Only grant permissions to new extensions from sync if they have the expected version
[chromium-blink-merge.git] / chrome / browser / ssl / ssl_browser_tests.cc
blobbe0c1bbc6854a70aaf0d626bffba6840eb8bdebc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/bind.h"
6 #include "base/bind_helpers.h"
7 #include "base/callback.h"
8 #include "base/command_line.h"
9 #include "base/location.h"
10 #include "base/metrics/field_trial.h"
11 #include "base/prefs/pref_service.h"
12 #include "base/single_thread_task_runner.h"
13 #include "base/strings/string_util.h"
14 #include "base/strings/stringprintf.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/test/histogram_tester.h"
17 #include "base/test/simple_test_clock.h"
18 #include "base/thread_task_runner_handle.h"
19 #include "base/time/time.h"
20 #include "chrome/app/chrome_command_ids.h"
21 #include "chrome/browser/browser_process.h"
22 #include "chrome/browser/chrome_notification_types.h"
23 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
24 #include "chrome/browser/profiles/profile.h"
25 #include "chrome/browser/ssl/bad_clock_blocking_page.h"
26 #include "chrome/browser/ssl/cert_report_helper.h"
27 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
28 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
29 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
30 #include "chrome/browser/ssl/common_name_mismatch_handler.h"
31 #include "chrome/browser/ssl/connection_security.h"
32 #include "chrome/browser/ssl/ssl_blocking_page.h"
33 #include "chrome/browser/ssl/ssl_error_classification.h"
34 #include "chrome/browser/ssl/ssl_error_handler.h"
35 #include "chrome/browser/ui/browser.h"
36 #include "chrome/browser/ui/browser_commands.h"
37 #include "chrome/browser/ui/browser_navigator.h"
38 #include "chrome/browser/ui/browser_tabstrip.h"
39 #include "chrome/browser/ui/tabs/tab_strip_model.h"
40 #include "chrome/common/chrome_paths.h"
41 #include "chrome/common/chrome_switches.h"
42 #include "chrome/common/pref_names.h"
43 #include "chrome/test/base/in_process_browser_test.h"
44 #include "chrome/test/base/ui_test_utils.h"
45 #include "components/content_settings/core/browser/host_content_settings_map.h"
46 #include "components/security_interstitials/core/metrics_helper.h"
47 #include "components/variations/variations_associated_data.h"
48 #include "components/web_modal/web_contents_modal_dialog_manager.h"
49 #include "content/public/browser/browser_context.h"
50 #include "content/public/browser/interstitial_page.h"
51 #include "content/public/browser/navigation_controller.h"
52 #include "content/public/browser/navigation_entry.h"
53 #include "content/public/browser/notification_service.h"
54 #include "content/public/browser/render_frame_host.h"
55 #include "content/public/browser/render_view_host.h"
56 #include "content/public/browser/render_widget_host_view.h"
57 #include "content/public/browser/web_contents.h"
58 #include "content/public/browser/web_contents_observer.h"
59 #include "content/public/common/security_style.h"
60 #include "content/public/common/ssl_status.h"
61 #include "content/public/test/browser_test_utils.h"
62 #include "content/public/test/download_test_observer.h"
63 #include "content/public/test/test_navigation_observer.h"
64 #include "content/public/test/test_renderer_host.h"
65 #include "net/base/host_port_pair.h"
66 #include "net/base/net_errors.h"
67 #include "net/base/test_data_directory.h"
68 #include "net/cert/cert_status_flags.h"
69 #include "net/cert/mock_cert_verifier.h"
70 #include "net/cert/x509_certificate.h"
71 #include "net/dns/mock_host_resolver.h"
72 #include "net/ssl/ssl_info.h"
73 #include "net/test/cert_test_util.h"
74 #include "net/test/spawned_test_server/spawned_test_server.h"
75 #include "net/test/test_certificate_data.h"
76 #include "net/url_request/url_request_context.h"
78 #if defined(USE_NSS_CERTS)
79 #include "chrome/browser/net/nss_context.h"
80 #include "net/base/crypto_module.h"
81 #include "net/cert/nss_cert_database.h"
82 #endif // defined(USE_NSS_CERTS)
84 using base::ASCIIToUTF16;
85 using chrome_browser_interstitials::SecurityInterstitialIDNTest;
86 using content::InterstitialPage;
87 using content::NavigationController;
88 using content::NavigationEntry;
89 using content::SSLStatus;
90 using content::WebContents;
91 using web_modal::WebContentsModalDialogManager;
93 const base::FilePath::CharType kDocRoot[] =
94 FILE_PATH_LITERAL("chrome/test/data");
96 namespace {
98 enum ProceedDecision {
99 SSL_INTERSTITIAL_PROCEED,
100 SSL_INTERSTITIAL_DO_NOT_PROCEED
103 class ProvisionalLoadWaiter : public content::WebContentsObserver {
104 public:
105 explicit ProvisionalLoadWaiter(WebContents* tab)
106 : WebContentsObserver(tab), waiting_(false), seen_(false) {}
108 void Wait() {
109 if (seen_)
110 return;
112 waiting_ = true;
113 content::RunMessageLoop();
116 void DidFailProvisionalLoad(
117 content::RenderFrameHost* render_frame_host,
118 const GURL& validated_url,
119 int error_code,
120 const base::string16& error_description,
121 bool was_ignored_by_handler) override {
122 seen_ = true;
123 if (waiting_)
124 base::MessageLoopForUI::current()->Quit();
127 private:
128 bool waiting_;
129 bool seen_;
132 namespace AuthState {
134 enum AuthStateFlags {
135 NONE = 0,
136 DISPLAYED_INSECURE_CONTENT = 1 << 0,
137 RAN_INSECURE_CONTENT = 1 << 1,
138 SHOWING_INTERSTITIAL = 1 << 2,
139 SHOWING_ERROR = 1 << 3
142 void Check(const NavigationEntry& entry, int expected_authentication_state) {
143 if (expected_authentication_state == AuthState::SHOWING_ERROR) {
144 EXPECT_EQ(content::PAGE_TYPE_ERROR, entry.GetPageType());
145 } else {
146 EXPECT_EQ(
147 !!(expected_authentication_state & AuthState::SHOWING_INTERSTITIAL)
148 ? content::PAGE_TYPE_INTERSTITIAL
149 : content::PAGE_TYPE_NORMAL,
150 entry.GetPageType());
153 bool displayed_insecure_content =
154 !!(entry.GetSSL().content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT);
155 EXPECT_EQ(
156 !!(expected_authentication_state & AuthState::DISPLAYED_INSECURE_CONTENT),
157 displayed_insecure_content);
159 bool ran_insecure_content =
160 !!(entry.GetSSL().content_status & SSLStatus::RAN_INSECURE_CONTENT);
161 EXPECT_EQ(!!(expected_authentication_state & AuthState::RAN_INSECURE_CONTENT),
162 ran_insecure_content);
165 } // namespace AuthState
167 namespace SecurityStyle {
169 void Check(const NavigationEntry& entry,
170 content::SecurityStyle expected_security_style) {
171 EXPECT_EQ(expected_security_style, entry.GetSSL().security_style);
174 } // namespace SecurityStyle
176 namespace CertError {
178 enum CertErrorFlags {
179 NONE = 0
182 void Check(const NavigationEntry& entry, net::CertStatus error) {
183 if (error) {
184 EXPECT_EQ(error, entry.GetSSL().cert_status & error);
185 net::CertStatus extra_cert_errors =
186 error ^ (entry.GetSSL().cert_status & net::CERT_STATUS_ALL_ERRORS);
187 if (extra_cert_errors)
188 LOG(WARNING) << "Got unexpected cert error: " << extra_cert_errors;
189 } else {
190 EXPECT_EQ(0U, entry.GetSSL().cert_status & net::CERT_STATUS_ALL_ERRORS);
194 } // namespace CertError
196 void CheckSecurityState(WebContents* tab,
197 net::CertStatus error,
198 content::SecurityStyle expected_security_style,
199 int expected_authentication_state) {
200 ASSERT_FALSE(tab->IsCrashed());
201 NavigationEntry* entry = tab->GetController().GetActiveEntry();
202 ASSERT_TRUE(entry);
203 CertError::Check(*entry, error);
204 SecurityStyle::Check(*entry, expected_security_style);
205 AuthState::Check(*entry, expected_authentication_state);
208 // This observer waits for the SSLErrorHandler to start an interstitial timer
209 // for the given web contents.
210 class SSLInterstitialTimerObserver {
211 public:
212 explicit SSLInterstitialTimerObserver(content::WebContents* web_contents)
213 : web_contents_(web_contents), message_loop_runner_(new base::RunLoop) {
214 callback_ = base::Bind(&SSLInterstitialTimerObserver::OnTimerStarted,
215 base::Unretained(this));
216 SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(&callback_);
219 ~SSLInterstitialTimerObserver() {
220 SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(nullptr);
223 // Waits until the interstitial delay timer in SSLErrorHandler is started.
224 void WaitForTimerStarted() { message_loop_runner_->Run(); }
226 private:
227 void OnTimerStarted(content::WebContents* web_contents) {
228 if (web_contents_ == web_contents)
229 message_loop_runner_->Quit();
232 const content::WebContents* web_contents_;
233 SSLErrorHandler::TimerStartedCallback callback_;
235 scoped_ptr<base::RunLoop> message_loop_runner_;
237 DISALLOW_COPY_AND_ASSIGN(SSLInterstitialTimerObserver);
240 } // namespace
242 class SSLUITest
243 : public certificate_reporting_test_utils::CertificateReportingTest {
244 public:
245 SSLUITest()
246 : https_server_(net::SpawnedTestServer::TYPE_HTTPS,
247 SSLOptions(SSLOptions::CERT_OK),
248 base::FilePath(kDocRoot)),
249 https_server_expired_(net::SpawnedTestServer::TYPE_HTTPS,
250 SSLOptions(SSLOptions::CERT_EXPIRED),
251 base::FilePath(kDocRoot)),
252 https_server_mismatched_(net::SpawnedTestServer::TYPE_HTTPS,
253 SSLOptions(SSLOptions::CERT_MISMATCHED_NAME),
254 base::FilePath(kDocRoot)),
255 wss_server_expired_(net::SpawnedTestServer::TYPE_WSS,
256 SSLOptions(SSLOptions::CERT_EXPIRED),
257 net::GetWebSocketTestDataDirectory()) {}
259 void SetUpCommandLine(base::CommandLine* command_line) override {
260 // Browser will both run and display insecure content.
261 command_line->AppendSwitch(switches::kAllowRunningInsecureContent);
262 // Use process-per-site so that navigating to a same-site page in a
263 // new tab will use the same process.
264 command_line->AppendSwitch(switches::kProcessPerSite);
267 void CheckAuthenticatedState(WebContents* tab,
268 int expected_authentication_state) {
269 CheckSecurityState(tab,
270 CertError::NONE,
271 content::SECURITY_STYLE_AUTHENTICATED,
272 expected_authentication_state);
275 void CheckUnauthenticatedState(WebContents* tab,
276 int expected_authentication_state) {
277 CheckSecurityState(tab,
278 CertError::NONE,
279 content::SECURITY_STYLE_UNAUTHENTICATED,
280 expected_authentication_state);
283 void CheckAuthenticationBrokenState(WebContents* tab,
284 net::CertStatus error,
285 int expected_authentication_state) {
286 CheckSecurityState(tab,
287 error,
288 content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
289 expected_authentication_state);
290 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION doesn't lower the security style
291 // to SECURITY_STYLE_AUTHENTICATION_BROKEN.
292 ASSERT_NE(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, error);
295 void CheckWorkerLoadResult(WebContents* tab, bool expected_load) {
296 // Workers are async and we don't have notifications for them passing
297 // messages since they do it between renderer and worker processes.
298 // So have a polling loop, check every 200ms, timeout at 30s.
299 const int kTimeoutMS = 200;
300 base::Time time_to_quit = base::Time::Now() +
301 base::TimeDelta::FromMilliseconds(30000);
303 while (base::Time::Now() < time_to_quit) {
304 bool worker_finished = false;
305 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
306 tab,
307 "window.domAutomationController.send(IsWorkerFinished());",
308 &worker_finished));
310 if (worker_finished)
311 break;
313 // Wait a bit.
314 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
315 FROM_HERE, base::MessageLoop::QuitClosure(),
316 base::TimeDelta::FromMilliseconds(kTimeoutMS));
317 content::RunMessageLoop();
320 bool actually_loaded_content = false;
321 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
322 tab,
323 "window.domAutomationController.send(IsContentLoaded());",
324 &actually_loaded_content));
325 EXPECT_EQ(expected_load, actually_loaded_content);
328 void ProceedThroughInterstitial(WebContents* tab) {
329 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
330 ASSERT_TRUE(interstitial_page);
331 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
332 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
333 content::WindowedNotificationObserver observer(
334 content::NOTIFICATION_LOAD_STOP,
335 content::Source<NavigationController>(&tab->GetController()));
336 interstitial_page->Proceed();
337 observer.Wait();
340 bool IsShowingWebContentsModalDialog() const {
341 return WebContentsModalDialogManager::FromWebContents(
342 browser()->tab_strip_model()->GetActiveWebContents())->
343 IsDialogActive();
346 static bool GetFilePathWithHostAndPortReplacement(
347 const std::string& original_file_path,
348 const net::HostPortPair& host_port_pair,
349 std::string* replacement_path) {
350 std::vector<net::SpawnedTestServer::StringPair> replacement_text;
351 replacement_text.push_back(
352 make_pair("REPLACE_WITH_HOST_AND_PORT", host_port_pair.ToString()));
353 return net::SpawnedTestServer::GetFilePathWithReplacements(
354 original_file_path, replacement_text, replacement_path);
357 static bool GetTopFramePath(const net::SpawnedTestServer& http_server,
358 const net::SpawnedTestServer& good_https_server,
359 const net::SpawnedTestServer& bad_https_server,
360 std::string* top_frame_path) {
361 // The "frame_left.html" page contained in the top_frame.html page contains
362 // <a href>'s to three different servers. This sets up all of the
363 // replacement text to work with test servers which listen on ephemeral
364 // ports.
