search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ExtensionSyncService: listen for relevant changes instead of being explicitly called...
[chromium-blink-merge.git] / chrome / browser / ssl / ssl_browser_tests.cc
blob5a39a1fabea959d710e5e5aa0382e6174812e5ef
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/bind.h"
6 #include "base/bind_helpers.h"
7 #include "base/callback.h"
8 #include "base/command_line.h"
9 #include "base/location.h"
10 #include "base/metrics/field_trial.h"
11 #include "base/prefs/pref_service.h"
12 #include "base/single_thread_task_runner.h"
13 #include "base/strings/string_util.h"
14 #include "base/strings/stringprintf.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/test/histogram_tester.h"
17 #include "base/thread_task_runner_handle.h"
18 #include "base/time/time.h"
19 #include "chrome/app/chrome_command_ids.h"
20 #include "chrome/browser/browser_process.h"
21 #include "chrome/browser/chrome_notification_types.h"
22 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
23 #include "chrome/browser/net/certificate_error_reporter.h"
24 #include "chrome/browser/profiles/profile.h"
25 #include "chrome/browser/ssl/cert_logger.pb.h"
26 #include "chrome/browser/ssl/cert_report_helper.h"
27 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
28 #include "chrome/browser/ssl/certificate_error_report.h"
29 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
30 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
31 #include "chrome/browser/ssl/common_name_mismatch_handler.h"
32 #include "chrome/browser/ssl/ssl_blocking_page.h"
33 #include "chrome/browser/ssl/ssl_error_handler.h"
34 #include "chrome/browser/ui/browser.h"
35 #include "chrome/browser/ui/browser_commands.h"
36 #include "chrome/browser/ui/browser_navigator.h"
37 #include "chrome/browser/ui/browser_tabstrip.h"
38 #include "chrome/browser/ui/tabs/tab_strip_model.h"
39 #include "chrome/common/chrome_paths.h"
40 #include "chrome/common/chrome_switches.h"
41 #include "chrome/common/pref_names.h"
42 #include "chrome/test/base/in_process_browser_test.h"
43 #include "chrome/test/base/ui_test_utils.h"
44 #include "components/content_settings/core/browser/host_content_settings_map.h"
45 #include "components/security_interstitials/core/metrics_helper.h"
46 #include "components/variations/variations_associated_data.h"
47 #include "components/web_modal/web_contents_modal_dialog_manager.h"
48 #include "content/public/browser/browser_context.h"
49 #include "content/public/browser/interstitial_page.h"
50 #include "content/public/browser/navigation_controller.h"
51 #include "content/public/browser/navigation_entry.h"
52 #include "content/public/browser/notification_service.h"
53 #include "content/public/browser/render_frame_host.h"
54 #include "content/public/browser/render_view_host.h"
55 #include "content/public/browser/render_widget_host_view.h"
56 #include "content/public/browser/web_contents.h"
57 #include "content/public/browser/web_contents_observer.h"
58 #include "content/public/common/security_style.h"
59 #include "content/public/common/ssl_status.h"
60 #include "content/public/test/browser_test_utils.h"
61 #include "content/public/test/download_test_observer.h"
62 #include "content/public/test/test_navigation_observer.h"
63 #include "content/public/test/test_renderer_host.h"
64 #include "net/base/host_port_pair.h"
65 #include "net/base/net_errors.h"
66 #include "net/base/test_data_directory.h"
67 #include "net/cert/cert_status_flags.h"
68 #include "net/cert/mock_cert_verifier.h"
69 #include "net/cert/x509_certificate.h"
70 #include "net/dns/mock_host_resolver.h"
71 #include "net/ssl/ssl_info.h"
72 #include "net/test/cert_test_util.h"
73 #include "net/test/spawned_test_server/spawned_test_server.h"
74 #include "net/test/test_certificate_data.h"
75 #include "net/url_request/url_request_context.h"
76
77 #if defined(USE_NSS_CERTS)
78 #include "chrome/browser/net/nss_context.h"
79 #include "net/base/crypto_module.h"
80 #include "net/cert/nss_cert_database.h"
81 #endif // defined(USE_NSS_CERTS)
82
83 using base::ASCIIToUTF16;
84 using chrome_browser_interstitials::SecurityInterstitialIDNTest;
85 using chrome_browser_net::CertificateErrorReporter;
86 using content::InterstitialPage;
87 using content::NavigationController;
88 using content::NavigationEntry;
89 using content::SSLStatus;
90 using content::WebContents;
91 using web_modal::WebContentsModalDialogManager;
92
93 const base::FilePath::CharType kDocRoot[] =
94 FILE_PATH_LITERAL("chrome/test/data");
95
96 namespace {
97
98 enum ProceedDecision {
99 SSL_INTERSTITIAL_PROCEED,
100 SSL_INTERSTITIAL_DO_NOT_PROCEED
101 };
102
103 class ProvisionalLoadWaiter : public content::WebContentsObserver {
104 public:
105 explicit ProvisionalLoadWaiter(WebContents* tab)
106 : WebContentsObserver(tab), waiting_(false), seen_(false) {}
107
108 void Wait() {
109 if (seen_)
110 return;
111
112 waiting_ = true;
113 content::RunMessageLoop();
114 }
115
116 void DidFailProvisionalLoad(
117 content::RenderFrameHost* render_frame_host,
118 const GURL& validated_url,
119 int error_code,
120 const base::string16& error_description,
121 bool was_ignored_by_handler) override {
122 seen_ = true;
123 if (waiting_)
124 base::MessageLoopForUI::current()->Quit();
125 }
126
127 private:
128 bool waiting_;
129 bool seen_;
130 };
131
132 namespace AuthState {
133
134 enum AuthStateFlags {
135 NONE = 0,
136 DISPLAYED_INSECURE_CONTENT = 1 << 0,
137 RAN_INSECURE_CONTENT = 1 << 1,
138 SHOWING_INTERSTITIAL = 1 << 2,
139 SHOWING_ERROR = 1 << 3
140 };
141
142 void Check(const NavigationEntry& entry, int expected_authentication_state) {
143 if (expected_authentication_state == AuthState::SHOWING_ERROR) {
144 EXPECT_EQ(content::PAGE_TYPE_ERROR, entry.GetPageType());
145 } else {
146 EXPECT_EQ(
147 !!(expected_authentication_state & AuthState::SHOWING_INTERSTITIAL)
148 ? content::PAGE_TYPE_INTERSTITIAL
149 : content::PAGE_TYPE_NORMAL,
150 entry.GetPageType());
151 }
152
153 bool displayed_insecure_content =
154 !!(entry.GetSSL().content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT);
155 EXPECT_EQ(
156 !!(expected_authentication_state & AuthState::DISPLAYED_INSECURE_CONTENT),
157 displayed_insecure_content);
158
159 bool ran_insecure_content =
160 !!(entry.GetSSL().content_status & SSLStatus::RAN_INSECURE_CONTENT);
161 EXPECT_EQ(!!(expected_authentication_state & AuthState::RAN_INSECURE_CONTENT),
162 ran_insecure_content);
163 }
164
165 } // namespace AuthState
166
167 namespace SecurityStyle {
168
169 void Check(const NavigationEntry& entry,
170 content::SecurityStyle expected_security_style) {
171 EXPECT_EQ(expected_security_style, entry.GetSSL().security_style);
172 }
173
174 } // namespace SecurityStyle
175
176 namespace CertError {
177
178 enum CertErrorFlags {
179 NONE = 0
180 };
181
182 void Check(const NavigationEntry& entry, net::CertStatus error) {
183 if (error) {
184 EXPECT_EQ(error, entry.GetSSL().cert_status & error);
185 net::CertStatus extra_cert_errors =
186 error ^ (entry.GetSSL().cert_status & net::CERT_STATUS_ALL_ERRORS);
187 if (extra_cert_errors)
188 LOG(WARNING) << "Got unexpected cert error: " << extra_cert_errors;
189 } else {
190 EXPECT_EQ(0U, entry.GetSSL().cert_status & net::CERT_STATUS_ALL_ERRORS);
191 }
192 }
193
194 } // namespace CertError
195
196 void CheckSecurityState(WebContents* tab,
197 net::CertStatus error,
198 content::SecurityStyle expected_security_style,
199 int expected_authentication_state) {
200 ASSERT_FALSE(tab->IsCrashed());
201 NavigationEntry* entry = tab->GetController().GetActiveEntry();
202 ASSERT_TRUE(entry);
203 CertError::Check(*entry, error);
204 SecurityStyle::Check(*entry, expected_security_style);
205 AuthState::Check(*entry, expected_authentication_state);
206 }
207
208 // This observer waits for the SSLErrorHandler to start an interstitial timer
209 // for the given web contents.
210 class SSLInterstitialTimerObserver {
211 public:
212 explicit SSLInterstitialTimerObserver(content::WebContents* web_contents)
213 : web_contents_(web_contents), message_loop_runner_(new base::RunLoop) {
214 callback_ = base::Bind(&SSLInterstitialTimerObserver::OnTimerStarted,
215 base::Unretained(this));
216 SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(&callback_);
217 }
218
219 ~SSLInterstitialTimerObserver() {
220 SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(nullptr);
221 }
222
223 // Waits until the interstitial delay timer in SSLErrorHandler is started.
224 void WaitForTimerStarted() { message_loop_runner_->Run(); }
225
226 private:
227 void OnTimerStarted(content::WebContents* web_contents) {
228 if (web_contents_ == web_contents)
229 message_loop_runner_->Quit();
230 }
231
232 const content::WebContents* web_contents_;
233 SSLErrorHandler::TimerStartedCallback callback_;
234
235 scoped_ptr<base::RunLoop> message_loop_runner_;
236
237 DISALLOW_COPY_AND_ASSIGN(SSLInterstitialTimerObserver);
238 };
239
240 } // namespace
241
242 class SSLUITest
243 : public certificate_reporting_test_utils::CertificateReportingTest {
244 public:
245 SSLUITest()
246 : https_server_(net::SpawnedTestServer::TYPE_HTTPS,
247 SSLOptions(SSLOptions::CERT_OK),
248 base::FilePath(kDocRoot)),
249 https_server_expired_(net::SpawnedTestServer::TYPE_HTTPS,
250 SSLOptions(SSLOptions::CERT_EXPIRED),
251 base::FilePath(kDocRoot)),
252 https_server_mismatched_(net::SpawnedTestServer::TYPE_HTTPS,
253 SSLOptions(SSLOptions::CERT_MISMATCHED_NAME),
254 base::FilePath(kDocRoot)),
255 wss_server_expired_(net::SpawnedTestServer::TYPE_WSS,
256 SSLOptions(SSLOptions::CERT_EXPIRED),
257 net::GetWebSocketTestDataDirectory()) {}
258
259 void SetUpCommandLine(base::CommandLine* command_line) override {
260 // Browser will both run and display insecure content.
261 command_line->AppendSwitch(switches::kAllowRunningInsecureContent);
262 // Use process-per-site so that navigating to a same-site page in a
263 // new tab will use the same process.
264 command_line->AppendSwitch(switches::kProcessPerSite);
265 }
266
267 void CheckAuthenticatedState(WebContents* tab,
268 int expected_authentication_state) {
269 CheckSecurityState(tab,
270 CertError::NONE,
271 content::SECURITY_STYLE_AUTHENTICATED,
272 expected_authentication_state);
273 }
274
275 void CheckUnauthenticatedState(WebContents* tab,
276 int expected_authentication_state) {
277 CheckSecurityState(tab,
278 CertError::NONE,
279 content::SECURITY_STYLE_UNAUTHENTICATED,
280 expected_authentication_state);
281 }
282
283 void CheckAuthenticationBrokenState(WebContents* tab,
284 net::CertStatus error,
285 int expected_authentication_state) {
286 CheckSecurityState(tab,
287 error,
288 content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
289 expected_authentication_state);
290 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION doesn't lower the security style
291 // to SECURITY_STYLE_AUTHENTICATION_BROKEN.
292 ASSERT_NE(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, error);
293 }
294
295 void CheckWorkerLoadResult(WebContents* tab, bool expected_load) {
296 // Workers are async and we don't have notifications for them passing
297 // messages since they do it between renderer and worker processes.
298 // So have a polling loop, check every 200ms, timeout at 30s.
299 const int kTimeoutMS = 200;
300 base::Time time_to_quit = base::Time::Now() +
301 base::TimeDelta::FromMilliseconds(30000);
302
303 while (base::Time::Now() < time_to_quit) {
304 bool worker_finished = false;
305 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
306 tab,
307 "window.domAutomationController.send(IsWorkerFinished());",
308 &worker_finished));
309
310 if (worker_finished)
311 break;
312
313 // Wait a bit.
