That sounds a little weird. Why can't we reuse the existing non-secure level?
(I'm sure there's a good reason; it's just not immediately evident to me.)

The new state that we're adding needs to be distinct from all of the others because the enum is directly consumed by UI. Otherwise, how will consumers know what UI to show? We aren't reusing existing UI form other states.

Mind if I do part (A)? I happen to already have a CL that does it bc I was investigating everywhere that SecurityLevels travelled. I'll send you the CL now and you can pick up the bug again to do part (B).

Oh, cool! Didn't know you had already started on it.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc

commit 0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc
Author: felt <felt@chromium.org>
Date: Tue Sep 20 01:51:58 2016

Add new SecurityLevel for Http Bad state

This adds a new SecurityLevel, HTTP_SHOW_WARNING, for Http-Bad states.

At this point in time, HTTP_SHOW_WARNING is never set, nor is it
consumed anywhere. You should ONLY make use of it behind the HttpBad
flag. I'm adding it separately in a small CL since it's a dependency
for several of our other tasks.

BUG= 647558 

Review-Url: https://codereview.chromium.org/2346063002
Cr-Commit-Position: refs/heads/master@{#419640}

[modify] https://crrev.com/0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc/chrome/android/java/src/org/chromium/chrome/browser/omnibox/LocationBarLayout.java
[modify] https://crrev.com/0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc/chrome/browser/ssl/chrome_security_state_model_client.cc
[modify] https://crrev.com/0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc/components/security_state/security_state_model.cc
[modify] https://crrev.com/0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc/components/security_state/security_state_model.h
[modify] https://crrev.com/0e7efe19fc0d0eb8454ff0cc6e6962aa50d72cdc/components/toolbar/toolbar_model_impl.cc

(A) landed, back to you for (B)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a7040a0af3abeca232b0b4bf493d30f070e37d86

commit a7040a0af3abeca232b0b4bf493d30f070e37d86
Author: estark <estark@chromium.org>
Date: Wed Sep 21 03:07:51 2016

Add SSLStatus flags to feed HTTP_WARNING security level

This change adds SSLStatus flags to |content_status| for when the page
is detected to contain password or credit card fields over HTTP. Nothing
yet sets these SSLStatus flags.

When the flags are set (and the command-line switch), SecurityStateModel
downgrades the security level to HTTP_WARNING.

This is based on top of https://codereview.chromium.org/2346063002/

BUG= 647558 

Review-Url: https://codereview.chromium.org/2350273002
Cr-Commit-Position: refs/heads/master@{#419961}

[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/chrome/browser/ssl/chrome_security_state_model_client.cc
[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/components/security_state/security_state_model.cc
[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/components/security_state/security_state_model.h
[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/components/security_state/security_state_model_unittest.cc
[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/content/public/browser/ssl_status.h
[modify] https://crrev.com/a7040a0af3abeca232b0b4bf493d30f070e37d86/tools/metrics/histograms/histograms.xml

I think we can mark this done. (There's a separate bug for ios). felt, anything else you want to do here?

nope think this one's done. 1 down, ... a lot to go!