search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / chrome / browser / ssl / ssl_browser_tests.cc
blob78ae5a0adb0cf96135f68ec236b8a64753c9f3d4
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/bind.h"
6 #include "base/bind_helpers.h"
7 #include "base/callback.h"
8 #include "base/command_line.h"
9 #include "base/location.h"
10 #include "base/metrics/field_trial.h"
11 #include "base/prefs/pref_service.h"
12 #include "base/single_thread_task_runner.h"
13 #include "base/strings/string_util.h"
14 #include "base/strings/stringprintf.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/thread_task_runner_handle.h"
17 #include "base/time/time.h"
18 #include "chrome/app/chrome_command_ids.h"
19 #include "chrome/browser/browser_process.h"
20 #include "chrome/browser/chrome_notification_types.h"
21 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
22 #include "chrome/browser/net/certificate_error_reporter.h"
23 #include "chrome/browser/profiles/profile.h"
24 #include "chrome/browser/ssl/cert_logger.pb.h"
25 #include "chrome/browser/ssl/cert_report_helper.h"
26 #include "chrome/browser/ssl/certificate_error_report.h"
27 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
28 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
29 #include "chrome/browser/ssl/ssl_blocking_page.h"
30 #include "chrome/browser/ui/browser.h"
31 #include "chrome/browser/ui/browser_commands.h"
32 #include "chrome/browser/ui/browser_navigator.h"
33 #include "chrome/browser/ui/browser_tabstrip.h"
34 #include "chrome/browser/ui/tabs/tab_strip_model.h"
35 #include "chrome/common/chrome_paths.h"
36 #include "chrome/common/chrome_switches.h"
37 #include "chrome/common/pref_names.h"
38 #include "chrome/test/base/in_process_browser_test.h"
39 #include "chrome/test/base/ui_test_utils.h"
40 #include "components/content_settings/core/browser/host_content_settings_map.h"
41 #include "components/variations/variations_associated_data.h"
42 #include "components/web_modal/web_contents_modal_dialog_manager.h"
43 #include "content/public/browser/browser_context.h"
44 #include "content/public/browser/interstitial_page.h"
45 #include "content/public/browser/navigation_controller.h"
46 #include "content/public/browser/navigation_entry.h"
47 #include "content/public/browser/notification_service.h"
48 #include "content/public/browser/render_frame_host.h"
49 #include "content/public/browser/render_view_host.h"
50 #include "content/public/browser/render_widget_host_view.h"
51 #include "content/public/browser/web_contents.h"
52 #include "content/public/browser/web_contents_observer.h"
53 #include "content/public/common/security_style.h"
54 #include "content/public/common/ssl_status.h"
55 #include "content/public/test/browser_test_utils.h"
56 #include "content/public/test/download_test_observer.h"
57 #include "content/public/test/test_renderer_host.h"
58 #include "net/base/host_port_pair.h"
59 #include "net/base/net_errors.h"
60 #include "net/base/test_data_directory.h"
61 #include "net/cert/cert_status_flags.h"
62 #include "net/cert/x509_certificate.h"
63 #include "net/ssl/ssl_info.h"
64 #include "net/test/spawned_test_server/spawned_test_server.h"
65 #include "net/url_request/url_request_context.h"
66
67 #if defined(USE_NSS_CERTS)
68 #include "chrome/browser/net/nss_context.h"
69 #include "net/base/crypto_module.h"
70 #include "net/cert/nss_cert_database.h"
71 #endif // defined(USE_NSS_CERTS)
72
73 using base::ASCIIToUTF16;
74 using chrome_browser_interstitials::SecurityInterstitialIDNTest;
75 using chrome_browser_net::CertificateErrorReporter;
76 using content::InterstitialPage;
77 using content::NavigationController;
78 using content::NavigationEntry;
79 using content::SSLStatus;
80 using content::WebContents;
81 using web_modal::WebContentsModalDialogManager;
82
83 const base::FilePath::CharType kDocRoot[] =
84 FILE_PATH_LITERAL("chrome/test/data");
85
86 namespace {
87
88 class ProvisionalLoadWaiter : public content::WebContentsObserver {
89 public:
90 explicit ProvisionalLoadWaiter(WebContents* tab)
91 : WebContentsObserver(tab), waiting_(false), seen_(false) {}
92
93 void Wait() {
94 if (seen_)
95 return;
96
97 waiting_ = true;
98 content::RunMessageLoop();
99 }
100
101 void DidFailProvisionalLoad(
102 content::RenderFrameHost* render_frame_host,
103 const GURL& validated_url,
104 int error_code,
105 const base::string16& error_description,
106 bool was_ignored_by_handler) override {
107 seen_ = true;
108 if (waiting_)
109 base::MessageLoopForUI::current()->Quit();
110 }
111
112 private:
113 bool waiting_;
114 bool seen_;
115 };
116
117 namespace AuthState {
118
119 enum AuthStateFlags {
120 NONE = 0,
121 DISPLAYED_INSECURE_CONTENT = 1 << 0,
122 RAN_INSECURE_CONTENT = 1 << 1,
123 SHOWING_INTERSTITIAL = 1 << 2,
124 SHOWING_ERROR = 1 << 3
125 };
126
127 void Check(const NavigationEntry& entry, int expected_authentication_state) {
128 if (expected_authentication_state == AuthState::SHOWING_ERROR) {
129 EXPECT_EQ(content::PAGE_TYPE_ERROR, entry.GetPageType());
130 } else {
131 EXPECT_EQ(
132 !!(expected_authentication_state & AuthState::SHOWING_INTERSTITIAL)
133 ? content::PAGE_TYPE_INTERSTITIAL
134 : content::PAGE_TYPE_NORMAL,
135 entry.GetPageType());
136 }
137
138 bool displayed_insecure_content =
139 !!(entry.GetSSL().content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT);
140 EXPECT_EQ(
141 !!(expected_authentication_state & AuthState::DISPLAYED_INSECURE_CONTENT),
142 displayed_insecure_content);
143
144 bool ran_insecure_content =
145 !!(entry.GetSSL().content_status & SSLStatus::RAN_INSECURE_CONTENT);
146 EXPECT_EQ(!!(expected_authentication_state & AuthState::RAN_INSECURE_CONTENT),
147 ran_insecure_content);
148 }
149
150 } // namespace AuthState
151
152 namespace SecurityStyle {
153
154 void Check(const NavigationEntry& entry,
155 content::SecurityStyle expected_security_style) {
156 EXPECT_EQ(expected_security_style, entry.GetSSL().security_style);
157 }
158
159 } // namespace SecurityStyle
160
161 namespace CertError {
162
163 enum CertErrorFlags {
164 NONE = 0
165 };
166
167 void Check(const NavigationEntry& entry, net::CertStatus error) {
168 if (error) {
169 EXPECT_EQ(error, entry.GetSSL().cert_status & error);
170 net::CertStatus extra_cert_errors =
171 error ^ (entry.GetSSL().cert_status & net::CERT_STATUS_ALL_ERRORS);
172 if (extra_cert_errors)
173 LOG(WARNING) << "Got unexpected cert error: " << extra_cert_errors;
174 } else {
175 EXPECT_EQ(0U, entry.GetSSL().cert_status & net::CERT_STATUS_ALL_ERRORS);
176 }
177 }
178
179 } // namespace CertError
180
181 void CheckSecurityState(WebContents* tab,
182 net::CertStatus error,
183 content::SecurityStyle expected_security_style,
184 int expected_authentication_state) {
185 ASSERT_FALSE(tab->IsCrashed());
186 NavigationEntry* entry = tab->GetController().GetActiveEntry();
187 ASSERT_TRUE(entry);
188 CertError::Check(*entry, error);
189 SecurityStyle::Check(*entry, expected_security_style);
190 AuthState::Check(*entry, expected_authentication_state);
191 }
192
193 } // namespace
194
195 class SSLUITest
196 : public CertificateReportingTestUtils::CertificateReportingTest {
197 public:
198 SSLUITest()
199 : https_server_(net::SpawnedTestServer::TYPE_HTTPS,
200 SSLOptions(SSLOptions::CERT_OK),
201 base::FilePath(kDocRoot)),
202 https_server_expired_(net::SpawnedTestServer::TYPE_HTTPS,
203 SSLOptions(SSLOptions::CERT_EXPIRED),
204 base::FilePath(kDocRoot)),
205 https_server_mismatched_(net::SpawnedTestServer::TYPE_HTTPS,
206 SSLOptions(SSLOptions::CERT_MISMATCHED_NAME),
207 base::FilePath(kDocRoot)),
208 wss_server_expired_(net::SpawnedTestServer::TYPE_WSS,
209 SSLOptions(SSLOptions::CERT_EXPIRED),
210 net::GetWebSocketTestDataDirectory()) {}
211
212 void SetUpCommandLine(base::CommandLine* command_line) override {
213 // Browser will both run and display insecure content.
214 command_line->AppendSwitch(switches::kAllowRunningInsecureContent);
215 // Use process-per-site so that navigating to a same-site page in a
216 // new tab will use the same process.
217 command_line->AppendSwitch(switches::kProcessPerSite);
218 }
219
220 void CheckAuthenticatedState(WebContents* tab,
221 int expected_authentication_state) {
222 CheckSecurityState(tab,
223 CertError::NONE,
224 content::SECURITY_STYLE_AUTHENTICATED,
225 expected_authentication_state);
226 }
227
228 void CheckUnauthenticatedState(WebContents* tab,
229 int expected_authentication_state) {
230 CheckSecurityState(tab,
231 CertError::NONE,
232 content::SECURITY_STYLE_UNAUTHENTICATED,
233 expected_authentication_state);
234 }
235
236 void CheckAuthenticationBrokenState(WebContents* tab,
237 net::CertStatus error,
238 int expected_authentication_state) {
239 CheckSecurityState(tab,
240 error,
241 content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
242 expected_authentication_state);
243 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION doesn't lower the security style
244 // to SECURITY_STYLE_AUTHENTICATION_BROKEN.
245 ASSERT_NE(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, error);
246 }
247
248 void CheckWorkerLoadResult(WebContents* tab, bool expected_load) {
249 // Workers are async and we don't have notifications for them passing
250 // messages since they do it between renderer and worker processes.
251 // So have a polling loop, check every 200ms, timeout at 30s.
252 const int kTimeoutMS = 200;
253 base::Time time_to_quit = base::Time::Now() +
254 base::TimeDelta::FromMilliseconds(30000);
255
256 while (base::Time::Now() < time_to_quit) {
257 bool worker_finished = false;
258 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
259 tab,
260 "window.domAutomationController.send(IsWorkerFinished());",
261 &worker_finished));
262
263 if (worker_finished)
264 break;
265
266 // Wait a bit.
