Chromium Code Reviews Chromium Code Reviews
Issue 2643083003:
Show form not secure warnings for blob and filesystem URLs. (Closed)
| Index: chrome/browser/ssl/security_state_tab_helper_browser_tests.cc |
| diff --git a/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc b/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc |
| index cf2101d1aea1a9f60342ebfcd4a8fbb2e28c4ad9..2079b303df3e9baf6b2690611d7c3292b32c67b6 100644 |
| --- a/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc |
| +++ b/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc |
| @@ -955,6 +955,119 @@ IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, |
| content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); |
| } |
| +// Tests that when a visible password field is detected on a data URL, and when |
|
estark
2017/01/19 22:42:51
Could you add one more test case that data URLs *w
meacer
2017/01/20 00:06:26
Done for all urls. Refactored a bit as well.
|
| +// the command-line flag is set, the security level is downgraded to |
| +// HTTP_SHOW_WARNING. |
| +IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, |
| + PasswordSecurityLevelDowngradedOnDataUrl) { |
| + content::WebContents* contents = |
| + browser()->tab_strip_model()->GetActiveWebContents(); |
| + ASSERT_TRUE(contents); |
| + |
| + SecurityStateTabHelper* helper = |
| + SecurityStateTabHelper::FromWebContents(contents); |
| + ASSERT_TRUE(helper); |
| + |
| + ui_test_utils::NavigateToURL( |
| + browser(), |
| + GURL("data:text/html,<html><form><input type=password></form></html>")); |
| + InjectScript(contents); |
| + security_state::SecurityInfo security_info; |
| + helper->GetSecurityInfo(&security_info); |
| + EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); |
| + |
| + content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); |
| + ASSERT_TRUE(entry); |
| + EXPECT_TRUE(entry->GetSSL().content_status & |
| + content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); |
| +} |
| + |
| +// Tests that when a visible password field is detected on a blob URL, and when |
| +// the command-line flag is set, the security level is downgraded to |
| +// HTTP_SHOW_WARNING. |
| +IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, |
| + PasswordSecurityLevelDowngradedOnBlobUrl) { |
| + content::WebContents* contents = |
| + browser()->tab_strip_model()->GetActiveWebContents(); |
| + ASSERT_TRUE(contents); |
| + |
| + SecurityStateTabHelper* helper = |
| + SecurityStateTabHelper::FromWebContents(contents); |
| + ASSERT_TRUE(helper); |
| + |
| + ui_test_utils::NavigateToURL( |
| + browser(), |
| + GetURLWithNonLocalHostname(embedded_test_server(), "empty.html")); |
| + |
| + // Create a blob URL and navigate to it. |
| + std::string blob_url; |
| + EXPECT_TRUE(content::ExecuteScriptAndExtractString( |
| + contents, |
| + "var blob = new Blob(['<html><form><input type=password></form></html>']," |
| + " {type: 'text/html'});" |
| + "window.domAutomationController.send(URL.createObjectURL(blob));", |
| + &blob_url)); |
| + EXPECT_TRUE(GURL(blob_url).SchemeIs("blob")); |
| + |
| + ui_test_utils::NavigateToURL(browser(), GURL(blob_url)); |
| + InjectScript(contents); |
| + security_state::SecurityInfo security_info; |
| + helper->GetSecurityInfo(&security_info); |
| + EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); |
| + |
| + content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); |
| + ASSERT_TRUE(entry); |
| + EXPECT_TRUE(entry->GetSSL().content_status & |
| + content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); |
| +} |
| + |
| +// Same as above, but instead of a blob URL, this creates a filesystem URL. |
|
estark
2017/01/19 22:42:51
nit: instead of "above", use the name of the test
meacer
2017/01/20 00:06:26
Done.
|
| +IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithPasswordCcSwitch, |
| + PasswordSecurityLevelDowngradedOnFilesystemUrl) { |
| + content::WebContents* contents = |
| + browser()->tab_strip_model()->GetActiveWebContents(); |
| + ASSERT_TRUE(contents); |
| + |
| + SecurityStateTabHelper* helper = |
| + SecurityStateTabHelper::FromWebContents(contents); |
| + ASSERT_TRUE(helper); |
| + |
| + ui_test_utils::NavigateToURL( |
| + browser(), |
| + GetURLWithNonLocalHostname(embedded_test_server(), "empty.html")); |
| + |
| + // Create a filesystem URL and navigate to it. |
| + std::string filesystem_url; |
| + EXPECT_TRUE(content::ExecuteScriptAndExtractString( |
| + contents, |
| + "window.webkitRequestFileSystem(window.TEMPORARY, 4096, function(fs) {" |
| + " fs.root.getFile('test.html', {create: true}, function(fileEntry) {" |
| + " fileEntry.createWriter(function(writer) {" |
| + " writer.onwriteend = function(e) {" |
| + " window.domAutomationController.send(fileEntry.toURL());" |
| + " };" |
| + " var blob =" |
| + " new Blob(['<html><form><input type=password></form></html>']," |
| + " {type: 'text/html'});" |
| + " writer.write(blob);" |
| + " });" |
| + " });" |
| + "});", |
| + &filesystem_url)); |
| + EXPECT_TRUE(GURL(filesystem_url).SchemeIs("filesystem")); |
| + |
| + ui_test_utils::NavigateToURL(browser(), GURL(filesystem_url)); |
| + InjectScript(contents); |
| + security_state::SecurityInfo security_info; |
| + helper->GetSecurityInfo(&security_info); |
| + EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level); |
| + |
| + content::NavigationEntry* entry = contents->GetController().GetVisibleEntry(); |
| + ASSERT_TRUE(entry); |
| + EXPECT_TRUE(entry->GetSSL().content_status & |
| + content::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP); |
| +} |
| + |
| // Tests that when an invisible password field is present on an HTTP page |
| // load, and when the command-line flag is set, the security level is |
| // *not* downgraded to HTTP_SHOW_WARNING. |
