authorabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-02-13 10:04:35 +0000
committerabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-02-13 10:04:35 +0000
commit34cc84fd2e2c22194b88d652b7331846aa620a1b (patch)
tree6618582cf33a54974c547d309883c31f41d237e1 /chrome/browser
parent52b56d1abe78e4a87b6c6a540b41d46961af0b61 (diff)
Remember that we've white listed a certificate when we switch to a new tab.
R=wtc BUG=6456 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9749 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser')
-rw-r--r--chrome/browser/browser.scons3
-rw-r--r--chrome/browser/browser.vcproj8
-rw-r--r--chrome/browser/profile.cc30
-rw-r--r--chrome/browser/profile.h8
-rwxr-xr-xchrome/browser/ssl/ssl_host_state.cc47
-rwxr-xr-xchrome/browser/ssl/ssl_host_state.h59
-rw-r--r--chrome/browser/ssl/ssl_manager.cc38
-rw-r--r--chrome/browser/ssl/ssl_manager.h55
8 files changed, 195 insertions, 53 deletions
diff --git a/chrome/browser/browser.scons b/chrome/browser/browser.scons
index 6e9e54d..f6ed585 100644
--- a/chrome/browser/browser.scons
+++ b/chrome/browser/browser.scons
@@ -623,6 +623,8 @@ input_files = ChromeFileList([
'ssl/ssl_blocking_page.h',
'ssl/ssl_error_info.cc',
'ssl/ssl_error_info.h',
+ 'ssl/ssl_host_state.cc',
+ 'ssl/ssl_host_state.h',
'ssl/ssl_manager.cc',
'ssl/ssl_manager.h',
'ssl/ssl_policy.cc',
@@ -895,6 +897,7 @@ xmldoc_files = [
'search_engines/template_url_prepopulate_data.cc',
'ssl/ssl_blocking_page.cc',
'ssl/ssl_error_info.cc',
+ 'ssl/ssl_host_state.cc',
'ssl/ssl_manager.cc',
'ssl/ssl_policy.cc',
'tab_contents/interstitial_page.cc',
diff --git a/chrome/browser/browser.vcproj b/chrome/browser/browser.vcproj
index 8c02fd3..d341b5a 100644
--- a/chrome/browser/browser.vcproj
+++ b/chrome/browser/browser.vcproj
@@ -2358,6 +2358,14 @@
>
</File>
<File
+ RelativePath=".\ssl\ssl_host_state.cc"
+ >
+ </File>
+ <File
+ RelativePath=".\ssl\ssl_host_state.h"
+ >
+ </File>
+ <File
RelativePath=".\ssl\ssl_manager.cc"
>
</File>
diff --git a/chrome/browser/profile.cc b/chrome/browser/profile.cc
index 00fc733..21070b2 100644
--- a/chrome/browser/profile.cc
+++ b/chrome/browser/profile.cc
@@ -21,6 +21,7 @@
#include "chrome/browser/profile_manager.h"
#include "chrome/browser/renderer_host/render_process_host.h"
#include "chrome/browser/search_engines/template_url_model.h"
+#include "chrome/browser/ssl/ssl_host_state.h"
#include "chrome/browser/sessions/session_service.h"
#include "chrome/browser/sessions/tab_restore_service.h"
#include "chrome/browser/visitedlink_master.h"
@@ -59,7 +60,7 @@ static const int kCreateSessionServiceDelayMS = 500;
// Profile::GetDefaultRequestContext.
URLRequestContext* Profile::default_request_context_;
-//static
+// static
void Profile::RegisterUserPrefs(PrefService* prefs) {
prefs->RegisterBooleanPref(prefs::kSearchSuggestEnabled, true);
prefs->RegisterBooleanPref(prefs::kSessionExitedCleanly, true);
@@ -76,12 +77,12 @@ void Profile::RegisterUserPrefs(PrefService* prefs) {
prefs->RegisterBooleanPref(prefs::kEnableSpellCheck, true);
}
-//static
+// static
Profile* Profile::CreateProfile(const FilePath& path) {
return new ProfileImpl(path);
}
-//static
+// static
URLRequestContext* Profile::GetDefaultRequestContext() {
return default_request_context_;
}
@@ -152,6 +153,14 @@ class OffTheRecordProfileImpl : public Profile,
return profile_->GetUserScriptMaster();
}
+ virtual SSLHostState* GetSSLHostState() {
+ if (!ssl_host_state_.get())
+ ssl_host_state_.reset(new SSLHostState());
+
+ DCHECK(ssl_host_state_->CalledOnValidThread());
+ return ssl_host_state_.get();
+ }
+
virtual HistoryService* GetHistoryService(ServiceAccessType sat) {
if (sat == EXPLICIT_ACCESS) {
return profile_->GetHistoryService(sat);
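Review bot: In `OffTheRecordProfileImpl::GetSSLHostState()` the `DCHECK(ssl_host_state_->CalledOnValidThread())` runs after the object may have been created by this same call, so on the first call it can never fire. If `NonThreadSafe` binds to the constructing thread, as its name suggests, whichever thread calls first becomes the valid thread, and the lazy `reset()` itself is unsynchronised. I would state the contract above the method, for example `// Lazily created; must only be called on the thread that owns this profile.` The same pattern is repeated in `ProfileImpl::GetSSLHostState()` in the later profile.cc hunk. The hunk ends inside `GetHistoryService`, whose body continues outside it.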
@@ -306,6 +315,11 @@ class OffTheRecordProfileImpl : public Profile,
// The download manager that only stores downloaded items in memory.
scoped_refptr<DownloadManager> download_manager_;
+ // We don't want SSLHostState from the OTR profile to leak back to the main
+ // profile because then the main profile would learn some of the host names
+ // the user visited while OTR.
+ scoped_ptr<SSLHostState> ssl_host_state_;
+
// Time we were started.
Time start_time_;
@@ -499,6 +513,14 @@ UserScriptMaster* ProfileImpl::GetUserScriptMaster() {
return user_script_master_.get();
}
+SSLHostState* ProfileImpl::GetSSLHostState() {
+ if (!ssl_host_state_.get())
+ ssl_host_state_.reset(new SSLHostState());
+
+ DCHECK(ssl_host_state_->CalledOnValidThread());
+ return ssl_host_state_.get();
+}
+
PrefService* ProfileImpl::GetPrefs() {
if (!prefs_.get()) {
prefs_.reset(new PrefService(GetPrefFilePath().ToWStringHack()));
@@ -768,7 +790,7 @@ SpellChecker* ProfileImpl::GetSpellChecker() {
// This is where spellchecker gets initialized. Note that this is being
// initialized in the ui_thread. However, this is not a problem as long as
// it is *used* in the io thread.
- // TODO (sidchat) One day, change everything so that spellchecker gets
+ // TODO(sidchat): One day, change everything so that spellchecker gets
// initialized in the IO thread itself.
InitializeSpellChecker(false);
}
diff --git a/chrome/browser/profile.h b/chrome/browser/profile.h
index fdbfd61..8f513ae 100644
--- a/chrome/browser/profile.h
+++ b/chrome/browser/profile.h
@@ -28,6 +28,7 @@ class NavigationController;
class PrefService;
class SessionService;
class SpellChecker;
+class SSLHostState;
class TabRestoreService;
class TemplateURLFetcher;
class TemplateURLModel;
@@ -110,6 +111,11 @@ class Profile {
// that this method is called.
virtual UserScriptMaster* GetUserScriptMaster() = 0;
+ // Retrieves a pointer to the SSLHostState associated with this profile.
+ // The SSLHostState is lazily created the first time that this method is
+ // called.
+ virtual SSLHostState* GetSSLHostState() = 0;
+
// Retrieves a pointer to the HistoryService associated with this
// profile. The HistoryService is lazily created the first time
// that this method is called.
@@ -261,6 +267,7 @@ class ProfileImpl : public Profile,
virtual Profile* GetOriginalProfile();
virtual VisitedLinkMaster* GetVisitedLinkMaster();
virtual UserScriptMaster* GetUserScriptMaster();
+ virtual SSLHostState* GetSSLHostState();
virtual ExtensionsService* GetExtensionsService();
virtual HistoryService* GetHistoryService(ServiceAccessType sat);
virtual WebDataService* GetWebDataService(ServiceAccessType sat);
@@ -323,6 +330,7 @@ class ProfileImpl : public Profile,
scoped_ptr<VisitedLinkMaster> visited_link_master_;
scoped_refptr<ExtensionsService> extensions_service_;
scoped_refptr<UserScriptMaster> user_script_master_;
+ scoped_ptr<SSLHostState> ssl_host_state_;
scoped_ptr<PrefService> prefs_;
scoped_ptr<TemplateURLFetcher> template_url_fetcher_;
scoped_ptr<TemplateURLModel> template_url_model_;
diff --git a/chrome/browser/ssl/ssl_host_state.cc b/chrome/browser/ssl/ssl_host_state.cc
new file mode 100755
index 0000000..5bee7d9
--- /dev/null
+++ b/chrome/browser/ssl/ssl_host_state.cc
@@ -0,0 +1,47 @@
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/ssl_host_state.h"
+
+SSLHostState::SSLHostState() {
+}
+
+SSLHostState::~SSLHostState() {
+}
+
+void SSLHostState::DenyCertForHost(net::X509Certificate* cert,
+ const std::string& host) {
+ DCHECK(CalledOnValidThread());
+
+ // Remember that we don't like this cert for this host.
+ cert_policy_for_host_[host].Deny(cert);
+}
+
+void SSLHostState::AllowCertForHost(net::X509Certificate* cert,
+ const std::string& host) {
+ DCHECK(CalledOnValidThread());
+
+ // Remember that we do like this cert for this host.
+ cert_policy_for_host_[host].Allow(cert);
+}
+
+net::X509Certificate::Policy::Judgment SSLHostState::QueryPolicy(
+ net::X509Certificate* cert, const std::string& host) {
+ DCHECK(CalledOnValidThread());
+
+ return cert_policy_for_host_[host].Check(cert);
+}
+
+bool SSLHostState::CanShowInsecureContent(const GURL& url) {
+ DCHECK(CalledOnValidThread());
+
+ return (can_show_insecure_content_for_host_.find(url.host()) !=
+ can_show_insecure_content_for_host_.end());
+}
+
+void SSLHostState::AllowShowInsecureContentForURL(const GURL& url) {
+ DCHECK(CalledOnValidThread());
+
+ can_show_insecure_content_for_host_.insert(url.host());
+}
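Review bot: `SSLHostState::QueryPolicy()` reads through `cert_policy_for_host_[host]`, and `operator[]` inserts an empty `Policy` for every host that is merely queried. Now that the map lives as long as the profile rather than one tab, those entries accumulate, and a pure lookup leaves a record of the host name behind. Looking the host up with `cert_policy_for_host_.find(host)` and checking against an empty `Policy` when there is no entry keeps the query side-effect free and lets the method be `const`. Nothing in this file removes an entry either, so an allow decision cannot be revoked short of destroying the profile object; a clear or revoke method would be worth adding with this change.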
diff --git a/chrome/browser/ssl/ssl_host_state.h b/chrome/browser/ssl/ssl_host_state.h
new file mode 100755
index 0000000..6d0194f
--- /dev/null
+++ b/chrome/browser/ssl/ssl_host_state.h
@@ -0,0 +1,59 @@
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SSL_SSL_HOST_STATE_H_
+#define CHROME_BROWSER_SSL_SSL_HOST_STATE_H_
+
+#include <string>
+#include <map>
+#include <set>
+
+#include "base/basictypes.h"
+#include "base/non_thread_safe.h"
+#include "googleurl/src/gurl.h"
+#include "net/base/x509_certificate.h"
+
+// SSLHostState
+//
+// The SSLHostState encapulates the host-specific state for SSL errors. For
+// example, SSLHostState rememebers whether the user has whitelisted a
+// particular broken cert for use with particular host. We separate this state
+// from the SSLManager because this state is shared across many navigation
+// controllers.
+
+class SSLHostState : public NonThreadSafe {
+ public:
+ SSLHostState();
+ ~SSLHostState();
+
+ // Records that |cert| is permitted to be used for |host| in the future.
+ void DenyCertForHost(net::X509Certificate* cert, const std::string& host);
+
+ // Records that |cert| is not permitted to be used for |host| in the future.
+ void AllowCertForHost(net::X509Certificate* cert, const std::string& host);
+
+ // Queries whether |cert| is allowed or denied for |host|.
+ net::X509Certificate::Policy::Judgment QueryPolicy(
+ net::X509Certificate* cert, const std::string& host);
+
+ // Allow mixed/unsafe content to be visible (non filtered) for the specified
+ // URL.
+ // Note that the current implementation allows on a host name basis.
+ void AllowShowInsecureContentForURL(const GURL& url);
+
+ // Returns whether the specified URL is allowed to show insecure (mixed or
+ // unsafe) content.
+ bool CanShowInsecureContent(const GURL& url);
+
+ private:
+ // Certificate policies for each host.
+ std::map<std::string, net::X509Certificate::Policy> cert_policy_for_host_;
+
+ // Domains for which it is OK to show insecure content.
+ std::set<std::string> can_show_insecure_content_for_host_;
+
+ DISALLOW_COPY_AND_ASSIGN(SSLHostState);
+};
+
+#endif // CHROME_BROWSER_SSL_SSL_HOST_STATE_H_
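Review bot: The comments on `DenyCertForHost` and `AllowCertForHost` are swapped: the deny method is documented as recording that the cert "is permitted" and the allow method as "is not permitted". For an API that stores certificate exceptions this is an easy way for a caller to pick the wrong one. They should read `// Records that |cert| is not permitted to be used for |host| in the future.` above `DenyCertForHost` and `// Records that |cert| is permitted to be used for |host| in the future.` above `AllowCertForHost`. The class comment also has two typos, "encapulates" and "rememebers".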
diff --git a/chrome/browser/ssl/ssl_manager.cc b/chrome/browser/ssl/ssl_manager.cc
index 910d43f..195d25e 100644
--- a/chrome/browser/ssl/ssl_manager.cc
+++ b/chrome/browser/ssl/ssl_manager.cc
@@ -12,6 +12,7 @@
#include "chrome/browser/renderer_host/render_view_host.h"
#include "chrome/browser/renderer_host/resource_request_details.h"
#include "chrome/browser/ssl/ssl_error_info.h"
+#include "chrome/browser/ssl/ssl_host_state.h"
#include "chrome/browser/tab_contents/navigation_controller.h"
#include "chrome/browser/tab_contents/navigation_entry.h"
#include "chrome/browser/tab_contents/provisional_load_details.h"
@@ -43,14 +44,14 @@
class SSLInfoBarDelegate : public ConfirmInfoBarDelegate {
public:
- SSLInfoBarDelegate(TabContents* contents,
- const std::wstring message,
- const std::wstring& button_label,
- Task* task)
- : ConfirmInfoBarDelegate(contents),
- message_(message),
- button_label_(button_label),
- task_(task) {
+ SSLInfoBarDelegate(TabContents* contents,
+ const std::wstring message,
+ const std::wstring& button_label,
+ Task* task)
+ : ConfirmInfoBarDelegate(contents),
+ message_(message),
+ button_label_(button_label),
+ task_(task) {
}
virtual ~SSLInfoBarDelegate() {}
@@ -101,7 +102,8 @@ void SSLManager::RegisterUserPrefs(PrefService* prefs) {
SSLManager::SSLManager(NavigationController* controller, Delegate* delegate)
: delegate_(delegate),
- controller_(controller) {
+ controller_(controller),
+ ssl_host_state_(controller->profile()->GetSSLHostState()) {
DCHECK(controller_);
// If do delegate is supplied, use the default policy.
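Review bot: The new initializer `ssl_host_state_(controller->profile()->GetSSLHostState())` dereferences `controller` before the existing `DCHECK(controller_)` in the body runs, so a null controller now crashes in the initializer list instead of reaching the check. Either assign `ssl_host_state_` in the body after the DCHECK or add `DCHECK(ssl_host_state_);` so a missing host state is caught at construction rather than at the first cert decision. The constructor body continues outside the hunk.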
@@ -191,33 +193,27 @@ void SSLManager::AddMessageToConsole(const std::wstring& msg,
void SSLManager::DenyCertForHost(net::X509Certificate* cert,
const std::string& host) {
// Remember that we don't like this cert for this host.
- // TODO(abarth): Do we want to persist this information in the user's profile?
- cert_policy_for_host_[host].Deny(cert);
+ ssl_host_state_->DenyCertForHost(cert, host);
}
// Delegate API method.
void SSLManager::AllowCertForHost(net::X509Certificate* cert,
const std::string& host) {
- // Remember that we do like this cert for this host.
- // TODO(abarth): Do we want to persist this information in the user's profile?
- cert_policy_for_host_[host].Allow(cert);
+ ssl_host_state_->AllowCertForHost(cert, host);
}
// Delegate API method.
net::X509Certificate::Policy::Judgment SSLManager::QueryPolicy(
net::X509Certificate* cert, const std::string& host) {
- // TODO(abarth): Do we want to read this information from the user's profile?
- return cert_policy_for_host_[host].Check(cert);
+ return ssl_host_state_->QueryPolicy(cert, host);
}
bool SSLManager::CanShowInsecureContent(const GURL& url) {
- // TODO(jcampan): Do we want to read this information from the user's profile?
- return (can_show_insecure_content_for_host_.find(url.host()) !=
- can_show_insecure_content_for_host_.end());
+ return ssl_host_state_->CanShowInsecureContent(url);
}
void SSLManager::AllowShowInsecureContentForURL(const GURL& url) {
- can_show_insecure_content_for_host_.insert(url.host());
+ ssl_host_state_->AllowShowInsecureContentForURL(url);
}
bool SSLManager::ProcessedSSLErrorFromRequest() const {
@@ -609,7 +605,7 @@ void SSLManager::DidCommitProvisionalLoad(
// If the frame has been blocked we keep our security style as
// authenticated in that case as nothing insecure is actually showing or
// loaded.
- if (!details->is_content_filtered &&
+ if (!details->is_content_filtered &&
!details->entry->ssl().has_mixed_content()) {
details->entry->ssl().set_has_mixed_content();
changed = true;
diff --git a/chrome/browser/ssl/ssl_manager.h b/chrome/browser/ssl/ssl_manager.h
index 2c013a9..0b1842e 100644
--- a/chrome/browser/ssl/ssl_manager.h
+++ b/chrome/browser/ssl/ssl_manager.h
@@ -2,11 +2,12 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef CHROME_BROWSER_SSL_MANAGER_H_
-#define CHROME_BROWSER_SSL_MANAGER_H_
+#ifndef CHROME_BROWSER_SSL_SSL_MANAGER_H_
+#define CHROME_BROWSER_SSL_SSL_MANAGER_H_
#include <string>
#include <map>
+#include <vector>
#include "base/basictypes.h"
#include "base/observer_list.h"
@@ -32,6 +33,7 @@ class PrefService;
class ResourceRedirectDetails;
class ResourceRequestDetails;
class SSLErrorInfo;
+class SSLHostState;
class Task;
class URLRequest;
class WebContents;
@@ -59,7 +61,7 @@ class SSLManager : public NotificationObserver {
// necessary for ensuring the instance is not leaked.
class ErrorHandler : public base::RefCountedThreadSafe<ErrorHandler> {
public:
- virtual ~ErrorHandler() { }
+ virtual ~ErrorHandler() { }
// Find the appropriate SSLManager for the URLRequest and begin handling
// this error.
@@ -71,7 +73,7 @@ class SSLManager : public NotificationObserver {
const GURL& request_url() const { return request_url_; }
// Call on the UI thread.
- SSLManager* manager() const { return manager_; };
+ SSLManager* manager() const { return manager_; }
// Returns the WebContents this object is associated with. Should be
// called from the UI thread.
@@ -162,8 +164,8 @@ class SSLManager : public NotificationObserver {
const GURL request_url_; // The URL that we requested.
// Should only be accessed on the IO thread
- bool request_has_been_notified_; // A flag to make sure we notify the
- // URLRequest exactly once.
+ bool request_has_been_notified_; // A flag to make sure we notify the
+ // URLRequest exactly once.
DISALLOW_EVIL_CONSTRUCTORS(ErrorHandler);
};
@@ -198,7 +200,7 @@ class SSLManager : public NotificationObserver {
// These read-only members can be accessed on any thread.
net::SSLInfo ssl_info_;
- const int cert_error_; // The error we represent.
+ const int cert_error_; // The error we represent.
// What kind of resource is associated with the requested that generated
// that error.
@@ -337,7 +339,7 @@ class SSLManager : public NotificationObserver {
// Called when a mixed-content sub-resource request has been detected. The
// request is not started yet. The SSLManager will make a decision on whether
// to filter that request's content (with the filter_policy flag).
- // TODO (jcampan): Implement a way to just cancel the request. This is not
+ // TODO(jcampan): Implement a way to just cancel the request. This is not
// straight-forward as canceling a request that has not been started will
// not remove from the pending_requests_ of the ResourceDispatcherHost.
// Called on the IO thread.
@@ -398,24 +400,25 @@ class SSLManager : public NotificationObserver {
// in an info-bar.
struct SSLMessageInfo {
public:
- explicit SSLMessageInfo(const std::wstring& text)
+ explicit SSLMessageInfo(const std::wstring& text)
: message(text),
action(NULL) { }
- SSLMessageInfo(const std::wstring& message,
- const std::wstring& link_text,
- Task* action)
+
+ SSLMessageInfo(const std::wstring& message,
+ const std::wstring& link_text,
+ Task* action)
: message(message), link_text(link_text), action(action) { }
- // Overridden so that std::find works.
- bool operator==(const std::wstring& other_message) const {
- // We are uniquing SSLMessageInfo by their message only.
- return message == other_message;
- }
+ // Overridden so that std::find works.
+ bool operator==(const std::wstring& other_message) const {
+ // We are uniquing SSLMessageInfo by their message only.
+ return message == other_message;
+ }
- std::wstring message;
- std::wstring link_text;
- Task* action;
- };
+ std::wstring message;
+ std::wstring link_text;
+ Task* action;
+ };
// Entry points for notifications to which we subscribe. Note that
// DidCommitProvisionalLoad uses the abstract NotificationDetails type since
@@ -447,11 +450,8 @@ class SSLManager : public NotificationObserver {
// Handles registering notifications with the NotificationService.
NotificationRegistrar registrar_;
- // Certificate policies for each host.
- std::map<std::string, net::X509Certificate::Policy> cert_policy_for_host_;
-
- // Domains for which it is OK to show insecure content.
- std::set<std::string> can_show_insecure_content_for_host_;
+ // SSL state specific for each host.
+ SSLHostState* ssl_host_state_;
// The list of messages that should be displayed (in info bars) when the page
// currently loading had loaded.
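Review bot: `SSLHostState* ssl_host_state_` is a raw pointer to an object that profile.cc keeps in a `scoped_ptr` on the profile, but the member comment says nothing about ownership or lifetime. Every certificate allow/deny query goes through this pointer, so a profile destroyed before its SSLManager would leave it dangling; whether that ordering is guaranteed is not visible in this diff. I would document the assumption at the member: `// SSL state specific for each host. Not owned; belongs to the profile, which must outlive this SSLManager.`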
@@ -460,5 +460,4 @@ class SSLManager : public NotificationObserver {
DISALLOW_COPY_AND_ASSIGN(SSLManager);
};
-#endif // CHROME_BROWSER_SSL_MANAGER_H_
-
+#endif // CHROME_BROWSER_SSL_SSL_MANAGER_H_