267 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
268 FROM_HERE, base::MessageLoop::QuitClosure(),
269 base::TimeDelta::FromMilliseconds(kTimeoutMS));
270 content::RunMessageLoop();
271 }
272
273 bool actually_loaded_content = false;
274 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
275 tab,
276 "window.domAutomationController.send(IsContentLoaded());",
277 &actually_loaded_content));
278 EXPECT_EQ(expected_load, actually_loaded_content);
279 }
280
281 void ProceedThroughInterstitial(WebContents* tab) {
282 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
283 ASSERT_TRUE(interstitial_page);
284 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
285 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
286 content::WindowedNotificationObserver observer(
287 content::NOTIFICATION_LOAD_STOP,
288 content::Source<NavigationController>(&tab->GetController()));
289 interstitial_page->Proceed();
290 observer.Wait();
291 }
292
293 bool IsShowingWebContentsModalDialog() const {
294 return WebContentsModalDialogManager::FromWebContents(
295 browser()->tab_strip_model()->GetActiveWebContents())->
296 IsDialogActive();
297 }
298
299 static bool GetFilePathWithHostAndPortReplacement(
300 const std::string& original_file_path,
301 const net::HostPortPair& host_port_pair,
302 std::string* replacement_path) {
303 std::vector<net::SpawnedTestServer::StringPair> replacement_text;
304 replacement_text.push_back(
305 make_pair("REPLACE_WITH_HOST_AND_PORT", host_port_pair.ToString()));
306 return net::SpawnedTestServer::GetFilePathWithReplacements(
307 original_file_path, replacement_text, replacement_path);
308 }
309
310 static bool GetTopFramePath(const net::SpawnedTestServer& http_server,
311 const net::SpawnedTestServer& good_https_server,
312 const net::SpawnedTestServer& bad_https_server,
313 std::string* top_frame_path) {
314 // The "frame_left.html" page contained in the top_frame.html page contains
315 // <a href>'s to three different servers. This sets up all of the
316 // replacement text to work with test servers which listen on ephemeral
317 // ports.
318 GURL http_url = http_server.GetURL("files/ssl/google.html");
319 GURL good_https_url = good_https_server.GetURL("files/ssl/google.html");
320 GURL bad_https_url = bad_https_server.GetURL(
321 "files/ssl/bad_iframe.html");
322
323 std::vector<net::SpawnedTestServer::StringPair> replacement_text_frame_left;
324 replacement_text_frame_left.push_back(
325 make_pair("REPLACE_WITH_HTTP_PAGE", http_url.spec()));
326 replacement_text_frame_left.push_back(
327 make_pair("REPLACE_WITH_GOOD_HTTPS_PAGE", good_https_url.spec()));
328 replacement_text_frame_left.push_back(
329 make_pair("REPLACE_WITH_BAD_HTTPS_PAGE", bad_https_url.spec()));
330 std::string frame_left_path;
331 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
332 "frame_left.html",
333 replacement_text_frame_left,
334 &frame_left_path))
335 return false;
336
337 // Substitute the generated frame_left URL into the top_frame page.
338 std::vector<net::SpawnedTestServer::StringPair> replacement_text_top_frame;
339 replacement_text_top_frame.push_back(
340 make_pair("REPLACE_WITH_FRAME_LEFT_PATH", frame_left_path));
341 return net::SpawnedTestServer::GetFilePathWithReplacements(
342 "files/ssl/top_frame.html",
343 replacement_text_top_frame,
344 top_frame_path);
345 }
346
347 static bool GetPageWithUnsafeWorkerPath(
348 const net::SpawnedTestServer& https_server,
349 std::string* page_with_unsafe_worker_path) {
350 // Get the "imported.js" URL from the expired https server and
351 // substitute it into the unsafe_worker.js file.
352 GURL imported_js_url = https_server.GetURL("files/ssl/imported.js");
353 std::vector<net::SpawnedTestServer::StringPair>
354 replacement_text_for_unsafe_worker;
355 replacement_text_for_unsafe_worker.push_back(
356 make_pair("REPLACE_WITH_IMPORTED_JS_URL", imported_js_url.spec()));
357 std::string unsafe_worker_path;
358 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
359 "unsafe_worker.js",
360 replacement_text_for_unsafe_worker,
361 &unsafe_worker_path))
362 return false;
363
364 // Now, substitute this into the page with unsafe worker.
365 std::vector<net::SpawnedTestServer::StringPair>
366 replacement_text_for_page_with_unsafe_worker;
367 replacement_text_for_page_with_unsafe_worker.push_back(
368 make_pair("REPLACE_WITH_UNSAFE_WORKER_PATH", unsafe_worker_path));
369 return net::SpawnedTestServer::GetFilePathWithReplacements(
370 "files/ssl/page_with_unsafe_worker.html",
371 replacement_text_for_page_with_unsafe_worker,
372 page_with_unsafe_worker_path);
373 }
374
375 // Helper function for testing invalid certificate chain reporting.
376 void TestBrokenHTTPSReporting(
377 CertificateReportingTestUtils::OptIn opt_in,
378 CertificateReportingTestUtils::Proceed proceed,
379 CertificateReportingTestUtils::ExpectReport expect_report,
380 Browser* browser) {
381 base::RunLoop run_loop;
382 ASSERT_TRUE(https_server_expired_.Start());
383
384 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
385
386 // Opt in to sending reports for invalid certificate chains.
387 CertificateReportingTestUtils::SetCertReportingOptIn(browser, opt_in);
388
389 ui_test_utils::NavigateToURL(browser, https_server_expired_.GetURL("/"));
390
391 WebContents* tab = browser->tab_strip_model()->GetActiveWebContents();
392 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
393 AuthState::SHOWING_INTERSTITIAL);
394
395 scoped_ptr<SSLCertReporter> ssl_cert_reporter =
396 CertificateReportingTestUtils::SetUpMockSSLCertReporter(&run_loop,
397 expect_report);
398
399 SSLBlockingPage* interstitial_page = static_cast<SSLBlockingPage*>(
400 tab->GetInterstitialPage()->GetDelegateForTesting());
401 interstitial_page->SetSSLCertReporterForTesting(ssl_cert_reporter.Pass());
402
403 EXPECT_EQ(std::string(), GetLatestHostnameReported());
404
405 // Leave the interstitial (either by proceeding or going back)
406 if (proceed == CertificateReportingTestUtils::SSL_INTERSTITIAL_PROCEED) {
407 ProceedThroughInterstitial(tab);
408 } else {
409 // Click "Take me back"
410 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
411 ASSERT_TRUE(interstitial_page);
412 interstitial_page->DontProceed();
413 }
414
415 if (expect_report == CertificateReportingTestUtils::CERT_REPORT_EXPECTED) {
416 // Check that the mock reporter received a request to send a report.
417 run_loop.Run();
418 EXPECT_EQ(https_server_expired_.GetURL("/").host(),
419 GetLatestHostnameReported());
420 } else {
421 EXPECT_EQ(std::string(), GetLatestHostnameReported());
422 }
423 }
424
425 net::SpawnedTestServer https_server_;
426 net::SpawnedTestServer https_server_expired_;
427 net::SpawnedTestServer https_server_mismatched_;
428 net::SpawnedTestServer wss_server_expired_;
429
430 private:
431 typedef net::SpawnedTestServer::SSLOptions SSLOptions;
432
433 DISALLOW_COPY_AND_ASSIGN(SSLUITest);
434 };
435
436 class SSLUITestBlock : public SSLUITest {
437 public:
438 SSLUITestBlock() : SSLUITest() {}
439
440 // Browser will neither run nor display insecure content.
441 void SetUpCommandLine(base::CommandLine* command_line) override {
442 command_line->AppendSwitch(switches::kNoDisplayingInsecureContent);
443 }
444 };
445
446 class SSLUITestIgnoreCertErrors : public SSLUITest {
447 public:
448 SSLUITestIgnoreCertErrors() : SSLUITest() {}
449
450 void SetUpCommandLine(base::CommandLine* command_line) override {
451 // Browser will ignore certificate errors.
452 command_line->AppendSwitch(switches::kIgnoreCertificateErrors);
453 }
454 };
455
456 class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest {
457 public:
458 SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {}
459
460 void SetUpCommandLine(base::CommandLine* command_line) override {
461 // Browser will ignore certificate errors on localhost.
462 command_line->AppendSwitch(switches::kAllowInsecureLocalhost);
463 }
464 };
465
466 class SSLUITestWithExtendedReporting : public SSLUITest {
467 public:
468 SSLUITestWithExtendedReporting() : SSLUITest() {}
469 };
470
471 // Visits a regular page over http.
472 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTP) {
473 ASSERT_TRUE(test_server()->Start());
474
475 ui_test_utils::NavigateToURL(browser(),
476 test_server()->GetURL("files/ssl/google.html"));
477
478 CheckUnauthenticatedState(
479 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
480 }
481
482 // Visits a page over http which includes broken https resources (status should
483 // be OK).
484 // TODO(jcampan): test that bad HTTPS content is blocked (otherwise we'll give
485 // the secure cookies away!).
486 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPWithBrokenHTTPSResource) {
487 ASSERT_TRUE(test_server()->Start());
488 ASSERT_TRUE(https_server_expired_.Start());
489
490 std::string replacement_path;
491 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
492 "files/ssl/page_with_unsafe_contents.html",
493 https_server_expired_.host_port_pair(),
494 &replacement_path));
495
496 ui_test_utils::NavigateToURL(
497 browser(), test_server()->GetURL(replacement_path));
498
499 CheckUnauthenticatedState(
500 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
501 }
502
503 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSWithInsecureContent) {
504 ASSERT_TRUE(test_server()->Start());
505 ASSERT_TRUE(https_server_expired_.Start());
506
507 std::string replacement_path;
508 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
509 "files/ssl/page_displays_insecure_content.html",
510 test_server()->host_port_pair(),
511 &replacement_path));
512
513 ui_test_utils::NavigateToURL(browser(),
514 https_server_expired_.GetURL(replacement_path));
515
516 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
517 CheckAuthenticationBrokenState(
518 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
519
520 ProceedThroughInterstitial(tab);
521
522 CheckAuthenticationBrokenState(tab,
523 net::CERT_STATUS_DATE_INVALID,
524 AuthState::DISPLAYED_INSECURE_CONTENT);
525 }
526
527 // http://crbug.com/91745
528 #if defined(OS_CHROMEOS)
529 #define MAYBE_TestOKHTTPS DISABLED_TestOKHTTPS
530 #else
531 #define MAYBE_TestOKHTTPS TestOKHTTPS
532 #endif
533
534 // Visits a page over OK https:
535 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestOKHTTPS) {
536 ASSERT_TRUE(https_server_.Start());
537
538 ui_test_utils::NavigateToURL(browser(),
539 https_server_.GetURL("files/ssl/google.html"));
540
541 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
542 AuthState::NONE);
543 }
544
545 // Visits a page with https error and proceed:
546 #if defined(OS_LINUX)
547 // flaky http://crbug.com/396462
548 #define MAYBE_TestHTTPSExpiredCertAndProceed \
549 DISABLED_TestHTTPSExpiredCertAndProceed
550 #else
551 #define MAYBE_TestHTTPSExpiredCertAndProceed TestHTTPSExpiredCertAndProceed
552 #endif
553 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSExpiredCertAndProceed) {
554 ASSERT_TRUE(https_server_expired_.Start());
555
556 ui_test_utils::NavigateToURL(browser(),
557 https_server_expired_.GetURL("files/ssl/google.html"));
558
559 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
560 CheckAuthenticationBrokenState(
561 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
562
563 ProceedThroughInterstitial(tab);
564
565 CheckAuthenticationBrokenState(
566 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
567 }
568
569 #ifndef NEDBUG
570 // Flaky on Windows debug (http://crbug.com/280537).