314 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
315 FROM_HERE, base::MessageLoop::QuitClosure(),
316 base::TimeDelta::FromMilliseconds(kTimeoutMS));
317 content::RunMessageLoop();
318 }
319
320 bool actually_loaded_content = false;
321 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
322 tab,
323 "window.domAutomationController.send(IsContentLoaded());",
324 &actually_loaded_content));
325 EXPECT_EQ(expected_load, actually_loaded_content);
326 }
327
328 void ProceedThroughInterstitial(WebContents* tab) {
329 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
330 ASSERT_TRUE(interstitial_page);
331 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
332 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
333 content::WindowedNotificationObserver observer(
334 content::NOTIFICATION_LOAD_STOP,
335 content::Source<NavigationController>(&tab->GetController()));
336 interstitial_page->Proceed();
337 observer.Wait();
338 }
339
340 bool IsShowingWebContentsModalDialog() const {
341 return WebContentsModalDialogManager::FromWebContents(
342 browser()->tab_strip_model()->GetActiveWebContents())->
343 IsDialogActive();
344 }
345
346 static bool GetFilePathWithHostAndPortReplacement(
347 const std::string& original_file_path,
348 const net::HostPortPair& host_port_pair,
349 std::string* replacement_path) {
350 std::vector<net::SpawnedTestServer::StringPair> replacement_text;
351 replacement_text.push_back(
352 make_pair("REPLACE_WITH_HOST_AND_PORT", host_port_pair.ToString()));
353 return net::SpawnedTestServer::GetFilePathWithReplacements(
354 original_file_path, replacement_text, replacement_path);
355 }
356
357 static bool GetTopFramePath(const net::SpawnedTestServer& http_server,
358 const net::SpawnedTestServer& good_https_server,
359 const net::SpawnedTestServer& bad_https_server,
360 std::string* top_frame_path) {
361 // The "frame_left.html" page contained in the top_frame.html page contains
362 // <a href>'s to three different servers. This sets up all of the
363 // replacement text to work with test servers which listen on ephemeral
364 // ports.
365 GURL http_url = http_server.GetURL("files/ssl/google.html");
366 GURL good_https_url = good_https_server.GetURL("files/ssl/google.html");
367 GURL bad_https_url = bad_https_server.GetURL(
368 "files/ssl/bad_iframe.html");
369
370 std::vector<net::SpawnedTestServer::StringPair> replacement_text_frame_left;
371 replacement_text_frame_left.push_back(
372 make_pair("REPLACE_WITH_HTTP_PAGE", http_url.spec()));
373 replacement_text_frame_left.push_back(
374 make_pair("REPLACE_WITH_GOOD_HTTPS_PAGE", good_https_url.spec()));
375 replacement_text_frame_left.push_back(
376 make_pair("REPLACE_WITH_BAD_HTTPS_PAGE", bad_https_url.spec()));
377 std::string frame_left_path;
378 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
379 "frame_left.html",
380 replacement_text_frame_left,
381 &frame_left_path))
382 return false;
383
384 // Substitute the generated frame_left URL into the top_frame page.
385 std::vector<net::SpawnedTestServer::StringPair> replacement_text_top_frame;
386 replacement_text_top_frame.push_back(
387 make_pair("REPLACE_WITH_FRAME_LEFT_PATH", frame_left_path));
388 return net::SpawnedTestServer::GetFilePathWithReplacements(
389 "files/ssl/top_frame.html",
390 replacement_text_top_frame,
391 top_frame_path);
392 }
393
394 static bool GetPageWithUnsafeWorkerPath(
395 const net::SpawnedTestServer& https_server,
396 std::string* page_with_unsafe_worker_path) {
397 // Get the "imported.js" URL from the expired https server and
398 // substitute it into the unsafe_worker.js file.
399 GURL imported_js_url = https_server.GetURL("files/ssl/imported.js");
400 std::vector<net::SpawnedTestServer::StringPair>
401 replacement_text_for_unsafe_worker;
402 replacement_text_for_unsafe_worker.push_back(
403 make_pair("REPLACE_WITH_IMPORTED_JS_URL", imported_js_url.spec()));
404 std::string unsafe_worker_path;
405 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
406 "unsafe_worker.js",
407 replacement_text_for_unsafe_worker,
408 &unsafe_worker_path))
409 return false;
410
411 // Now, substitute this into the page with unsafe worker.
412 std::vector<net::SpawnedTestServer::StringPair>
413 replacement_text_for_page_with_unsafe_worker;
414 replacement_text_for_page_with_unsafe_worker.push_back(
415 make_pair("REPLACE_WITH_UNSAFE_WORKER_PATH", unsafe_worker_path));
416 return net::SpawnedTestServer::GetFilePathWithReplacements(
417 "files/ssl/page_with_unsafe_worker.html",
418 replacement_text_for_page_with_unsafe_worker,
419 page_with_unsafe_worker_path);
420 }
421
422 // Helper function for testing invalid certificate chain reporting.
423 void TestBrokenHTTPSReporting(
424 certificate_reporting_test_utils::OptIn opt_in,
425 ProceedDecision proceed,
426 certificate_reporting_test_utils::ExpectReport expect_report,
427 Browser* browser) {
428 base::RunLoop run_loop;
429 ASSERT_TRUE(https_server_expired_.Start());
430
431 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
432
433 // Opt in to sending reports for invalid certificate chains.
434 certificate_reporting_test_utils::SetCertReportingOptIn(browser, opt_in);
435
436 ui_test_utils::NavigateToURL(browser, https_server_expired_.GetURL("/"));
437
438 WebContents* tab = browser->tab_strip_model()->GetActiveWebContents();
439 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
440 AuthState::SHOWING_INTERSTITIAL);
441
442 scoped_ptr<SSLCertReporter> ssl_cert_reporter =
443 certificate_reporting_test_utils::SetUpMockSSLCertReporter(
444 &run_loop, expect_report);
445
446 SSLBlockingPage* interstitial_page = static_cast<SSLBlockingPage*>(
447 tab->GetInterstitialPage()->GetDelegateForTesting());
448 interstitial_page->SetSSLCertReporterForTesting(ssl_cert_reporter.Pass());
449
450 EXPECT_EQ(std::string(), GetLatestHostnameReported());
451
452 // Leave the interstitial (either by proceeding or going back)
453 if (proceed == SSL_INTERSTITIAL_PROCEED) {
454 ProceedThroughInterstitial(tab);
455 } else {
456 // Click "Take me back"
457 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
458 ASSERT_TRUE(interstitial_page);
459 interstitial_page->DontProceed();
460 }
461
462 if (expect_report ==
463 certificate_reporting_test_utils::CERT_REPORT_EXPECTED) {
464 // Check that the mock reporter received a request to send a report.
465 run_loop.Run();
466 EXPECT_EQ(https_server_expired_.GetURL("/").host(),
467 GetLatestHostnameReported());
468 } else {
469 EXPECT_EQ(std::string(), GetLatestHostnameReported());
470 }
471 }
472
473 net::SpawnedTestServer https_server_;
474 net::SpawnedTestServer https_server_expired_;
475 net::SpawnedTestServer https_server_mismatched_;
476 net::SpawnedTestServer wss_server_expired_;
477
478 private:
479 typedef net::SpawnedTestServer::SSLOptions SSLOptions;
480
481 DISALLOW_COPY_AND_ASSIGN(SSLUITest);
482 };
483
484 class SSLUITestBlock : public SSLUITest {
485 public:
486 SSLUITestBlock() : SSLUITest() {}
487
488 // Browser will neither run nor display insecure content.
489 void SetUpCommandLine(base::CommandLine* command_line) override {
490 command_line->AppendSwitch(switches::kNoDisplayingInsecureContent);
491 }
492 };
493
494 class SSLUITestIgnoreCertErrors : public SSLUITest {
495 public:
496 SSLUITestIgnoreCertErrors() : SSLUITest() {}
497
498 void SetUpCommandLine(base::CommandLine* command_line) override {
499 // Browser will ignore certificate errors.
500 command_line->AppendSwitch(switches::kIgnoreCertificateErrors);
501 }
502 };
503
504 class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest {
505 public:
506 SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {}
507
508 void SetUpCommandLine(base::CommandLine* command_line) override {
509 // Browser will ignore certificate errors on localhost.
510 command_line->AppendSwitch(switches::kAllowInsecureLocalhost);
511 }
512 };
513
514 class SSLUITestWithExtendedReporting : public SSLUITest {
515 public:
516 SSLUITestWithExtendedReporting() : SSLUITest() {}
517 };
518
519 // Visits a regular page over http.
520 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTP) {
521 ASSERT_TRUE(test_server()->Start());
522
523 ui_test_utils::NavigateToURL(browser(),
524 test_server()->GetURL("files/ssl/google.html"));
525
526 CheckUnauthenticatedState(
527 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
528 }
529
530 // Visits a page over http which includes broken https resources (status should
531 // be OK).
532 // TODO(jcampan): test that bad HTTPS content is blocked (otherwise we'll give
533 // the secure cookies away!).
534 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPWithBrokenHTTPSResource) {
535 ASSERT_TRUE(test_server()->Start());
536 ASSERT_TRUE(https_server_expired_.Start());
537
538 std::string replacement_path;
539 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
540 "files/ssl/page_with_unsafe_contents.html",
541 https_server_expired_.host_port_pair(),
542 &replacement_path));
543
544 ui_test_utils::NavigateToURL(
545 browser(), test_server()->GetURL(replacement_path));
546
547 CheckUnauthenticatedState(
548 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
549 }
550
551 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSWithInsecureContent) {
552 ASSERT_TRUE(test_server()->Start());
553 ASSERT_TRUE(https_server_expired_.Start());
554
555 std::string replacement_path;
556 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
557 "files/ssl/page_displays_insecure_content.html",
558 test_server()->host_port_pair(),
559 &replacement_path));
560
561 ui_test_utils::NavigateToURL(browser(),
562 https_server_expired_.GetURL(replacement_path));
563
564 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
565 CheckAuthenticationBrokenState(
566 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
567
568 ProceedThroughInterstitial(tab);
569
570 CheckAuthenticationBrokenState(tab,
571 net::CERT_STATUS_DATE_INVALID,
572 AuthState::DISPLAYED_INSECURE_CONTENT);
573 }
574
575 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSMetricsReporting_Proceed) {
576 ASSERT_TRUE(https_server_expired_.Start());
577 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
578 base::HistogramTester histograms;
579 const std::string decision_histogram =
580 "interstitial.ssl_overridable.decision";
581 const std::string interaction_histogram =
582 "interstitial.ssl_overridable.interaction";
583
584 // Histograms should start off empty.
585 histograms.ExpectTotalCount(decision_histogram, 0);
586 histograms.ExpectTotalCount(interaction_histogram, 0);
587
588 // After navigating to the page, the totals should be set.
589 ui_test_utils::NavigateToURL(browser(), https_server_expired_.GetURL("/"));
590 content::WaitForInterstitialAttach(
591 browser()->tab_strip_model()->GetActiveWebContents());
592 histograms.ExpectTotalCount(decision_histogram, 1);
593 histograms.ExpectBucketCount(decision_histogram,
594 security_interstitials::MetricsHelper::SHOW, 1);
595 histograms.ExpectTotalCount(interaction_histogram, 1);
596 histograms.ExpectBucketCount(
597 interaction_histogram,
598 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
599
600 // Decision should be recorded.
601 ProceedThroughInterstitial(
602 browser()->tab_strip_model()->GetActiveWebContents());
603 histograms.ExpectTotalCount(decision_histogram, 2);
604 histograms.ExpectBucketCount(
605 decision_histogram, security_interstitials::MetricsHelper::PROCEED, 1);
606 histograms.ExpectTotalCount(interaction_histogram, 1);
607 histograms.ExpectBucketCount(
608 interaction_histogram,
609 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
610 }
611
612 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSMetricsReporting_DontProceed) {
613 ASSERT_TRUE(https_server_expired_.Start());
614 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
615 base::HistogramTester histograms;
616 const std::string decision_histogram =
617 "interstitial.ssl_overridable.decision";
618 const std::string interaction_histogram =
619 "interstitial.ssl_overridable.interaction";
620
621 // Histograms should start off empty.
622 histograms.ExpectTotalCount(decision_histogram, 0);
623 histograms.ExpectTotalCount(interaction_histogram, 0);
624
625 // After navigating to the page, the totals should be set.
626 ui_test_utils::NavigateToURL(browser(), https_server_expired_.GetURL("/"));
627 content::WaitForInterstitialAttach(
628 browser()->tab_strip_model()->GetActiveWebContents());
629 histograms.ExpectTotalCount(decision_histogram, 1);
630 histograms.ExpectBucketCount(decision_histogram,
631 security_interstitials::MetricsHelper::SHOW, 1);
632 histograms.ExpectTotalCount(interaction_histogram, 1);
633 histograms.ExpectBucketCount(
634 interaction_histogram,
635 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
636
637 // Decision should be recorded.
638 InterstitialPage* interstitial_page = browser()
639 ->tab_strip_model()
640 ->GetActiveWebContents()
641 ->GetInterstitialPage();
642 interstitial_page->DontProceed();
643 histograms.ExpectTotalCount(decision_histogram, 2);
644 histograms.ExpectBucketCount(
645 decision_histogram, security_interstitials::MetricsHelper::DONT_PROCEED,
646 1);
647 histograms.ExpectTotalCount(interaction_histogram, 1);
648 histograms.ExpectBucketCount(
649 interaction_histogram,
650 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
651 }
652
653 // http://crbug.com/91745
654 #if defined(OS_CHROMEOS)
655 #define MAYBE_TestOKHTTPS DISABLED_TestOKHTTPS
656 #else
657 #define MAYBE_TestOKHTTPS TestOKHTTPS
658 #endif
659
660 // Visits a page over OK https:
661 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestOKHTTPS) {
662 ASSERT_TRUE(https_server_.Start());
663
664 ui_test_utils::NavigateToURL(browser(),
665 https_server_.GetURL("files/ssl/google.html"));
666
667 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
668 AuthState::NONE);
669 }
670
671 // Visits a page with https error and proceed:
672 #if defined(OS_LINUX)
673 // flaky http://crbug.com/396462
674 #define MAYBE_TestHTTPSExpiredCertAndProceed \
675 DISABLED_TestHTTPSExpiredCertAndProceed
676 #else
677 #define MAYBE_TestHTTPSExpiredCertAndProceed TestHTTPSExpiredCertAndProceed
678 #endif
679 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSExpiredCertAndProceed) {
680 ASSERT_TRUE(https_server_expired_.Start());
681
682 ui_test_utils::NavigateToURL(browser(),
683 https_server_expired_.GetURL("files/ssl/google.html"));
684
685 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
686 CheckAuthenticationBrokenState(
687 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
688
689 ProceedThroughInterstitial(tab);
690
691 CheckAuthenticationBrokenState(
692 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
693 }
694
695 #ifndef NEDBUG
696 // Flaky on Windows debug (http://crbug.com/280537).
