| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/ssl/security_state_tab_helper.h" |
| 6 |
| 7 #include "base/bind.h" |
| 8 #include "base/metrics/histogram_macros.h" |
| 9 #include "build/build_config.h" |
| 10 #include "chrome/browser/browser_process.h" |
| 11 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
| 12 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
| 13 #include "chrome/browser/profiles/profile.h" |
| 14 #include "chrome/browser/safe_browsing/safe_browsing_service.h" |
| 15 #include "chrome/browser/safe_browsing/ui_manager.h" |
| 16 #include "components/security_state/content/content_utils.h" |
| 17 #include "content/public/browser/navigation_entry.h" |
| 18 #include "content/public/browser/navigation_handle.h" |
| 19 #include "content/public/browser/render_frame_host.h" |
| 20 #include "content/public/browser/web_contents.h" |
| 21 #include "content/public/common/origin_util.h" |
| 22 #include "net/base/net_errors.h" |
| 23 #include "net/cert/x509_certificate.h" |
| 24 #include "net/ssl/ssl_cipher_suite_names.h" |
| 25 #include "net/ssl/ssl_connection_status_flags.h" |
| 26 #include "third_party/boringssl/src/include/openssl/ssl.h" |
| 27 #include "ui/base/l10n/l10n_util.h" |
| 28 |
| 29 DEFINE_WEB_CONTENTS_USER_DATA_KEY(SecurityStateTabHelper); |
| 30 |
| 31 using safe_browsing::SafeBrowsingUIManager; |
| 32 |
| 33 SecurityStateTabHelper::SecurityStateTabHelper( |
| 34 content::WebContents* web_contents) |
| 35 : content::WebContentsObserver(web_contents), |
| 36 logged_http_warning_on_current_navigation_(false) {} |
| 37 |
| 38 SecurityStateTabHelper::~SecurityStateTabHelper() {} |
| 39 |
| 40 void SecurityStateTabHelper::GetSecurityInfo( |
| 41 security_state::SecurityInfo* result) const { |
| 42 security_state::GetSecurityInfo(GetVisibleSecurityState(), |
| 43 UsedPolicyInstalledCertificate(), |
| 44 base::Bind(&content::IsOriginSecure), result); |
| 45 } |
| 46 |
| 47 void SecurityStateTabHelper::VisibleSecurityStateChanged() { |
| 48 if (logged_http_warning_on_current_navigation_) |
| 49 return; |
| 50 |
| 51 security_state::SecurityInfo security_info; |
| 52 GetSecurityInfo(&security_info); |
| 53 if (!security_info.displayed_password_field_on_http && |
| 54 !security_info.displayed_credit_card_field_on_http) { |
| 55 return; |
| 56 } |
| 57 |
| 58 std::string warning; |
| 59 bool warning_is_user_visible = false; |
| 60 switch (security_info.security_level) { |
| 61 case security_state::HTTP_SHOW_WARNING: |
| 62 warning = |
| 63 "This page includes a password or credit card input in a non-secure " |
| 64 "context. A warning has been added to the URL bar. For more " |
| 65 "information, see https://goo.gl/zmWq3m."; |
| 66 warning_is_user_visible = true; |
| 67 break; |
| 68 case security_state::NONE: |
| 69 case security_state::DANGEROUS: |
| 70 warning = |
| 71 "This page includes a password or credit card input in a non-secure " |
| 72 "context. A warning will be added to the URL bar in Chrome 56 (Jan " |
| 73 "2017). For more information, see https://goo.gl/zmWq3m."; |
| 74 break; |
| 75 default: |
| 76 return; |
| 77 } |
| 78 |
| 79 logged_http_warning_on_current_navigation_ = true; |
| 80 web_contents()->GetMainFrame()->AddMessageToConsole( |
| 81 content::CONSOLE_MESSAGE_LEVEL_WARNING, warning); |
| 82 |
| 83 if (security_info.displayed_credit_card_field_on_http) { |
| 84 UMA_HISTOGRAM_BOOLEAN( |
| 85 "Security.HTTPBad.UserWarnedAboutSensitiveInput.CreditCard", |
| 86 warning_is_user_visible); |
| 87 } |
| 88 if (security_info.displayed_password_field_on_http) { |
| 89 UMA_HISTOGRAM_BOOLEAN( |
