| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/ssl/ssl_policy.h" | 5 #include "content/browser/ssl/ssl_policy.h" |
| 6 | 6 |
| 7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
| 8 #include "base/bind.h" | 8 #include "base/bind.h" |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/memory/singleton.h" | 10 #include "base/memory/singleton.h" |
| (...skipping 14 matching lines...) Expand all Loading... |
| 25 | 25 |
| 26 | 26 |
| 27 namespace content { | 27 namespace content { |
| 28 | 28 |
| 29 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend) | 29 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend) |
| 30 : backend_(backend) { | 30 : backend_(backend) { |
| 31 DCHECK(backend_); | 31 DCHECK(backend_); |
| 32 } | 32 } |
| 33 | 33 |
| 34 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) { | 34 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) { |
| 35 bool expired_previous_decision; |
| 35 // First we check if we know the policy for this error. | 36 // First we check if we know the policy for this error. |
| 36 net::CertPolicy::Judgment judgment = | 37 net::CertPolicy::Judgment judgment = |
| 37 backend_->QueryPolicy(handler->ssl_info().cert.get(), | 38 backend_->QueryPolicy(handler->ssl_info().cert.get(), |
| 38 handler->request_url().host(), | 39 handler->request_url().host(), |
| 39 handler->cert_error()); | 40 handler->cert_error(), |
| 41 &expired_previous_decision); |
| 40 | 42 |
| 41 if (judgment == net::CertPolicy::ALLOWED) { | 43 if (judgment == net::CertPolicy::ALLOWED) { |
| 42 handler->ContinueRequest(); | 44 handler->ContinueRequest(); |
| 43 return; | 45 return; |
| 44 } | 46 } |
| 45 | 47 |
| 46 // The judgment is either DENIED or UNKNOWN. | 48 // The judgment is either DENIED or UNKNOWN. |
| 47 // For now we handle the DENIED as the UNKNOWN, which means a blocking | 49 // For now we handle the DENIED as the UNKNOWN, which means a blocking |
| 48 // page is shown to the user every time he comes back to the page. | 50 // page is shown to the user every time he comes back to the page. |
| 49 | 51 |
| 52 int options_mask = 0; |
| 50 switch (handler->cert_error()) { | 53 switch (handler->cert_error()) { |
| 51 case net::ERR_CERT_COMMON_NAME_INVALID: | 54 case net::ERR_CERT_COMMON_NAME_INVALID: |
| 52 case net::ERR_CERT_DATE_INVALID: | 55 case net::ERR_CERT_DATE_INVALID: |
| 53 case net::ERR_CERT_AUTHORITY_INVALID: | 56 case net::ERR_CERT_AUTHORITY_INVALID: |
| 54 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: | 57 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: |
| 55 case net::ERR_CERT_WEAK_KEY: | 58 case net::ERR_CERT_WEAK_KEY: |
| 56 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION: | 59 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION: |
| 57 OnCertErrorInternal(handler, !handler->fatal(), handler->fatal()); | 60 if (!handler->fatal()) |
| 61 options_mask |= OVERRIDABLE; |
| 62 else |
| 63 options_mask |= STRICT_ENFORCEMENT; |
| 64 if (expired_previous_decision) |
| 65 options_mask |= EXPIRED_PREVIOUS_DECISION; |
| 66 OnCertErrorInternal(handler, options_mask); |
| 58 break; | 67 break; |
| 59 case net::ERR_CERT_NO_REVOCATION_MECHANISM: | 68 case net::ERR_CERT_NO_REVOCATION_MECHANISM: |
| 60 // Ignore this error. | 69 // Ignore this error. |
| 61 handler->ContinueRequest(); | 70 handler->ContinueRequest(); |
| 62 break; | 71 break; |
| 63 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION: | 72 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION: |
| 64 // We ignore this error but will show a warning status in the location | 73 // We ignore this error but will show a warning status in the location |
| 65 // bar. | 74 // bar. |
| 66 handler->ContinueRequest(); | 75 handler->ContinueRequest(); |
| 67 break; | 76 break; |
| 68 case net::ERR_CERT_CONTAINS_ERRORS: | 77 case net::ERR_CERT_CONTAINS_ERRORS: |
| 69 case net::ERR_CERT_REVOKED: | 78 case net::ERR_CERT_REVOKED: |
| 70 case net::ERR_CERT_INVALID: | 79 case net::ERR_CERT_INVALID: |
| 71 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: | 80 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: |
| 72 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: | 81 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: |
