1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
6 #include "base/bind_helpers.h"
7 #include "base/callback.h"
8 #include "base/command_line.h"
9 #include "base/location.h"
10 #include "base/metrics/field_trial.h"
11 #include "base/prefs/pref_service.h"
12 #include "base/single_thread_task_runner.h"
13 #include "base/strings/string_util.h"
14 #include "base/strings/stringprintf.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/test/histogram_tester.h"
17 #include "base/test/simple_test_clock.h"
18 #include "base/thread_task_runner_handle.h"
19 #include "base/time/time.h"
20 #include "chrome/app/chrome_command_ids.h"
21 #include "chrome/browser/browser_process.h"
22 #include "chrome/browser/chrome_notification_types.h"
23 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
24 #include "chrome/browser/profiles/profile.h"
25 #include "chrome/browser/ssl/bad_clock_blocking_page.h"
26 #include "chrome/browser/ssl/cert_report_helper.h"
27 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
28 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
29 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
30 #include "chrome/browser/ssl/common_name_mismatch_handler.h"
31 #include "chrome/browser/ssl/connection_security.h"
32 #include "chrome/browser/ssl/ssl_blocking_page.h"
33 #include "chrome/browser/ssl/ssl_error_classification.h"
34 #include "chrome/browser/ssl/ssl_error_handler.h"
35 #include "chrome/browser/ui/browser.h"
36 #include "chrome/browser/ui/browser_commands.h"
37 #include "chrome/browser/ui/browser_navigator.h"
38 #include "chrome/browser/ui/browser_tabstrip.h"
39 #include "chrome/browser/ui/tabs/tab_strip_model.h"
40 #include "chrome/common/chrome_paths.h"
41 #include "chrome/common/chrome_switches.h"
42 #include "chrome/common/pref_names.h"
43 #include "chrome/test/base/in_process_browser_test.h"
44 #include "chrome/test/base/ui_test_utils.h"
45 #include "components/content_settings/core/browser/host_content_settings_map.h"
46 #include "components/security_interstitials/core/metrics_helper.h"
47 #include "components/variations/variations_associated_data.h"
48 #include "components/web_modal/web_contents_modal_dialog_manager.h"
49 #include "content/public/browser/browser_context.h"
50 #include "content/public/browser/interstitial_page.h"
51 #include "content/public/browser/navigation_controller.h"
52 #include "content/public/browser/navigation_entry.h"
53 #include "content/public/browser/notification_service.h"
54 #include "content/public/browser/render_frame_host.h"
55 #include "content/public/browser/render_view_host.h"
56 #include "content/public/browser/render_widget_host_view.h"
57 #include "content/public/browser/web_contents.h"
58 #include "content/public/browser/web_contents_observer.h"
59 #include "content/public/common/security_style.h"
60 #include "content/public/common/ssl_status.h"
61 #include "content/public/test/browser_test_utils.h"
62 #include "content/public/test/download_test_observer.h"
63 #include "content/public/test/test_navigation_observer.h"
64 #include "content/public/test/test_renderer_host.h"
65 #include "net/base/host_port_pair.h"
66 #include "net/base/net_errors.h"
67 #include "net/base/test_data_directory.h"
68 #include "net/cert/cert_status_flags.h"
69 #include "net/cert/mock_cert_verifier.h"
70 #include "net/cert/x509_certificate.h"
71 #include "net/dns/mock_host_resolver.h"
72 #include "net/ssl/ssl_info.h"
73 #include "net/test/cert_test_util.h"
74 #include "net/test/spawned_test_server/spawned_test_server.h"
75 #include "net/test/test_certificate_data.h"
76 #include "net/url_request/url_request_context.h"
78 #if defined(USE_NSS_CERTS)
79 #include "chrome/browser/net/nss_context.h"
80 #include "net/base/crypto_module.h"
81 #include "net/cert/nss_cert_database.h"
82 #endif // defined(USE_NSS_CERTS)
84 using base::ASCIIToUTF16
;
85 using chrome_browser_interstitials::SecurityInterstitialIDNTest
;
86 using content::InterstitialPage
;
87 using content::NavigationController
;
88 using content::NavigationEntry
;
89 using content::SSLStatus
;
90 using content::WebContents
;
91 using web_modal::WebContentsModalDialogManager
;
93 const base::FilePath::CharType kDocRoot
[] =
94 FILE_PATH_LITERAL("chrome/test/data");
98 enum ProceedDecision
{
99 SSL_INTERSTITIAL_PROCEED
,
100 SSL_INTERSTITIAL_DO_NOT_PROCEED
103 class ProvisionalLoadWaiter
: public content::WebContentsObserver
{
105 explicit ProvisionalLoadWaiter(WebContents
* tab
)
106 : WebContentsObserver(tab
), waiting_(false), seen_(false) {}
113 content::RunMessageLoop();
116 void DidFailProvisionalLoad(
117 content::RenderFrameHost
* render_frame_host
,
118 const GURL
& validated_url
,
120 const base::string16
& error_description
,
121 bool was_ignored_by_handler
) override
{
124 base::MessageLoopForUI::current()->Quit();
132 namespace AuthState
{
134 enum AuthStateFlags
{
136 DISPLAYED_INSECURE_CONTENT
= 1 << 0,
137 RAN_INSECURE_CONTENT
= 1 << 1,
138 SHOWING_INTERSTITIAL
= 1 << 2,
139 SHOWING_ERROR
= 1 << 3
142 void Check(const NavigationEntry
& entry
, int expected_authentication_state
) {
143 if (expected_authentication_state
== AuthState::SHOWING_ERROR
) {
144 EXPECT_EQ(content::PAGE_TYPE_ERROR
, entry
.GetPageType());
147 !!(expected_authentication_state
& AuthState::SHOWING_INTERSTITIAL
)
148 ? content::PAGE_TYPE_INTERSTITIAL
149 : content::PAGE_TYPE_NORMAL
,
150 entry
.GetPageType());
153 bool displayed_insecure_content
=
154 !!(entry
.GetSSL().content_status
& SSLStatus::DISPLAYED_INSECURE_CONTENT
);
156 !!(expected_authentication_state
& AuthState::DISPLAYED_INSECURE_CONTENT
),
157 displayed_insecure_content
);
159 bool ran_insecure_content
=
160 !!(entry
.GetSSL().content_status
& SSLStatus::RAN_INSECURE_CONTENT
);
161 EXPECT_EQ(!!(expected_authentication_state
& AuthState::RAN_INSECURE_CONTENT
),
162 ran_insecure_content
);
165 } // namespace AuthState
167 namespace SecurityStyle
{
169 void Check(const NavigationEntry
& entry
,
170 content::SecurityStyle expected_security_style
) {
171 EXPECT_EQ(expected_security_style
, entry
.GetSSL().security_style
);
174 } // namespace SecurityStyle
176 namespace CertError
{
178 enum CertErrorFlags
{
182 void Check(const NavigationEntry
& entry
, net::CertStatus error
) {
184 EXPECT_EQ(error
, entry
.GetSSL().cert_status
& error
);
185 net::CertStatus extra_cert_errors
=
186 error
^ (entry
.GetSSL().cert_status
& net::CERT_STATUS_ALL_ERRORS
);
187 if (extra_cert_errors
)
188 LOG(WARNING
) << "Got unexpected cert error: " << extra_cert_errors
;
190 EXPECT_EQ(0U, entry
.GetSSL().cert_status
& net::CERT_STATUS_ALL_ERRORS
);
194 } // namespace CertError
196 void CheckSecurityState(WebContents
* tab
,
197 net::CertStatus error
,
198 content::SecurityStyle expected_security_style
,
199 int expected_authentication_state
) {
200 ASSERT_FALSE(tab
->IsCrashed());
201 NavigationEntry
* entry
= tab
->GetController().GetActiveEntry();
203 CertError::Check(*entry
, error
);
204 SecurityStyle::Check(*entry
, expected_security_style
);
205 AuthState::Check(*entry
, expected_authentication_state
);
208 // This observer waits for the SSLErrorHandler to start an interstitial timer
209 // for the given web contents.
210 class SSLInterstitialTimerObserver
{
212 explicit SSLInterstitialTimerObserver(content::WebContents
* web_contents
)
213 : web_contents_(web_contents
), message_loop_runner_(new base::RunLoop
) {
214 callback_
= base::Bind(&SSLInterstitialTimerObserver::OnTimerStarted
,
215 base::Unretained(this));
216 SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(&callback_
);
219 ~SSLInterstitialTimerObserver() {
220 SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(nullptr);
223 // Waits until the interstitial delay timer in SSLErrorHandler is started.
224 void WaitForTimerStarted() { message_loop_runner_
->Run(); }
227 void OnTimerStarted(content::WebContents
* web_contents
) {
228 if (web_contents_
== web_contents
)
229 message_loop_runner_
->Quit();
232 const content::WebContents
* web_contents_
;
233 SSLErrorHandler::TimerStartedCallback callback_
;
235 scoped_ptr
<base::RunLoop
> message_loop_runner_
;
237 DISALLOW_COPY_AND_ASSIGN(SSLInterstitialTimerObserver
);
243 : public certificate_reporting_test_utils::CertificateReportingTest
{
246 : https_server_(net::SpawnedTestServer::TYPE_HTTPS
,
247 SSLOptions(SSLOptions::CERT_OK
),
248 base::FilePath(kDocRoot
)),
249 https_server_expired_(net::SpawnedTestServer::TYPE_HTTPS
,
250 SSLOptions(SSLOptions::CERT_EXPIRED
),
251 base::FilePath(kDocRoot
)),
252 https_server_mismatched_(net::SpawnedTestServer::TYPE_HTTPS
,
253 SSLOptions(SSLOptions::CERT_MISMATCHED_NAME
),
254 base::FilePath(kDocRoot
)),
255 wss_server_expired_(net::SpawnedTestServer::TYPE_WSS
,
256 SSLOptions(SSLOptions::CERT_EXPIRED
),
257 net::GetWebSocketTestDataDirectory()) {}
259 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
260 // Browser will both run and display insecure content.
261 command_line
->AppendSwitch(switches::kAllowRunningInsecureContent
);
262 // Use process-per-site so that navigating to a same-site page in a
263 // new tab will use the same process.
264 command_line
->AppendSwitch(switches::kProcessPerSite
);
267 void CheckAuthenticatedState(WebContents
* tab
,
268 int expected_authentication_state
) {
269 CheckSecurityState(tab
,
271 content::SECURITY_STYLE_AUTHENTICATED
,
272 expected_authentication_state
);
275 void CheckUnauthenticatedState(WebContents
* tab
,
276 int expected_authentication_state
) {
277 CheckSecurityState(tab
,
279 content::SECURITY_STYLE_UNAUTHENTICATED
,
280 expected_authentication_state
);
283 void CheckAuthenticationBrokenState(WebContents
* tab
,
284 net::CertStatus error
,
285 int expected_authentication_state
) {
286 CheckSecurityState(tab
,
288 content::SECURITY_STYLE_AUTHENTICATION_BROKEN
,
289 expected_authentication_state
);
290 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION doesn't lower the security style
291 // to SECURITY_STYLE_AUTHENTICATION_BROKEN.
292 ASSERT_NE(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION
, error
);
295 void CheckWorkerLoadResult(WebContents
* tab
, bool expected_load
) {
296 // Workers are async and we don't have notifications for them passing
297 // messages since they do it between renderer and worker processes.
298 // So have a polling loop, check every 200ms, timeout at 30s.
299 const int kTimeoutMS
= 200;
300 base::Time time_to_quit
= base::Time::Now() +
301 base::TimeDelta::FromMilliseconds(30000);
303 while (base::Time::Now() < time_to_quit
) {
304 bool worker_finished
= false;
305 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
307 "window.domAutomationController.send(IsWorkerFinished());",
314 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
315 FROM_HERE
, base::MessageLoop::QuitClosure(),
316 base::TimeDelta::FromMilliseconds(kTimeoutMS
));
317 content::RunMessageLoop();
320 bool actually_loaded_content
= false;
321 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
323 "window.domAutomationController.send(IsContentLoaded());",
324 &actually_loaded_content
));
325 EXPECT_EQ(expected_load
, actually_loaded_content
);
328 void ProceedThroughInterstitial(WebContents
* tab
) {
329 InterstitialPage
* interstitial_page
= tab
->GetInterstitialPage();
330 ASSERT_TRUE(interstitial_page
);
331 ASSERT_EQ(SSLBlockingPage::kTypeForTesting
,
332 interstitial_page
->GetDelegateForTesting()->GetTypeForTesting());
333 content::WindowedNotificationObserver
observer(
334 content::NOTIFICATION_LOAD_STOP
,
335 content::Source
<NavigationController
>(&tab
->GetController()));
336 interstitial_page
->Proceed();
340 bool IsShowingWebContentsModalDialog() const {
341 return WebContentsModalDialogManager::FromWebContents(
342 browser()->tab_strip_model()->GetActiveWebContents())->
346 static bool GetFilePathWithHostAndPortReplacement(
347 const std::string
& original_file_path
,
348 const net::HostPortPair
& host_port_pair
,
349 std::string
* replacement_path
) {
350 std::vector
<net::SpawnedTestServer::StringPair
> replacement_text
;
351 replacement_text
.push_back(
352 make_pair("REPLACE_WITH_HOST_AND_PORT", host_port_pair
.ToString()));
353 return net::SpawnedTestServer::GetFilePathWithReplacements(
354 original_file_path
, replacement_text
, replacement_path
);
357 static bool GetTopFramePath(const net::SpawnedTestServer
& http_server
,
358 const net::SpawnedTestServer
& good_https_server
,
359 const net::SpawnedTestServer
& bad_https_server
,
360 std::string
* top_frame_path
) {
361 // The "frame_left.html" page contained in the top_frame.html page contains
362 // <a href>'s to three different servers. This sets up all of the
363 // replacement text to work with test servers which listen on ephemeral
365 GURL http_url
= http_server
.GetURL("files/ssl/google.html");
366 GURL good_https_url
= good_https_server
.GetURL("files/ssl/google.html");
367 GURL bad_https_url
= bad_https_server
.GetURL(
368 "files/ssl/bad_iframe.html");
370 std::vector
<net::SpawnedTestServer::StringPair
> replacement_text_frame_left
;
371 replacement_text_frame_left
.push_back(
372 make_pair("REPLACE_WITH_HTTP_PAGE", http_url
.spec()));
373 replacement_text_frame_left
.push_back(
374 make_pair("REPLACE_WITH_GOOD_HTTPS_PAGE", good_https_url
.spec()));
375 replacement_text_frame_left
.push_back(
376 make_pair("REPLACE_WITH_BAD_HTTPS_PAGE", bad_https_url
.spec()));
377 std::string frame_left_path
;
378 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
380 replacement_text_frame_left
,
384 // Substitute the generated frame_left URL into the top_frame page.