| 90 "Security.HTTPBad.UserWarnedAboutSensitiveInput.Password", |
| 91 warning_is_user_visible); |
| 92 } |
| 93 } |
| 94 |
| 95 void SecurityStateTabHelper::DidFinishNavigation( |
| 96 content::NavigationHandle* navigation_handle) { |
| 97 if (navigation_handle->IsInMainFrame() && !navigation_handle->IsSamePage()) { |
| 98 // Only reset the console message flag for main-frame navigations, |
| 99 // and not for same-page navigations like reference fragments and pushState. |
| 100 logged_http_warning_on_current_navigation_ = false; |
| 101 } |
| 102 } |
| 103 |
| 104 bool SecurityStateTabHelper::UsedPolicyInstalledCertificate() const { |
| 105 #if defined(OS_CHROMEOS) |
| 106 policy::PolicyCertService* service = |
| 107 policy::PolicyCertServiceFactory::GetForProfile( |
| 108 Profile::FromBrowserContext(web_contents()->GetBrowserContext())); |
| 109 if (service && service->UsedPolicyCertificates()) |
| 110 return true; |
| 111 #endif |
| 112 return false; |
| 113 } |
| 114 |
| 115 security_state::MaliciousContentStatus |
| 116 SecurityStateTabHelper::GetMaliciousContentStatus() const { |
| 117 content::NavigationEntry* entry = |
| 118 web_contents()->GetController().GetVisibleEntry(); |
| 119 if (!entry) |
| 120 return security_state::MALICIOUS_CONTENT_STATUS_NONE; |
| 121 safe_browsing::SafeBrowsingService* sb_service = |
| 122 g_browser_process->safe_browsing_service(); |
| 123 if (!sb_service) |
| 124 return security_state::MALICIOUS_CONTENT_STATUS_NONE; |
| 125 scoped_refptr<SafeBrowsingUIManager> sb_ui_manager = sb_service->ui_manager(); |
| 126 safe_browsing::SBThreatType threat_type; |
| 127 if (sb_ui_manager->IsUrlWhitelistedOrPendingForWebContents( |
| 128 entry->GetURL(), false, entry, web_contents(), false, &threat_type)) { |
| 129 switch (threat_type) { |
| 130 case safe_browsing::SB_THREAT_TYPE_SAFE: |
| 131 break; |
| 132 case safe_browsing::SB_THREAT_TYPE_URL_PHISHING: |
| 133 case safe_browsing::SB_THREAT_TYPE_CLIENT_SIDE_PHISHING_URL: |
| 134 return security_state::MALICIOUS_CONTENT_STATUS_SOCIAL_ENGINEERING; |
| 135 break; |
| 136 case safe_browsing::SB_THREAT_TYPE_URL_MALWARE: |
| 137 case safe_browsing::SB_THREAT_TYPE_CLIENT_SIDE_MALWARE_URL: |
| 138 return security_state::MALICIOUS_CONTENT_STATUS_MALWARE; |
| 139 break; |
| 140 case safe_browsing::SB_THREAT_TYPE_URL_UNWANTED: |
| 141 return security_state::MALICIOUS_CONTENT_STATUS_UNWANTED_SOFTWARE; |
| 142 break; |
| 143 case safe_browsing::SB_THREAT_TYPE_BINARY_MALWARE_URL: |
| 144 case safe_browsing::SB_THREAT_TYPE_EXTENSION: |
| 145 case safe_browsing::SB_THREAT_TYPE_BLACKLISTED_RESOURCE: |
| 146 case safe_browsing::SB_THREAT_TYPE_API_ABUSE: |
| 147 // These threat types are not currently associated with |
| 148 // interstitials, and thus resources with these threat types are |
| 149 // not ever whitelisted or pending whitelisting. |
| 150 NOTREACHED(); |
| 151 break; |
| 152 } |
| 153 } |
| 154 return security_state::MALICIOUS_CONTENT_STATUS_NONE; |
| 155 } |
| 156 |
| 157 std::unique_ptr<security_state::VisibleSecurityState> |
| 158 SecurityStateTabHelper::GetVisibleSecurityState() const { |
| 159 auto state = security_state::GetVisibleSecurityState(web_contents()); |
| 160 |
| 161 // Malware status might already be known even if connection security |
| 162 // information is still being initialized, thus no need to check for that. |
| 163 state->malicious_content_status = GetMaliciousContentStatus(); |
| 164 |
| 165 return state; |
| 166 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2448943002:
Refactor SecurityStateModel/Clients for simplicity and reusability. (Closed)