365 GURL http_url = http_server.GetURL("files/ssl/google.html");
366 GURL good_https_url = good_https_server.GetURL("files/ssl/google.html");
367 GURL bad_https_url = bad_https_server.GetURL(
368 "files/ssl/bad_iframe.html");
370 std::vector<net::SpawnedTestServer::StringPair> replacement_text_frame_left;
371 replacement_text_frame_left.push_back(
372 make_pair("REPLACE_WITH_HTTP_PAGE", http_url.spec()));
373 replacement_text_frame_left.push_back(
374 make_pair("REPLACE_WITH_GOOD_HTTPS_PAGE", good_https_url.spec()));
375 replacement_text_frame_left.push_back(
376 make_pair("REPLACE_WITH_BAD_HTTPS_PAGE", bad_https_url.spec()));
377 std::string frame_left_path;
378 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
379 "frame_left.html",
380 replacement_text_frame_left,
381 &frame_left_path))
382 return false;
384 // Substitute the generated frame_left URL into the top_frame page.
385 std::vector<net::SpawnedTestServer::StringPair> replacement_text_top_frame;
386 replacement_text_top_frame.push_back(
387 make_pair("REPLACE_WITH_FRAME_LEFT_PATH", frame_left_path));
388 return net::SpawnedTestServer::GetFilePathWithReplacements(
389 "files/ssl/top_frame.html",
390 replacement_text_top_frame,
391 top_frame_path);
394 static bool GetPageWithUnsafeWorkerPath(
395 const net::SpawnedTestServer& https_server,
396 std::string* page_with_unsafe_worker_path) {
397 // Get the "imported.js" URL from the expired https server and
398 // substitute it into the unsafe_worker.js file.
399 GURL imported_js_url = https_server.GetURL("files/ssl/imported.js");
400 std::vector<net::SpawnedTestServer::StringPair>
401 replacement_text_for_unsafe_worker;
402 replacement_text_for_unsafe_worker.push_back(
403 make_pair("REPLACE_WITH_IMPORTED_JS_URL", imported_js_url.spec()));
404 std::string unsafe_worker_path;
405 if (!net::SpawnedTestServer::GetFilePathWithReplacements(
406 "unsafe_worker.js",
407 replacement_text_for_unsafe_worker,
408 &unsafe_worker_path))
409 return false;
411 // Now, substitute this into the page with unsafe worker.
412 std::vector<net::SpawnedTestServer::StringPair>
413 replacement_text_for_page_with_unsafe_worker;
414 replacement_text_for_page_with_unsafe_worker.push_back(
415 make_pair("REPLACE_WITH_UNSAFE_WORKER_PATH", unsafe_worker_path));
416 return net::SpawnedTestServer::GetFilePathWithReplacements(
417 "files/ssl/page_with_unsafe_worker.html",
418 replacement_text_for_page_with_unsafe_worker,
419 page_with_unsafe_worker_path);
422 // Helper function for testing invalid certificate chain reporting.
423 void TestBrokenHTTPSReporting(
424 certificate_reporting_test_utils::OptIn opt_in,
425 ProceedDecision proceed,
426 certificate_reporting_test_utils::ExpectReport expect_report,
427 Browser* browser) {
428 base::RunLoop run_loop;
429 ASSERT_TRUE(https_server_expired_.Start());
431 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
433 // Opt in to sending reports for invalid certificate chains.
434 certificate_reporting_test_utils::SetCertReportingOptIn(browser, opt_in);
436 ui_test_utils::NavigateToURL(browser, https_server_expired_.GetURL("/"));
438 WebContents* tab = browser->tab_strip_model()->GetActiveWebContents();
439 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
440 AuthState::SHOWING_INTERSTITIAL);
442 scoped_ptr<SSLCertReporter> ssl_cert_reporter =
443 certificate_reporting_test_utils::SetUpMockSSLCertReporter(
444 &run_loop, expect_report);
446 SSLBlockingPage* interstitial_page = static_cast<SSLBlockingPage*>(
447 tab->GetInterstitialPage()->GetDelegateForTesting());
448 interstitial_page->SetSSLCertReporterForTesting(ssl_cert_reporter.Pass());
450 EXPECT_EQ(std::string(), GetLatestHostnameReported());
452 // Leave the interstitial (either by proceeding or going back)
453 if (proceed == SSL_INTERSTITIAL_PROCEED) {
454 ProceedThroughInterstitial(tab);
455 } else {
456 // Click "Take me back"
457 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
458 ASSERT_TRUE(interstitial_page);
459 interstitial_page->DontProceed();
462 if (expect_report ==
463 certificate_reporting_test_utils::CERT_REPORT_EXPECTED) {
464 // Check that the mock reporter received a request to send a report.
465 run_loop.Run();
466 EXPECT_EQ(https_server_expired_.GetURL("/").host(),
467 GetLatestHostnameReported());
468 } else {
469 EXPECT_EQ(std::string(), GetLatestHostnameReported());
473 net::SpawnedTestServer https_server_;
474 net::SpawnedTestServer https_server_expired_;
475 net::SpawnedTestServer https_server_mismatched_;
476 net::SpawnedTestServer wss_server_expired_;
478 private:
479 typedef net::SpawnedTestServer::SSLOptions SSLOptions;
481 DISALLOW_COPY_AND_ASSIGN(SSLUITest);
484 class SSLUITestBlock : public SSLUITest {
485 public:
486 SSLUITestBlock() : SSLUITest() {}
488 // Browser will neither run nor display insecure content.
489 void SetUpCommandLine(base::CommandLine* command_line) override {
490 command_line->AppendSwitch(switches::kNoDisplayingInsecureContent);
494 class SSLUITestIgnoreCertErrors : public SSLUITest {
495 public:
496 SSLUITestIgnoreCertErrors() : SSLUITest() {}
498 void SetUpCommandLine(base::CommandLine* command_line) override {
499 // Browser will ignore certificate errors.
500 command_line->AppendSwitch(switches::kIgnoreCertificateErrors);
504 class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest {
505 public:
506 SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {}
508 void SetUpCommandLine(base::CommandLine* command_line) override {
509 // Browser will ignore certificate errors on localhost.
510 command_line->AppendSwitch(switches::kAllowInsecureLocalhost);
514 class SSLUITestWithExtendedReporting : public SSLUITest {
515 public:
516 SSLUITestWithExtendedReporting() : SSLUITest() {}
519 // Visits a regular page over http.
520 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTP) {
521 ASSERT_TRUE(test_server()->Start());
523 ui_test_utils::NavigateToURL(browser(),
524 test_server()->GetURL("files/ssl/google.html"));
526 CheckUnauthenticatedState(
527 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
530 // Visits a page over http which includes broken https resources (status should
531 // be OK).
532 // TODO(jcampan): test that bad HTTPS content is blocked (otherwise we'll give
533 // the secure cookies away!).
534 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPWithBrokenHTTPSResource) {
535 ASSERT_TRUE(test_server()->Start());
536 ASSERT_TRUE(https_server_expired_.Start());
538 std::string replacement_path;
539 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
540 "files/ssl/page_with_unsafe_contents.html",
541 https_server_expired_.host_port_pair(),
542 &replacement_path));
544 ui_test_utils::NavigateToURL(
545 browser(), test_server()->GetURL(replacement_path));
547 CheckUnauthenticatedState(
548 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
551 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSWithInsecureContent) {
552 ASSERT_TRUE(test_server()->Start());
553 ASSERT_TRUE(https_server_expired_.Start());
555 std::string replacement_path;
556 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
557 "files/ssl/page_displays_insecure_content.html",
558 test_server()->host_port_pair(),
559 &replacement_path));
561 ui_test_utils::NavigateToURL(browser(),
562 https_server_expired_.GetURL(replacement_path));
564 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
565 CheckAuthenticationBrokenState(
566 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
568 ProceedThroughInterstitial(tab);
570 CheckAuthenticationBrokenState(tab,
571 net::CERT_STATUS_DATE_INVALID,
572 AuthState::DISPLAYED_INSECURE_CONTENT);
575 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSMetricsReporting_Proceed) {
576 ASSERT_TRUE(https_server_expired_.Start());
577 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
578 base::HistogramTester histograms;
579 const std::string decision_histogram =
580 "interstitial.ssl_overridable.decision";
581 const std::string interaction_histogram =
582 "interstitial.ssl_overridable.interaction";
584 // Histograms should start off empty.
585 histograms.ExpectTotalCount(decision_histogram, 0);
586 histograms.ExpectTotalCount(interaction_histogram, 0);
588 // After navigating to the page, the totals should be set.
589 ui_test_utils::NavigateToURL(browser(), https_server_expired_.GetURL("/"));
590 content::WaitForInterstitialAttach(
591 browser()->tab_strip_model()->GetActiveWebContents());
592 histograms.ExpectTotalCount(decision_histogram, 1);
593 histograms.ExpectBucketCount(decision_histogram,
594 security_interstitials::MetricsHelper::SHOW, 1);
595 histograms.ExpectTotalCount(interaction_histogram, 1);
596 histograms.ExpectBucketCount(
597 interaction_histogram,
598 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
600 // Decision should be recorded.
601 ProceedThroughInterstitial(
602 browser()->tab_strip_model()->GetActiveWebContents());
603 histograms.ExpectTotalCount(decision_histogram, 2);
604 histograms.ExpectBucketCount(
605 decision_histogram, security_interstitials::MetricsHelper::PROCEED, 1);
606 histograms.ExpectTotalCount(interaction_histogram, 1);
607 histograms.ExpectBucketCount(
608 interaction_histogram,
609 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
612 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSMetricsReporting_DontProceed) {
613 ASSERT_TRUE(https_server_expired_.Start());
614 ASSERT_NO_FATAL_FAILURE(SetUpMockReporter());
615 base::HistogramTester histograms;
616 const std::string decision_histogram =
617 "interstitial.ssl_overridable.decision";
618 const std::string interaction_histogram =
619 "interstitial.ssl_overridable.interaction";
621 // Histograms should start off empty.
622 histograms.ExpectTotalCount(decision_histogram, 0);
623 histograms.ExpectTotalCount(interaction_histogram, 0);
625 // After navigating to the page, the totals should be set.
626 ui_test_utils::NavigateToURL(browser(), https_server_expired_.GetURL("/"));
627 content::WaitForInterstitialAttach(
628 browser()->tab_strip_model()->GetActiveWebContents());
629 histograms.ExpectTotalCount(decision_histogram, 1);
630 histograms.ExpectBucketCount(decision_histogram,
631 security_interstitials::MetricsHelper::SHOW, 1);
632 histograms.ExpectTotalCount(interaction_histogram, 1);
633 histograms.ExpectBucketCount(
634 interaction_histogram,
635 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
637 // Decision should be recorded.
638 InterstitialPage* interstitial_page = browser()
639 ->tab_strip_model()
640 ->GetActiveWebContents()
641 ->GetInterstitialPage();
642 interstitial_page->DontProceed();
643 histograms.ExpectTotalCount(decision_histogram, 2);
644 histograms.ExpectBucketCount(
645 decision_histogram, security_interstitials::MetricsHelper::DONT_PROCEED,
647 histograms.ExpectTotalCount(interaction_histogram, 1);
648 histograms.ExpectBucketCount(
649 interaction_histogram,
650 security_interstitials::MetricsHelper::TOTAL_VISITS, 1);
653 // http://crbug.com/91745
654 #if defined(OS_CHROMEOS)
655 #define MAYBE_TestOKHTTPS DISABLED_TestOKHTTPS
656 #else
657 #define MAYBE_TestOKHTTPS TestOKHTTPS
658 #endif
660 // Visits a page over OK https:
661 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestOKHTTPS) {
662 ASSERT_TRUE(https_server_.Start());
664 ui_test_utils::NavigateToURL(browser(),
665 https_server_.GetURL("files/ssl/google.html"));
667 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
668 AuthState::NONE);
671 // Visits a page with https error and proceed:
672 #if defined(OS_LINUX)
673 // flaky http://crbug.com/396462
674 #define MAYBE_TestHTTPSExpiredCertAndProceed \
675 DISABLED_TestHTTPSExpiredCertAndProceed
676 #else
677 #define MAYBE_TestHTTPSExpiredCertAndProceed TestHTTPSExpiredCertAndProceed
678 #endif
679 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSExpiredCertAndProceed) {
680 ASSERT_TRUE(https_server_expired_.Start());
682 ui_test_utils::NavigateToURL(browser(),
683 https_server_expired_.GetURL("files/ssl/google.html"));
685 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
686 CheckAuthenticationBrokenState(
687 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
689 ProceedThroughInterstitial(tab);
691 CheckAuthenticationBrokenState(
692 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
695 #ifndef NEDBUG
696 // Flaky on Windows debug (http://crbug.com/280537).
697 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
698 DISABLED_TestHTTPSExpiredCertAndDontProceed
699 #else
700 #define MAYBE_TestHTTPSExpiredCertAndDontProceed \
701 TestHTTPSExpiredCertAndDontProceed
702 #endif
704 // Visits a page with https error and don't proceed (and ensure we can still
705 // navigate at that point):
706 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSExpiredCertAndDontProceed) {
707 ASSERT_TRUE(test_server()->Start());
708 ASSERT_TRUE(https_server_.Start());
709 ASSERT_TRUE(https_server_expired_.Start());
711 // First navigate to an OK page.