385 std::vector
<net::SpawnedTestServer::StringPair
> replacement_text_top_frame
;
386 replacement_text_top_frame
.push_back(
387 make_pair("REPLACE_WITH_FRAME_LEFT_PATH", frame_left_path
));
388 return net::SpawnedTestServer::GetFilePathWithReplacements(
389 "files/ssl/top_frame.html",
390 replacement_text_top_frame
,
394 static bool GetPageWithUnsafeWorkerPath(
395 const net::SpawnedTestServer
& https_server
,
396 std::string
* page_with_unsafe_worker_path
) {
397 // Get the "imported.js" URL from the expired https server and
398 // substitute it into the unsafe_worker.js file.
399 GURL imported_js_url
= https_server
.GetURL("files/ssl/imported.js");
400 std::vector
<net::SpawnedTestServer::StringPair
>
401 replacement_text_for_unsafe_worker
;
402 replacement_text_for_unsafe_worker
.push_back(
403 make_pair("REPLACE_WITH_IMPORTED_JS_URL", imported_js_url
.spec()));
404 std::string unsafe_worker_path
;
405 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
407 replacement_text_for_unsafe_worker
,
408 &unsafe_worker_path
))
411 // Now, substitute this into the page with unsafe worker.
412 std::vector
<net::SpawnedTestServer::StringPair
>
413 replacement_text_for_page_with_unsafe_worker
;
414 replacement_text_for_page_with_unsafe_worker
.push_back(
415 make_pair("REPLACE_WITH_UNSAFE_WORKER_PATH", unsafe_worker_path
));
416 return net::SpawnedTestServer::GetFilePathWithReplacements(
417 "files/ssl/page_with_unsafe_worker.html",
418 replacement_text_for_page_with_unsafe_worker
,
419 page_with_unsafe_worker_path
);
422 // Helper function for testing invalid certificate chain reporting.
423 void TestBrokenHTTPSReporting(
424 certificate_reporting_test_utils::OptIn opt_in
,
425 ProceedDecision proceed
,
426 certificate_reporting_test_utils::ExpectReport expect_report
,
428 base::RunLoop run_loop
;
429 ASSERT_TRUE(https_server_expired_
.Start());
431 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
433 // Opt in to sending reports for invalid certificate chains.
434 certificate_reporting_test_utils::SetCertReportingOptIn(browser
, opt_in
);
436 ui_test_utils::NavigateToURL(browser
, https_server_expired_
.GetURL("/"));
438 WebContents
* tab
= browser
->tab_strip_model()->GetActiveWebContents();
439 CheckAuthenticationBrokenState(tab
, net::CERT_STATUS_DATE_INVALID
,
440 AuthState::SHOWING_INTERSTITIAL
);
442 scoped_ptr
<SSLCertReporter
> ssl_cert_reporter
=
443 certificate_reporting_test_utils::SetUpMockSSLCertReporter(
444 &run_loop
, expect_report
);
446 SSLBlockingPage
* interstitial_page
= static_cast<SSLBlockingPage
*>(
447 tab
->GetInterstitialPage()->GetDelegateForTesting());
448 interstitial_page
->SetSSLCertReporterForTesting(ssl_cert_reporter
.Pass());
450 EXPECT_EQ(std::string(), GetLatestHostnameReported());
452 // Leave the interstitial (either by proceeding or going back)
453 if (proceed
== SSL_INTERSTITIAL_PROCEED
) {
454 ProceedThroughInterstitial(tab
);
456 // Click "Take me back"
457 InterstitialPage
* interstitial_page
= tab
->GetInterstitialPage();
458 ASSERT_TRUE(interstitial_page
);
459 interstitial_page
->DontProceed();
463 certificate_reporting_test_utils::CERT_REPORT_EXPECTED
) {
464 // Check that the mock reporter received a request to send a report.
466 EXPECT_EQ(https_server_expired_
.GetURL("/").host(),
467 GetLatestHostnameReported());
469 EXPECT_EQ(std::string(), GetLatestHostnameReported());
473 net::SpawnedTestServer https_server_
;
474 net::SpawnedTestServer https_server_expired_
;
475 net::SpawnedTestServer https_server_mismatched_
;
476 net::SpawnedTestServer wss_server_expired_
;
479 typedef net::SpawnedTestServer::SSLOptions SSLOptions
;
481 DISALLOW_COPY_AND_ASSIGN(SSLUITest
);
484 class SSLUITestBlock
: public SSLUITest
{
486 SSLUITestBlock() : SSLUITest() {}
488 // Browser will neither run nor display insecure content.
489 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
490 command_line
->AppendSwitch(switches::kNoDisplayingInsecureContent
);
494 class SSLUITestIgnoreCertErrors
: public SSLUITest
{
496 SSLUITestIgnoreCertErrors() : SSLUITest() {}
498 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
499 // Browser will ignore certificate errors.
500 command_line
->AppendSwitch(switches::kIgnoreCertificateErrors
);
504 class SSLUITestIgnoreLocalhostCertErrors
: public SSLUITest
{
506 SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {}
508 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
509 // Browser will ignore certificate errors on localhost.
510 command_line
->AppendSwitch(switches::kAllowInsecureLocalhost
);
514 class SSLUITestWithExtendedReporting
: public SSLUITest
{
516 SSLUITestWithExtendedReporting() : SSLUITest() {}
519 // Visits a regular page over http.
520 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestHTTP
) {
521 ASSERT_TRUE(test_server()->Start());
523 ui_test_utils::NavigateToURL(browser(),
524 test_server()->GetURL("files/ssl/google.html"));
526 CheckUnauthenticatedState(
527 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE
);
530 // Visits a page over http which includes broken https resources (status should
532 // TODO(jcampan): test that bad HTTPS content is blocked (otherwise we'll give
533 // the secure cookies away!).
534 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestHTTPWithBrokenHTTPSResource
) {
535 ASSERT_TRUE(test_server()->Start());
536 ASSERT_TRUE(https_server_expired_
.Start());
538 std::string replacement_path
;
539 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
540 "files/ssl/page_with_unsafe_contents.html",
541 https_server_expired_
.host_port_pair(),
544 ui_test_utils::NavigateToURL(
545 browser(), test_server()->GetURL(replacement_path
));
547 CheckUnauthenticatedState(
548 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE
);
551 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestBrokenHTTPSWithInsecureContent
) {
552 ASSERT_TRUE(test_server()->Start());
553 ASSERT_TRUE(https_server_expired_
.Start());
555 std::string replacement_path
;
556 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
557 "files/ssl/page_displays_insecure_content.html",
558 test_server()->host_port_pair(),
561 ui_test_utils::NavigateToURL(browser(),
562 https_server_expired_
.GetURL(replacement_path
));
564 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
565 CheckAuthenticationBrokenState(
566 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
568 ProceedThroughInterstitial(tab
);
570 CheckAuthenticationBrokenState(tab
,
571 net::CERT_STATUS_DATE_INVALID
,
572 AuthState::DISPLAYED_INSECURE_CONTENT
);
575 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestBrokenHTTPSMetricsReporting_Proceed
) {
576 ASSERT_TRUE(https_server_expired_
.Start());
577 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
578 base::HistogramTester histograms
;
579 const std::string decision_histogram
=
580 "interstitial.ssl_overridable.decision";
581 const std::string interaction_histogram
=
582 "interstitial.ssl_overridable.interaction";
584 // Histograms should start off empty.
585 histograms
.ExpectTotalCount(decision_histogram
, 0);
586 histograms
.ExpectTotalCount(interaction_histogram
, 0);
588 // After navigating to the page, the totals should be set.
589 ui_test_utils::NavigateToURL(browser(), https_server_expired_
.GetURL("/"));
590 content::WaitForInterstitialAttach(
591 browser()->tab_strip_model()->GetActiveWebContents());
592 histograms
.ExpectTotalCount(decision_histogram
, 1);
593 histograms
.ExpectBucketCount(decision_histogram
,
594 security_interstitials::MetricsHelper::SHOW
, 1);
595 histograms
.ExpectTotalCount(interaction_histogram
, 1);
596 histograms
.ExpectBucketCount(
597 interaction_histogram
,
598 security_interstitials::MetricsHelper::TOTAL_VISITS
, 1);
600 // Decision should be recorded.
601 ProceedThroughInterstitial(
602 browser()->tab_strip_model()->GetActiveWebContents());
603 histograms
.ExpectTotalCount(decision_histogram
, 2);
604 histograms
.ExpectBucketCount(
605 decision_histogram
, security_interstitials::MetricsHelper::PROCEED
, 1);
606 histograms
.ExpectTotalCount(interaction_histogram
, 1);
607 histograms
.ExpectBucketCount(
608 interaction_histogram
,
609 security_interstitials::MetricsHelper::TOTAL_VISITS
, 1);
612 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestBrokenHTTPSMetricsReporting_DontProceed
) {
613 ASSERT_TRUE(https_server_expired_
.Start());
614 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
615 base::HistogramTester histograms
;
616 const std::string decision_histogram
=
617 "interstitial.ssl_overridable.decision";
618 const std::string interaction_histogram
=
619 "interstitial.ssl_overridable.interaction";
621 // Histograms should start off empty.
622 histograms
.ExpectTotalCount(decision_histogram
, 0);
623 histograms
.ExpectTotalCount(interaction_histogram
, 0);
625 // After navigating to the page, the totals should be set.
626 ui_test_utils::NavigateToURL(browser(), https_server_expired_
.GetURL("/"));
627 content::WaitForInterstitialAttach(
628 browser()->tab_strip_model()->GetActiveWebContents());
629 histograms
.ExpectTotalCount(decision_histogram
, 1);
630 histograms
.ExpectBucketCount(decision_histogram
,
631 security_interstitials::MetricsHelper::SHOW
, 1);
632 histograms
.ExpectTotalCount(interaction_histogram
, 1);
633 histograms
.ExpectBucketCount(
634 interaction_histogram
,
635 security_interstitials::MetricsHelper::TOTAL_VISITS
, 1);
637 // Decision should be recorded.
638 InterstitialPage
* interstitial_page
= browser()
640 ->GetActiveWebContents()
641 ->GetInterstitialPage();
642 interstitial_page
->DontProceed();
643 histograms
.ExpectTotalCount(decision_histogram
, 2);
644 histograms
.ExpectBucketCount(
645 decision_histogram
, security_interstitials::MetricsHelper::DONT_PROCEED
,
647 histograms
.ExpectTotalCount(interaction_histogram
, 1);
648 histograms
.ExpectBucketCount(
649 interaction_histogram
,
650 security_interstitials::MetricsHelper::TOTAL_VISITS
, 1);
653 // http://crbug.com/91745
654 #if defined(OS_CHROMEOS)
655 #define MAYBE_TestOKHTTPS DISABLED_TestOKHTTPS
657 #define MAYBE_TestOKHTTPS TestOKHTTPS
660 // Visits a page over OK https:
661 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestOKHTTPS
) {
662 ASSERT_TRUE(https_server_
.Start());
664 ui_test_utils::NavigateToURL(browser(),
665 https_server_
.GetURL("files/ssl/google.html"));
667 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
671 // Visits a page with https error and proceed:
672 #if defined(OS_LINUX)
673 // flaky http://crbug.com/396462
674 #define MAYBE_TestHTTPSExpiredCertAndProceed \
675 DISABLED_TestHTTPSExpiredCertAndProceed
677 #define MAYBE_TestHTTPSExpiredCertAndProceed TestHTTPSExpiredCertAndProceed
679 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestHTTPSExpiredCertAndProceed
) {
680 ASSERT_TRUE(https_server_expired_
.Start());
682 ui_test_utils::NavigateToURL(browser(),
683 https_server_expired_
.GetURL("files/ssl/google.html"));
685 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
686 CheckAuthenticationBrokenState(
687 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
689 ProceedThroughInterstitial(tab
);
691 CheckAuthenticationBrokenState(
692 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
696 // Flaky on Windows debug (http://crbug.com/280537).
697 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
698 DISABLED_TestHTTPSExpiredCertAndDontProceed
700 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
701 TestHTTPSExpiredCertAndDontProceed
704 // Visits a page with https error and don't proceed (and ensure we can still
705 // navigate at that point):
706 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestHTTPSExpiredCertAndDontProceed
) {
707 ASSERT_TRUE(test_server()->Start());
708 ASSERT_TRUE(https_server_
.Start());
709 ASSERT_TRUE(https_server_expired_
.Start());
711 // First navigate to an OK page.
712 ui_test_utils::NavigateToURL(browser(),
713 https_server_
.GetURL("files/ssl/google.html"));
715 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
716 NavigationEntry
* entry
= tab
->GetController().GetActiveEntry();
719 GURL cross_site_url
=
720 https_server_expired_
.GetURL("files/ssl/google.html");
721 // Change the host name from 127.0.0.1 to localhost so it triggers a
722 // cross-site navigation so we can test http://crbug.com/5800 is gone.
723 ASSERT_EQ("127.0.0.1", cross_site_url
.host());
724 GURL::Replacements replacements
;
725 replacements
.SetHostStr("localhost");
726 cross_site_url
= cross_site_url
.ReplaceComponents(replacements
);
728 // Now go to a bad HTTPS page.
729 ui_test_utils::NavigateToURL(browser(), cross_site_url
);
731 // An interstitial should be showing.
732 CheckAuthenticationBrokenState(tab
,
733 net::CERT_STATUS_COMMON_NAME_INVALID
,
734 AuthState::SHOWING_INTERSTITIAL
);
736 // Simulate user clicking "Take me back".