571 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
572 DISABLED_TestHTTPSExpiredCertAndDontProceed
573 #else
574 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
575 TestHTTPSExpiredCertAndDontProceed
576 #endif
577
578 // Visits a page with https error and don't proceed (and ensure we can still
579 // navigate at that point):
580 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSExpiredCertAndDontProceed) {
581 ASSERT_TRUE(test_server()->Start());
582 ASSERT_TRUE(https_server_.Start());
583 ASSERT_TRUE(https_server_expired_.Start());
584
585 // First navigate to an OK page.
586 ui_test_utils::NavigateToURL(browser(),
587 https_server_.GetURL("files/ssl/google.html"));
588
589 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
590 NavigationEntry* entry = tab->GetController().GetActiveEntry();
591 ASSERT_TRUE(entry);
592
593 GURL cross_site_url =
594 https_server_expired_.GetURL("files/ssl/google.html");
595 // Change the host name from 127.0.0.1 to localhost so it triggers a
596 // cross-site navigation so we can test http://crbug.com/5800 is gone.
597 ASSERT_EQ("127.0.0.1", cross_site_url.host());
598 GURL::Replacements replacements;
599 replacements.SetHostStr("localhost");
600 cross_site_url = cross_site_url.ReplaceComponents(replacements);
601
602 // Now go to a bad HTTPS page.
603 ui_test_utils::NavigateToURL(browser(), cross_site_url);
604
605 // An interstitial should be showing.
606 CheckAuthenticationBrokenState(tab,
607 net::CERT_STATUS_COMMON_NAME_INVALID,
608 AuthState::SHOWING_INTERSTITIAL);
609
610 // Simulate user clicking "Take me back".
611 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
612 ASSERT_TRUE(interstitial_page);
613 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
614 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
615 interstitial_page->DontProceed();
616
617 // We should be back to the original good page.
618 CheckAuthenticatedState(tab, AuthState::NONE);
619
620 // Try to navigate to a new page. (to make sure bug 5800 is fixed).
621 ui_test_utils::NavigateToURL(browser(),
622 test_server()->GetURL("files/ssl/google.html"));
623 CheckUnauthenticatedState(tab, AuthState::NONE);
624 }
625
626 // Test that localhost pages don't show an interstitial.
627 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreLocalhostCertErrors,
628 TestNoInterstitialOnLocalhost) {
629 ASSERT_TRUE(https_server_.Start());
630
631 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
632
633 // Navigate to a localhost page.
634 GURL url = https_server_.GetURL("files/ssl/page_with_subresource.html");
635 GURL::Replacements replacements;
636 std::string new_host("localhost");
637 replacements.SetHostStr(new_host);
638 url = url.ReplaceComponents(replacements);
639
640 ui_test_utils::NavigateToURL(browser(), url);
641
642 // We should see no interstitial, but we should have an error
643 // (red-crossed-out-https) in the URL bar.
644 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
645 AuthState::NONE);
646
647 // We should see that the script tag in the page loaded and ran (and
648 // wasn't blocked by the certificate error).
649 base::string16 title;
650 base::string16 expected_title = base::ASCIIToUTF16("This script has loaded");
651 ui_test_utils::GetCurrentTabTitle(browser(), &title);
652 EXPECT_EQ(title, expected_title);
653 }
654
655 // Visits a page with https error and then goes back using Browser::GoBack.
656 IN_PROC_BROWSER_TEST_F(SSLUITest,
657 TestHTTPSExpiredCertAndGoBackViaButton) {
658 ASSERT_TRUE(test_server()->Start());
659 ASSERT_TRUE(https_server_expired_.Start());
660
661 // First navigate to an HTTP page.
662 ui_test_utils::NavigateToURL(browser(),
663 test_server()->GetURL("files/ssl/google.html"));
664 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
665 NavigationEntry* entry = tab->GetController().GetActiveEntry();
666 ASSERT_TRUE(entry);
667
668 // Now go to a bad HTTPS page that shows an interstitial.
669 ui_test_utils::NavigateToURL(browser(),
670 https_server_expired_.GetURL("files/ssl/google.html"));
671 CheckAuthenticationBrokenState(
672 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
673
674 ProvisionalLoadWaiter load_failed_observer(tab);
675
676 // Simulate user clicking on back button (crbug.com/39248).
677 chrome::GoBack(browser(), CURRENT_TAB);
678
679 // Wait until we hear the load failure, and make sure we haven't swapped out
680 // the previous page. Prevents regression of http://crbug.com/82667.
681 // TODO(creis/nick): Move the swapped-out part of this test into content
682 // and remove IsRenderViewHostSwappedOut from the public API.
683 load_failed_observer.Wait();
684 EXPECT_FALSE(content::RenderFrameHostTester::IsRenderFrameHostSwappedOut(
685 tab->GetMainFrame()));
686
687 // We should be back at the original good page.
688 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
689 GetInterstitialPage());
690 CheckUnauthenticatedState(tab, AuthState::NONE);
691 }
692
693 // Visits a page with https error and then goes back using GoToOffset.
694 // Disabled because its flaky: http://crbug.com/40932, http://crbug.com/43575.
695 IN_PROC_BROWSER_TEST_F(SSLUITest,
696 TestHTTPSExpiredCertAndGoBackViaMenu) {
697 ASSERT_TRUE(test_server()->Start());
698 ASSERT_TRUE(https_server_expired_.Start());
699
700 // First navigate to an HTTP page.
701 ui_test_utils::NavigateToURL(browser(),
702 test_server()->GetURL("files/ssl/google.html"));
703 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
704 NavigationEntry* entry = tab->GetController().GetActiveEntry();
705 ASSERT_TRUE(entry);
706
707 // Now go to a bad HTTPS page that shows an interstitial.
708 ui_test_utils::NavigateToURL(browser(),
709 https_server_expired_.GetURL("files/ssl/google.html"));
710 CheckAuthenticationBrokenState(
711 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
712
713 // Simulate user clicking and holding on back button (crbug.com/37215).
714 tab->GetController().GoToOffset(-1);
715
716 // We should be back at the original good page.
717 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
718 GetInterstitialPage());
719 CheckUnauthenticatedState(tab, AuthState::NONE);
720 }
721
722 // Visits a page with https error and then goes forward using GoToOffset.
723 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPSExpiredCertAndGoForward) {
724 ASSERT_TRUE(test_server()->Start());
725 ASSERT_TRUE(https_server_expired_.Start());
726
727 // First navigate to two HTTP pages.
728 ui_test_utils::NavigateToURL(browser(),
729 test_server()->GetURL("files/ssl/google.html"));
730 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
731 NavigationEntry* entry1 = tab->GetController().GetActiveEntry();
732 ASSERT_TRUE(entry1);
733 ui_test_utils::NavigateToURL(browser(),
734 test_server()->GetURL("files/ssl/blank_page.html"));
735 NavigationEntry* entry2 = tab->GetController().GetActiveEntry();
736 ASSERT_TRUE(entry2);
737
738 // Now go back so that a page is in the forward history.
739 {
740 content::WindowedNotificationObserver observer(
741 content::NOTIFICATION_LOAD_STOP,
742 content::Source<NavigationController>(&tab->GetController()));
743 tab->GetController().GoBack();
744 observer.Wait();
745 }
746 ASSERT_TRUE(tab->GetController().CanGoForward());
747 NavigationEntry* entry3 = tab->GetController().GetActiveEntry();
748 ASSERT_TRUE(entry1 == entry3);
749
750 // Now go to a bad HTTPS page that shows an interstitial.
751 ui_test_utils::NavigateToURL(browser(),
752 https_server_expired_.GetURL("files/ssl/google.html"));
753 CheckAuthenticationBrokenState(
754 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
755
756 // Simulate user clicking and holding on forward button.
757 {
758 content::WindowedNotificationObserver observer(
759 content::NOTIFICATION_LOAD_STOP,
760 content::Source<NavigationController>(&tab->GetController()));
761 tab->GetController().GoToOffset(1);
762 observer.Wait();
763 }
764
765 // We should be showing the second good page.
766 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
767 GetInterstitialPage());
768 CheckUnauthenticatedState(tab, AuthState::NONE);
769 EXPECT_FALSE(tab->GetController().CanGoForward());
770 NavigationEntry* entry4 = tab->GetController().GetActiveEntry();
771 EXPECT_TRUE(entry2 == entry4);
772 }
773
774 // Visit a HTTP page which request WSS connection to a server providing invalid
775 // certificate. Close the page while WSS connection waits for SSLManager's
776 // response from UI thread.
777 // Disabled on Windows because it was flaking on XP Tests (1). crbug.com/165258
778 #if defined(OS_WIN)
779 #define MAYBE_TestWSSInvalidCertAndClose DISABLED_TestWSSInvalidCertAndClose
780 #else
781 #define MAYBE_TestWSSInvalidCertAndClose TestWSSInvalidCertAndClose
782 #endif
783 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestWSSInvalidCertAndClose) {
784 ASSERT_TRUE(test_server()->Start());
785 ASSERT_TRUE(wss_server_expired_.Start());
786
787 // Setup page title observer.
788 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
789 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
790 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
791
792 // Create GURLs to test pages.
793 std::string master_url_path = base::StringPrintf("%s?%d",
794 test_server()->GetURL("files/ssl/wss_close.html").spec().c_str(),
795 wss_server_expired_.host_port_pair().port());
796 GURL master_url(master_url_path);
797 std::string slave_url_path = base::StringPrintf("%s?%d",
798 test_server()->GetURL("files/ssl/wss_close_slave.html").spec().c_str(),
799 wss_server_expired_.host_port_pair().port());
800 GURL slave_url(slave_url_path);
801
802 // Create tabs and visit pages which keep on creating wss connections.
803 WebContents* tabs[16];
804 for (int i = 0; i < 16; ++i) {
805 tabs[i] = chrome::AddSelectedTabWithURL(browser(), slave_url,
806 ui::PAGE_TRANSITION_LINK);
807 }
808 chrome::SelectNextTab(browser());
809
810 // Visit a page which waits for one TLS handshake failure.
811 // The title will be changed to 'PASS'.
812 ui_test_utils::NavigateToURL(browser(), master_url);
813 const base::string16 result = watcher.WaitAndGetTitle();
814 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
815
816 // Close tabs which contains the test page.
817 for (int i = 0; i < 16; ++i)
818 chrome::CloseWebContents(browser(), tabs[i], false);
819 chrome::CloseWebContents(browser(), tab, false);
820 }
821
822 // Visit a HTTPS page and proceeds despite an invalid certificate. The page
823 // requests WSS connection to the same origin host to check if WSS connection
824 // share certificates policy with HTTPS correcly.
825 IN_PROC_BROWSER_TEST_F(SSLUITest, TestWSSInvalidCertAndGoForward) {
826 ASSERT_TRUE(test_server()->Start());
827 ASSERT_TRUE(wss_server_expired_.Start());
828
829 // Setup page title observer.
830 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
831 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
832 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
833
834 // Visit bad HTTPS page.
