authorjww <jww@chromium.org>2015-04-22 10:41:52 -0700
committerCommit bot <commit-bot@chromium.org>2015-04-22 17:44:53 +0000
commit5a586e5039cf30c3071b14a8e1df105f08c6b06a (patch)
treece2880c5e1e009d1fe1f33756c03e7b59d285b4d /content/browser/ssl
parentba26bd8b9bd2c797f3457c930635866b0c0185a6 (diff)
Forget SSL error exceptions when good certs seen for regular requests.
Chrome remembers decisions by the user to proceed through SSL errors. However, it remembers this even after a good certificate has been seen for the given host. This change removes all previous exceptions for a given host after a good certificate is seen on a regular request, but not on redirects. In the SSLPolicy, this adds a call to RevokeUserAllowExceptions() on the SSLHostStateDelegate when a request response begins. This removes all prior exceptions for the specified host. However, there is currently no similar plumbing for redirects, so until that plumbing is built, revocation will not occur when a valid cert for a host is seen on redirect. BUG=473390 Review URL: https://codereview.chromium.org/1058003004 Cr-Commit-Position: refs/heads/master@{#326332}
Diffstat (limited to 'content/browser/ssl')
-rw-r--r--content/browser/ssl/ssl_policy.cc25
-rw-r--r--content/browser/ssl/ssl_policy_backend.cc14
-rw-r--r--content/browser/ssl/ssl_policy_backend.h7
3 files changed, 45 insertions, 1 deletions
diff --git a/content/browser/ssl/ssl_policy.cc b/content/browser/ssl/ssl_policy.cc
index 610f741..5a627fb 100644
--- a/content/browser/ssl/ssl_policy.cc
+++ b/content/browser/ssl/ssl_policy.cc
@@ -8,6 +8,7 @@
#include "base/bind.h"
#include "base/command_line.h"
#include "base/memory/singleton.h"
+#include "base/metrics/histogram_macros.h"
#include "base/strings/string_piece.h"
#include "base/strings/string_util.h"
#include "content/browser/frame_host/navigation_entry_impl.h"
@@ -26,6 +27,16 @@
namespace content {
+namespace {
+
+// Events for UMA. Do not reorder or change!
+enum SSLGoodCertSeenEvent {
+ NO_PREVIOUS_EXCEPTION = 0,
+ HAD_PREVIOUS_EXCEPTION = 1,
+ SSL_GOOD_CERT_SEEN_EVENT_MAX = 2
+};
+}
+
SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
: backend_(backend) {
DCHECK(backend_);
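Review bot: The anonymous namespace added here closes with a bare `}`, which is easy to misread as the end of `namespace content`; closing it as `}  // namespace` makes the scope explicit. The `Do not reorder or change!` comment on `SSLGoodCertSeenEvent` could also say that new values go immediately before `SSL_GOOD_CERT_SEEN_EVENT_MAX` and that the sentinel must be bumped, since the values are recorded in a histogram.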
@@ -110,8 +121,20 @@ void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
// this information back through WebKit and out some FrameLoaderClient
// methods.
- if (net::IsCertStatusError(info->ssl_cert_status()))
+ if (net::IsCertStatusError(info->ssl_cert_status())) {
backend_->HostRanInsecureContent(info->url().host(), info->child_id());
+ } else {
+ SSLGoodCertSeenEvent event = NO_PREVIOUS_EXCEPTION;
+ if (backend_->HasAllowException(info->url().host())) {
+ // If there's no certificate error, a good certificate has been seen, so
+ // clear out any exceptions that were made by the user for bad
+ // certificates.
+ backend_->RevokeUserAllowExceptions(info->url().host());
+ event = HAD_PREVIOUS_EXCEPTION;
+ }
+ UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.good_cert_seen", event,
+ SSL_GOOD_CERT_SEEN_EVENT_MAX);
+ }
}
void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry,
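Review bot: The new `else` branch treats every request whose `ssl_cert_status()` carries no error bit as "a good certificate has been seen", but nothing in the visible condition checks that a certificate was presented at all. The start of `OnRequestStarted` is outside the hunk, so this is inferred: if the handler also runs for plain-HTTP or otherwise certificate-less requests, those would revoke the user's exceptions for the host and be counted in `interstitial.ssl.good_cert_seen`. Consider gating the branch on the scheme and on an attached certificate, for example `} else if (info->url().SchemeIsCryptographic() && info->ssl_cert_id()) {`. A short comment should also note that revocation is keyed on `info->url().host()` only, so a valid certificate on any port clears the host's exceptions.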
diff --git a/content/browser/ssl/ssl_policy_backend.cc b/content/browser/ssl/ssl_policy_backend.cc
index 5c65874..a2626da 100644
--- a/content/browser/ssl/ssl_policy_backend.cc
+++ b/content/browser/ssl/ssl_policy_backend.cc
@@ -31,6 +31,20 @@ bool SSLPolicyBackend::DidHostRunInsecureContent(const std::string& host,
return ssl_host_state_delegate_->DidHostRunInsecureContent(host, pid);
}
+void SSLPolicyBackend::RevokeUserAllowExceptions(const std::string& host) {
+ if (!ssl_host_state_delegate_)
+ return;
+
+ ssl_host_state_delegate_->RevokeUserAllowExceptions(host);
+}
+
+bool SSLPolicyBackend::HasAllowException(const std::string& host) {
+ if (!ssl_host_state_delegate_)
+ return false;
+
+ return ssl_host_state_delegate_->HasAllowException(host);
+}
+
void SSLPolicyBackend::AllowCertForHost(const net::X509Certificate& cert,
const std::string& host,
net::CertStatus error) {
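Review bot: `SSLPolicyBackend::HasAllowException` only reads state, yet it is declared non-const here and in ssl_policy_backend.h. The neighbouring `DidHostRunInsecureContent` is `const`, so for consistency declare it `bool HasAllowException(const std::string& host) const;`, assuming the delegate's method permits that. Both new methods also fall back silently when `ssl_host_state_delegate_` is null, so a one-line comment at each early return saying that no delegate means no stored exceptions would help the next reader.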
diff --git a/content/browser/ssl/ssl_policy_backend.h b/content/browser/ssl/ssl_policy_backend.h
index 15ebe31..ed50c24 100644
--- a/content/browser/ssl/ssl_policy_backend.h
+++ b/content/browser/ssl/ssl_policy_backend.h
@@ -27,6 +27,13 @@ class SSLPolicyBackend {
// Returns whether the specified host ran insecure content.
bool DidHostRunInsecureContent(const std::string& host, int pid) const;
+ // Revokes all allow exceptions by the user for |host|.
+ void RevokeUserAllowExceptions(const std::string& host);
+
+ // Returns true if and only if a user exception has previously been made for
+ // |host|.
+ bool HasAllowException(const std::string& host);
+
// Records that |cert| is permitted to be used for |host| in the future, for
// a specific error type.
void AllowCertForHost(const net::X509Certificate& cert,
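Review bot: The header comment for `RevokeUserAllowExceptions` does not mention that the call is a silent no-op when the backend has no host-state delegate, which is what the implementation in ssl_policy_backend.cc does. Callers relying on it to clear a security exception cannot tell from the declaration that nothing may have happened. Suggested wording: `// Revokes all allow exceptions by the user for |host|. Does nothing if no SSLHostStateDelegate is available.`, with a matching sentence on `HasAllowException` stating that it returns false in that case.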