This source file includes following definitions.
- OnCertError
- DidRunInsecureContent
- OnRequestStarted
- UpdateEntry
- OnAllowCertificate
- OnCertErrorInternal
- InitializeEntryIfNeeded
- OriginRanInsecureContent
#include "content/browser/ssl/ssl_policy.h"
#include "base/base_switches.h"
#include "base/bind.h"
#include "base/command_line.h"
#include "base/memory/singleton.h"
#include "base/strings/string_piece.h"
#include "base/strings/string_util.h"
#include "content/browser/frame_host/navigation_entry_impl.h"
#include "content/browser/renderer_host/render_process_host_impl.h"
#include "content/browser/renderer_host/render_view_host_impl.h"
#include "content/browser/site_instance_impl.h"
#include "content/browser/ssl/ssl_cert_error_handler.h"
#include "content/browser/ssl/ssl_request_info.h"
#include "content/browser/web_contents/web_contents_impl.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/common/ssl_status.h"
#include "content/public/common/url_constants.h"
#include "net/ssl/ssl_info.h"
#include "webkit/common/resource_type.h"
namespace content {
SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
: backend_(backend) {
DCHECK(backend_);
}
void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
net::CertPolicy::Judgment judgment = backend_->QueryPolicy(
handler->ssl_info().cert.get(),
handler->request_url().host(),
handler->cert_error());
if (judgment == net::CertPolicy::ALLOWED) {
handler->ContinueRequest();
return;
}
switch (handler->cert_error()) {
case net::ERR_CERT_COMMON_NAME_INVALID:
case net::ERR_CERT_DATE_INVALID:
case net::ERR_CERT_AUTHORITY_INVALID:
case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
case net::ERR_CERT_WEAK_KEY:
case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
OnCertErrorInternal(handler, !handler->fatal(), handler->fatal());
break;
case net::ERR_CERT_NO_REVOCATION_MECHANISM:
handler->ContinueRequest();
break;
case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
handler->ContinueRequest();
break;
case net::ERR_CERT_CONTAINS_ERRORS:
case net::ERR_CERT_REVOKED:
case net::ERR_CERT_INVALID:
case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
OnCertErrorInternal(handler, false, handler->fatal());
break;
default:
NOTREACHED();
handler->CancelRequest();
break;
}
}
void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry,
const std::string& security_origin) {
if (!entry)
return;
SiteInstance* site_instance = entry->site_instance();
if (!site_instance)
return;
backend_->HostRanInsecureContent(GURL(security_origin).host(),
site_instance->GetProcess()->GetID());
}
void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
if (net::IsCertStatusError(info->ssl_cert_status()))
backend_->HostRanInsecureContent(info->url().host(), info->child_id());
}
void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry,
WebContentsImpl* web_contents) {
DCHECK(entry);
InitializeEntryIfNeeded(entry);
if (!entry->GetURL().SchemeIsSecure())
return;
if (!web_contents->DisplayedInsecureContent())
entry->GetSSL().content_status &= ~SSLStatus::DISPLAYED_INSECURE_CONTENT;
if (!entry->GetSSL().cert_id) {
entry->GetSSL().security_style = SECURITY_STYLE_UNAUTHENTICATED;
return;
}
if (web_contents->DisplayedInsecureContent())
entry->GetSSL().content_status |= SSLStatus::DISPLAYED_INSECURE_CONTENT;
if (net::IsCertStatusError(entry->GetSSL().cert_status)) {
if (!net::IsCertStatusMinorError(entry->GetSSL().cert_status)) {
entry->GetSSL().security_style =
SECURITY_STYLE_AUTHENTICATION_BROKEN;
}
return;
}
SiteInstance* site_instance = entry->site_instance();
if (site_instance &&
backend_->DidHostRunInsecureContent(
entry->GetURL().host(), site_instance->GetProcess()->GetID())) {
entry->GetSSL().security_style =
SECURITY_STYLE_AUTHENTICATION_BROKEN;
entry->GetSSL().content_status |= SSLStatus::RAN_INSECURE_CONTENT;
return;
}
}
void SSLPolicy::OnAllowCertificate(scoped_refptr<SSLCertErrorHandler> handler,
bool allow) {
if (allow) {
backend_->AllowCertForHost(handler->ssl_info().cert.get(),
handler->request_url().host(),
handler->cert_error());
handler->ContinueRequest();
} else {
backend_->DenyCertForHost(handler->ssl_info().cert.get(),
handler->request_url().host(),
handler->cert_error());
handler->CancelRequest();
}
}
void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
bool overridable,
bool strict_enforcement) {
CertificateRequestResultType result =
CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE;
GetContentClient()->browser()->AllowCertificateError(
handler->render_process_id(),
handler->render_frame_id(),
handler->cert_error(),
handler->ssl_info(),
handler->request_url(),
handler->resource_type(),
overridable,
strict_enforcement,
base::Bind(&SSLPolicy::OnAllowCertificate, base::Unretained(this),
make_scoped_refptr(handler)),
&result);
switch (result) {
case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE:
break;
case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL:
handler->CancelRequest();
break;
case CERTIFICATE_REQUEST_RESULT_TYPE_DENY:
handler->DenyRequest();
break;
default:
NOTREACHED();
}
}
void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) {
if (entry->GetSSL().security_style != SECURITY_STYLE_UNKNOWN)
return;
entry->GetSSL().security_style = entry->GetURL().SchemeIsSecure() ?
SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED;
}
void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
GURL parsed_origin(origin);
if (parsed_origin.SchemeIsSecure())
backend_->HostRanInsecureContent(parsed_origin.host(), pid);
}
}