835 GURL::Replacements replacements;
836 replacements.SetSchemeStr("https");
837 ui_test_utils::NavigateToURL(
838 browser(),
839 wss_server_expired_.GetURL(
840 "connect_check.html").ReplaceComponents(replacements));
841 CheckAuthenticationBrokenState(
842 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
843
844 // Proceed anyway.
845 ProceedThroughInterstitial(tab);
846
847 // Test page run a WebSocket wss connection test. The result will be shown
848 // as page title.
849 const base::string16 result = watcher.WaitAndGetTitle();
850 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
851 }
852
853 #if defined(USE_NSS_CERTS)
854 class SSLUITestWithClientCert : public SSLUITest {
855 public:
856 SSLUITestWithClientCert() : cert_db_(NULL) {}
857
858 void SetUpOnMainThread() override {
859 SSLUITest::SetUpOnMainThread();
860
861 base::RunLoop loop;
862 GetNSSCertDatabaseForProfile(
863 browser()->profile(),
864 base::Bind(&SSLUITestWithClientCert::DidGetCertDatabase,
865 base::Unretained(this),
866 &loop));
867 loop.Run();
868 }
869
870 protected:
871 void DidGetCertDatabase(base::RunLoop* loop, net::NSSCertDatabase* cert_db) {
872 cert_db_ = cert_db;
873 loop->Quit();
874 }
875
876 net::NSSCertDatabase* cert_db_;
877 };
878
879 // SSL client certificate tests are only enabled when using NSS for private key
880 // storage, as only NSS can avoid modifying global machine state when testing.
881 // See http://crbug.com/51132
882
883 // Visit a HTTPS page which requires client cert authentication. The client
884 // cert will be selected automatically, then a test which uses WebSocket runs.
885 IN_PROC_BROWSER_TEST_F(SSLUITestWithClientCert, TestWSSClientCert) {
886 // Import a client cert for test.
887 scoped_refptr<net::CryptoModule> crypt_module = cert_db_->GetPublicModule();
888 std::string pkcs12_data;
889 base::FilePath cert_path = net::GetTestCertsDirectory().Append(
890 FILE_PATH_LITERAL("websocket_client_cert.p12"));
891 EXPECT_TRUE(base::ReadFileToString(cert_path, &pkcs12_data));
892 EXPECT_EQ(net::OK,
893 cert_db_->ImportFromPKCS12(
894 crypt_module.get(), pkcs12_data, base::string16(), true, NULL));
895
896 // Start WebSocket test server with TLS and client cert authentication.
897 net::SpawnedTestServer::SSLOptions options(
898 net::SpawnedTestServer::SSLOptions::CERT_OK);
899 options.request_client_certificate = true;
900 base::FilePath ca_path = net::GetTestCertsDirectory().Append(
901 FILE_PATH_LITERAL("websocket_cacert.pem"));
902 options.client_authorities.push_back(ca_path);
903 net::SpawnedTestServer wss_server(net::SpawnedTestServer::TYPE_WSS,
904 options,
905 net::GetWebSocketTestDataDirectory());
906 ASSERT_TRUE(wss_server.Start());
907 GURL::Replacements replacements;
908 replacements.SetSchemeStr("https");
909 GURL url = wss_server.GetURL("connect_check.html").ReplaceComponents(
910 replacements);
911
912 // Setup page title observer.
913 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
914 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
915 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
916
917 // Add an entry into AutoSelectCertificateForUrls policy for automatic client
918 // cert selection.
919 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
920 DCHECK(profile);
921 scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
922 dict->SetString("ISSUER.CN", "pywebsocket");
923 profile->GetHostContentSettingsMap()->SetWebsiteSetting(
924 ContentSettingsPattern::FromURL(url),
925 ContentSettingsPattern::FromURL(url),
926 CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE,
927 std::string(),
928 dict.release());
929
930 // Visit a HTTPS page which requires client certs.
931 ui_test_utils::NavigateToURL(browser(), url);
932 CheckAuthenticatedState(tab, AuthState::NONE);
933
934 // Test page runs a WebSocket wss connection test. The result will be shown
935 // as page title.
936 const base::string16 result = watcher.WaitAndGetTitle();
937 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
938 }
939 #endif // defined(USE_NSS_CERTS)
940
941 // Flaky on CrOS http://crbug.com/92292
942 #if defined(OS_CHROMEOS)
943 #define MAYBE_TestHTTPSErrorWithNoNavEntry \
944 DISABLED_TestHTTPSErrorWithNoNavEntry
945 #else
946 #define MAYBE_TestHTTPSErrorWithNoNavEntry TestHTTPSErrorWithNoNavEntry
947 #endif // defined(OS_CHROMEOS)
948
949 // Open a page with a HTTPS error in a tab with no prior navigation (through a
950 // link with a blank target). This is to test that the lack of navigation entry
951 // does not cause any problems (it was causing a crasher, see
952 // http://crbug.com/19941).
953 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSErrorWithNoNavEntry) {
954 ASSERT_TRUE(https_server_expired_.Start());
955
956 GURL url = https_server_expired_.GetURL("files/ssl/google.htm");
957 WebContents* tab2 = chrome::AddSelectedTabWithURL(
958 browser(), url, ui::PAGE_TRANSITION_TYPED);
959 content::WaitForLoadStop(tab2);
960
961 // Verify our assumption that there was no prior navigation.
962 EXPECT_FALSE(chrome::CanGoBack(browser()));
963
964 // We should have an interstitial page showing.
965 ASSERT_TRUE(tab2->GetInterstitialPage());
966 ASSERT_EQ(SSLBlockingPage::kTypeForTesting, tab2->GetInterstitialPage()
967 ->GetDelegateForTesting()
968 ->GetTypeForTesting());
969 }
970
971 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadHTTPSDownload) {
972 ASSERT_TRUE(test_server()->Start());
973 ASSERT_TRUE(https_server_expired_.Start());
974 GURL url_non_dangerous = test_server()->GetURL(std::string());
975 GURL url_dangerous =
976 https_server_expired_.GetURL("files/downloads/dangerous/dangerous.exe");
977 base::ScopedTempDir downloads_directory_;
978
979 // Need empty temp dir to avoid having Chrome ask us for a new filename
980 // when we've downloaded dangerous.exe one hundred times.
981 ASSERT_TRUE(downloads_directory_.CreateUniqueTempDir());
982
983 browser()->profile()->GetPrefs()->SetFilePath(
984 prefs::kDownloadDefaultDirectory,
985 downloads_directory_.path());
986
987 // Visit a non-dangerous page.
988 ui_test_utils::NavigateToURL(browser(), url_non_dangerous);
989
990 // Now, start a transition to dangerous download.
991 {
992 content::WindowedNotificationObserver observer(
993 content::NOTIFICATION_LOAD_STOP,
994 content::NotificationService::AllSources());
995 chrome::NavigateParams navigate_params(browser(), url_dangerous,
996 ui::PAGE_TRANSITION_TYPED);
997 chrome::Navigate(&navigate_params);
998 observer.Wait();
999 }
1000
1001 // To exit the browser cleanly (and this test) we need to complete the
1002 // download after completing this test.
1003 content::DownloadTestObserverTerminal dangerous_download_observer(
1004 content::BrowserContext::GetDownloadManager(browser()->profile()),
1005 1,
1006 content::DownloadTestObserver::ON_DANGEROUS_DOWNLOAD_ACCEPT);
1007
1008 // Proceed through the SSL interstitial. This doesn't use
1009 // |ProceedThroughInterstitial| since no page load will commit.
1010 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1011 ASSERT_TRUE(tab != NULL);
1012 ASSERT_TRUE(tab->GetInterstitialPage() != NULL);
1013 ASSERT_EQ(
1014 SSLBlockingPage::kTypeForTesting,
1015 tab->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1016 {
1017 content::WindowedNotificationObserver observer(
1018 chrome::NOTIFICATION_DOWNLOAD_INITIATED,
1019 content::NotificationService::AllSources());
1020 tab->GetInterstitialPage()->Proceed();
1021 observer.Wait();
1022 }
1023
1024 // There should still be an interstitial at this point. Press the
1025 // back button on the browser. Note that this doesn't wait for a
1026 // NAV_ENTRY_COMMITTED notification because going back with an
1027 // active interstitial simply hides the interstitial.
1028 ASSERT_TRUE(tab->GetInterstitialPage() != NULL);
1029 ASSERT_EQ(
1030 SSLBlockingPage::kTypeForTesting,
1031 tab->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1032 EXPECT_TRUE(chrome::CanGoBack(browser()));
1033 chrome::GoBack(browser(), CURRENT_TAB);
1034
1035 dangerous_download_observer.WaitForFinished();
1036 }
1037
1038 //
1039 // Insecure content
1040 //
1041
1042 #if defined(OS_WIN)
1043 // http://crbug.com/152940 Flaky on win.
1044 #define MAYBE_TestDisplaysInsecureContent DISABLED_TestDisplaysInsecureContent
1045 #else
1046 #define MAYBE_TestDisplaysInsecureContent TestDisplaysInsecureContent
1047 #endif
1048
1049 // Visits a page that displays insecure content.
1050 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestDisplaysInsecureContent) {
1051 ASSERT_TRUE(test_server()->Start());
1052 ASSERT_TRUE(https_server_.Start());
1053
1054 std::string replacement_path;
1055 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1056 "files/ssl/page_displays_insecure_content.html",
1057 test_server()->host_port_pair(),
1058 &replacement_path));
1059
1060 // Load a page that displays insecure content.
1061 ui_test_utils::NavigateToURL(browser(),
1062 https_server_.GetURL(replacement_path));
1063
1064 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
1065 AuthState::DISPLAYED_INSECURE_CONTENT);
1066 }
1067
1068 // Test that if the user proceeds and the checkbox is checked, a report
1069 // is sent or not sent depending on the Finch config.
1070 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1071 TestBrokenHTTPSProceedReporting) {
1072 CertificateReportingTestUtils::ExpectReport expect_report =
1073 CertificateReportingTestUtils::GetReportExpectedFromFinch();
1074 TestBrokenHTTPSReporting(
1075 CertificateReportingTestUtils::EXTENDED_REPORTING_OPT_IN,
1076 CertificateReportingTestUtils::SSL_INTERSTITIAL_PROCEED, expect_report,
1077 browser());
1078 }
1079
1080 // Test that if the user goes back and the checkbox is checked, a report
1081 // is sent or not sent depending on the Finch config.
1082 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1083 TestBrokenHTTPSGoBackReporting) {
1084 CertificateReportingTestUtils::ExpectReport expect_report =
1085 CertificateReportingTestUtils::GetReportExpectedFromFinch();
1086 TestBrokenHTTPSReporting(
1087 CertificateReportingTestUtils::EXTENDED_REPORTING_OPT_IN,
1088 CertificateReportingTestUtils::SSL_INTERSTITIAL_DO_NOT_PROCEED,
1089 expect_report, browser());
1090 }
1091
1092 // User proceeds, checkbox is shown but unchecked. Reports should never
1093 // be sent, regardless of Finch config.