712 ui_test_utils::NavigateToURL(browser(),
713 https_server_.GetURL("files/ssl/google.html"));
715 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
716 NavigationEntry* entry = tab->GetController().GetActiveEntry();
717 ASSERT_TRUE(entry);
719 GURL cross_site_url =
720 https_server_expired_.GetURL("files/ssl/google.html");
721 // Change the host name from 127.0.0.1 to localhost so it triggers a
722 // cross-site navigation so we can test http://crbug.com/5800 is gone.
723 ASSERT_EQ("127.0.0.1", cross_site_url.host());
724 GURL::Replacements replacements;
725 replacements.SetHostStr("localhost");
726 cross_site_url = cross_site_url.ReplaceComponents(replacements);
728 // Now go to a bad HTTPS page.
729 ui_test_utils::NavigateToURL(browser(), cross_site_url);
731 // An interstitial should be showing.
732 CheckAuthenticationBrokenState(tab,
733 net::CERT_STATUS_COMMON_NAME_INVALID,
734 AuthState::SHOWING_INTERSTITIAL);
736 // Simulate user clicking "Take me back".
737 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
738 ASSERT_TRUE(interstitial_page);
739 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
740 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
741 interstitial_page->DontProceed();
743 // We should be back to the original good page.
744 CheckAuthenticatedState(tab, AuthState::NONE);
746 // Try to navigate to a new page. (to make sure bug 5800 is fixed).
747 ui_test_utils::NavigateToURL(browser(),
748 test_server()->GetURL("files/ssl/google.html"));
749 CheckUnauthenticatedState(tab, AuthState::NONE);
752 // Test that localhost pages don't show an interstitial.
753 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreLocalhostCertErrors,
754 TestNoInterstitialOnLocalhost) {
755 ASSERT_TRUE(https_server_.Start());
757 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
759 // Navigate to a localhost page.
760 GURL url = https_server_.GetURL("files/ssl/page_with_subresource.html");
761 GURL::Replacements replacements;
762 std::string new_host("localhost");
763 replacements.SetHostStr(new_host);
764 url = url.ReplaceComponents(replacements);
766 ui_test_utils::NavigateToURL(browser(), url);
768 // We should see no interstitial, but we should have an error
769 // (red-crossed-out-https) in the URL bar.
770 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
771 AuthState::NONE);
773 // We should see that the script tag in the page loaded and ran (and
774 // wasn't blocked by the certificate error).
775 base::string16 title;
776 base::string16 expected_title = base::ASCIIToUTF16("This script has loaded");
777 ui_test_utils::GetCurrentTabTitle(browser(), &title);
778 EXPECT_EQ(title, expected_title);
781 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPSErrorCausedByClock) {
782 ASSERT_TRUE(https_server_expired_.Start());
784 // Set up the build and current clock times to be more than a year apart.
785 scoped_ptr<base::SimpleTestClock> mock_clock(new base::SimpleTestClock());
786 mock_clock->SetNow(base::Time::NowFromSystemTime());
787 mock_clock->Advance(base::TimeDelta::FromDays(367));
788 SSLErrorHandler::SetClockForTest(mock_clock.get());
789 SSLErrorClassification::SetBuildTimeForTesting(
790 base::Time::NowFromSystemTime());
792 ui_test_utils::NavigateToURL(browser(), https_server_expired_.GetURL("/"));
793 WebContents* clock_tab = browser()->tab_strip_model()->GetActiveWebContents();
794 content::WaitForInterstitialAttach(clock_tab);
795 InterstitialPage* clock_interstitial = clock_tab->GetInterstitialPage();
796 ASSERT_TRUE(clock_interstitial);
797 EXPECT_EQ(BadClockBlockingPage::kTypeForTesting,
798 clock_interstitial->GetDelegateForTesting()->GetTypeForTesting());
801 // Visits a page with https error and then goes back using Browser::GoBack.
802 IN_PROC_BROWSER_TEST_F(SSLUITest,
803 TestHTTPSExpiredCertAndGoBackViaButton) {
804 ASSERT_TRUE(test_server()->Start());
805 ASSERT_TRUE(https_server_expired_.Start());
807 // First navigate to an HTTP page.
808 ui_test_utils::NavigateToURL(browser(),
809 test_server()->GetURL("files/ssl/google.html"));
810 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
811 NavigationEntry* entry = tab->GetController().GetActiveEntry();
812 ASSERT_TRUE(entry);
814 // Now go to a bad HTTPS page that shows an interstitial.
815 ui_test_utils::NavigateToURL(browser(),
816 https_server_expired_.GetURL("files/ssl/google.html"));
817 CheckAuthenticationBrokenState(
818 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
820 ProvisionalLoadWaiter load_failed_observer(tab);
822 // Simulate user clicking on back button (crbug.com/39248).
823 chrome::GoBack(browser(), CURRENT_TAB);
825 // Wait until we hear the load failure, and make sure we haven't swapped out
826 // the previous page. Prevents regression of http://crbug.com/82667.
827 // TODO(creis/nick): Move the swapped-out part of this test into content
828 // and remove IsRenderViewHostSwappedOut from the public API.
829 load_failed_observer.Wait();
830 EXPECT_FALSE(content::RenderFrameHostTester::IsRenderFrameHostSwappedOut(
831 tab->GetMainFrame()));
833 // We should be back at the original good page.
834 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
835 GetInterstitialPage());
836 CheckUnauthenticatedState(tab, AuthState::NONE);
839 // Visits a page with https error and then goes back using GoToOffset.
840 // Disabled because its flaky: http://crbug.com/40932, http://crbug.com/43575.
841 IN_PROC_BROWSER_TEST_F(SSLUITest,
842 TestHTTPSExpiredCertAndGoBackViaMenu) {
843 ASSERT_TRUE(test_server()->Start());
844 ASSERT_TRUE(https_server_expired_.Start());
846 // First navigate to an HTTP page.
847 ui_test_utils::NavigateToURL(browser(),
848 test_server()->GetURL("files/ssl/google.html"));
849 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
850 NavigationEntry* entry = tab->GetController().GetActiveEntry();
851 ASSERT_TRUE(entry);
853 // Now go to a bad HTTPS page that shows an interstitial.
854 ui_test_utils::NavigateToURL(browser(),
855 https_server_expired_.GetURL("files/ssl/google.html"));
856 CheckAuthenticationBrokenState(
857 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
859 // Simulate user clicking and holding on back button (crbug.com/37215).
860 tab->GetController().GoToOffset(-1);
862 // We should be back at the original good page.
863 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
864 GetInterstitialPage());
865 CheckUnauthenticatedState(tab, AuthState::NONE);
868 // Visits a page with https error and then goes forward using GoToOffset.
869 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTPSExpiredCertAndGoForward) {
870 ASSERT_TRUE(test_server()->Start());
871 ASSERT_TRUE(https_server_expired_.Start());
873 // First navigate to two HTTP pages.
874 ui_test_utils::NavigateToURL(browser(),
875 test_server()->GetURL("files/ssl/google.html"));
876 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
877 NavigationEntry* entry1 = tab->GetController().GetActiveEntry();
878 ASSERT_TRUE(entry1);
879 ui_test_utils::NavigateToURL(browser(),
880 test_server()->GetURL("files/ssl/blank_page.html"));
881 NavigationEntry* entry2 = tab->GetController().GetActiveEntry();
882 ASSERT_TRUE(entry2);
884 // Now go back so that a page is in the forward history.
886 content::WindowedNotificationObserver observer(
887 content::NOTIFICATION_LOAD_STOP,
888 content::Source<NavigationController>(&tab->GetController()));
889 tab->GetController().GoBack();
890 observer.Wait();
892 ASSERT_TRUE(tab->GetController().CanGoForward());
893 NavigationEntry* entry3 = tab->GetController().GetActiveEntry();
894 ASSERT_TRUE(entry1 == entry3);
896 // Now go to a bad HTTPS page that shows an interstitial.
897 ui_test_utils::NavigateToURL(browser(),
898 https_server_expired_.GetURL("files/ssl/google.html"));
899 CheckAuthenticationBrokenState(
900 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
902 // Simulate user clicking and holding on forward button.
904 content::WindowedNotificationObserver observer(
905 content::NOTIFICATION_LOAD_STOP,
906 content::Source<NavigationController>(&tab->GetController()));
907 tab->GetController().GoToOffset(1);
908 observer.Wait();
911 // We should be showing the second good page.
912 EXPECT_FALSE(browser()->tab_strip_model()->GetActiveWebContents()->
913 GetInterstitialPage());
914 CheckUnauthenticatedState(tab, AuthState::NONE);
915 EXPECT_FALSE(tab->GetController().CanGoForward());
916 NavigationEntry* entry4 = tab->GetController().GetActiveEntry();
917 EXPECT_TRUE(entry2 == entry4);
920 // Visit a HTTP page which request WSS connection to a server providing invalid
921 // certificate. Close the page while WSS connection waits for SSLManager's
922 // response from UI thread.
923 // Disabled on Windows because it was flaking on XP Tests (1). crbug.com/165258
924 #if defined(OS_WIN)
925 #define MAYBE_TestWSSInvalidCertAndClose DISABLED_TestWSSInvalidCertAndClose
926 #else
927 #define MAYBE_TestWSSInvalidCertAndClose TestWSSInvalidCertAndClose
928 #endif
929 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestWSSInvalidCertAndClose) {
930 ASSERT_TRUE(test_server()->Start());
931 ASSERT_TRUE(wss_server_expired_.Start());
933 // Setup page title observer.
934 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
935 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
936 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
938 // Create GURLs to test pages.
939 std::string master_url_path = base::StringPrintf("%s?%d",
940 test_server()->GetURL("files/ssl/wss_close.html").spec().c_str(),
941 wss_server_expired_.host_port_pair().port());
942 GURL master_url(master_url_path);
943 std::string slave_url_path = base::StringPrintf("%s?%d",
944 test_server()->GetURL("files/ssl/wss_close_slave.html").spec().c_str(),
945 wss_server_expired_.host_port_pair().port());
946 GURL slave_url(slave_url_path);
948 // Create tabs and visit pages which keep on creating wss connections.
949 WebContents* tabs[16];
950 for (int i = 0; i < 16; ++i) {
951 tabs[i] = chrome::AddSelectedTabWithURL(browser(), slave_url,
952 ui::PAGE_TRANSITION_LINK);
954 chrome::SelectNextTab(browser());
956 // Visit a page which waits for one TLS handshake failure.
957 // The title will be changed to 'PASS'.
958 ui_test_utils::NavigateToURL(browser(), master_url);
959 const base::string16 result = watcher.WaitAndGetTitle();
960 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
962 // Close tabs which contains the test page.
963 for (int i = 0; i < 16; ++i)
964 chrome::CloseWebContents(browser(), tabs[i], false);
965 chrome::CloseWebContents(browser(), tab, false);
968 // Visit a HTTPS page and proceeds despite an invalid certificate. The page
969 // requests WSS connection to the same origin host to check if WSS connection
970 // share certificates policy with HTTPS correcly.
971 IN_PROC_BROWSER_TEST_F(SSLUITest, TestWSSInvalidCertAndGoForward) {
972 ASSERT_TRUE(test_server()->Start());
973 ASSERT_TRUE(wss_server_expired_.Start());
975 // Setup page title observer.
976 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
977 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
978 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
980 // Visit bad HTTPS page.
981 GURL::Replacements replacements;
982 replacements.SetSchemeStr("https");
983 ui_test_utils::NavigateToURL(
984 browser(),
985 wss_server_expired_.GetURL(
986 "connect_check.html").ReplaceComponents(replacements));
987 CheckAuthenticationBrokenState(
988 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
990 // Proceed anyway.
991 ProceedThroughInterstitial(tab);
993 // Test page run a WebSocket wss connection test. The result will be shown
994 // as page title.
995 const base::string16 result = watcher.WaitAndGetTitle();
996 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
999 // Ensure that non-standard origins are marked correctly when the
1000 // MarkNonSecureAs field trial is enabled.
1001 IN_PROC_BROWSER_TEST_F(SSLUITest, TestMarkNonSecureAs) {
1002 scoped_refptr<base::FieldTrial> trial =
1003 base::FieldTrialList::CreateFieldTrial(
1004 "MarkNonSecureAs", switches::kMarkNonSecureAsNonSecure);
1006 ui_test_utils::NavigateToURL(browser(), GURL("file:/"));
1007 EXPECT_EQ(connection_security::NONE,
1008 connection_security::GetSecurityLevelForWebContents(
1009 browser()->tab_strip_model()->GetActiveWebContents()));
1011 ui_test_utils::NavigateToURL(browser(), GURL("about:blank"));
1012 EXPECT_EQ(connection_security::NONE,
1013 connection_security::GetSecurityLevelForWebContents(
1014 browser()->tab_strip_model()->GetActiveWebContents()));
1016 ui_test_utils::NavigateToURL(browser(), GURL("data:text/plain,hello"));
1017 EXPECT_EQ(connection_security::NONE,
1018 connection_security::GetSecurityLevelForWebContents(
1019 browser()->tab_strip_model()->GetActiveWebContents()));
1021 ui_test_utils::NavigateToURL(
1022 browser(),
1023 GURL("blob:chrome%3A//newtab/49a463bb-fac8-476c-97bf-5d7076c3ea1a"));
1024 EXPECT_EQ(connection_security::NONE,
1025 connection_security::GetSecurityLevelForWebContents(
1026 browser()->tab_strip_model()->GetActiveWebContents()));
1029 #if defined(USE_NSS_CERTS)
1030 class SSLUITestWithClientCert : public SSLUITest {
1031 public:
1032 SSLUITestWithClientCert() : cert_db_(NULL) {}
1034 void SetUpOnMainThread() override {
1035 SSLUITest::SetUpOnMainThread();
1037 base::RunLoop loop;
1038 GetNSSCertDatabaseForProfile(
1039 browser()->profile(),
1040 base::Bind(&SSLUITestWithClientCert::DidGetCertDatabase,
1041 base::Unretained(this),
1042 &loop));
1043 loop.Run();
1046 protected:
1047 void DidGetCertDatabase(base::RunLoop* loop, net::NSSCertDatabase* cert_db) {
1048 cert_db_ = cert_db;
1049 loop->Quit();
1052 net::NSSCertDatabase* cert_db_;
1055 // SSL client certificate tests are only enabled when using NSS for private key
1056 // storage, as only NSS can avoid modifying global machine state when testing.
