Remove SSLStatus::security_style member and content::SecurityStyle

content/child/web_url_loader_impl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/web_url_loader_impl.h"
 
 #include <openssl/ssl.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 16 matching lines @@
 #include "content/child/ftp_directory_listing_response_delegate.h"
 #include "content/child/request_extra_data.h"
 #include "content/child/resource_dispatcher.h"
 #include "content/child/shared_memory_data_consumer_handle.h"
 #include "content/child/sync_load_response.h"
 #include "content/child/web_url_request_util.h"
 #include "content/child/weburlresponse_extradata_impl.h"
 #include "content/common/resource_messages.h"
 #include "content/common/resource_request.h"
 #include "content/common/resource_request_body_impl.h"
-#include "content/common/security_style_util.h"
 #include "content/common/service_worker/service_worker_types.h"
 #include "content/common/url_loader.mojom.h"
 #include "content/public/child/fixed_received_data.h"
 #include "content/public/child/request_peer.h"
 #include "content/public/common/browser_side_navigation_policy.h"
 #include "net/base/data_url.h"
 #include "net/base/filename_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/ct_sct_to_string.h"
@@ skipping 43 matching lines @@
   "content-type",
   "content-length",
   "content-disposition",
   "content-range",
   "range",
   "set-cookie"
 };
 
 using HeadersVector = ResourceDevToolsInfo::HeadersVector;
 
+// TODO(estark): Figure out a way for the embedder to provide the
+// security style for a resource. Ideally, the logic for assigning
+// per-resource security styles should live in the same place as the
+// logic for assigning per-page security styles (which lives in the
+// embedder). It would also be nice for the embedder to have the chance
+// to control the per-resource security style beyond the simple logic
+// here. (For example, the embedder might want to mark certain resources
+// differently if they use SHA1 signatures.) https://crbug.com/648326

[felt, 2016/10/07 03:33:29]

Leaving this as a TODO feels a little squicky to me, but I don't have a better
suggestion at the moment.

[estark, 2016/10/07 06:34:31]

Yeah. :( What I really want to do is compute this value in
ResourceDispatcherHostImpl in the browser process (from which it would be easy
to reach into the embedder via ResourceDispatcherHostDelegate) and send it down
with the response, instead of computing it here in the renderer. But that would
interfere with jam's network servicification effort for which he painstakingly
removed SecurityStyles from the resource loader code in the browser process.
Anyway, after I polish this up a bit more I'll add him as an owners reviewer and
see if he has any suggestions for how to do this.

+SecurityStyle GetSecurityStyleForResource(const GURL& url,
+                                          net::CertStatus cert_status) {
+  if (!url.SchemeIsCryptographic())
+    return SECURITY_STYLE_UNAUTHENTICATED;
+
+  // Minor errors don't lower the security style to
+  // SECURITY_STYLE_AUTHENTICATION_BROKEN.
+  if (net::IsCertStatusError(cert_status) &&
+      !net::IsCertStatusMinorError(cert_status)) {
+    return SECURITY_STYLE_AUTHENTICATION_BROKEN;
+  }
+
+  return SECURITY_STYLE_AUTHENTICATED;
+}
+
 // Converts timing data from |load_timing| to the format used by WebKit.
 void PopulateURLLoadTiming(const net::LoadTimingInfo& load_timing,
                            WebURLLoadTiming* url_timing) {
   DCHECK(!load_timing.request_start.is_null());
 
   const TimeTicks kNullTicks;
   url_timing->initialize();
   url_timing->setRequestTime(
       (load_timing.request_start - kNullTicks).InSecondsF());
   url_timing->setProxyStart(
@@ skipping 139 matching lines @@
   const char* key_exchange_group = "";
   if (info.ssl_key_exchange_group != 0) {
     // Historically the field was named 'curve' rather than 'group'.
     key_exchange_group = SSL_get_curve_name(info.ssl_key_exchange_group);
     if (!key_exchange_group) {
       NOTREACHED();
       key_exchange_group = "";
     }
   }
 
-  SecurityStyle security_style = GetSecurityStyleForResource(
-      url, true, info.cert_status);
+  SecurityStyle security_style =
+      GetSecurityStyleForResource(url, info.cert_status);
 
   blink::WebURLResponse::SecurityStyle security_style_blink =
       WebURLResponse::SecurityStyleUnknown;
   switch (security_style) {
     case SECURITY_STYLE_UNKNOWN:
       security_style_blink = WebURLResponse::SecurityStyleUnknown;
       break;
     case SECURITY_STYLE_UNAUTHENTICATED:
       security_style_blink = WebURLResponse::SecurityStyleUnauthenticated;
       break;
@@ skipping 997 matching lines @@
     response->clearHTTPHeaderField(webStringName);
     while (response_headers->EnumerateHeader(&iterator, name, &value)) {
       response->addHTTPHeaderField(webStringName,
                                    WebString::fromLatin1(value));
     }
   }
   return true;
 }
 
 }  // namespace content