Implement 'Not secure' warning for non-secure pages in Incognito mode

chrome/browser/ssl/security_state_tab_helper.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/security_state_tab_helper.h"
 
 #include "base/bind.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/safe_browsing/safe_browsing_service.h"
 #include "chrome/browser/safe_browsing/ui_manager.h"
 #include "components/prefs/pref_service.h"
 #include "components/security_state/content/content_utils.h"
 #include "components/ssl_config/ssl_config_prefs.h"
+#include "content/public/browser/browser_context.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/navigation_handle.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/origin_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 #include "ui/base/l10n/l10n_util.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #endif  // defined(OS_CHROMEOS)
 
 DEFINE_WEB_CONTENTS_USER_DATA_KEY(SecurityStateTabHelper);
 
 using safe_browsing::SafeBrowsingUIManager;
 
 SecurityStateTabHelper::SecurityStateTabHelper(
     content::WebContents* web_contents)
     : content::WebContentsObserver(web_contents),
-      logged_http_warning_on_current_navigation_(false) {}
+      logged_http_warning_on_current_navigation_(false),
+      is_incognito_(false) {
+  content::BrowserContext* context = web_contents->GetBrowserContext();
+  if (context->IsOffTheRecord() &&
+      !Profile::FromBrowserContext(context)->IsGuestSession()) {
+    is_incognito_ = true;
+  }
+}
 
 SecurityStateTabHelper::~SecurityStateTabHelper() {}
 
 void SecurityStateTabHelper::GetSecurityInfo(
     security_state::SecurityInfo* result) const {
   security_state::GetSecurityInfo(GetVisibleSecurityState(),
                                   UsedPolicyInstalledCertificate(),
                                   base::Bind(&content::IsOriginSecure), result);
 }
 
@@ skipping 53 matching lines @@
       base::Time::Now() - time_of_http_warning_on_current_navigation_);
   // After recording the histogram, clear the time of the warning. A
   // timing histogram will not be recorded again on this page, because
   // the time is only set the first time the HTTP-bad warning is shown
   // per page.
   time_of_http_warning_on_current_navigation_ = base::Time();
 }
 
 void SecurityStateTabHelper::DidFinishNavigation(
     content::NavigationHandle* navigation_handle) {
-  if (navigation_handle->IsInMainFrame() &&
-      !navigation_handle->IsSameDocument()) {
-    // Only reset the console message flag for main-frame navigations,
-    // and not for same-document navigations like reference fragments and
-    // pushState.
-    logged_http_warning_on_current_navigation_ = false;
+  // Ignore subframe navigations, same-document navigations, and navigations
+  // that did not commit (e.g. HTTP/204 or file downloads).
+  if (!navigation_handle->IsInMainFrame() ||
+      navigation_handle->IsSameDocument() ||
+      !navigation_handle->HasCommitted()) {
+    return;
+  }
+
+  logged_http_warning_on_current_navigation_ = false;
+
+  security_state::SecurityInfo security_info;
+  GetSecurityInfo(&security_info);
+  if (security_info.incognito_downgraded_security_level) {
+    web_contents()->GetMainFrame()->AddMessageToConsole(
+        content::CONSOLE_MESSAGE_LEVEL_WARNING,
+        "This page was loaded non-securely in an incognito mode browser. A "
+        "warning has been added to the URL bar. For more information, see "
+        "https://goo.gl/y8SRRv.");
   }
 }
 
 void SecurityStateTabHelper::WebContentsDestroyed() {
   if (time_of_http_warning_on_current_navigation_.is_null()) {
     return;
   }
   // Record how quickly the tab is closed after a user encounters an
   // HTTP-bad warning. This histogram will only be recorded if the
   // WebContents is destroyed before another navigation begins.
@@ skipping 60 matching lines @@
 }
 
 std::unique_ptr<security_state::VisibleSecurityState>
 SecurityStateTabHelper::GetVisibleSecurityState() const {
   auto state = security_state::GetVisibleSecurityState(web_contents());
 
   // Malware status might already be known even if connection security
   // information is still being initialized, thus no need to check for that.
   state->malicious_content_status = GetMaliciousContentStatus();
 
+  state->is_incognito = is_incognito_;
+
   return state;
 }