737 InterstitialPage
* interstitial_page
= tab
->GetInterstitialPage();
738 ASSERT_TRUE(interstitial_page
);
739 ASSERT_EQ(SSLBlockingPage::kTypeForTesting
,
740 interstitial_page
->GetDelegateForTesting()->GetTypeForTesting());
741 interstitial_page
->DontProceed();
743 // We should be back to the original good page.
744 CheckAuthenticatedState(tab
, AuthState::NONE
);
746 // Try to navigate to a new page. (to make sure bug 5800 is fixed).
747 ui_test_utils::NavigateToURL(browser(),
748 test_server()->GetURL("files/ssl/google.html"));
749 CheckUnauthenticatedState(tab
, AuthState::NONE
);
752 // Test that localhost pages don't show an interstitial.
753 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreLocalhostCertErrors
,
754 TestNoInterstitialOnLocalhost
) {
755 ASSERT_TRUE(https_server_
.Start());
757 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
759 // Navigate to a localhost page.
760 GURL url
= https_server_
.GetURL("files/ssl/page_with_subresource.html");
761 GURL::Replacements replacements
;
762 std::string
new_host("localhost");
763 replacements
.SetHostStr(new_host
);
764 url
= url
.ReplaceComponents(replacements
);
766 ui_test_utils::NavigateToURL(browser(), url
);
768 // We should see no interstitial, but we should have an error
769 // (red-crossed-out-https) in the URL bar.
770 CheckAuthenticationBrokenState(tab
, net::CERT_STATUS_COMMON_NAME_INVALID
,
773 // We should see that the script tag in the page loaded and ran (and
774 // wasn't blocked by the certificate error).
775 base::string16 title
;
776 base::string16 expected_title
= base::ASCIIToUTF16("This script has loaded");
777 ui_test_utils::GetCurrentTabTitle(browser(), &title
);
778 EXPECT_EQ(title
, expected_title
);
781 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestHTTPSErrorCausedByClock
) {
782 ASSERT_TRUE(https_server_expired_
.Start());
784 // Set up the build and current clock times to be more than a year apart.
785 scoped_ptr
<base::SimpleTestClock
> mock_clock(new base::SimpleTestClock());
786 mock_clock
->SetNow(base::Time::NowFromSystemTime());
787 mock_clock
->Advance(base::TimeDelta::FromDays(367));
788 SSLErrorHandler::SetClockForTest(mock_clock
.get());
789 SSLErrorClassification::SetBuildTimeForTesting(
790 base::Time::NowFromSystemTime());
792 ui_test_utils::NavigateToURL(browser(), https_server_expired_
.GetURL("/"));
793 WebContents
* clock_tab
= browser()->tab_strip_model()->GetActiveWebContents();
794 content::WaitForInterstitialAttach(clock_tab
);
795 InterstitialPage
* clock_interstitial
= clock_tab
->GetInterstitialPage();
796 ASSERT_TRUE(clock_interstitial
);
797 EXPECT_EQ(BadClockBlockingPage::kTypeForTesting
,
798 clock_interstitial
->GetDelegateForTesting()->GetTypeForTesting());
801 // Visits a page with https error and then goes back using Browser::GoBack.
802 IN_PROC_BROWSER_TEST_F(SSLUITest
,
803 TestHTTPSExpiredCertAndGoBackViaButton
) {
804 ASSERT_TRUE(test_server()->Start());
805 ASSERT_TRUE(https_server_expired_
.Start());
807 // First navigate to an HTTP page.
808 ui_test_utils::NavigateToURL(browser(),
809 test_server()->GetURL("files/ssl/google.html"));
810 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
811 NavigationEntry
* entry
= tab
->GetController().GetActiveEntry();
814 // Now go to a bad HTTPS page that shows an interstitial.
815 ui_test_utils::NavigateToURL(browser(),
816 https_server_expired_
.GetURL("files/ssl/google.html"));
817 CheckAuthenticationBrokenState(
818 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
820 ProvisionalLoadWaiter
load_failed_observer(tab
);
822 // Simulate user clicking on back button (crbug.com/39248).
823 chrome::GoBack(browser(), CURRENT_TAB
);
825 // Wait until we hear the load failure, and make sure we haven't swapped out
826 // the previous page. Prevents regression of http://crbug.com/82667.
827 // TODO(creis/nick): Move the swapped-out part of this test into content
828 // and remove IsRenderViewHostSwappedOut from the public API.
829 load_failed_observer
.Wait();
830 EXPECT_FALSE(content::RenderFrameHostTester::IsRenderFrameHostSwappedOut(
831 tab
->GetMainFrame()));
833 // We should be back at the original good page.
834 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
835 GetInterstitialPage());
836 CheckUnauthenticatedState(tab
, AuthState::NONE
);
839 // Visits a page with https error and then goes back using GoToOffset.
840 // Disabled because its flaky: http://crbug.com/40932, http://crbug.com/43575.
841 IN_PROC_BROWSER_TEST_F(SSLUITest
,
842 TestHTTPSExpiredCertAndGoBackViaMenu
) {
843 ASSERT_TRUE(test_server()->Start());
844 ASSERT_TRUE(https_server_expired_
.Start());
846 // First navigate to an HTTP page.
847 ui_test_utils::NavigateToURL(browser(),
848 test_server()->GetURL("files/ssl/google.html"));
849 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
850 NavigationEntry
* entry
= tab
->GetController().GetActiveEntry();
853 // Now go to a bad HTTPS page that shows an interstitial.
854 ui_test_utils::NavigateToURL(browser(),
855 https_server_expired_
.GetURL("files/ssl/google.html"));
856 CheckAuthenticationBrokenState(
857 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
859 // Simulate user clicking and holding on back button (crbug.com/37215).
860 tab
->GetController().GoToOffset(-1);
862 // We should be back at the original good page.
863 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
864 GetInterstitialPage());
865 CheckUnauthenticatedState(tab
, AuthState::NONE
);
868 // Visits a page with https error and then goes forward using GoToOffset.
869 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestHTTPSExpiredCertAndGoForward
) {
870 ASSERT_TRUE(test_server()->Start());
871 ASSERT_TRUE(https_server_expired_
.Start());
873 // First navigate to two HTTP pages.
874 ui_test_utils::NavigateToURL(browser(),
875 test_server()->GetURL("files/ssl/google.html"));
876 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
877 NavigationEntry
* entry1
= tab
->GetController().GetActiveEntry();
879 ui_test_utils::NavigateToURL(browser(),
880 test_server()->GetURL("files/ssl/blank_page.html"));
881 NavigationEntry
* entry2
= tab
->GetController().GetActiveEntry();
884 // Now go back so that a page is in the forward history.
886 content::WindowedNotificationObserver
observer(
887 content::NOTIFICATION_LOAD_STOP
,
888 content::Source
<NavigationController
>(&tab
->GetController()));
889 tab
->GetController().GoBack();
892 ASSERT_TRUE(tab
->GetController().CanGoForward());
893 NavigationEntry
* entry3
= tab
->GetController().GetActiveEntry();
894 ASSERT_TRUE(entry1
== entry3
);
896 // Now go to a bad HTTPS page that shows an interstitial.
897 ui_test_utils::NavigateToURL(browser(),
898 https_server_expired_
.GetURL("files/ssl/google.html"));
899 CheckAuthenticationBrokenState(
900 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
902 // Simulate user clicking and holding on forward button.
904 content::WindowedNotificationObserver
observer(
905 content::NOTIFICATION_LOAD_STOP
,
906 content::Source
<NavigationController
>(&tab
->GetController()));
907 tab
->GetController().GoToOffset(1);
911 // We should be showing the second good page.
912 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
913 GetInterstitialPage());
914 CheckUnauthenticatedState(tab
, AuthState::NONE
);
915 EXPECT_FALSE(tab
->GetController().CanGoForward());
916 NavigationEntry
* entry4
= tab
->GetController().GetActiveEntry();
917 EXPECT_TRUE(entry2
== entry4
);
920 // Visit a HTTP page which request WSS connection to a server providing invalid
921 // certificate. Close the page while WSS connection waits for SSLManager's
922 // response from UI thread.
923 // Disabled on Windows because it was flaking on XP Tests (1). crbug.com/165258
925 #define MAYBE_TestWSSInvalidCertAndClose DISABLED_TestWSSInvalidCertAndClose
927 #define MAYBE_TestWSSInvalidCertAndClose TestWSSInvalidCertAndClose
929 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestWSSInvalidCertAndClose
) {
930 ASSERT_TRUE(test_server()->Start());
931 ASSERT_TRUE(wss_server_expired_
.Start());
933 // Setup page title observer.
934 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
935 content::TitleWatcher
watcher(tab
, ASCIIToUTF16("PASS"));
936 watcher
.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
938 // Create GURLs to test pages.
939 std::string master_url_path
= base::StringPrintf("%s?%d",
940 test_server()->GetURL("files/ssl/wss_close.html").spec().c_str(),
941 wss_server_expired_
.host_port_pair().port());
942 GURL
master_url(master_url_path
);
943 std::string slave_url_path
= base::StringPrintf("%s?%d",
944 test_server()->GetURL("files/ssl/wss_close_slave.html").spec().c_str(),
945 wss_server_expired_
.host_port_pair().port());
946 GURL
slave_url(slave_url_path
);
948 // Create tabs and visit pages which keep on creating wss connections.
949 WebContents
* tabs
[16];
950 for (int i
= 0; i
< 16; ++i
) {
951 tabs
[i
] = chrome::AddSelectedTabWithURL(browser(), slave_url
,
952 ui::PAGE_TRANSITION_LINK
);
954 chrome::SelectNextTab(browser());
956 // Visit a page which waits for one TLS handshake failure.
957 // The title will be changed to 'PASS'.
958 ui_test_utils::NavigateToURL(browser(), master_url
);
959 const base::string16 result
= watcher
.WaitAndGetTitle();
960 EXPECT_TRUE(base::LowerCaseEqualsASCII(result
, "pass"));
962 // Close tabs which contains the test page.
963 for (int i
= 0; i
< 16; ++i
)
964 chrome::CloseWebContents(browser(), tabs
[i
], false);
965 chrome::CloseWebContents(browser(), tab
, false);
968 // Visit a HTTPS page and proceeds despite an invalid certificate. The page
969 // requests WSS connection to the same origin host to check if WSS connection
970 // share certificates policy with HTTPS correcly.
971 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestWSSInvalidCertAndGoForward
) {
972 ASSERT_TRUE(test_server()->Start());
973 ASSERT_TRUE(wss_server_expired_
.Start());
975 // Setup page title observer.
976 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
977 content::TitleWatcher
watcher(tab
, ASCIIToUTF16("PASS"));
978 watcher
.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
980 // Visit bad HTTPS page.
981 GURL::Replacements replacements
;
982 replacements
.SetSchemeStr("https");
983 ui_test_utils::NavigateToURL(
985 wss_server_expired_
.GetURL(
986 "connect_check.html").ReplaceComponents(replacements
));
987 CheckAuthenticationBrokenState(
988 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
991 ProceedThroughInterstitial(tab
);
993 // Test page run a WebSocket wss connection test. The result will be shown
995 const base::string16 result
= watcher
.WaitAndGetTitle();
996 EXPECT_TRUE(base::LowerCaseEqualsASCII(result
, "pass"));
999 // Ensure that non-standard origins are marked correctly when the
1000 // MarkNonSecureAs field trial is enabled.
1001 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestMarkNonSecureAs
) {
1002 scoped_refptr
<base::FieldTrial
> trial
=
1003 base::FieldTrialList::CreateFieldTrial(
1004 "MarkNonSecureAs", switches::kMarkNonSecureAsNonSecure
);
1006 ui_test_utils::NavigateToURL(browser(), GURL("file:/"));
1007 EXPECT_EQ(connection_security::NONE
,
1008 connection_security::GetSecurityLevelForWebContents(
1009 browser()->tab_strip_model()->GetActiveWebContents()));
1011 ui_test_utils::NavigateToURL(browser(), GURL("about:blank"));
1012 EXPECT_EQ(connection_security::NONE
,
1013 connection_security::GetSecurityLevelForWebContents(
1014 browser()->tab_strip_model()->GetActiveWebContents()));
1016 ui_test_utils::NavigateToURL(browser(), GURL("data:text/plain,hello"));
1017 EXPECT_EQ(connection_security::NONE
,
1018 connection_security::GetSecurityLevelForWebContents(
1019 browser()->tab_strip_model()->GetActiveWebContents()));
1021 ui_test_utils::NavigateToURL(
1023 GURL("blob:chrome%3A//newtab/49a463bb-fac8-476c-97bf-5d7076c3ea1a"));
1024 EXPECT_EQ(connection_security::NONE
,
1025 connection_security::GetSecurityLevelForWebContents(
1026 browser()->tab_strip_model()->GetActiveWebContents()));
1029 #if defined(USE_NSS_CERTS)
1030 class SSLUITestWithClientCert
: public SSLUITest
{
1032 SSLUITestWithClientCert() : cert_db_(NULL
) {}
1034 void SetUpOnMainThread() override
{
1035 SSLUITest::SetUpOnMainThread();
1038 GetNSSCertDatabaseForProfile(
1039 browser()->profile(),
1040 base::Bind(&SSLUITestWithClientCert::DidGetCertDatabase
,
1041 base::Unretained(this),
1047 void DidGetCertDatabase(base::RunLoop
* loop
, net::NSSCertDatabase
* cert_db
) {
1052 net::NSSCertDatabase
* cert_db_
;
1055 // SSL client certificate tests are only enabled when using NSS for private key
1056 // storage, as only NSS can avoid modifying global machine state when testing.
1057 // See http://crbug.com/51132
1059 // Visit a HTTPS page which requires client cert authentication. The client
1060 // cert will be selected automatically, then a test which uses WebSocket runs.
1061 IN_PROC_BROWSER_TEST_F(SSLUITestWithClientCert
, TestWSSClientCert
) {
1062 // Import a client cert for test.
