search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add new certificateProvider extension API.
[chromium-blink-merge.git] / chrome / browser / ui / website_settings / website_settings.cc
blob49433553528035d0b0e473b64cebc8aae2fadb5b
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/ui/website_settings/website_settings.h"
6
7 #include <string>
8 #include <vector>
9
10 #include "base/command_line.h"
11 #include "base/i18n/time_formatting.h"
12 #include "base/metrics/field_trial.h"
13 #include "base/metrics/histogram.h"
14 #include "base/strings/string_number_conversions.h"
15 #include "base/strings/stringprintf.h"
16 #include "base/strings/utf_string_conversions.h"
17 #include "base/values.h"
18 #include "chrome/browser/browser_process.h"
19 #include "chrome/browser/browsing_data/browsing_data_channel_id_helper.h"
20 #include "chrome/browser/browsing_data/browsing_data_cookie_helper.h"
21 #include "chrome/browser/browsing_data/browsing_data_database_helper.h"
22 #include "chrome/browser/browsing_data/browsing_data_file_system_helper.h"
23 #include "chrome/browser/browsing_data/browsing_data_indexed_db_helper.h"
24 #include "chrome/browser/browsing_data/browsing_data_local_storage_helper.h"
25 #include "chrome/browser/history/history_service_factory.h"
26 #include "chrome/browser/infobars/infobar_service.h"
27 #include "chrome/browser/profiles/profile.h"
28 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
29 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate_factory.h"
30 #include "chrome/browser/ssl/ssl_error_info.h"
31 #include "chrome/browser/ui/website_settings/website_settings_ui.h"
32 #include "chrome/common/chrome_switches.h"
33 #include "chrome/common/url_constants.h"
34 #include "chrome/grit/chromium_strings.h"
35 #include "chrome/grit/generated_resources.h"
36 #include "components/content_settings/core/browser/content_settings_utils.h"
37 #include "components/content_settings/core/browser/host_content_settings_map.h"
38 #include "components/content_settings/core/browser/local_shared_objects_counter.h"
39 #include "components/content_settings/core/common/content_settings.h"
40 #include "components/content_settings/core/common/content_settings_pattern.h"
41 #include "components/rappor/rappor_utils.h"
42 #include "content/public/browser/browser_thread.h"
43 #include "content/public/browser/cert_store.h"
44 #include "content/public/browser/user_metrics.h"
45 #include "content/public/common/content_switches.h"
46 #include "content/public/common/ssl_status.h"
47 #include "content/public/common/url_constants.h"
48 #include "net/cert/cert_status_flags.h"
49 #include "net/cert/x509_certificate.h"
50 #include "net/ssl/ssl_cipher_suite_names.h"
51 #include "net/ssl/ssl_connection_status_flags.h"
52 #include "ui/base/l10n/l10n_util.h"
53
54 #if defined(OS_CHROMEOS)
55 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
56 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
57 #endif
58
59 #if !defined(OS_ANDROID)
60 #include "chrome/browser/ui/website_settings/website_settings_infobar_delegate.h"
61 #endif
62
63 using base::ASCIIToUTF16;
64 using base::UTF8ToUTF16;
65 using base::UTF16ToUTF8;
66 using content::BrowserThread;
67
68 namespace {
69
70 // Events for UMA. Do not reorder or change!
71 enum SSLCertificateDecisionsDidRevoke {
72 USER_CERT_DECISIONS_NOT_REVOKED = 0,
73 USER_CERT_DECISIONS_REVOKED,
74 END_OF_SSL_CERTIFICATE_DECISIONS_DID_REVOKE_ENUM
75 };
76
77 // The list of content settings types to display on the Website Settings UI. THE
78 // ORDER OF THESE ITEMS IS IMPORTANT. To propose changing it, email
79 // security-dev@chromium.org.
