Reland of Downgrade lock icon for broken-HTTPS subresources (patchset #2 id:300001 of https://codereview.chromium.org/1497423002/ )
Reason for revert:
Relanding since the speculative revert didn't seem to help with crbug.com/565540
Original issue's description:
> Revert of Downgrade lock icon for broken-HTTPS subresources (patchset #11 id:200001 of https://codereview.chromium.org/1415923015/ )
>
> Reason for revert:
> Speculatively reverting to see if it makes https://code.google.com/p/chromium/issues/detail?id=565540 go away
>
> Note that this revert preserves the histogrammed
> bad_message.h value that was added in CL 1415923015
>
> Original issue's description:
> > Downgrade lock icon for broken-HTTPS subresources
> >
> > This CL attaches a boolean to resource responses to indicate if they
> > have certificate errors. If Blink sees a resource with a cert error, it
> > notifies the renderer via FrameLoaderClient, who then notifies the
> > browser, who treats the situation like mixed content.
> >
> > The browser (//content) ignores subresources with cert errors on HTTP
> > pages, and subresources with the same cert errors as the main
> > resource. This allows embedders to distinguish broken-HTTPS foo.com with
> > a subresource from broken-HTTPS bar.com and broken-HTTPS foo.com with a
> > subresource from broken-HTTPS foo.com.
> >
> > BUG=477868
> >
> > Committed: https://crrev.com/8bfb78c859ab5993eada6db30e4de50aa7403f1c
> > Cr-Commit-Position: refs/heads/master@{#362246}
>
> [email protected],[email protected],[email protected]
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=477868
>
> Committed: https://crrev.com/51ea371ad45bb5887dacf7fca6fe0feef8941262
> Cr-Commit-Position: refs/heads/master@{#363388}
[email protected],[email protected],[email protected]
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=477868
Review URL: https://codereview.chromium.org/1506203004
Cr-Commit-Position: refs/heads/master@{#364152}
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 271720e..9e432ba9 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -48,6 +48,7 @@
#include "content/common/savable_subframe.h"
#include "content/common/service_worker/service_worker_types.h"
#include "content/common/site_isolation_policy.h"
+#include "content/common/ssl_status_serialization.h"
#include "content/common/swapped_out_messages.h"
#include "content/common/view_messages.h"
#include "content/public/common/bindings_policy.h"
@@ -575,6 +576,38 @@
path.NormalizePathSeparatorsTo(FILE_PATH_LITERAL('/')).AsUTF8Unsafe());
}
+bool IsContentWithCertificateErrorsRelevantToUI(
+ const blink::WebURL& url,
+ const blink::WebCString& security_info,
+ const blink::WebURL& main_resource_url,
+ const blink::WebCString& main_resource_security_info) {
+ content::SSLStatus ssl_status;
+ content::SSLStatus main_resource_ssl_status;
+ CHECK(DeserializeSecurityInfo(security_info, &ssl_status));
+ CHECK(DeserializeSecurityInfo(main_resource_security_info,
+ &main_resource_ssl_status));
+
+ if (!GURL(main_resource_url).SchemeIsCryptographic())
+ return false;
+
+ // Do not handle subresource certificate errors if they are the same
+ // as errors that occured during the main page load. This compares
+ // most, but not all, fields of SSLStatus. For example, this check
+ // does not compare |content_status| because the navigation entry
+ // might have mixed content but also have the exact same SSL
+ // connection properties as the subresource, thereby making the
+ // subresource errors duplicative.
+ return (!url::Origin(GURL(url))
+ .IsSameOriginWith(url::Origin(GURL(main_resource_url))) ||
+ main_resource_ssl_status.security_style !=
+ ssl_status.security_style ||
+ main_resource_ssl_status.cert_id != ssl_status.cert_id ||
+ main_resource_ssl_status.cert_status != ssl_status.cert_status ||
+ main_resource_ssl_status.security_bits != ssl_status.security_bits ||
+ main_resource_ssl_status.connection_status !=
+ ssl_status.connection_status);
+}
+
} // namespace
// static
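Review bot: In `IsContentWithCertificateErrorsRelevantToUI`, both `CHECK(DeserializeSecurityInfo(...))` calls run before the `SchemeIsCryptographic()` early return, so a blob that fails to deserialize crashes the renderer even when the main resource is plain HTTP and the function would return false anyway. Whether `DeserializeSecurityInfo` accepts an empty `main_resource_security_info` is not visible in this hunk; if it does not, an HTTP page loading a broken-HTTPS subresource would hit the CHECK. Moving `if (!GURL(main_resource_url).SchemeIsCryptographic()) return false;` above the two deserializations avoids that and skips the unneeded work. The function would also benefit from a header comment such as `// Renderer-side filter only; the browser must still validate the reported security info.`, because a filter that runs in the renderer cannot be treated as a security boundary.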
@@ -3680,12 +3713,38 @@
const blink::WebSecurityOrigin& origin,
const blink::WebURL& target) {
Send(new FrameHostMsg_DidRunInsecureContent(
- routing_id_, origin.toString().utf8(), target));
+ routing_id_, GURL(origin.toString().utf8()), target));
GetContentClient()->renderer()->RecordRapporURL(
"ContentSettings.MixedScript.RanMixedScript",
GURL(origin.toString().utf8()));
}
+void RenderFrameImpl::didDisplayContentWithCertificateErrors(
+ const blink::WebURL& url,
+ const blink::WebCString& security_info,
+ const blink::WebURL& main_resource_url,
+ const blink::WebCString& main_resource_security_info) {
+ if (!IsContentWithCertificateErrorsRelevantToUI(
+ url, security_info, main_resource_url, main_resource_security_info)) {
+ return;
+ }
+ Send(new FrameHostMsg_DidDisplayContentWithCertificateErrors(routing_id_, url,
+ security_info));
+}
+
+void RenderFrameImpl::didRunContentWithCertificateErrors(
+ const blink::WebURL& url,
+ const blink::WebCString& security_info,
+ const blink::WebURL& main_resource_url,
+ const blink::WebCString& main_resource_security_info) {
+ if (!IsContentWithCertificateErrorsRelevantToUI(
+ url, security_info, main_resource_url, main_resource_security_info)) {
+ return;
+ }
+ Send(new FrameHostMsg_DidRunContentWithCertificateErrors(
+ routing_id_, GURL(main_resource_url).GetOrigin(), url, security_info));
+}
+
void RenderFrameImpl::didChangePerformanceTiming() {
FOR_EACH_OBSERVER(RenderFrameObserver,
observers_,
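Review bot: Both new handlers pass the renderer-held `security_info` blob straight into the IPC, and `didRunContentWithCertificateErrors` also sends `GURL(main_resource_url).GetOrigin()`. That leaves the browser-side handlers, which are not in this hunk, as the only place these values can be validated. The renderer's CHECK on deserialization does not protect the browser, so the receiving side should treat an undeserializable blob as a bad message and should prefer its own record of the main frame's origin over the one supplied here. Separately, the changed `didRunInsecureContent` line now constructs `GURL(origin.toString().utf8())` twice; a local `const GURL origin_url(origin.toString().utf8());` would keep the IPC argument and the Rappor sample identical. `didRunInsecureContent` begins above the hunk and `didChangePerformanceTiming` continues below it.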
diff --git a/content/renderer/render_frame_impl.h b/content/renderer/render_frame_impl.h
index 8d3c4f39..9da61e04 100644
--- a/content/renderer/render_frame_impl.h
+++ b/content/renderer/render_frame_impl.h
@@ -522,6 +522,16 @@
void didDisplayInsecureContent() override;
void didRunInsecureContent(const blink::WebSecurityOrigin& origin,
const blink::WebURL& target) override;
+ void didDisplayContentWithCertificateErrors(
+ const blink::WebURL& url,
+ const blink::WebCString& security_info,
+ const blink::WebURL& main_resource_url,
+ const blink::WebCString& main_resource_security_info) override;
+ void didRunContentWithCertificateErrors(
+ const blink::WebURL& url,
+ const blink::WebCString& security_info,
+ const blink::WebURL& main_resource_url,
+ const blink::WebCString& main_resource_security_info) override;
void didChangePerformanceTiming() override;
void didCreateScriptContext(blink::WebLocalFrame* frame,
v8::Local<v8::Context> context,