1063 scoped_refptr
<net::CryptoModule
> crypt_module
= cert_db_
->GetPublicModule();
1064 std::string pkcs12_data
;
1065 base::FilePath cert_path
= net::GetTestCertsDirectory().Append(
1066 FILE_PATH_LITERAL("websocket_client_cert.p12"));
1067 EXPECT_TRUE(base::ReadFileToString(cert_path
, &pkcs12_data
));
1069 cert_db_
->ImportFromPKCS12(
1070 crypt_module
.get(), pkcs12_data
, base::string16(), true, NULL
));
1072 // Start WebSocket test server with TLS and client cert authentication.
1073 net::SpawnedTestServer::SSLOptions
options(
1074 net::SpawnedTestServer::SSLOptions::CERT_OK
);
1075 options
.request_client_certificate
= true;
1076 base::FilePath ca_path
= net::GetTestCertsDirectory().Append(
1077 FILE_PATH_LITERAL("websocket_cacert.pem"));
1078 options
.client_authorities
.push_back(ca_path
);
1079 net::SpawnedTestServer
wss_server(net::SpawnedTestServer::TYPE_WSS
,
1081 net::GetWebSocketTestDataDirectory());
1082 ASSERT_TRUE(wss_server
.Start());
1083 GURL::Replacements replacements
;
1084 replacements
.SetSchemeStr("https");
1085 GURL url
= wss_server
.GetURL("connect_check.html").ReplaceComponents(
1088 // Setup page title observer.
1089 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1090 content::TitleWatcher
watcher(tab
, ASCIIToUTF16("PASS"));
1091 watcher
.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
1093 // Add an entry into AutoSelectCertificateForUrls policy for automatic client
1095 Profile
* profile
= Profile::FromBrowserContext(tab
->GetBrowserContext());
1097 scoped_ptr
<base::DictionaryValue
> dict(new base::DictionaryValue());
1098 dict
->SetString("ISSUER.CN", "pywebsocket");
1099 profile
->GetHostContentSettingsMap()->SetWebsiteSetting(
1100 ContentSettingsPattern::FromURL(url
),
1101 ContentSettingsPattern::FromURL(url
),
1102 CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE
,
1106 // Visit a HTTPS page which requires client certs.
1107 ui_test_utils::NavigateToURL(browser(), url
);
1108 CheckAuthenticatedState(tab
, AuthState::NONE
);
1110 // Test page runs a WebSocket wss connection test. The result will be shown
1112 const base::string16 result
= watcher
.WaitAndGetTitle();
1113 EXPECT_TRUE(base::LowerCaseEqualsASCII(result
, "pass"));
1115 #endif // defined(USE_NSS_CERTS)
1117 // Flaky on CrOS http://crbug.com/92292
1118 #if defined(OS_CHROMEOS)
1119 #define MAYBE_TestHTTPSErrorWithNoNavEntry \
1120 DISABLED_TestHTTPSErrorWithNoNavEntry
1122 #define MAYBE_TestHTTPSErrorWithNoNavEntry TestHTTPSErrorWithNoNavEntry
1123 #endif // defined(OS_CHROMEOS)
1125 // Open a page with a HTTPS error in a tab with no prior navigation (through a
1126 // link with a blank target). This is to test that the lack of navigation entry
1127 // does not cause any problems (it was causing a crasher, see
1128 // http://crbug.com/19941).
1129 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestHTTPSErrorWithNoNavEntry
) {
1130 ASSERT_TRUE(https_server_expired_
.Start());
1132 GURL url
= https_server_expired_
.GetURL("files/ssl/google.htm");
1133 WebContents
* tab2
= chrome::AddSelectedTabWithURL(
1134 browser(), url
, ui::PAGE_TRANSITION_TYPED
);
1135 content::WaitForLoadStop(tab2
);
1137 // Verify our assumption that there was no prior navigation.
1138 EXPECT_FALSE(chrome::CanGoBack(browser()));
1140 // We should have an interstitial page showing.
1141 ASSERT_TRUE(tab2
->GetInterstitialPage());
1142 ASSERT_EQ(SSLBlockingPage::kTypeForTesting
, tab2
->GetInterstitialPage()
1143 ->GetDelegateForTesting()
1144 ->GetTypeForTesting());
1147 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestBadHTTPSDownload
) {
1148 ASSERT_TRUE(test_server()->Start());
1149 ASSERT_TRUE(https_server_expired_
.Start());
1150 GURL url_non_dangerous
= test_server()->GetURL(std::string());
1151 GURL url_dangerous
=
1152 https_server_expired_
.GetURL("files/downloads/dangerous/dangerous.exe");
1153 base::ScopedTempDir downloads_directory_
;
1155 // Need empty temp dir to avoid having Chrome ask us for a new filename
1156 // when we've downloaded dangerous.exe one hundred times.
1157 ASSERT_TRUE(downloads_directory_
.CreateUniqueTempDir());
1159 browser()->profile()->GetPrefs()->SetFilePath(
1160 prefs::kDownloadDefaultDirectory
,
1161 downloads_directory_
.path());
1163 // Visit a non-dangerous page.
1164 ui_test_utils::NavigateToURL(browser(), url_non_dangerous
);
1166 // Now, start a transition to dangerous download.
1168 content::WindowedNotificationObserver
observer(
1169 content::NOTIFICATION_LOAD_STOP
,
1170 content::NotificationService::AllSources());
1171 chrome::NavigateParams
navigate_params(browser(), url_dangerous
,
1172 ui::PAGE_TRANSITION_TYPED
);
1173 chrome::Navigate(&navigate_params
);
1177 // To exit the browser cleanly (and this test) we need to complete the
1178 // download after completing this test.
1179 content::DownloadTestObserverTerminal
dangerous_download_observer(
1180 content::BrowserContext::GetDownloadManager(browser()->profile()),
1182 content::DownloadTestObserver::ON_DANGEROUS_DOWNLOAD_ACCEPT
);
1184 // Proceed through the SSL interstitial. This doesn't use
1185 // |ProceedThroughInterstitial| since no page load will commit.
1186 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1187 ASSERT_TRUE(tab
!= NULL
);
1188 ASSERT_TRUE(tab
->GetInterstitialPage() != NULL
);
1190 SSLBlockingPage::kTypeForTesting
,
1191 tab
->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1193 content::WindowedNotificationObserver
observer(
1194 chrome::NOTIFICATION_DOWNLOAD_INITIATED
,
1195 content::NotificationService::AllSources());
1196 tab
->GetInterstitialPage()->Proceed();
1200 // There should still be an interstitial at this point. Press the
1201 // back button on the browser. Note that this doesn't wait for a
1202 // NAV_ENTRY_COMMITTED notification because going back with an
1203 // active interstitial simply hides the interstitial.
1204 ASSERT_TRUE(tab
->GetInterstitialPage() != NULL
);
1206 SSLBlockingPage::kTypeForTesting
,
1207 tab
->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1208 EXPECT_TRUE(chrome::CanGoBack(browser()));
1209 chrome::GoBack(browser(), CURRENT_TAB
);
1211 dangerous_download_observer
.WaitForFinished();
1219 // http://crbug.com/152940 Flaky on win.
1220 #define MAYBE_TestDisplaysInsecureContent DISABLED_TestDisplaysInsecureContent
1222 #define MAYBE_TestDisplaysInsecureContent TestDisplaysInsecureContent
1225 // Visits a page that displays insecure content.
1226 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestDisplaysInsecureContent
) {
1227 ASSERT_TRUE(test_server()->Start());
1228 ASSERT_TRUE(https_server_
.Start());
1230 std::string replacement_path
;
1231 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1232 "files/ssl/page_displays_insecure_content.html",
1233 test_server()->host_port_pair(),
1234 &replacement_path
));
1236 // Load a page that displays insecure content.
1237 ui_test_utils::NavigateToURL(browser(),
1238 https_server_
.GetURL(replacement_path
));
1240 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
1241 AuthState::DISPLAYED_INSECURE_CONTENT
);
1244 // Test that if the user proceeds and the checkbox is checked, a report
1245 // is sent or not sent depending on the Finch config.
1246 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1247 TestBrokenHTTPSProceedReporting
) {
1248 certificate_reporting_test_utils::ExpectReport expect_report
=
1249 certificate_reporting_test_utils::GetReportExpectedFromFinch();
1250 TestBrokenHTTPSReporting(
1251 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN
,
1252 SSL_INTERSTITIAL_PROCEED
, expect_report
, browser());
1255 // Test that if the user goes back and the checkbox is checked, a report
1256 // is sent or not sent depending on the Finch config.
1257 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1258 TestBrokenHTTPSGoBackReporting
) {
1259 certificate_reporting_test_utils::ExpectReport expect_report
=
1260 certificate_reporting_test_utils::GetReportExpectedFromFinch();
1261 TestBrokenHTTPSReporting(
1262 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN
,
1263 SSL_INTERSTITIAL_DO_NOT_PROCEED
, expect_report
, browser());
1266 // User proceeds, checkbox is shown but unchecked. Reports should never
1267 // be sent, regardless of Finch config.
1268 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1269 TestBrokenHTTPSProceedReportingWithNoOptIn
) {
1270 TestBrokenHTTPSReporting(
1271 certificate_reporting_test_utils::EXTENDED_REPORTING_DO_NOT_OPT_IN
,
1272 SSL_INTERSTITIAL_PROCEED
,
1273 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED
, browser());
1276 // User goes back, checkbox is shown but unchecked. Reports should never
1277 // be sent, regardless of Finch config.
1278 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1279 TestBrokenHTTPSGoBackShowYesCheckNoParamYesReportNo
) {
1280 TestBrokenHTTPSReporting(
1281 certificate_reporting_test_utils::EXTENDED_REPORTING_DO_NOT_OPT_IN
,
1282 SSL_INTERSTITIAL_DO_NOT_PROCEED
,
1283 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED
, browser());
1286 // User proceeds, checkbox is not shown but checked -> we expect no
1288 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1289 TestBrokenHTTPSProceedShowNoCheckYesReportNo
) {
1290 if (base::FieldTrialList::FindFullName(
1291 CertReportHelper::kFinchExperimentName
) ==
1292 CertReportHelper::kFinchGroupDontShowDontSend
) {
1293 TestBrokenHTTPSReporting(
1294 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN
,
1295 SSL_INTERSTITIAL_PROCEED
,
1296 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED
, browser());
1300 // Browser is incognito, user proceeds, checkbox has previously opted in
1301 // -> no report, regardless of Finch config.
1302 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1303 TestBrokenHTTPSInIncognitoReportNo
) {
1304 TestBrokenHTTPSReporting(
1305 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN
,
1306 SSL_INTERSTITIAL_PROCEED
,
1307 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED
,
1308 CreateIncognitoBrowser());
1311 // Test that reports don't get sent when extended reporting opt-in is
1312 // disabled by policy.
1313 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting
,
1314 TestBrokenHTTPSNoReportingWhenDisallowed
) {
1315 browser()->profile()->GetPrefs()->SetBoolean(
1316 prefs::kSafeBrowsingExtendedReportingOptInAllowed
, false);
1317 TestBrokenHTTPSReporting(
1318 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN
,
1319 SSL_INTERSTITIAL_PROCEED
,
1320 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED
, browser());
1323 // Visits a page that runs insecure content and tries to suppress the insecure
1324 // content warnings by randomizing location.hash.
1325 // Based on http://crbug.com/8706
1326 IN_PROC_BROWSER_TEST_F(SSLUITest
,
1327 TestRunsInsecuredContentRandomizeHash
) {
1328 ASSERT_TRUE(test_server()->Start());
1329 ASSERT_TRUE(https_server_
.Start());
1331 ui_test_utils::NavigateToURL(browser(), https_server_
.GetURL(
1332 "files/ssl/page_runs_insecure_content.html"));
1334 CheckAuthenticationBrokenState(
1335 browser()->tab_strip_model()->GetActiveWebContents(),
1337 AuthState::DISPLAYED_INSECURE_CONTENT
| AuthState::RAN_INSECURE_CONTENT
);
1340 // Visits a page with unsafe content and make sure that:
1341 // - frames content is replaced with warning
1342 // - images and scripts are filtered out entirely
1343 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestUnsafeContents
) {
1344 ASSERT_TRUE(https_server_
.Start());
1345 ASSERT_TRUE(https_server_expired_
.Start());
1347 std::string replacement_path
;
1348 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1349 "files/ssl/page_with_unsafe_contents.html",
1350 https_server_expired_
.host_port_pair(),
1351 &replacement_path
));
1352 ui_test_utils::NavigateToURL(browser(),
1353 https_server_
.GetURL(replacement_path
));
1355 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1356 // When the bad content is filtered, the state is expected to be
1358 CheckAuthenticatedState(tab
, AuthState::NONE
);
1360 // Because of cross-frame scripting restrictions, we cannot access the iframe
1361 // content. So to know if the frame was loaded, we just check if a popup was
1362 // opened (the iframe content opens one).
1363 // Note: because of bug 1115868, no web contents modal dialog is opened right
1364 // now. Once the bug is fixed, this will do the real check.
1365 EXPECT_FALSE(IsShowingWebContentsModalDialog());
1368 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
1370 "window.domAutomationController.send(ImageWidth());",
1372 // In order to check that the image was not loaded, we check its width.
1373 // The actual image (Google logo) is 114 pixels wide, we assume the broken
1374 // image is less than 100.
1375 EXPECT_LT(img_width
, 100);
1377 bool js_result
= false;
1378 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1380 "window.domAutomationController.send(IsFooSet());",
1382 EXPECT_FALSE(js_result
);
1385 // Visits a page with insecure content loaded by JS (after the initial page
1387 #if defined(OS_LINUX)
1388 // flaky http://crbug.com/396462
1389 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1390 DISABLED_TestDisplaysInsecureContentLoadedFromJS
1392 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1393 TestDisplaysInsecureContentLoadedFromJS
1395 IN_PROC_BROWSER_TEST_F(SSLUITest
,
1396 MAYBE_TestDisplaysInsecureContentLoadedFromJS
) {
1397 ASSERT_TRUE(test_server()->Start());
1398 ASSERT_TRUE(https_server_
.Start());
1400 std::string replacement_path
;
1401 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1402 "files/ssl/page_with_dynamic_insecure_content.html",
1403 test_server()->host_port_pair(),
1404 &replacement_path
));
1405 ui_test_utils::NavigateToURL(browser(), https_server_
.GetURL(
1408 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1409 CheckAuthenticatedState(tab
, AuthState::NONE
);
1411 // Load the insecure image.