80 ContentSettingsType kPermissionType[] = {
81 CONTENT_SETTINGS_TYPE_GEOLOCATION,
82 CONTENT_SETTINGS_TYPE_MEDIASTREAM_CAMERA,
83 CONTENT_SETTINGS_TYPE_MEDIASTREAM_MIC,
84 CONTENT_SETTINGS_TYPE_NOTIFICATIONS,
85 CONTENT_SETTINGS_TYPE_IMAGES,
86 CONTENT_SETTINGS_TYPE_JAVASCRIPT,
87 CONTENT_SETTINGS_TYPE_POPUPS,
88 CONTENT_SETTINGS_TYPE_FULLSCREEN,
89 CONTENT_SETTINGS_TYPE_AUTOMATIC_DOWNLOADS,
90 CONTENT_SETTINGS_TYPE_PLUGINS,
91 CONTENT_SETTINGS_TYPE_MOUSELOCK,
92 CONTENT_SETTINGS_TYPE_MIDI_SYSEX,
93 #if defined(OS_ANDROID)
94 CONTENT_SETTINGS_TYPE_PUSH_MESSAGING,
95 #endif
96 };
97
98 bool CertificateTransparencyStatusMatch(
99 const content::SignedCertificateTimestampIDStatusList& scts,
100 net::ct::SCTVerifyStatus status) {
101 for (content::SignedCertificateTimestampIDStatusList::const_iterator it =
102 scts.begin();
103 it != scts.end();
104 ++it) {
105 if (it->status == status)
106 return true;
107 }
108
109 return false;
110 }
111
112 int GetSiteIdentityDetailsMessageByCTInfo(
113 const content::SignedCertificateTimestampIDStatusList& scts,
114 bool is_ev) {
115 // No SCTs - no CT information.
116 if (scts.empty())
117 return (is_ev ? IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_NO_CT
118 : IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_NO_CT);
119
120 if (CertificateTransparencyStatusMatch(scts, net::ct::SCT_STATUS_OK))
121 return (is_ev ? IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_CT_VERIFIED
122 : IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_CT_VERIFIED);
123
124 if (CertificateTransparencyStatusMatch(scts, net::ct::SCT_STATUS_INVALID))
125 return (is_ev ? IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_CT_INVALID
126 : IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_CT_INVALID);
127
128 // status is SCT_STATUS_LOG_UNKNOWN
129 return (is_ev ? IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_CT_UNVERIFIED
130 : IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_CT_UNVERIFIED);
131 }
132
133 // This function will return SITE_IDENTITY_STATUS_CERT or
134 // SITE_IDENTITY_STATUS_EV_CERT depending on |is_ev| unless there are SCTs
135 // which failed verification, in which case it will return
136 // SITE_IDENTITY_STATUS_ERROR.
137 WebsiteSettings::SiteIdentityStatus GetSiteIdentityStatusByCTInfo(
138 const content::SignedCertificateTimestampIDStatusList& scts,
139 bool is_ev) {
140 if (CertificateTransparencyStatusMatch(scts, net::ct::SCT_STATUS_INVALID))
141 return WebsiteSettings::SITE_IDENTITY_STATUS_ERROR;
142
143 return is_ev ? WebsiteSettings::SITE_IDENTITY_STATUS_EV_CERT
144 : WebsiteSettings::SITE_IDENTITY_STATUS_CERT;
145 }
146
147 } // namespace
148
149 WebsiteSettings::WebsiteSettings(
150 WebsiteSettingsUI* ui,
151 Profile* profile,
152 TabSpecificContentSettings* tab_specific_content_settings,
153 content::WebContents* web_contents,
154 const GURL& url,
155 const content::SSLStatus& ssl,
156 content::CertStore* cert_store)
157 : TabSpecificContentSettings::SiteDataObserver(
158 tab_specific_content_settings),
159 ui_(ui),
160 web_contents_(web_contents),
161 show_info_bar_(false),
162 site_url_(url),
163 site_identity_status_(SITE_IDENTITY_STATUS_UNKNOWN),
164 cert_id_(0),
165 site_connection_status_(SITE_CONNECTION_STATUS_UNKNOWN),
166 cert_store_(cert_store),
167 content_settings_(profile->GetHostContentSettingsMap()),
168 chrome_ssl_host_state_delegate_(
169 ChromeSSLHostStateDelegateFactory::GetForProfile(profile)),
170 did_revoke_user_ssl_decisions_(false) {
171 Init(profile, url, ssl);
172
173 PresentSitePermissions();
174 PresentSiteData();
175 PresentSiteIdentity();
176
177 // Every time the Website Settings UI is opened a |WebsiteSettings| object is
178 // created. So this counts how ofter the Website Settings UI is opened.
179 RecordWebsiteSettingsAction(WEBSITE_SETTINGS_OPENED);
180 }
181
182 WebsiteSettings::~WebsiteSettings() {
183 }
184
185 void WebsiteSettings::RecordWebsiteSettingsAction(
186 WebsiteSettingsAction action) {
187 UMA_HISTOGRAM_ENUMERATION("WebsiteSettings.Action",
188 action,
189 WEBSITE_SETTINGS_COUNT);
190
191 // Use a separate histogram to record actions if they are done on a page with
192 // an HTTPS URL. Note that this *disregards* security status.
