Subresource certificate errors are handled with a big giant hack |
|||||||
Issue descriptionWhen the renderer sees a subresource with a certificate error, it notifies the browser process via DidDisplayContentWithCertificateErrors or DidRunContentWithCertificateErrors messages. The browser then pretends that those subresources were basically mixed content, so that DISPLAYED_INSECURE_CONTENT or RAN_INSECURE_CONTENT flags get set on the navigation entry's SSLStatus and the security UI gets downgraded. The trouble is that subresources with certificate errors are kinda like mixed content but not really, and treating them as mixed content is a big hack that is not working out very well, somewhat unsurprisingly. One concrete example is that DevTools has no way of distinguishing "real" mixed content (subresources loaded over http) from "broken-https" mixed content (subresources loaded over https connections with certificate errors). See issue 587172 . I think that we can solve this with some additional plumbing, basically mirroring the mixed content plumbing. That is, instead of setting the DISPLAYED/RAN_INSECURE_CONTENT ContentStatus flags on the SSLStatus, we should introduce new flags for content loaded with certificate errors, so that we have a separate signal that UI can distinguish.
,
Aug 11 2016
,
Aug 11 2016
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/54f191f54bfac1f2400a42ece329516e225a2a75 commit 54f191f54bfac1f2400a42ece329516e225a2a75 Author: estark <estark@chromium.org> Date: Fri Aug 12 00:27:32 2016 Rename SecurityStateModel::MIXED_CONTENT_STATUS enum values I'm planning to add information about subresources with certificate errors to SecurityStateModel. This CL renames the MixedContentStatus enum values to be more generic, so that we can use the same passive/displayed, active/ran distinction for subresources with cert errors that we use for mixed content. #1: https://codereview.chromium.org/2224193003/ (this CL) #2: https://codereview.chromium.org/2224023003/ Teach SecurityStateModel about subresources with cert errors #3: https://codereview.chromium.org/2225213004/ Teach SSLHostStateDelegate about subresources with cert errors #4: https://codereview.chromium.org/2226363002/ Track subresources with cert errors separately from mixed content BUG= 634171 , 636986 Review-Url: https://codereview.chromium.org/2224193003 Cr-Commit-Position: refs/heads/master@{#411476} [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/chrome/browser/ssl/chrome_security_state_model_client.cc [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/chrome/browser/ssl/security_state_model_android.cc [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/chrome/browser/ui/website_settings/website_settings.cc [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/chrome/browser/ui/website_settings/website_settings_unittest.cc [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/components/security_state/security_state_model.cc [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/components/security_state/security_state_model.h [modify] https://crrev.com/54f191f54bfac1f2400a42ece329516e225a2a75/components/security_state/security_state_model_unittest.cc
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/61ab9d4706f6887539b9097bdbbc40ec6e671c85 commit 61ab9d4706f6887539b9097bdbbc40ec6e671c85 Author: estark <estark@chromium.org> Date: Fri Aug 12 02:08:57 2016 Teach SecurityStateModel about subresources with cert errors This is the second in a series of CLs to create dedicated plumbing for subresources with certificate errors, instead of treating them like mixed content from the browser's perspective. This CL adds flags for subresources with cert errors to SecurityStateModel and SSLStatus. ChromeSecurityStateModelClient sets these flags on the VisibleSecurityState based on the NavigationEntry's SSLStatus, and SecurityStateModel downgrades the security level appropriately. Nothing yet sets the flags on the SSLStatus. #1: https://codereview.chromium.org/2224193003/ Rename SecurityStateModel::MIXED_CONTENT_STATUS enum values #2: https://codereview.chromium.org/2224023003/ (this CL) #3: https://codereview.chromium.org/2225213004/ Teach SSLHostStateDelegate about subresources with cert errors #4: https://codereview.chromium.org/2226363002/ Track subresources with cert errors separately from