authorabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-04-26 23:30:48 +0000
committerabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-04-26 23:30:48 +0000
commit0ccee20c7964bc39cc60df1b5cf534ca773109ff (patch)
treeda4f8ec6dce86a1d2551eb78c9ca56402b89809c /chrome/browser/views
parentbe36adf48521bae3965b79a852501c696413f133 (diff)
Monitor some sensitive UI actions for evidence of clickjacking.
Defending against clickjacking on these UI elements has a usability cost. We should measure to see if anyone is trying these attacks before inventing some crazy half-workaround. R=jar Review URL: http://codereview.chromium.org/99021 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@14568 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/views')
-rw-r--r--chrome/browser/views/download_item_view.cc11
-rw-r--r--chrome/browser/views/download_item_view.h4
-rw-r--r--chrome/browser/views/external_protocol_dialog.cc10
-rw-r--r--chrome/browser/views/external_protocol_dialog.h4
4 files changed, 28 insertions, 1 deletions
diff --git a/chrome/browser/views/download_item_view.cc b/chrome/browser/views/download_item_view.cc
index ffef0a6..9069c8d 100644
--- a/chrome/browser/views/download_item_view.cc
+++ b/chrome/browser/views/download_item_view.cc
@@ -142,6 +142,7 @@ DownloadItemView::DownloadItemView(DownloadItem* download,
discard_button_(NULL),
dangerous_download_label_(NULL),
dangerous_download_label_sized_(false),
+ creation_time_(base::Time::Now()),
reenable_method_factory_(this),
disabled_while_opening_(false) {
// TODO(idana) Bug# 1163334
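Review bot: `creation_time_` is taken from `base::Time::Now()`, which is wall-clock time, so the interval later reported to the `clickjacking.*` histograms can come out negative or inflated if the system clock is adjusted while the view is alive. A monotonic source fits an elapsed-time measurement better: declare the member as `base::TimeTicks creation_time_;`, initialise it with `creation_time_(base::TimeTicks::Now())`, and subtract from `base::TimeTicks::Now()` at each recording site. The same applies to the three `UMA_HISTOGRAM_LONG_TIMES` calls in this file and to the constructor and `Accept()` of `ExternalProtocolDialog`. The constructor's initialiser list starts and ends outside this hunk.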
@@ -406,11 +407,17 @@ void DownloadItemView::Layout() {
void DownloadItemView::ButtonPressed(views::Button* sender) {
if (sender == discard_button_) {
+ UMA_HISTOGRAM_LONG_TIMES("clickjacking.discard_download",
+ base::Time::Now() - creation_time_);
if (download_->state() == DownloadItem::IN_PROGRESS)
download_->Cancel(true);
download_->Remove(true);
// WARNING: we are deleted at this point. Don't access 'this'.
} else if (sender == save_button_) {
+ // The user has confirmed a dangerous download. We'd record how quickly the
+ // user did this to detect whether we're being clickjacked.
+ UMA_HISTOGRAM_LONG_TIMES("clickjacking.save_download",
+ base::Time::Now() - creation_time_);
// This will change the state and notify us.
download_->manager()->DangerousDownloadValidated(download_);
}
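Review bot: `UMA_HISTOGRAM_LONG_TIMES` is used in `ButtonPressed`, but none of the hunks for download_item_view.cc adds `#include "base/histogram.h"`, whereas external_protocol_dialog.cc gains that include in the same commit. If the header is not already included above line 142 (not visible here), the file presumably compiles only through a transitive include, and adding `#include "base/histogram.h"` directly would be more robust. Separately, the save-branch comment reads `We'd record`; `We record` matches what the code does, and the discard branch would benefit from an equivalent one-line comment.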
@@ -830,6 +837,10 @@ void DownloadItemView::AnimationProgressed(const Animation* animation) {
}
void DownloadItemView::OpenDownload() {
+ // We're interested in how long it takes users to open downloads. If they
+ // open downloads super quickly, we should be concerned about clickjacking.
+ UMA_HISTOGRAM_LONG_TIMES("clickjacking.open_download",
+ base::Time::Now() - creation_time_);
if (download_->state() == DownloadItem::IN_PROGRESS) {
download_->set_open_when_complete(!download_->open_when_complete());
} else if (download_->state() == DownloadItem::COMPLETE) {
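Review bot: The `clickjacking.open_download` sample is recorded before the state check, so it also counts clicks made while the download is `IN_PROGRESS`, where the click only toggles `open_when_complete` (possibly switching it off). It also counts any click in a state that matches neither branch. Because the interval starts at view construction, samples for completed downloads presumably include the download's own duration and not just the user's reaction time, which weakens the histogram as a clickjacking signal. Consider moving the macro call into the `DownloadItem::COMPLETE` branch, or recording the two cases under separate histogram names. The body of that branch lies outside this hunk.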
diff --git a/chrome/browser/views/download_item_view.h b/chrome/browser/views/download_item_view.h
index 4cd805f..730b425 100644
--- a/chrome/browser/views/download_item_view.h
+++ b/chrome/browser/views/download_item_view.h
@@ -20,6 +20,7 @@
#include "base/basictypes.h"
#include "base/scoped_ptr.h"
+#include "base/time.h"
#include "base/timer.h"
#include "chrome/common/gfx/chrome_font.h"
#include "chrome/common/slide_animation.h"
@@ -228,6 +229,9 @@ class DownloadItemView : public views::ButtonListener,
// Whether we are currently disabled as part of opening the downloaded file.
bool disabled_while_opening_;
+ // The time at which this view was created.
+ base::Time creation_time_;
+
// Method factory used to delay reenabling of the item when opening the
// downloaded file.
ScopedRunnableMethodFactory<DownloadItemView> reenable_method_factory_;
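Review bot: The comment on `creation_time_` says what the value is but not why it is kept or what it fails to capture. Something like `// Time at which this view was constructed. Used only as the start of the interval reported to the clickjacking.* histograms; construction may precede the view becoming visible.` would make clear that the metric measures time since construction. A clickjacking heuristic would ideally measure time since the buttons were first shown, and whether the two differ is not visible here. The matching member in external_protocol_dialog.h deserves the same note. The class body extends beyond this hunk.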
diff --git a/chrome/browser/views/external_protocol_dialog.cc b/chrome/browser/views/external_protocol_dialog.cc
index 2852b60..24f004c 100644
--- a/chrome/browser/views/external_protocol_dialog.cc
+++ b/chrome/browser/views/external_protocol_dialog.cc
@@ -4,6 +4,7 @@
#include "chrome/browser/views/external_protocol_dialog.h"
+#include "base/histogram.h"
#include "base/registry.h"
#include "base/string_util.h"
#include "base/thread.h"
@@ -65,6 +66,12 @@ void ExternalProtocolDialog::DeleteDelegate() {
}
bool ExternalProtocolDialog::Accept() {
+ // We record how long it takes the user to accept an external protocol. If
+ // users start accepting these dialogs too quickly, we should worry about
+ // clickjacking.
+ UMA_HISTOGRAM_LONG_TIMES("clickjacking.launch_url",
+ base::Time::Now() - creation_time_);
+
MessageLoop* io_loop = g_browser_process->io_thread()->message_loop();
if (io_loop == NULL) {
// Returning true closes the dialog.
@@ -89,7 +96,8 @@ ExternalProtocolDialog::ExternalProtocolDialog(TabContents* tab_contents,
const GURL& url,
const std::wstring& command)
: tab_contents_(tab_contents),
- url_(url) {
+ url_(url),
+ creation_time_(base::Time::Now()) {
std::wstring message_text = l10n_util::GetStringF(
IDS_EXTERNAL_PROTOCOL_INFORMATION,
ASCIIToWide(url.scheme() + ":"),
diff --git a/chrome/browser/views/external_protocol_dialog.h b/chrome/browser/views/external_protocol_dialog.h
index 7392cbb..860178f 100644
--- a/chrome/browser/views/external_protocol_dialog.h
+++ b/chrome/browser/views/external_protocol_dialog.h
@@ -5,6 +5,7 @@
#ifndef CHROME_BROWSER_EXTERNAL_PROTOCOL_DIALOG_H__
#define CHROME_BROWSER_EXTERNAL_PROTOCOL_DIALOG_H__
+#include "base/time.h"
#include "chrome/views/window/dialog_delegate.h"
#include "googleurl/src/gurl.h"
@@ -62,6 +63,9 @@ class ExternalProtocolDialog : public views::DialogDelegate {
// URL of the external protocol request.
GURL url_;
+ // The time at which this dialog was created.
+ base::Time creation_time_;
+
DISALLOW_EVIL_CONSTRUCTORS(ExternalProtocolDialog);
};