697 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
698 DISABLED_TestHTTPSExpiredCertAndDontProceed
699 #else
700 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
701 TestHTTPSExpiredCertAndDontProceed
702 #endif
703
704 // Visits a page with https error and don't proceed (and ensure we can still
705 // navigate at that point):
706 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSExpiredCertAndDontProceed) {
707 ASSERT_TRUE(test_server()->Start());
708 ASSERT_TRUE(https_server_.Start());
709 ASSERT_TRUE(https_server_expired_.Start());
710
711 // First navigate to an OK page.
712 ui_test_utils::NavigateToURL(browser(),
713 https_server_.GetURL("files/ssl/google.html"));
714
715 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
716 NavigationEntry* entry = tab->GetController().GetActiveEntry();
717 ASSERT_TRUE(entry);
718
719 GURL cross_site_url =
720 https_server_expired_.GetURL("files/ssl/google.html");
721 // Change the host name from 127.0.0.1 to localhost so it triggers a
722 // cross-site navigation so we can test http://crbug.com/5800 is gone.
723 ASSERT_EQ("127.0.0.1", cross_site_url.host());
724 GURL::Replacements replacements;
725 replacements.SetHostStr("localhost");
726 cross_site_url = cross_site_url.ReplaceComponents(replacements);
727
728 // Now go to a bad HTTPS page.
729 ui_test_utils::NavigateToURL(browser(), cross_site_url);
730
731 // An interstitial should be showing.
732 CheckAuthenticationBrokenState(tab,
733 net::CERT_STATUS_COMMON_NAME_INVALID,
734 AuthState::SHOWING_INTERSTITIAL);
735
736 // Simulate user clicking "Take me back".
737 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
738 ASSERT_TRUE(interstitial_page);
739 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
740 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
741 interstitial_page->DontProceed();
742
743 // We should be back to the original good page.
744 CheckAuthenticatedState(tab, AuthState::NONE);
745
746 // Try to navigate to a new page. (to make sure bug 5800 is fixed).
747 ui_test_utils::NavigateToURL(browser(),
748 test_server()->GetURL("files/ssl/google.html"));
749 CheckUnauthenticatedState(tab, AuthState::NONE);
750 }
751
752 // Test that localhost pages don't show an interstitial.
753 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreLocalhostCertErrors,
754 TestNoInterstitialOnLocalhost) {
755 ASSERT_TRUE(https_server_.Start());
756
757 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
758
759 // Navigate to a localhost page.
760 GURL url = https_server_.GetURL("files/ssl/page_with_subresource.html");
761 GURL::Replacements replacements;
762 std::string new_host("localhost");
763 replacements.SetHostStr(new_host);
764 url = url.ReplaceComponents(replacements);
765
766 ui_test_utils::NavigateToURL(browser(), url);
767
768 // We should see no interstitial, but we should have an error
769 // (red-crossed-out-https) in the URL bar.
770 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
771 AuthState::NONE);
772
773 // We should see that the script tag in the page loaded and ran (and
774 // wasn't blocked by the certificate error).
775 base::string16 title;
776 base::string16 expected_title = base::ASCIIToUTF16("This script has loaded");
777 ui_test_utils::GetCurrentTabTitle(browser(), &title);
778 EXPECT_EQ(title, expected_title);
779 }
780
781 // Visits a page with https error and then goes back using Browser::GoBack.
782 IN_PROC_BROWSER_TEST_F(SSLUITest,
783 TestHTTPSExpiredCertAndGoBackViaButton) {
784 ASSERT_TRUE(test_server()->Start());
785 ASSERT_TRUE(https_server_expired_.Start());
786
787 // First navigate to an HTTP page.
788 ui_test_utils::NavigateToURL(browser(),
789 test_server()->GetURL("files/ssl/google.html"));
790 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
791 NavigationEntry* entry = tab->GetController().GetActiveEntry();
792 ASSERT_TRUE(entry);
793
794 // Now go to a bad HTTPS page that shows an interstitial.
795 ui_test_utils::NavigateToURL(browser(),
796 https_server_expired_.GetURL("files/ssl/google.html"));
797 CheckAuthenticationBrokenState(
798 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
799
800 ProvisionalLoadWaiter load_failed_observer(tab);
801
802 // Simulate user clicking on back button (crbug.com/39248).
803 chrome::GoBack(browser(), CURRENT_TAB);
804
805 // Wait until we hear the load failure, and make sure we haven't swapped out
806 // the previous page. Prevents regression of http://crbug.com/82667.
807 // TODO(creis/nick): Move the swapped-out part of this test into content
808 // and remove IsRenderViewHostSwappedOut from the public API.
809 load_failed_observer.Wait();
810 EXPECT_FALSE(content::RenderFrameHostTester::IsRenderFrameHostSwappedOut(
811 tab->GetMainFrame()));
812
813 // We should be back at the original good page.
814 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
815 GetInterstitialPage());
816 CheckUnauthenticatedState(tab, AuthState::NONE);
817 }
818
819 // Visits a page with https error and then goes back using GoToOffset.
820 // Disabled because its flaky: http://crbug.com/40932, http://crbug.com/43575.
821 IN_PROC_BROWSER_TEST_F(SSLUITest,
822 TestHTTPSExpiredCertAndGoBackViaMenu) {
823 ASSERT_TRUE(test_server()->Start());
824 ASSERT_TRUE(https_server_expired_.Start());
825
826 // First navigate to an HTTP page.
827 ui_test_utils::NavigateToURL(browser(),
828 test_server()->GetURL("files/ssl/google.html"));
829 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
830 NavigationEntry* entry = tab->GetController().GetActiveEntry();
831 ASSERT_TRUE(entry);
832
833 // Now go to a bad HTTPS page that shows an interstitial.
834 ui_test_utils::NavigateToURL(browser(),
835 https_server_expired_.GetURL("files/ssl/google.html"));
836 CheckAuthenticationBrokenState(
837 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
838
839 // Simulate user clicking and holding on back button (crbug.com/37215).
840 tab->GetController().GoToOffset(-1);
841
842 // We should be back at the original good page.
843 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
844 GetInterstitialPage());
845 CheckUnauthenticatedState(tab, AuthState::NONE);
846 }
847
848 // Visits a page with https error and then goes forward using GoToOffset.
849 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPSExpiredCertAndGoForward) {
850 ASSERT_TRUE(test_server()->Start());
851 ASSERT_TRUE(https_server_expired_.Start());
852
853 // First navigate to two HTTP pages.
854 ui_test_utils::NavigateToURL(browser(),
855 test_server()->GetURL("files/ssl/google.html"));
856 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
857 NavigationEntry* entry1 = tab->GetController().GetActiveEntry();
858 ASSERT_TRUE(entry1);
859 ui_test_utils::NavigateToURL(browser(),
860 test_server()->GetURL("files/ssl/blank_page.html"));
861 NavigationEntry* entry2 = tab->GetController().GetActiveEntry();
862 ASSERT_TRUE(entry2);
863
864 // Now go back so that a page is in the forward history.
865 {
866 content::WindowedNotificationObserver observer(
867 content::NOTIFICATION_LOAD_STOP,
868 content::Source<NavigationController>(&tab->GetController()));
869 tab->GetController().GoBack();
870 observer.Wait();
871 }
872 ASSERT_TRUE(tab->GetController().CanGoForward());
873 NavigationEntry* entry3 = tab->GetController().GetActiveEntry();
874 ASSERT_TRUE(entry1 == entry3);
875
876 // Now go to a bad HTTPS page that shows an interstitial.
877 ui_test_utils::NavigateToURL(browser(),
878 https_server_expired_.GetURL("files/ssl/google.html"));
879 CheckAuthenticationBrokenState(
880 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
881
882 // Simulate user clicking and holding on forward button.
883 {
884 content::WindowedNotificationObserver observer(
885 content::NOTIFICATION_LOAD_STOP,
886 content::Source<NavigationController>(&tab->GetController()));
887 tab->GetController().GoToOffset(1);
888 observer.Wait();
889 }
890
891 // We should be showing the second good page.
892 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
893 GetInterstitialPage());
894 CheckUnauthenticatedState(tab, AuthState::NONE);
895 EXPECT_FALSE(tab->GetController().CanGoForward());
896 NavigationEntry* entry4 = tab->GetController().GetActiveEntry();
897 EXPECT_TRUE(entry2 == entry4);
898 }
899
900 // Visit a HTTP page which request WSS connection to a server providing invalid
901 // certificate. Close the page while WSS connection waits for SSLManager's
902 // response from UI thread.
903 // Disabled on Windows because it was flaking on XP Tests (1). crbug.com/165258
904 #if defined(OS_WIN)
905 #define MAYBE_TestWSSInvalidCertAndClose DISABLED_TestWSSInvalidCertAndClose
906 #else
907 #define MAYBE_TestWSSInvalidCertAndClose TestWSSInvalidCertAndClose
908 #endif
909 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestWSSInvalidCertAndClose) {
910 ASSERT_TRUE(test_server()->Start());
911 ASSERT_TRUE(wss_server_expired_.Start());
912
913 // Setup page title observer.
914 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
915 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
916 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
917
918 // Create GURLs to test pages.
919 std::string master_url_path = base::StringPrintf("%s?%d",
920 test_server()->GetURL("files/ssl/wss_close.html").spec().c_str(),
921 wss_server_expired_.host_port_pair().port());
922 GURL master_url(master_url_path);
923 std::string slave_url_path = base::StringPrintf("%s?%d",
924 test_server()->GetURL("files/ssl/wss_close_slave.html").spec().c_str(),
925 wss_server_expired_.host_port_pair().port());
926 GURL slave_url(slave_url_path);
927
928 // Create tabs and visit pages which keep on creating wss connections.
929 WebContents* tabs[16];
930 for (int i = 0; i < 16; ++i) {
931 tabs[i] = chrome::AddSelectedTabWithURL(browser(), slave_url,
932 ui::PAGE_TRANSITION_LINK);
933 }
934 chrome::SelectNextTab(browser());
935
936 // Visit a page which waits for one TLS handshake failure.
937 // The title will be changed to 'PASS'.
938 ui_test_utils::NavigateToURL(browser(), master_url);
939 const base::string16 result = watcher.WaitAndGetTitle();
940 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
941
942 // Close tabs which contains the test page.
943 for (int i = 0; i < 16; ++i)
944 chrome::CloseWebContents(browser(), tabs[i], false);
945 chrome::CloseWebContents(browser(), tab, false);
946 }
947
948 // Visit a HTTPS page and proceeds despite an invalid certificate. The page
949 // requests WSS connection to the same origin host to check if WSS connection
950 // share certificates policy with HTTPS correcly.
951 IN_PROC_BROWSER_TEST_F(SSLUITest, TestWSSInvalidCertAndGoForward) {
952 ASSERT_TRUE(test_server()->Start());
953 ASSERT_TRUE(wss_server_expired_.Start());
954
955 // Setup page title observer.
956 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
957 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
958 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
959
960 // Visit bad HTTPS page.
961 GURL::Replacements replacements;
962 replacements.SetSchemeStr("https");
963 ui_test_utils::NavigateToURL(
964 browser(),
965 wss_server_expired_.GetURL(
966 "connect_check.html").ReplaceComponents(replacements));
967 CheckAuthenticationBrokenState(
968 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
969
970 // Proceed anyway.
971 ProceedThroughInterstitial(tab);
972
973 // Test page run a WebSocket wss connection test. The result will be shown
974 // as page title.
975 const base::string16 result = watcher.WaitAndGetTitle();
976 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
977 }
978
979 #if defined(USE_NSS_CERTS)
980 class SSLUITestWithClientCert : public SSLUITest {
981 public:
982 SSLUITestWithClientCert() : cert_db_(NULL) {}
983
984 void SetUpOnMainThread() override {
985 SSLUITest::SetUpOnMainThread();
986
987 base::RunLoop loop;
988 GetNSSCertDatabaseForProfile(
989 browser()->profile(),
990 base::Bind(&SSLUITestWithClientCert::DidGetCertDatabase,
991 base::Unretained(this),
992 &loop));
993 loop.Run();
994 }
995
996 protected:
997 void DidGetCertDatabase(base::RunLoop* loop, net::NSSCertDatabase* cert_db) {
998 cert_db_ = cert_db;
999 loop->Quit();
1000 }
1001
1002 net::NSSCertDatabase* cert_db_;
1003 };
1004
1005 // SSL client certificate tests are only enabled when using NSS for private key
1006 // storage, as only NSS can avoid modifying global machine state when testing.
1007 // See http://crbug.com/51132
1008
1009 // Visit a HTTPS page which requires client cert authentication. The client
1010 // cert will be selected automatically, then a test which uses WebSocket runs.
1011 IN_PROC_BROWSER_TEST_F(SSLUITestWithClientCert, TestWSSClientCert) {
1012 // Import a client cert for test.
