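--- a/components/security_state/core/security_state_unittest.cc
+++ b/components/security_state/core/security_state_unittest.cc
@@ -1,38 +1,44 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/security_state/core/security_state.h"
 
 #include <stdint.h>
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/memory/ptr_util.h"
 #include "base/test/histogram_tester.h"
 #include "components/security_state/core/switches.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace security_state {
 
 namespace {
 
 const char kHttpsUrl[] = "https://foo.test/";
 const char kHttpUrl[] = "http://foo.test/";
 
+// This list doesn't include data: URL, as data: URLs will be explicitly marked
+// as not secure.
+const char* const kPseudoUrls[] = {
+    "blob:http://test/some-guid", "filesystem:http://test/some-guid",
+};
+
 bool IsOriginSecure(const GURL& url) {
   return url == kHttpsUrl;
 }
 
 class TestSecurityStateHelper {
  public:
   TestSecurityStateHelper()
       : url_(kHttpsUrl),
         cert_(net::ImportCertFromFile(net::GetTestCertsDirectory(),
                                       "sha1_2016.pem")),
@@ -266,62 +272,109 @@
       switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
   TestSecurityStateHelper helper;
   helper.SetUrl(GURL(kHttpUrl));
   helper.set_displayed_password_field_on_http(true);
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_TRUE(security_info.displayed_password_field_on_http);
   EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
+// Tests that password fields cause the security level to be downgraded
+// to HTTP_SHOW_WARNING on pseudo URLs when the command-line switch is set.
+TEST(SecurityStateTest, PasswordFieldWarningOnPseudoUrls) {
+  base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+      switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    helper.set_displayed_password_field_on_http(true);
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_TRUE(security_info.displayed_password_field_on_http);
+    EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+  }
+}
+
 // Tests that credit card fields cause the security level to be downgraded
 // to HTTP_SHOW_WARNING when the command-line switch is set.
 TEST(SecurityStateTest, CreditCardFieldWarning) {
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
       switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
   TestSecurityStateHelper helper;
   helper.SetUrl(GURL(kHttpUrl));
   helper.set_displayed_credit_card_field_on_http(true);
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
   EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
+// Tests that credit card fields cause the security level to be downgraded
+// to HTTP_SHOW_WARNING on pseudo URLs when the command-line switch is set.
+TEST(SecurityStateTest, CreditCardFieldWarningOnPseudoUrls) {
+  base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+      switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    helper.set_displayed_credit_card_field_on_http(true);
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
+    EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+  }
+}
+
 // Tests that neither |displayed_password_field_on_http| nor
 // |displayed_credit_card_field_on_http| is set when the corresponding
 // VisibleSecurityState flags are not set.
 TEST(SecurityStateTest, PrivateUserDataNotSet) {
   TestSecurityStateHelper helper;
   helper.SetUrl(GURL(kHttpUrl));
   SecurityInfo security_info;
   helper.GetSecurityInfo(&security_info);
   EXPECT_FALSE(security_info.displayed_password_field_on_http);
   EXPECT_FALSE(security_info.displayed_credit_card_field_on_http);
   EXPECT_EQ(NONE, security_info.security_level);
 }
 
+// Tests that neither |displayed_password_field_on_http| nor
+// |displayed_credit_card_field_on_http| is set on pseudo URLs when the
+// corresponding VisibleSecurityState flags are not set.
+TEST(SecurityStateTest, PrivateUserDataNotSetOnPseudoUrls) {
+  for (const char* const url : kPseudoUrls) {
+    TestSecurityStateHelper helper;
+    helper.SetUrl(GURL(url));
+    SecurityInfo security_info;
+    helper.GetSecurityInfo(&security_info);
+    EXPECT_FALSE(security_info.displayed_password_field_on_http);
+    EXPECT_FALSE(security_info.displayed_credit_card_field_on_http);
+    EXPECT_EQ(NONE, security_info.security_level);
+  }
+}
+
 // Tests that SSL.MarkHttpAsStatus histogram is updated when security state is
 // computed for a page.
 TEST(SecurityStateTest, MarkHttpAsStatusHistogram) {
   const char* kHistogramName = "SSL.MarkHttpAsStatus";
   base::HistogramTester histograms;
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
       switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
   TestSecurityStateHelper helper;
   helper.SetUrl(GURL(kHttpUrl));
 
   // Ensure histogram recorded correctly when a non-secure password input is
   // found on the page.
   helper.set_displayed_password_field_on_http(true);
   SecurityInfo security_info;
   histograms.ExpectTotalCount(kHistogramName, 0);
   helper.GetSecurityInfo(&security_info);
   histograms.ExpectUniqueSample(kHistogramName, 2 /* HTTP_SHOW_WARNING */, 1);
 
   // Ensure histogram recorded correctly even without a password input.
   helper.set_displayed_password_field_on_http(false);
   helper.GetSecurityInfo(&security_info);
   histograms.ExpectUniqueSample(kHistogramName, 2 /* HTTP_SHOW_WARNING */, 2);
 }
 
 }  // namespace security_state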
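Review bot: The new pseudo-URL tests (PasswordFieldWarningOnPseudoUrls and CreditCardFieldWarningOnPseudoUrls) pass for a weaker reason than their comments claim: the `IsOriginSecure` stub at the top of the file only compares the whole URL against `kHttpsUrl`, so `blob:http://` and `filesystem:http://` are reported non-secure merely because they are not that exact string, and nothing verifies that the inner origin is what drives the downgrade. Add the complementary case, a `blob:https://`/`filesystem:https://` URL with a password or credit-card field that must stay at `NONE`, and have the stub derive secureness from the inner origin (for example through the URL's origin rather than whole-URL equality); as written, a regression that treated every pseudo URL as insecure would still pass. Inside each loop add `SCOPED_TRACE(url);` so a failing expectation names the offending URL instead of just the line. The `kMarkHttpAs` switch is appended to the process-wide command line in each test and never removed, so results could depend on test ordering; a scoped command-line fixture, if the tree provides one, would isolate them.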