mixed content BUG= 634171 , 636986 Review-Url: https://codereview.chromium.org/2224023003 Cr-Commit-Position: refs/heads/master@{#411520} [modify] https://crrev.com/61ab9d4706f6887539b9097bdbbc40ec6e671c85/chrome/browser/ssl/chrome_security_state_model_client.cc [modify] https://crrev.com/61ab9d4706f6887539b9097bdbbc40ec6e671c85/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc [modify] https://crrev.com/61ab9d4706f6887539b9097bdbbc40ec6e671c85/components/security_state/security_state_model.cc [modify] https://crrev.com/61ab9d4706f6887539b9097bdbbc40ec6e671c85/components/security_state/security_state_model.h [modify] https://crrev.com/61ab9d4706f6887539b9097bdbbc40ec6e671c85/content/public/common/ssl_status.h
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/854d78b541e9a8132f50985fc434d4d43c7417b1 commit 854d78b541e9a8132f50985fc434d4d43c7417b1 Author: estark <estark@chromium.org> Date: Fri Aug 12 03:30:33 2016 Teach SSLHostStateDelegate about subresources with cert errors This is the third in a series of CLs to create dedicated plumbing for subresources with certificate errors, instead of treating them like mixed content from the browser's perspective. This CL teaches SSLHostStateDelegate (and its implementation ChromeSSLHostStateDelegate) about subresources with certificate errors, as distinct from mixed content. ChromeSSLHostStateDelegate keeps two maps of broken hosts, one for mixed content and one for subresources with cert errors. HostRanInsecureContent() and DidHostRunInsecureContent() take an argument to indicate whether the subresource in question was mixed or had cert errors. (An alternative would be to have a separate set of methods for cert errors; I could be convinced either way.) #1: https://codereview.chromium.org/2224193003/ Rename SecurityStateModel::MIXED_CONTENT_STATUS enum values #2: https://codereview.chromium.org/2224023003/ Teach SecurityStateModel about subresources with cert errors #3: https://codereview.chromium.org/2225213004/ (this CL) #4: https://codereview.chromium.org/2226363002/ Track subresources with cert errors separately from mixed content BUG= 634171 , 636986 Review-Url: https://codereview.chromium.org/2225213004 Cr-Commit-Position: refs/heads/master@{#411543} [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/android_webview/browser/aw_ssl_host_state_delegate.cc [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/android_webview/browser/aw_ssl_host_state_delegate.h [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/chrome/browser/ssl/chrome_ssl_host_state_delegate.cc [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/chrome/browser/ssl/chrome_ssl_host_state_delegate.h [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/chrome/browser/ssl/chrome_ssl_host_state_delegate_test.cc [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/content/browser/ssl/ssl_policy_backend.cc [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/content/public/browser/ssl_host_state_delegate.h [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/content/test/mock_ssl_host_state_delegate.cc [modify] https://crrev.com/854d78b541e9a8132f50985fc434d4d43c7417b1/content/test/mock_ssl_host_state_delegate.h
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cd2e30cd6679e2249af296807d7270087879919d commit cd2e30cd6679e2249af296807d7270087879919d Author: estark <estark@chromium.org> Date: Fri Aug 12 06:51:15 2016 Track subresources with cert errors separately from mixed content This is the final in a series of CLs to create dedicated plumbing for subresources with certificate errors, instead of treating them like mixed content from the browser's perspective. Previously, when WebContentsImpl learned about a subresource with certificate errors, it set its own DisplayedInsecureContent() flag for a passive resource, or notified SSLManager::HostRanInsecureContent() about an active subresource. This is the same set of mechanisms that was used for subresources loaded over HTTP on HTTPS pages (mixed content). In this CL, SSLManager, SSLPolicy, and SSLPolicyBackend get mechanisms for tracking subresources with cert errors separately from mixed content. WebContentsImpl also gets a DisplayedContentWithCertErrors() flag separate from DisplayedInsecureContent() which it uses for mixed content. This separate set of plumbing allows browser UI to distinguish