193 //
194
195 // TODO(palmer): Consider adding a new histogram for
196 // GURL::SchemeIsCryptographic. (We don't want to replace this call with a
197 // call to that function because we don't want to change the meanings of
198 // existing metrics.) This would inform the decision to mark non-secure
199 // origins as Dubious or Non-Secure; the overall bug for that is
200 // crbug.com/454579.
201 if (site_url_.SchemeIs(url::kHttpsScheme)) {
202 UMA_HISTOGRAM_ENUMERATION("WebsiteSettings.Action.HttpsUrl",
203 action,
204 WEBSITE_SETTINGS_COUNT);
205 }
206 }
207
208 // Get corresponding Rappor Metric.
209 const std::string GetRapporMetric(ContentSettingsType permission) {
210 std::string permission_str;
211 switch (permission) {
212 case CONTENT_SETTINGS_TYPE_GEOLOCATION:
213 permission_str = "Geolocation";
214 break;
215 case CONTENT_SETTINGS_TYPE_NOTIFICATIONS:
216 permission_str = "Notifications";
217 break;
218 case CONTENT_SETTINGS_TYPE_MEDIASTREAM_MIC:
219 permission_str = "Mic";
220 break;
221 case CONTENT_SETTINGS_TYPE_MEDIASTREAM_CAMERA:
222 permission_str = "Camera";
223 break;
224 default:
225 return "";
226 }
227
228 return base::StringPrintf("ContentSettings.PermissionActions_%s.Revoked.Url",
229 permission_str.c_str());
230 }
231
232 void WebsiteSettings::OnSitePermissionChanged(ContentSettingsType type,
233 ContentSetting setting) {
234 // Count how often a permission for a specific content type is changed using
235 // the Website Settings UI.
236 size_t num_values;
237 int histogram_value = ContentSettingTypeToHistogramValue(type, &num_values);
238 UMA_HISTOGRAM_ENUMERATION("WebsiteSettings.OriginInfo.PermissionChanged",
239 histogram_value, num_values);
240
241 if (setting == ContentSetting::CONTENT_SETTING_ALLOW) {
242 UMA_HISTOGRAM_ENUMERATION(
243 "WebsiteSettings.OriginInfo.PermissionChanged.Allowed", histogram_value,
244 num_values);
245 } else if (setting == ContentSetting::CONTENT_SETTING_BLOCK) {
246 UMA_HISTOGRAM_ENUMERATION(
247 "WebsiteSettings.OriginInfo.PermissionChanged.Blocked", histogram_value,
248 num_values);
249 // Trigger Rappor sampling if it is a permission revoke action.
250 const std::string& rappor_metric = GetRapporMetric(type);
251 if (!rappor_metric.empty()) {
252 rappor::SampleDomainAndRegistryFromGURL(
253 g_browser_process->rappor_service(), rappor_metric, this->site_url_);
254 }
255 }
256
257 // This is technically redundant given the histogram above, but putting the
258 // total count of permission changes in another histogram makes it easier to
259 // compare it against other kinds of actions in WebsiteSettings[PopupView].
260 RecordWebsiteSettingsAction(WEBSITE_SETTINGS_CHANGED_PERMISSION);
261
262 ContentSettingsPattern primary_pattern;
263 ContentSettingsPattern secondary_pattern;
264 switch (type) {
265 case CONTENT_SETTINGS_TYPE_GEOLOCATION:
266 case CONTENT_SETTINGS_TYPE_MIDI_SYSEX:
267 case CONTENT_SETTINGS_TYPE_FULLSCREEN:
268 // TODO(markusheintz): The rule we create here should also change the
269 // location permission for iframed content.