1013 scoped_refptr<net::CryptoModule> crypt_module = cert_db_->GetPublicModule();
1014 std::string pkcs12_data;
1015 base::FilePath cert_path = net::GetTestCertsDirectory().Append(
1016 FILE_PATH_LITERAL("websocket_client_cert.p12"));
1017 EXPECT_TRUE(base::ReadFileToString(cert_path, &pkcs12_data));
1018 EXPECT_EQ(net::OK,
1019 cert_db_->ImportFromPKCS12(
1020 crypt_module.get(), pkcs12_data, base::string16(), true, NULL));
1021
1022 // Start WebSocket test server with TLS and client cert authentication.
1023 net::SpawnedTestServer::SSLOptions options(
1024 net::SpawnedTestServer::SSLOptions::CERT_OK);
1025 options.request_client_certificate = true;
1026 base::FilePath ca_path = net::GetTestCertsDirectory().Append(
1027 FILE_PATH_LITERAL("websocket_cacert.pem"));
1028 options.client_authorities.push_back(ca_path);
1029 net::SpawnedTestServer wss_server(net::SpawnedTestServer::TYPE_WSS,
1030 options,
1031 net::GetWebSocketTestDataDirectory());
1032 ASSERT_TRUE(wss_server.Start());
1033 GURL::Replacements replacements;
1034 replacements.SetSchemeStr("https");
1035 GURL url = wss_server.GetURL("connect_check.html").ReplaceComponents(
1036 replacements);
1037
1038 // Setup page title observer.
1039 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1040 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
1041 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
1042
1043 // Add an entry into AutoSelectCertificateForUrls policy for automatic client
1044 // cert selection.
1045 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
1046 DCHECK(profile);
1047 scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
1048 dict->SetString("ISSUER.CN", "pywebsocket");
1049 profile->GetHostContentSettingsMap()->SetWebsiteSetting(
1050 ContentSettingsPattern::FromURL(url),
1051 ContentSettingsPattern::FromURL(url),
1052 CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE,
1053 std::string(),
1054 dict.release());
1055
1056 // Visit a HTTPS page which requires client certs.
1057 ui_test_utils::NavigateToURL(browser(), url);
1058 CheckAuthenticatedState(tab, AuthState::NONE);
1059
1060 // Test page runs a WebSocket wss connection test. The result will be shown
1061 // as page title.
1062 const base::string16 result = watcher.WaitAndGetTitle();
1063 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
1064 }
1065 #endif // defined(USE_NSS_CERTS)
1066
1067 // Flaky on CrOS http://crbug.com/92292
1068 #if defined(OS_CHROMEOS)
1069 #define MAYBE_TestHTTPSErrorWithNoNavEntry \
1070 DISABLED_TestHTTPSErrorWithNoNavEntry
1071 #else
1072 #define MAYBE_TestHTTPSErrorWithNoNavEntry TestHTTPSErrorWithNoNavEntry
1073 #endif // defined(OS_CHROMEOS)
1074
1075 // Open a page with a HTTPS error in a tab with no prior navigation (through a
1076 // link with a blank target). This is to test that the lack of navigation entry
1077 // does not cause any problems (it was causing a crasher, see
1078 // http://crbug.com/19941).
1079 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSErrorWithNoNavEntry) {
1080 ASSERT_TRUE(https_server_expired_.Start());
1081
1082 GURL url = https_server_expired_.GetURL("files/ssl/google.htm");
1083 WebContents* tab2 = chrome::AddSelectedTabWithURL(
1084 browser(), url, ui::PAGE_TRANSITION_TYPED);
1085 content::WaitForLoadStop(tab2);
1086
1087 // Verify our assumption that there was no prior navigation.
1088 EXPECT_FALSE(chrome::CanGoBack(browser()));
1089
1090 // We should have an interstitial page showing.
1091 ASSERT_TRUE(tab2->GetInterstitialPage());
1092 ASSERT_EQ(SSLBlockingPage::kTypeForTesting, tab2->GetInterstitialPage()
1093 ->GetDelegateForTesting()
1094 ->GetTypeForTesting());
1095 }
1096
1097 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadHTTPSDownload) {
1098 ASSERT_TRUE(test_server()->Start());
1099 ASSERT_TRUE(https_server_expired_.Start());
1100 GURL url_non_dangerous = test_server()->GetURL(std::string());
1101 GURL url_dangerous =
1102 https_server_expired_.GetURL("files/downloads/dangerous/dangerous.exe");
1103 base::ScopedTempDir downloads_directory_;
1104
1105 // Need empty temp dir to avoid having Chrome ask us for a new filename
1106 // when we've downloaded dangerous.exe one hundred times.
1107 ASSERT_TRUE(downloads_directory_.CreateUniqueTempDir());
1108
1109 browser()->profile()->GetPrefs()->SetFilePath(
1110 prefs::kDownloadDefaultDirectory,
1111 downloads_directory_.path());
1112
1113 // Visit a non-dangerous page.
1114 ui_test_utils::NavigateToURL(browser(), url_non_dangerous);
1115
1116 // Now, start a transition to dangerous download.
1117 {
1118 content::WindowedNotificationObserver observer(
1119 content::NOTIFICATION_LOAD_STOP,
1120 content::NotificationService::AllSources());
1121 chrome::NavigateParams navigate_params(browser(), url_dangerous,
1122 ui::PAGE_TRANSITION_TYPED);
1123 chrome::Navigate(&navigate_params);
1124 observer.Wait();
1125 }
1126
1127 // To exit the browser cleanly (and this test) we need to complete the
1128 // download after completing this test.
1129 content::DownloadTestObserverTerminal dangerous_download_observer(
1130 content::BrowserContext::GetDownloadManager(browser()->profile()),
1131 1,
1132 content::DownloadTestObserver::ON_DANGEROUS_DOWNLOAD_ACCEPT);
1133
1134 // Proceed through the SSL interstitial. This doesn't use
1135 // |ProceedThroughInterstitial| since no page load will commit.
1136 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1137 ASSERT_TRUE(tab != NULL);
1138 ASSERT_TRUE(tab->GetInterstitialPage() != NULL);
1139 ASSERT_EQ(
1140 SSLBlockingPage::kTypeForTesting,
1141 tab->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1142 {
1143 content::WindowedNotificationObserver observer(
1144 chrome::NOTIFICATION_DOWNLOAD_INITIATED,
1145 content::NotificationService::AllSources());
1146 tab->GetInterstitialPage()->Proceed();
1147 observer.Wait();
1148 }
1149
1150 // There should still be an interstitial at this point. Press the
1151 // back button on the browser. Note that this doesn't wait for a
1152 // NAV_ENTRY_COMMITTED notification because going back with an
1153 // active interstitial simply hides the interstitial.
1154 ASSERT_TRUE(tab->GetInterstitialPage() != NULL);
1155 ASSERT_EQ(
1156 SSLBlockingPage::kTypeForTesting,
1157 tab->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1158 EXPECT_TRUE(chrome::CanGoBack(browser()));
1159 chrome::GoBack(browser(), CURRENT_TAB);
1160
1161 dangerous_download_observer.WaitForFinished();
1162 }
1163
1164 //
1165 // Insecure content
1166 //
1167
1168 #if defined(OS_WIN)
1169 // http://crbug.com/152940 Flaky on win.
1170 #define MAYBE_TestDisplaysInsecureContent DISABLED_TestDisplaysInsecureContent
1171 #else
1172 #define MAYBE_TestDisplaysInsecureContent TestDisplaysInsecureContent
1173 #endif
1174
1175 // Visits a page that displays insecure content.
1176 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestDisplaysInsecureContent) {
1177 ASSERT_TRUE(test_server()->Start());
1178 ASSERT_TRUE(https_server_.Start());
1179
1180 std::string replacement_path;
1181 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1182 "files/ssl/page_displays_insecure_content.html",
1183 test_server()->host_port_pair(),
1184 &replacement_path));
1185
1186 // Load a page that displays insecure content.
1187 ui_test_utils::NavigateToURL(browser(),
1188 https_server_.GetURL(replacement_path));
1189
1190 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
1191 AuthState::DISPLAYED_INSECURE_CONTENT);
1192 }
1193
1194 // Test that if the user proceeds and the checkbox is checked, a report
1195 // is sent or not sent depending on the Finch config.
1196 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1197 TestBrokenHTTPSProceedReporting) {
1198 certificate_reporting_test_utils::ExpectReport expect_report =
1199 certificate_reporting_test_utils::GetReportExpectedFromFinch();
1200 TestBrokenHTTPSReporting(
1201 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1202 SSL_INTERSTITIAL_PROCEED, expect_report, browser());
1203 }
1204
1205 // Test that if the user goes back and the checkbox is checked, a report
1206 // is sent or not sent depending on the Finch config.
1207 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1208 TestBrokenHTTPSGoBackReporting) {
1209 certificate_reporting_test_utils::ExpectReport expect_report =
1210 certificate_reporting_test_utils::GetReportExpectedFromFinch();
1211 TestBrokenHTTPSReporting(
1212 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1213 SSL_INTERSTITIAL_DO_NOT_PROCEED, expect_report, browser());
1214 }
1215
1216 // User proceeds, checkbox is shown but unchecked. Reports should never
1217 // be sent, regardless of Finch config.
1218 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1219 TestBrokenHTTPSProceedReportingWithNoOptIn) {
1220 TestBrokenHTTPSReporting(
1221 certificate_reporting_test_utils::EXTENDED_REPORTING_DO_NOT_OPT_IN,
1222 SSL_INTERSTITIAL_PROCEED,
1223 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1224 }
1225
1226 // User goes back, checkbox is shown but unchecked. Reports should never
1227 // be sent, regardless of Finch config.
1228 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1229 TestBrokenHTTPSGoBackShowYesCheckNoParamYesReportNo) {
1230 TestBrokenHTTPSReporting(
1231 certificate_reporting_test_utils::EXTENDED_REPORTING_DO_NOT_OPT_IN,
1232 SSL_INTERSTITIAL_DO_NOT_PROCEED,
1233 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1234 }
1235
1236 // User proceeds, checkbox is not shown but checked -> we expect no
1237 // report.
1238 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1239 TestBrokenHTTPSProceedShowNoCheckYesReportNo) {
1240 if (base::FieldTrialList::FindFullName(
1241 CertReportHelper::kFinchExperimentName) ==
1242 CertReportHelper::kFinchGroupDontShowDontSend) {
1243 TestBrokenHTTPSReporting(
1244 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1245 SSL_INTERSTITIAL_PROCEED,
1246 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1247 }
1248 }
1249
1250 // Browser is incognito, user proceeds, checkbox has previously opted in
1251 // -> no report, regardless of Finch config.
1252 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1253 TestBrokenHTTPSInIncognitoReportNo) {
1254 TestBrokenHTTPSReporting(
1255 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1256 SSL_INTERSTITIAL_PROCEED,
1257 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED,
1258 CreateIncognitoBrowser());
1259 }
1260
1261 // Test that reports don't get sent when extended reporting opt-in is
1262 // disabled by policy.
1263 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1264 TestBrokenHTTPSNoReportingWhenDisallowed) {
1265 browser()->profile()->GetPrefs()->SetBoolean(
1266 prefs::kSafeBrowsingExtendedReportingOptInAllowed, false);
1267 TestBrokenHTTPSReporting(
1268 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1269 SSL_INTERSTITIAL_PROCEED,
1270 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1271 }
1272
1273 // Visits a page that runs insecure content and tries to suppress the insecure
1274 // content warnings by randomizing location.hash.
1275 // Based on http://crbug.com/8706
1276 IN_PROC_BROWSER_TEST_F(SSLUITest,
1277 TestRunsInsecuredContentRandomizeHash) {
1278 ASSERT_TRUE(test_server()->Start());
1279 ASSERT_TRUE(https_server_.Start());
1280
1281 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1282 "files/ssl/page_runs_insecure_content.html"));
1283
1284 CheckAuthenticationBrokenState(
1285 browser()->tab_strip_model()->GetActiveWebContents(),
1286 CertError::NONE,
1287 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1288 }
1289
1290 // Visits a page with unsafe content and make sure that:
1291 // - frames content is replaced with warning
1292 // - images and scripts are filtered out entirely
1293 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContents) {
1294 ASSERT_TRUE(https_server_.Start());
1295 ASSERT_TRUE(https_server_expired_.Start());
1296
1297 std::string replacement_path;
1298 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1299 "files/ssl/page_with_unsafe_contents.html",
1300 https_server_expired_.host_port_pair(),
1301 &replacement_path));
1302 ui_test_utils::NavigateToURL(browser(),
1303 https_server_.GetURL(replacement_path));
1304
1305 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1306 // When the bad content is filtered, the state is expected to be
1307 // authenticated.
1308 CheckAuthenticatedState(tab, AuthState::NONE);
1309
1310 // Because of cross-frame scripting restrictions, we cannot access the iframe
1311 // content. So to know if the frame was loaded, we just check if a popup was
1312 // opened (the iframe content opens one).
1313 // Note: because of bug 1115868, no web contents modal dialog is opened right
1314 // now. Once the bug is fixed, this will do the real check.
1315 EXPECT_FALSE(IsShowingWebContentsModalDialog());
1316
1317 int img_width;
1318 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
1319 tab,
1320 "window.domAutomationController.send(ImageWidth());",
1321 &img_width));
1322 // In order to check that the image was not loaded, we check its width.
1323 // The actual image (Google logo) is 114 pixels wide, we assume the broken
1324 // image is less than 100.
1325 EXPECT_LT(img_width, 100);
1326
1327 bool js_result = false;
1328 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1329 tab,
1330 "window.domAutomationController.send(IsFooSet());",
1331 &js_result));
1332 EXPECT_FALSE(js_result);
1333 }
1334
1335 // Visits a page with insecure content loaded by JS (after the initial page
1336 // load).
