Enforce HTTPS URLs to show app banners.

chrome/browser/android/banners/app_banner_manager.cc

Index: chrome/browser/android/banners/app_banner_manager.cc
diff --git a/chrome/browser/android/banners/app_banner_manager.cc b/chrome/browser/android/banners/app_banner_manager.cc
index b3f1f565a84e9d924593074472abcee91177f957..56a954143f32a26ecbb06cbff117773e610d10ed 100644
--- a/chrome/browser/android/banners/app_banner_manager.cc
+++ b/chrome/browser/android/banners/app_banner_manager.cc
@@ -44,6 +44,7 @@ using base::android::ConvertUTF16ToJavaString;
 namespace {
 const char kBannerTag[] = "google-play-id";
 base::TimeDelta gTimeDeltaForTesting;
+bool gDisableSecureCheckForTesting = false;
 }  // namespace
 
 namespace banners {
@@ -132,6 +133,11 @@ void AppBannerManager::DidFinishLoad(
     return;
   validated_url_ = validated_url;
 
+  // A secure scheme is required to show banners, so exit early if we see the
+  // URL is invalid.
+  if (!validated_url_.SchemeIsSecure() && !gDisableSecureCheckForTesting)
+    return;
+
   // See if the page has a manifest. Using Unretained(this) here is safe as the
   // lifetime of this object extends beyond the lifetime of the web_contents(),
   // and when web_contents() is destroyed it will call OnDidGetManifest.
@@ -363,6 +369,10 @@ void SetTimeDeltaForTesting(JNIEnv* env, jclass clazz, jint days) {
   gTimeDeltaForTesting = base::TimeDelta::FromDays(days);
 }
 
+void DisableSecureSchemeCheckForTesting(JNIEnv* env, jclass clazz) {
+  gDisableSecureCheckForTesting = true;
+}
+
 // Register native methods
 bool RegisterAppBannerManager(JNIEnv* env) {
   return RegisterNativesImpl(env);