1057 // See http://crbug.com/51132
1059 // Visit a HTTPS page which requires client cert authentication. The client
1060 // cert will be selected automatically, then a test which uses WebSocket runs.
1061 IN_PROC_BROWSER_TEST_F(SSLUITestWithClientCert, TestWSSClientCert) {
1062 // Import a client cert for test.
1063 scoped_refptr<net::CryptoModule> crypt_module = cert_db_->GetPublicModule();
1064 std::string pkcs12_data;
1065 base::FilePath cert_path = net::GetTestCertsDirectory().Append(
1066 FILE_PATH_LITERAL("websocket_client_cert.p12"));
1067 EXPECT_TRUE(base::ReadFileToString(cert_path, &pkcs12_data));
1068 EXPECT_EQ(net::OK,
1069 cert_db_->ImportFromPKCS12(
1070 crypt_module.get(), pkcs12_data, base::string16(), true, NULL));
1072 // Start WebSocket test server with TLS and client cert authentication.
1073 net::SpawnedTestServer::SSLOptions options(
1074 net::SpawnedTestServer::SSLOptions::CERT_OK);
1075 options.request_client_certificate = true;
1076 base::FilePath ca_path = net::GetTestCertsDirectory().Append(
1077 FILE_PATH_LITERAL("websocket_cacert.pem"));
1078 options.client_authorities.push_back(ca_path);
1079 net::SpawnedTestServer wss_server(net::SpawnedTestServer::TYPE_WSS,
1080 options,
1081 net::GetWebSocketTestDataDirectory());
1082 ASSERT_TRUE(wss_server.Start());
1083 GURL::Replacements replacements;
1084 replacements.SetSchemeStr("https");
1085 GURL url = wss_server.GetURL("connect_check.html").ReplaceComponents(
1086 replacements);
1088 // Setup page title observer.
1089 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1090 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
1091 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
1093 // Add an entry into AutoSelectCertificateForUrls policy for automatic client
1094 // cert selection.
1095 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
1096 DCHECK(profile);
1097 scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
1098 dict->SetString("ISSUER.CN", "pywebsocket");
1099 profile->GetHostContentSettingsMap()->SetWebsiteSetting(
1100 ContentSettingsPattern::FromURL(url),
1101 ContentSettingsPattern::FromURL(url),
1102 CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE,
1103 std::string(),
1104 dict.release());
1106 // Visit a HTTPS page which requires client certs.
1107 ui_test_utils::NavigateToURL(browser(), url);
1108 CheckAuthenticatedState(tab, AuthState::NONE);
1110 // Test page runs a WebSocket wss connection test. The result will be shown
1111 // as page title.
1112 const base::string16 result = watcher.WaitAndGetTitle();
1113 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
1115 #endif // defined(USE_NSS_CERTS)
1117 // Flaky on CrOS http://crbug.com/92292
1118 #if defined(OS_CHROMEOS)
1119 #define MAYBE_TestHTTPSErrorWithNoNavEntry \
1120 DISABLED_TestHTTPSErrorWithNoNavEntry
1121 #else
1122 #define MAYBE_TestHTTPSErrorWithNoNavEntry TestHTTPSErrorWithNoNavEntry
1123 #endif // defined(OS_CHROMEOS)
1125 // Open a page with a HTTPS error in a tab with no prior navigation (through a
1126 // link with a blank target). This is to test that the lack of navigation entry
1127 // does not cause any problems (it was causing a crasher, see
1128 // http://crbug.com/19941).
1129 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestHTTPSErrorWithNoNavEntry) {
1130 ASSERT_TRUE(https_server_expired_.Start());
1132 GURL url = https_server_expired_.GetURL("files/ssl/google.htm");
1133 WebContents* tab2 = chrome::AddSelectedTabWithURL(
1134 browser(), url, ui::PAGE_TRANSITION_TYPED);
1135 content::WaitForLoadStop(tab2);
1137 // Verify our assumption that there was no prior navigation.
1138 EXPECT_FALSE(chrome::CanGoBack(browser()));
1140 // We should have an interstitial page showing.
1141 ASSERT_TRUE(tab2->GetInterstitialPage());
1142 ASSERT_EQ(SSLBlockingPage::kTypeForTesting, tab2->GetInterstitialPage()
1143 ->GetDelegateForTesting()
1144 ->GetTypeForTesting());
1147 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadHTTPSDownload) {
1148 ASSERT_TRUE(test_server()->Start());
1149 ASSERT_TRUE(https_server_expired_.Start());
1150 GURL url_non_dangerous = test_server()->GetURL(std::string());
1151 GURL url_dangerous =
1152 https_server_expired_.GetURL("files/downloads/dangerous/dangerous.exe");
1153 base::ScopedTempDir downloads_directory_;
1155 // Need empty temp dir to avoid having Chrome ask us for a new filename
1156 // when we've downloaded dangerous.exe one hundred times.
1157 ASSERT_TRUE(downloads_directory_.CreateUniqueTempDir());
1159 browser()->profile()->GetPrefs()->SetFilePath(
1160 prefs::kDownloadDefaultDirectory,
1161 downloads_directory_.path());
1163 // Visit a non-dangerous page.
1164 ui_test_utils::NavigateToURL(browser(), url_non_dangerous);
1166 // Now, start a transition to dangerous download.
1168 content::WindowedNotificationObserver observer(
1169 content::NOTIFICATION_LOAD_STOP,
1170 content::NotificationService::AllSources());
1171 chrome::NavigateParams navigate_params(browser(), url_dangerous,
1172 ui::PAGE_TRANSITION_TYPED);
1173 chrome::Navigate(&navigate_params);
1174 observer.Wait();
1177 // To exit the browser cleanly (and this test) we need to complete the
1178 // download after completing this test.
1179 content::DownloadTestObserverTerminal dangerous_download_observer(
1180 content::BrowserContext::GetDownloadManager(browser()->profile()),
1182 content::DownloadTestObserver::ON_DANGEROUS_DOWNLOAD_ACCEPT);
1184 // Proceed through the SSL interstitial. This doesn't use
1185 // |ProceedThroughInterstitial| since no page load will commit.
1186 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1187 ASSERT_TRUE(tab != NULL);
1188 ASSERT_TRUE(tab->GetInterstitialPage() != NULL);
1189 ASSERT_EQ(
1190 SSLBlockingPage::kTypeForTesting,
1191 tab->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1193 content::WindowedNotificationObserver observer(
1194 chrome::NOTIFICATION_DOWNLOAD_INITIATED,
1195 content::NotificationService::AllSources());
1196 tab->GetInterstitialPage()->Proceed();
1197 observer.Wait();
1200 // There should still be an interstitial at this point. Press the
1201 // back button on the browser. Note that this doesn't wait for a
1202 // NAV_ENTRY_COMMITTED notification because going back with an
1203 // active interstitial simply hides the interstitial.
1204 ASSERT_TRUE(tab->GetInterstitialPage() != NULL);
1205 ASSERT_EQ(
1206 SSLBlockingPage::kTypeForTesting,
1207 tab->GetInterstitialPage()->GetDelegateForTesting()->GetTypeForTesting());
1208 EXPECT_TRUE(chrome::CanGoBack(browser()));
1209 chrome::GoBack(browser(), CURRENT_TAB);
1211 dangerous_download_observer.WaitForFinished();
1215 // Insecure content
1218 #if defined(OS_WIN)
1219 // http://crbug.com/152940 Flaky on win.
1220 #define MAYBE_TestDisplaysInsecureContent DISABLED_TestDisplaysInsecureContent
1221 #else
1222 #define MAYBE_TestDisplaysInsecureContent TestDisplaysInsecureContent
1223 #endif
1225 // Visits a page that displays insecure content.
1226 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestDisplaysInsecureContent) {
1227 ASSERT_TRUE(test_server()->Start());
1228 ASSERT_TRUE(https_server_.Start());
1230 std::string replacement_path;
1231 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1232 "files/ssl/page_displays_insecure_content.html",
1233 test_server()->host_port_pair(),
1234 &replacement_path));
1236 // Load a page that displays insecure content.
1237 ui_test_utils::NavigateToURL(browser(),
1238 https_server_.GetURL(replacement_path));
1240 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
1241 AuthState::DISPLAYED_INSECURE_CONTENT);
1244 // Test that if the user proceeds and the checkbox is checked, a report
1245 // is sent or not sent depending on the Finch config.
1246 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1247 TestBrokenHTTPSProceedReporting) {
1248 certificate_reporting_test_utils::ExpectReport expect_report =
1249 certificate_reporting_test_utils::GetReportExpectedFromFinch();
1250 TestBrokenHTTPSReporting(
1251 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1252 SSL_INTERSTITIAL_PROCEED, expect_report, browser());
1255 // Test that if the user goes back and the checkbox is checked, a report
1256 // is sent or not sent depending on the Finch config.
1257 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1258 TestBrokenHTTPSGoBackReporting) {
1259 certificate_reporting_test_utils::ExpectReport expect_report =
1260 certificate_reporting_test_utils::GetReportExpectedFromFinch();
1261 TestBrokenHTTPSReporting(
1262 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1263 SSL_INTERSTITIAL_DO_NOT_PROCEED, expect_report, browser());
1266 // User proceeds, checkbox is shown but unchecked. Reports should never
1267 // be sent, regardless of Finch config.
1268 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1269 TestBrokenHTTPSProceedReportingWithNoOptIn) {
1270 TestBrokenHTTPSReporting(
1271 certificate_reporting_test_utils::EXTENDED_REPORTING_DO_NOT_OPT_IN,
1272 SSL_INTERSTITIAL_PROCEED,
1273 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1276 // User goes back, checkbox is shown but unchecked. Reports should never
1277 // be sent, regardless of Finch config.
1278 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1279 TestBrokenHTTPSGoBackShowYesCheckNoParamYesReportNo) {
1280 TestBrokenHTTPSReporting(
1281 certificate_reporting_test_utils::EXTENDED_REPORTING_DO_NOT_OPT_IN,
1282 SSL_INTERSTITIAL_DO_NOT_PROCEED,
1283 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1286 // User proceeds, checkbox is not shown but checked -> we expect no
1287 // report.
1288 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1289 TestBrokenHTTPSProceedShowNoCheckYesReportNo) {
1290 if (base::FieldTrialList::FindFullName(
1291 CertReportHelper::kFinchExperimentName) ==
1292 CertReportHelper::kFinchGroupDontShowDontSend) {
1293 TestBrokenHTTPSReporting(
1294 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1295 SSL_INTERSTITIAL_PROCEED,
1296 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1300 // Browser is incognito, user proceeds, checkbox has previously opted in
1301 // -> no report, regardless of Finch config.
1302 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1303 TestBrokenHTTPSInIncognitoReportNo) {
1304 TestBrokenHTTPSReporting(
1305 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1306 SSL_INTERSTITIAL_PROCEED,
1307 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED,
1308 CreateIncognitoBrowser());
1311 // Test that reports don't get sent when extended reporting opt-in is
1312 // disabled by policy.
1313 IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
1314 TestBrokenHTTPSNoReportingWhenDisallowed) {
1315 browser()->profile()->GetPrefs()->SetBoolean(
1316 prefs::kSafeBrowsingExtendedReportingOptInAllowed, false);
1317 TestBrokenHTTPSReporting(
1318 certificate_reporting_test_utils::EXTENDED_REPORTING_OPT_IN,
1319 SSL_INTERSTITIAL_PROCEED,
1320 certificate_reporting_test_utils::CERT_REPORT_NOT_EXPECTED, browser());
1323 // Visits a page that runs insecure content and tries to suppress the insecure
1324 // content warnings by randomizing location.hash.
1325 // Based on http://crbug.com/8706
1326 IN_PROC_BROWSER_TEST_F(SSLUITest,
1327 TestRunsInsecuredContentRandomizeHash) {
1328 ASSERT_TRUE(test_server()->Start());
1329 ASSERT_TRUE(https_server_.Start());
1331 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1332 "files/ssl/page_runs_insecure_content.html"));
1334 CheckAuthenticationBrokenState(
1335 browser()->tab_strip_model()->GetActiveWebContents(),
1336 CertError::NONE,
1337 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1340 // Visits a page with unsafe content and make sure that:
1341 // - frames content is replaced with warning
1342 // - images and scripts are filtered out entirely
1343 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContents) {
1344 ASSERT_TRUE(https_server_.Start());
1345 ASSERT_TRUE(https_server_expired_.Start());
1347 std::string replacement_path;
1348 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1349 "files/ssl/page_with_unsafe_contents.html",
1350 https_server_expired_.host_port_pair(),
1351 &replacement_path));
1352 ui_test_utils::NavigateToURL(browser(),
1353 https_server_.GetURL(replacement_path));
1355 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1356 // When the bad content is filtered, the state is expected to be
1357 // authenticated.
1358 CheckAuthenticatedState(tab, AuthState::NONE);
1360 // Because of cross-frame scripting restrictions, we cannot access the iframe
1361 // content. So to know if the frame was loaded, we just check if a popup was
1362 // opened (the iframe content opens one).
1363 // Note: because of bug 1115868, no web contents modal dialog is opened right
1364 // now. Once the bug is fixed, this will do the real check.