1337 #if defined(OS_LINUX)
1338 // flaky http://crbug.com/396462
1339 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1340 DISABLED_TestDisplaysInsecureContentLoadedFromJS
1341 #else
1342 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1343 TestDisplaysInsecureContentLoadedFromJS
1344 #endif
1345 IN_PROC_BROWSER_TEST_F(SSLUITest,
1346 MAYBE_TestDisplaysInsecureContentLoadedFromJS) {
1347 ASSERT_TRUE(test_server()->Start());
1348 ASSERT_TRUE(https_server_.Start());
1349
1350 std::string replacement_path;
1351 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1352 "files/ssl/page_with_dynamic_insecure_content.html",
1353 test_server()->host_port_pair(),
1354 &replacement_path));
1355 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1356 replacement_path));
1357
1358 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1359 CheckAuthenticatedState(tab, AuthState::NONE);
1360
1361 // Load the insecure image.
1362 bool js_result = false;
1363 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1364 tab,
1365 "loadBadImage();",
1366 &js_result));
1367 EXPECT_TRUE(js_result);
1368
1369 // We should now have insecure content.
1370 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT);
1371 }
1372
1373 // Visits two pages from the same origin: one that displays insecure content and
1374 // one that doesn't. The test checks that we do not propagate the insecure
1375 // content state from one to the other.
1376 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysInsecureContentTwoTabs) {
1377 ASSERT_TRUE(test_server()->Start());
1378 ASSERT_TRUE(https_server_.Start());
1379
1380 ui_test_utils::NavigateToURL(browser(),
1381 https_server_.GetURL("files/ssl/blank_page.html"));
1382
1383 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1384
1385 // This tab should be fine.
1386 CheckAuthenticatedState(tab1, AuthState::NONE);
1387
1388 // Create a new tab.
1389 std::string replacement_path;
1390 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1391 "files/ssl/page_displays_insecure_content.html",
1392 test_server()->host_port_pair(),
1393 &replacement_path));
1394
1395 GURL url = https_server_.GetURL(replacement_path);
1396 chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_TYPED);
1397 params.disposition = NEW_FOREGROUND_TAB;
1398 params.tabstrip_index = 0;
1399 params.source_contents = tab1;
1400 content::WindowedNotificationObserver observer(
1401 content::NOTIFICATION_LOAD_STOP,
1402 content::NotificationService::AllSources());
1403 chrome::Navigate(&params);
1404 WebContents* tab2 = params.target_contents;
1405 observer.Wait();
1406
1407 // The new tab has insecure content.
1408 CheckAuthenticatedState(tab2, AuthState::DISPLAYED_INSECURE_CONTENT);
1409
1410 // The original tab should not be contaminated.
1411 CheckAuthenticatedState(tab1, AuthState::NONE);
1412 }
1413
1414 // Visits two pages from the same origin: one that runs insecure content and one
1415 // that doesn't. The test checks that we propagate the insecure content state
1416 // from one to the other.
1417 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRunsInsecureContentTwoTabs) {
1418 ASSERT_TRUE(test_server()->Start());
1419 ASSERT_TRUE(https_server_.Start());
1420
1421 ui_test_utils::NavigateToURL(browser(),
1422 https_server_.GetURL("files/ssl/blank_page.html"));
1423
1424 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1425
1426 // This tab should be fine.
1427 CheckAuthenticatedState(tab1, AuthState::NONE);
1428
1429 std::string replacement_path;
1430 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1431 "files/ssl/page_runs_insecure_content.html",
1432 test_server()->host_port_pair(),
1433 &replacement_path));
1434
1435 // Create a new tab in the same process. Using a NEW_FOREGROUND_TAB
1436 // disposition won't usually stay in the same process, but this works
1437 // because we are using process-per-site in SetUpCommandLine.
1438 GURL url = https_server_.GetURL(replacement_path);
1439 chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_TYPED);
1440 params.disposition = NEW_FOREGROUND_TAB;
1441 params.source_contents = tab1;
1442 content::WindowedNotificationObserver observer(
1443 content::NOTIFICATION_LOAD_STOP,
1444 content::NotificationService::AllSources());
1445 chrome::Navigate(&params);
1446 WebContents* tab2 = params.target_contents;
1447 observer.Wait();
1448
1449 // Both tabs should have the same process.
1450 EXPECT_EQ(tab1->GetRenderProcessHost(), tab2->GetRenderProcessHost());
1451
1452 // The new tab has insecure content.
1453 CheckAuthenticationBrokenState(
1454 tab2,
1455 CertError::NONE,
1456 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1457
1458 // Which means the origin for the first tab has also been contaminated with
1459 // insecure content.
1460 CheckAuthenticationBrokenState(
1461 tab1, CertError::NONE, AuthState::RAN_INSECURE_CONTENT);
1462 }
1463
1464 // Visits a page with an image over http. Visits another page over https
1465 // referencing that same image over http (hoping it is coming from the webcore
1466 // memory cache).
1467 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysCachedInsecureContent) {
1468 ASSERT_TRUE(test_server()->Start());
1469 ASSERT_TRUE(https_server_.Start());
1470
1471 std::string replacement_path;
1472 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1473 "files/ssl/page_displays_insecure_content.html",
1474 test_server()->host_port_pair(),
1475 &replacement_path));
1476
1477 // Load original page over HTTP.
1478 const GURL url_http = test_server()->GetURL(replacement_path);
1479 ui_test_utils::NavigateToURL(browser(), url_http);
1480 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1481 CheckUnauthenticatedState(tab, AuthState::NONE);
1482
1483 // Load again but over SSL. It should be marked as displaying insecure
1484 // content (even though the image comes from the WebCore memory cache).
1485 const GURL url_https = https_server_.GetURL(replacement_path);
1486 ui_test_utils::NavigateToURL(browser(), url_https);
1487 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT);
1488 }
1489
1490 // http://crbug.com/84729
1491 #if defined(OS_CHROMEOS)
1492 #define MAYBE_TestRunsCachedInsecureContent \
1493 DISABLED_TestRunsCachedInsecureContent
1494 #else
1495 #define MAYBE_TestRunsCachedInsecureContent TestRunsCachedInsecureContent
1496 #endif // defined(OS_CHROMEOS)
1497
1498 // Visits a page with script over http. Visits another page over https
1499 // referencing that same script over http (hoping it is coming from the webcore
1500 // memory cache).
1501 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRunsCachedInsecureContent) {
1502 ASSERT_TRUE(test_server()->Start());
1503 ASSERT_TRUE(https_server_.Start());
1504
1505 std::string replacement_path;
1506 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1507 "files/ssl/page_runs_insecure_content.html",
1508 test_server()->host_port_pair(),
1509 &replacement_path));
1510
1511 // Load original page over HTTP.
1512 const GURL url_http = test_server()->GetURL(replacement_path);
1513 ui_test_utils::NavigateToURL(browser(), url_http);
1514 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1515 CheckUnauthenticatedState(tab, AuthState::NONE);
1516
1517 // Load again but over SSL. It should be marked as displaying insecure
1518 // content (even though the image comes from the WebCore memory cache).
1519 const GURL url_https = https_server_.GetURL(replacement_path);
1520 ui_test_utils::NavigateToURL(browser(), url_https);
1521 CheckAuthenticationBrokenState(
1522 tab,
1523 CertError::NONE,
1524 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1525 }
1526
1527 // This test ensures the CN invalid status does not 'stick' to a certificate
1528 // (see bug #1044942) and that it depends on the host-name.
1529 // Test if disabled due to flakiness http://crbug.com/368280 .
1530 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCNInvalidStickiness) {
1531 ASSERT_TRUE(https_server_.Start());
1532 ASSERT_TRUE(https_server_mismatched_.Start());
1533
1534 // First we hit the server with hostname, this generates an invalid policy
1535 // error.
1536 ui_test_utils::NavigateToURL(browser(),
1537 https_server_mismatched_.GetURL("files/ssl/google.html"));
1538
1539 // We get an interstitial page as a result.
1540 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1541 CheckAuthenticationBrokenState(tab,
1542 net::CERT_STATUS_COMMON_NAME_INVALID,
1543 AuthState::SHOWING_INTERSTITIAL);
1544 ProceedThroughInterstitial(tab);
1545 CheckAuthenticationBrokenState(
1546 tab, net::CERT_STATUS_COMMON_NAME_INVALID, AuthState::NONE);
1547
1548 // Now we try again with the right host name this time.
1549 GURL url(https_server_.GetURL("files/ssl/google.html"));
1550 ui_test_utils::NavigateToURL(browser(), url);
1551
1552 // Security state should be OK.
1553 CheckAuthenticatedState(tab, AuthState::NONE);
1554
1555 // Now try again the broken one to make sure it is still broken.
1556 ui_test_utils::NavigateToURL(browser(),
1557 https_server_mismatched_.GetURL("files/ssl/google.html"));
1558
1559 // Since we OKed the interstitial last time, we get right to the page.
1560 CheckAuthenticationBrokenState(
1561 tab, net::CERT_STATUS_COMMON_NAME_INVALID, AuthState::NONE);
1562 }
1563
1564 #if defined(OS_CHROMEOS)
1565 // This test seems to be flaky and hang on chromiumos.
1566 // http://crbug.com/84419
1567 #define MAYBE_TestRefNavigation DISABLED_TestRefNavigation
1568 #else
1569 #define MAYBE_TestRefNavigation TestRefNavigation
1570 #endif
1571
1572 // Test that navigating to a #ref does not change a bad security state.
1573 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRefNavigation) {
1574 ASSERT_TRUE(https_server_expired_.Start());
1575
1576 ui_test_utils::NavigateToURL(browser(),
1577 https_server_expired_.GetURL("files/ssl/page_with_refs.html"));
1578
1579 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1580 CheckAuthenticationBrokenState(
1581 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1582
1583 ProceedThroughInterstitial(tab);
1584
1585 CheckAuthenticationBrokenState(
1586 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1587 // Now navigate to a ref in the page, the security state should not have
1588 // changed.
1589 ui_test_utils::NavigateToURL(browser(),
1590 https_server_expired_.GetURL("files/ssl/page_with_refs.html#jp"));
1591
1592 CheckAuthenticationBrokenState(
1593 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1594 }
1595
1596 // Tests that closing a page that has a unsafe pop-up does not crash the
1597 // browser (bug #1966).
1598 // TODO(jcampan): http://crbug.com/2136 disabled because the popup is not
1599 // opened as it is not initiated by a user gesture.
1600 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCloseTabWithUnsafePopup) {
1601 ASSERT_TRUE(test_server()->Start());
1602 ASSERT_TRUE(https_server_expired_.Start());
1603
1604 std::string replacement_path;
1605 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1606 "files/ssl/page_with_unsafe_popup.html",
1607 https_server_expired_.host_port_pair(),
1608 &replacement_path));
1609
1610 ui_test_utils::NavigateToURL(browser(),
1611 test_server()->GetURL(replacement_path));
1612
1613 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1614 // It is probably overkill to add a notification for a popup-opening, let's
1615 // just poll.
1616 for (int i = 0; i < 10; i++) {
1617 if (IsShowingWebContentsModalDialog())
1618 break;
1619 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
1620 FROM_HERE, base::MessageLoop::QuitClosure(),
1621 base::TimeDelta::FromSeconds(1));
1622 content::RunMessageLoop();
1623 }
1624 ASSERT_TRUE(IsShowingWebContentsModalDialog());
1625
1626 // Let's add another tab to make sure the browser does not exit when we close
1627 // the first tab.
1628 GURL url = test_server()->GetURL("files/ssl/google.html");
1629 content::WindowedNotificationObserver observer(
1630 content::NOTIFICATION_LOAD_STOP,
1631 content::NotificationService::AllSources());
1632 chrome::AddSelectedTabWithURL(browser(), url, ui::PAGE_TRANSITION_TYPED);
1633 observer.Wait();
1634
1635 // Close the first tab.
1636 chrome::CloseWebContents(browser(), tab1, false);
1637 }
1638
1639 // Visit a page over bad https that is a redirect to a page with good https.
1640 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectBadToGoodHTTPS) {
1641 ASSERT_TRUE(https_server_.Start());
1642 ASSERT_TRUE(https_server_expired_.Start());
1643
1644 GURL url1 = https_server_expired_.GetURL("server-redirect?");
1645 GURL url2 = https_server_.GetURL("files/ssl/google.html");
1646
1647 ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
1648
1649 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1650
1651 CheckAuthenticationBrokenState(
1652 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1653
1654 ProceedThroughInterstitial(tab);
1655
1656 // We have been redirected to the good page.
1657 CheckAuthenticatedState(tab, AuthState::NONE);
1658 }
1659
1660 // Flaky on Linux. http://crbug.com/368280.
1661 #if defined(OS_LINUX)
1662 #define MAYBE_TestRedirectGoodToBadHTTPS DISABLED_TestRedirectGoodToBadHTTPS
1663 #else
1664 #define MAYBE_TestRedirectGoodToBadHTTPS TestRedirectGoodToBadHTTPS
1665 #endif
1666
1667 // Visit a page over good https that is a redirect to a page with bad https.
1668 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRedirectGoodToBadHTTPS) {
1669 ASSERT_TRUE(https_server_.Start());
1670 ASSERT_TRUE(https_server_expired_.Start());
1671
1672 GURL url1 = https_server_.GetURL("server-redirect?");
1673 GURL url2 = https_server_expired_.GetURL("files/ssl/google.html");
1674 ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
1675
1676 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1677 CheckAuthenticationBrokenState(
1678 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1679
1680 ProceedThroughInterstitial(tab);
1681
1682 CheckAuthenticationBrokenState(
1683 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1684 }
1685
1686 // Visit a page over http that is a redirect to a page with good HTTPS.
