New SSL blocking screen

chrome/browser/ssl/ssl_blocking_page.cc

Index: chrome/browser/ssl/ssl_blocking_page.cc
diff --git a/chrome/browser/ssl/ssl_blocking_page.cc b/chrome/browser/ssl/ssl_blocking_page.cc
index 8ed43633fc336659735411577deaf962fe319dd9..b0abf28a20ea481636e4c84106c92977c5c1e524 100644
--- a/chrome/browser/ssl/ssl_blocking_page.cc
+++ b/chrome/browser/ssl/ssl_blocking_page.cc
@@ -7,6 +7,7 @@
 #include "base/i18n/rtl.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
@@ -51,7 +52,8 @@ enum SSLBlockingPageCommands {
   CMD_DONT_PROCEED,
   CMD_PROCEED,
   CMD_FOCUS,
-  CMD_MORE
+  CMD_MORE,
+  CMD_RELOAD,
 };
 
 // Events for UMA.
@@ -198,51 +200,135 @@ SSLBlockingPage::~SSLBlockingPage() {
 }
 
 std::string SSLBlockingPage::GetHTMLContents() {
-  // Let's build the html error page.
   DictionaryValue strings;
-  SSLErrorInfo error_info =
-      SSLErrorInfo::CreateError(SSLErrorInfo::NetErrorToErrorType(cert_error_),
-                                ssl_info_.cert.get(),
-                                request_url_);
-
-  int resource_id = IDR_SSL_ROAD_BLOCK_HTML;
-  strings.SetString("headLine", error_info.title());
-  strings.SetString("description", error_info.details());
-  strings.SetString("moreInfoTitle",
-      l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_TITLE));
-  SetExtraInfo(&strings, error_info.extra_information());
-
-  strings.SetString("exit",
-                    l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_EXIT));
-
+  int resource_id;
   if (overridable_ && !strict_enforcement_) {
-    strings.SetString("title",
-                      l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_TITLE));
-    strings.SetString("proceed",
-                      l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_PROCEED));
-    strings.SetString("reasonForNotProceeding",
-                      l10n_util::GetStringUTF16(
-                          IDS_SSL_BLOCKING_PAGE_SHOULD_NOT_PROCEED));
+    // Let's build the overridable error page.
+    SSLErrorInfo error_info =
+        SSLErrorInfo::CreateError(
+            SSLErrorInfo::NetErrorToErrorType(cert_error_),
+            ssl_info_.cert.get(),
+            request_url_);
+
+    resource_id = IDR_SSL_ROAD_BLOCK_HTML;
+    strings.SetString("headLine", error_info.title());
+    strings.SetString("description", error_info.details());
+    strings.SetString("moreInfoTitle",
+        l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_TITLE));
+    SetExtraInfo(&strings, error_info.extra_information());
+
+    strings.SetString(
+        "exit", l10n_util::GetStringUTF16(IDS_SSL_OVERRIDABLE_PAGE_EXIT));
+    strings.SetString(
+        "title", l10n_util::GetStringUTF16(IDS_SSL_OVERRIDABLE_PAGE_TITLE));
+    strings.SetString(
+        "proceed", l10n_util::GetStringUTF16(IDS_SSL_OVERRIDABLE_PAGE_PROCEED));
+    strings.SetString(
+        "reasonForNotProceeding", l10n_util::GetStringUTF16(
+            IDS_SSL_OVERRIDABLE_PAGE_SHOULD_NOT_PROCEED));
     strings.SetString("errorType", "overridable");
+    strings.SetString("textdirection", base::i18n::IsRTL() ? "rtl" : "ltr");
   } else {
-    strings.SetString("title",
-                      l10n_util::GetStringUTF16(IDS_SSL_ERROR_PAGE_TITLE));
+    // Let's build the blocking error page.
+    resource_id = IDR_SSL_BLOCKING_HTML;
+
+    // Strings that are not dependent on the URL.
+    strings.SetString(
+        "title", l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_TITLE));
+    strings.SetString(
+        "secondPar",
+        l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_SECOND_PAR));
+    strings.SetString(
+        "reloadMsg", l10n_util::GetStringUTF16(IDS_ERRORPAGES_BUTTON_RELOAD));
+    strings.SetString(
+        "more", l10n_util::GetStringUTF16(IDS_ERRORPAGES_BUTTON_MORE));
+    strings.SetString(
+        "less", l10n_util::GetStringUTF16(IDS_ERRORPAGES_BUTTON_LESS));
+    strings.SetString(
+        "moreTitle",
+        l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_MORE_TITLE));
+    strings.SetString(
+        "moreContentSecond",
+        l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_MORE_SECOND_PAR));
+    strings.SetString(
+        "techTitle",
+        l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_TECH_TITLE));
+
+    // Strings that are dependent on the URL.
+    string16 url(ASCIIToUTF16(request_url_.host()));
+    bool rtl = base::i18n::IsRTL();
+    strings.SetString("textDirection", rtl ? "rtl" : "ltr");
+    if (rtl)
+      base::i18n::WrapStringWithLTRFormatting(&url);
+    strings.SetString(
+        "headline", l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_HEADLINE,
+                                               url.c_str()));
+    strings.SetString(
+        "firstPar", l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_FIRST_PAR,
+                                               url.c_str()));
+    strings.SetString(
+        "thirdPar", l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_THIRD_PAR,
+                                               url.c_str()));
+    strings.SetString(
+        "moreContentFirst",
+        l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_MORE_FIRST_PAR,
+                                   url.c_str()));
+    strings.SetString("reloadUrl", request_url_.spec());
+
+    // Strings that are dependent on the error type.
+    SSLErrorInfo::ErrorType type =
+        SSLErrorInfo::NetErrorToErrorType(cert_error_);
+    string16 errorType;
     if (strict_enforcement_) {
-      strings.SetString("reasonForNotProceeding",
-                        l10n_util::GetStringUTF16(
-                            IDS_SSL_ERROR_PAGE_CANNOT_PROCEED));
+      errorType = string16(ASCIIToUTF16("HSTS failure"));

