Re-subimission of https://codereview.chromium.org/1041213003/
[chromium-blink-merge.git] / content / browser / ssl / ssl_policy.cc
blob610f741dd98f65e6dd77777a0f63a98029536393
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/browser/ssl/ssl_policy.h"
7 #include "base/base_switches.h"
8 #include "base/bind.h"
9 #include "base/command_line.h"
10 #include "base/memory/singleton.h"
11 #include "base/strings/string_piece.h"
12 #include "base/strings/string_util.h"
13 #include "content/browser/frame_host/navigation_entry_impl.h"
14 #include "content/browser/renderer_host/render_process_host_impl.h"
15 #include "content/browser/renderer_host/render_view_host_impl.h"
16 #include "content/browser/site_instance_impl.h"
17 #include "content/browser/ssl/ssl_cert_error_handler.h"
18 #include "content/browser/ssl/ssl_request_info.h"
19 #include "content/browser/web_contents/web_contents_impl.h"
20 #include "content/public/browser/content_browser_client.h"
21 #include "content/public/common/resource_type.h"
22 #include "content/public/common/ssl_status.h"
23 #include "content/public/common/url_constants.h"
24 #include "net/ssl/ssl_info.h"
27 namespace content {
29 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
30 : backend_(backend) {
31 DCHECK(backend_);
34 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
35 bool expired_previous_decision;
36 // First we check if we know the policy for this error.
37 DCHECK(handler->ssl_info().is_valid());
38 SSLHostStateDelegate::CertJudgment judgment =
39 backend_->QueryPolicy(*handler->ssl_info().cert.get(),
40 handler->request_url().host(),
41 handler->cert_error(),
42 &expired_previous_decision);
44 if (judgment == SSLHostStateDelegate::ALLOWED) {
45 handler->ContinueRequest();
46 return;
49 // For all other hosts, which must be DENIED, a blocking page is shown to the
50 // user every time they come back to the page.
51 int options_mask = 0;
52 switch (handler->cert_error()) {
53 case net::ERR_CERT_COMMON_NAME_INVALID:
54 case net::ERR_CERT_DATE_INVALID:
55 case net::ERR_CERT_AUTHORITY_INVALID:
56 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
57 case net::ERR_CERT_WEAK_KEY:
58 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
59 case net::ERR_CERT_VALIDITY_TOO_LONG:
60 if (!handler->fatal())
61 options_mask |= OVERRIDABLE;
62 else
63 options_mask |= STRICT_ENFORCEMENT;
64 if (expired_previous_decision)
65 options_mask |= EXPIRED_PREVIOUS_DECISION;
66 OnCertErrorInternal(handler, options_mask);
67 break;
68 case net::ERR_CERT_NO_REVOCATION_MECHANISM:
69 // Ignore this error.
70 handler->ContinueRequest();
71 break;
72 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
73 // We ignore this error but will show a warning status in the location
74 // bar.
75 handler->ContinueRequest();
76 break;
77 case net::ERR_CERT_CONTAINS_ERRORS:
78 case net::ERR_CERT_REVOKED:
79 case net::ERR_CERT_INVALID:
80 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
81 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
82 if (handler->fatal())
83 options_mask |= STRICT_ENFORCEMENT;
84 if (expired_previous_decision)
85 options_mask |= EXPIRED_PREVIOUS_DECISION;
86 OnCertErrorInternal(handler, options_mask);
87 break;
88 default:
89 NOTREACHED();
90 handler->CancelRequest();
91 break;
95 void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry,
96 const std::string& security_origin) {
97 if (!entry)
98 return;
100 SiteInstance* site_instance = entry->site_instance();
101 if (!site_instance)
102 return;
104 backend_->HostRanInsecureContent(GURL(security_origin).host(),
105 site_instance->GetProcess()->GetID());
108 void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
109 // TODO(abarth): This mechanism is wrong. What we should be doing is sending
110 // this information back through WebKit and out some FrameLoaderClient
111 // methods.
113 if (net::IsCertStatusError(info->ssl_cert_status()))
114 backend_->HostRanInsecureContent(info->url().host(), info->child_id());
117 void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry,
118 WebContentsImpl* web_contents) {
119 DCHECK(entry);
121 InitializeEntryIfNeeded(entry);
123 if (!entry->GetURL().SchemeIsSecure())
124 return;
126 if (!web_contents->DisplayedInsecureContent())
127 entry->GetSSL().content_status &= ~SSLStatus::DISPLAYED_INSECURE_CONTENT;
129 // An HTTPS response may not have a certificate for some reason. When that
130 // happens, use the unauthenticated (HTTP) rather than the authentication
131 // broken security style so that we can detect this error condition.