1687 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPToGoodHTTPS) {
1688 ASSERT_TRUE(test_server()->Start());
1689 ASSERT_TRUE(https_server_.Start());
1690
1691 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1692
1693 // HTTP redirects to good HTTPS.
1694 GURL http_url = test_server()->GetURL("server-redirect?");
1695 GURL good_https_url =
1696 https_server_.GetURL("files/ssl/google.html");
1697
1698 ui_test_utils::NavigateToURL(browser(),
1699 GURL(http_url.spec() + good_https_url.spec()));
1700 CheckAuthenticatedState(tab, AuthState::NONE);
1701 }
1702
1703 // Flaky on Linux. http://crbug.com/368280.
1704 #if defined(OS_LINUX)
1705 #define MAYBE_TestRedirectHTTPToBadHTTPS DISABLED_TestRedirectHTTPToBadHTTPS
1706 #else
1707 #define MAYBE_TestRedirectHTTPToBadHTTPS TestRedirectHTTPToBadHTTPS
1708 #endif
1709
1710 // Visit a page over http that is a redirect to a page with bad HTTPS.
1711 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRedirectHTTPToBadHTTPS) {
1712 ASSERT_TRUE(test_server()->Start());
1713 ASSERT_TRUE(https_server_expired_.Start());
1714
1715 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1716
1717 GURL http_url = test_server()->GetURL("server-redirect?");
1718 GURL bad_https_url =
1719 https_server_expired_.GetURL("files/ssl/google.html");
1720 ui_test_utils::NavigateToURL(browser(),
1721 GURL(http_url.spec() + bad_https_url.spec()));
1722 CheckAuthenticationBrokenState(
1723 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1724
1725 ProceedThroughInterstitial(tab);
1726
1727 CheckAuthenticationBrokenState(
1728 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1729 }
1730
1731 // Visit a page over https that is a redirect to a page with http (to make sure
1732 // we don't keep the secure state).
1733 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPSToHTTP) {
1734 ASSERT_TRUE(test_server()->Start());
1735 ASSERT_TRUE(https_server_.Start());
1736
1737 GURL https_url = https_server_.GetURL("server-redirect?");
1738 GURL http_url = test_server()->GetURL("files/ssl/google.html");
1739
1740 ui_test_utils::NavigateToURL(browser(),
1741 GURL(https_url.spec() + http_url.spec()));
1742 CheckUnauthenticatedState(
1743 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
1744 }
1745
1746 // Visits a page to which we could not connect (bad port) over http and https
1747 // and make sure the security style is correct.
1748 IN_PROC_BROWSER_TEST_F(SSLUITest, TestConnectToBadPort) {
1749 ui_test_utils::NavigateToURL(browser(), GURL("http://localhost:17"));
1750 CheckUnauthenticatedState(
1751 browser()->tab_strip_model()->GetActiveWebContents(),
1752 AuthState::SHOWING_ERROR);
1753
1754 // Same thing over HTTPS.
1755 ui_test_utils::NavigateToURL(browser(), GURL("https://localhost:17"));
1756 CheckUnauthenticatedState(
1757 browser()->tab_strip_model()->GetActiveWebContents(),
1758 AuthState::SHOWING_ERROR);
1759 }
1760
1761 //
1762 // Frame navigation
1763 //
1764
1765 // From a good HTTPS top frame:
1766 // - navigate to an OK HTTPS frame
1767 // - navigate to a bad HTTPS (expect unsafe content and filtered frame), then
1768 // back
1769 // - navigate to HTTP (expect insecure content), then back
1770 IN_PROC_BROWSER_TEST_F(SSLUITest, TestGoodFrameNavigation) {
1771 ASSERT_TRUE(test_server()->Start());
1772 ASSERT_TRUE(https_server_.Start());
1773 ASSERT_TRUE(https_server_expired_.Start());
1774
1775 std::string top_frame_path;
1776 ASSERT_TRUE(GetTopFramePath(*test_server(),
1777 https_server_,
1778 https_server_expired_,
1779 &top_frame_path));
1780
1781 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1782 ui_test_utils::NavigateToURL(browser(),
1783 https_server_.GetURL(top_frame_path));
1784
1785 CheckAuthenticatedState(tab, AuthState::NONE);
1786
1787 bool success = false;
1788 // Now navigate inside the frame.
1789 {
1790 content::WindowedNotificationObserver observer(
1791 content::NOTIFICATION_LOAD_STOP,
1792 content::Source<NavigationController>(&tab->GetController()));
1793 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1794 tab,
1795 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1796 &success));
1797 ASSERT_TRUE(success);
1798 observer.Wait();
1799 }
1800
1801 // We should still be fine.
1802 CheckAuthenticatedState(tab, AuthState::NONE);
1803
1804 // Now let's hit a bad page.
1805 {
1806 content::WindowedNotificationObserver observer(
1807 content::NOTIFICATION_LOAD_STOP,
1808 content::Source<NavigationController>(&tab->GetController()));
1809 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1810 tab,
1811 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
1812 &success));
1813 ASSERT_TRUE(success);
1814 observer.Wait();
1815 }
1816
1817 // The security style should still be secure.
1818 CheckAuthenticatedState(tab, AuthState::NONE);
1819
1820 // And the frame should be blocked.
1821 bool is_content_evil = true;
1822 content::RenderFrameHost* content_frame = content::FrameMatchingPredicate(
1823 tab, base::Bind(&content::FrameMatchesName, "contentFrame"));
1824 std::string is_evil_js("window.domAutomationController.send("
1825 "document.getElementById('evilDiv') != null);");
1826 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame,
1827 is_evil_js,
1828 &is_content_evil));
1829 EXPECT_FALSE(is_content_evil);
1830
1831 // Now go back, our state should still be OK.
1832 {
1833 content::WindowedNotificationObserver observer(
1834 content::NOTIFICATION_LOAD_STOP,
1835 content::Source<NavigationController>(&tab->GetController()));
1836 tab->GetController().GoBack();
1837 observer.Wait();
1838 }
1839 CheckAuthenticatedState(tab, AuthState::NONE);
1840
1841 // Navigate to a page served over HTTP.
1842 {
1843 content::WindowedNotificationObserver observer(
1844 content::NOTIFICATION_LOAD_STOP,
1845 content::Source<NavigationController>(&tab->GetController()));
1846 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1847 tab,
1848 "window.domAutomationController.send(clickLink('HTTPLink'));",
1849 &success));
1850 ASSERT_TRUE(success);
1851 observer.Wait();
1852 }
1853
1854 // Our state should be unathenticated (in the ran mixed script sense)
1855 CheckAuthenticationBrokenState(
1856 tab,
1857 CertError::NONE,
1858 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1859
1860 // Go back, our state should be unchanged.
1861 {
1862 content::WindowedNotificationObserver observer(
1863 content::NOTIFICATION_LOAD_STOP,
1864 content::Source<NavigationController>(&tab->GetController()));
1865 tab->GetController().GoBack();
1866 observer.Wait();
1867 }
1868
1869 CheckAuthenticationBrokenState(
1870 tab,
1871 CertError::NONE,
1872 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1873 }
1874
1875 // From a bad HTTPS top frame:
1876 // - navigate to an OK HTTPS frame (expected to be still authentication broken).
1877 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadFrameNavigation) {
1878 ASSERT_TRUE(https_server_.Start());
1879 ASSERT_TRUE(https_server_expired_.Start());
1880
1881 std::string top_frame_path;
1882 ASSERT_TRUE(GetTopFramePath(*test_server(),
1883 https_server_,
1884 https_server_expired_,
1885 &top_frame_path));
1886
1887 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1888 ui_test_utils::NavigateToURL(browser(),
1889 https_server_expired_.GetURL(top_frame_path));
1890 CheckAuthenticationBrokenState(
1891 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1892
1893 ProceedThroughInterstitial(tab);
1894
1895 // Navigate to a good frame.
1896 bool success = false;
1897 content::WindowedNotificationObserver observer(
1898 content::NOTIFICATION_LOAD_STOP,
1899 content::Source<NavigationController>(&tab->GetController()));
1900 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1901 tab,
1902 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1903 &success));
1904 ASSERT_TRUE(success);
1905 observer.Wait();
1906
1907 // We should still be authentication broken.
1908 CheckAuthenticationBrokenState(
1909 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1910 }
1911
1912 // From an HTTP top frame, navigate to good and bad HTTPS (security state should
1913 // stay unauthenticated).
1914 // Disabled, flakily exceeds test timeout, http://crbug.com/43437.
1915 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestUnauthenticatedFrameNavigation) {
1916 ASSERT_TRUE(test_server()->Start());
1917 ASSERT_TRUE(https_server_.Start());
1918 ASSERT_TRUE(https_server_expired_.Start());
1919
1920 std::string top_frame_path;
1921 ASSERT_TRUE(GetTopFramePath(*test_server(),
1922 https_server_,
1923 https_server_expired_,
1924 &top_frame_path));
1925
1926 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1927 ui_test_utils::NavigateToURL(browser(),
1928 test_server()->GetURL(top_frame_path));
1929 CheckUnauthenticatedState(tab, AuthState::NONE);
1930
1931 // Now navigate inside the frame to a secure HTTPS frame.
1932 {
1933 bool success = false;
1934 content::WindowedNotificationObserver observer(
1935 content::NOTIFICATION_LOAD_STOP,
1936 content::Source<NavigationController>(&tab->GetController()));
1937 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1938 tab,
1939 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1940 &success));
1941 ASSERT_TRUE(success);
1942 observer.Wait();
1943 }
1944
1945 // We should still be unauthenticated.
1946 CheckUnauthenticatedState(tab, AuthState::NONE);
1947
1948 // Now navigate to a bad HTTPS frame.
1949 {
1950 bool success = false;
1951 content::WindowedNotificationObserver observer(
1952 content::NOTIFICATION_LOAD_STOP,
1953 content::Source<NavigationController>(&tab->GetController()));
1954 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1955 tab,
1956 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
1957 &success));
1958 ASSERT_TRUE(success);
1959 observer.Wait();
1960 }
1961
1962 // State should not have changed.
1963 CheckUnauthenticatedState(tab, AuthState::NONE);
1964
1965 // And the frame should have been blocked (see bug #2316).
1966 bool is_content_evil = true;
1967 content::RenderFrameHost* content_frame = content::FrameMatchingPredicate(
1968 tab, base::Bind(&content::FrameMatchesName, "contentFrame"));
1969 std::string is_evil_js("window.domAutomationController.send("
1970 "document.getElementById('evilDiv') != null);");
1971 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame,
1972 is_evil_js,
1973 &is_content_evil));
1974 EXPECT_FALSE(is_content_evil);
1975 }
1976
1977 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerFiltered) {
1978 ASSERT_TRUE(https_server_.Start());
1979 ASSERT_TRUE(https_server_expired_.Start());
1980
1981 // This page will spawn a Worker which will try to load content from
1982 // BadCertServer.
1983 std::string page_with_unsafe_worker_path;
1984 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_expired_,
1985 &page_with_unsafe_worker_path));
1986 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1987 page_with_unsafe_worker_path));
1988 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1989 // Expect Worker not to load insecure content.
1990 CheckWorkerLoadResult(tab, false);
1991 // The bad content is filtered, expect the state to be authenticated.
1992 CheckAuthenticatedState(tab, AuthState::NONE);
1993 }
1994
1995 // This test, and the related test TestUnsafeContentsWithUserException, verify
1996 // that if unsafe content is loaded but the host of that unsafe content has a
1997 // user exception, the content runs and the security style remains
1998 // authenticated. This is not necessarily the behavior that should exist, but it
1999 // is verification that it does behave that way. See https://crbug.com/477868
2000 // for more inforamtion on this.
2001 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) {
2002 ASSERT_TRUE(https_server_.Start());
2003 // Note that it is necessary to user https_server_mismatched_ here over the
2004 // other invalid cert servers. This is because the test relies on the two
2005 // servers having different hosts since SSL exceptions are per-host, not per
2006 // origin, and https_server_mismatched_ uses 'localhost' rather than
2007 // '127.0.0.1'.
2008 ASSERT_TRUE(https_server_mismatched_.Start());
2009
2010 // Navigate to an unsafe site. Proceed with interstitial page to indicate
2011 // the user approves the bad certificate.
2012 ui_test_utils::NavigateToURL(
2013 browser(), https_server_mismatched_.GetURL("files/ssl/blank_page.html"));
2014 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2015 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2016 AuthState::SHOWING_INTERSTITIAL);
2017 ProceedThroughInterstitial(tab);
2018 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2019 AuthState::NONE);
2020
2021 // Navigate to safe page that has Worker loading unsafe content.
2022 // Expect content to load but be marked as auth broken due to running insecure
2023 // content.
2024 std::string page_with_unsafe_worker_path;
2025 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_mismatched_,
2026 &page_with_unsafe_worker_path));
2027 ui_test_utils::NavigateToURL(
2028 browser(), https_server_.GetURL(page_with_unsafe_worker_path));
2029 CheckWorkerLoadResult(tab, true); // Worker loads insecure content
2030 CheckAuthenticatedState(tab, CertError::NONE);
2031 }
2032
2033 // Visits a page with unsafe content and makes sure that if a user exception to
2034 // the certificate error is present, the image is loaded and script executes.
