Remember user's decisions on SSL errors.

android_webview/browser/aw_ssl_host_state_delegate.h

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.

[jww, 2014/12/12 01:48:41]

nit: I think this should be "Copyright (c) 2014"

[hush (inactive), 2014/12/12 02:42:37]

Done.

+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef ANDROID_WEBVIEW_BROWSER_AW_SSL_HOST_STATE_DELEGATE_H_
+#define ANDROID_WEBVIEW_BROWSER_AW_SSL_HOST_STATE_DELEGATE_H_
+
+#include <map>
+#include <set>
+#include <string>
+
+#include "content/public/browser/ssl_host_state_delegate.h"
+#include "net/base/hash_value.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/x509_certificate.h"
+
+namespace android_webview {
+namespace {
+// This class is useful for maintaining policies about which certificates are
+// permitted for a particular purpose.
+class CertPolicy {
+ public:
+  CertPolicy();
+  ~CertPolicy();
+  // Returns true if the user has decided to proceed through the ssl error
+  // before. For a certificate to be allowed, it must not have any
+  // *additional* errors from when it was allowed.
+  bool Check(const net::X509Certificate& cert, net::CertStatus error) const;
+
+  // Causes the policy to allow this certificate for a given |error|. And
+  // remember the user's choice.
+  void Allow(const net::X509Certificate& cert, net::CertStatus error);
+
+ private:
+  // The set of fingerprints of allowed certificates.
+  std::map<net::SHA1HashValue, net::CertStatus, net::SHA1HashValueLessThan>

[jww, 2014/12/12 01:48:41]

As a rule, we should never use SHA1 hashes for security decisions as they are
know to be weak. Fortunately, we have SHA256 fingerprints on cert chains in net/
now. See
https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ssl...
to see how this is implemented for the main browser.

[hush (inactive), 2014/12/12 02:42:37]

Done.

+      allowed_;
+};
+}
+
+class AwSSLHostStateDelegate : public content::SSLHostStateDelegate {
+ public:
+  AwSSLHostStateDelegate();
+  virtual ~AwSSLHostStateDelegate();
+
+  // Records that |cert| is permitted to be used for |host| in the future, for
+  // a specified |error| type.
+  void AllowCert(const std::string& host,
+                 const net::X509Certificate& cert,
+                 net::CertStatus error) override;
+
+  void Clear() override;
+
+  // Queries whether |cert| is allowed or denied for |host| and |error|.
+  content::SSLHostStateDelegate::CertJudgment QueryPolicy(
+      const std::string& host,
+      const net::X509Certificate& cert,
+      net::CertStatus error,
+      bool* expired_previous_decision) override;
+
+  // Records that a host has run insecure content.
+  void HostRanInsecureContent(const std::string& host, int pid) override;
+
+  // Returns whether the specified host ran insecure content.
+  bool DidHostRunInsecureContent(const std::string& host,
+                                 int pid) const override;
+
+ private:
+  // A BrokenHostEntry is a pair of (host, process_id) that indicates the host
+  // contains insecure content in that renderer process.
+  typedef std::pair<std::string, int> BrokenHostEntry;
+
+  // Hosts which have been contaminated with insecure content in the
+  // specified process.  Note that insecure content can travel between
+  // same-origin frames in one processs but cannot jump between processes.
+  std::set<BrokenHostEntry> ran_insecure_content_hosts_;
+
+  // Certificate policies for each host.
+  std::map<std::string, CertPolicy> cert_policy_for_host_;
+
+  DISALLOW_COPY_AND_ASSIGN(AwSSLHostStateDelegate);
+};
+
+}  // namespace android_webview
+
+#endif  // ANDROID_WEBVIEW_BROWSER_AW_SSL_HOST_STATE_DELEGATE_H_