Show form not secure warnings for blob and filesystem URLs.

components/security_state/core/security_state_unittest.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/security_state/core/security_state.h"
 
 #include <stdint.h>
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/memory/ptr_util.h"
 #include "base/test/histogram_tester.h"
 #include "components/security_state/core/switches.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace security_state {
 
 namespace {
 
 const char kHttpsUrl[] = "https://foo.test/";
 const char kHttpUrl[] = "http://foo.test/";
 
+const char* const kPseudoUrls[] = {
+    "data:text/html,<html>test</html>", "blob:http://test/some-guid",
+    "filesystem:http://test/some-guid",
+};
+
 bool IsOriginSecure(const GURL& url) {
   return url == kHttpsUrl;
 }
 
 class TestSecurityStateHelper {
  public:
   TestSecurityStateHelper()
       : url_(kHttpsUrl),
+        cert_(net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                                      "sha1_2016.pem")),
         connection_status_(net::SSL_CONNECTION_VERSION_TLS1_2
                            << net::SSL_CONNECTION_VERSION_SHIFT),
         cert_status_(net::CERT_STATUS_SHA1_SIGNATURE_PRESENT),
         displayed_mixed_content_(false),
         ran_mixed_content_(false),
         malicious_content_status_(MALICIOUS_CONTENT_STATUS_NONE),
         displayed_password_field_on_http_(false),
-        displayed_credit_card_field_on_http_(false) {
-    cert_ =
-        net::ImportCertFromFile(net::GetTestCertsDirectory(), "sha1_2016.pem");
-  }
+        displayed_credit_card_field_on_http_(false) {}
   virtual ~TestSecurityStateHelper() {}
 
   void set_connection_status(int connection_status) {
     connection_status_ = connection_status;
   }
   void SetCipherSuite(uint16_t ciphersuite) {
     net::SSLConnectionStatusSetCipherSuite(ciphersuite, &connection_status_);
   }
   void AddCertStatus(net::CertStatus cert_status) {
     cert_status_ |= cert_status;
@@ skipping 10 matching lines @@
   }
   void set_displayed_password_field_on_http(
       bool displayed_password_field_on_http) {
     displayed_password_field_on_http_ = displayed_password_field_on_http;
   }
   void set_displayed_credit_card_field_on_http(
       bool displayed_credit_card_field_on_http) {
     displayed_credit_card_field_on_http_ = displayed_credit_card_field_on_http;
   }
 
-  void UseHttpUrl() { url_ = GURL(kHttpUrl); }
+  void SetUrl(const GURL& url) { url_ = url; }
 
-  std::unique_ptr<VisibleSecurityState> GetVisibleSecurityState() {
+  std::unique_ptr<VisibleSecurityState> GetVisibleSecurityState() const {
     auto state = base::MakeUnique<VisibleSecurityState>();
     state->connection_info_initialized = true;
     state->url = url_;
     state->certificate = cert_;
     state->cert_status = cert_status_;
     state->connection_status = connection_status_;
     state->security_bits = 256;
     state->displayed_mixed_content = displayed_mixed_content_;
     state->ran_mixed_content = ran_mixed_content_;
     state->malicious_content_status = malicious_content_status_;
     state->displayed_password_field_on_http = displayed_password_field_on_http_;
     state->displayed_credit_card_field_on_http =
         displayed_credit_card_field_on_http_;
     return state;
   }
 
-  void GetSecurityInfo(SecurityInfo* security_info) {
+  void GetSecurityInfo(SecurityInfo* security_info) const {

[estark, 2017/01/19 22:42:51]

thanks :)

[meacer, 2017/01/20 00:06:26]

You're welcome :)

     security_state::GetSecurityInfo(
         GetVisibleSecurityState(),
         false /* used policy installed certificate */,
         base::Bind(&IsOriginSecure), security_info);
   }
 
  private:
   GURL url_;
-  scoped_refptr<net::X509Certificate> cert_;
+  const scoped_refptr<net::X509Certificate> cert_;
   int connection_status_;
   net::CertStatus cert_status_;
   bool displayed_mixed_content_;
   bool ran_mixed_content_;
   MaliciousContentStatus malicious_content_status_;
   bool displayed_password_field_on_http_;
   bool displayed_credit_card_field_on_http_;
 };
 
 }  // namespace
@@ skipping 128 matching lines @@
             security_info.malicious_content_status);
   EXPECT_EQ(DANGEROUS, security_info.security_level);
 }
 
