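--- a/components/security_state/core/security_state.cc
+++ b/components/security_state/core/security_state.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/security_state/core/security_state.h"
 
 #include <stdint.h>
 
 #include "base/command_line.h"
 #include "base/metrics/field_trial.h"
@@ -125,20 +125,26 @@
 bool is_cryptographic_with_certificate =
 (url.SchemeIsCryptographic() && visible_security_state.certificate);
 
 // Set the security level to DANGEROUS for major certificate errors.
 if (is_cryptographic_with_certificate &&
 net::IsCertStatusError(visible_security_state.cert_status) &&
 !net::IsCertStatusMinorError(visible_security_state.cert_status)) {
 return DANGEROUS;
 }
 
+// data: URLs don't define a secure context, and are a vector for spoofing.
+// Display a "Not secure" badge for all data URLs, regardless of whether
+// they show a password or credit card field.
+if (url.SchemeIs(url::kDataScheme))
+return SecurityLevel::HTTP_SHOW_WARNING;
+
 // Choose the appropriate security level for HTTP requests.
 if (!is_cryptographic_with_certificate) {
 if (!is_origin_secure_callback.Run(url) && url.IsStandard()) {
 return GetSecurityLevelForNonSecureFieldTrial(
 visible_security_state.displayed_password_field_on_http ||
 visible_security_state.displayed_credit_card_field_on_http);
 }
 return NONE;
 }
 
@@ -311,10 +317,10 @@
 other.displayed_content_with_cert_errors &&
 ran_content_with_cert_errors == other.ran_content_with_cert_errors &&
 pkp_bypassed == other.pkp_bypassed &&
 displayed_password_field_on_http ==
 other.displayed_password_field_on_http &&
 displayed_credit_card_field_on_http ==
 other.displayed_credit_card_field_on_http);
 }
 
 } // namespace security_state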
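Review bot: The added `return SecurityLevel::HTTP_SHOW_WARNING;` at new line 139 qualifies the enumerator while the neighbouring returns in the same function (`return DANGEROUS;` at line 132, `return NONE;` at line 148) use it bare; for consistency write `return HTTP_SHOW_WARNING;`. The new comment could also record why the check has to sit before the HTTP branch: data: is presumably not a standard scheme, so without the early return the `url.IsStandard()` test below would route data: URLs to `NONE` instead of the field-trial warning, e.g. `// Must precede the HTTP branch: data: is not a standard scheme, so it would otherwise fall through to NONE.` If this CL does not already add a unit test asserting that a data: URL resolves to HTTP_SHOW_WARNING even with a password or credit-card field, one is worth adding alongside the change. The enclosing function begins before the hunk, so whether an earlier return already handles data: URLs cannot be confirmed from here.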