| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/security_state_tab_helper.h" | 5 #include "chrome/browser/ssl/security_state_tab_helper.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
| 9 #include "base/macros.h" | 9 #include "base/macros.h" |
| 10 #include "base/strings/string_split.h" | 10 #include "base/strings/string_split.h" |
| (...skipping 937 matching lines...) | |
| 948 security_state::SecurityInfo security_info; | 948 security_state::SecurityInfo security_info; |
| 949 helper->GetSecurityInfo(&security_info); | 949 helper->GetSecurityInfo(&security_info); |
| 950 EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); | 950 EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); |
| 951 | 951 |
| 952 content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); | 952 content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); |
| 953 ASSERT_TRUE(entry); | 953 ASSERT_TRUE(entry); |
| 954 EXPECT_TRUE(entry->GetSSL().content_status & | 954 EXPECT_TRUE(entry->GetSSL().content_status & |
| 955 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); | 955 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); |
| 956 } | 956 } |
| 957 | 957 |
| 958 // Tests that when a visible password field is detected on a data URL, and when | |
|
estark
2017/01/19 22:42:51
Could you add one more test case that data URLs *w
meacer
2017/01/20 00:06:26
Done for all urls. Refactored a bit as well.
| |
| 959 // the command-line flag is set, the security level is downgraded to | |
| 960 // HTTP_SHOW_WARNING. | |
| 961 IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, | |
| 962 PasswordSecurityLevelDowngradedOnDataUrl) { | |
| 963 content::WebContents* contents = | |
| 964 browser()->tab_strip_model()->GetActiveWebContents(); | |
| 965 ASSERT_TRUE(contents); | |
| 966 | |
| 967 SecurityStateTabHelper* helper = | |
| 968 SecurityStateTabHelper::FromWebContents(contents); | |
| 969 ASSERT_TRUE(helper); | |
| 970 | |
| 971 ui_test_utils::NavigateToURL( | |
| 972 browser(), | |
| 973 GURL("data:text/html,<html><form><input type=password></form></html>")); | |
| 974 InjectScript(contents); | |
| 975 security_state::SecurityInfo security_info; | |
| 976 helper->GetSecurityInfo(&security_info); | |
| 977 EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); | |
| 978 | |
| 979 content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); | |
| 980 ASSERT_TRUE(entry); | |
| 981 EXPECT_TRUE(entry->GetSSL().content_status & | |
| 982 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); | |
| 983 } | |
| 984 | |
| 985 // Tests that when a visible password field is detected on a blob URL, and when | |
| 986 // the command-line flag is set, the security level is downgraded to | |
| 987 // HTTP_SHOW_WARNING. | |
| 988 IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, | |
| 989 PasswordSecurityLevelDowngradedOnBlobUrl) { | |
| 990 content::WebContents* contents = | |
| 991 browser()->tab_strip_model()->GetActiveWebContents(); | |
| 992 ASSERT_TRUE(contents); | |
| 993 | |
| 994 SecurityStateTabHelper* helper = | |
| 995 SecurityStateTabHelper::FromWebContents(contents); | |
| 996 ASSERT_TRUE(helper); | |
| 997 | |
| 998 ui_test_utils::NavigateToURL( | |
| 999 browser(), | |
| 1000 GetURLWithNonLocalHostname(embedded_test_server(), "empty.html")); | |
| 1001 | |
| 1002 // Create a blob URL and navigate to it. | |
| 1003 std::string blob_url; | |
| 1004 EXPECT_TRUE(content::ExecuteScriptAndExtractString( | |
| 1005 contents, | |
| 1006 "var blob = new Blob(['<html><form><input type=password></form></html>']," | |
| 1007 " {type: 'text/html'});" | |
| 1008 "window.domAutomationController.send(URL.createObjectURL(blob));", | |
| 1009 &blob_url)); | |
| 1010 EXPECT_TRUE(GURL(blob_url).SchemeIs("blob")); | |
| 1011 | |
| 1012 ui_test_utils::NavigateToURL(browser(), GURL(blob_url)); | |
| 1013 InjectScript(contents); | |
| 1014 security_state::SecurityInfo security_info; | |
| 1015 helper->GetSecurityInfo(&security_info); | |
| 1016 EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); | |
| 1017 | |
| 1018 content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); | |
| 1019 ASSERT_TRUE(entry); | |
| 1020 EXPECT_TRUE(entry->GetSSL().content_status & | |
| 1021 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); | |
| 1022 } | |
| 1023 | |
| 1024 // Same as above, but instead of a blob URL, this creates a filesystem URL. | |
|
estark
2017/01/19 22:42:51
nit: instead of "above", use the name of the test
meacer
2017/01/20 00:06:26
Done.
| |
| 1025 IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, | |
| 1026 PasswordSecurityLevelDowngradedOnFilesystemUrl) { | |
| 1027 content::WebContents* contents = | |
| 1028 browser()->tab_strip_model()->GetActiveWebContents(); | |
| 1029 ASSERT_TRUE(contents); | |
| 1030 | |
| 1031 SecurityStateTabHelper* helper = | |
| 1032 SecurityStateTabHelper::FromWebContents(contents); | |
| 1033 ASSERT_TRUE(helper); | |
| 1034 | |
| 1035 ui_test_utils::NavigateToURL( | |
| 1036 browser(), | |
| 1037 GetURLWithNonLocalHostname(embedded_test_server(), "empty.html")); | |
| 1038 | |
| 1039 // Create a filesystem URL and navigate to it. | |
| 1040 std::string filesystem_url; | |
| 1041 EXPECT_TRUE(content::ExecuteScriptAndExtractString( | |
| 1042 contents, | |
| 1043 "window.webkitRequestFileSystem(window.TEMPORARY, 4096, function(fs) {" | |
| 1044 " fs.root.getFile('test.html', {create: true}, function(fileEntry) {" | |
| 1045 " fileEntry.createWriter(function(writer) {" | |
| 1046 " writer.onwriteend = function(e) {" | |
| 1047 " window.domAutomationController.send(fileEntry.toURL());" | |
| 1048 " };" | |
| 1049 " var blob =" | |
| 1050 " new Blob(['<html><form><input type=password></form></html>']," | |
| 1051 " {type: 'text/html'});" | |
| 1052 " writer.write(blob);" | |
| 1053 " });" | |
| 1054 " });" | |
| 1055 "});", | |
| 1056 &filesystem_url)); | |
| 1057 EXPECT_TRUE(GURL(filesystem_url).SchemeIs("filesystem")); | |
| 1058 | |
| 1059 ui_test_utils::NavigateToURL(browser(), GURL(filesystem_url)); | |
| 1060 InjectScript(contents); | |
| 1061 security_state::SecurityInfo security_info; | |
| 1062 helper->GetSecurityInfo(&security_info); | |
| 1063 EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); | |
| 1064 | |
| 1065 content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); | |
| 1066 ASSERT_TRUE(entry); | |
| 1067 EXPECT_TRUE(entry->GetSSL().content_status & | |
| 1068 content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); | |
| 1069 } | |
| 1070 | |
| 958 // Tests that when an invisible password field is present on an HTTP page | 1071 // Tests that when an invisible password field is present on an HTTP page |
| 959 // load, and when the command-line flag is set, the security level is | 1072 // load, and when the command-line flag is set, the security level is |
| 960 // *not* downgraded to HTTP_SHOW_WARNING. | 1073 // *not* downgraded to HTTP_SHOW_WARNING. |
| 961 IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, | 1074 IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, |
| 962 PasswordSecurityLevelNotDowngradedForInvisibleInput) { | 1075 PasswordSecurityLevelNotDowngradedForInvisibleInput) { |
| 963 content::WebContents* contents = | 1076 content::WebContents* contents = |
| 964 browser()->tab_strip_model()->GetActiveWebContents(); | 1077 browser()->tab_strip_model()->GetActiveWebContents(); |
| 965 ASSERT_TRUE(contents); | 1078 ASSERT_TRUE(contents); |
| 966 | 1079 |
| 967 SecurityStateTabHelper* helper = | 1080 SecurityStateTabHelper* helper = |
| (...skipping 1086 matching lines...) | |
| 2054 SecurityStateTabHelper* helper = | 2167 SecurityStateTabHelper* helper = |
| 2055 SecurityStateTabHelper::FromWebContents(web_contents); | 2168 SecurityStateTabHelper::FromWebContents(web_contents); |
| 2056 ASSERT_TRUE(helper); | 2169 ASSERT_TRUE(helper); |
| 2057 security_state::SecurityInfo security_info; | 2170 security_state::SecurityInfo security_info; |
| 2058 helper->GetSecurityInfo(&security_info); | 2171 helper->GetSecurityInfo(&security_info); |
| 2059 EXPECT_EQ(security_state::SECURE, security_info.security_level); | 2172 EXPECT_EQ(security_state::SECURE, security_info.security_level); |
| 2060 EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses); | 2173 EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses); |
| 2061 } | 2174 } |
| 2062 | 2175 |
| 2063 } // namespace | 2176 } // namespace |
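Review bot: In PasswordSecurityLevelDowngradedOnBlobUrl and PasswordSecurityLevelDowngradedOnFilesystemUrl the steps that produce the URL are checked with EXPECT_TRUE, so if the script fails or returns something that is not a blob:/filesystem: URL, the test still navigates to it and the later security-level failures obscure the real cause. These setup checks should stop the test: `ASSERT_TRUE(content::ExecuteScriptAndExtractString(...));` and `ASSERT_TRUE(GURL(blob_url).SchemeIs("blob"));`, and likewise for `filesystem_url`. The filesystem script also passes no error callbacks to `webkitRequestFileSystem`, `getFile` or `createWriter`, so a quota or write failure would presumably never reach `domAutomationController.send` and the test would end in a timeout; an error callback that sends an empty string would make it fail at the scheme assertion instead. The blob and filesystem URLs are both created from a page served by `embedded_test_server()`, so a short comment on whether the warning is meant to apply regardless of the creating origin's scheme would make the intended policy explicit.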