1365 EXPECT_FALSE(IsShowingWebContentsModalDialog());
1367 int img_width;
1368 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
1369 tab,
1370 "window.domAutomationController.send(ImageWidth());",
1371 &img_width));
1372 // In order to check that the image was not loaded, we check its width.
1373 // The actual image (Google logo) is 114 pixels wide, we assume the broken
1374 // image is less than 100.
1375 EXPECT_LT(img_width, 100);
1377 bool js_result = false;
1378 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1379 tab,
1380 "window.domAutomationController.send(IsFooSet());",
1381 &js_result));
1382 EXPECT_FALSE(js_result);
1385 // Visits a page with insecure content loaded by JS (after the initial page
1386 // load).
1387 #if defined(OS_LINUX)
1388 // flaky http://crbug.com/396462
1389 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1390 DISABLED_TestDisplaysInsecureContentLoadedFromJS
1391 #else
1392 #define MAYBE_TestDisplaysInsecureContentLoadedFromJS \
1393 TestDisplaysInsecureContentLoadedFromJS
1394 #endif
1395 IN_PROC_BROWSER_TEST_F(SSLUITest,
1396 MAYBE_TestDisplaysInsecureContentLoadedFromJS) {
1397 ASSERT_TRUE(test_server()->Start());
1398 ASSERT_TRUE(https_server_.Start());
1400 std::string replacement_path;
1401 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1402 "files/ssl/page_with_dynamic_insecure_content.html",
1403 test_server()->host_port_pair(),
1404 &replacement_path));
1405 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
1406 replacement_path));
1408 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1409 CheckAuthenticatedState(tab, AuthState::NONE);
1411 // Load the insecure image.
1412 bool js_result = false;
1413 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1414 tab,
1415 "loadBadImage();",
1416 &js_result));
1417 EXPECT_TRUE(js_result);
1419 // We should now have insecure content.
1420 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT);
1423 // Visits two pages from the same origin: one that displays insecure content and
1424 // one that doesn't. The test checks that we do not propagate the insecure
1425 // content state from one to the other.
1426 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysInsecureContentTwoTabs) {
1427 ASSERT_TRUE(test_server()->Start());
1428 ASSERT_TRUE(https_server_.Start());
1430 ui_test_utils::NavigateToURL(browser(),
1431 https_server_.GetURL("files/ssl/blank_page.html"));
1433 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1435 // This tab should be fine.
1436 CheckAuthenticatedState(tab1, AuthState::NONE);
1438 // Create a new tab.
1439 std::string replacement_path;
1440 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1441 "files/ssl/page_displays_insecure_content.html",
1442 test_server()->host_port_pair(),
1443 &replacement_path));
1445 GURL url = https_server_.GetURL(replacement_path);
1446 chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_TYPED);
1447 params.disposition = NEW_FOREGROUND_TAB;
1448 params.tabstrip_index = 0;
1449 params.source_contents = tab1;
1450 content::WindowedNotificationObserver observer(
1451 content::NOTIFICATION_LOAD_STOP,
1452 content::NotificationService::AllSources());
1453 chrome::Navigate(&params);
1454 WebContents* tab2 = params.target_contents;
1455 observer.Wait();
1457 // The new tab has insecure content.
1458 CheckAuthenticatedState(tab2, AuthState::DISPLAYED_INSECURE_CONTENT);
1460 // The original tab should not be contaminated.
1461 CheckAuthenticatedState(tab1, AuthState::NONE);
1464 // Visits two pages from the same origin: one that runs insecure content and one
1465 // that doesn't. The test checks that we propagate the insecure content state
1466 // from one to the other.
1467 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRunsInsecureContentTwoTabs) {
1468 ASSERT_TRUE(test_server()->Start());
1469 ASSERT_TRUE(https_server_.Start());
1471 ui_test_utils::NavigateToURL(browser(),
1472 https_server_.GetURL("files/ssl/blank_page.html"));
1474 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1476 // This tab should be fine.
1477 CheckAuthenticatedState(tab1, AuthState::NONE);
1479 std::string replacement_path;
1480 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1481 "files/ssl/page_runs_insecure_content.html",
1482 test_server()->host_port_pair(),
1483 &replacement_path));
1485 // Create a new tab in the same process. Using a NEW_FOREGROUND_TAB
1486 // disposition won't usually stay in the same process, but this works
1487 // because we are using process-per-site in SetUpCommandLine.
1488 GURL url = https_server_.GetURL(replacement_path);
1489 chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_TYPED);
1490 params.disposition = NEW_FOREGROUND_TAB;
1491 params.source_contents = tab1;
1492 content::WindowedNotificationObserver observer(
1493 content::NOTIFICATION_LOAD_STOP,
1494 content::NotificationService::AllSources());
1495 chrome::Navigate(&params);
1496 WebContents* tab2 = params.target_contents;
1497 observer.Wait();
1499 // Both tabs should have the same process.
1500 EXPECT_EQ(tab1->GetRenderProcessHost(), tab2->GetRenderProcessHost());
1502 // The new tab has insecure content.
1503 CheckAuthenticationBrokenState(
1504 tab2,
1505 CertError::NONE,
1506 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1508 // Which means the origin for the first tab has also been contaminated with
1509 // insecure content.
1510 CheckAuthenticationBrokenState(
1511 tab1, CertError::NONE, AuthState::RAN_INSECURE_CONTENT);
1514 // Visits a page with an image over http. Visits another page over https
1515 // referencing that same image over http (hoping it is coming from the webcore
1516 // memory cache).
1517 IN_PROC_BROWSER_TEST_F(SSLUITest, TestDisplaysCachedInsecureContent) {
1518 ASSERT_TRUE(test_server()->Start());
1519 ASSERT_TRUE(https_server_.Start());
1521 std::string replacement_path;
1522 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1523 "files/ssl/page_displays_insecure_content.html",
1524 test_server()->host_port_pair(),
1525 &replacement_path));
1527 // Load original page over HTTP.
1528 const GURL url_http = test_server()->GetURL(replacement_path);
1529 ui_test_utils::NavigateToURL(browser(), url_http);
1530 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1531 CheckUnauthenticatedState(tab, AuthState::NONE);
1533 // Load again but over SSL. It should be marked as displaying insecure
1534 // content (even though the image comes from the WebCore memory cache).
1535 const GURL url_https = https_server_.GetURL(replacement_path);
1536 ui_test_utils::NavigateToURL(browser(), url_https);
1537 CheckAuthenticatedState(tab, AuthState::DISPLAYED_INSECURE_CONTENT);
1540 // http://crbug.com/84729
1541 #if defined(OS_CHROMEOS)
1542 #define MAYBE_TestRunsCachedInsecureContent \
1543 DISABLED_TestRunsCachedInsecureContent
1544 #else
1545 #define MAYBE_TestRunsCachedInsecureContent TestRunsCachedInsecureContent
1546 #endif // defined(OS_CHROMEOS)
1548 // Visits a page with script over http. Visits another page over https
1549 // referencing that same script over http (hoping it is coming from the webcore
1550 // memory cache).
1551 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRunsCachedInsecureContent) {
1552 ASSERT_TRUE(test_server()->Start());
1553 ASSERT_TRUE(https_server_.Start());
1555 std::string replacement_path;
1556 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1557 "files/ssl/page_runs_insecure_content.html",
1558 test_server()->host_port_pair(),
1559 &replacement_path));
1561 // Load original page over HTTP.
1562 const GURL url_http = test_server()->GetURL(replacement_path);
1563 ui_test_utils::NavigateToURL(browser(), url_http);
1564 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1565 CheckUnauthenticatedState(tab, AuthState::NONE);
1567 // Load again but over SSL. It should be marked as displaying insecure
1568 // content (even though the image comes from the WebCore memory cache).
1569 const GURL url_https = https_server_.GetURL(replacement_path);
1570 ui_test_utils::NavigateToURL(browser(), url_https);
1571 CheckAuthenticationBrokenState(
1572 tab,
1573 CertError::NONE,
1574 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1577 // This test ensures the CN invalid status does not 'stick' to a certificate
1578 // (see bug #1044942) and that it depends on the host-name.
1579 // Test if disabled due to flakiness http://crbug.com/368280 .
1580 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCNInvalidStickiness) {
1581 ASSERT_TRUE(https_server_.Start());
1582 ASSERT_TRUE(https_server_mismatched_.Start());
1584 // First we hit the server with hostname, this generates an invalid policy
1585 // error.
1586 ui_test_utils::NavigateToURL(browser(),
1587 https_server_mismatched_.GetURL("files/ssl/google.html"));
1589 // We get an interstitial page as a result.
1590 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1591 CheckAuthenticationBrokenState(tab,
1592 net::CERT_STATUS_COMMON_NAME_INVALID,
1593 AuthState::SHOWING_INTERSTITIAL);
1594 ProceedThroughInterstitial(tab);
1595 CheckAuthenticationBrokenState(
1596 tab, net::CERT_STATUS_COMMON_NAME_INVALID, AuthState::NONE);
1598 // Now we try again with the right host name this time.
1599 GURL url(https_server_.GetURL("files/ssl/google.html"));
1600 ui_test_utils::NavigateToURL(browser(), url);
1602 // Security state should be OK.
1603 CheckAuthenticatedState(tab, AuthState::NONE);
1605 // Now try again the broken one to make sure it is still broken.
1606 ui_test_utils::NavigateToURL(browser(),
1607 https_server_mismatched_.GetURL("files/ssl/google.html"));
1609 // Since we OKed the interstitial last time, we get right to the page.
1610 CheckAuthenticationBrokenState(
1611 tab, net::CERT_STATUS_COMMON_NAME_INVALID, AuthState::NONE);
1614 #if defined(OS_CHROMEOS)
1615 // This test seems to be flaky and hang on chromiumos.
1616 // http://crbug.com/84419
1617 #define MAYBE_TestRefNavigation DISABLED_TestRefNavigation
1618 #else
1619 #define MAYBE_TestRefNavigation TestRefNavigation
1620 #endif
1622 // Test that navigating to a #ref does not change a bad security state.
1623 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRefNavigation) {
1624 ASSERT_TRUE(https_server_expired_.Start());
1626 ui_test_utils::NavigateToURL(browser(),
1627 https_server_expired_.GetURL("files/ssl/page_with_refs.html"));
1629 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1630 CheckAuthenticationBrokenState(
1631 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1633 ProceedThroughInterstitial(tab);
1635 CheckAuthenticationBrokenState(
1636 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1637 // Now navigate to a ref in the page, the security state should not have
1638 // changed.
1639 ui_test_utils::NavigateToURL(browser(),
1640 https_server_expired_.GetURL("files/ssl/page_with_refs.html#jp"));
1642 CheckAuthenticationBrokenState(
1643 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1646 // Tests that closing a page that has a unsafe pop-up does not crash the
1647 // browser (bug #1966).
1648 // TODO(jcampan): http://crbug.com/2136 disabled because the popup is not
1649 // opened as it is not initiated by a user gesture.
1650 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestCloseTabWithUnsafePopup) {
1651 ASSERT_TRUE(test_server()->Start());
1652 ASSERT_TRUE(https_server_expired_.Start());
1654 std::string replacement_path;
1655 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
1656 "files/ssl/page_with_unsafe_popup.html",
1657 https_server_expired_.host_port_pair(),
1658 &replacement_path));
1660 ui_test_utils::NavigateToURL(browser(),
1661 test_server()->GetURL(replacement_path));
1663 WebContents* tab1 = browser()->tab_strip_model()->GetActiveWebContents();
1664 // It is probably overkill to add a notification for a popup-opening, let's
1665 // just poll.
1666 for (int i = 0; i < 10; i++) {
1667 if (IsShowingWebContentsModalDialog())
1668 break;
1669 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
1670 FROM_HERE, base::MessageLoop::QuitClosure(),
1671 base::TimeDelta::FromSeconds(1));
1672 content::RunMessageLoop();
1674 ASSERT_TRUE(IsShowingWebContentsModalDialog());
1676 // Let's add another tab to make sure the browser does not exit when we close
1677 // the first tab.
1678 GURL url = test_server()->GetURL("files/ssl/google.html");
1679 content::WindowedNotificationObserver observer(
1680 content::NOTIFICATION_LOAD_STOP,
1681 content::NotificationService::AllSources());
1682 chrome::AddSelectedTabWithURL(browser(), url, ui::PAGE_TRANSITION_TYPED);
1683 observer.Wait();
1685 // Close the first tab.
1686 chrome::CloseWebContents(browser(), tab1, false);
1689 // Visit a page over bad https that is a redirect to a page with good https.
1690 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectBadToGoodHTTPS) {
1691 ASSERT_TRUE(https_server_.Start());
1692 ASSERT_TRUE(https_server_expired_.Start());
1694 GURL url1 = https_server_expired_.GetURL("server-redirect?");
1695 GURL url2 = https_server_.GetURL("files/ssl/google.html");
1697 ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
1699 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1701 CheckAuthenticationBrokenState(
1702 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1704 ProceedThroughInterstitial(tab);
1706 // We have been redirected to the good page.
1707 CheckAuthenticatedState(tab, AuthState::NONE);
1710 // Flaky on Linux. http://crbug.com/368280.
1711 #if defined(OS_LINUX)
1712 #define MAYBE_TestRedirectGoodToBadHTTPS DISABLED_TestRedirectGoodToBadHTTPS
1713 #else
1714 #define MAYBE_TestRedirectGoodToBadHTTPS TestRedirectGoodToBadHTTPS
1715 #endif
1717 // Visit a page over good https that is a redirect to a page with bad https.
1718 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRedirectGoodToBadHTTPS) {
1719 ASSERT_TRUE(https_server_.Start());
1720 ASSERT_TRUE(https_server_expired_.Start());
1722 GURL url1 = https_server_.GetURL("server-redirect?");
1723 GURL url2 = https_server_expired_.GetURL("files/ssl/google.html");
1724 ui_test_utils::NavigateToURL(browser(), GURL(url1.spec() + url2.spec()));
1726 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1727 CheckAuthenticationBrokenState(
1728 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1730 ProceedThroughInterstitial(tab);
1732 CheckAuthenticationBrokenState(
1733 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1736 // Visit a page over http that is a redirect to a page with good HTTPS.