1412 bool js_result
= false;
1413 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1417 EXPECT_TRUE(js_result
);
1419 // We should now have insecure content.
1420 CheckAuthenticatedState(tab
, AuthState::DISPLAYED_INSECURE_CONTENT
);
1423 // Visits two pages from the same origin: one that displays insecure content and
1424 // one that doesn't. The test checks that we do not propagate the insecure
1425 // content state from one to the other.
1426 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestDisplaysInsecureContentTwoTabs
) {
1427 ASSERT_TRUE(test_server()->Start());
1428 ASSERT_TRUE(https_server_
.Start());
1430 ui_test_utils::NavigateToURL(browser(),
1431 https_server_
.GetURL("files/ssl/blank_page.html"));
1433 WebContents
* tab1
= browser()->tab_strip_model()->GetActiveWebContents();
1435 // This tab should be fine.
1436 CheckAuthenticatedState(tab1
, AuthState::NONE
);
1438 // Create a new tab.
1439 std::string replacement_path
;
1440 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1441 "files/ssl/page_displays_insecure_content.html",
1442 test_server()->host_port_pair(),
1443 &replacement_path
));
1445 GURL url
= https_server_
.GetURL(replacement_path
);
1446 chrome::NavigateParams
params(browser(), url
, ui::PAGE_TRANSITION_TYPED
);
1447 params
.disposition
= NEW_FOREGROUND_TAB
;
1448 params
.tabstrip_index
= 0;
1449 params
.source_contents
= tab1
;
1450 content::WindowedNotificationObserver
observer(
1451 content::NOTIFICATION_LOAD_STOP
,
1452 content::NotificationService::AllSources());
1453 chrome::Navigate(¶ms
);
1454 WebContents
* tab2
= params
.target_contents
;
1457 // The new tab has insecure content.
1458 CheckAuthenticatedState(tab2
, AuthState::DISPLAYED_INSECURE_CONTENT
);
1460 // The original tab should not be contaminated.
1461 CheckAuthenticatedState(tab1
, AuthState::NONE
);
1464 // Visits two pages from the same origin: one that runs insecure content and one
1465 // that doesn't. The test checks that we propagate the insecure content state
1466 // from one to the other.
1467 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestRunsInsecureContentTwoTabs
) {
1468 ASSERT_TRUE(test_server()->Start());
1469 ASSERT_TRUE(https_server_
.Start());
1471 ui_test_utils::NavigateToURL(browser(),
1472 https_server_
.GetURL("files/ssl/blank_page.html"));
1474 WebContents
* tab1
= browser()->tab_strip_model()->GetActiveWebContents();
1476 // This tab should be fine.
1477 CheckAuthenticatedState(tab1
, AuthState::NONE
);
1479 std::string replacement_path
;
1480 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1481 "files/ssl/page_runs_insecure_content.html",
1482 test_server()->host_port_pair(),
1483 &replacement_path
));
1485 // Create a new tab in the same process. Using a NEW_FOREGROUND_TAB
1486 // disposition won't usually stay in the same process, but this works
1487 // because we are using process-per-site in SetUpCommandLine.
1488 GURL url
= https_server_
.GetURL(replacement_path
);
1489 chrome::NavigateParams
params(browser(), url
, ui::PAGE_TRANSITION_TYPED
);
1490 params
.disposition
= NEW_FOREGROUND_TAB
;
1491 params
.source_contents
= tab1
;
1492 content::WindowedNotificationObserver
observer(
1493 content::NOTIFICATION_LOAD_STOP
,
1494 content::NotificationService::AllSources());
1495 chrome::Navigate(¶ms
);
1496 WebContents
* tab2
= params
.target_contents
;
1499 // Both tabs should have the same process.
1500 EXPECT_EQ(tab1
->GetRenderProcessHost(), tab2
->GetRenderProcessHost());
1502 // The new tab has insecure content.
1503 CheckAuthenticationBrokenState(
1506 AuthState::DISPLAYED_INSECURE_CONTENT
| AuthState::RAN_INSECURE_CONTENT
);
1508 // Which means the origin for the first tab has also been contaminated with
1509 // insecure content.
1510 CheckAuthenticationBrokenState(
1511 tab1
, CertError::NONE
, AuthState::RAN_INSECURE_CONTENT
);
1514 // Visits a page with an image over http. Visits another page over https
1515 // referencing that same image over http (hoping it is coming from the webcore
1517 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestDisplaysCachedInsecureContent
) {
1518 ASSERT_TRUE(test_server()->Start());
1519 ASSERT_TRUE(https_server_
.Start());
1521 std::string replacement_path
;
1522 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1523 "files/ssl/page_displays_insecure_content.html",
1524 test_server()->host_port_pair(),
1525 &replacement_path
));
1527 // Load original page over HTTP.
1528 const GURL url_http
= test_server()->GetURL(replacement_path
);
1529 ui_test_utils::NavigateToURL(browser(), url_http
);
1530 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1531 CheckUnauthenticatedState(tab
, AuthState::NONE
);
1533 // Load again but over SSL. It should be marked as displaying insecure
1534 // content (even though the image comes from the WebCore memory cache).
1535 const GURL url_https
= https_server_
.GetURL(replacement_path
);
1536 ui_test_utils::NavigateToURL(browser(), url_https
);
1537 CheckAuthenticatedState(tab
, AuthState::DISPLAYED_INSECURE_CONTENT
);
1540 // http://crbug.com/84729
1541 #if defined(OS_CHROMEOS)
1542 #define MAYBE_TestRunsCachedInsecureContent \
1543 DISABLED_TestRunsCachedInsecureContent
1545 #define MAYBE_TestRunsCachedInsecureContent TestRunsCachedInsecureContent
1546 #endif // defined(OS_CHROMEOS)
1548 // Visits a page with script over http. Visits another page over https
1549 // referencing that same script over http (hoping it is coming from the webcore
1551 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestRunsCachedInsecureContent
) {
1552 ASSERT_TRUE(test_server()->Start());
1553 ASSERT_TRUE(https_server_
.Start());
1555 std::string replacement_path
;
1556 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1557 "files/ssl/page_runs_insecure_content.html",
1558 test_server()->host_port_pair(),
1559 &replacement_path
));
1561 // Load original page over HTTP.
1562 const GURL url_http
= test_server()->GetURL(replacement_path
);
1563 ui_test_utils::NavigateToURL(browser(), url_http
);
1564 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1565 CheckUnauthenticatedState(tab
, AuthState::NONE
);
1567 // Load again but over SSL. It should be marked as displaying insecure
1568 // content (even though the image comes from the WebCore memory cache).
1569 const GURL url_https
= https_server_
.GetURL(replacement_path
);
1570 ui_test_utils::NavigateToURL(browser(), url_https
);
1571 CheckAuthenticationBrokenState(
1574 AuthState::DISPLAYED_INSECURE_CONTENT
| AuthState::RAN_INSECURE_CONTENT
);
1577 // This test ensures the CN invalid status does not 'stick' to a certificate
1578 // (see bug #1044942) and that it depends on the host-name.
1579 // Test if disabled due to flakiness http://crbug.com/368280 .
1580 IN_PROC_BROWSER_TEST_F(SSLUITest
, DISABLED_TestCNInvalidStickiness
) {
1581 ASSERT_TRUE(https_server_
.Start());
1582 ASSERT_TRUE(https_server_mismatched_
.Start());
1584 // First we hit the server with hostname, this generates an invalid policy
1586 ui_test_utils::NavigateToURL(browser(),
1587 https_server_mismatched_
.GetURL("files/ssl/google.html"));
1589 // We get an interstitial page as a result.
1590 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1591 CheckAuthenticationBrokenState(tab
,
1592 net::CERT_STATUS_COMMON_NAME_INVALID
,
1593 AuthState::SHOWING_INTERSTITIAL
);
1594 ProceedThroughInterstitial(tab
);
1595 CheckAuthenticationBrokenState(
1596 tab
, net::CERT_STATUS_COMMON_NAME_INVALID
, AuthState::NONE
);
1598 // Now we try again with the right host name this time.
1599 GURL
url(https_server_
.GetURL("files/ssl/google.html"));
1600 ui_test_utils::NavigateToURL(browser(), url
);
1602 // Security state should be OK.
1603 CheckAuthenticatedState(tab
, AuthState::NONE
);
1605 // Now try again the broken one to make sure it is still broken.
1606 ui_test_utils::NavigateToURL(browser(),
1607 https_server_mismatched_
.GetURL("files/ssl/google.html"));
1609 // Since we OKed the interstitial last time, we get right to the page.
1610 CheckAuthenticationBrokenState(
1611 tab
, net::CERT_STATUS_COMMON_NAME_INVALID
, AuthState::NONE
);
1614 #if defined(OS_CHROMEOS)
1615 // This test seems to be flaky and hang on chromiumos.
1616 // http://crbug.com/84419
1617 #define MAYBE_TestRefNavigation DISABLED_TestRefNavigation
1619 #define MAYBE_TestRefNavigation TestRefNavigation
1622 // Test that navigating to a #ref does not change a bad security state.
1623 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestRefNavigation
) {
1624 ASSERT_TRUE(https_server_expired_
.Start());
1626 ui_test_utils::NavigateToURL(browser(),
1627 https_server_expired_
.GetURL("files/ssl/page_with_refs.html"));
1629 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1630 CheckAuthenticationBrokenState(
1631 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
1633 ProceedThroughInterstitial(tab
);
1635 CheckAuthenticationBrokenState(
1636 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
1637 // Now navigate to a ref in the page, the security state should not have
1639 ui_test_utils::NavigateToURL(browser(),
1640 https_server_expired_
.GetURL("files/ssl/page_with_refs.html#jp"));
1642 CheckAuthenticationBrokenState(
1643 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
1646 // Tests that closing a page that has a unsafe pop-up does not crash the
1647 // browser (bug #1966).
1648 // TODO(jcampan): http://crbug.com/2136 disabled because the popup is not
1649 // opened as it is not initiated by a user gesture.
1650 IN_PROC_BROWSER_TEST_F(SSLUITest
, DISABLED_TestCloseTabWithUnsafePopup
) {
1651 ASSERT_TRUE(test_server()->Start());
1652 ASSERT_TRUE(https_server_expired_
.Start());
1654 std::string replacement_path
;
1655 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1656 "files/ssl/page_with_unsafe_popup.html",
1657 https_server_expired_
.host_port_pair(),
1658 &replacement_path
));
1660 ui_test_utils::NavigateToURL(browser(),
1661 test_server()->GetURL(replacement_path
));
1663 WebContents
* tab1
= browser()->tab_strip_model()->GetActiveWebContents();
1664 // It is probably overkill to add a notification for a popup-opening, let's
1666 for (int i
= 0; i
< 10; i
++) {
1667 if (IsShowingWebContentsModalDialog())
1669 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
1670 FROM_HERE
, base::MessageLoop::QuitClosure(),
1671 base::TimeDelta::FromSeconds(1));
1672 content::RunMessageLoop();
1674 ASSERT_TRUE(IsShowingWebContentsModalDialog());
1676 // Let's add another tab to make sure the browser does not exit when we close
1678 GURL url
= test_server()->GetURL("files/ssl/google.html");
1679 content::WindowedNotificationObserver
observer(
1680 content::NOTIFICATION_LOAD_STOP
,
1681 content::NotificationService::AllSources());
1682 chrome::AddSelectedTabWithURL(browser(), url
, ui::PAGE_TRANSITION_TYPED
);
1685 // Close the first tab.
1686 chrome::CloseWebContents(browser(), tab1
, false);
1689 // Visit a page over bad https that is a redirect to a page with good https.
1690 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestRedirectBadToGoodHTTPS
) {
1691 ASSERT_TRUE(https_server_
.Start());
1692 ASSERT_TRUE(https_server_expired_
.Start());
1694 GURL url1
= https_server_expired_
.GetURL("server-redirect?");
1695 GURL url2
= https_server_
.GetURL("files/ssl/google.html");
1697 ui_test_utils::NavigateToURL(browser(), GURL(url1
.spec() + url2
.spec()));
1699 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1701 CheckAuthenticationBrokenState(
1702 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
1704 ProceedThroughInterstitial(tab
);
1706 // We have been redirected to the good page.
1707 CheckAuthenticatedState(tab
, AuthState::NONE
);
1710 // Flaky on Linux. http://crbug.com/368280.
1711 #if defined(OS_LINUX)
1712 #define MAYBE_TestRedirectGoodToBadHTTPS DISABLED_TestRedirectGoodToBadHTTPS
1714 #define MAYBE_TestRedirectGoodToBadHTTPS TestRedirectGoodToBadHTTPS
1717 // Visit a page over good https that is a redirect to a page with bad https.
1718 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestRedirectGoodToBadHTTPS
) {
1719 ASSERT_TRUE(https_server_
.Start());
1720 ASSERT_TRUE(https_server_expired_
.Start());
1722 GURL url1
= https_server_
.GetURL("server-redirect?");
1723 GURL url2
= https_server_expired_
.GetURL("files/ssl/google.html");
1724 ui_test_utils::NavigateToURL(browser(), GURL(url1
.spec() + url2
.spec()));
1726 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1727 CheckAuthenticationBrokenState(
1728 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
1730 ProceedThroughInterstitial(tab
);
1732 CheckAuthenticationBrokenState(
1733 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
1736 // Visit a page over http that is a redirect to a page with good HTTPS.
1737 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestRedirectHTTPToGoodHTTPS
) {
1738 ASSERT_TRUE(test_server()->Start());
1739 ASSERT_TRUE(https_server_
.Start());
1741 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1743 // HTTP redirects to good HTTPS.
1744 GURL http_url
= test_server()->GetURL("server-redirect?");
1745 GURL good_https_url
=
1746 https_server_
.GetURL("files/ssl/google.html");
1748 ui_test_utils::NavigateToURL(browser(),
1749 GURL(http_url
.spec() + good_https_url
.spec()));
1750 CheckAuthenticatedState(tab
, AuthState::NONE
);
1753 // Flaky on Linux. http://crbug.com/368280.
