
Unified Diff: chrome/browser/ssl/security_state_tab_helper_browser_tests.cc

Issue 2648353005: Display "Not secure" verbose state for data: URLs (Closed)
Patch Set: Fix SSLUI test Created 3 years, 11 months ago
Index: chrome/browser/ssl/security_state_tab_helper_browser_tests.cc
diff --git a/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc b/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc
index 21d269b570b18bd99b873ee7fbcc72f7ee8c4dc4..434bbd4127027f65893931f800b8449095356502 100644
--- a/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc
+++ b/chrome/browser/ssl/security_state_tab_helper_browser_tests.cc
@@ -63,6 +63,18 @@ enum CertificateStatus { VALID_CERTIFICATE, INVALID_CERTIFICATE };
const base::FilePath::CharType kDocRoot[] =
FILE_PATH_LITERAL("chrome/test/data");
+// Inject a script into the page. Used by tests that check for visible
+// password fields to wait for notifications about these
+// fields. Notifications about visible password fields are queued at the
+// end of the event loop, so waiting for a dummy script to run ensures
+// that these notifcations have been sent.
+void InjectScript(content::WebContents* contents) {
+ bool js_result = false;
+ EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
+ contents, "window.domAutomationController.send(true);", &js_result));
+ EXPECT_TRUE(js_result);
+}
+
// A WebContentsObserver useful for testing the DidChangeVisibleSecurityState()
// method: it keeps track of the latest security style and explanation that was
// fired.
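Review bot: The comment carried over with InjectScript still contains the typo `notifcations`; since the block is re-added here, this is a good moment to correct it to `notifications`. The helper also reports a failed script run with EXPECT_TRUE, which is non-fatal, so a caller goes on to its own assertions even when the wait did not happen. One extra comment line such as `// Failures are reported with EXPECT_*, so the calling test keeps running.` would make that explicit for readers of a failing log.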
@@ -762,6 +774,29 @@ IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, BrokenHTTPS) {
true /* expect cert status error */);
}
+// Tests that the security level of data: URLs is always downgraded to
+// HTTP_SHOW_WARNING.
+IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest,
+ SecurityLevelDowngradedOnDataUrl) {
+ content::WebContents* contents =
+ browser()->tab_strip_model()->GetActiveWebContents();
+ ASSERT_TRUE(contents);
+
+ SecurityStateTabHelper* helper =
+ SecurityStateTabHelper::FromWebContents(contents);
+ ASSERT_TRUE(helper);
+
+ ui_test_utils::NavigateToURL(browser(), GURL("data:text/html,<html></html>"));
+ InjectScript(contents);
estark 2017/01/26 22:46:28 Is this necessary? I would think it's only necessa
meacer 2017/01/26 23:49:24 Done.
+ security_state::SecurityInfo security_info;
+ helper->GetSecurityInfo(&security_info);
+ EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level);
+
+ content::NavigationEntry* entry = contents->GetController().GetVisibleEntry();
+ ASSERT_TRUE(entry);
+ EXPECT_EQ(content::SSLStatus::NORMAL_CONTENT, entry->GetSSL().content_status);
+}
+
const char kReportURI[] = "https://report-hpkp.test";
class PKPModelClientTest : public SecurityStateTabHelperTest {
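Review bot: The comment on SecurityLevelDowngradedOnDataUrl says the level is "always" downgraded, but the body covers a single case: one top-level navigation to an empty `data:text/html` document. Either narrow the comment, e.g. `// Tests that a top-level navigation to a data: URL is shown as HTTP_SHOW_WARNING.`, or add cases for other ways of reaching a data: URL (for instance from an HTTPS page), if those are meant to be covered by the same guarantee. The final assertion that content_status stays NORMAL_CONTENT is not explained; a short comment saying why the downgrade is expected to leave content_status untouched would help the next reader.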
@@ -916,18 +951,6 @@ IN_PROC_BROWSER_TEST_F(SecurityStateLoadingTest, NavigationStateChanges) {
browser()->tab_strip_model()->GetActiveWebContents());
}
-// Inject a script into the page. Used by tests that check for visible
-// password fields to wait for notifications about these
-// fields. Notifications about visible password fields are queued at the
-// end of the event loop, so waiting for a dummy script to run ensures
-// that these notifcations have been sent.
-void InjectScript(content::WebContents* contents) {
- bool js_result = false;
- EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
- contents, "window.domAutomationController.send(true);", &js_result));
- EXPECT_TRUE(js_result);
-}
-
// Tests that when a visible password field is detected on an HTTP page
// load, and when the command-line flag is set, the security level is
// downgraded to HTTP_SHOW_WARNING.