| 73 OnCertErrorInternal(handler, false, handler->fatal()); | 82 if (handler->fatal()) |
| 83 options_mask |= STRICT_ENFORCEMENT; |
| 84 if (expired_previous_decision) |
| 85 options_mask |= EXPIRED_PREVIOUS_DECISION; |
| 86 OnCertErrorInternal(handler, options_mask); |
| 74 break; | 87 break; |
| 75 default: | 88 default: |
| 76 NOTREACHED(); | 89 NOTREACHED(); |
| 77 handler->CancelRequest(); | 90 handler->CancelRequest(); |
| 78 break; | 91 break; |
| 79 } | 92 } |
| 80 } | 93 } |
| 81 | 94 |
| 82 void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry, | 95 void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry, |
| 83 const std::string& security_origin) { | 96 const std::string& security_origin) { |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 175 handler->request_url().host(), | 188 handler->request_url().host(), |
| 176 handler->cert_error()); | 189 handler->cert_error()); |
| 177 handler->CancelRequest(); | 190 handler->CancelRequest(); |
| 178 } | 191 } |
| 179 } | 192 } |
| 180 | 193 |
| 181 //////////////////////////////////////////////////////////////////////////////// | 194 //////////////////////////////////////////////////////////////////////////////// |
| 182 // Certificate Error Routines | 195 // Certificate Error Routines |
| 183 | 196 |
| 184 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler, | 197 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler, |
| 185 bool overridable, | 198 int options_mask) { |
| 186 bool strict_enforcement) { | 199 bool overridable = options_mask & OVERRIDABLE; |
| 200 bool strict_enforcement = options_mask & STRICT_ENFORCEMENT; |
| 201 bool expired_previous_decision = options_mask & EXPIRED_PREVIOUS_DECISION; |
| 187 CertificateRequestResultType result = | 202 CertificateRequestResultType result = |
| 188 CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE; | 203 CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE; |
| 189 GetContentClient()->browser()->AllowCertificateError( | 204 GetContentClient()->browser()->AllowCertificateError( |
| 190 handler->render_process_id(), | 205 handler->render_process_id(), |
| 191 handler->render_frame_id(), | 206 handler->render_frame_id(), |
| 192 handler->cert_error(), | 207 handler->cert_error(), |
| 193 handler->ssl_info(), | 208 handler->ssl_info(), |
| 194 handler->request_url(), | 209 handler->request_url(), |
| 195 handler->resource_type(), | 210 handler->resource_type(), |
| 196 overridable, | 211 overridable, |
| 197 strict_enforcement, | 212 strict_enforcement, |
| 198 base::Bind(&SSLPolicy::OnAllowCertificate, base::Unretained(this), | 213 expired_previous_decision, |
| 214 base::Bind(&SSLPolicy::OnAllowCertificate, |
| 215 base::Unretained(this), |
| 199 make_scoped_refptr(handler)), | 216 make_scoped_refptr(handler)), |
| 200 &result); | 217 &result); |
| 201 switch (result) { | 218 switch (result) { |
| 202 case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE: | 219 case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE: |
| 203 break; | 220 break; |
| 204 case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL: | 221 case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL: |
| 205 handler->CancelRequest(); | 222 handler->CancelRequest(); |
| 206 break; | 223 break; |
| 207 case CERTIFICATE_REQUEST_RESULT_TYPE_DENY: | 224 case CERTIFICATE_REQUEST_RESULT_TYPE_DENY: |
| 208 handler->DenyRequest(); | 225 handler->DenyRequest(); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 220 SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED; | 237 SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED; |
| 221 } | 238 } |
| 222 | 239 |
| 223 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) { | 240 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) { |
| 224 GURL parsed_origin(origin); | 241 GURL parsed_origin(origin); |
| 225 if (parsed_origin.SchemeIsSecure()) | 242 if (parsed_origin.SchemeIsSecure()) |
| 226 backend_->HostRanInsecureContent(parsed_origin.host(), pid); | 243 backend_->HostRanInsecureContent(parsed_origin.host(), pid); |
| 227 } | 244 } |
| 228 | 245 |
| 229 } // namespace content | 246 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 450833002:
Add additional UMA stats for remembering certificate decisions. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src