 // Tests that password fields cause the security level to be downgraded
 // to HTTP_SHOW_WARNING when the command-line switch is set.
 TEST(SecurityStateTest, PasswordFieldWarning) {
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
       switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
   TestSecurityStateHelper helper;
-  helper.UseHttpUrl();
+  helper.SetUrl(GURL(kHttpUrl));
   helper.set_displayed_password_field_on_http(true);
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_TRUE(security_info.displayed_password_field_on_http);
   EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
+// Tests that password fields cause the security level to be downgraded
+// to HTTP_SHOW_WARNING on pseudo URLs when the command-line switch is set.
+TEST(SecurityStateTest, PasswordFieldWarningOnPseudoUrls) {
+  base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+      switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    helper.set_displayed_password_field_on_http(true);
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_TRUE(security_info.displayed_password_field_on_http);
+    EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+  }
+}
+
 // Tests that credit card fields cause the security level to be downgraded
 // to HTTP_SHOW_WARNING when the command-line switch is set.
 TEST(SecurityStateTest, CreditCardFieldWarning) {
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
       switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
   TestSecurityStateHelper helper;
-  helper.UseHttpUrl();
+  helper.SetUrl(GURL(kHttpUrl));
   helper.set_displayed_credit_card_field_on_http(true);
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
   EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
+// Tests that credit card fields cause the security level to be downgraded
+// to HTTP_SHOW_WARNING on pseudo URLs when the command-line switch is set.
+TEST(SecurityStateTest, CreditCardFieldWarningOnPseudoUrls) {
+  base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+      switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    helper.set_displayed_credit_card_field_on_http(true);
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
+    EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+  }
+}
+
 // Tests that neither password nor credit fields cause the security
 // level to be downgraded to HTTP_SHOW_WARNING when the command-line switch
 // is NOT set.
 TEST(SecurityStateTest, HttpWarningNotSetWithoutSwitch) {
   TestSecurityStateHelper helper;
-  helper.UseHttpUrl();
+  helper.SetUrl(GURL(kHttpUrl));
   helper.set_displayed_password_field_on_http(true);
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_TRUE(security_info.displayed_password_field_on_http);
   EXPECT_EQ(NONE, security_info.security_level);
 
   helper.set_displayed_credit_card_field_on_http(true);
   helper.GetSecurityInfo(&security_info);
   EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
   EXPECT_EQ(NONE, security_info.security_level);
 }
 
+// Tests that neither password nor credit fields cause the security
+// level to be downgraded to HTTP_SHOW_WARNING on pseudo URLs when the
+// command-line switch is NOT set.

[estark, 2017/01/19 22:42:51]

This will probably conflict with https://codereview.chromium.org/2635423002/
which is in the CQ and enables HTTP-bad by default for all platforms but iOS. In
that CL I removed the tests of this nature (tests that test what happens when
the flag is not set) so you could probably just remove this one too.

[meacer, 2017/01/20 00:06:26]

Thanks for the heads up. I'll wait for that CL to land and then rebase this.

+TEST(SecurityStateTest, HttpWarningNotSetWithoutSwitchOnPseudoUrls) {
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    helper.set_displayed_password_field_on_http(true);
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_TRUE(security_info.displayed_password_field_on_http);
+    EXPECT_EQ(NONE, security_info.security_level);
+
+    helper.set_displayed_credit_card_field_on_http(true);
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
+    EXPECT_EQ(NONE, security_info.security_level);
+  }
+}
+
 // Tests that neither |displayed_password_field_on_http| nor
 // |displayed_credit_card_field_on_http| is set when the corresponding
 // VisibleSecurityState flags are not set.
 TEST(SecurityStateTest, PrivateUserDataNotSet) {
   TestSecurityStateHelper helper;
-  helper.UseHttpUrl();
+  helper.SetUrl(GURL(kHttpUrl));
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_FALSE(security_info.displayed_password_field_on_http);
   EXPECT_FALSE(security_info.displayed_credit_card_field_on_http);
   EXPECT_EQ(NONE, security_info.security_level);
 }
 
+// Tests that neither |displayed_password_field_on_http| nor
+// |displayed_credit_card_field_on_http| is set on pseudo URLs when the
+// corresponding VisibleSecurityState flags are not set.
+TEST(SecurityStateTest, PrivateUserDataNotSetOnPseudoUrls) {
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_FALSE(security_info.displayed_password_field_on_http);
+    EXPECT_FALSE(security_info.displayed_credit_card_field_on_http);
+    EXPECT_EQ(NONE, security_info.security_level);
+  }
+}
+
 // Tests that SSL.MarkHttpAsStatus histogram is updated when security state is
 // computed for a page.
 TEST(SecurityStateTest, MarkHttpAsStatusHistogram) {
   const char* kHistogramName = "SSL.MarkHttpAsStatus";
   base::HistogramTester histograms;
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
       switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
   TestSecurityStateHelper helper;
-  helper.UseHttpUrl();
+  helper.SetUrl(GURL(kHttpUrl));
 
   // Ensure histogram recorded correctly when a non-secure password input is
   // found on the page.
   helper.set_displayed_password_field_on_http(true);
   SecurityInfo security_info;
   histograms.ExpectTotalCount(kHistogramName, 0);
   helper.GetSecurityInfo(&security_info);
   histograms.ExpectUniqueSample(kHistogramName, 2 /* HTTP_SHOW_WARNING */, 1);
 
   // Ensure histogram recorded correctly even without a password input.
   helper.set_displayed_password_field_on_http(false);
   helper.GetSecurityInfo(&security_info);
   histograms.ExpectUniqueSample(kHistogramName, 2 /* HTTP_SHOW_WARNING */, 2);
 }
 
 }  // namespace security_state