// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <optional> #include "base/base64.h" #include "base/base_paths.h" #include "base/command_line.h" #include "base/feature_list.h" #include "base/files/file_path.h" #include "base/functional/bind.h" #include "base/memory/raw_ptr.h" #include "base/metrics/field_trial.h" #include "base/metrics/field_trial_params.h" #include "base/path_service.h" #include "base/run_loop.h" #include "base/strings/string_split.h" #include "base/strings/stringprintf.h" #include "base/strings/utf_string_conversions.h" #include "base/test/bind.h" #include "base/test/metrics/histogram_tester.h" #include "base/test/scoped_command_line.h" #include "base/test/scoped_feature_list.h" #include "build/build_config.h" #include "chrome/browser/browser_process.h" #include "chrome/browser/net/system_network_context_manager.h" #include "chrome/browser/policy/policy_test_utils.h" #include "chrome/browser/profiles/profile.h" #include "chrome/browser/profiles/profile_window.h" #include "chrome/browser/safe_browsing/chrome_password_protection_service.h" #include "chrome/browser/ssl/cert_verifier_browser_test.h" #include "chrome/browser/ssl/chrome_security_state_tab_helper.h" #include "chrome/browser/ssl/https_upgrades_util.h" #include "chrome/browser/ui/browser.h" #include "chrome/browser/ui/browser_commands.h" #include "chrome/browser/ui/browser_finder.h" #include "chrome/browser/ui/browser_list.h" #include "chrome/browser/ui/tabs/tab_strip_model.h" #include "chrome/common/chrome_features.h" #include "chrome/common/chrome_paths.h" #include "chrome/common/chrome_switches.h" #include "chrome/common/pref_names.h" #include "chrome/test/base/in_process_browser_test.h" #include "chrome/test/base/ui_test_utils.h" #include "components/password_manager/core/browser/password_manager_metrics_util.h" #include "components/prefs/pref_service.h" #include "components/safe_browsing/content/browser/password_protection/password_protection_request_content.h" #include "components/safe_browsing/content/browser/password_protection/password_protection_test_util.h" #include "components/safe_browsing/core/browser/password_protection/metrics_util.h" #include "components/safe_browsing/core/common/features.h" #include "components/safe_browsing/core/common/proto/csd.pb.h" #include "components/security_interstitials/content/security_interstitial_tab_helper.h" #include "components/security_interstitials/content/ssl_blocking_page.h" #include "components/security_interstitials/core/pref_names.h" #include "components/security_state/core/security_state.h" #include "content/public/browser/browser_task_traits.h" #include "content/public/browser/browser_thread.h" #include "content/public/browser/file_select_listener.h" #include "content/public/browser/navigation_controller.h" #include "content/public/browser/navigation_entry.h" #include "content/public/browser/network_service_instance.h" #include "content/public/browser/reload_type.h" #include "content/public/browser/render_frame_host.h" #include "content/public/browser/ssl_status.h" #include "content/public/browser/storage_partition.h" #include "content/public/browser/web_contents.h" #include "content/public/browser/web_contents_delegate.h" #include "content/public/common/content_features.h" #include "content/public/common/page_type.h" #include "content/public/common/referrer.h" #include "content/public/test/browser_test.h" #include "content/public/test/browser_test_utils.h" #include "content/public/test/fenced_frame_test_util.h" #include "content/public/test/navigation_handle_observer.h" #include "content/public/test/prerender_test_util.h" #include "content/public/test/signed_exchange_browser_test_helper.h" #include "content/public/test/test_navigation_observer.h" #include "content/public/test/url_loader_interceptor.h" #include "mojo/public/cpp/bindings/remote.h" #include "mojo/public/cpp/bindings/sync_call_restrictions.h" #include "net/base/features.h" #include "net/base/net_errors.h" #include "net/cert/cert_database.h" #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verify_result.h" #include "net/cert/ct_policy_status.