270 primary_pattern = ContentSettingsPattern::FromURLNoWildcard(site_url_);
271 secondary_pattern = ContentSettingsPattern::FromURLNoWildcard(site_url_);
272 break;
273 case CONTENT_SETTINGS_TYPE_NOTIFICATIONS:
274 primary_pattern = ContentSettingsPattern::FromURLNoWildcard(site_url_);
275 secondary_pattern = ContentSettingsPattern::Wildcard();
276 break;
277 case CONTENT_SETTINGS_TYPE_IMAGES:
278 case CONTENT_SETTINGS_TYPE_JAVASCRIPT:
279 case CONTENT_SETTINGS_TYPE_PLUGINS:
280 case CONTENT_SETTINGS_TYPE_POPUPS:
281 case CONTENT_SETTINGS_TYPE_MOUSELOCK:
282 case CONTENT_SETTINGS_TYPE_AUTOMATIC_DOWNLOADS:
283 case CONTENT_SETTINGS_TYPE_PUSH_MESSAGING:
284 primary_pattern = ContentSettingsPattern::FromURL(site_url_);
285 secondary_pattern = ContentSettingsPattern::Wildcard();
286 break;
287 case CONTENT_SETTINGS_TYPE_MEDIASTREAM_MIC:
288 case CONTENT_SETTINGS_TYPE_MEDIASTREAM_CAMERA:
289 primary_pattern = ContentSettingsPattern::FromURLNoWildcard(site_url_);
290 secondary_pattern = ContentSettingsPattern::Wildcard();
291 break;
292 default:
293 NOTREACHED() << "ContentSettingsType " << type << "is not supported.";
294 break;
295 }
296
297 // Permission settings are specified via rules. There exists always at least
298 // one rule for the default setting. Get the rule that currently defines
299 // the permission for the given permission |type|. Then test whether the
300 // existing rule is more specific than the rule we are about to create. If
301 // the existing rule is more specific, than change the existing rule instead
302 // of creating a new rule that would be hidden behind the existing rule.
303 content_settings::SettingInfo info;
304 scoped_ptr<base::Value> v =
305 content_settings_->GetWebsiteSetting(
306 site_url_, site_url_, type, std::string(), &info);
307 content_settings_->SetNarrowestWebsiteSetting(
308 primary_pattern, secondary_pattern, type, std::string(), setting, info);
309
310 show_info_bar_ = true;
311
312 // TODO(markusheintz): This is a temporary hack to fix issue:
313 // http://crbug.com/144203.
314 #if defined(OS_MACOSX)
315 // Refresh the UI to reflect the new setting.
316 PresentSitePermissions();
317 #endif
318 }
319
320 void WebsiteSettings::OnSiteDataAccessed() {
321 PresentSiteData();
322 }
323
324 void WebsiteSettings::OnUIClosing() {
325 #if defined(OS_ANDROID)
326 NOTREACHED();
327 #else
328 if (show_info_bar_ && web_contents_) {
329 InfoBarService* infobar_service =
330 InfoBarService::FromWebContents(web_contents_);
331 if (infobar_service)
332 WebsiteSettingsInfoBarDelegate::Create(infobar_service);
333 }
334
335 SSLCertificateDecisionsDidRevoke user_decision =
336 did_revoke_user_ssl_decisions_ ? USER_CERT_DECISIONS_REVOKED
337 : USER_CERT_DECISIONS_NOT_REVOKED;
338
339 UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.did_user_revoke_decisions",
340 user_decision,
341 END_OF_SSL_CERTIFICATE_DECISIONS_DID_REVOKE_ENUM);
342 #endif
343 }
344
345 void WebsiteSettings::OnRevokeSSLErrorBypassButtonPressed() {
346 DCHECK(chrome_ssl_host_state_delegate_);
347 chrome_ssl_host_state_delegate_->RevokeUserAllowExceptionsHard(
348 site_url().host());
349 did_revoke_user_ssl_decisions_ = true;
350 }
351
352 void WebsiteSettings::Init(Profile* profile,
353 const GURL& url,
354 const content::SSLStatus& ssl) {
355 bool isChromeUINativeScheme = false;
356 #if defined(OS_ANDROID)
357 isChromeUINativeScheme = url.SchemeIs(chrome::kChromeUINativeScheme);
358 #endif
359
360 if (url.SchemeIs(content::kChromeUIScheme) ||
361 url.SchemeIs(url::kAboutScheme) || isChromeUINativeScheme) {
362 site_identity_status_ = SITE_IDENTITY_STATUS_INTERNAL_PAGE;
363 site_identity_details_ =
364 l10n_util::GetStringUTF16(IDS_PAGE_INFO_INTERNAL_PAGE);
365 site_connection_status_ = SITE_CONNECTION_STATUS_INTERNAL_PAGE;
366 return;
367 }
368
369 scoped_refptr<net::X509Certificate> cert;
370
371 // Identity section.