1737 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPToGoodHTTPS) {
1738 ASSERT_TRUE(test_server()->Start());
1739 ASSERT_TRUE(https_server_.Start());
1741 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1743 // HTTP redirects to good HTTPS.
1744 GURL http_url = test_server()->GetURL("server-redirect?");
1745 GURL good_https_url =
1746 https_server_.GetURL("files/ssl/google.html");
1748 ui_test_utils::NavigateToURL(browser(),
1749 GURL(http_url.spec() + good_https_url.spec()));
1750 CheckAuthenticatedState(tab, AuthState::NONE);
1753 // Flaky on Linux. http://crbug.com/368280.
1754 #if defined(OS_LINUX)
1755 #define MAYBE_TestRedirectHTTPToBadHTTPS DISABLED_TestRedirectHTTPToBadHTTPS
1756 #else
1757 #define MAYBE_TestRedirectHTTPToBadHTTPS TestRedirectHTTPToBadHTTPS
1758 #endif
1760 // Visit a page over http that is a redirect to a page with bad HTTPS.
1761 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestRedirectHTTPToBadHTTPS) {
1762 ASSERT_TRUE(test_server()->Start());
1763 ASSERT_TRUE(https_server_expired_.Start());
1765 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1767 GURL http_url = test_server()->GetURL("server-redirect?");
1768 GURL bad_https_url =
1769 https_server_expired_.GetURL("files/ssl/google.html");
1770 ui_test_utils::NavigateToURL(browser(),
1771 GURL(http_url.spec() + bad_https_url.spec()));
1772 CheckAuthenticationBrokenState(
1773 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1775 ProceedThroughInterstitial(tab);
1777 CheckAuthenticationBrokenState(
1778 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1781 // Visit a page over https that is a redirect to a page with http (to make sure
1782 // we don't keep the secure state).
1783 IN_PROC_BROWSER_TEST_F(SSLUITest, TestRedirectHTTPSToHTTP) {
1784 ASSERT_TRUE(test_server()->Start());
1785 ASSERT_TRUE(https_server_.Start());
1787 GURL https_url = https_server_.GetURL("server-redirect?");
1788 GURL http_url = test_server()->GetURL("files/ssl/google.html");
1790 ui_test_utils::NavigateToURL(browser(),
1791 GURL(https_url.spec() + http_url.spec()));
1792 CheckUnauthenticatedState(
1793 browser()->tab_strip_model()->GetActiveWebContents(), AuthState::NONE);
1796 // Visits a page to which we could not connect (bad port) over http and https
1797 // and make sure the security style is correct.
1798 IN_PROC_BROWSER_TEST_F(SSLUITest, TestConnectToBadPort) {
1799 ui_test_utils::NavigateToURL(browser(), GURL("http://localhost:17"));
1800 CheckUnauthenticatedState(
1801 browser()->tab_strip_model()->GetActiveWebContents(),
1802 AuthState::SHOWING_ERROR);
1804 // Same thing over HTTPS.
1805 ui_test_utils::NavigateToURL(browser(), GURL("https://localhost:17"));
1806 CheckUnauthenticatedState(
1807 browser()->tab_strip_model()->GetActiveWebContents(),
1808 AuthState::SHOWING_ERROR);
1812 // Frame navigation
1815 // From a good HTTPS top frame:
1816 // - navigate to an OK HTTPS frame
1817 // - navigate to a bad HTTPS (expect unsafe content and filtered frame), then
1818 // back
1819 // - navigate to HTTP (expect insecure content), then back
1820 IN_PROC_BROWSER_TEST_F(SSLUITest, TestGoodFrameNavigation) {
1821 ASSERT_TRUE(test_server()->Start());
1822 ASSERT_TRUE(https_server_.Start());
1823 ASSERT_TRUE(https_server_expired_.Start());
1825 std::string top_frame_path;
1826 ASSERT_TRUE(GetTopFramePath(*test_server(),
1827 https_server_,
1828 https_server_expired_,
1829 &top_frame_path));
1831 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1832 ui_test_utils::NavigateToURL(browser(),
1833 https_server_.GetURL(top_frame_path));
1835 CheckAuthenticatedState(tab, AuthState::NONE);
1837 bool success = false;
1838 // Now navigate inside the frame.
1840 content::WindowedNotificationObserver observer(
1841 content::NOTIFICATION_LOAD_STOP,
1842 content::Source<NavigationController>(&tab->GetController()));
1843 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1844 tab,
1845 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1846 &success));
1847 ASSERT_TRUE(success);
1848 observer.Wait();
1851 // We should still be fine.
1852 CheckAuthenticatedState(tab, AuthState::NONE);
1854 // Now let's hit a bad page.
1856 content::WindowedNotificationObserver observer(
1857 content::NOTIFICATION_LOAD_STOP,
1858 content::Source<NavigationController>(&tab->GetController()));
1859 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1860 tab,
1861 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
1862 &success));
1863 ASSERT_TRUE(success);
1864 observer.Wait();
1867 // The security style should still be secure.
1868 CheckAuthenticatedState(tab, AuthState::NONE);
1870 // And the frame should be blocked.
1871 bool is_content_evil = true;
1872 content::RenderFrameHost* content_frame = content::FrameMatchingPredicate(
1873 tab, base::Bind(&content::FrameMatchesName, "contentFrame"));
1874 std::string is_evil_js("window.domAutomationController.send("
1875 "document.getElementById('evilDiv') != null);");
1876 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame,
1877 is_evil_js,
1878 &is_content_evil));
1879 EXPECT_FALSE(is_content_evil);
1881 // Now go back, our state should still be OK.
1883 content::WindowedNotificationObserver observer(
1884 content::NOTIFICATION_LOAD_STOP,
1885 content::Source<NavigationController>(&tab->GetController()));
1886 tab->GetController().GoBack();
1887 observer.Wait();
1889 CheckAuthenticatedState(tab, AuthState::NONE);
1891 // Navigate to a page served over HTTP.
1893 content::WindowedNotificationObserver observer(
1894 content::NOTIFICATION_LOAD_STOP,
1895 content::Source<NavigationController>(&tab->GetController()));
1896 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1897 tab,
1898 "window.domAutomationController.send(clickLink('HTTPLink'));",
1899 &success));
1900 ASSERT_TRUE(success);
1901 observer.Wait();
1904 // Our state should be unathenticated (in the ran mixed script sense)
1905 CheckAuthenticationBrokenState(
1906 tab,
1907 CertError::NONE,
1908 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1910 // Go back, our state should be unchanged.
1912 content::WindowedNotificationObserver observer(
1913 content::NOTIFICATION_LOAD_STOP,
1914 content::Source<NavigationController>(&tab->GetController()));
1915 tab->GetController().GoBack();
1916 observer.Wait();
1919 CheckAuthenticationBrokenState(
1920 tab,
1921 CertError::NONE,
1922 AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
1925 // From a bad HTTPS top frame:
1926 // - navigate to an OK HTTPS frame (expected to be still authentication broken).
1927 IN_PROC_BROWSER_TEST_F(SSLUITest, TestBadFrameNavigation) {
1928 ASSERT_TRUE(https_server_.Start());
1929 ASSERT_TRUE(https_server_expired_.Start());
1931 std::string top_frame_path;
1932 ASSERT_TRUE(GetTopFramePath(*test_server(),
1933 https_server_,
1934 https_server_expired_,
1935 &top_frame_path));
1937 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1938 ui_test_utils::NavigateToURL(browser(),
1939 https_server_expired_.GetURL(top_frame_path));
1940 CheckAuthenticationBrokenState(
1941 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
1943 ProceedThroughInterstitial(tab);
1945 // Navigate to a good frame.
1946 bool success = false;
1947 content::WindowedNotificationObserver observer(
1948 content::NOTIFICATION_LOAD_STOP,
1949 content::Source<NavigationController>(&tab->GetController()));
1950 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1951 tab,
1952 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1953 &success));
1954 ASSERT_TRUE(success);
1955 observer.Wait();
1957 // We should still be authentication broken.
1958 CheckAuthenticationBrokenState(
1959 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
1962 // From an HTTP top frame, navigate to good and bad HTTPS (security state should
1963 // stay unauthenticated).
1964 // Disabled, flakily exceeds test timeout, http://crbug.com/43437.
1965 IN_PROC_BROWSER_TEST_F(SSLUITest, DISABLED_TestUnauthenticatedFrameNavigation) {
1966 ASSERT_TRUE(test_server()->Start());
1967 ASSERT_TRUE(https_server_.Start());
1968 ASSERT_TRUE(https_server_expired_.Start());
1970 std::string top_frame_path;
1971 ASSERT_TRUE(GetTopFramePath(*test_server(),
1972 https_server_,
1973 https_server_expired_,
1974 &top_frame_path));
1976 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
1977 ui_test_utils::NavigateToURL(browser(),
1978 test_server()->GetURL(top_frame_path));
1979 CheckUnauthenticatedState(tab, AuthState::NONE);
1981 // Now navigate inside the frame to a secure HTTPS frame.
1983 bool success = false;
1984 content::WindowedNotificationObserver observer(
1985 content::NOTIFICATION_LOAD_STOP,
1986 content::Source<NavigationController>(&tab->GetController()));
1987 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
1988 tab,
1989 "window.domAutomationController.send(clickLink('goodHTTPSLink'));",
1990 &success));
1991 ASSERT_TRUE(success);
1992 observer.Wait();
1995 // We should still be unauthenticated.
1996 CheckUnauthenticatedState(tab, AuthState::NONE);
1998 // Now navigate to a bad HTTPS frame.
2000 bool success = false;
2001 content::WindowedNotificationObserver observer(
2002 content::NOTIFICATION_LOAD_STOP,
2003 content::Source<NavigationController>(&tab->GetController()));
2004 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
2005 tab,
2006 "window.domAutomationController.send(clickLink('badHTTPSLink'));",
2007 &success));
2008 ASSERT_TRUE(success);
2009 observer.Wait();
2012 // State should not have changed.
2013 CheckUnauthenticatedState(tab, AuthState::NONE);
2015 // And the frame should have been blocked (see bug #2316).
2016 bool is_content_evil = true;
2017 content::RenderFrameHost* content_frame = content::FrameMatchingPredicate(
2018 tab, base::Bind(&content::FrameMatchesName, "contentFrame"));
2019 std::string is_evil_js("window.domAutomationController.send("
2020 "document.getElementById('evilDiv') != null);");
2021 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(content_frame,
2022 is_evil_js,
2023 &is_content_evil));
2024 EXPECT_FALSE(is_content_evil);
2027 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerFiltered) {
2028 ASSERT_TRUE(https_server_.Start());
2029 ASSERT_TRUE(https_server_expired_.Start());
2031 // This page will spawn a Worker which will try to load content from
2032 // BadCertServer.
2033 std::string page_with_unsafe_worker_path;
2034 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_expired_,
2035 &page_with_unsafe_worker_path));
2036 ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
2037 page_with_unsafe_worker_path));
2038 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2039 // Expect Worker not to load insecure content.
2040 CheckWorkerLoadResult(tab, false);
2041 // The bad content is filtered, expect the state to be authenticated.
2042 CheckAuthenticatedState(tab, AuthState::NONE);
2045 // This test, and the related test TestUnsafeContentsWithUserException, verify
2046 // that if unsafe content is loaded but the host of that unsafe content has a
2047 // user exception, the content runs and the security style remains
2048 // authenticated. This is not necessarily the behavior that should exist, but it
2049 // is verification that it does behave that way. See https://crbug.com/477868
2050 // for more inforamtion on this.
2051 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsInWorkerWithUserException) {
2052 ASSERT_TRUE(https_server_.Start());
2053 // Note that it is necessary to user https_server_mismatched_ here over the
2054 // other invalid cert servers. This is because the test relies on the two
2055 // servers having different hosts since SSL exceptions are per-host, not per
2056 // origin, and https_server_mismatched_ uses 'localhost' rather than
2057 // '127.0.0.1'.
2058 ASSERT_TRUE(https_server_mismatched_.Start());
2060 // Navigate to an unsafe site. Proceed with interstitial page to indicate
2061 // the user approves the bad certificate.
2062 ui_test_utils::NavigateToURL(
2063 browser(), https_server_mismatched_.GetURL("files/ssl/blank_page.html"));
2064 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2065 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2066 AuthState::SHOWING_INTERSTITIAL);
2067 ProceedThroughInterstitial(tab);
2068 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2069 AuthState::NONE);
2071 // Navigate to safe page that has Worker loading unsafe content.
2072 // Expect content to load but be marked as auth broken due to running insecure
2073 // content.
2074 std::string page_with_unsafe_worker_path;
2075 ASSERT_TRUE(GetPageWithUnsafeWorkerPath(https_server_mismatched_,
2076 &page_with_unsafe_worker_path));
2077 ui_test_utils::NavigateToURL(
2078 browser(), https_server_.GetURL(page_with_unsafe_worker_path));
2079 CheckWorkerLoadResult(tab, true); // Worker loads insecure content
2080 CheckAuthenticatedState(tab, CertError::NONE);
2083 // Visits a page with unsafe content and makes sure that if a user exception to
2084 // the certificate error is present, the image is loaded and script executes.
2086 // See the comment above SSLUITest.TestUnsafeContentsInWorkerWithUserException
2087 // for a discussion about the desired behavior.