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/x509_certificate.h" #include "net/dns/mock_host_resolver.h" #include "net/http/transport_security_state_test_util.h" #include "net/ssl/ssl_cipher_suite_names.h" #include "net/ssl/ssl_connection_status_flags.h" #include "net/test/cert_test_util.h" #include "net/test/embedded_test_server/embedded_test_server.h" #include "net/test/embedded_test_server/http_request.h" #include "net/test/embedded_test_server/http_response.h" #include "net/test/embedded_test_server/request_handler_util.h" #include "net/test/test_data_directory.h" #include "services/network/public/cpp/features.h" #include "services/network/public/mojom/network_service.mojom.h" #include "third_party/blink/public/common/features.h" #include "third_party/boringssl/src/include/openssl/ssl.h" namespace { PasswordType; LoginReputationClientResponse; RequestOutcome; const char kCreateFilesystemUrlJavascript[] = …; const char kCreateBlobUrlJavascript[] = …; enum CertificateStatus { … }; bool IsShowingInterstitial(content::WebContents* tab) { … } // Inject a script into every frame in the active page. Used by tests that check // for visible password fields to wait for notifications about these fields. // Notifications about visible password fields are queued at the end of the // event loop, so waiting for a dummy script to run ensures that these // notifications have been sent. void InjectScript(content::WebContents* contents) { … } // A WebContentsObserver useful for testing the DidChangeVisibleSecurityState() // method: it keeps track of the latest security level that was fired. class SecurityStyleTestObserver : public content::WebContentsObserver { … }; void CheckSecurityInfoForSecure( content::WebContents* contents, security_state::SecurityLevel expect_security_level, bool expect_sha1_in_chain, bool expect_displayed_mixed_content, bool expect_ran_mixed_content, bool expect_cert_error) { … } // Check that the current security state reflects a non-committed navigation. void CheckSecurityInfoForNonCommitted(content::WebContents* contents) { … } void ProceedThroughInterstitial(content::WebContents* tab) { … } std::string GetFilePathWithHostAndPortReplacement( const std::string& original_file_path, const net::HostPortPair& host_port_pair) { … } GURL GetURLWithNonLocalHostname(net::EmbeddedTestServer* server, const std::string& path) { … } class SecurityStateTabHelperTest : public CertVerifierBrowserTest { … }; // Same as SecurityStateTabHelperTest, but with Incognito enabled. class SecurityStateTabHelperIncognitoTest : public SecurityStateTabHelperTest { … }; class DidChangeVisibleSecurityStateTest : public InProcessBrowserTest, public testing::WithParamInterface<bool> { … }; IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, HttpPage) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, HttpsPage) { … } // TODO(crbug.com/40928765): Add an end-to-end test for // security_state::SECURE_WITH_POLICY_INSTALLED_CERT (currently that depends on // a cros-specific policy/service). IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, DevToolsPage) { … } // Tests that interstitial.ssl.visited_site_after_warning is being logged to // correctly. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, UMALogsVisitsAfterWarning) { … } // Tests that interstitial.ssl.visited_site_after_warning is being logged // on ERR_CERT_UNABLE_TO_CHECK_REVOCATION (which previously did not show an // interstitial.) IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, UMALogsVisitsAfterRevocationCheckFailureWarning) { … } // Test security state after clickthrough for a SHA-1 certificate that is // blocked by default. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, SHA1CertificateBlocked) { … } // Test security state for a SHA-1 certificate that is allowed by policy. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, SHA1CertificateWarning) { … } class SecurityStateTabHelperTestWithAutoupgradesDisabled : public SecurityStateTabHelperTest { … }; IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithAutoupgradesDisabled, MixedContent) { … } class SecurityStateTabHelperTestWithAutoupgradesDisabledAndMixedContentWarningEnabled : public SecurityStateTabHelperTest { … }; // Checks that the proper security state is displayed when the passive mixed // content warning feature is enabled. // TODO(crbug.com/40108287): Once that launch is finished and other tests run // with the feature enabled this test and the class will be redundant and can be // removed. IN_PROC_BROWSER_TEST_F( SecurityStateTabHelperTestWithAutoupgradesDisabledAndMixedContentWarningEnabled, PassiveMixedContentWarning) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, ActiveContentWithCertErrors) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, PassiveContentWithCertErrors) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, ActiveAndPassiveContentWithCertErrors) { … } // Same as SecurityStateTabHelperTest.ActiveAndPassiveContentWithCertErrors but // with a SHA1 cert. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithAutoupgradesDisabled, MixedContentWithSHA1Cert) { … } // Tests that the Content Security Policy block-all-mixed-content // directive stops mixed content from running. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithAutoupgradesDisabled, MixedContentStrictBlocking) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTestWithAutoupgradesDisabled, BrokenHTTPS) { … } // Tests that the security level of HTTP pages is set properly. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, SecurityLevelForHttpPage) { … } // Tests that the security level of data: URLs is always downgraded to // WARNING. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, SecurityLevelDowngradedOnDataUrl) { … } // Tests the security level and malicious content status for sign-in password // reuse threat type. IN_PROC_BROWSER_TEST_F( SecurityStateTabHelperTest, VerifySignInPasswordReuseMaliciousContentAndSecurityLevel) { … } // Tests the security level and malicious content status for enterprise password // reuse threat type. IN_PROC_BROWSER_TEST_F( SecurityStateTabHelperTest, VerifyEnterprisePasswordReuseMaliciousContentAndSecurityLevel) { … } class PKPModelClientTest : public SecurityStateTabHelperTest { … }; IN_PROC_BROWSER_TEST_F(PKPModelClientTest, PKPBypass) { … } IN_PROC_BROWSER_TEST_F(PKPModelClientTest, PKPEnforced) { … } class SecurityStateLoadingTest : public SecurityStateTabHelperTest { … }; // Tests that navigation state changes cause the security state to be // updated. IN_PROC_BROWSER_TEST_F(SecurityStateLoadingTest, NavigationStateChanges) { … } // Tests the default security level on blob URLs. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, DefaultSecurityLevelOnBlobUrl) { … } // Same as DefaultSecurityLevelOnBlobUrl, but instead of a blob URL, // this creates a filesystem URL. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, DefaultSecurityLevelOnFilesystemUrl) { … } // Tests the default security level on blob URLs with a secure inner origin. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, DefaultSecurityLevelOnSecureBlobUrl) { … } // Same as DefaultSecurityLevelOnBlobUrl, but instead of a blob URL, // this creates a filesystem URL with a secure inner origin. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, DefaultSecurityLevelOnSecureFilesystemUrl) { … } // Tests that the security state for a WebContents is up to date when the // WebContents is inserted into a Browser's TabStripModel. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, AddedTab) { … } class DidChangeVisibleSecurityStateTestWithAutoupgradesDisabled : public DidChangeVisibleSecurityStateTest { … }; // Tests that the WebContentsObserver::DidChangeVisibleSecurityState event fires // with the current level on HTTP, broken HTTPS, and valid HTTPS pages. IN_PROC_BROWSER_TEST_F( DidChangeVisibleSecurityStateTestWithAutoupgradesDisabled, DidChangeVisibleSecurityStateObserver) { … } // Visit a valid HTTPS page, then a broken HTTPS page, and then go back, // and test that the observed security level matches. IN_PROC_BROWSER_TEST_F(DidChangeVisibleSecurityStateTest, DidChangeVisibleSecurityStateObserverGoBack) { … } // Tests that the Not Secure chip does not show for error pages on http:// URLs. // Regression test for https://crbug.com/760647. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperIncognitoTest, HttpErrorPage) { … } // Tests that the security level form submission histogram is logged correctly. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, FormSecurityLevelHistogram) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, MixedFormsShowLockIfWarningsAreEnabled) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperTest, MixedFormsDontShowLockIfWarningsAreDisabledByPolicy) { … } class SignedExchangeSecurityStateTest : public CertVerifierBrowserTest { … }; IN_PROC_BROWSER_TEST_F(SignedExchangeSecurityStateTest, SecurityLevelIsSecure) { … } // TODO(crbug.com/40921701): This test is failing on Mac12 Tests. #if BUILDFLAG(IS_MAC) #define MAYBE_SecurityLevelIsSecureAfterPrefetch … #else #define MAYBE_SecurityLevelIsSecureAfterPrefetch … #endif // BUILDFLAG(IS_MAC) IN_PROC_BROWSER_TEST_F(SignedExchangeSecurityStateTest, MAYBE_SecurityLevelIsSecureAfterPrefetch) { … } class SecurityStateTabHelperPrerenderTest : public SecurityStateTabHelperTest { … }; // Tests that starting a prerender will not modify the existing security info // and navigating to a previously prerendered URL may trigger a failure. IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperPrerenderTest, InvalidPrerender) { … } IN_PROC_BROWSER_TEST_F(SecurityStateTabHelperPrerenderTest, PrerenderedMixedContent) { … } // For tests which use fenced frame. class SecurityStateTabHelperFencedFrameTest : public SecurityStateTabHelperTest, public testing::WithParamInterface<bool> { … }; INSTANTIATE_TEST_SUITE_P(…); IN_PROC_BROWSER_TEST_P(SecurityStateTabHelperFencedFrameTest, ChangeSecurityStateWhenLoadingInsecureContent) { … } IN_PROC_BROWSER_TEST_P(SecurityStateTabHelperFencedFrameTest, LoadFencedFrameViaInsecureURL) { … } } // namespace
Codebase Browser
chromium