372 base::string16 subject_name(UTF8ToUTF16(url.host()));
373 if (subject_name.empty()) {
374 subject_name.assign(
375 l10n_util::GetStringUTF16(IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
376 }
377
378 cert_id_ = ssl.cert_id;
379
380 if (ssl.cert_id &&
381 cert_store_->RetrieveCert(ssl.cert_id, &cert) &&
382 (!net::IsCertStatusError(ssl.cert_status) ||
383 net::IsCertStatusMinorError(ssl.cert_status))) {
384 // There are no major errors. Check for minor errors.
385 #if defined(OS_CHROMEOS)
386 policy::PolicyCertService* service =
387 policy::PolicyCertServiceFactory::GetForProfile(profile);
388 const bool used_policy_certs = service && service->UsedPolicyCertificates();
389 #else
390 const bool used_policy_certs = false;
391 #endif
392 if (used_policy_certs) {
393 site_identity_status_ = SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT;
394 site_identity_details_ = l10n_util::GetStringFUTF16(
395 IDS_CERT_POLICY_PROVIDED_CERT_MESSAGE, UTF8ToUTF16(url.host()));
396 } else if (net::IsCertStatusMinorError(ssl.cert_status)) {
397 site_identity_status_ = SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN;
398 base::string16 issuer_name(UTF8ToUTF16(cert->issuer().GetDisplayName()));
399 if (issuer_name.empty()) {
400 issuer_name.assign(l10n_util::GetStringUTF16(
401 IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
402 }
403
404 site_identity_details_.assign(l10n_util::GetStringFUTF16(
405 GetSiteIdentityDetailsMessageByCTInfo(
406 ssl.signed_certificate_timestamp_ids, false /* not EV */),
407 issuer_name));
408
409 site_identity_details_ += ASCIIToUTF16("\n\n");
410 if (ssl.cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION) {
411 site_identity_details_ += l10n_util::GetStringUTF16(
412 IDS_PAGE_INFO_SECURITY_TAB_UNABLE_TO_CHECK_REVOCATION);
413 } else if (ssl.cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM) {
414 site_identity_details_ += l10n_util::GetStringUTF16(
415 IDS_PAGE_INFO_SECURITY_TAB_NO_REVOCATION_MECHANISM);
416 } else {
417 NOTREACHED() << "Need to specify string for this warning";
418 }
419 } else {
420 if (ssl.cert_status & net::CERT_STATUS_IS_EV) {
421 // EV HTTPS page.
422 site_identity_status_ = GetSiteIdentityStatusByCTInfo(
423 ssl.signed_certificate_timestamp_ids, true);
424 DCHECK(!cert->subject().organization_names.empty());
425 organization_name_ = UTF8ToUTF16(cert->subject().organization_names[0]);
426 // An EV Cert is required to have a city (localityName) and country but
427 // state is "if any".
428 DCHECK(!cert->subject().locality_name.empty());
429 DCHECK(!cert->subject().country_name.empty());
430 base::string16 locality;
431 if (!cert->subject().state_or_province_name.empty()) {
432 locality = l10n_util::GetStringFUTF16(
433 IDS_PAGEINFO_ADDRESS,
434 UTF8ToUTF16(cert->subject().locality_name),
435 UTF8ToUTF16(cert->subject().state_or_province_name),
436 UTF8ToUTF16(cert->subject().country_name));
437 } else {
438 locality = l10n_util::GetStringFUTF16(
439 IDS_PAGEINFO_PARTIAL_ADDRESS,
440 UTF8ToUTF16(cert->subject().locality_name),
441 UTF8ToUTF16(cert->subject().country_name));
442 }
443 DCHECK(!cert->subject().organization_names.empty());
444 site_identity_details_.assign(l10n_util::GetStringFUTF16(
445 GetSiteIdentityDetailsMessageByCTInfo(
446 ssl.signed_certificate_timestamp_ids, true /* is EV */),
447 UTF8ToUTF16(cert->subject().organization_names[0]),
448 locality,
449 UTF8ToUTF16(cert->issuer().GetDisplayName())));
450 } else {
451 // Non-EV OK HTTPS page.