1754 #if defined(OS_LINUX)
1755 #define MAYBE_TestRedirectHTTPToBadHTTPS DISABLED_TestRedirectHTTPToBadHTTPS
1757 #define MAYBE_TestRedirectHTTPToBadHTTPS TestRedirectHTTPToBadHTTPS
1760 // Visit a page over http that is a redirect to a page with bad HTTPS.
1761 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestRedirectHTTPToBadHTTPS
) {
1762 ASSERT_TRUE(test_server()->Start());
1763 ASSERT_TRUE(https_server_expired_
.Start());
1765 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1767 GURL http_url
= test_server()->GetURL("server-redirect?");
1768 GURL bad_https_url
=
1769 https_server_expired_
.GetURL("files/ssl/google.html");
1770 ui_test_utils::NavigateToURL(browser(),
1771 GURL(http_url
.spec() + bad_https_url
.spec()));
1772 CheckAuthenticationBrokenState(
1773 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
1775 ProceedThroughInterstitial(tab
);
1777 CheckAuthenticationBrokenState(
1778 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
1781 // Visit a page over https that is a redirect to a page with http (to make sure
1782 // we don't keep the secure state).
1783 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestRedirectHTTPSToHTTP
) {
1784 ASSERT_TRUE(test_server()->Start());
1785 ASSERT_TRUE(https_server_
.Start());
1787 GURL https_url
= https_server_
.GetURL("server-redirect?");
1788 GURL http_url
= test_server()->GetURL("files/ssl/google.html");
1790 ui_test_utils::NavigateToURL(browser(),
1791 GURL(https_url
.spec() + http_url
.spec()));
1792 CheckUnauthenticatedState(
1793 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE
);
1796 // Visits a page to which we could not connect (bad port) over http and https
1797 // and make sure the security style is correct.
1798 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestConnectToBadPort
) {
1799 ui_test_utils::NavigateToURL(browser(), GURL("http://localhost:17"));
1800 CheckUnauthenticatedState(
1801 browser()->tab_strip_model()->GetActiveWebContents(),
1802 AuthState::SHOWING_ERROR
);
1804 // Same thing over HTTPS.
1805 ui_test_utils::NavigateToURL(browser(), GURL("https://localhost:17"));
1806 CheckUnauthenticatedState(
1807 browser()->tab_strip_model()->GetActiveWebContents(),
1808 AuthState::SHOWING_ERROR
);
1815 // From a good HTTPS top frame:
1816 // - navigate to an OK HTTPS frame
1817 // - navigate to a bad HTTPS (expect unsafe content and filtered frame), then
1819 // - navigate to HTTP (expect insecure content), then back
1820 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestGoodFrameNavigation
) {
1821 ASSERT_TRUE(test_server()->Start());
1822 ASSERT_TRUE(https_server_
.Start());
1823 ASSERT_TRUE(https_server_expired_
.Start());
1825 std::string top_frame_path
;
1826 ASSERT_TRUE(GetTopFramePath(*test_server(),
1828 https_server_expired_
,
1831 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1832 ui_test_utils::NavigateToURL(browser(),
1833 https_server_
.GetURL(top_frame_path
));
1835 CheckAuthenticatedState(tab
, AuthState::NONE
);
1837 bool success
= false;
1838 // Now navigate inside the frame.
1840 content::WindowedNotificationObserver
observer(
1841 content::NOTIFICATION_LOAD_STOP
,
1842 content::Source
<NavigationController
>(&tab
->GetController()));
1843 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1845 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1847 ASSERT_TRUE(success
);
1851 // We should still be fine.
1852 CheckAuthenticatedState(tab
, AuthState::NONE
);
1854 // Now let's hit a bad page.
1856 content::WindowedNotificationObserver
observer(
1857 content::NOTIFICATION_LOAD_STOP
,
1858 content::Source
<NavigationController
>(&tab
->GetController()));
1859 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1861 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
1863 ASSERT_TRUE(success
);
1867 // The security style should still be secure.
1868 CheckAuthenticatedState(tab
, AuthState::NONE
);
1870 // And the frame should be blocked.
1871 bool is_content_evil
= true;
1872 content::RenderFrameHost
* content_frame
= content::FrameMatchingPredicate(
1873 tab
, base::Bind(&content::FrameMatchesName
, "contentFrame"));
1874 std::string
is_evil_js("window.domAutomationController.send("
1875 "document.getElementById('evilDiv') != null);");
1876 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame
,
1879 EXPECT_FALSE(is_content_evil
);
1881 // Now go back, our state should still be OK.
1883 content::WindowedNotificationObserver
observer(
1884 content::NOTIFICATION_LOAD_STOP
,
1885 content::Source
<NavigationController
>(&tab
->GetController()));
1886 tab
->GetController().GoBack();
1889 CheckAuthenticatedState(tab
, AuthState::NONE
);
1891 // Navigate to a page served over HTTP.
1893 content::WindowedNotificationObserver
observer(
1894 content::NOTIFICATION_LOAD_STOP
,
1895 content::Source
<NavigationController
>(&tab
->GetController()));
1896 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1898 "window.domAutomationController.send(clickLink('HTTPLink'));",
1900 ASSERT_TRUE(success
);
1904 // Our state should be unathenticated (in the ran mixed script sense)
1905 CheckAuthenticationBrokenState(
1908 AuthState::DISPLAYED_INSECURE_CONTENT
| AuthState::RAN_INSECURE_CONTENT
);
1910 // Go back, our state should be unchanged.
1912 content::WindowedNotificationObserver
observer(
1913 content::NOTIFICATION_LOAD_STOP
,
1914 content::Source
<NavigationController
>(&tab
->GetController()));
1915 tab
->GetController().GoBack();
1919 CheckAuthenticationBrokenState(
1922 AuthState::DISPLAYED_INSECURE_CONTENT
| AuthState::RAN_INSECURE_CONTENT
);
1925 // From a bad HTTPS top frame:
1926 // - navigate to an OK HTTPS frame (expected to be still authentication broken).
1927 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestBadFrameNavigation
) {
1928 ASSERT_TRUE(https_server_
.Start());
1929 ASSERT_TRUE(https_server_expired_
.Start());
1931 std::string top_frame_path
;
1932 ASSERT_TRUE(GetTopFramePath(*test_server(),
1934 https_server_expired_
,
1937 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1938 ui_test_utils::NavigateToURL(browser(),
1939 https_server_expired_
.GetURL(top_frame_path
));
1940 CheckAuthenticationBrokenState(
1941 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
1943 ProceedThroughInterstitial(tab
);
1945 // Navigate to a good frame.
1946 bool success
= false;
1947 content::WindowedNotificationObserver
observer(
1948 content::NOTIFICATION_LOAD_STOP
,
1949 content::Source
<NavigationController
>(&tab
->GetController()));
1950 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1952 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1954 ASSERT_TRUE(success
);
1957 // We should still be authentication broken.
1958 CheckAuthenticationBrokenState(
1959 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
1962 // From an HTTP top frame, navigate to good and bad HTTPS (security state should
1963 // stay unauthenticated).
1964 // Disabled, flakily exceeds test timeout, http://crbug.com/43437.
1965 IN_PROC_BROWSER_TEST_F(SSLUITest
, DISABLED_TestUnauthenticatedFrameNavigation
) {
1966 ASSERT_TRUE(test_server()->Start());
1967 ASSERT_TRUE(https_server_
.Start());
1968 ASSERT_TRUE(https_server_expired_
.Start());
1970 std::string top_frame_path
;
1971 ASSERT_TRUE(GetTopFramePath(*test_server(),
1973 https_server_expired_
,
1976 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
1977 ui_test_utils::NavigateToURL(browser(),
1978 test_server()->GetURL(top_frame_path
));
1979 CheckUnauthenticatedState(tab
, AuthState::NONE
);
1981 // Now navigate inside the frame to a secure HTTPS frame.
1983 bool success
= false;
1984 content::WindowedNotificationObserver
observer(
1985 content::NOTIFICATION_LOAD_STOP
,
1986 content::Source
<NavigationController
>(&tab
->GetController()));
1987 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1989 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1991 ASSERT_TRUE(success
);
1995 // We should still be unauthenticated.
1996 CheckUnauthenticatedState(tab
, AuthState::NONE
);
1998 // Now navigate to a bad HTTPS frame.
2000 bool success
= false;
2001 content::WindowedNotificationObserver
observer(
2002 content::NOTIFICATION_LOAD_STOP
,
2003 content::Source
<NavigationController
>(&tab
->GetController()));
2004 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
2006 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
2008 ASSERT_TRUE(success
);
2012 // State should not have changed.
2013 CheckUnauthenticatedState(tab
, AuthState::NONE
);
2015 // And the frame should have been blocked (see bug #2316).
2016 bool is_content_evil
= true;
2017 content::RenderFrameHost
* content_frame
= content::FrameMatchingPredicate(
2018 tab
, base::Bind(&content::FrameMatchesName
, "contentFrame"));
2019 std::string
is_evil_js("window.domAutomationController.send("
2020 "document.getElementById('evilDiv') != null);");
2021 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame
,
2024 EXPECT_FALSE(is_content_evil
);
2027 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestUnsafeContentsInWorkerFiltered
) {
2028 ASSERT_TRUE(https_server_
.Start());
2029 ASSERT_TRUE(https_server_expired_
.Start());
2031 // This page will spawn a Worker which will try to load content from
2033 std::string page_with_unsafe_worker_path
;
2034 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_expired_
,
2035 &page_with_unsafe_worker_path
));
2036 ui_test_utils::NavigateToURL(browser(), https_server_
.GetURL(
2037 page_with_unsafe_worker_path
));
2038 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2039 // Expect Worker not to load insecure content.
2040 CheckWorkerLoadResult(tab
, false);
2041 // The bad content is filtered, expect the state to be authenticated.
2042 CheckAuthenticatedState(tab
, AuthState::NONE
);
2045 // This test, and the related test TestUnsafeContentsWithUserException, verify
2046 // that if unsafe content is loaded but the host of that unsafe content has a
2047 // user exception, the content runs and the security style remains
2048 // authenticated. This is not necessarily the behavior that should exist, but it
2049 // is verification that it does behave that way. See https://crbug.com/477868
2050 // for more inforamtion on this.
2051 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestUnsafeContentsInWorkerWithUserException
) {
2052 ASSERT_TRUE(https_server_
.Start());
2053 // Note that it is necessary to user https_server_mismatched_ here over the
2054 // other invalid cert servers. This is because the test relies on the two
2055 // servers having different hosts since SSL exceptions are per-host, not per
2056 // origin, and https_server_mismatched_ uses 'localhost' rather than
2058 ASSERT_TRUE(https_server_mismatched_
.Start());
2060 // Navigate to an unsafe site. Proceed with interstitial page to indicate
2061 // the user approves the bad certificate.
2062 ui_test_utils::NavigateToURL(
2063 browser(), https_server_mismatched_
.GetURL("files/ssl/blank_page.html"));
2064 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2065 CheckAuthenticationBrokenState(tab
, net::CERT_STATUS_COMMON_NAME_INVALID
,
2066 AuthState::SHOWING_INTERSTITIAL
);
2067 ProceedThroughInterstitial(tab
);
2068 CheckAuthenticationBrokenState(tab
, net::CERT_STATUS_COMMON_NAME_INVALID
,
2071 // Navigate to safe page that has Worker loading unsafe content.
2072 // Expect content to load but be marked as auth broken due to running insecure
2074 std::string page_with_unsafe_worker_path
;
2075 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_mismatched_
,
2076 &page_with_unsafe_worker_path
));
2077 ui_test_utils::NavigateToURL(
2078 browser(), https_server_
.GetURL(page_with_unsafe_worker_path
));
2079 CheckWorkerLoadResult(tab
, true); // Worker loads insecure content
2080 CheckAuthenticatedState(tab
, CertError::NONE
);
2083 // Visits a page with unsafe content and makes sure that if a user exception to
2084 // the certificate error is present, the image is loaded and script executes.
2086 // See the comment above SSLUITest.TestUnsafeContentsInWorkerWithUserException
2087 // for a discussion about the desired behavior.
2088 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestUnsafeContentsWithUserException
) {
2089 ASSERT_TRUE(https_server_
.Start());
2090 // Note that it is necessary to user https_server_mismatched_ here over the
2091 // other invalid cert servers. This is because the test relies on the two
2092 // servers having different hosts since SSL exceptions are per-host, not per
2093 // origin, and https_server_mismatched_ uses 'localhost' rather than
2095 ASSERT_TRUE(https_server_mismatched_
.Start());
2097 // Navigate to an unsafe site. Proceed with interstitial page to indicate
2098 // the user approves the bad certificate.
2099 ui_test_utils::NavigateToURL(
2100 browser(), https_server_mismatched_
.GetURL("files/ssl/blank_page.html"));
2101 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2102 CheckAuthenticationBrokenState(tab
, net::CERT_STATUS_COMMON_NAME_INVALID
,
2103 AuthState::SHOWING_INTERSTITIAL
);
2104 ProceedThroughInterstitial(tab
);
2105 CheckAuthenticationBrokenState(tab
, net::CERT_STATUS_COMMON_NAME_INVALID
,
2108 std::string replacement_path
;
2109 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2110 "files/ssl/page_with_unsafe_contents.html",
2111 https_server_mismatched_
.host_port_pair(), &replacement_path
));
2112 ui_test_utils::NavigateToURL(browser(),
2113 https_server_
.GetURL(replacement_path
));
2115 // When the bad content is filtered, the state is expected to be
2117 CheckAuthenticatedState(tab
, AuthState::NONE
);
2120 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
2121 tab
, "window.domAutomationController.send(ImageWidth());", &img_width
));
2122 // In order to check that the image was loaded, we check its width.
2123 // The actual image (Google logo) is 114 pixels wide, so we assume a good
2124 // image is greater than 100.
2125 EXPECT_GT(img_width
, 100);
2127 bool js_result
= false;
2128 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
2129 tab
, "window.domAutomationController.send(IsFooSet());", &js_result
));
2130 EXPECT_TRUE(js_result
);
2131 CheckAuthenticatedState(tab
, CertError::NONE
);
2134 // Test that when the browser blocks displaying insecure content (images), the
2135 // indicator shows a secure page, because the blocking made the otherwise
2136 // unsafe page safe (the notification of this state is handled by other means).
