Skip interstitials and don't block requests for localhost SSL errors

chrome/browser/ssl/chrome_ssl_host_state_delegate_test.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
 
 #include <stdint.h>
 
 #include "base/command_line.h"
 #include "base/strings/string_number_conversions.h"
@@ skipping 607 matching lines @@
   // worth of browsing history and verify that the exception has been deleted.
   state->AllowCert(
       kGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   RemoveAndWait(profile);
   EXPECT_EQ(content::SSLHostStateDelegate::DENIED,
             state->QueryPolicy(kGoogleHost,
                                *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
+
+// Tests to make sure that localhost certificate errors are ignored or
+// treated as normal errors, depending on whether the
+// kAllowInsecureLocalhost flag is set.
+
+// When the flag isn't set, requests to localhost with invalid
+// certificates should be denied.
+IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest,
+                       LocalhostErrorWithoutFlag) {
+  // Serve the Google cert for localhost to generate an error.
+  scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();

[Ryan Sleevi, 2015/02/04 19:34:41]

Not your fault, other than I never noticed until this CL, but we (ideally)
should *not* be using a Google cert here. Those aren't automatically generated
and thus can be a pain to update.

If you're wanting bonus kudos, a (hopefully trivial) task would be to replace
the google cert w/ one of our "automatically" (well, script-maintained) certs,
such as ok_cert.pem or something. You can see which certs are which by looking
at
https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/certific...

[estark, 2015/02/05 03:02:38]

Done. Just to make sure I understand:
* The pain of using the manually updated cert is that if it expires (for
example), the tests could break until someone goes in and manually replaces it?
* I replaced the Google cert in these tests with ok_cert.pem, but I didn't
change the hostnames that the tests uses (google.com, www.google.com,
example.com). IIUC, that's okay because the code being tested doesn't actually
look at the names in the cert, so I think the hostnames used by the tests don't
actually have to have any relationship to the cert. But I just want to make sure
that the change didn't break the tests in such a way that they pass but are no
longer testing the thing they're supposed to be testing.

+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
+  bool unused_value;
+
+  EXPECT_EQ(content::SSLHostStateDelegate::DENIED,
+            state->QueryPolicy("localhost",
+                               *google_cert.get(),
+                               net::CERT_STATUS_COMMON_NAME_INVALID,
+                               &unused_value));
+}
+
+// When the flag is set, requests to localhost with invalid certificates
+// should be allowed.
+class AllowLocalhostErrorsSSLHostStateDelegateTest
+    : public ChromeSSLHostStateDelegateTest {
+ protected:
+  void SetUpCommandLine(base::CommandLine* command_line) override {
+    ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
+    command_line->AppendSwitch(switches::kAllowInsecureLocalhost);
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(AllowLocalhostErrorsSSLHostStateDelegateTest,
+                       LocalhostErrorWithFlag) {
+  // Serve the Google cert for localhost to generate an error.
+  scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
+  bool unused_value;
+
+  EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED,
+            state->QueryPolicy("localhost",
+                               *google_cert.get(),
+                               net::CERT_STATUS_COMMON_NAME_INVALID,
+                               &unused_value));
+}