1094 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1095 TestBrokenHTTPSProceedReportingWithNoOptIn) {
1096 TestBrokenHTTPSReporting(
1097 CertificateReportingTestUtils::EXTENDED_REPORTING_DO_NOT_OPT_IN,
1098 CertificateReportingTestUtils::SSL_INTERSTITIAL_PROCEED,
1099 CertificateReportingTestUtils::CERT_REPORT_NOT_EXPECTED, browser());
1100 }
1101
1102 // User goes back, checkbox is shown but unchecked. Reports should never
1103 // be sent, regardless of Finch config.
1104 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1105 TestBrokenHTTPSGoBackShowYesCheckNoParamYesReportNo) {
1106 TestBrokenHTTPSReporting(
1107 CertificateReportingTestUtils::EXTENDED_REPORTING_DO_NOT_OPT_IN,
1108 CertificateReportingTestUtils::SSL_INTERSTITIAL_DO_NOT_PROCEED,
1109 CertificateReportingTestUtils::CERT_REPORT_NOT_EXPECTED, browser());
1110 }
1111
1112 // User proceeds, checkbox is not shown but checked -> we expect no
1113 // report.
1114 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1115 TestBrokenHTTPSProceedShowNoCheckYesReportNo) {
1116 if (base::FieldTrialList::FindFullName(
1117 CertReportHelper::kFinchExperimentName) ==
1118 CertReportHelper::kFinchGroupDontShowDontSend) {
1119 TestBrokenHTTPSReporting(
1120 CertificateReportingTestUtils::EXTENDED_REPORTING_OPT_IN,
1121 CertificateReportingTestUtils::SSL_INTERSTITIAL_PROCEED,
1122 CertificateReportingTestUtils::CERT_REPORT_NOT_EXPECTED, browser());
1123 }
1124 }
1125
1126 // Browser is incognito, user proceeds, checkbox has previously opted in
1127 // -> no report, regardless of Finch config.
1128 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1129 TestBrokenHTTPSInIncognitoReportNo) {
1130 TestBrokenHTTPSReporting(
1131 CertificateReportingTestUtils::EXTENDED_REPORTING_OPT_IN,
1132 CertificateReportingTestUtils::SSL_INTERSTITIAL_PROCEED,
1133 CertificateReportingTestUtils::CERT_REPORT_NOT_EXPECTED,
1134 CreateIncognitoBrowser());
1135 }
1136
1137 // Test that reports don't get sent when extended reporting opt-in is
1138 // disabled by policy.
1139 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1140 TestBrokenHTTPSNoReportingWhenDisallowed) {
1141 browser()->profile()->GetPrefs()->SetBoolean(
1142 prefs::kSafeBrowsingExtendedReportingOptInAllowed, false);
1143 TestBrokenHTTPSReporting(
1144 CertificateReportingTestUtils::EXTENDED_REPORTING_OPT_IN,
1145 CertificateReportingTestUtils::SSL_INTERSTITIAL_PROCEED,
1146 CertificateReportingTestUtils::CERT_REPORT_NOT_EXPECTED, browser());
1147 }
1148
1149 // Visits a page that runs insecure content and tries to suppress the insecure
1150 // content warnings by randomizing location.hash.
1151 // Based on http://crbug.com/8706
1152 IN_PROC_BROWSER_TEST_F(SSLUITest,
1153 TestRunsInsecuredContentRandomizeHash) {
1154 ASSERT_TRUE(test_server()->Start());
1155 ASSERT_TRUE(https_server_.Start());
1156
1157 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1158 "files/ssl/page_runs_insecure_content.html"));
1159
1160 CheckAuthenticationBrokenState(
1161 browser()->tab_strip_model()->GetActiveWebContents(),
1162 CertError::NONE,
1163 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1164 }
1165
1166 // Visits a page with unsafe content and make sure that:
1167 // - frames content is replaced with warning
1168 // - images and scripts are filtered out entirely
1169 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContents) {
1170 ASSERT_TRUE(https_server_.Start());
1171 ASSERT_TRUE(https_server_expired_.Start());
1172
1173 std::string replacement_path;
1174 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1175 "files/ssl/page_with_unsafe_contents.html",
1176 https_server_expired_.host_port_pair(),
1177 &replacement_path));
1178 ui_test_utils::NavigateToURL(browser(),
1179 https_server_.GetURL(replacement_path));
1180
1181 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1182 // When the bad content is filtered, the state is expected to be
1183 // authenticated.
1184 CheckAuthenticatedState(tab, AuthState::NONE);
1185
1186 // Because of cross-frame scripting restrictions, we cannot access the iframe
1187 // content. So to know if the frame was loaded, we just check if a popup was
1188 // opened (the iframe content opens one).
1189 // Note: because of bug 1115868, no web contents modal dialog is opened right
1190 // now. Once the bug is fixed, this will do the real check.
1191 EXPECT_FALSE(IsShowingWebContentsModalDialog());
1192
1193 int img_width;
1194 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
1195 tab,
1196 "window.domAutomationController.send(ImageWidth());",
1197 &img_width));
1198 // In order to check that the image was not loaded, we check its width.
1199 // The actual image (Google logo) is 114 pixels wide, we assume the broken
1200 // image is less than 100.
1201 EXPECT_LT(img_width, 100);
1202
1203 bool js_result = false;
1204 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1205 tab,
1206 "window.domAutomationController.send(IsFooSet());",
1207 &js_result));
1208 EXPECT_FALSE(js_result);
1209 }
1210
1211 // Visits a page with insecure content loaded by JS (after the initial page
1212 // load).
1213 #if defined(OS_LINUX)
1214 // flaky http://crbug.com/396462
1215 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1216 DISABLED_TestDisplaysInsecureContentLoadedFromJS
1217 #else
1218 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1219 TestDisplaysInsecureContentLoadedFromJS
1220 #endif
1221 IN_PROC_BROWSER_TEST_F(SSLUITest,
1222 MAYBE_TestDisplaysInsecureContentLoadedFromJS) {
1223 ASSERT_TRUE(test_server()->Start());
1224 ASSERT_TRUE(https_server_.Start());
1225
1226 std::string replacement_path;
1227 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1228 "files/ssl/page_with_dynamic_insecure_content.html",
1229 test_server()->host_port_pair(),
1230 &replacement_path));
1231 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1232 replacement_path));
1233
1234 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1235 CheckAuthenticatedState(tab, AuthState::NONE);
1236
1237 // Load the insecure image.
1238 bool js_result = false;
1239 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1240 tab,
1241 "loadBadImage();",
1242 &js_result));
1243 EXPECT_TRUE(js_result);
1244
1245 // We should now have insecure content.
1246 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT);
1247 }
1248
1249 // Visits two pages from the same origin: one that displays insecure content and
1250 // one that doesn't. The test checks that we do not propagate the insecure
1251 // content state from one to the other.
1252 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysInsecureContentTwoTabs) {
1253 ASSERT_TRUE(test_server()->Start());
1254 ASSERT_TRUE(https_server_.Start());
1255
1256 ui_test_utils::NavigateToURL(browser(),
1257 https_server_.GetURL("files/ssl/blank_page.html"));
1258
1259 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1260
1261 // This tab should be fine.
1262 CheckAuthenticatedState(tab1, AuthState::NONE);
1263
1264 // Create a new tab.
1265 std::string replacement_path;
1266 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1267 "files/ssl/page_displays_insecure_content.html",
1268 test_server()->host_port_pair(),
1269 &replacement_path));
1270
1271 GURL url = https_server_.GetURL(replacement_path);
1272 chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_TYPED);
1273 params.disposition = NEW_FOREGROUND_TAB;
1274 params.tabstrip_index = 0;
1275 params.source_contents = tab1;
1276 content::WindowedNotificationObserver observer(
1277 content::NOTIFICATION_LOAD_STOP,
1278 content::NotificationService::AllSources());
1279 chrome::Navigate(&params);
1280 WebContents* tab2 = params.target_contents;
1281 observer.Wait();
1282
1283 // The new tab has insecure content.
1284 CheckAuthenticatedState(tab2, AuthState::DISPLAYED_INSECURE_CONTENT);
1285
1286 // The original tab should not be contaminated.
1287 CheckAuthenticatedState(tab1, AuthState::NONE);
1288 }
1289
1290 // Visits two pages from the same origin: one that runs insecure content and one
1291 // that doesn't. The test checks that we propagate the insecure content state
1292 // from one to the other.
1293 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRunsInsecureContentTwoTabs) {
1294 ASSERT_TRUE(test_server()->Start());
1295 ASSERT_TRUE(https_server_.Start());
1296
1297 ui_test_utils::NavigateToURL(browser(),
1298 https_server_.GetURL("files/ssl/blank_page.html"));
1299
1300 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1301
1302 // This tab should be fine.
1303 CheckAuthenticatedState(tab1, AuthState::NONE);
1304
1305 std::string replacement_path;
1306 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1307 "files/ssl/page_runs_insecure_content.html",
1308 test_server()->host_port_pair(),
1309 &replacement_path));
1310
1311 // Create a new tab in the same process. Using a NEW_FOREGROUND_TAB
1312 // disposition won't usually stay in the same process, but this works
1313 // because we are using process-per-site in SetUpCommandLine.
1314 GURL url = https_server_.GetURL(replacement_path);
1315 chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_TYPED);
1316 params.disposition = NEW_FOREGROUND_TAB;
1317 params.source_contents = tab1;
1318 content::WindowedNotificationObserver observer(
1319 content::NOTIFICATION_LOAD_STOP,
1320 content::NotificationService::AllSources());
1321 chrome::Navigate(&params);
1322 WebContents* tab2 = params.target_contents;
1323 observer.Wait();
1324
1325 // Both tabs should have the same process.
1326 EXPECT_EQ(tab1->GetRenderProcessHost(), tab2->GetRenderProcessHost());
1327
1328 // The new tab has insecure content.
1329 CheckAuthenticationBrokenState(
1330 tab2,
1331 CertError::NONE,
1332 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1333
1334 // Which means the origin for the first tab has also been contaminated with
1335 // insecure content.
1336 CheckAuthenticationBrokenState(
1337 tab1, CertError::NONE, AuthState::RAN_INSECURE_CONTENT);
1338 }
1339
1340 // Visits a page with an image over http. Visits another page over https
1341 // referencing that same image over http (hoping it is coming from the webcore
1342 // memory cache).
1343 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysCachedInsecureContent) {
1344 ASSERT_TRUE(test_server()->Start());
1345 ASSERT_TRUE(https_server_.Start());
1346
1347 std::string replacement_path;
1348 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1349 "files/ssl/page_displays_insecure_content.html",
1350 test_server()->host_port_pair(),
1351 &replacement_path));
1352
1353 // Load original page over HTTP.
1354 const GURL url_http = test_server()->GetURL(replacement_path);
1355 ui_test_utils::NavigateToURL(browser(), url_http);
1356 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1357 CheckUnauthenticatedState(tab, AuthState::NONE);
1358
1359 // Load again but over SSL. It should be marked as displaying insecure
1360 // content (even though the image comes from the WebCore memory cache).