2137 IN_PROC_BROWSER_TEST_F(SSLUITestBlock
, TestBlockDisplayingInsecureImage
) {
2138 ASSERT_TRUE(test_server()->Start());
2139 ASSERT_TRUE(https_server_
.Start());
2141 std::string replacement_path
;
2142 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2143 "files/ssl/page_displays_insecure_content.html",
2144 test_server()->host_port_pair(),
2145 &replacement_path
));
2147 ui_test_utils::NavigateToURL(browser(),
2148 https_server_
.GetURL(replacement_path
));
2150 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2154 // Test that when the browser blocks displaying insecure content (iframes), the
2155 // indicator shows a secure page, because the blocking made the otherwise
2156 // unsafe page safe (the notification of this state is handled by other means)
2157 IN_PROC_BROWSER_TEST_F(SSLUITestBlock
, TestBlockDisplayingInsecureIframe
) {
2158 ASSERT_TRUE(test_server()->Start());
2159 ASSERT_TRUE(https_server_
.Start());
2161 std::string replacement_path
;
2162 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2163 "files/ssl/page_displays_insecure_iframe.html",
2164 test_server()->host_port_pair(),
2165 &replacement_path
));
2167 ui_test_utils::NavigateToURL(browser(),
2168 https_server_
.GetURL(replacement_path
));
2170 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2174 // Test that when the browser blocks running insecure content, the
2175 // indicator shows a secure page, because the blocking made the otherwise
2176 // unsafe page safe (the notification of this state is handled by other means).
2177 IN_PROC_BROWSER_TEST_F(SSLUITestBlock
, TestBlockRunningInsecureContent
) {
2178 ASSERT_TRUE(test_server()->Start());
2179 ASSERT_TRUE(https_server_
.Start());
2181 std::string replacement_path
;
2182 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2183 "files/ssl/page_runs_insecure_content.html",
2184 test_server()->host_port_pair(),
2185 &replacement_path
));
2187 ui_test_utils::NavigateToURL(browser(),
2188 https_server_
.GetURL(replacement_path
));
2190 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2194 // Visit a page and establish a WebSocket connection over bad https with
2195 // --ignore-certificate-errors. The connection should be established without
2196 // interstitial page showing.
2197 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors
, TestWSS
) {
2198 ASSERT_TRUE(test_server()->Start());
2199 ASSERT_TRUE(wss_server_expired_
.Start());
2201 // Setup page title observer.
2202 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2203 content::TitleWatcher
watcher(tab
, ASCIIToUTF16("PASS"));
2204 watcher
.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
2206 // Visit bad HTTPS page.
2207 GURL::Replacements replacements
;
2208 replacements
.SetSchemeStr("https");
2209 ui_test_utils::NavigateToURL(
2211 wss_server_expired_
.GetURL(
2212 "connect_check.html").ReplaceComponents(replacements
));
2214 // We shouldn't have an interstitial page showing here.
2216 // Test page run a WebSocket wss connection test. The result will be shown
2218 const base::string16 result
= watcher
.WaitAndGetTitle();
2219 EXPECT_TRUE(base::LowerCaseEqualsASCII(result
, "pass"));
2222 // Verifies that the interstitial can proceed, even if JavaScript is disabled.
2223 // http://crbug.com/322948
2224 #if defined(OS_LINUX)
2225 // flaky http://crbug.com/396458
2226 #define MAYBE_TestInterstitialJavaScriptProceeds \
2227 DISABLED_TestInterstitialJavaScriptProceeds
2229 #define MAYBE_TestInterstitialJavaScriptProceeds \
2230 TestInterstitialJavaScriptProceeds
2232 IN_PROC_BROWSER_TEST_F(SSLUITest
, MAYBE_TestInterstitialJavaScriptProceeds
) {
2233 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2234 CONTENT_SETTINGS_TYPE_JAVASCRIPT
, CONTENT_SETTING_BLOCK
);
2236 ASSERT_TRUE(https_server_expired_
.Start());
2237 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2238 ui_test_utils::NavigateToURL(browser(),
2239 https_server_expired_
.GetURL("files/ssl/google.html"));
2240 CheckAuthenticationBrokenState(
2241 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
2243 content::WindowedNotificationObserver
observer(
2244 content::NOTIFICATION_LOAD_STOP
,
2245 content::Source
<NavigationController
>(&tab
->GetController()));
2246 InterstitialPage
* interstitial_page
= tab
->GetInterstitialPage();
2247 ASSERT_EQ(SSLBlockingPage::kTypeForTesting
,
2248 interstitial_page
->GetDelegateForTesting()->GetTypeForTesting());
2249 content::RenderViewHost
* interstitial_rvh
=
2250 interstitial_page
->GetMainFrame()->GetRenderViewHost();
2252 std::string javascript
= base::StringPrintf(
2253 "window.domAutomationController.send(%d);",
2254 SecurityInterstitialPage::CMD_PROCEED
);
2255 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2256 interstitial_rvh
, javascript
, &result
));
2257 // The above will hang without the fix.
2258 EXPECT_EQ(1, result
);
2260 CheckAuthenticationBrokenState(
2261 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::NONE
);
2264 // Verifies that the interstitial can go back, even if JavaScript is disabled.
2265 // http://crbug.com/322948
2266 IN_PROC_BROWSER_TEST_F(SSLUITest
, TestInterstitialJavaScriptGoesBack
) {
2267 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2268 CONTENT_SETTINGS_TYPE_JAVASCRIPT
, CONTENT_SETTING_BLOCK
);
2270 ASSERT_TRUE(https_server_expired_
.Start());
2271 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2272 ui_test_utils::NavigateToURL(browser(),
2273 https_server_expired_
.GetURL("files/ssl/google.html"));
2274 CheckAuthenticationBrokenState(
2275 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
2277 content::WindowedNotificationObserver
observer(
2278 content::NOTIFICATION_RENDER_WIDGET_HOST_DESTROYED
,
2279 content::NotificationService::AllSources());
2280 InterstitialPage
* interstitial_page
= tab
->GetInterstitialPage();
2281 ASSERT_EQ(SSLBlockingPage::kTypeForTesting
,
2282 interstitial_page
->GetDelegateForTesting()->GetTypeForTesting());
2283 content::RenderViewHost
* interstitial_rvh
=
2284 interstitial_page
->GetMainFrame()->GetRenderViewHost();
2286 std::string javascript
= base::StringPrintf(
2287 "window.domAutomationController.send(%d);",
2288 SecurityInterstitialPage::CMD_DONT_PROCEED
);
2289 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2290 interstitial_rvh
, javascript
, &result
));
2291 // The above will hang without the fix.
2292 EXPECT_EQ(0, result
);
2294 EXPECT_EQ("about:blank", tab
->GetVisibleURL().spec());
2297 // Verifies that switching tabs, while showing interstitial page, will not
2298 // affect the visibility of the interestitial.
2299 // https://crbug.com/381439
2300 IN_PROC_BROWSER_TEST_F(SSLUITest
, InterstitialNotAffectedByHideShow
) {
2301 ASSERT_TRUE(https_server_expired_
.Start());
2302 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2303 EXPECT_TRUE(tab
->GetRenderWidgetHostView()->IsShowing());
2304 ui_test_utils::NavigateToURL(
2305 browser(), https_server_expired_
.GetURL("files/ssl/google.html"));
2306 CheckAuthenticationBrokenState(
2307 tab
, net::CERT_STATUS_DATE_INVALID
, AuthState::SHOWING_INTERSTITIAL
);
2308 EXPECT_TRUE(tab
->GetRenderWidgetHostView()->IsShowing());
2311 https_server_
.GetURL("files/ssl/google.html"),
2312 ui::PAGE_TRANSITION_TYPED
);
2313 EXPECT_EQ(2, browser()->tab_strip_model()->count());
2314 EXPECT_EQ(0, browser()->tab_strip_model()->active_index());
2315 EXPECT_EQ(tab
, browser()->tab_strip_model()->GetWebContentsAt(1));
2316 EXPECT_FALSE(tab
->GetRenderWidgetHostView()->IsShowing());
2318 browser()->tab_strip_model()->ActivateTabAt(1, true);
2319 EXPECT_TRUE(tab
->GetRenderWidgetHostView()->IsShowing());
2322 // Verifies that if a bad certificate is seen for a host and the user proceeds
2323 // through the interstitial, the decision to proceed is initially remembered.
2324 // However, if this is followed by another visit, and a good certificate
2325 // is seen for the same host, the original exception is forgotten.
2326 IN_PROC_BROWSER_TEST_F(SSLUITest
, BadCertFollowedByGoodCert
) {
2327 // It is necessary to use |https_server_expired_| rather than
2328 // |https_server_mismatched| because the former shares a host with
2329 // |https_server_| and cert exceptions are per host.
2330 ASSERT_TRUE(https_server_expired_
.Start());
2331 ASSERT_TRUE(https_server_
.Start());
2333 std::string https_server_expired_host
=
2334 https_server_
.GetURL("files/ssl/google.html").host();
2335 std::string https_server_host
=
2336 https_server_
.GetURL("files/ssl/google.html").host();
2337 ASSERT_EQ(https_server_expired_host
, https_server_host
);
2339 WebContents
* tab
= browser()->tab_strip_model()->GetActiveWebContents();
2341 Profile
* profile
= Profile::FromBrowserContext(tab
->GetBrowserContext());
2342 ChromeSSLHostStateDelegate
* state
=
2343 reinterpret_cast<ChromeSSLHostStateDelegate
*>(
2344 profile
->GetSSLHostStateDelegate());
2346 ui_test_utils::NavigateToURL(
2347 browser(), https_server_expired_
.GetURL("files/ssl/google.html"));
2349 ProceedThroughInterstitial(tab
);
2350 EXPECT_TRUE(state
->HasAllowException(https_server_host
));
2352 ui_test_utils::NavigateToURL(browser(),
2353 https_server_
.GetURL("files/ssl/google.html"));
2354 ASSERT_FALSE(tab
->GetInterstitialPage());
2355 EXPECT_FALSE(state
->HasAllowException(https_server_host
));
2358 class CommonNameMismatchBrowserTest
: public CertVerifierBrowserTest
{
2360 CommonNameMismatchBrowserTest() : CertVerifierBrowserTest() {}
2361 ~CommonNameMismatchBrowserTest() override
{}
2363 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
2364 // Enable finch experiment for SSL common name mismatch handling.
2365 command_line
->AppendSwitchASCII(switches::kForceFieldTrials
,
2366 "SSLCommonNameMismatchHandling/Enabled/");
2370 // Visit the URL www.mail.example.com on a server that presents a valid
2371 // certificate for mail.example.com. Verify that the page navigates to
2372 // mail.example.com.
2373 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest
,
2374 ShouldShowWWWSubdomainMismatchInterstitial
) {
2375 net::SpawnedTestServer
https_server_example_domain_(
2376 net::SpawnedTestServer::TYPE_HTTPS
,
2377 net::SpawnedTestServer::SSLOptions(
2378 net::SpawnedTestServer::SSLOptions::CERT_OK
),
2379 base::FilePath(kDocRoot
));
2380 ASSERT_TRUE(https_server_example_domain_
.Start());
2382 host_resolver()->AddRule(
2383 "mail.example.com", https_server_example_domain_
.host_port_pair().host());
2384 host_resolver()->AddRule(
2385 "www.mail.example.com",
2386 https_server_example_domain_
.host_port_pair().host());
2388 scoped_refptr
<net::X509Certificate
> cert
=
2389 https_server_example_domain_
.GetCertificate();
2391 // Use the "spdy_pooling.pem" cert which has "mail.example.com"
2392 // as one of its SANs.
2393 net::CertVerifyResult verify_result
;
2394 verify_result
.verified_cert
=
2395 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2396 verify_result
.cert_status
= net::CERT_STATUS_COMMON_NAME_INVALID
;
2398 // Request to "www.mail.example.com" should result in
2399 // |net::ERR_CERT_COMMON_NAME_INVALID| error.
2400 mock_cert_verifier()->AddResultForCertAndHost(
2401 cert
.get(), "www.mail.example.com", verify_result
,
2402 net::ERR_CERT_COMMON_NAME_INVALID
);
2404 net::CertVerifyResult verify_result_valid
;
2405 verify_result_valid
.verified_cert
=
2406 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2407 // Request to "www.mail.example.com" should not result in any error.
2408 mock_cert_verifier()->AddResultForCertAndHost(cert
.get(), "mail.example.com",
2409 verify_result_valid
, net::OK
);
2411 // Use a complex URL to ensure the path, etc., are preserved. The path itself
2413 GURL https_server_url
=
2414 https_server_example_domain_
.GetURL("files/ssl/google.html?a=b#anchor");
2415 GURL::Replacements replacements
;
2416 replacements
.SetHostStr("www.mail.example.com");
2417 GURL https_server_mismatched_url
=
2418 https_server_url
.ReplaceComponents(replacements
);
2420 WebContents
* contents
= browser()->tab_strip_model()->GetActiveWebContents();
2421 content::TestNavigationObserver
observer(contents
, 2);
2422 ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url
);
2425 CheckSecurityState(contents
, CertError::NONE
,
2426 content::SECURITY_STYLE_AUTHENTICATED
, AuthState::NONE
);
2427 replacements
.SetHostStr("mail.example.com");
2428 GURL https_server_new_url
= https_server_url
.ReplaceComponents(replacements
);
2429 // Verify that the current URL is the suggested URL.
2430 EXPECT_EQ(https_server_new_url
.spec(),
2431 contents
->GetLastCommittedURL().spec());
2434 // Visit the URL example.org on a server that presents a valid certificate
2435 // for www.example.org. Verify that the page redirects to www.example.org.