2035 //
2036 // See the comment above SSLUITest.TestUnsafeContentsInWorkerWithUserException
2037 // for a discussion about the desired behavior.
2038 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) {
2039 ASSERT_TRUE(https_server_.Start());
2040 // Note that it is necessary to user https_server_mismatched_ here over the
2041 // other invalid cert servers. This is because the test relies on the two
2042 // servers having different hosts since SSL exceptions are per-host, not per
2043 // origin, and https_server_mismatched_ uses 'localhost' rather than
2044 // '127.0.0.1'.
2045 ASSERT_TRUE(https_server_mismatched_.Start());
2046
2047 // Navigate to an unsafe site. Proceed with interstitial page to indicate
2048 // the user approves the bad certificate.
2049 ui_test_utils::NavigateToURL(
2050 browser(), https_server_mismatched_.GetURL("files/ssl/blank_page.html"));
2051 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2052 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2053 AuthState::SHOWING_INTERSTITIAL);
2054 ProceedThroughInterstitial(tab);
2055 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2056 AuthState::NONE);
2057
2058 std::string replacement_path;
2059 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2060 "files/ssl/page_with_unsafe_contents.html",
2061 https_server_mismatched_.host_port_pair(), &replacement_path));
2062 ui_test_utils::NavigateToURL(browser(),
2063 https_server_.GetURL(replacement_path));
2064
2065 // When the bad content is filtered, the state is expected to be
2066 // authenticated.
2067 CheckAuthenticatedState(tab, AuthState::NONE);
2068
2069 int img_width;
2070 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
2071 tab, "window.domAutomationController.send(ImageWidth());", &img_width));
2072 // In order to check that the image was loaded, we check its width.
2073 // The actual image (Google logo) is 114 pixels wide, so we assume a good
2074 // image is greater than 100.
2075 EXPECT_GT(img_width, 100);
2076
2077 bool js_result = false;
2078 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
2079 tab, "window.domAutomationController.send(IsFooSet());", &js_result));
2080 EXPECT_TRUE(js_result);
2081 CheckAuthenticatedState(tab, CertError::NONE);
2082 }
2083
2084 // Test that when the browser blocks displaying insecure content (images), the
2085 // indicator shows a secure page, because the blocking made the otherwise
2086 // unsafe page safe (the notification of this state is handled by other means).
2087 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) {
2088 ASSERT_TRUE(test_server()->Start());
2089 ASSERT_TRUE(https_server_.Start());
2090
2091 std::string replacement_path;
2092 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2093 "files/ssl/page_displays_insecure_content.html",
2094 test_server()->host_port_pair(),
2095 &replacement_path));
2096
2097 ui_test_utils::NavigateToURL(browser(),
2098 https_server_.GetURL(replacement_path));
2099
2100 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2101 AuthState::NONE);
2102 }
2103
2104 // Test that when the browser blocks displaying insecure content (iframes), the
2105 // indicator shows a secure page, because the blocking made the otherwise
2106 // unsafe page safe (the notification of this state is handled by other means)
2107 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureIframe) {
2108 ASSERT_TRUE(test_server()->Start());
2109 ASSERT_TRUE(https_server_.Start());
2110
2111 std::string replacement_path;
2112 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2113 "files/ssl/page_displays_insecure_iframe.html",
2114 test_server()->host_port_pair(),
2115 &replacement_path));
2116
2117 ui_test_utils::NavigateToURL(browser(),
2118 https_server_.GetURL(replacement_path));
2119
2120 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2121 AuthState::NONE);
2122 }
2123
2124 // Test that when the browser blocks running insecure content, the
2125 // indicator shows a secure page, because the blocking made the otherwise
2126 // unsafe page safe (the notification of this state is handled by other means).
2127 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockRunningInsecureContent) {
2128 ASSERT_TRUE(test_server()->Start());
2129 ASSERT_TRUE(https_server_.Start());
2130
2131 std::string replacement_path;
2132 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2133 "files/ssl/page_runs_insecure_content.html",
2134 test_server()->host_port_pair(),
2135 &replacement_path));
2136
2137 ui_test_utils::NavigateToURL(browser(),
2138 https_server_.GetURL(replacement_path));
2139
2140 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2141 AuthState::NONE);
2142 }
2143
2144 // Visit a page and establish a WebSocket connection over bad https with
2145 // --ignore-certificate-errors. The connection should be established without
2146 // interstitial page showing.
2147 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors, TestWSS) {
2148 ASSERT_TRUE(test_server()->Start());
2149 ASSERT_TRUE(wss_server_expired_.Start());
2150
2151 // Setup page title observer.
2152 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2153 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
2154 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
2155
2156 // Visit bad HTTPS page.
2157 GURL::Replacements replacements;
2158 replacements.SetSchemeStr("https");
2159 ui_test_utils::NavigateToURL(
2160 browser(),
2161 wss_server_expired_.GetURL(
2162 "connect_check.html").ReplaceComponents(replacements));
2163
2164 // We shouldn't have an interstitial page showing here.
2165
2166 // Test page run a WebSocket wss connection test. The result will be shown
2167 // as page title.
2168 const base::string16 result = watcher.WaitAndGetTitle();
2169 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
2170 }
2171
2172 // Verifies that the interstitial can proceed, even if JavaScript is disabled.
2173 // http://crbug.com/322948
2174 #if defined(OS_LINUX)
2175 // flaky http://crbug.com/396458
2176 #define MAYBE_TestInterstitialJavaScriptProceeds \
2177 DISABLED_TestInterstitialJavaScriptProceeds
2178 #else
2179 #define MAYBE_TestInterstitialJavaScriptProceeds \
2180 TestInterstitialJavaScriptProceeds
2181 #endif
2182 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestInterstitialJavaScriptProceeds) {
2183 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2184 CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
2185
2186 ASSERT_TRUE(https_server_expired_.Start());
2187 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2188 ui_test_utils::NavigateToURL(browser(),
2189 https_server_expired_.GetURL("files/ssl/google.html"));
2190 CheckAuthenticationBrokenState(
2191 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2192
2193 content::WindowedNotificationObserver observer(
2194 content::NOTIFICATION_LOAD_STOP,
2195 content::Source<NavigationController>(&tab->GetController()));
2196 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
2197 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
2198 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
2199 content::RenderViewHost* interstitial_rvh =
2200 interstitial_page->GetMainFrame()->GetRenderViewHost();
2201 int result = -1;
2202 std::string javascript = base::StringPrintf(
2203 "window.domAutomationController.send(%d);",
2204 SecurityInterstitialPage::CMD_PROCEED);
2205 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2206 interstitial_rvh, javascript, &result));
2207 // The above will hang without the fix.
2208 EXPECT_EQ(1, result);
2209 observer.Wait();
2210 CheckAuthenticationBrokenState(
2211 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
2212 }
2213
2214 // Verifies that the interstitial can go back, even if JavaScript is disabled.
2215 // http://crbug.com/322948
2216 IN_PROC_BROWSER_TEST_F(SSLUITest, TestInterstitialJavaScriptGoesBack) {
2217 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2218 CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
2219
2220 ASSERT_TRUE(https_server_expired_.Start());
2221 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2222 ui_test_utils::NavigateToURL(browser(),
2223 https_server_expired_.GetURL("files/ssl/google.html"));
2224 CheckAuthenticationBrokenState(
2225 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2226
2227 content::WindowedNotificationObserver observer(
2228 content::NOTIFICATION_RENDER_WIDGET_HOST_DESTROYED,
2229 content::NotificationService::AllSources());
2230 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
2231 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
2232 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
2233 content::RenderViewHost* interstitial_rvh =
2234 interstitial_page->GetMainFrame()->GetRenderViewHost();
2235 int result = -1;
2236 std::string javascript = base::StringPrintf(
2237 "window.domAutomationController.send(%d);",
2238 SecurityInterstitialPage::CMD_DONT_PROCEED);
2239 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2240 interstitial_rvh, javascript, &result));
2241 // The above will hang without the fix.
2242 EXPECT_EQ(0, result);
2243 observer.Wait();
2244 EXPECT_EQ("about:blank", tab->GetVisibleURL().spec());
2245 }
2246
2247 // Verifies that switching tabs, while showing interstitial page, will not
2248 // affect the visibility of the interestitial.
2249 // https://crbug.com/381439
2250 IN_PROC_BROWSER_TEST_F(SSLUITest, InterstitialNotAffectedByHideShow) {
2251 ASSERT_TRUE(https_server_expired_.Start());
2252 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2253 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2254 ui_test_utils::NavigateToURL(
2255 browser(), https_server_expired_.GetURL("files/ssl/google.html"));
2256 CheckAuthenticationBrokenState(
2257 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2258 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2259
2260 AddTabAtIndex(0,
2261 https_server_.GetURL("files/ssl/google.html"),
2262 ui::PAGE_TRANSITION_TYPED);
2263 EXPECT_EQ(2, browser()->tab_strip_model()->count());
2264 EXPECT_EQ(0, browser()->tab_strip_model()->active_index());
2265 EXPECT_EQ(tab, browser()->tab_strip_model()->GetWebContentsAt(1));
2266 EXPECT_FALSE(tab->GetRenderWidgetHostView()->IsShowing());
2267
2268 browser()->tab_strip_model()->ActivateTabAt(1, true);
2269 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2270 }
2271
2272 // Verifies that if a bad certificate is seen for a host and the user proceeds
2273 // through the interstitial, the decision to proceed is initially remembered.
2274 // However, if this is followed by another visit, and a good certificate
2275 // is seen for the same host, the original exception is forgotten.
2276 IN_PROC_BROWSER_TEST_F(SSLUITest, BadCertFollowedByGoodCert) {
2277 // It is necessary to use |https_server_expired_| rather than
2278 // |https_server_mismatched| because the former shares a host with
2279 // |https_server_| and cert exceptions are per host.
2280 ASSERT_TRUE(https_server_expired_.Start());
2281 ASSERT_TRUE(https_server_.Start());
2282
2283 std::string https_server_expired_host =
2284 https_server_.GetURL("files/ssl/google.html").host();
2285 std::string https_server_host =
2286 https_server_.GetURL("files/ssl/google.html").host();
2287 ASSERT_EQ(https_server_expired_host, https_server_host);
2288
2289 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2290
2291 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
2292 ChromeSSLHostStateDelegate* state =
2293 reinterpret_cast<ChromeSSLHostStateDelegate*>(
2294 profile->GetSSLHostStateDelegate());
2295
2296 ui_test_utils::NavigateToURL(
2297 browser(), https_server_expired_.GetURL("files/ssl/google.html"));
2298
2299 ProceedThroughInterstitial(tab);
2300 EXPECT_TRUE(state->HasAllowException(https_server_host));
2301
2302 ui_test_utils::NavigateToURL(browser(),
2303 https_server_.GetURL("files/ssl/google.html"));
2304 ASSERT_FALSE(tab->GetInterstitialPage());
2305 EXPECT_FALSE(state->HasAllowException(https_server_host));
2306 }
2307
2308 class CommonNameMismatchBrowserTest : public CertVerifierBrowserTest {
2309 public:
2310 CommonNameMismatchBrowserTest() : CertVerifierBrowserTest(){};
2311 ~CommonNameMismatchBrowserTest() override{};
2312
2313 void SetUpCommandLine(base::CommandLine* command_line) override {
2314 // Enable finch experiment for SSL common name mismatch handling.
2315 command_line->AppendSwitchASCII(switches::kForceFieldTrials,
2316 "SSLCommonNameMismatchHandling/Enabled/");
2317 }
2318 };
2319
2320 // Visit the URL www.mail.example.com on a server that presents a valid
2321 // certificate for mail.example.com. Verify that the page navigates to
2322 // mail.example.com.
2323 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2324 ShouldShowWWWSubdomainMismatchInterstitial) {
2325 net::SpawnedTestServer https_server_example_domain_(
2326 net::SpawnedTestServer::TYPE_HTTPS,
2327 net::SpawnedTestServer::SSLOptions(
2328 net::SpawnedTestServer::SSLOptions::CERT_OK),
2329 base::FilePath(kDocRoot));
2330 ASSERT_TRUE(https_server_example_domain_.Start());
2331
2332 host_resolver()->AddRule(
2333 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2334 host_resolver()->AddRule(
2335 "www.mail.example.com",
2336 https_server_example_domain_.host_port_pair().host());
2337
2338 scoped_refptr<net::X509Certificate> cert =
2339 https_server_example_domain_.GetCertificate();
2340
2341 // Use the "spdy_pooling.pem" cert which has "mail.example.com"
2342 // as one of its SANs.
2343 net::CertVerifyResult verify_result;
2344 verify_result.verified_cert =
2345 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2346 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2347
2348 // Request to "www.mail.example.com" should result in
2349 // |net::ERR_CERT_COMMON_NAME_INVALID| error.
2350 mock_cert_verifier()->AddResultForCertAndHost(
2351 cert.get(), "www.mail.example.com", verify_result,
2352 net::ERR_CERT_COMMON_NAME_INVALID);
2353
2354 net::CertVerifyResult verify_result_valid;
2355 verify_result_valid.verified_cert =
2356 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2357 // Request to "www.mail.example.com" should not result in any error.
2358 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2359 verify_result_valid, net::OK);
2360
2361 // Use a complex URL to ensure the path, etc., are preserved. The path itself
2362 // does not matter.