1361 const GURL url_https = https_server_.GetURL(replacement_path);
1362 ui_test_utils::NavigateToURL(browser(), url_https);
1363 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT);
1364 }
1365
1366 // http://crbug.com/84729
1367 #if defined(OS_CHROMEOS)
1368 #define MAYBE_TestRunsCachedInsecureContent \
1369 DISABLED_TestRunsCachedInsecureContent
1370 #else
1371 #define MAYBE_TestRunsCachedInsecureContent TestRunsCachedInsecureContent
1372 #endif // defined(OS_CHROMEOS)
1373
1374 // Visits a page with script over http. Visits another page over https
1375 // referencing that same script over http (hoping it is coming from the webcore
1376 // memory cache).
1377 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRunsCachedInsecureContent) {
1378 ASSERT_TRUE(test_server()->Start());
1379 ASSERT_TRUE(https_server_.Start());
1380
1381 std::string replacement_path;
1382 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1383 "files/ssl/page_runs_insecure_content.html",
1384 test_server()->host_port_pair(),
1385 &replacement_path));
1386
1387 // Load original page over HTTP.
1388 const GURL url_http = test_server()->GetURL(replacement_path);
1389 ui_test_utils::NavigateToURL(browser(), url_http);
1390 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1391 CheckUnauthenticatedState(tab, AuthState::NONE);
1392
1393 // Load again but over SSL. It should be marked as displaying insecure
1394 // content (even though the image comes from the WebCore memory cache).
1395 const GURL url_https = https_server_.GetURL(replacement_path);
1396 ui_test_utils::NavigateToURL(browser(), url_https);
1397 CheckAuthenticationBrokenState(
1398 tab,
1399 CertError::NONE,
1400 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1401 }
1402
1403 // This test ensures the CN invalid status does not 'stick' to a certificate
1404 // (see bug #1044942) and that it depends on the host-name.
1405 // Test if disabled due to flakiness http://crbug.com/368280 .
1406 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCNInvalidStickiness) {
1407 ASSERT_TRUE(https_server_.Start());
1408 ASSERT_TRUE(https_server_mismatched_.Start());
1409
1410 // First we hit the server with hostname, this generates an invalid policy
1411 // error.
1412 ui_test_utils::NavigateToURL(browser(),
1413 https_server_mismatched_.GetURL("files/ssl/google.html"));
1414
1415 // We get an interstitial page as a result.
1416 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1417 CheckAuthenticationBrokenState(tab,
1418 net::CERT_STATUS_COMMON_NAME_INVALID,
1419 AuthState::SHOWING_INTERSTITIAL);
1420 ProceedThroughInterstitial(tab);
1421 CheckAuthenticationBrokenState(
1422 tab, net::CERT_STATUS_COMMON_NAME_INVALID, AuthState::NONE);
1423
1424 // Now we try again with the right host name this time.
1425 GURL url(https_server_.GetURL("files/ssl/google.html"));
1426 ui_test_utils::NavigateToURL(browser(), url);
1427
1428 // Security state should be OK.
1429 CheckAuthenticatedState(tab, AuthState::NONE);
1430
1431 // Now try again the broken one to make sure it is still broken.
1432 ui_test_utils::NavigateToURL(browser(),
1433 https_server_mismatched_.GetURL("files/ssl/google.html"));
1434
1435 // Since we OKed the interstitial last time, we get right to the page.
1436 CheckAuthenticationBrokenState(
1437 tab, net::CERT_STATUS_COMMON_NAME_INVALID, AuthState::NONE);
1438 }
1439
1440 #if defined(OS_CHROMEOS)
1441 // This test seems to be flaky and hang on chromiumos.
1442 // http://crbug.com/84419
1443 #define MAYBE_TestRefNavigation DISABLED_TestRefNavigation
1444 #else
1445 #define MAYBE_TestRefNavigation TestRefNavigation
1446 #endif
1447
1448 // Test that navigating to a #ref does not change a bad security state.
1449 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRefNavigation) {
1450 ASSERT_TRUE(https_server_expired_.Start());
1451
1452 ui_test_utils::NavigateToURL(browser(),
1453 https_server_expired_.GetURL("files/ssl/page_with_refs.html"));
1454
1455 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1456 CheckAuthenticationBrokenState(
1457 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1458
1459 ProceedThroughInterstitial(tab);
1460
1461 CheckAuthenticationBrokenState(
1462 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1463 // Now navigate to a ref in the page, the security state should not have
1464 // changed.
1465 ui_test_utils::NavigateToURL(browser(),
1466 https_server_expired_.GetURL("files/ssl/page_with_refs.html#jp"));
1467
1468 CheckAuthenticationBrokenState(
1469 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1470 }
1471
1472 // Tests that closing a page that has a unsafe pop-up does not crash the
1473 // browser (bug #1966).
1474 // TODO(jcampan): http://crbug.com/2136 disabled because the popup is not
1475 // opened as it is not initiated by a user gesture.
1476 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCloseTabWithUnsafePopup) {
1477 ASSERT_TRUE(test_server()->Start());
1478 ASSERT_TRUE(https_server_expired_.Start());
1479
1480 std::string replacement_path;
1481 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1482 "files/ssl/page_with_unsafe_popup.html",
1483 https_server_expired_.host_port_pair(),
1484 &replacement_path));
1485
1486 ui_test_utils::NavigateToURL(browser(),
1487 test_server()->GetURL(replacement_path));
1488
1489 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1490 // It is probably overkill to add a notification for a popup-opening, let's
1491 // just poll.
1492 for (int i = 0; i < 10; i++) {
1493 if (IsShowingWebContentsModalDialog())
1494 break;
1495 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
1496 FROM_HERE, base::MessageLoop::QuitClosure(),
1497 base::TimeDelta::FromSeconds(1));
1498 content::RunMessageLoop();
1499 }
1500 ASSERT_TRUE(IsShowingWebContentsModalDialog());
1501
1502 // Let's add another tab to make sure the browser does not exit when we close
1503 // the first tab.
1504 GURL url = test_server()->GetURL("files/ssl/google.html");
1505 content::WindowedNotificationObserver observer(
1506 content::NOTIFICATION_LOAD_STOP,
1507 content::NotificationService::AllSources());
1508 chrome::AddSelectedTabWithURL(browser(), url, ui::PAGE_TRANSITION_TYPED);
1509 observer.Wait();
1510
1511 // Close the first tab.
1512 chrome::CloseWebContents(browser(), tab1, false);
1513 }
1514
1515 // Visit a page over bad https that is a redirect to a page with good https.
1516 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectBadToGoodHTTPS) {
1517 ASSERT_TRUE(https_server_.Start());
1518 ASSERT_TRUE(https_server_expired_.Start());
1519
1520 GURL url1 = https_server_expired_.GetURL("server-redirect?");
1521 GURL url2 = https_server_.GetURL("files/ssl/google.html");
1522
1523 ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
1524
1525 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1526
1527 CheckAuthenticationBrokenState(
1528 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1529
1530 ProceedThroughInterstitial(tab);
1531
1532 // We have been redirected to the good page.
1533 CheckAuthenticatedState(tab, AuthState::NONE);
1534 }
1535
1536 // Flaky on Linux. http://crbug.com/368280.
1537 #if defined(OS_LINUX)
1538 #define MAYBE_TestRedirectGoodToBadHTTPS DISABLED_TestRedirectGoodToBadHTTPS
1539 #else
1540 #define MAYBE_TestRedirectGoodToBadHTTPS TestRedirectGoodToBadHTTPS
1541 #endif
1542
1543 // Visit a page over good https that is a redirect to a page with bad https.
1544 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRedirectGoodToBadHTTPS) {
1545 ASSERT_TRUE(https_server_.Start());
1546 ASSERT_TRUE(https_server_expired_.Start());
1547
1548 GURL url1 = https_server_.GetURL("server-redirect?");
1549 GURL url2 = https_server_expired_.GetURL("files/ssl/google.html");
1550 ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
1551
1552 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1553 CheckAuthenticationBrokenState(
1554 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1555
1556 ProceedThroughInterstitial(tab);
1557
1558 CheckAuthenticationBrokenState(
1559 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1560 }
1561
1562 // Visit a page over http that is a redirect to a page with good HTTPS.
1563 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPToGoodHTTPS) {
1564 ASSERT_TRUE(test_server()->Start());
1565 ASSERT_TRUE(https_server_.Start());
1566
1567 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1568
1569 // HTTP redirects to good HTTPS.
1570 GURL http_url = test_server()->GetURL("server-redirect?");
1571 GURL good_https_url =
1572 https_server_.GetURL("files/ssl/google.html");
1573
1574 ui_test_utils::NavigateToURL(browser(),
1575 GURL(http_url.spec() + good_https_url.spec()));
1576 CheckAuthenticatedState(tab, AuthState::NONE);
1577 }
1578
1579 // Flaky on Linux. http://crbug.com/368280.
1580 #if defined(OS_LINUX)
1581 #define MAYBE_TestRedirectHTTPToBadHTTPS DISABLED_TestRedirectHTTPToBadHTTPS
1582 #else
1583 #define MAYBE_TestRedirectHTTPToBadHTTPS TestRedirectHTTPToBadHTTPS
1584 #endif
1585
1586 // Visit a page over http that is a redirect to a page with bad HTTPS.
1587 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRedirectHTTPToBadHTTPS) {
1588 ASSERT_TRUE(test_server()->Start());
1589 ASSERT_TRUE(https_server_expired_.Start());
1590
1591 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1592
1593 GURL http_url = test_server()->GetURL("server-redirect?");
1594 GURL bad_https_url =
1595 https_server_expired_.GetURL("files/ssl/google.html");
1596 ui_test_utils::NavigateToURL(browser(),
1597 GURL(http_url.spec() + bad_https_url.spec()));
1598 CheckAuthenticationBrokenState(
1599 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1600
1601 ProceedThroughInterstitial(tab);
1602
1603 CheckAuthenticationBrokenState(
1604 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1605 }
1606
1607 // Visit a page over https that is a redirect to a page with http (to make sure
1608 // we don't keep the secure state).
1609 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPSToHTTP) {
1610 ASSERT_TRUE(test_server()->Start());
1611 ASSERT_TRUE(https_server_.Start());
1612
1613 GURL https_url = https_server_.GetURL("server-redirect?");
1614 GURL http_url = test_server()->GetURL("files/ssl/google.html");
1615
1616 ui_test_utils::NavigateToURL(browser(),
1617 GURL(https_url.spec() + http_url.spec()));
1618 CheckUnauthenticatedState(
1619 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
1620 }
1621
1622 // Visits a page to which we could not connect (bad port) over http and https
1623 // and make sure the security style is correct.
1624 IN_PROC_BROWSER_TEST_F(SSLUITest, TestConnectToBadPort) {
1625 ui_test_utils::NavigateToURL(browser(), GURL("http://localhost:17"));
1626 CheckUnauthenticatedState(
1627 browser()->tab_strip_model()->GetActiveWebContents(),
1628 AuthState::SHOWING_ERROR);
1629
1630 // Same thing over HTTPS.