2088 IN_PROC_BROWSER_TEST_F(SSLUITest, TestUnsafeContentsWithUserException) {
2089 ASSERT_TRUE(https_server_.Start());
2090 // Note that it is necessary to user https_server_mismatched_ here over the
2091 // other invalid cert servers. This is because the test relies on the two
2092 // servers having different hosts since SSL exceptions are per-host, not per
2093 // origin, and https_server_mismatched_ uses 'localhost' rather than
2094 // '127.0.0.1'.
2095 ASSERT_TRUE(https_server_mismatched_.Start());
2097 // Navigate to an unsafe site. Proceed with interstitial page to indicate
2098 // the user approves the bad certificate.
2099 ui_test_utils::NavigateToURL(
2100 browser(), https_server_mismatched_.GetURL("files/ssl/blank_page.html"));
2101 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2102 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2103 AuthState::SHOWING_INTERSTITIAL);
2104 ProceedThroughInterstitial(tab);
2105 CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
2106 AuthState::NONE);
2108 std::string replacement_path;
2109 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2110 "files/ssl/page_with_unsafe_contents.html",
2111 https_server_mismatched_.host_port_pair(), &replacement_path));
2112 ui_test_utils::NavigateToURL(browser(),
2113 https_server_.GetURL(replacement_path));
2115 // When the bad content is filtered, the state is expected to be
2116 // authenticated.
2117 CheckAuthenticatedState(tab, AuthState::NONE);
2119 int img_width;
2120 EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
2121 tab, "window.domAutomationController.send(ImageWidth());", &img_width));
2122 // In order to check that the image was loaded, we check its width.
2123 // The actual image (Google logo) is 114 pixels wide, so we assume a good
2124 // image is greater than 100.
2125 EXPECT_GT(img_width, 100);
2127 bool js_result = false;
2128 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
2129 tab, "window.domAutomationController.send(IsFooSet());", &js_result));
2130 EXPECT_TRUE(js_result);
2131 CheckAuthenticatedState(tab, CertError::NONE);
2134 // Test that when the browser blocks displaying insecure content (images), the
2135 // indicator shows a secure page, because the blocking made the otherwise
2136 // unsafe page safe (the notification of this state is handled by other means).
2137 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureImage) {
2138 ASSERT_TRUE(test_server()->Start());
2139 ASSERT_TRUE(https_server_.Start());
2141 std::string replacement_path;
2142 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2143 "files/ssl/page_displays_insecure_content.html",
2144 test_server()->host_port_pair(),
2145 &replacement_path));
2147 ui_test_utils::NavigateToURL(browser(),
2148 https_server_.GetURL(replacement_path));
2150 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2151 AuthState::NONE);
2154 // Test that when the browser blocks displaying insecure content (iframes), the
2155 // indicator shows a secure page, because the blocking made the otherwise
2156 // unsafe page safe (the notification of this state is handled by other means)
2157 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockDisplayingInsecureIframe) {
2158 ASSERT_TRUE(test_server()->Start());
2159 ASSERT_TRUE(https_server_.Start());
2161 std::string replacement_path;
2162 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2163 "files/ssl/page_displays_insecure_iframe.html",
2164 test_server()->host_port_pair(),
2165 &replacement_path));
2167 ui_test_utils::NavigateToURL(browser(),
2168 https_server_.GetURL(replacement_path));
2170 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2171 AuthState::NONE);
2174 // Test that when the browser blocks running insecure content, the
2175 // indicator shows a secure page, because the blocking made the otherwise
2176 // unsafe page safe (the notification of this state is handled by other means).
2177 IN_PROC_BROWSER_TEST_F(SSLUITestBlock, TestBlockRunningInsecureContent) {
2178 ASSERT_TRUE(test_server()->Start());
2179 ASSERT_TRUE(https_server_.Start());
2181 std::string replacement_path;
2182 ASSERT_TRUE(GetFilePathWithHostAndPortReplacement(
2183 "files/ssl/page_runs_insecure_content.html",
2184 test_server()->host_port_pair(),
2185 &replacement_path));
2187 ui_test_utils::NavigateToURL(browser(),
2188 https_server_.GetURL(replacement_path));
2190 CheckAuthenticatedState(browser()->tab_strip_model()->GetActiveWebContents(),
2191 AuthState::NONE);
2194 // Visit a page and establish a WebSocket connection over bad https with
2195 // --ignore-certificate-errors. The connection should be established without
2196 // interstitial page showing.
2197 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors, TestWSS) {
2198 ASSERT_TRUE(test_server()->Start());
2199 ASSERT_TRUE(wss_server_expired_.Start());
2201 // Setup page title observer.
2202 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2203 content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
2204 watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
2206 // Visit bad HTTPS page.
2207 GURL::Replacements replacements;
2208 replacements.SetSchemeStr("https");
2209 ui_test_utils::NavigateToURL(
2210 browser(),
2211 wss_server_expired_.GetURL(
2212 "connect_check.html").ReplaceComponents(replacements));
2214 // We shouldn't have an interstitial page showing here.
2216 // Test page run a WebSocket wss connection test. The result will be shown
2217 // as page title.
2218 const base::string16 result = watcher.WaitAndGetTitle();
2219 EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
2222 // Verifies that the interstitial can proceed, even if JavaScript is disabled.
2223 // http://crbug.com/322948
2224 #if defined(OS_LINUX)
2225 // flaky http://crbug.com/396458
2226 #define MAYBE_TestInterstitialJavaScriptProceeds \
2227 DISABLED_TestInterstitialJavaScriptProceeds
2228 #else
2229 #define MAYBE_TestInterstitialJavaScriptProceeds \
2230 TestInterstitialJavaScriptProceeds
2231 #endif
2232 IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestInterstitialJavaScriptProceeds) {
2233 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2234 CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
2236 ASSERT_TRUE(https_server_expired_.Start());
2237 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2238 ui_test_utils::NavigateToURL(browser(),
2239 https_server_expired_.GetURL("files/ssl/google.html"));
2240 CheckAuthenticationBrokenState(
2241 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2243 content::WindowedNotificationObserver observer(
2244 content::NOTIFICATION_LOAD_STOP,
2245 content::Source<NavigationController>(&tab->GetController()));
2246 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
2247 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
2248 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
2249 content::RenderViewHost* interstitial_rvh =
2250 interstitial_page->GetMainFrame()->GetRenderViewHost();
2251 int result = -1;
2252 std::string javascript = base::StringPrintf(
2253 "window.domAutomationController.send(%d);",
2254 SecurityInterstitialPage::CMD_PROCEED);
2255 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2256 interstitial_rvh, javascript, &result));
2257 // The above will hang without the fix.
2258 EXPECT_EQ(1, result);
2259 observer.Wait();
2260 CheckAuthenticationBrokenState(
2261 tab, net::CERT_STATUS_DATE_INVALID, AuthState::NONE);
2264 // Verifies that the interstitial can go back, even if JavaScript is disabled.
2265 // http://crbug.com/322948
2266 IN_PROC_BROWSER_TEST_F(SSLUITest, TestInterstitialJavaScriptGoesBack) {
2267 browser()->profile()->GetHostContentSettingsMap()->SetDefaultContentSetting(
2268 CONTENT_SETTINGS_TYPE_JAVASCRIPT, CONTENT_SETTING_BLOCK);
2270 ASSERT_TRUE(https_server_expired_.Start());
2271 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2272 ui_test_utils::NavigateToURL(browser(),
2273 https_server_expired_.GetURL("files/ssl/google.html"));
2274 CheckAuthenticationBrokenState(
2275 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2277 content::WindowedNotificationObserver observer(
2278 content::NOTIFICATION_RENDER_WIDGET_HOST_DESTROYED,
2279 content::NotificationService::AllSources());
2280 InterstitialPage* interstitial_page = tab->GetInterstitialPage();
2281 ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
2282 interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
2283 content::RenderViewHost* interstitial_rvh =
2284 interstitial_page->GetMainFrame()->GetRenderViewHost();
2285 int result = -1;
2286 std::string javascript = base::StringPrintf(
2287 "window.domAutomationController.send(%d);",
2288 SecurityInterstitialPage::CMD_DONT_PROCEED);
2289 ASSERT_TRUE(content::ExecuteScriptAndExtractInt(
2290 interstitial_rvh, javascript, &result));
2291 // The above will hang without the fix.
2292 EXPECT_EQ(0, result);
2293 observer.Wait();
2294 EXPECT_EQ("about:blank", tab->GetVisibleURL().spec());
2297 // Verifies that switching tabs, while showing interstitial page, will not
2298 // affect the visibility of the interestitial.
2299 // https://crbug.com/381439
2300 IN_PROC_BROWSER_TEST_F(SSLUITest, InterstitialNotAffectedByHideShow) {
2301 ASSERT_TRUE(https_server_expired_.Start());
2302 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2303 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2304 ui_test_utils::NavigateToURL(
2305 browser(), https_server_expired_.GetURL("files/ssl/google.html"));
2306 CheckAuthenticationBrokenState(
2307 tab, net::CERT_STATUS_DATE_INVALID, AuthState::SHOWING_INTERSTITIAL);
2308 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2310 AddTabAtIndex(0,
2311 https_server_.GetURL("files/ssl/google.html"),
2312 ui::PAGE_TRANSITION_TYPED);
2313 EXPECT_EQ(2, browser()->tab_strip_model()->count());
2314 EXPECT_EQ(0, browser()->tab_strip_model()->active_index());
2315 EXPECT_EQ(tab, browser()->tab_strip_model()->GetWebContentsAt(1));
2316 EXPECT_FALSE(tab->GetRenderWidgetHostView()->IsShowing());
2318 browser()->tab_strip_model()->ActivateTabAt(1, true);
2319 EXPECT_TRUE(tab->GetRenderWidgetHostView()->IsShowing());
2322 // Verifies that if a bad certificate is seen for a host and the user proceeds
2323 // through the interstitial, the decision to proceed is initially remembered.
2324 // However, if this is followed by another visit, and a good certificate
2325 // is seen for the same host, the original exception is forgotten.
2326 IN_PROC_BROWSER_TEST_F(SSLUITest, BadCertFollowedByGoodCert) {
2327 // It is necessary to use |https_server_expired_| rather than
2328 // |https_server_mismatched| because the former shares a host with
2329 // |https_server_| and cert exceptions are per host.
2330 ASSERT_TRUE(https_server_expired_.Start());
2331 ASSERT_TRUE(https_server_.Start());
2333 std::string https_server_expired_host =
2334 https_server_.GetURL("files/ssl/google.html").host();
2335 std::string https_server_host =
2336 https_server_.GetURL("files/ssl/google.html").host();
2337 ASSERT_EQ(https_server_expired_host, https_server_host);
2339 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
2341 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
2342 ChromeSSLHostStateDelegate* state =
2343 reinterpret_cast<ChromeSSLHostStateDelegate*>(
2344 profile->GetSSLHostStateDelegate());
2346 ui_test_utils::NavigateToURL(
2347 browser(), https_server_expired_.GetURL("files/ssl/google.html"));
2349 ProceedThroughInterstitial(tab);
2350 EXPECT_TRUE(state->HasAllowException(https_server_host));
2352 ui_test_utils::NavigateToURL(browser(),
2353 https_server_.GetURL("files/ssl/google.html"));
2354 ASSERT_FALSE(tab->GetInterstitialPage());
2355 EXPECT_FALSE(state->HasAllowException(https_server_host));
2358 class CommonNameMismatchBrowserTest : public CertVerifierBrowserTest {
2359 public:
2360 CommonNameMismatchBrowserTest() : CertVerifierBrowserTest() {}
2361 ~CommonNameMismatchBrowserTest() override {}
2363 void SetUpCommandLine(base::CommandLine* command_line) override {
2364 // Enable finch experiment for SSL common name mismatch handling.
2365 command_line->AppendSwitchASCII(switches::kForceFieldTrials,
2366 "SSLCommonNameMismatchHandling/Enabled/");
2370 // Visit the URL www.mail.example.com on a server that presents a valid
2371 // certificate for mail.example.com. Verify that the page navigates to
2372 // mail.example.com.
2373 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2374 ShouldShowWWWSubdomainMismatchInterstitial) {
2375 net::SpawnedTestServer https_server_example_domain_(
2376 net::SpawnedTestServer::TYPE_HTTPS,
2377 net::SpawnedTestServer::SSLOptions(
2378 net::SpawnedTestServer::SSLOptions::CERT_OK),
2379 base::FilePath(kDocRoot));
2380 ASSERT_TRUE(https_server_example_domain_.Start());
2382 host_resolver()->AddRule(
2383 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2384 host_resolver()->AddRule(
2385 "www.mail.example.com",
2386 https_server_example_domain_.host_port_pair().host());
2388 scoped_refptr<net::X509Certificate> cert =
2389 https_server_example_domain_.GetCertificate();
2391 // Use the "spdy_pooling.pem" cert which has "mail.example.com"
2392 // as one of its SANs.
2393 net::CertVerifyResult verify_result;
2394 verify_result.verified_cert =
2395 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2396 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2398 // Request to "www.mail.example.com" should result in
2399 // |net::ERR_CERT_COMMON_NAME_INVALID| error.
2400 mock_cert_verifier()->AddResultForCertAndHost(
2401 cert.get(), "www.mail.example.com", verify_result,
2402 net::ERR_CERT_COMMON_NAME_INVALID);
2404 net::CertVerifyResult verify_result_valid;
2405 verify_result_valid.verified_cert =
2406 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2407 // Request to "www.mail.example.com" should not result in any error.
2408 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2409 verify_result_valid, net::OK);
2411 // Use a complex URL to ensure the path, etc., are preserved. The path itself
2412 // does not matter.