2363 GURL https_server_url =
2364 https_server_example_domain_.GetURL("files/ssl/google.html?a=b#anchor");
2365 GURL::Replacements replacements;
2366 replacements.SetHostStr("www.mail.example.com");
2367 GURL https_server_mismatched_url =
2368 https_server_url.ReplaceComponents(replacements);
2369
2370 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2371 content::TestNavigationObserver observer(contents, 2);
2372 ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url);
2373 observer.Wait();
2374
2375 CheckSecurityState(contents, CertError::NONE,
2376 content::SECURITY_STYLE_AUTHENTICATED, AuthState::NONE);
2377 replacements.SetHostStr("mail.example.com");
2378 GURL https_server_new_url = https_server_url.ReplaceComponents(replacements);
2379 // Verify that the current URL is the suggested URL.
2380 EXPECT_EQ(https_server_new_url.spec(),
2381 contents->GetLastCommittedURL().spec());
2382 }
2383
2384 // Visit the URL example.org on a server that presents a valid certificate
2385 // for www.example.org. Verify that the page redirects to www.example.org.
2386 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2387 CheckWWWSubdomainMismatchInverse) {
2388 net::SpawnedTestServer https_server_example_domain_(
2389 net::SpawnedTestServer::TYPE_HTTPS,
2390 net::SpawnedTestServer::SSLOptions(
2391 net::SpawnedTestServer::SSLOptions::CERT_OK),
2392 base::FilePath(kDocRoot));
2393 ASSERT_TRUE(https_server_example_domain_.Start());
2394
2395 host_resolver()->AddRule(
2396 "www.example.org", https_server_example_domain_.host_port_pair().host());
2397 host_resolver()->AddRule(
2398 "example.org", https_server_example_domain_.host_port_pair().host());
2399
2400 scoped_refptr<net::X509Certificate> cert =
2401 https_server_example_domain_.GetCertificate();
2402
2403 net::CertVerifyResult verify_result;
2404 verify_result.verified_cert =
2405 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2406 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2407
2408 mock_cert_verifier()->AddResultForCertAndHost(
2409 cert.get(), "example.org", verify_result,
2410 net::ERR_CERT_COMMON_NAME_INVALID);
2411
2412 net::CertVerifyResult verify_result_valid;
2413 verify_result_valid.verified_cert =
2414 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2415 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "www.example.org",
2416 verify_result_valid, net::OK);
2417
2418 GURL https_server_url =
2419 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2420 GURL::Replacements replacements;
2421 replacements.SetHostStr("example.org");
2422 GURL https_server_mismatched_url =
2423 https_server_url.ReplaceComponents(replacements);
2424
2425 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2426 content::TestNavigationObserver observer(contents, 2);
2427 ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url);
2428 observer.Wait();
2429
2430 CheckSecurityState(contents, CertError::NONE,
2431 content::SECURITY_STYLE_AUTHENTICATED, AuthState::NONE);
2432 }
2433
2434 // Tests this scenario:
2435 // - |CommonNameMismatchHandler| does not give a callback as it's set into the
2436 // state |IGNORE_REQUESTS_FOR_TESTING|. So no suggested URL check result can
2437 // arrive.
2438 // - A cert error triggers an interstitial timer with a very long timeout.
2439 // - No suggested URL check results arrive, causing the tab to appear as loading
2440 // indefinitely (also because the timer has a long timeout).
2441 // - Stopping the page load shouldn't result in any interstitials.
2442 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2443 InterstitialStopNavigationWhileLoading) {
2444 net::SpawnedTestServer https_server_example_domain_(
2445 net::SpawnedTestServer::TYPE_HTTPS,
2446 net::SpawnedTestServer::SSLOptions(
2447 net::SpawnedTestServer::SSLOptions::CERT_OK),
2448 base::FilePath(kDocRoot));
2449 ASSERT_TRUE(https_server_example_domain_.Start());
2450
2451 host_resolver()->AddRule(
2452 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2453 host_resolver()->AddRule(
2454 "www.mail.example.com",
2455 https_server_example_domain_.host_port_pair().host());
2456
2457 scoped_refptr<net::X509Certificate> cert =
2458 https_server_example_domain_.GetCertificate();
2459
2460 net::CertVerifyResult verify_result;
2461 verify_result.verified_cert =
2462 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2463 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2464
2465 mock_cert_verifier()->AddResultForCertAndHost(
2466 cert.get(), "www.mail.example.com", verify_result,
2467 net::ERR_CERT_COMMON_NAME_INVALID);
2468
2469 net::CertVerifyResult verify_result_valid;
2470 verify_result_valid.verified_cert =
2471 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2472 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2473 verify_result_valid, net::OK);
2474
2475 GURL https_server_url =
2476 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2477 GURL::Replacements replacements;
2478 replacements.SetHostStr("www.mail.example.com");
2479 GURL https_server_mismatched_url =
2480 https_server_url.ReplaceComponents(replacements);
2481
2482 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2483 CommonNameMismatchHandler::set_state_for_testing(
2484 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
2485 SSLErrorHandler::SetInterstitialDelayTypeForTest(SSLErrorHandler::LONG);
2486 SSLInterstitialTimerObserver interstitial_timer_observer(contents);
2487
2488 ui_test_utils::NavigateToURLWithDisposition(
2489 browser(), https_server_mismatched_url, CURRENT_TAB,
2490 ui_test_utils::BROWSER_TEST_NONE);
2491 interstitial_timer_observer.WaitForTimerStarted();
2492
2493 EXPECT_TRUE(contents->IsLoading());
2494 content::WindowedNotificationObserver observer(
2495 content::NOTIFICATION_LOAD_STOP,
2496 content::NotificationService::AllSources());
2497 contents->Stop();
2498 observer.Wait();
2499
2500 SSLErrorHandler* ssl_error_handler =
2501 SSLErrorHandler::FromWebContents(contents);
2502 // Make sure that the |SSLErrorHandler| is deleted.
2503 EXPECT_FALSE(ssl_error_handler);
2504 EXPECT_FALSE(contents->ShowingInterstitialPage());
2505 EXPECT_FALSE(contents->IsLoading());
2506 }
2507
2508 // Same as above, but instead of stopping, the loading page is reloaded. The end
2509 // result is the same. (i.e. page load stops, no interstitials shown)
2510 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2511 InterstitialReloadNavigationWhileLoading) {
2512 net::SpawnedTestServer https_server_example_domain_(
2513 net::SpawnedTestServer::TYPE_HTTPS,
2514 net::SpawnedTestServer::SSLOptions(
2515 net::SpawnedTestServer::SSLOptions::CERT_OK),
2516 base::FilePath(kDocRoot));
2517 ASSERT_TRUE(https_server_example_domain_.Start());
2518
2519 host_resolver()->AddRule(
2520 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2521 host_resolver()->AddRule(
2522 "www.mail.example.com",
2523 https_server_example_domain_.host_port_pair().host());
2524
2525 scoped_refptr<net::X509Certificate> cert =
2526 https_server_example_domain_.GetCertificate();
2527
2528 net::CertVerifyResult verify_result;
2529 verify_result.verified_cert =
2530 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2531 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2532
2533 mock_cert_verifier()->AddResultForCertAndHost(
2534 cert.get(), "www.mail.example.com", verify_result,
2535 net::ERR_CERT_COMMON_NAME_INVALID);
2536
2537 net::CertVerifyResult verify_result_valid;
2538 verify_result_valid.verified_cert =
2539 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2540 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2541 verify_result_valid, net::OK);
2542
2543 GURL https_server_url =
2544 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2545 GURL::Replacements replacements;
2546 replacements.SetHostStr("www.mail.example.com");
2547 GURL https_server_mismatched_url =
2548 https_server_url.ReplaceComponents(replacements);
2549
2550 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2551 CommonNameMismatchHandler::set_state_for_testing(
2552 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
2553 SSLErrorHandler::SetInterstitialDelayTypeForTest(SSLErrorHandler::LONG);
2554 SSLInterstitialTimerObserver interstitial_timer_observer(contents);
2555
2556 ui_test_utils::NavigateToURLWithDisposition(
2557 browser(), https_server_mismatched_url, CURRENT_TAB,
2558 ui_test_utils::BROWSER_TEST_NONE);
2559 interstitial_timer_observer.WaitForTimerStarted();
2560
2561 EXPECT_TRUE(contents->IsLoading());
2562 content::TestNavigationObserver observer(contents, 1);
2563 chrome::Reload(browser(), CURRENT_TAB);
2564 observer.Wait();
2565
2566 SSLErrorHandler* ssl_error_handler =
2567 SSLErrorHandler::FromWebContents(contents);
2568 // Make sure that the |SSLErrorHandler| is deleted.
2569 EXPECT_FALSE(ssl_error_handler);
2570 EXPECT_FALSE(contents->ShowingInterstitialPage());
2571 EXPECT_FALSE(contents->IsLoading());
2572 }
2573
2574 // Same as above, but instead of reloading, the page is navigated away. The
2575 // new page should load, and no interstitials should be shown.
2576 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2577 InterstitialNavigateAwayWhileLoading) {
2578 net::SpawnedTestServer https_server_example_domain_(
2579 net::SpawnedTestServer::TYPE_HTTPS,
2580 net::SpawnedTestServer::SSLOptions(
2581 net::SpawnedTestServer::SSLOptions::CERT_OK),
2582 base::FilePath(kDocRoot));
2583 ASSERT_TRUE(https_server_example_domain_.Start());
2584
2585 host_resolver()->AddRule(
2586 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2587 host_resolver()->AddRule(
2588 "www.mail.example.com",
2589 https_server_example_domain_.host_port_pair().host());
2590
2591 scoped_refptr<net::X509Certificate> cert =
2592 https_server_example_domain_.GetCertificate();
2593
2594 net::CertVerifyResult verify_result;
2595 verify_result.verified_cert =
2596 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2597 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2598
2599 mock_cert_verifier()->AddResultForCertAndHost(
2600 cert.get(), "www.mail.example.com", verify_result,
2601 net::ERR_CERT_COMMON_NAME_INVALID);
2602
2603 net::CertVerifyResult verify_result_valid;
2604 verify_result_valid.verified_cert =
2605 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2606 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2607 verify_result_valid, net::OK);
2608
2609 GURL https_server_url =
2610 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2611 GURL::Replacements replacements;
2612 replacements.SetHostStr("www.mail.example.com");
2613 GURL https_server_mismatched_url =
2614 https_server_url.ReplaceComponents(replacements);
2615
2616 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2617 CommonNameMismatchHandler::set_state_for_testing(
2618 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
2619 SSLErrorHandler::SetInterstitialDelayTypeForTest(SSLErrorHandler::LONG);
2620 SSLInterstitialTimerObserver interstitial_timer_observer(contents);
2621
2622 ui_test_utils::NavigateToURLWithDisposition(
2623 browser(), https_server_mismatched_url, CURRENT_TAB,
2624 ui_test_utils::BROWSER_TEST_NONE);
2625 interstitial_timer_observer.WaitForTimerStarted();
2626
2627 EXPECT_TRUE(contents->IsLoading());
2628 content::TestNavigationObserver observer(contents, 1);
2629 browser()->OpenURL(content::OpenURLParams(GURL("https://google.com"),
2630 content::Referrer(), CURRENT_TAB,
2631 ui::PAGE_TRANSITION_TYPED, false));
2632 observer.Wait();
2633
2634 SSLErrorHandler* ssl_error_handler =
2635 SSLErrorHandler::FromWebContents(contents);
2636 // Make sure that the |SSLErrorHandler| is deleted.
2637 EXPECT_FALSE(ssl_error_handler);
2638 EXPECT_FALSE(contents->ShowingInterstitialPage());
2639 EXPECT_FALSE(contents->IsLoading());
2640 }
2641
2642 class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest {
2643 protected:
2644 // SecurityInterstitialIDNTest implementation
2645 SecurityInterstitialPage* CreateInterstitial(
2646 content::WebContents* contents,
2647 const GURL& request_url) const override {
2648 net::SSLInfo ssl_info;
2649 ssl_info.cert = new net::X509Certificate(
2650 request_url.host(), "CA", base::Time::Max(), base::Time::Max());
2651 return new SSLBlockingPage(
2652 contents, net::ERR_CERT_CONTAINS_ERRORS, ssl_info, request_url, 0,
2653 base::Time::NowFromSystemTime(), nullptr, base::Callback<void(bool)>());
2654 }
2655 };
2656
2657 IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest, SSLBlockingPageDecodesIDN) {
2658 EXPECT_TRUE(VerifyIDNDecoded());
2659 }
2660
2661 IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest, MockCertVerifierSmokeTest) {
2662 net::SpawnedTestServer https_server(
2663 net::SpawnedTestServer::TYPE_HTTPS,
2664 net::SpawnedTestServer::SSLOptions(
2665 net::SpawnedTestServer::SSLOptions::CERT_OK),
2666 base::FilePath(kDocRoot));
2667 ASSERT_TRUE(https_server.Start());
2668
2669 mock_cert_verifier()->set_default_result(
2670 net::ERR_CERT_NAME_CONSTRAINT_VIOLATION);
2671
2672 ui_test_utils::NavigateToURL(browser(),
2673 https_server.GetURL("files/ssl/google.html"));
2674
2675 CheckSecurityState(browser()->tab_strip_model()->GetActiveWebContents(),
2676 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
2677 content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
2678 AuthState::SHOWING_INTERSTITIAL);
2679 }
2680
2681 // TODO(jcampan): more tests to do below.
2682
2683 // Visit a page over https that contains a frame with a redirect.
2684
2685 // XMLHttpRequest insecure content in synchronous mode.
2686
2687 // XMLHttpRequest insecure content in asynchronous mode.
2688
2689 // XMLHttpRequest over bad ssl in synchronous mode.
2690
2691 // XMLHttpRequest over OK ssl in synchronous mode.