1631 ui_test_utils::NavigateToURL(browser(), GURL("https://localhost:17"));
1632 CheckUnauthenticatedState(
1633 browser()->tab_strip_model()->GetActiveWebContents(),
1634 AuthState::SHOWING_ERROR);
1635 }
1636
1637 //
1638 // Frame navigation
1639 //
1640
1641 // From a good HTTPS top frame:
1642 // - navigate to an OK HTTPS frame
1643 // - navigate to a bad HTTPS (expect unsafe content and filtered frame), then
1644 // back
1645 // - navigate to HTTP (expect insecure content), then back
1646 IN_PROC_BROWSER_TEST_F(SSLUITest, TestGoodFrameNavigation) {
1647 ASSERT_TRUE(test_server()->Start());
1648 ASSERT_TRUE(https_server_.Start());
1649 ASSERT_TRUE(https_server_expired_.Start());
1650
1651 std::string top_frame_path;
1652 ASSERT_TRUE(GetTopFramePath(*test_server(),
1653 https_server_,
1654 https_server_expired_,
1655 &top_frame_path));
1656
1657 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1658 ui_test_utils::NavigateToURL(browser(),
1659 https_server_.GetURL(top_frame_path));
1660
1661 CheckAuthenticatedState(tab, AuthState::NONE);
1662
1663 bool success = false;
1664 // Now navigate inside the frame.
1665 {
1666 content::WindowedNotificationObserver observer(
1667 content::NOTIFICATION_LOAD_STOP,
1668 content::Source<NavigationController>(&tab->GetController()));
1669 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1670 tab,
1671 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1672 &success));
1673 ASSERT_TRUE(success);
1674 observer.Wait();
1675 }
1676
1677 // We should still be fine.
1678 CheckAuthenticatedState(tab, AuthState::NONE);
1679
1680 // Now let's hit a bad page.
1681 {
1682 content::WindowedNotificationObserver observer(
1683 content::NOTIFICATION_LOAD_STOP,
1684 content::Source<NavigationController>(&tab->GetController()));
1685 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1686 tab,
1687 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
1688 &success));
1689 ASSERT_TRUE(success);
1690 observer.Wait();
1691 }
1692
1693 // The security style should still be secure.
1694 CheckAuthenticatedState(tab, AuthState::NONE);
1695
1696 // And the frame should be blocked.
1697 bool is_content_evil = true;
1698 content::RenderFrameHost* content_frame = content::FrameMatchingPredicate(
1699 tab, base::Bind(&content::FrameMatchesName, "contentFrame"));
1700 std::string is_evil_js("window.domAutomationController.send("
1701 "document.getElementById('evilDiv') != null);");
1702 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame,
1703 is_evil_js,
1704 &is_content_evil));
1705 EXPECT_FALSE(is_content_evil);
1706
1707 // Now go back, our state should still be OK.
1708 {
1709 content::WindowedNotificationObserver observer(
1710 content::NOTIFICATION_LOAD_STOP,
1711 content::Source<NavigationController>(&tab->GetController()));
1712 tab->GetController().GoBack();
1713 observer.Wait();
1714 }
1715 CheckAuthenticatedState(tab, AuthState::NONE);
1716
1717 // Navigate to a page served over HTTP.
1718 {
1719 content::WindowedNotificationObserver observer(
1720 content::NOTIFICATION_LOAD_STOP,
1721 content::Source<NavigationController>(&tab->GetController()));
1722 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1723 tab,
1724 "window.domAutomationController.send(clickLink('HTTPLink'));",
1725 &success));
1726 ASSERT_TRUE(success);
1727 observer.Wait();
1728 }
1729
1730 // Our state should be unathenticated (in the ran mixed script sense)
1731 CheckAuthenticationBrokenState(
1732 tab,
1733 CertError::NONE,
1734 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1735
1736 // Go back, our state should be unchanged.
1737 {
1738 content::WindowedNotificationObserver observer(
1739 content::NOTIFICATION_LOAD_STOP,
1740 content::Source<NavigationController>(&tab->GetController()));
1741 tab->GetController().GoBack();
1742 observer.Wait();
1743 }
1744
1745 CheckAuthenticationBrokenState(
1746 tab,
1747 CertError::NONE,
1748 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1749 }
1750
1751 // From a bad HTTPS top frame:
1752 // - navigate to an OK HTTPS frame (expected to be still authentication broken).
1753 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadFrameNavigation) {
1754 ASSERT_TRUE(https_server_.Start());
1755 ASSERT_TRUE(https_server_expired_.Start());
1756
1757 std::string top_frame_path;
1758 ASSERT_TRUE(GetTopFramePath(*test_server(),
1759 https_server_,
1760 https_server_expired_,
1761 &top_frame_path));
1762
1763 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1764 ui_test_utils::NavigateToURL(browser(),
1765 https_server_expired_.GetURL(top_frame_path));
1766 CheckAuthenticationBrokenState(
1767 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1768
1769 ProceedThroughInterstitial(tab);
1770
1771 // Navigate to a good frame.
1772 bool success = false;
1773 content::WindowedNotificationObserver observer(
1774 content::NOTIFICATION_LOAD_STOP,
1775 content::Source<NavigationController>(&tab->GetController()));
1776 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1777 tab,
1778 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1779 &success));
1780 ASSERT_TRUE(success);
1781 observer.Wait();
1782
1783 // We should still be authentication broken.
1784 CheckAuthenticationBrokenState(
1785 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1786 }
1787
1788 // From an HTTP top frame, navigate to good and bad HTTPS (security state should
1789 // stay unauthenticated).
1790 // Disabled, flakily exceeds test timeout, http://crbug.com/43437.
1791 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestUnauthenticatedFrameNavigation) {
1792 ASSERT_TRUE(test_server()->Start());
1793 ASSERT_TRUE(https_server_.Start());
1794 ASSERT_TRUE(https_server_expired_.Start());
1795
1796 std::string top_frame_path;
1797 ASSERT_TRUE(GetTopFramePath(*test_server(),
1798 https_server_,
1799 https_server_expired_,
1800 &top_frame_path));
1801
1802 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1803 ui_test_utils::NavigateToURL(browser(),
1804 test_server()->GetURL(top_frame_path));
1805 CheckUnauthenticatedState(tab, AuthState::NONE);
1806
1807 // Now navigate inside the frame to a secure HTTPS frame.
1808 {
1809 bool success = false;
1810 content::WindowedNotificationObserver observer(
1811 content::NOTIFICATION_LOAD_STOP,
1812 content::Source<NavigationController>(&tab->GetController()));
1813 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1814 tab,
1815 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1816 &success));
1817 ASSERT_TRUE(success);
1818 observer.Wait();
1819 }
1820
1821 // We should still be unauthenticated.
1822 CheckUnauthenticatedState(tab, AuthState::NONE);
1823
1824 // Now navigate to a bad HTTPS frame.
1825 {
1826 bool success = false;
1827 content::WindowedNotificationObserver observer(
1828 content::NOTIFICATION_LOAD_STOP,
1829 content::Source<NavigationController>(&tab->GetController()));
1830 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1831 tab,
1832 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
1833 &success));
1834 ASSERT_TRUE(success);
1835 observer.Wait();
1836 }
1837
1838 // State should not have changed.
1839 CheckUnauthenticatedState(tab, AuthState::NONE);
1840
1841 // And the frame should have been blocked (see bug #2316).
1842 bool is_content_evil = true;
1843 content::RenderFrameHost* content_frame = content::FrameMatchingPredicate(
1844 tab, base::Bind(&content::FrameMatchesName, "contentFrame"));
1845 std::string is_evil_js("window.domAutomationController.send("
1846 "document.getElementById('evilDiv') != null);");
1847 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame,
1848 is_evil_js,
1849 &is_content_evil));
1850 EXPECT_FALSE(is_content_evil);
1851 }
1852
1853 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerFiltered) {
1854 ASSERT_TRUE(https_server_.Start());
1855 ASSERT_TRUE(https_server_expired_.Start());
1856
1857 // This page will spawn a Worker which will try to load content from
1858 // BadCertServer.
1859 std::string page_with_unsafe_worker_path;
1860 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_expired_,
1861 &page_with_unsafe_worker_path));
1862 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1863 page_with_unsafe_worker_path));
1864 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1865 // Expect Worker not to load insecure content.
1866 CheckWorkerLoadResult(tab, false);
1867 // The bad content is filtered, expect the state to be authenticated.
1868 CheckAuthenticatedState(tab, AuthState::NONE);
1869 }
1870
1871 // This test, and the related test TestUnsafeContentsWithUserException, verify
1872 // that if unsafe content is loaded but the host of that unsafe content has a
1873 // user exception, the content runs and the security style remains
1874 // authenticated. This is not necessarily the behavior that should exist, but it
1875 // is verification that it does behave that way. See https://crbug.com/477868
1876 // for more inforamtion on this.
1877 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) {
1878 ASSERT_TRUE(https_server_.Start());
1879 // Note that it is necessary to user https_server_mismatched_ here over the
1880 // other invalid cert servers. This is because the test relies on the two
1881 // servers having different hosts since SSL exceptions are per-host, not per
1882 // origin, and https_server_mismatched_ uses 'localhost' rather than
1883 // '127.0.0.1'.
1884 ASSERT_TRUE(https_server_mismatched_.Start());
1885
1886 // Navigate to an unsafe site. Proceed with interstitial page to indicate
1887 // the user approves the bad certificate.
1888 ui_test_utils::NavigateToURL(
1889 browser(), https_server_mismatched_.GetURL("files/ssl/blank_page.html"));
1890 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1891 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
1892 AuthState::SHOWING_INTERSTITIAL);
1893 ProceedThroughInterstitial(tab);
1894 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
1895 AuthState::NONE);
1896
1897 // Navigate to safe page that has Worker loading unsafe content.
1898 // Expect content to load but be marked as auth broken due to running insecure
1899 // content.
1900 std::string page_with_unsafe_worker_path;
1901 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_mismatched_,
1902 &page_with_unsafe_worker_path));
1903 ui_test_utils::NavigateToURL(
1904 browser(), https_server_.GetURL(page_with_unsafe_worker_path));
1905 CheckWorkerLoadResult(tab, true); // Worker loads insecure content
1906 CheckAuthenticatedState(tab, CertError::NONE);
1907 }
1908
1909 // Visits a page with unsafe content and makes sure that if a user exception to
1910 // the certificate error is present, the image is loaded and script executes.
1911 //
1912 // See the comment above SSLUITest.TestUnsafeContentsInWorkerWithUserException
1913 // for a discussion about the desired behavior.
1914 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) {
1915 ASSERT_TRUE(https_server_.Start());
1916 // Note that it is necessary to user https_server_mismatched_ here over the
1917 // other invalid cert servers. This is because the test relies on the two
1918 // servers having different hosts since SSL exceptions are per-host, not per
1919 // origin, and https_server_mismatched_ uses 'localhost' rather than
1920 // '127.0.0.1'.
1921 ASSERT_TRUE(https_server_mismatched_.Start());
1922
1923 // Navigate to an unsafe site. Proceed with interstitial page to indicate
1924 // the user approves the bad certificate.
1925 ui_test_utils::NavigateToURL(
1926 browser(), https_server_mismatched_.GetURL("files/ssl/blank_page.html"));
1927 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1928 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
1929 AuthState::SHOWING_INTERSTITIAL);
1930 ProceedThroughInterstitial(tab);
1931 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
1932 AuthState::NONE);
1933
1934 std::string replacement_path;
1935 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1936 "files/ssl/page_with_unsafe_contents.html",
1937 https_server_mismatched_.host_port_pair(), &replacement_path));
1938 ui_test_utils::NavigateToURL(browser(),
1939 https_server_.GetURL(replacement_path));
1940
1941 // When the bad content is filtered, the state is expected to be
1942 // authenticated.
