Set SSL info when an HTTP auth dialog is triggered by direct navigation.

chrome/browser/ui/login/login_interstitial_delegate.cc

Index: chrome/browser/ui/login/login_interstitial_delegate.cc
diff --git a/chrome/browser/ui/login/login_interstitial_delegate.cc b/chrome/browser/ui/login/login_interstitial_delegate.cc
index b4b8dfb73603b29875f008970ff1a631bd76a40a..238b542e6d461972652c756683722b4041872440 100644
--- a/chrome/browser/ui/login/login_interstitial_delegate.cc
+++ b/chrome/browser/ui/login/login_interstitial_delegate.cc
@@ -4,11 +4,26 @@
 
 #include "chrome/browser/ui/login/login_interstitial_delegate.h"
 
+#include "chrome/browser/ssl/ssl_error_info.h"
+#include "chrome/browser/ui/login/login_prompt.h"
+#include "content/public/browser/cert_store.h"
+#include "content/public/browser/navigation_entry.h"
+#include "content/public/browser/render_process_host.h"
+#include "content/public/browser/signed_certificate_timestamp_store.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/common/security_style.h"
+#include "content/public/common/signed_certificate_timestamp_id_and_status.h"
+#include "content/public/common/ssl_status.h"
+#include "net/ssl/ssl_info.h"

[meacer, 2014/07/22 22:07:09]

Some of these will be removed.

+
 LoginInterstitialDelegate::LoginInterstitialDelegate(
     content::WebContents* web_contents,
     const GURL& request_url,
-    base::Closure& callback)
-    : callback_(callback) {
+    base::Closure& callback,
+    const net::SSLInfo& ssl_info)
+    : web_contents_(web_contents),
+      callback_(callback),
+      ssl_info_(ssl_info) {
   // The interstitial page owns us.
   content::InterstitialPage* interstitial_page =
       content::InterstitialPage::Create(web_contents,
@@ -37,3 +52,12 @@ std::string LoginInterstitialDelegate::GetHTMLContents() {
       "window.domAutomationController.send('1');"
       "</script></body></html>");
 }
+
+void LoginInterstitialDelegate::OverrideEntry(content::NavigationEntry* entry) {
+  entry->GetSSL().security_style = content::SECURITY_STYLE_UNKNOWN;
+  // LoginHandler::UpdateSSLState doesn't set the mixed content state, but the

[Charlie Reis, 2014/07/22 22:01:21]

This concerns me.  Are you saying that there could be a mixed content warning
that is missed while the login prompt is showing?  That sounds bad.

You could imagine a case where something like window.opener is on the same HTTPS
origin and has mixed content.  Once the user logs into what looked like a safe
prompt, the mixed content opener reaches in and has access to the
now-authenticated page.

[meacer, 2014/07/22 22:07:09]

Ah, I didn't consider the "mixed content on the same origin" case. I was
assuming that the check was per page rather than per origin, but it makes sense
for it to be per origin.

The main problem here is that I can't seem to use SSLManager from UI code. If I
can, then I won't need to duplicate the logic. Not sure if it's possible though.

[Charlie Reis, 2014/07/22 23:23:18]

Yeah, it would be good to find a way to expose the info that you need, because
duplicating it outside of content/ will certainly lead to unfixed bugs.  Not
sure what content/public surface is the right place for it, so adding John to
see if he has ideas.

+  // navigation entry for this interstitial will be discarded once the login
+  // prompt is closed anyways, and the SSL state will be updated correctly once
+  // the pending navigation will commit.
+  LoginHandler::UpdateSSLState(entry, web_contents_, ssl_info_);
+}