flag is *not* set, the security level is
+// *not* downgraded to HTTP_SHOW_WARNING.
+IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTest,
+ PasswordSecurityLevelNotDowngradedWithoutSwitch) {
+ ASSERT_TRUE(embedded_test_server()->Start());
+ host_resolver()->AddRule("*", embedded_test_server()->GetURL("/").host());
+
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ ChromeSecurityStateModelClient* model_client =
+ ChromeSecurityStateModelClient::FromWebContents(contents);
+ ASSERT_TRUE(model_client);
+
+ ui_test_utils::NavigateToURL(
+ browser(), GetURLWithNonLocalHostname(embedded_test_server(),
+ "/password/simple_password.html"));
+ // The security level should not be HTTP_SHOW_WARNING, because the
+ // command-line switch was not set.
+ security_state::SecurityStateModel::SecurityInfo security_info;
+ model_client->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::SecurityStateModel::NONE,
+ security_info.security_level);
+
+ // The appropriate SSLStatus flags should be set, however.
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_TRUE(entry->GetSSL().content_status &
+ content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);
+}
+
+// Tests that when a visible password field is detected on an HTTPS page
+// load, and when the command-line flag is set, the security level is
+// *not* downgraded to HTTP_SHOW_WARNING.
+IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTestWithPasswordCcSwitch,
+ PasswordSecurityLevelNotDowngradedOnHttps) {
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ ChromeSecurityStateModelClient* model_client =
+ ChromeSecurityStateModelClient::FromWebContents(contents);
+ ASSERT_TRUE(model_client);
+
+ GURL url = GetURLWithNonLocalHostname(&https_server_,
+ "/password/simple_password.html");
+ ui_test_utils::NavigateToURL(browser(), url);
+ // The security level should not be HTTP_SHOW_WARNING, because the page was
+ // HTTPS instead of HTTP.
+ security_state::SecurityStateModel::SecurityInfo security_info;
+ model_client->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::SecurityStateModel::SECURE,
+ security_info.security_level);
+
+ // The SSLStatus flags should only be set if the top-level page load was HTTP,
+ // which it was not in this case.
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_FALSE(entry->GetSSL().content_status &
+ content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);
+}
+
// Tests that the SecurityStateModel for a WebContents is up to date
// when the WebContents is inserted into a Browser's TabStripModel.
IN_PROC_BROWSER_TEST_F(ChromeSecurityStateModelClientTest, AddedTab) {
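Review bot: The six new tests repeat the same fetch-contents / fetch-client / navigate / GetSecurityInfo / check-SSLStatus sequence verbatim, differing only in the URL, the expected level and the expected flag, so each future tweak to the check has to be made six times; PasswordSecurityLevelNotDowngradedWithoutSwitch additionally inlines the server start and resolver rule that the switch fixture does in SetUpOnMainThread. A small helper that takes the URL, the expected SecurityLevel and whether DISPLAYED_PASSWORD_FIELD_ON_HTTP is expected would reduce each test body to one or two lines. One thing to confirm while doing so: the security level checked here is driven by OnPasswordFormsParsed (per the patch-set description), and if that notification can arrive after NavigateToURL returns, the EXPECT_EQ on security_level may be racy and would need an explicit wait rather than relying on load completion.

```cpp
// Navigates |browser| to |url| and checks the resulting security level and
// whether the DISPLAYED_PASSWORD_FIELD_ON_HTTP SSLStatus flag is set.
void NavigateAndCheckPasswordState(
    Browser* browser,
    const GURL& url,
    security_state::SecurityStateModel::SecurityLevel expected_level,
    bool expect_password_flag) {
  content::WebContents* contents =
      browser->tab_strip_model()->GetActiveWebContents();
  ASSERT_TRUE(contents);
  ChromeSecurityStateModelClient* model_client =
      ChromeSecurityStateModelClient::FromWebContents(contents);
  ASSERT_TRUE(model_client);

  ui_test_utils::NavigateToURL(browser, url);
  security_state::SecurityStateModel::SecurityInfo security_info;
  model_client->GetSecurityInfo(&security_info);
  EXPECT_EQ(expected_level, security_info.security_level);

  content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
  ASSERT_TRUE(entry);
  EXPECT_EQ(expect_password_flag,
            !!(entry->GetSSL().content_status &
               content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP));
}

// … unchanged: test bodies become single calls, e.g.
// NavigateAndCheckPasswordState(browser(),
//     GetURLWithNonLocalHostname(embedded_test_server(),
//                                "/password/simple_password.html"),
//     security_state::SecurityStateModel::HTTP_SHOW_WARNING, true); …
```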