OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/security_state/core/security_state.h" | 5 #include "components/security_state/core/security_state.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
10 #include "base/metrics/field_trial.h" | 10 #include "base/metrics/field_trial.h" |
(...skipping 129 matching lines...)
140 bool is_cryptographic_with_certificate = | 140 bool is_cryptographic_with_certificate = |
141 (url.SchemeIsCryptographic() && visible_security_state.certificate); | 141 (url.SchemeIsCryptographic() && visible_security_state.certificate); |
142 | 142 |
143 // Set the security level to DANGEROUS for major certificate errors. | 143 // Set the security level to DANGEROUS for major certificate errors. |
144 if (is_cryptographic_with_certificate && | 144 if (is_cryptographic_with_certificate && |
145 net::IsCertStatusError(visible_security_state.cert_status) && | 145 net::IsCertStatusError(visible_security_state.cert_status) && |
146 !net::IsCertStatusMinorError(visible_security_state.cert_status)) { | 146 !net::IsCertStatusMinorError(visible_security_state.cert_status)) { |
147 return DANGEROUS; | 147 return DANGEROUS; |
148 } | 148 } |
149 | 149 |
| 150 // data: URLs don't define a secure context, and are a vector for spoofing. |
| 151 // Display a "Not secure" badge for all data URLs, regardless of whether |
| 152 // they show a password or credit card field. |
| 153 if (url.SchemeIs(url::kDataScheme)) |
| 154 return SecurityLevel::HTTP_SHOW_WARNING; |
| 155 |
150 // Choose the appropriate security level for HTTP requests. | 156 // Choose the appropriate security level for HTTP requests. |
151 if (!is_cryptographic_with_certificate) { | 157 if (!is_cryptographic_with_certificate) { |
152 if (!is_origin_secure_callback.Run(url) && url.IsStandard()) { | 158 if (!is_origin_secure_callback.Run(url) && url.IsStandard()) { |
153 return GetSecurityLevelForNonSecureFieldTrial( | 159 return GetSecurityLevelForNonSecureFieldTrial( |
154 visible_security_state.displayed_password_field_on_http || | 160 visible_security_state.displayed_password_field_on_http || |
155 visible_security_state.displayed_credit_card_field_on_http); | 161 visible_security_state.displayed_credit_card_field_on_http); |
156 } | 162 } |
157 return NONE; | 163 return NONE; |
158 } | 164 } |
159 | 165 |
(...skipping 164 matching lines...)
324 pkp_bypassed == other.pkp_bypassed && | 330 pkp_bypassed == other.pkp_bypassed && |
325 displayed_password_field_on_http == | 331 displayed_password_field_on_http == |
326 other.displayed_password_field_on_http && | 332 other.displayed_password_field_on_http && |
327 displayed_credit_card_field_on_http == | 333 displayed_credit_card_field_on_http == |
328 other.displayed_credit_card_field_on_http && | 334 other.displayed_credit_card_field_on_http && |
329 display_sha1_from_local_anchors_as_neutral == | 335 display_sha1_from_local_anchors_as_neutral == |
330 other.display_sha1_from_local_anchors_as_neutral); | 336 other.display_sha1_from_local_anchors_as_neutral); |
331 } | 337 } |
332 | 338 |
333 } // namespace security_state | 339 } // namespace security_state |
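Review bot: The new data: check at new lines 150-154 only works because it sits above the `if (!is_cryptographic_with_certificate)` branch, and the comment does not say so. As far as I know data: URLs are not standard URLs, so inside that branch `url.IsStandard()` would be false and they would fall through to `return NONE`; a later reordering would silently drop the "Not secure" badge. I would add a line to the comment such as `// Must precede the non-secure HTTP branch below: data: URLs are not standard, so they would otherwise return NONE.` The return also spells `SecurityLevel::HTTP_SHOW_WARNING` while the neighbouring returns use unqualified `DANGEROUS` and `NONE`; one form should be used throughout. The enclosing function starts and ends outside the visible lines, and no test for the data: case appears in this section.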
OLD | NEW |