452 site_identity_status_ = GetSiteIdentityStatusByCTInfo(
453 ssl.signed_certificate_timestamp_ids, false);
454 base::string16 issuer_name(
455 UTF8ToUTF16(cert->issuer().GetDisplayName()));
456 if (issuer_name.empty()) {
457 issuer_name.assign(l10n_util::GetStringUTF16(
458 IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
459 }
460
461 site_identity_details_.assign(l10n_util::GetStringFUTF16(
462 GetSiteIdentityDetailsMessageByCTInfo(
463 ssl.signed_certificate_timestamp_ids, false /* not EV */),
464 issuer_name));
465 }
466 // The date after which no new SHA-1 certificates may be issued.
467 // 2016-01-01 00:00:00 UTC
468 static const int64_t kSHA1LastIssuanceDate = INT64_C(13096080000000000);
469 if ((ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT) &&
470 cert->valid_expiry() >
471 base::Time::FromInternalValue(kSHA1LastIssuanceDate)) {
472 site_identity_status_ =
473 SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM;
474 site_identity_details_ +=
475 UTF8ToUTF16("\n\n") +
476 l10n_util::GetStringUTF16(
477 IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM);
478 }
479 }
480 } else {
481 // HTTP or HTTPS with errors (not warnings).
482 site_identity_details_.assign(l10n_util::GetStringUTF16(
483 IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY));
484 if (ssl.security_style == content::SECURITY_STYLE_UNAUTHENTICATED)
485 site_identity_status_ = SITE_IDENTITY_STATUS_NO_CERT;
486 else
487 site_identity_status_ = SITE_IDENTITY_STATUS_ERROR;
488
489 const base::string16 bullet = UTF8ToUTF16("\n • ");
490 std::vector<SSLErrorInfo> errors;
491 SSLErrorInfo::GetErrorsForCertStatus(ssl.cert_id, ssl.cert_status,
492 url, &errors);
493 for (size_t i = 0; i < errors.size(); ++i) {
494 site_identity_details_ += bullet;
495 site_identity_details_ += errors[i].short_description();
496 }
497
498 if (ssl.cert_status & net::CERT_STATUS_NON_UNIQUE_NAME) {
499 site_identity_details_ += ASCIIToUTF16("\n\n");
500 site_identity_details_ += l10n_util::GetStringUTF16(
501 IDS_PAGE_INFO_SECURITY_TAB_NON_UNIQUE_NAME);
502 }
503 }
504
505 // Site Connection
506 // We consider anything less than 80 bits encryption to be weak encryption.
507 // TODO(wtc): Bug 1198735: report mixed/unsafe content for unencrypted and
508 // weakly encrypted connections.
509 site_connection_status_ = SITE_CONNECTION_STATUS_UNKNOWN;
510
511 if (ssl.security_style == content::SECURITY_STYLE_UNKNOWN) {
512 // Page is still loading, so SSL status is not yet available. Say nothing.
513 DCHECK_EQ(ssl.security_bits, -1);
514 site_connection_status_ = SITE_CONNECTION_STATUS_UNENCRYPTED;
515
516 site_connection_details_.assign(l10n_util::GetStringFUTF16(
517 IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT,
518 subject_name));
519 } else if (ssl.security_style == content::SECURITY_STYLE_UNAUTHENTICATED) {
520 // HTTPS without a certificate, or not HTTPS.
521 DCHECK(!ssl.cert_id);
522 site_connection_status_ = SITE_CONNECTION_STATUS_UNENCRYPTED;
523
524 site_connection_details_.assign(l10n_util::GetStringFUTF16(
525 IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT,
526 subject_name));
527 } else if (ssl.security_bits < 0) {
528 // Security strength is unknown. Say nothing.
529 site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
530 } else if (ssl.security_bits == 0) {
531 DCHECK_NE(ssl.security_style, content::SECURITY_STYLE_UNAUTHENTICATED);
532 site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
533 site_connection_details_.assign(l10n_util::GetStringFUTF16(
534 IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT,
535 subject_name));
536 } else {
537 site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED;
538
539 if (net::SSLConnectionStatusToVersion(ssl.connection_status) >=
540 net::SSL_CONNECTION_VERSION_TLS1_2 &&
541 net::IsSecureTLSCipherSuite(
542 net::SSLConnectionStatusToCipherSuite(ssl.connection_status))) {
543 site_connection_details_.assign(l10n_util::GetStringFUTF16(
544 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT,
545 subject_name));
546 } else {
547 site_connection_details_.assign(l10n_util::GetStringFUTF16(
548 IDS_PAGE_INFO_SECURITY_TAB_WEAK_ENCRYPTION_CONNECTION_TEXT,
549 subject_name));
550 }
551
552 if (ssl.content_status) {
553 bool ran_insecure_content =
554 !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT);
555 site_connection_status_ = ran_insecure_content
556 ? SITE_CONNECTION_STATUS_MIXED_SCRIPT
557 : SITE_CONNECTION_STATUS_MIXED_CONTENT;
558 site_connection_details_.assign(l10n_util::GetStringFUTF16(
559 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_SENTENCE_LINK,
560 site_connection_details_,
561 l10n_util::GetStringUTF16(ran_insecure_content ?