1943 CheckAuthenticatedState(tab, AuthState::NONE);
1944
1945 int img_width;
1946 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
1947 tab, "window.domAutomationController.send(ImageWidth());", &img_width));
1948 // In order to check that the image was loaded, we check its width.
1949 // The actual image (Google logo) is 114 pixels wide, so we assume a good
1950 // image is greater than 100.
1951 EXPECT_GT(img_width, 100);
1952
1953 bool js_result = false;
1954 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1955 tab, "window.domAutomationController.send(IsFooSet());", &js_result));
1956 EXPECT_TRUE(js_result);
1957 CheckAuthenticatedState(tab, CertError::NONE);
1958 }
1959
1960 // Test that when the browser blocks displaying insecure content (images), the
1961 // indicator shows a secure page, because the blocking made the otherwise
1962 // unsafe page safe (the notification of this state is handled by other means).
1963 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) {
1964 ASSERT_TRUE(test_server()->Start());
1965 ASSERT_TRUE(https_server_.Start());
1966
1967 std::string replacement_path;
1968 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1969 "files/ssl/page_displays_insecure_content.html",
1970 test_server()->host_port_pair(),
1971 &replacement_path));
1972
1973 ui_test_utils::NavigateToURL(browser(),
1974 https_server_.GetURL(replacement_path));
1975
1976 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
1977 AuthState::NONE);
1978 }
1979
1980 // Test that when the browser blocks displaying insecure content (iframes), the
1981 // indicator shows a secure page, because the blocking made the otherwise
1982 // unsafe page safe (the notification of this state is handled by other means)
1983 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureIframe) {
1984 ASSERT_TRUE(test_server()->Start());
1985 ASSERT_TRUE(https_server_.Start());
1986
1987 std::string replacement_path;
1988 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1989 "files/ssl/page_displays_insecure_iframe.html",
1990 test_server()->host_port_pair(),
1991 &replacement_path));
1992
1993 ui_test_utils::NavigateToURL(browser(),
1994 https_server_.GetURL(replacement_path));
1995
1996 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
1997 AuthState::NONE);
1998 }
1999
2000 // Test that when the browser blocks running insecure content, the
2001 // indicator shows a secure page, because the blocking made the otherwise
2002 // unsafe page safe (the notification of this state is handled by other means).
2003 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockRunningInsecureContent) {
2004 ASSERT_TRUE(test_server()->Start());
2005 ASSERT_TRUE(https_server_.Start());
2006
2007 std::string replacement_path;
2008 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2009 "files/ssl/page_runs_insecure_content.html",
2010 test_server()->host_port_pair(),
2011 &replacement_path));
2012
2013 ui_test_utils::NavigateToURL(browser(),
2014 https_server_.GetURL(replacement_path));
2015
2016 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2017 AuthState::NONE);
2018 }
2019
2020 // Visit a page and establish a WebSocket connection over bad https with
2021 // --ignore-certificate-errors. The connection should be established without
2022 // interstitial page showing.
2023 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors, TestWSS) {
2024 ASSERT_TRUE(test_server()->Start());
2025 ASSERT_TRUE(wss_server_expired_.Start());
2026
2027 // Setup page title observer.
2028 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2029 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
2030 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
2031
2032 // Visit bad HTTPS page.
2033 GURL::Replacements replacements;
2034 replacements.SetSchemeStr("https");
2035 ui_test_utils::NavigateToURL(
2036 browser(),
2037 wss_server_expired_.GetURL(
2038 "connect_check.html").ReplaceComponents(replacements));
2039
2040 // We shouldn't have an interstitial page showing here.
2041
2042 // Test page run a WebSocket wss connection test. The result will be shown
2043 // as page title.
2044 const base::string16 result = watcher.WaitAndGetTitle();
2045 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
2046 }
2047
2048 // Verifies that the interstitial can proceed, even if JavaScript is disabled.
2049 // http://crbug.com/322948
2050 #if defined(OS_LINUX)
2051 // flaky http://crbug.com/396458
2052 #define MAYBE_TestInterstitialJavaScriptProceeds \
2053 DISABLED_TestInterstitialJavaScriptProceeds
2054 #else
2055 #define MAYBE_TestInterstitialJavaScriptProceeds \
2056 TestInterstitialJavaScriptProceeds
2057 #endif
2058 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestInterstitialJavaScriptProceeds) {
2059 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2060 CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
2061
2062 ASSERT_TRUE(https_server_expired_.Start());
2063 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2064 ui_test_utils::NavigateToURL(browser(),
2065 https_server_expired_.GetURL("files/ssl/google.html"));
2066 CheckAuthenticationBrokenState(
2067 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2068
2069 content::WindowedNotificationObserver observer(
2070 content::NOTIFICATION_LOAD_STOP,
2071 content::Source<NavigationController>(&tab->GetController()));
2072 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
2073 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
2074 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
2075 content::RenderViewHost* interstitial_rvh =
2076 interstitial_page->GetMainFrame()->GetRenderViewHost();
2077 int result = -1;
2078 std::string javascript = base::StringPrintf(
2079 "window.domAutomationController.send(%d);",
2080 SecurityInterstitialPage::CMD_PROCEED);
2081 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2082 interstitial_rvh, javascript, &result));
2083 // The above will hang without the fix.
2084 EXPECT_EQ(1, result);
2085 observer.Wait();
2086 CheckAuthenticationBrokenState(
2087 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
2088 }
2089
2090 // Verifies that the interstitial can go back, even if JavaScript is disabled.
2091 // http://crbug.com/322948
2092 IN_PROC_BROWSER_TEST_F(SSLUITest, TestInterstitialJavaScriptGoesBack) {
2093 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2094 CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
2095
2096 ASSERT_TRUE(https_server_expired_.Start());
2097 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2098 ui_test_utils::NavigateToURL(browser(),
2099 https_server_expired_.GetURL("files/ssl/google.html"));
2100 CheckAuthenticationBrokenState(
2101 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2102
2103 content::WindowedNotificationObserver observer(
2104 content::NOTIFICATION_RENDER_WIDGET_HOST_DESTROYED,
2105 content::NotificationService::AllSources());
2106 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
2107 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
2108 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
2109 content::RenderViewHost* interstitial_rvh =
2110 interstitial_page->GetMainFrame()->GetRenderViewHost();
2111 int result = -1;
2112 std::string javascript = base::StringPrintf(
2113 "window.domAutomationController.send(%d);",
2114 SecurityInterstitialPage::CMD_DONT_PROCEED);
2115 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2116 interstitial_rvh, javascript, &result));
2117 // The above will hang without the fix.
2118 EXPECT_EQ(0, result);
2119 observer.Wait();
2120 EXPECT_EQ("about:blank", tab->GetVisibleURL().spec());
2121 }
2122
2123 // Verifies that switching tabs, while showing interstitial page, will not
2124 // affect the visibility of the interestitial.
2125 // https://crbug.com/381439
2126 IN_PROC_BROWSER_TEST_F(SSLUITest, InterstitialNotAffectedByHideShow) {
2127 ASSERT_TRUE(https_server_expired_.Start());
2128 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2129 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2130 ui_test_utils::NavigateToURL(
2131 browser(), https_server_expired_.GetURL("files/ssl/google.html"));
2132 CheckAuthenticationBrokenState(
2133 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2134 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2135
2136 AddTabAtIndex(0,
2137 https_server_.GetURL("files/ssl/google.html"),
2138 ui::PAGE_TRANSITION_TYPED);
2139 EXPECT_EQ(2, browser()->tab_strip_model()->count());
2140 EXPECT_EQ(0, browser()->tab_strip_model()->active_index());
2141 EXPECT_EQ(tab, browser()->tab_strip_model()->GetWebContentsAt(1));
2142 EXPECT_FALSE(tab->GetRenderWidgetHostView()->IsShowing());
2143
2144 browser()->tab_strip_model()->ActivateTabAt(1, true);
2145 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2146 }
2147
2148 // Verifies that if a bad certificate is seen for a host and the user proceeds
2149 // through the interstitial, the decision to proceed is initially remembered.
2150 // However, if this is followed by another visit, and a good certificate
2151 // is seen for the same host, the original exception is forgotten.
2152 IN_PROC_BROWSER_TEST_F(SSLUITest, BadCertFollowedByGoodCert) {
2153 // It is necessary to use |https_server_expired_| rather than
2154 // |https_server_mismatched| because the former shares a host with
2155 // |https_server_| and cert exceptions are per host.
2156 ASSERT_TRUE(https_server_expired_.Start());
2157 ASSERT_TRUE(https_server_.Start());
2158
2159 std::string https_server_expired_host =
2160 https_server_.GetURL("files/ssl/google.html").host();
2161 std::string https_server_host =
2162 https_server_.GetURL("files/ssl/google.html").host();
2163 ASSERT_EQ(https_server_expired_host, https_server_host);
2164
2165 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2166
2167 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
2168 ChromeSSLHostStateDelegate* state =
2169 reinterpret_cast<ChromeSSLHostStateDelegate*>(
2170 profile->GetSSLHostStateDelegate());
2171
2172 ui_test_utils::NavigateToURL(
2173 browser(), https_server_expired_.GetURL("files/ssl/google.html"));
2174
2175 ProceedThroughInterstitial(tab);
2176 EXPECT_TRUE(state->HasAllowException(https_server_host));
2177
2178 ui_test_utils::NavigateToURL(browser(),
2179 https_server_.GetURL("files/ssl/google.html"));
2180 ASSERT_FALSE(tab->GetInterstitialPage());
2181 EXPECT_FALSE(state->HasAllowException(https_server_host));
2182 }
2183
2184 class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest {
2185 protected:
2186 // SecurityInterstitialIDNTest implementation
2187 SecurityInterstitialPage* CreateInterstitial(
2188 content::WebContents* contents,
2189 const GURL& request_url) const override {
2190 net::SSLInfo ssl_info;
2191 ssl_info.cert = new net::X509Certificate(
2192 request_url.host(), "CA", base::Time::Max(), base::Time::Max());
2193 return new SSLBlockingPage(
2194 contents, net::ERR_CERT_CONTAINS_ERRORS, ssl_info, request_url, 0,
2195 base::Time::NowFromSystemTime(), nullptr, base::Callback<void(bool)>());
2196 }
2197 };
2198
2199 IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest, SSLBlockingPageDecodesIDN) {
2200 EXPECT_TRUE(VerifyIDNDecoded());
2201 }
2202
2203 // TODO(jcampan): more tests to do below.
2204
2205 // Visit a page over https that contains a frame with a redirect.
2206
2207 // XMLHttpRequest insecure content in synchronous mode.
2208
2209 // XMLHttpRequest insecure content in asynchronous mode.
2210
2211 // XMLHttpRequest over bad ssl in synchronous mode.
2212
2213 // XMLHttpRequest over OK ssl in synchronous mode.