| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <utility> | 5 #include <utility> |
| 6 | 6 |
| 7 #include "base/base64.h" |
| 7 #include "base/base_switches.h" | 8 #include "base/base_switches.h" |
| 8 #include "base/bind.h" | 9 #include "base/bind.h" |
| 9 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| 10 #include "base/callback.h" | 11 #include "base/callback.h" |
| 11 #include "base/command_line.h" | 12 #include "base/command_line.h" |
| 12 #include "base/location.h" | 13 #include "base/location.h" |
| 13 #include "base/macros.h" | 14 #include "base/macros.h" |
| 14 #include "base/message_loop/message_loop.h" | 15 #include "base/message_loop/message_loop.h" |
| 15 #include "base/metrics/field_trial.h" | 16 #include "base/metrics/field_trial.h" |
| 16 #include "base/single_thread_task_runner.h" | 17 #include "base/single_thread_task_runner.h" |
| (...skipping 30 matching lines...) |
| 47 #include "chrome/browser/ui/browser_commands.h" | 48 #include "chrome/browser/ui/browser_commands.h" |
| 48 #include "chrome/browser/ui/browser_finder.h" | 49 #include "chrome/browser/ui/browser_finder.h" |
| 49 #include "chrome/browser/ui/browser_navigator.h" | 50 #include "chrome/browser/ui/browser_navigator.h" |
| 50 #include "chrome/browser/ui/browser_navigator_params.h" | 51 #include "chrome/browser/ui/browser_navigator_params.h" |
| 51 #include "chrome/browser/ui/browser_tabstrip.h" | 52 #include "chrome/browser/ui/browser_tabstrip.h" |
| 52 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 53 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
| 53 #include "chrome/common/chrome_paths.h" | 54 #include "chrome/common/chrome_paths.h" |
| 54 #include "chrome/common/chrome_switches.h" | 55 #include "chrome/common/chrome_switches.h" |
| 55 #include "chrome/common/pref_names.h" | 56 #include "chrome/common/pref_names.h" |
| 56 #include "chrome/test/base/in_process_browser_test.h" | 57 #include "chrome/test/base/in_process_browser_test.h" |
| 58 #include "chrome/test/base/test_launcher_utils.h" |
| 57 #include "chrome/test/base/ui_test_utils.h" | 59 #include "chrome/test/base/ui_test_utils.h" |
| 58 #include "components/content_settings/core/browser/host_content_settings_map.h" | 60 #include "components/content_settings/core/browser/host_content_settings_map.h" |
| 59 #include "components/network_time/network_time_test_utils.h" | 61 #include "components/network_time/network_time_test_utils.h" |
| 60 #include "components/network_time/network_time_tracker.h" | 62 #include "components/network_time/network_time_tracker.h" |
| 61 #include "components/prefs/testing_pref_service.h" | 63 #include "components/prefs/testing_pref_service.h" |
| 62 #include "components/security_interstitials/core/controller_client.h" | 64 #include "components/security_interstitials/core/controller_client.h" |
| 63 #include "components/security_interstitials/core/metrics_helper.h" | 65 #include "components/security_interstitials/core/metrics_helper.h" |
| 64 #include "components/security_state/core/security_state.h" | 66 #include "components/security_state/core/security_state.h" |
| 65 #include "components/security_state/core/switches.h" | 67 #include "components/security_state/core/switches.h" |
| 66 #include "components/ssl_errors/error_classification.h" | 68 #include "components/ssl_errors/error_classification.h" |
| (...skipping 244 matching lines...) |
| 311 } // namespace | 313 } // namespace |
| 312 | 314 |
| 313 class SSLUITest : public InProcessBrowserTest { | 315 class SSLUITest : public InProcessBrowserTest { |
| 314 public: | 316 public: |
| 315 SSLUITest() | 317 SSLUITest() |
| 316 : https_server_(net::EmbeddedTestServer::TYPE_HTTPS), | 318 : https_server_(net::EmbeddedTestServer::TYPE_HTTPS), |
| 317 https_server_expired_(net::EmbeddedTestServer::TYPE_HTTPS), | 319 https_server_expired_(net::EmbeddedTestServer::TYPE_HTTPS), |
| 318 https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS), | 320 https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS), |
| 319 wss_server_expired_(net::SpawnedTestServer::TYPE_WSS, | 321 wss_server_expired_(net::SpawnedTestServer::TYPE_WSS, |
| 320 SSLOptions(SSLOptions::CERT_EXPIRED), | 322 SSLOptions(SSLOptions::CERT_EXPIRED), |
| 321 net::GetWebSocketTestDataDirectory()) { | 323 net::GetWebSocketTestDataDirectory()), |
| 324 wss_server_mismatched_(net::SpawnedTestServer::TYPE_WSS, |
| 325 SSLOptions(SSLOptions::CERT_MISMATCHED_NAME), |
| 326 net::GetWebSocketTestDataDirectory()) { |
| 322 https_server_.AddDefaultHandlers(base::FilePath(kDocRoot)); | 327 https_server_.AddDefaultHandlers(base::FilePath(kDocRoot)); |
| 323 | 328 |
| 324 https_server_expired_.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED); | 329 https_server_expired_.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED); |
| 325 https_server_expired_.AddDefaultHandlers(base::FilePath(kDocRoot)); | 330 https_server_expired_.AddDefaultHandlers(base::FilePath(kDocRoot)); |
| 326 | 331 |
| 327 https_server_mismatched_.SetSSLConfig( | 332 https_server_mismatched_.SetSSLConfig( |
| 328 net::EmbeddedTestServer::CERT_MISMATCHED_NAME); | 333 net::EmbeddedTestServer::CERT_MISMATCHED_NAME); |
| 329 https_server_mismatched_.AddDefaultHandlers(base::FilePath(kDocRoot)); | 334 https_server_mismatched_.AddDefaultHandlers(base::FilePath(kDocRoot)); |
| 330 | 335 |
| 331 // Sometimes favicons load before tests check the authentication | 336 // Sometimes favicons load before tests check the authentication |
| (...skipping 293 matching lines...) |
| 625 } else { | 630 } else { |
| 626 base::RunLoop().RunUntilIdle(); | 631 base::RunLoop().RunUntilIdle(); |
| 627 EXPECT_EQ(std::string(), reporter_callback.GetLatestHostnameReported()); | 632 EXPECT_EQ(std::string(), reporter_callback.GetLatestHostnameReported()); |
| 628 } | 633 } |
| 629 } | 634 } |
| 630 | 635 |
| 631 net::EmbeddedTestServer https_server_; | 636 net::EmbeddedTestServer https_server_; |
| 632 net::EmbeddedTestServer https_server_expired_; | 637 net::EmbeddedTestServer https_server_expired_; |
| 633 net::EmbeddedTestServer https_server_mismatched_; | 638 net::EmbeddedTestServer https_server_mismatched_; |
| 634 net::SpawnedTestServer wss_server_expired_; | 639 net::SpawnedTestServer wss_server_expired_; |
| 640 net::SpawnedTestServer wss_server_mismatched_; |
| 635 | 641 |
| 636 protected: | 642 protected: |
| 637 // Navigates to an interstitial and clicks through the certificate | 643 // Navigates to an interstitial and clicks through the certificate |
| 638 // error; then navigates to a page at |path| that loads unsafe content. | 644 // error; then navigates to a page at |path| that loads unsafe content. |
| 639 void SetUpUnsafeContentsWithUserException(const std::string& path) { | 645 void SetUpUnsafeContentsWithUserException(const std::string& path) { |
| 640 ASSERT_TRUE(https_server_.Start()); | 646 ASSERT_TRUE(https_server_.Start()); |
| 641 // Note that it is necessary to user https_server_mismatched_ here over the | 647 // Note that it is necessary to user https_server_mismatched_ here over the |
| 642 // other invalid cert servers. This is because the test relies on the two | 648 // other invalid cert servers. This is because the test relies on the two |
| 643 // servers having different hosts since SSL exceptions are per-host, not per | 649 // servers having different hosts since SSL exceptions are per-host, not per |
| 644 // origin, and https_server_mismatched_ uses 'localhost' rather than | 650 // origin, and https_server_mismatched_ uses 'localhost' rather than |
| (...skipping 38 matching lines...) |
| 683 class SSLUITestIgnoreCertErrors : public SSLUITest { | 689 class SSLUITestIgnoreCertErrors : public SSLUITest { |
| 684 public: | 690 public: |
| 685 SSLUITestIgnoreCertErrors() : SSLUITest() {} | 691 SSLUITestIgnoreCertErrors() : SSLUITest() {} |
| 686 | 692 |
| 687 void SetUpCommandLine(base::CommandLine* command_line) override { | 693 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 688 // Browser will ignore certificate errors. | 694 // Browser will ignore certificate errors. |
| 689 command_line->AppendSwitch(switches::kIgnoreCertificateErrors); | 695 command_line->AppendSwitch(switches::kIgnoreCertificateErrors); |
| 690 } | 696 } |
| 691 }; | 697 }; |
| 692 | 698 |
| 699 static std::string MakeCertSPKIFingerprint(net::X509Certificate* cert) { |
| 700 net::HashValue hash = GetSPKIHash(cert); |
| 701 std::string hash_base64; |
| 702 base::Base64Encode( |
| 703 base::StringPiece(reinterpret_cast<const char*>(hash.data()), |
| 704 hash.size()), |
| 705 &hash_base64); |
| 706 return hash_base64; |
| 707 } |
| 708 |
| 709 class SSLUITestIgnoreCertErrorsBySPKIHTTPS : public SSLUITest { |
| 710 protected: |
| 711 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 712 std::string whitelist_flag = MakeCertSPKIFingerprint( |
| 713 https_server_mismatched_.GetCertificate().get()); |
| 714 // Browser will ignore certificate errors for chains matching one of the |
| 715 // public keys from the list. |
| 716 command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList, |
| 717 whitelist_flag); |
| 718 } |
| 719 }; |
| 720 |
| 721 class SSLUITestIgnoreCertErrorsBySPKIWSS : public SSLUITest { |
| 722 public: |
| 723 SSLUITestIgnoreCertErrorsBySPKIWSS() : SSLUITest() {} |
| 724 |
| 725 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 726 std::string whitelist_flag = |
| 727 MakeCertSPKIFingerprint(wss_server_expired_.GetCertificate().get()); |
| 728 // Browser will ignore certificate errors for chains matching one of the |
| 729 // public keys from the list. |
| 730 command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList, |
| 731 whitelist_flag); |
| 732 } |
| 733 }; |
| 734 |
| 693 class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest { | 735 class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest { |
| 694 public: | 736 public: |
| 695 SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {} | 737 SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {} |
| 696 | 738 |
| 697 void SetUpCommandLine(base::CommandLine* command_line) override { | 739 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 698 // Browser will ignore certificate errors on localhost. | 740 // Browser will ignore certificate errors on localhost. |
| 699 command_line->AppendSwitch(switches::kAllowInsecureLocalhost); | 741 command_line->AppendSwitch(switches::kAllowInsecureLocalhost); |
| 700 } | 742 } |
| 701 }; | 743 }; |
| 702 | 744 |
| (...skipping 1955 matching lines...) |
| 2658 .ReplaceComponents(replacements)); | 2700 .ReplaceComponents(replacements)); |
| 2659 | 2701 |
| 2660 // We shouldn't have an interstitial page showing here. | 2702 // We shouldn't have an interstitial page showing here. |
| 2661 | 2703 |
| 2662 // Test page run a WebSocket wss connection test. The result will be shown | 2704 // Test page run a WebSocket wss connection test. The result will be shown |
| 2663 // as page title. | 2705 // as page title. |
| 2664 const base::string16 result = watcher.WaitAndGetTitle(); | 2706 const base::string16 result = watcher.WaitAndGetTitle(); |
| 2665 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass")); | 2707 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass")); |
| 2666 } | 2708 } |
| 2667 | 2709 |
| 2710 // Visit a page and establish a WebSocket connection over bad https with |
| 2711 // --ignore-certificate-errors-spki-list. The connection should be established |
| 2712 // without interstitial page showing. |
| 2713 #if !defined(OS_CHROMEOS) // Chrome OS does not support the flag. |
| 2714 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIWSS, TestWSSExpired) { |
| 2715 ASSERT_TRUE(wss_server_expired_.Start()); |
| 2716 |
| 2717 // Setup page title observer. |
| 2718 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2719 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS")); |
| 2720 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL")); |
| 2721 |
| 2722 // Visit bad HTTPS page. |
| 2723 GURL::Replacements replacements; |
| 2724 replacements.SetSchemeStr("https"); |
| 2725 ui_test_utils::NavigateToURL(browser(), |
| 2726 wss_server_expired_.GetURL("connect_check.html") |
| 2727 .ReplaceComponents(replacements)); |
| 2728 |
| 2729 // We shouldn't have an interstitial page showing here. |
| 2730 |
| 2731 // Test page run a WebSocket wss connection test. The result will be shown |
| 2732 // as page title. |
| 2733 const base::string16 result = watcher.WaitAndGetTitle(); |
| 2734 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass")); |
| 2735 } |
| 2736 #endif // !defined(OS_CHROMEOS) |
| 2737 |
| 2738 // Test that HTTPS pages with a bad certificate don't show an interstitial if |
| 2739 // the public key matches a value from --ignore-certificate-errors-spki-list. |
| 2740 #if !defined(OS_CHROMEOS) // Chrome OS does not support the flag. |
| 2741 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS, TestHTTPS) { |
| 2742 ASSERT_TRUE(https_server_mismatched_.Start()); |
| 2743 |
| 2744 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2745 |
| 2746 ui_test_utils::NavigateToURL( |
| 2747 browser(), |
| 2748 https_server_mismatched_.GetURL("/ssl/page_with_subresource.html")); |
| 2749 |
| 2750 // We should see no interstitial. The script tag in the page should have |
| 2751 // loaded and ran (and wasn't blocked by the certificate error). |
| 2752 CheckAuthenticatedState(tab, AuthState::NONE); |
| 2753 base::string16 title; |
| 2754 ui_test_utils::GetCurrentTabTitle(browser(), &title); |
| 2755 EXPECT_EQ(title, base::ASCIIToUTF16("This script has loaded")); |
| 2756 } |
| 2757 #endif // !defined(OS_CHROMEOS) |
| 2758 |
| 2759 // Test subresources from an origin with a bad certificate are loaded if the |
| 2760 // public key matches a value from --ignore-certificate-errors-spki-list. |
| 2761 #if !defined(OS_CHROMEOS) // Chrome OS does not support the flag. |
| 2762 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS, |
| 2763 TestInsecureSubresource) { |
| 2764 ASSERT_TRUE(https_server_.Start()); |
| 2765 ASSERT_TRUE(https_server_mismatched_.Start()); |
| 2766 |
| 2767 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 2768 |
| 2769 std::string replacement_path; |
| 2770 GetFilePathWithHostAndPortReplacement( |
| 2771 "/ssl/page_with_unsafe_image.html", |
| 2772 https_server_mismatched_.host_port_pair(), &replacement_path); |
| 2773 ui_test_utils::NavigateToURL(browser(), |
| 2774 https_server_.GetURL(replacement_path)); |
| 2775 |
| 2776 // We should see no interstitial. |
| 2777 CheckAuthenticatedState(tab, AuthState::NONE); |
| 2778 // In order to check that the image was loaded, check its width. |
| 2779 // The actual image (Google logo) is 276 pixels wide. |
| 2780 int img_width = 0; |
| 2781 EXPECT_TRUE(content::ExecuteScriptAndExtractInt( |
| 2782 tab, "window.domAutomationController.send(ImageWidth());", &img_width)); |
| 2783 EXPECT_GT(img_width, 200); |
| 2784 } |
| 2785 #endif // !defined(OS_CHROMEOS) |
| 2786 |
| 2668 // Verifies that the interstitial can proceed, even if JavaScript is disabled. | 2787 // Verifies that the interstitial can proceed, even if JavaScript is disabled. |
| 2669 // http://crbug.com/322948 | 2788 // http://crbug.com/322948 |
| 2670 #if defined(OS_LINUX) | 2789 #if defined(OS_LINUX) |
| 2671 // flaky http://crbug.com/396458 | 2790 // flaky http://crbug.com/396458 |
| 2672 #define MAYBE_TestInterstitialJavaScriptProceeds \ | 2791 #define MAYBE_TestInterstitialJavaScriptProceeds \ |
| 2673 DISABLED_TestInterstitialJavaScriptProceeds | 2792 DISABLED_TestInterstitialJavaScriptProceeds |
| 2674 #else | 2793 #else |
| 2675 #define MAYBE_TestInterstitialJavaScriptProceeds \ | 2794 #define MAYBE_TestInterstitialJavaScriptProceeds \ |
| 2676 TestInterstitialJavaScriptProceeds | 2795 TestInterstitialJavaScriptProceeds |
| 2677 #endif | 2796 #endif |
| (...skipping 1730 matching lines...) |
| 4408 | 4527 |
| 4409 // Visit a page over https that contains a frame with a redirect. | 4528 // Visit a page over https that contains a frame with a redirect. |
| 4410 | 4529 |
| 4411 // XMLHttpRequest insecure content in synchronous mode. | 4530 // XMLHttpRequest insecure content in synchronous mode. |
| 4412 | 4531 |
| 4413 // XMLHttpRequest insecure content in asynchronous mode. | 4532 // XMLHttpRequest insecure content in asynchronous mode. |
| 4414 | 4533 |
| 4415 // XMLHttpRequest over bad ssl in synchronous mode. | 4534 // XMLHttpRequest over bad ssl in synchronous mode. |
| 4416 | 4535 |
| 4417 // XMLHttpRequest over OK ssl in synchronous mode. | 4536 // XMLHttpRequest over OK ssl in synchronous mode. |
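Review bot: The three new `--ignore-certificate-errors-spki-list` tests (TestWSSExpired, TestHTTPS, TestInsecureSubresource) only assert that a listed key suppresses the error; nothing asserts that a bad certificate whose key is not on the list still produces an interstitial, which is the property that keeps this switch from behaving like `--ignore-certificate-errors`. A negative case on the same fixture, sketched below, would pin that down; it assumes the expired and mismatched test certificates carry different public keys and that the file's existing broken-state helper is usable here, so both need confirming. The added `wss_server_mismatched_` member is not referenced by any changed line shown on this page and could either back a WSS negative case or be dropped. `MakeCertSPKIFingerprint` also hands `GetCertificate().get()` to `GetSPKIHash` unchecked, so a certificate that fails to load would reach it as a null pointer during `SetUpCommandLine`; a `CHECK(cert);` at the top of the helper would turn that into a clear failure.

```cpp
// Test that a bad certificate whose public key is NOT on
// --ignore-certificate-errors-spki-list still shows an interstitial.
#if !defined(OS_CHROMEOS)  // Chrome OS does not support the flag.
IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS,
                       TestUnlistedKeyShowsInterstitial) {
  // Only https_server_mismatched_'s key is on the list for this fixture.
  ASSERT_TRUE(https_server_expired_.Start());

  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
  ui_test_utils::NavigateToURL(
      browser(),
      https_server_expired_.GetURL("/ssl/page_with_subresource.html"));

  CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
                                 AuthState::SHOWING_INTERSTITIAL);
}
#endif  // !defined(OS_CHROMEOS)
```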