562 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR :
563 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING)));
564 }
565 }
566
567 uint16 cipher_suite =
568 net::SSLConnectionStatusToCipherSuite(ssl.connection_status);
569 if (ssl.security_bits > 0 && cipher_suite) {
570 int ssl_version =
571 net::SSLConnectionStatusToVersion(ssl.connection_status);
572 const char* ssl_version_str;
573 net::SSLVersionToString(&ssl_version_str, ssl_version);
574 site_connection_details_ += ASCIIToUTF16("\n\n");
575 site_connection_details_ += l10n_util::GetStringFUTF16(
576 IDS_PAGE_INFO_SECURITY_TAB_SSL_VERSION,
577 ASCIIToUTF16(ssl_version_str));
578
579 bool no_renegotiation =
580 (ssl.connection_status &
581 net::SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION) != 0;
582 const char *key_exchange, *cipher, *mac;
583 bool is_aead;
584 net::SSLCipherSuiteToStrings(
585 &key_exchange, &cipher, &mac, &is_aead, cipher_suite);
586
587 site_connection_details_ += ASCIIToUTF16("\n\n");
588 if (is_aead) {
589 site_connection_details_ += l10n_util::GetStringFUTF16(
590 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTION_DETAILS_AEAD,
591 ASCIIToUTF16(cipher), ASCIIToUTF16(key_exchange));
592 } else {
593 site_connection_details_ += l10n_util::GetStringFUTF16(
594 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTION_DETAILS,
595 ASCIIToUTF16(cipher), ASCIIToUTF16(mac), ASCIIToUTF16(key_exchange));
596 }
597
598 if (ssl_version == net::SSL_CONNECTION_VERSION_SSL3 &&
599 site_connection_status_ < SITE_CONNECTION_STATUS_MIXED_CONTENT) {
600 site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
601 }
602
603 const bool did_fallback =
604 (ssl.connection_status & net::SSL_CONNECTION_VERSION_FALLBACK) != 0;
605 if (did_fallback) {
606 site_connection_details_ += ASCIIToUTF16("\n\n");
607 site_connection_details_ += l10n_util::GetStringUTF16(
608 IDS_PAGE_INFO_SECURITY_TAB_FALLBACK_MESSAGE);
609 }
610
611 if (no_renegotiation) {
612 site_connection_details_ += ASCIIToUTF16("\n\n");
613 site_connection_details_ += l10n_util::GetStringUTF16(
614 IDS_PAGE_INFO_SECURITY_TAB_RENEGOTIATION_MESSAGE);
615 }
616 }
617
618 // Check if a user decision has been made to allow or deny certificates with
619 // errors on this site.
620 ChromeSSLHostStateDelegate* delegate =
621 ChromeSSLHostStateDelegateFactory::GetForProfile(profile);
622 DCHECK(delegate);
623 // Only show an SSL decision revoke button if the user has chosen to bypass
624 // SSL host errors for this host in the past.
625 show_ssl_decision_revoke_button_ = delegate->HasAllowException(url.host());
626
627 // By default select the permissions tab that displays all the site
628 // permissions. In case of a connection error or an issue with the
629 // certificate presented by the website, select the connection tab to draw
630 // the user's attention to the issue. If the site does not provide a
631 // certificate because it was loaded over an unencrypted connection, don't
632 // select the connection tab.
