Implement 'Not secure' warning for non-secure pages in Incognito mode

chrome/browser/ssl/security_state_tab_helper.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/security_state_tab_helper.h"
 
 #include "base/bind.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/safe_browsing/safe_browsing_service.h"
 #include "chrome/browser/safe_browsing/ui_manager.h"
 #include "components/prefs/pref_service.h"
 #include "components/security_state/content/content_utils.h"
 #include "components/ssl_config/ssl_config_prefs.h"
+#include "content/public/browser/browser_context.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/navigation_handle.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/origin_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 #include "ui/base/l10n/l10n_util.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #endif  // defined(OS_CHROMEOS)
 
 DEFINE_WEB_CONTENTS_USER_DATA_KEY(SecurityStateTabHelper);
 
 using safe_browsing::SafeBrowsingUIManager;
 
 SecurityStateTabHelper::SecurityStateTabHelper(
     content::WebContents* web_contents)
     : content::WebContentsObserver(web_contents),
+      logged_incognito_warning_on_current_navigation_(false),
       logged_http_warning_on_current_navigation_(false) {}
 
 SecurityStateTabHelper::~SecurityStateTabHelper() {}
 
 void SecurityStateTabHelper::GetSecurityInfo(
     security_state::SecurityInfo* result) const {
   security_state::GetSecurityInfo(GetVisibleSecurityState(),
                                   UsedPolicyInstalledCertificate(),
                                   base::Bind(&content::IsOriginSecure), result);
 }
 
 void SecurityStateTabHelper::VisibleSecurityStateChanged() {
-  if (logged_http_warning_on_current_navigation_)
+  if (logged_incognito_warning_on_current_navigation_ &&
+      logged_http_warning_on_current_navigation_) {
     return;
+  }
 
   security_state::SecurityInfo security_info;
   GetSecurityInfo(&security_info);
-  if (!security_info.displayed_password_field_on_http &&
-      !security_info.displayed_credit_card_field_on_http) {
+
+  if (!logged_incognito_warning_on_current_navigation_ &&
+      security_info.is_incognito &&
+      security_info.security_level == security_state::HTTP_SHOW_WARNING) {
+    logged_incognito_warning_on_current_navigation_ = true;
+
+    web_contents()->GetMainFrame()->AddMessageToConsole(
+        content::CONSOLE_MESSAGE_LEVEL_WARNING,
+        "This page was loaded non-securely in an incognito mode browser. A "
+        "warning has been added to the URL bar. For more information, see "
+        "https://goo.gl/y8SRRv.");
+  }
+
+  if (logged_http_warning_on_current_navigation_ ||
+      (!security_info.displayed_password_field_on_http &&
+       !security_info.displayed_credit_card_field_on_http)) {
     return;
   }
 
   DCHECK(time_of_http_warning_on_current_navigation_.is_null());
   time_of_http_warning_on_current_navigation_ = base::Time::Now();
 
   logged_http_warning_on_current_navigation_ = true;
   web_contents()->GetMainFrame()->AddMessageToConsole(
       content::CONSOLE_MESSAGE_LEVEL_WARNING,
       "This page includes a password or credit card input in a non-secure "
@@ skipping 14 matching lines @@
   }
   if (security_info.displayed_password_field_on_http) {
     UMA_HISTOGRAM_BOOLEAN(
         "Security.HTTPBad.UserWarnedAboutSensitiveInput.Password",
         warning_is_user_visible);
   }
 }
 
 void SecurityStateTabHelper::DidStartNavigation(
     content::NavigationHandle* navigation_handle) {
-  if (time_of_http_warning_on_current_navigation_.is_null() ||
-      !navigation_handle->IsInMainFrame() ||
+  if (!navigation_handle->IsInMainFrame() ||
       navigation_handle->IsSameDocument()) {
     return;
   }
+
+  logged_incognito_warning_on_current_navigation_ = false;
+
+  if (time_of_http_warning_on_current_navigation_.is_null())
+    return;
   // Record how quickly a user leaves a site after encountering an
   // HTTP-bad warning. A navigation here only counts if it is a
   // main-frame, not-same-page navigation, since it aims to measure how
   // quickly a user leaves a site after seeing the HTTP warning.
   UMA_HISTOGRAM_LONG_TIMES(
       "Security.HTTPBad.NavigationStartedAfterUserWarnedAboutSensitiveInput",
       base::Time::Now() - time_of_http_warning_on_current_navigation_);
   // After recording the histogram, clear the time of the warning. A
   // timing histogram will not be recorded again on this page, because
   // the time is only set the first time the HTTP-bad warning is shown
@@ skipping 82 matching lines @@
 }
 
 std::unique_ptr<security_state::VisibleSecurityState>
 SecurityStateTabHelper::GetVisibleSecurityState() const {
   auto state = security_state::GetVisibleSecurityState(web_contents());
 
   // Malware status might already be known even if connection security
   // information is still being initialized, thus no need to check for that.
   state->malicious_content_status = GetMaliciousContentStatus();
 
+  if (!state->certificate &&
+      security_state::IsHttpWarningForIncognitoEnabled()) {
+    content::BrowserContext* context = web_contents()->GetBrowserContext();
+    if (context->IsOffTheRecord() &&
+        !Profile::FromBrowserContext(context)->IsGuestSession()) {
+      state->is_incognito = true;
+    }
+  }
   return state;
 }