2436 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest
,
2437 CheckWWWSubdomainMismatchInverse
) {
2438 net::SpawnedTestServer
https_server_example_domain_(
2439 net::SpawnedTestServer::TYPE_HTTPS
,
2440 net::SpawnedTestServer::SSLOptions(
2441 net::SpawnedTestServer::SSLOptions::CERT_OK
),
2442 base::FilePath(kDocRoot
));
2443 ASSERT_TRUE(https_server_example_domain_
.Start());
2445 host_resolver()->AddRule(
2446 "www.example.org", https_server_example_domain_
.host_port_pair().host());
2447 host_resolver()->AddRule(
2448 "example.org", https_server_example_domain_
.host_port_pair().host());
2450 scoped_refptr
<net::X509Certificate
> cert
=
2451 https_server_example_domain_
.GetCertificate();
2453 net::CertVerifyResult verify_result
;
2454 verify_result
.verified_cert
=
2455 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2456 verify_result
.cert_status
= net::CERT_STATUS_COMMON_NAME_INVALID
;
2458 mock_cert_verifier()->AddResultForCertAndHost(
2459 cert
.get(), "example.org", verify_result
,
2460 net::ERR_CERT_COMMON_NAME_INVALID
);
2462 net::CertVerifyResult verify_result_valid
;
2463 verify_result_valid
.verified_cert
=
2464 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2465 mock_cert_verifier()->AddResultForCertAndHost(cert
.get(), "www.example.org",
2466 verify_result_valid
, net::OK
);
2468 GURL https_server_url
=
2469 https_server_example_domain_
.GetURL("files/ssl/google.html?a=b");
2470 GURL::Replacements replacements
;
2471 replacements
.SetHostStr("example.org");
2472 GURL https_server_mismatched_url
=
2473 https_server_url
.ReplaceComponents(replacements
);
2475 WebContents
* contents
= browser()->tab_strip_model()->GetActiveWebContents();
2476 content::TestNavigationObserver
observer(contents
, 2);
2477 ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url
);
2480 CheckSecurityState(contents
, CertError::NONE
,
2481 content::SECURITY_STYLE_AUTHENTICATED
, AuthState::NONE
);
2484 // Tests this scenario:
2485 // - |CommonNameMismatchHandler| does not give a callback as it's set into the
2486 // state |IGNORE_REQUESTS_FOR_TESTING|. So no suggested URL check result can
2488 // - A cert error triggers an interstitial timer with a very long timeout.
2489 // - No suggested URL check results arrive, causing the tab to appear as loading
2490 // indefinitely (also because the timer has a long timeout).
2491 // - Stopping the page load shouldn't result in any interstitials.
2492 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest
,
2493 InterstitialStopNavigationWhileLoading
) {
2494 net::SpawnedTestServer
https_server_example_domain_(
2495 net::SpawnedTestServer::TYPE_HTTPS
,
2496 net::SpawnedTestServer::SSLOptions(
2497 net::SpawnedTestServer::SSLOptions::CERT_OK
),
2498 base::FilePath(kDocRoot
));
2499 ASSERT_TRUE(https_server_example_domain_
.Start());
2501 host_resolver()->AddRule(
2502 "mail.example.com", https_server_example_domain_
.host_port_pair().host());
2503 host_resolver()->AddRule(
2504 "www.mail.example.com",
2505 https_server_example_domain_
.host_port_pair().host());
2507 scoped_refptr
<net::X509Certificate
> cert
=
2508 https_server_example_domain_
.GetCertificate();
2510 net::CertVerifyResult verify_result
;
2511 verify_result
.verified_cert
=
2512 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2513 verify_result
.cert_status
= net::CERT_STATUS_COMMON_NAME_INVALID
;
2515 mock_cert_verifier()->AddResultForCertAndHost(
2516 cert
.get(), "www.mail.example.com", verify_result
,
2517 net::ERR_CERT_COMMON_NAME_INVALID
);
2519 net::CertVerifyResult verify_result_valid
;
2520 verify_result_valid
.verified_cert
=
2521 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2522 mock_cert_verifier()->AddResultForCertAndHost(cert
.get(), "mail.example.com",
2523 verify_result_valid
, net::OK
);
2525 GURL https_server_url
=
2526 https_server_example_domain_
.GetURL("files/ssl/google.html?a=b");
2527 GURL::Replacements replacements
;
2528 replacements
.SetHostStr("www.mail.example.com");
2529 GURL https_server_mismatched_url
=
2530 https_server_url
.ReplaceComponents(replacements
);
2532 WebContents
* contents
= browser()->tab_strip_model()->GetActiveWebContents();
2533 CommonNameMismatchHandler::set_state_for_testing(
2534 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING
);
2535 // Set delay long enough so that the page appears loading.
2536 SSLErrorHandler::SetInterstitialDelayForTest(base::TimeDelta::FromHours(1));
2537 SSLInterstitialTimerObserver
interstitial_timer_observer(contents
);
2539 ui_test_utils::NavigateToURLWithDisposition(
2540 browser(), https_server_mismatched_url
, CURRENT_TAB
,
2541 ui_test_utils::BROWSER_TEST_NONE
);
2542 interstitial_timer_observer
.WaitForTimerStarted();
2544 EXPECT_TRUE(contents
->IsLoading());
2545 content::WindowedNotificationObserver
observer(
2546 content::NOTIFICATION_LOAD_STOP
,
2547 content::NotificationService::AllSources());
2551 SSLErrorHandler
* ssl_error_handler
=
2552 SSLErrorHandler::FromWebContents(contents
);
2553 // Make sure that the |SSLErrorHandler| is deleted.
2554 EXPECT_FALSE(ssl_error_handler
);
2555 EXPECT_FALSE(contents
->ShowingInterstitialPage());
2556 EXPECT_FALSE(contents
->IsLoading());
2559 // Same as above, but instead of stopping, the loading page is reloaded. The end
2560 // result is the same. (i.e. page load stops, no interstitials shown)
2561 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest
,
2562 InterstitialReloadNavigationWhileLoading
) {
2563 net::SpawnedTestServer
https_server_example_domain_(
2564 net::SpawnedTestServer::TYPE_HTTPS
,
2565 net::SpawnedTestServer::SSLOptions(
2566 net::SpawnedTestServer::SSLOptions::CERT_OK
),
2567 base::FilePath(kDocRoot
));
2568 ASSERT_TRUE(https_server_example_domain_
.Start());
2570 host_resolver()->AddRule(
2571 "mail.example.com", https_server_example_domain_
.host_port_pair().host());
2572 host_resolver()->AddRule(
2573 "www.mail.example.com",
2574 https_server_example_domain_
.host_port_pair().host());
2576 scoped_refptr
<net::X509Certificate
> cert
=
2577 https_server_example_domain_
.GetCertificate();
2579 net::CertVerifyResult verify_result
;
2580 verify_result
.verified_cert
=
2581 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2582 verify_result
.cert_status
= net::CERT_STATUS_COMMON_NAME_INVALID
;
2584 mock_cert_verifier()->AddResultForCertAndHost(
2585 cert
.get(), "www.mail.example.com", verify_result
,
2586 net::ERR_CERT_COMMON_NAME_INVALID
);
2588 net::CertVerifyResult verify_result_valid
;
2589 verify_result_valid
.verified_cert
=
2590 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2591 mock_cert_verifier()->AddResultForCertAndHost(cert
.get(), "mail.example.com",
2592 verify_result_valid
, net::OK
);
2594 GURL https_server_url
=
2595 https_server_example_domain_
.GetURL("files/ssl/google.html?a=b");
2596 GURL::Replacements replacements
;
2597 replacements
.SetHostStr("www.mail.example.com");
2598 GURL https_server_mismatched_url
=
2599 https_server_url
.ReplaceComponents(replacements
);
2601 WebContents
* contents
= browser()->tab_strip_model()->GetActiveWebContents();
2602 CommonNameMismatchHandler::set_state_for_testing(
2603 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING
);
2604 // Set delay long enough so that the page appears loading.
2605 SSLErrorHandler::SetInterstitialDelayForTest(base::TimeDelta::FromHours(1));
2606 SSLInterstitialTimerObserver
interstitial_timer_observer(contents
);
2608 ui_test_utils::NavigateToURLWithDisposition(
2609 browser(), https_server_mismatched_url
, CURRENT_TAB
,
2610 ui_test_utils::BROWSER_TEST_NONE
);
2611 interstitial_timer_observer
.WaitForTimerStarted();
2613 EXPECT_TRUE(contents
->IsLoading());
2614 content::TestNavigationObserver
observer(contents
, 1);
2615 chrome::Reload(browser(), CURRENT_TAB
);
2618 SSLErrorHandler
* ssl_error_handler
=
2619 SSLErrorHandler::FromWebContents(contents
);
2620 // Make sure that the |SSLErrorHandler| is deleted.
2621 EXPECT_FALSE(ssl_error_handler
);
2622 EXPECT_FALSE(contents
->ShowingInterstitialPage());
2623 EXPECT_FALSE(contents
->IsLoading());
2626 // Same as above, but instead of reloading, the page is navigated away. The
2627 // new page should load, and no interstitials should be shown.
2628 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest
,
2629 InterstitialNavigateAwayWhileLoading
) {
2630 net::SpawnedTestServer
https_server_example_domain_(
2631 net::SpawnedTestServer::TYPE_HTTPS
,
2632 net::SpawnedTestServer::SSLOptions(
2633 net::SpawnedTestServer::SSLOptions::CERT_OK
),
2634 base::FilePath(kDocRoot
));
2635 ASSERT_TRUE(https_server_example_domain_
.Start());
2637 host_resolver()->AddRule(
2638 "mail.example.com", https_server_example_domain_
.host_port_pair().host());
2639 host_resolver()->AddRule(
2640 "www.mail.example.com",
2641 https_server_example_domain_
.host_port_pair().host());
2643 scoped_refptr
<net::X509Certificate
> cert
=
2644 https_server_example_domain_
.GetCertificate();
2646 net::CertVerifyResult verify_result
;
2647 verify_result
.verified_cert
=
2648 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2649 verify_result
.cert_status
= net::CERT_STATUS_COMMON_NAME_INVALID
;
2651 mock_cert_verifier()->AddResultForCertAndHost(
2652 cert
.get(), "www.mail.example.com", verify_result
,
2653 net::ERR_CERT_COMMON_NAME_INVALID
);
2655 net::CertVerifyResult verify_result_valid
;
2656 verify_result_valid
.verified_cert
=
2657 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2658 mock_cert_verifier()->AddResultForCertAndHost(cert
.get(), "mail.example.com",
2659 verify_result_valid
, net::OK
);
2661 GURL https_server_url
=
2662 https_server_example_domain_
.GetURL("files/ssl/google.html?a=b");
2663 GURL::Replacements replacements
;
2664 replacements
.SetHostStr("www.mail.example.com");
2665 GURL https_server_mismatched_url
=
2666 https_server_url
.ReplaceComponents(replacements
);
2668 WebContents
* contents
= browser()->tab_strip_model()->GetActiveWebContents();
2669 CommonNameMismatchHandler::set_state_for_testing(
2670 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING
);
2671 // Set delay long enough so that the page appears loading.
2672 SSLErrorHandler::SetInterstitialDelayForTest(base::TimeDelta::FromHours(1));
2673 SSLInterstitialTimerObserver
interstitial_timer_observer(contents
);
2675 ui_test_utils::NavigateToURLWithDisposition(
2676 browser(), https_server_mismatched_url
, CURRENT_TAB
,
2677 ui_test_utils::BROWSER_TEST_NONE
);
2678 interstitial_timer_observer
.WaitForTimerStarted();
2680 EXPECT_TRUE(contents
->IsLoading());
2681 content::TestNavigationObserver
observer(contents
, 1);
2682 browser()->OpenURL(content::OpenURLParams(GURL("https://google.com"),
2683 content::Referrer(), CURRENT_TAB
,
2684 ui::PAGE_TRANSITION_TYPED
, false));
2687 SSLErrorHandler
* ssl_error_handler
=
2688 SSLErrorHandler::FromWebContents(contents
);
2689 // Make sure that the |SSLErrorHandler| is deleted.
2690 EXPECT_FALSE(ssl_error_handler
);
2691 EXPECT_FALSE(contents
->ShowingInterstitialPage());
2692 EXPECT_FALSE(contents
->IsLoading());
2695 class SSLBlockingPageIDNTest
: public SecurityInterstitialIDNTest
{
2697 // SecurityInterstitialIDNTest implementation
2698 SecurityInterstitialPage
* CreateInterstitial(
2699 content::WebContents
* contents
,
2700 const GURL
& request_url
) const override
{
2701 net::SSLInfo ssl_info
;
2702 ssl_info
.cert
= new net::X509Certificate(
2703 request_url
.host(), "CA", base::Time::Max(), base::Time::Max());
2704 return new SSLBlockingPage(
2705 contents
, net::ERR_CERT_CONTAINS_ERRORS
, ssl_info
, request_url
, 0,
2706 base::Time::NowFromSystemTime(), nullptr, base::Callback
<void(bool)>());
2710 IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest
, SSLBlockingPageDecodesIDN
) {
2711 EXPECT_TRUE(VerifyIDNDecoded());
2714 IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest
, MockCertVerifierSmokeTest
) {
2715 net::SpawnedTestServer
https_server(
2716 net::SpawnedTestServer::TYPE_HTTPS
,
2717 net::SpawnedTestServer::SSLOptions(
2718 net::SpawnedTestServer::SSLOptions::CERT_OK
),
2719 base::FilePath(kDocRoot
));
2720 ASSERT_TRUE(https_server
.Start());
2722 mock_cert_verifier()->set_default_result(
2723 net::ERR_CERT_NAME_CONSTRAINT_VIOLATION
);
2725 ui_test_utils::NavigateToURL(browser(),
2726 https_server
.GetURL("files/ssl/google.html"));
2728 CheckSecurityState(browser()->tab_strip_model()->GetActiveWebContents(),
2729 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION
,
2730 content::SECURITY_STYLE_AUTHENTICATION_BROKEN
,
2731 AuthState::SHOWING_INTERSTITIAL
);
2734 // TODO(jcampan): more tests to do below.
2736 // Visit a page over https that contains a frame with a redirect.
2738 // XMLHttpRequest insecure content in synchronous mode.
2740 // XMLHttpRequest insecure content in asynchronous mode.
2742 // XMLHttpRequest over bad ssl in synchronous mode.
2744 // XMLHttpRequest over OK ssl in synchronous mode.