
Unified Diff: components/security_state/core/security_state_unittest.cc

Issue 2643083003: Show form not secure warnings for blob and filesystem URLs. (Closed)
Patch Set: Created 3 years, 11 months ago
Index: components/security_state/core/security_state_unittest.cc
diff --git a/components/security_state/core/security_state_unittest.cc b/components/security_state/core/security_state_unittest.cc
index f6a899cf4491611c51cfea36038bff00111226ea..07de5d8eba2c9e21c8d189dbe1cb2559a16e8136 100644
--- a/components/security_state/core/security_state_unittest.cc
+++ b/components/security_state/core/security_state_unittest.cc
@@ -26,6 +26,11 @@ namespace {
const char kHttpsUrl[] = "https://foo.test/";
const char kHttpUrl[] = "http://foo.test/";
+const char* const kPseudoUrls[] = {
+ "data:text/html,<html>test</html>", "blob:http://test/some-guid",
+ "filesystem:http://test/some-guid",
+};
+
bool IsOriginSecure(const GURL& url) {
return url == kHttpsUrl;
}
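Review bot: `kPseudoUrls` has no comment saying what its entries have in common, and both the blob: and filesystem: entries wrap an http origin, so the new tests only exercise the non-secure side. I would add `// Pseudo URLs that are not secure contexts: a data: URL, and blob:/filesystem: URLs whose inner origin is http.` above the array. A counterpart case wrapping an https origin, expected not to reach `HTTP_SHOW_WARNING`, would pin the other direction, so that a later refactor cannot turn the warning into a blanket scheme match unnoticed. The stub `IsOriginSecure` in the context lines matches only `kHttpsUrl` exactly, so such a case may need the stub adjusted; that depends on production code this page does not show.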
@@ -34,6 +39,8 @@ class TestSecurityStateHelper {
public:
TestSecurityStateHelper()
: url_(kHttpsUrl),
+ cert_(net::ImportCertFromFile(net::GetTestCertsDirectory(),
+ "sha1_2016.pem")),
connection_status_(net::SSL_CONNECTION_VERSION_TLS1_2
<< net::SSL_CONNECTION_VERSION_SHIFT),
cert_status_(net::CERT_STATUS_SHA1_SIGNATURE_PRESENT),
@@ -41,10 +48,7 @@ class TestSecurityStateHelper {
ran_mixed_content_(false),
malicious_content_status_(MALICIOUS_CONTENT_STATUS_NONE),
displayed_password_field_on_http_(false),
- displayed_credit_card_field_on_http_(false) {
- cert_ =
- net::ImportCertFromFile(net::GetTestCertsDirectory(), "sha1_2016.pem");
- }
+ displayed_credit_card_field_on_http_(false) {}
virtual ~TestSecurityStateHelper() {}
void set_connection_status(int connection_status) {
@@ -75,9 +79,9 @@ class TestSecurityStateHelper {
displayed_credit_card_field_on_http_ = displayed_credit_card_field_on_http;
}
- void UseHttpUrl() { url_ = GURL(kHttpUrl); }
+ void SetUrl(const GURL& url) { url_ = url; }
- std::unique_ptr<VisibleSecurityState> GetVisibleSecurityState() {
+ std::unique_ptr<VisibleSecurityState> GetVisibleSecurityState() const {
auto state = base::MakeUnique<VisibleSecurityState>();
state->connection_info_initialized = true;
state->url = url_;
@@ -94,7 +98,7 @@ class TestSecurityStateHelper {
return state;
}
- void GetSecurityInfo(SecurityInfo* security_info) {
+ void GetSecurityInfo(SecurityInfo* security_info) const {
estark 2017/01/19 22:42:51 thanks :)
meacer 2017/01/20 00:06:26 You're welcome :)
security_state::GetSecurityInfo(
GetVisibleSecurityState(),
false /* used policy installed certificate */,
@@ -103,7 +107,7 @@ class TestSecurityStateHelper {
private:
GURL url_;
- scoped_refptr<net::X509Certificate> cert_;
+ const scoped_refptr<net::X509Certificate> cert_;
int connection_status_;
net::CertStatus cert_status_;
bool displayed_mixed_content_;
@@ -252,7 +256,7 @@ TEST(SecurityStateTest, PasswordFieldWarning) {
base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
TestSecurityStateHelper helper;
- helper.UseHttpUrl();
+ helper.SetUrl(GURL(kHttpUrl));
helper.set_displayed_password_field_on_http(true);
SecurityInfo security_info;
helper.GetSecurityInfo(&security_info);
@@ -260,13 +264,29 @@ TEST(SecurityStateTest, PasswordFieldWarning) {
EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
}
+// Tests that password fields cause the security level to be downgraded
+// to HTTP_SHOW_WARNING on pseudo URLs when the command-line switch is set.
+TEST(SecurityStateTest, PasswordFieldWarningOnPseudoUrls) {
+ base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+ switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
+ for (const char* const url : kPseudoUrls) {
+ TestSecurityStateHelper helper;
+ helper.SetUrl(GURL(url));
+ helper.set_displayed_password_field_on_http(true);
+ SecurityInfo security_info;
+ helper.GetSecurityInfo(&security_info);
+ EXPECT_TRUE(security_info.displayed_password_field_on_http);
+ EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+ }
+}
+
// Tests that credit card fields cause the security level to be downgraded
// to HTTP_SHOW_WARNING when the command-line switch is set.
TEST(SecurityStateTest, CreditCardFieldWarning) {
base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
TestSecurityStateHelper helper;
- helper.UseHttpUrl();
+ helper.SetUrl(GURL(kHttpUrl));
helper.set_displayed_credit_card_field_on_http(true);
SecurityInfo security_info;
helper.GetSecurityInfo(&security_info);
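Review bot: The loop in `PasswordFieldWarningOnPseudoUrls` runs the same two expectations for every entry of `kPseudoUrls`, so a failure reports only the line number and not which URL scheme lost its warning. Adding `SCOPED_TRACE(url);` as the first statement of the loop body makes gtest print the URL with each failure. The same applies to the loops in `CreditCardFieldWarningOnPseudoUrls`, `HttpWarningNotSetWithoutSwitchOnPseudoUrls` and `PrivateUserDataNotSetOnPseudoUrls` in the later hunks.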
@@ -274,12 +294,28 @@ TEST(SecurityStateTest, CreditCardFieldWarning) {
EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
}
+// Tests that credit card fields cause the security level to be downgraded
+// to HTTP_SHOW_WARNING on pseudo URLs when the command-line switch is set.
+TEST(SecurityStateTest, CreditCardFieldWarningOnPseudoUrls) {
+ base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+ switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
+ for (const char* const url : kPseudoUrls) {
+ TestSecurityStateHelper helper;
+ helper.SetUrl(GURL(url));
+ helper.set_displayed_credit_card_field_on_http(true);
+ SecurityInfo security_info;
+ helper.GetSecurityInfo(&security_info);
+ EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
+ EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+ }
+}
+
// Tests that neither password nor credit fields cause the security
// level to be downgraded to HTTP_SHOW_WARNING when the command-line switch
// is NOT set.
TEST(SecurityStateTest, HttpWarningNotSetWithoutSwitch) {
TestSecurityStateHelper helper;
- helper.UseHttpUrl();
+ helper.SetUrl(GURL(kHttpUrl));
helper.set_displayed_password_field_on_http(true);
SecurityInfo security_info;
helper.GetSecurityInfo(&security_info);
@@ -292,12 +328,32 @@ TEST(SecurityStateTest, HttpWarningNotSetWithoutSwitch) {
EXPECT_EQ(NONE, security_info.security_level);
}
+// Tests that neither password nor credit fields cause the security
+// level to be downgraded to HTTP_SHOW_WARNING on pseudo URLs when the
+// command-line switch is NOT set.
estark 2017/01/19 22:42:51 This will probably conflict with https://coderevie
meacer 2017/01/20 00:06:26 Thanks for the heads up. I'll wait for that CL to
+TEST(SecurityStateTest, HttpWarningNotSetWithoutSwitchOnPseudoUrls) {
+ for (const char* const url : kPseudoUrls) {
+ TestSecurityStateHelper helper;
+ helper.SetUrl(GURL(url));
+ helper.set_displayed_password_field_on_http(true);
+ SecurityInfo security_info;
+ helper.GetSecurityInfo(&security_info);
+ EXPECT_TRUE(security_info.displayed_password_field_on_http);
+ EXPECT_EQ(NONE, security_info.security_level);
+
+ helper.set_displayed_credit_card_field_on_http(true);
+ helper.GetSecurityInfo(&security_info);
+ EXPECT_TRUE(security_info.displayed_credit_card_field_on_http);
+ EXPECT_EQ(NONE, security_info.security_level);
+ }
+}
+
// Tests that neither |displayed_password_field_on_http| nor
// |displayed_credit_card_field_on_http| is set when the corresponding
// VisibleSecurityState flags are not set.
TEST(SecurityStateTest, PrivateUserDataNotSet) {
TestSecurityStateHelper helper;
- helper.UseHttpUrl();
+ helper.SetUrl(GURL(kHttpUrl));
SecurityInfo security_info;
helper.GetSecurityInfo(&security_info);
EXPECT_FALSE(security_info.displayed_password_field_on_http);
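Review bot: `HttpWarningNotSetWithoutSwitchOnPseudoUrls` expects `NONE` only while `switches::kMarkHttpAs` is absent, yet the tests added earlier in this patch append that switch to `base::CommandLine::ForCurrentProcess()` and nothing visible removes it. If the harness does not reset the process command line between tests, the outcome depends on test order. Declaring `base::test::ScopedCommandLine scoped_command_line;` in the switch-setting tests and appending through `scoped_command_line.GetProcessCommandLine()` would confine the switch to each test, assuming that helper is available in this tree. Inside the loop, the credit-card step reuses `helper` and `security_info` from the password step, so a fresh `SecurityInfo` for the second `GetSecurityInfo` call would keep the two checks independent.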
@@ -305,6 +361,21 @@ TEST(SecurityStateTest, PrivateUserDataNotSet) {
EXPECT_EQ(NONE, security_info.security_level);
}
+// Tests that neither |displayed_password_field_on_http| nor
+// |displayed_credit_card_field_on_http| is set on pseudo URLs when the
+// corresponding VisibleSecurityState flags are not set.
+TEST(SecurityStateTest, PrivateUserDataNotSetOnPseudoUrls) {
+ for (const char* const url : kPseudoUrls) {
+ TestSecurityStateHelper helper;
+ helper.SetUrl(GURL(url));
+ SecurityInfo security_info;
+ helper.GetSecurityInfo(&security_info);
+ EXPECT_FALSE(security_info.displayed_password_field_on_http);
+ EXPECT_FALSE(security_info.displayed_credit_card_field_on_http);
+ EXPECT_EQ(NONE, security_info.security_level);
+ }
+}
+
// Tests that SSL.MarkHttpAsStatus histogram is updated when security state is
// computed for a page.
TEST(SecurityStateTest, MarkHttpAsStatusHistogram) {
@@ -313,7 +384,7 @@ TEST(SecurityStateTest, MarkHttpAsStatusHistogram) {
base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
switches::kMarkHttpAs, switches::kMarkHttpWithPasswordsOrCcWithChip);
TestSecurityStateHelper helper;
- helper.UseHttpUrl();
+ helper.SetUrl(GURL(kHttpUrl));
// Ensure histogram recorded correctly when a non-secure password input is
// found on the page.