2413 GURL https_server_url =
2414 https_server_example_domain_.GetURL("files/ssl/google.html?a=b#anchor");
2415 GURL::Replacements replacements;
2416 replacements.SetHostStr("www.mail.example.com");
2417 GURL https_server_mismatched_url =
2418 https_server_url.ReplaceComponents(replacements);
2420 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2421 content::TestNavigationObserver observer(contents, 2);
2422 ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url);
2423 observer.Wait();
2425 CheckSecurityState(contents, CertError::NONE,
2426 content::SECURITY_STYLE_AUTHENTICATED, AuthState::NONE);
2427 replacements.SetHostStr("mail.example.com");
2428 GURL https_server_new_url = https_server_url.ReplaceComponents(replacements);
2429 // Verify that the current URL is the suggested URL.
2430 EXPECT_EQ(https_server_new_url.spec(),
2431 contents->GetLastCommittedURL().spec());
2434 // Visit the URL example.org on a server that presents a valid certificate
2435 // for www.example.org. Verify that the page redirects to www.example.org.
2436 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2437 CheckWWWSubdomainMismatchInverse) {
2438 net::SpawnedTestServer https_server_example_domain_(
2439 net::SpawnedTestServer::TYPE_HTTPS,
2440 net::SpawnedTestServer::SSLOptions(
2441 net::SpawnedTestServer::SSLOptions::CERT_OK),
2442 base::FilePath(kDocRoot));
2443 ASSERT_TRUE(https_server_example_domain_.Start());
2445 host_resolver()->AddRule(
2446 "www.example.org", https_server_example_domain_.host_port_pair().host());
2447 host_resolver()->AddRule(
2448 "example.org", https_server_example_domain_.host_port_pair().host());
2450 scoped_refptr<net::X509Certificate> cert =
2451 https_server_example_domain_.GetCertificate();
2453 net::CertVerifyResult verify_result;
2454 verify_result.verified_cert =
2455 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2456 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2458 mock_cert_verifier()->AddResultForCertAndHost(
2459 cert.get(), "example.org", verify_result,
2460 net::ERR_CERT_COMMON_NAME_INVALID);
2462 net::CertVerifyResult verify_result_valid;
2463 verify_result_valid.verified_cert =
2464 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2465 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "www.example.org",
2466 verify_result_valid, net::OK);
2468 GURL https_server_url =
2469 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2470 GURL::Replacements replacements;
2471 replacements.SetHostStr("example.org");
2472 GURL https_server_mismatched_url =
2473 https_server_url.ReplaceComponents(replacements);
2475 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2476 content::TestNavigationObserver observer(contents, 2);
2477 ui_test_utils::NavigateToURL(browser(), https_server_mismatched_url);
2478 observer.Wait();
2480 CheckSecurityState(contents, CertError::NONE,
2481 content::SECURITY_STYLE_AUTHENTICATED, AuthState::NONE);
2484 // Tests this scenario:
2485 // - |CommonNameMismatchHandler| does not give a callback as it's set into the
2486 // state |IGNORE_REQUESTS_FOR_TESTING|. So no suggested URL check result can
2487 // arrive.
2488 // - A cert error triggers an interstitial timer with a very long timeout.
2489 // - No suggested URL check results arrive, causing the tab to appear as loading
2490 // indefinitely (also because the timer has a long timeout).
2491 // - Stopping the page load shouldn't result in any interstitials.
2492 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2493 InterstitialStopNavigationWhileLoading) {
2494 net::SpawnedTestServer https_server_example_domain_(
2495 net::SpawnedTestServer::TYPE_HTTPS,
2496 net::SpawnedTestServer::SSLOptions(
2497 net::SpawnedTestServer::SSLOptions::CERT_OK),
2498 base::FilePath(kDocRoot));
2499 ASSERT_TRUE(https_server_example_domain_.Start());
2501 host_resolver()->AddRule(
2502 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2503 host_resolver()->AddRule(
2504 "www.mail.example.com",
2505 https_server_example_domain_.host_port_pair().host());
2507 scoped_refptr<net::X509Certificate> cert =
2508 https_server_example_domain_.GetCertificate();
2510 net::CertVerifyResult verify_result;
2511 verify_result.verified_cert =
2512 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2513 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2515 mock_cert_verifier()->AddResultForCertAndHost(
2516 cert.get(), "www.mail.example.com", verify_result,
2517 net::ERR_CERT_COMMON_NAME_INVALID);
2519 net::CertVerifyResult verify_result_valid;
2520 verify_result_valid.verified_cert =
2521 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2522 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2523 verify_result_valid, net::OK);
2525 GURL https_server_url =
2526 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2527 GURL::Replacements replacements;
2528 replacements.SetHostStr("www.mail.example.com");
2529 GURL https_server_mismatched_url =
2530 https_server_url.ReplaceComponents(replacements);
2532 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2533 CommonNameMismatchHandler::set_state_for_testing(
2534 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
2535 // Set delay long enough so that the page appears loading.
2536 SSLErrorHandler::SetInterstitialDelayForTest(base::TimeDelta::FromHours(1));
2537 SSLInterstitialTimerObserver interstitial_timer_observer(contents);
2539 ui_test_utils::NavigateToURLWithDisposition(
2540 browser(), https_server_mismatched_url, CURRENT_TAB,
2541 ui_test_utils::BROWSER_TEST_NONE);
2542 interstitial_timer_observer.WaitForTimerStarted();
2544 EXPECT_TRUE(contents->IsLoading());
2545 content::WindowedNotificationObserver observer(
2546 content::NOTIFICATION_LOAD_STOP,
2547 content::NotificationService::AllSources());
2548 contents->Stop();
2549 observer.Wait();
2551 SSLErrorHandler* ssl_error_handler =
2552 SSLErrorHandler::FromWebContents(contents);
2553 // Make sure that the |SSLErrorHandler| is deleted.
2554 EXPECT_FALSE(ssl_error_handler);
2555 EXPECT_FALSE(contents->ShowingInterstitialPage());
2556 EXPECT_FALSE(contents->IsLoading());
2559 // Same as above, but instead of stopping, the loading page is reloaded. The end
2560 // result is the same. (i.e. page load stops, no interstitials shown)
2561 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2562 InterstitialReloadNavigationWhileLoading) {
2563 net::SpawnedTestServer https_server_example_domain_(
2564 net::SpawnedTestServer::TYPE_HTTPS,
2565 net::SpawnedTestServer::SSLOptions(
2566 net::SpawnedTestServer::SSLOptions::CERT_OK),
2567 base::FilePath(kDocRoot));
2568 ASSERT_TRUE(https_server_example_domain_.Start());
2570 host_resolver()->AddRule(
2571 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2572 host_resolver()->AddRule(
2573 "www.mail.example.com",
2574 https_server_example_domain_.host_port_pair().host());
2576 scoped_refptr<net::X509Certificate> cert =
2577 https_server_example_domain_.GetCertificate();
2579 net::CertVerifyResult verify_result;
2580 verify_result.verified_cert =
2581 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2582 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2584 mock_cert_verifier()->AddResultForCertAndHost(
2585 cert.get(), "www.mail.example.com", verify_result,
2586 net::ERR_CERT_COMMON_NAME_INVALID);
2588 net::CertVerifyResult verify_result_valid;
2589 verify_result_valid.verified_cert =
2590 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2591 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2592 verify_result_valid, net::OK);
2594 GURL https_server_url =
2595 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2596 GURL::Replacements replacements;
2597 replacements.SetHostStr("www.mail.example.com");
2598 GURL https_server_mismatched_url =
2599 https_server_url.ReplaceComponents(replacements);
2601 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2602 CommonNameMismatchHandler::set_state_for_testing(
2603 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
2604 // Set delay long enough so that the page appears loading.
2605 SSLErrorHandler::SetInterstitialDelayForTest(base::TimeDelta::FromHours(1));
2606 SSLInterstitialTimerObserver interstitial_timer_observer(contents);
2608 ui_test_utils::NavigateToURLWithDisposition(
2609 browser(), https_server_mismatched_url, CURRENT_TAB,
2610 ui_test_utils::BROWSER_TEST_NONE);
2611 interstitial_timer_observer.WaitForTimerStarted();
2613 EXPECT_TRUE(contents->IsLoading());
2614 content::TestNavigationObserver observer(contents, 1);
2615 chrome::Reload(browser(), CURRENT_TAB);
2616 observer.Wait();
2618 SSLErrorHandler* ssl_error_handler =
2619 SSLErrorHandler::FromWebContents(contents);
2620 // Make sure that the |SSLErrorHandler| is deleted.
2621 EXPECT_FALSE(ssl_error_handler);
2622 EXPECT_FALSE(contents->ShowingInterstitialPage());
2623 EXPECT_FALSE(contents->IsLoading());
2626 // Same as above, but instead of reloading, the page is navigated away. The
2627 // new page should load, and no interstitials should be shown.
2628 IN_PROC_BROWSER_TEST_F(CommonNameMismatchBrowserTest,
2629 InterstitialNavigateAwayWhileLoading) {
2630 net::SpawnedTestServer https_server_example_domain_(
2631 net::SpawnedTestServer::TYPE_HTTPS,
2632 net::SpawnedTestServer::SSLOptions(
2633 net::SpawnedTestServer::SSLOptions::CERT_OK),
2634 base::FilePath(kDocRoot));
2635 ASSERT_TRUE(https_server_example_domain_.Start());
2637 host_resolver()->AddRule(
2638 "mail.example.com", https_server_example_domain_.host_port_pair().host());
2639 host_resolver()->AddRule(
2640 "www.mail.example.com",
2641 https_server_example_domain_.host_port_pair().host());
2643 scoped_refptr<net::X509Certificate> cert =
2644 https_server_example_domain_.GetCertificate();
2646 net::CertVerifyResult verify_result;
2647 verify_result.verified_cert =
2648 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2649 verify_result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
2651 mock_cert_verifier()->AddResultForCertAndHost(
2652 cert.get(), "www.mail.example.com", verify_result,
2653 net::ERR_CERT_COMMON_NAME_INVALID);
2655 net::CertVerifyResult verify_result_valid;
2656 verify_result_valid.verified_cert =
2657 net::ImportCertFromFile(net::GetTestCertsDirectory(), "spdy_pooling.pem");
2658 mock_cert_verifier()->AddResultForCertAndHost(cert.get(), "mail.example.com",
2659 verify_result_valid, net::OK);
2661 GURL https_server_url =
2662 https_server_example_domain_.GetURL("files/ssl/google.html?a=b");
2663 GURL::Replacements replacements;
2664 replacements.SetHostStr("www.mail.example.com");
2665 GURL https_server_mismatched_url =
2666 https_server_url.ReplaceComponents(replacements);
2668 WebContents* contents = browser()->tab_strip_model()->GetActiveWebContents();
2669 CommonNameMismatchHandler::set_state_for_testing(
2670 CommonNameMismatchHandler::IGNORE_REQUESTS_FOR_TESTING);
2671 // Set delay long enough so that the page appears loading.
2672 SSLErrorHandler::SetInterstitialDelayForTest(base::TimeDelta::FromHours(1));
2673 SSLInterstitialTimerObserver interstitial_timer_observer(contents);
2675 ui_test_utils::NavigateToURLWithDisposition(
2676 browser(), https_server_mismatched_url, CURRENT_TAB,
2677 ui_test_utils::BROWSER_TEST_NONE);
2678 interstitial_timer_observer.WaitForTimerStarted();
2680 EXPECT_TRUE(contents->IsLoading());
2681 content::TestNavigationObserver observer(contents, 1);
2682 browser()->OpenURL(content::OpenURLParams(GURL("https://google.com"),
2683 content::Referrer(), CURRENT_TAB,
2684 ui::PAGE_TRANSITION_TYPED, false));
2685 observer.Wait();
2687 SSLErrorHandler* ssl_error_handler =
2688 SSLErrorHandler::FromWebContents(contents);
2689 // Make sure that the |SSLErrorHandler| is deleted.
2690 EXPECT_FALSE(ssl_error_handler);
2691 EXPECT_FALSE(contents->ShowingInterstitialPage());
2692 EXPECT_FALSE(contents->IsLoading());
2695 class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest {
2696 protected:
2697 // SecurityInterstitialIDNTest implementation
2698 SecurityInterstitialPage* CreateInterstitial(
2699 content::WebContents* contents,
2700 const GURL& request_url) const override {
2701 net::SSLInfo ssl_info;
2702 ssl_info.cert = new net::X509Certificate(
2703 request_url.host(), "CA", base::Time::Max(), base::Time::Max());
2704 return new SSLBlockingPage(
2705 contents, net::ERR_CERT_CONTAINS_ERRORS, ssl_info, request_url, 0,
2706 base::Time::NowFromSystemTime(), nullptr, base::Callback<void(bool)>());
2710 IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest, SSLBlockingPageDecodesIDN) {
2711 EXPECT_TRUE(VerifyIDNDecoded());
2714 IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest, MockCertVerifierSmokeTest) {
2715 net::SpawnedTestServer https_server(
2716 net::SpawnedTestServer::TYPE_HTTPS,
2717 net::SpawnedTestServer::SSLOptions(
2718 net::SpawnedTestServer::SSLOptions::CERT_OK),
2719 base::FilePath(kDocRoot));
2720 ASSERT_TRUE(https_server.Start());
2722 mock_cert_verifier()->set_default_result(
2723 net::ERR_CERT_NAME_CONSTRAINT_VIOLATION);
2725 ui_test_utils::NavigateToURL(browser(),
2726 https_server.GetURL("files/ssl/google.html"));
2728 CheckSecurityState(browser()->tab_strip_model()->GetActiveWebContents(),
2729 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
2730 content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
2731 AuthState::SHOWING_INTERSTITIAL);
2734 // TODO(jcampan): more tests to do below.
2736 // Visit a page over https that contains a frame with a redirect.
2738 // XMLHttpRequest insecure content in synchronous mode.
2740 // XMLHttpRequest insecure content in asynchronous mode.
2742 // XMLHttpRequest over bad ssl in synchronous mode.
2744 // XMLHttpRequest over OK ssl in synchronous mode.