mixed content from subresources with cert errors; for example, the DevTools security panel should use a separate message to describe these two different situations. (This CL does not actually make aforementioned UI changes, but rather just sets up the plumbing to do so.) #1: https://codereview.chromium.org/2224193003/ Rename SecurityStateModel::MIXED_CONTENT_STATUS enum values #2: https://codereview.chromium.org/2224023003/ Teach SecurityStateModel about subresources with cert errors #3: https://codereview.chromium.org/2225213004/ Teach SSLHostStateDelegate about subresources with cert errors #4: https://codereview.chromium.org/2226363002/ (this CL) BUG= 634171 , 636986 Review-Url: https://codereview.chromium.org/2226363002 Cr-Commit-Position: refs/heads/master@{#411564} [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/chrome/browser/ssl/ssl_browser_tests.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/service_worker/service_worker_browsertest.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/site_per_process_browsertest.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/ssl/ssl_manager.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/ssl/ssl_manager.h [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/ssl/ssl_policy.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/ssl/ssl_policy.h [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/ssl/ssl_policy_backend.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/ssl/ssl_policy_backend.h [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/web_contents/web_contents_impl.cc [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/browser/web_contents/web_contents_impl.h [modify] https://crrev.com/cd2e30cd6679e2249af296807d7270087879919d/content/public/browser/web_contents.h
,
Aug 12 2016
,
Aug 15 2016
Reopening because WebsiteSettings needs a few tweaks.
,
Aug 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/00e83f13e0edc9bc0d3df45cf25f96fc55149b2b commit 00e83f13e0edc9bc0d3df45cf25f96fc55149b2b Author: estark <estark@chromium.org> Date: Fri Aug 19 18:24:04 2016 Adjust WebsiteSettings statuses for subresources with cert errors SSLPolicy and SecurityStateModel used to record subresources with certificate errors as mixed content. As of https://codereview.chromium.org/2226363002/, however, subresources with cert errors are recorderded separately, in their own |content_with_cert_errors_status| field on SecurityStateModel::SecurityInfo. This CL updates WebsiteSettings to warn the user when there are subresources with cert errors on the page. Currently, WebsiteSettings uses the same statuses as are used for mixed content, because the strings happen to apply well to both types of insecure content. (I also renamed a few strings and enums to make it more clear that they describe different types of insecure subresources, not just mixed content.) In future, maybe we'd want to use different strings to describe subresources with cert errors in WebsiteSettings, but I think the mixed content strings work well enough for now. (Other UI like DevTools will distinguish mixed content from subresources with cert errors, which is one of the reasons that we separated the two into |mixed_content_status| and |content_with_cert_errors_status|.) For simplicity, WebsiteSettings ignores subresources with certificate errors when the main resource was loaded with a certificate error. I think that trying to distinguish subresource cert errors from cert errors on the main resource is probably TMI for the average user. BUG= 634171 Review-Url: https://codereview.chromium.org/2244243002 Cr-Commit-Position: refs/heads/master@{#413190} [modify] https://crrev.com/00e83f13e0edc9bc0d3df45cf25f96fc55149b2b/chrome/app/generated_resources.grd [modify] https://crrev.com/00e83f13e0edc9bc0d3df45cf25f96fc55149b2b/chrome/browser/ui/website_settings/website_settings.cc [modify] https://crrev.com/00e83f13e0edc9bc0d3df45cf25f96fc55149b2b/chrome/browser/ui/website_settings/website_settings.h [modify] https://crrev.com/00e83f13e0edc9bc0d3df45cf25f96fc55149b2b/chrome/browser/ui/website_settings/website_settings_ui.cc [modify] https://crrev.com/00e83f13e0edc9bc0d3df45cf25f96fc55149b2b/chrome/browser/ui/website_settings/website_settings_unittest.cc
,
Aug 19 2016
,
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by est...@chromium.org
, Aug 11 2016