[palmer, 2013/09/06 17:01:33]

This string bothers me a tiny bit, because even when HSTS is not in use, pin
validation failures are also non-overridable. So "HSTS" isn't strictly correct.
Maybe "Strict authentication failure" or something? FWIW.

[felt, 2013/09/06 17:37:47]

At the present time, only HSTS can trigger this case as far as I can tell. When
I modify* cert pinning errors to go through this warning, the cases will be
split up to differentiate between the two.

*in a CL coming soon to a code review near you

[felt, 2013/09/09 14:34:12]

However, I did add the strings to the grd file so you can see them if you want.

+      strings.SetString(
+          "failure",
+          l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_HSTS, url.c_str()));
+    } else if (type == SSLErrorInfo::CERT_REVOKED) {
+      errorType = string16(ASCIIToUTF16("Key revocation"));
+      strings.SetString(
+          "failure",
+          l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_REVOKED));
     } else {
-      strings.SetString("reasonForNotProceeding", std::string());
+      // This is SSLErrorInfo::CERT_INVALID and any other corner case.
+      errorType = string16(ASCIIToUTF16("Malformed certificate"));
+      strings.SetString(
+          "failure",
+          l10n_util::GetStringUTF16(IDS_SSL_BLOCKING_PAGE_FORMATTED));
     }
-    strings.SetString("errorType", "notoverridable");
+    if (rtl)
+      base::i18n::WrapStringWithLTRFormatting(&errorType);
+    strings.SetString(
+        "errorType", l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_ERROR,
+                                                errorType.c_str()));
+
+    // Strings that display the invalid cert.
+    string16 subject(ASCIIToUTF16(ssl_info_.cert->subject().GetDisplayName()));
+    string16 issuer(ASCIIToUTF16(ssl_info_.cert->issuer().GetDisplayName()));
+    string16 fingerprint(ASCIIToUTF16(
+        base::HexEncode(ssl_info_.cert->fingerprint().data,

[palmer, 2013/09/06 17:01:33]

Ahh, so answering my previous question: The fingerprint of the whole
certificate, not just the SPKI. I am not sure which is best; how do you hope
users will use the fingerprint?

[felt, 2013/09/06 17:37:47]

Someone (either you or Sleevi) asked me to put the fingerprint so that people
could copy and paste it and share it in a help forum if they needed to. I
figured this would be the right one, but I am honestly not sure. Do you have an
opinion?

[felt, 2013/09/09 14:34:12]

Updated this to SPKI hashes.

+                        sizeof(ssl_info_.cert->fingerprint().data))));
+    if (rtl) {
+      // These are always going to be LTR.
+      base::i18n::WrapStringWithLTRFormatting(&subject);
+      base::i18n::WrapStringWithLTRFormatting(&issuer);
+      base::i18n::WrapStringWithLTRFormatting(&fingerprint);
+    }
+    strings.SetString(
+        "subject", l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_SUBJECT,
+                                              subject.c_str()));
+    strings.SetString(
+        "issuer", l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_ISSUER,
+                                             issuer.c_str()));
+    strings.SetString(
+        "fingerprint",
+        l10n_util::GetStringFUTF16(IDS_SSL_BLOCKING_PAGE_FINGERPRINT,
+                                   fingerprint.c_str()));
   }
 
-  strings.SetString("textdirection", base::i18n::IsRTL() ? "rtl" : "ltr");
-
   base::StringPiece html(
       ResourceBundle::GetSharedInstance().GetRawDataResource(
           resource_id));
-
   return webui::GetI18nTemplateHtml(html, &strings);
 }
 
@@ -274,6 +360,10 @@ void SSLBlockingPage::CommandReceived(const std::string& command) {
     display_start_time_ = base::TimeTicks::Now();
   } else if (cmd == CMD_MORE) {
     RecordSSLBlockingPageEventStats(MORE);
+  } else if (cmd == CMD_RELOAD) {
+    // The interstitial can't refresh itself.
+    content::NavigationController* controller = &web_contents_->GetController();
+    controller->Reload(true);
   }
 }