633 WebsiteSettingsUI::TabId tab_id = WebsiteSettingsUI::TAB_ID_PERMISSIONS;
634 if (site_connection_status_ == SITE_CONNECTION_STATUS_ENCRYPTED_ERROR ||
635 site_connection_status_ == SITE_CONNECTION_STATUS_MIXED_CONTENT ||
636 site_identity_status_ == SITE_IDENTITY_STATUS_ERROR ||
637 site_identity_status_ == SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN ||
638 site_identity_status_ == SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT ||
639 site_identity_status_ ==
640 SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM) {
641 tab_id = WebsiteSettingsUI::TAB_ID_CONNECTION;
642 RecordWebsiteSettingsAction(
643 WEBSITE_SETTINGS_CONNECTION_TAB_SHOWN_IMMEDIATELY);
644 }
645 ui_->SetSelectedTab(tab_id);
646 }
647
648 void WebsiteSettings::PresentSitePermissions() {
649 PermissionInfoList permission_info_list;
650
651 WebsiteSettingsUI::PermissionInfo permission_info;
652 for (size_t i = 0; i < arraysize(kPermissionType); ++i) {
653 permission_info.type = kPermissionType[i];
654
655 content_settings::SettingInfo info;
656 scoped_ptr<base::Value> value =
657 content_settings_->GetWebsiteSetting(
658 site_url_, site_url_, permission_info.type, std::string(), &info);
659 DCHECK(value.get());
660 if (value->GetType() == base::Value::TYPE_INTEGER) {
661 permission_info.setting =
662 content_settings::ValueToContentSetting(value.get());
663 } else {
664 NOTREACHED();
665 }
666
667 permission_info.source = info.source;
668
669 if (info.primary_pattern == ContentSettingsPattern::Wildcard() &&
670 info.secondary_pattern == ContentSettingsPattern::Wildcard()) {
671 permission_info.default_setting = permission_info.setting;
672 permission_info.setting = CONTENT_SETTING_DEFAULT;
673 } else {
674 permission_info.default_setting =
675 content_settings_->GetDefaultContentSetting(permission_info.type,
676 NULL);
677 }
678
679 if (permission_info.setting != CONTENT_SETTING_DEFAULT &&
680 permission_info.setting != permission_info.default_setting) {
681 permission_info_list.push_back(permission_info);
682 }
683 }
684
685 ui_->SetPermissionInfo(permission_info_list);
686 }
687
688 void WebsiteSettings::PresentSiteData() {
689 CookieInfoList cookie_info_list;
690 const LocalSharedObjectsCounter& allowed_objects =
691 tab_specific_content_settings()->allowed_local_shared_objects();
692 const LocalSharedObjectsCounter& blocked_objects =
693 tab_specific_content_settings()->blocked_local_shared_objects();
694
695 // Add first party cookie and site data counts.
696 WebsiteSettingsUI::CookieInfo cookie_info;
697 cookie_info.cookie_source =
698 l10n_util::GetStringUTF8(IDS_WEBSITE_SETTINGS_FIRST_PARTY_SITE_DATA);
699 cookie_info.allowed = allowed_objects.GetObjectCountForDomain(site_url_);
700 cookie_info.blocked = blocked_objects.GetObjectCountForDomain(site_url_);
701 cookie_info.is_first_party = true;
702 cookie_info_list.push_back(cookie_info);
703
704 // Add third party cookie counts.
705 cookie_info.cookie_source = l10n_util::GetStringUTF8(
706 IDS_WEBSITE_SETTINGS_THIRD_PARTY_SITE_DATA);
707 cookie_info.allowed = allowed_objects.GetObjectCount() - cookie_info.allowed;
708 cookie_info.blocked = blocked_objects.GetObjectCount() - cookie_info.blocked;
709 cookie_info.is_first_party = false;
710 cookie_info_list.push_back(cookie_info);
711
712 ui_->SetCookieInfo(cookie_info_list);
713 }
714
715 void WebsiteSettings::PresentSiteIdentity() {
716 // After initialization the status about the site's connection and its
717 // identity must be available.
718 DCHECK_NE(site_identity_status_, SITE_IDENTITY_STATUS_UNKNOWN);
719 DCHECK_NE(site_connection_status_, SITE_CONNECTION_STATUS_UNKNOWN);
720 WebsiteSettingsUI::IdentityInfo info;
721 if (site_identity_status_ == SITE_IDENTITY_STATUS_EV_CERT)
722 info.site_identity = UTF16ToUTF8(organization_name());
723 else
724 info.site_identity = site_url_.host();
725
726 info.connection_status = site_connection_status_;
727 info.connection_status_description =
728 UTF16ToUTF8(site_connection_details_);
729 info.identity_status = site_identity_status_;
730 info.identity_status_description =
731 UTF16ToUTF8(site_identity_details_);
732 info.cert_id = cert_id_;
733 info.show_ssl_decision_revoke_button = show_ssl_decision_revoke_button_;
734 ui_->SetIdentityInfo(info);
735 }