chrome/browser/ssl/chrome_security_state_model_client.cc - Issue 2432933004: Adjust HTTP-bad console messages

Side by Side Diff: chrome/browser/ssl/chrome_security_state_model_client.cc

Issue 2432933004: Adjust HTTP-bad console messages (Closed)

Patch Set: Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « no previous file | chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc » ('j') | chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/browser/ssl/chrome_security_state_model_client.h"	5 #include "chrome/browser/ssl/chrome_security_state_model_client.h"

6	6

7 #include <openssl/ssl.h>	7 #include <openssl/ssl.h>

8	8

9 #include <vector>	9 #include <vector>

10	10

(...skipping 317 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
328 security_state_model_->GetSecurityInfo(result);	328 security_state_model_->GetSecurityInfo(result);

329 }	329 }

330	330

331 void ChromeSecurityStateModelClient::VisibleSSLStateChanged() {	331 void ChromeSecurityStateModelClient::VisibleSSLStateChanged() {

332 if (logged_http_warning_on_current_navigation_)	332 if (logged_http_warning_on_current_navigation_)

333 return;	333 return;

334	334

335 security_state::SecurityStateModel::SecurityInfo security_info;	335 security_state::SecurityStateModel::SecurityInfo security_info;

336 GetSecurityInfo(&security_info);	336 GetSecurityInfo(&security_info);

337 if (security_info.security_level ==	337 if (security_info.security_level ==

338 security_state::SecurityStateModel::HTTP_SHOW_WARNING) {	338 security_state::SecurityStateModel::HTTP_SHOW_WARNING) {
	elawrence 2016/10/20 17:18:29 Is the reason that we don't check displayed_privat Is the reason that we don't check displayed_private_user_data_input_on_http here that the only way we light up HTTP_SHOW_WARNING today is when that's set? If so, will this change in the future? Should we assert that expectation e.g. DCHECK(displayed_private_user_data_input_on_http)? estark 2016/10/20 17:45:03 It initially seemed redundant to me, but I think y Show quoted text On 2016/10/20 17:18:29, elawrence wrote: > Is the reason that we don't check displayed_private_user_data_input_on_http here > that the only way we light up HTTP_SHOW_WARNING today is when that's set? If so, > will this change in the future? > > Should we assert that expectation e.g. > DCHECK(displayed_private_user_data_input_on_http)? It initially seemed redundant to me, but I think you're right that we should check it to be future-proof. Now I'm early-returning if displayed_private_user_data_input_on_http is false.
339 web_contents_->GetMainFrame()->AddMessageToConsole(	339 web_contents_->GetMainFrame()->AddMessageToConsole(

340 content::CONSOLE_MESSAGE_LEVEL_WARNING,	340 content::CONSOLE_MESSAGE_LEVEL_WARNING,

341 "In Chrome M56 (Jan 2017), this page will be marked "	341 "This page includes a password or credit card input over HTTP. A "
	elawrence 2016/10/20 17:18:29 I worry that "over HTTP" is unnecessarily specific I worry that "over HTTP" is unnecessarily specific; maybe "in a non-secure context" to cover cases of an HTTPS iframe hosted by a HTTP/FTP/FILE/DATA-sourced page? estark 2016/10/20 17:45:03 Done. Show quoted text On 2016/10/20 17:18:29, elawrence wrote: > I worry that "over HTTP" is unnecessarily specific; maybe "in a non-secure > context" to cover cases of an HTTPS iframe hosted by a > HTTP/FTP/FILE/DATA-sourced page? Done.
342 "as \"not secure\" in the URL bar. For more "	342 "warning has been added to the URL bar. For more information, see "

343 "information, see https://goo.gl/zmWq3m");	343 "https://goo.gl/zmWq3m. For feedback, please use "
	elawrence 2016/10/20 17:18:29 What kind of "feedback" are we looking for here? L What kind of "feedback" are we looking for here? Leaving it open could well mean the bug immediately gets spammed with all manner of junk and we have to close it for comments? As I understand things from EmilySch, we're going to point the goo.gl link at the Developer Guidance doc, and we can update that to include the link to the CRBug? estark 2016/10/20 17:45:03 So you mean that we should delete the bug link bec Show quoted text On 2016/10/20 17:18:29, elawrence wrote: > What kind of "feedback" are we looking for here? Leaving it open could well mean > the bug immediately gets spammed with all manner of junk and we have to close it > for comments? > > As I understand things from EmilySch, we're going to point the goo.gl link at > the Developer Guidance doc, and we can update that to include the link to the > CRBug? So you mean that we should delete the bug link because the goo.gl link will link to it? If so, done.
	344 "https://crbug.com/578317");

	345 logged_http_warning_on_current_navigation_ = true;

	346 } else if (security_info.security_level ==

	347 security_state::SecurityStateModel::NONE &&

	348 security_info.displayed_private_user_data_input_on_http) {

	349 web_contents_->GetMainFrame()->AddMessageToConsole(

	350 content::CONSOLE_MESSAGE_LEVEL_WARNING,

	351 "This page includes a password or credit card input over HTTP. A "

	352 "warning will be added to the URL bar in Chrome 56 (Jan 2017). For "

	353 "more information, see https://goo.gl/zmWq3m. For feedback, please use "

	354 "https://crbug.com/578317");

344 logged_http_warning_on_current_navigation_ = true;	355 logged_http_warning_on_current_navigation_ = true;

345 }	356 }

346 }	357 }

347	358

348 void ChromeSecurityStateModelClient::DidFinishNavigation(	359 void ChromeSecurityStateModelClient::DidFinishNavigation(

349 content::NavigationHandle* navigation_handle) {	360 content::NavigationHandle* navigation_handle) {

350 if (navigation_handle->IsInMainFrame() &&	361 if (navigation_handle->IsInMainFrame() &&

351 !navigation_handle->IsSynchronousNavigation()) {	362 !navigation_handle->IsSynchronousNavigation()) {

352 // Only reset the console message flag for main-frame navigations,	363 // Only reset the console message flag for main-frame navigations,

353 // and not for synchronous navigations like reference fragments and	364 // and not for synchronous navigations like reference fragments and

(...skipping 58 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
412 !!(ssl.content_status & content::SSLStatus::RAN_CONTENT_WITH_CERT_ERRORS);	423 !!(ssl.content_status & content::SSLStatus::RAN_CONTENT_WITH_CERT_ERRORS);

413 state->displayed_password_field_on_http =	424 state->displayed_password_field_on_http =

414 !!(ssl.content_status &	425 !!(ssl.content_status &

415 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);	426 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP);

416 state->displayed_credit_card_field_on_http =	427 state->displayed_credit_card_field_on_http =

417 !!(ssl.content_status &	428 !!(ssl.content_status &

418 content::SSLStatus::DISPLAYED_CREDIT_CARD_FIELD_ON_HTTP);	429 content::SSLStatus::DISPLAYED_CREDIT_CARD_FIELD_ON_HTTP);

419	430

420 CheckSafeBrowsingStatus(entry, web_contents_, state);	431 CheckSafeBrowsingStatus(entry, web_contents_, state);

421 }	432 }

OLD	NEW