132 if (!entry->GetSSL().cert_id) {
133 entry->GetSSL().security_style = SECURITY_STYLE_UNAUTHENTICATED;
134 return;
137 if (web_contents->DisplayedInsecureContent())
138 entry->GetSSL().content_status |= SSLStatus::DISPLAYED_INSECURE_CONTENT;
140 if (net::IsCertStatusError(entry->GetSSL().cert_status)) {
141 // Minor errors don't lower the security style to
142 // SECURITY_STYLE_AUTHENTICATION_BROKEN.
143 if (!net::IsCertStatusMinorError(entry->GetSSL().cert_status)) {
144 entry->GetSSL().security_style =
145 SECURITY_STYLE_AUTHENTICATION_BROKEN;
147 return;
150 SiteInstance* site_instance = entry->site_instance();
151 // Note that |site_instance| can be NULL here because NavigationEntries don't
152 // necessarily have site instances. Without a process, the entry can't
153 // possibly have insecure content. See bug http://crbug.com/12423.
154 if (site_instance &&
155 backend_->DidHostRunInsecureContent(
156 entry->GetURL().host(), site_instance->GetProcess()->GetID())) {
157 entry->GetSSL().security_style =
158 SECURITY_STYLE_AUTHENTICATION_BROKEN;
159 entry->GetSSL().content_status |= SSLStatus::RAN_INSECURE_CONTENT;
160 return;
164 void SSLPolicy::OnAllowCertificate(scoped_refptr<SSLCertErrorHandler> handler,
165 bool allow) {
166 DCHECK(handler->ssl_info().is_valid());
167 if (allow) {
168 // Default behavior for accepting a certificate.
169 // Note that we should not call SetMaxSecurityStyle here, because the active
170 // NavigationEntry has just been deleted (in HideInterstitialPage) and the
171 // new NavigationEntry will not be set until DidNavigate. This is ok,
172 // because the new NavigationEntry will have its max security style set
173 // within DidNavigate.
175 // While AllowCertForHost() executes synchronously on this thread,
176 // ContinueRequest() gets posted to a different thread. Calling
177 // AllowCertForHost() first ensures deterministic ordering.
178 backend_->AllowCertForHost(*handler->ssl_info().cert.get(),
179 handler->request_url().host(),
180 handler->cert_error());
181 handler->ContinueRequest();
182 } else {
183 // Default behavior for rejecting a certificate.
184 handler->CancelRequest();
188 ////////////////////////////////////////////////////////////////////////////////
189 // Certificate Error Routines
191 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
192 int options_mask) {
193 bool overridable = (options_mask & OVERRIDABLE) != 0;
194 bool strict_enforcement = (options_mask & STRICT_ENFORCEMENT) != 0;
195 bool expired_previous_decision =
196 (options_mask & EXPIRED_PREVIOUS_DECISION) != 0;
197 CertificateRequestResultType result =
198 CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE;
199 GetContentClient()->browser()->AllowCertificateError(
200 handler->render_process_id(),
201 handler->render_frame_id(),
202 handler->cert_error(),
203 handler->ssl_info(),
204 handler->request_url(),
205 handler->resource_type(),
206 overridable,
207 strict_enforcement,
208 expired_previous_decision,
209 base::Bind(&SSLPolicy::OnAllowCertificate,
210 base::Unretained(this),
211 make_scoped_refptr(handler)),
212 &result);
213 switch (result) {
214 case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE:
215 break;
216 case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL:
217 handler->CancelRequest();
218 break;
219 case CERTIFICATE_REQUEST_RESULT_TYPE_DENY:
220 handler->DenyRequest();
221 break;
222 default:
223 NOTREACHED();
227 void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) {
228 if (entry->GetSSL().security_style != SECURITY_STYLE_UNKNOWN)
229 return;
231 entry->GetSSL().security_style = entry->GetURL().SchemeIsSecure() ?
232 SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED;
235 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
236 GURL parsed_origin(origin);
237 if (parsed_origin.SchemeIsSecure())
238 backend_->HostRanInsecureContent(parsed_origin.host(), pid);
241 } // namespace content