// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "content/browser/ssl/ssl_policy.h" #include "base/bind.h" #include "base/base_switches.h" #include "base/command_line.h" #include "base/memory/singleton.h" #include "base/string_piece.h" #include "base/string_util.h" #include "content/browser/renderer_host/render_process_host_impl.h" #include "content/browser/renderer_host/render_view_host_impl.h" #include "content/browser/site_instance_impl.h" #include "content/browser/ssl/ssl_cert_error_handler.h" #include "content/browser/ssl/ssl_request_info.h" #include "content/browser/web_contents/navigation_entry_impl.h" #include "content/browser/web_contents/web_contents_impl.h" #include "content/public/browser/content_browser_client.h" #include "content/public/common/ssl_status.h" #include "content/public/common/url_constants.h" #include "net/base/ssl_info.h" #include "webkit/glue/resource_type.h" using content::NavigationEntryImpl; using content::SiteInstance; using content::SSLStatus; namespace { static const char kDot = '.'; static bool IsIntranetHost(const std::string& host) { const size_t dot = host.find(kDot); return dot == std::string::npos || dot == host.length() - 1; } } // namespace SSLPolicy::SSLPolicy(SSLPolicyBackend* backend) : backend_(backend) { DCHECK(backend_); } void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) { // First we check if we know the policy for this error. net::CertPolicy::Judgment judgment = backend_->QueryPolicy(handler->ssl_info().cert, handler->request_url().host()); if (judgment == net::CertPolicy::ALLOWED) { handler->ContinueRequest(); return; } // The judgment is either DENIED or UNKNOWN. // For now we handle the DENIED as the UNKNOWN, which means a blocking // page is shown to the user every time he comes back to the page. switch (handler->cert_error()) { case net::ERR_CERT_COMMON_NAME_INVALID: case net::ERR_CERT_DATE_INVALID: case net::ERR_CERT_AUTHORITY_INVALID: case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: case net::ERR_CERT_WEAK_KEY: OnCertErrorInternal(handler, !handler->fatal(), handler->fatal()); break; case net::ERR_CERT_NO_REVOCATION_MECHANISM: // Ignore this error. handler->ContinueRequest(); break; case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION: // We ignore this error but will show a warning status in the location // bar. handler->ContinueRequest(); break; case net::ERR_CERT_CONTAINS_ERRORS: case net::ERR_CERT_REVOKED: case net::ERR_CERT_INVALID: case net::ERR_CERT_NOT_IN_DNS: OnCertErrorInternal(handler, false, handler->fatal()); break; default: NOTREACHED(); handler->CancelRequest(); break; } } void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry, const std::string& security_origin) { if (!entry) return; SiteInstance* site_instance = entry->site_instance(); if (!site_instance) return; backend_->HostRanInsecureContent(GURL(security_origin).host(), site_instance->GetProcess()->GetID()); } void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) { // TODO(abarth): This mechanism is wrong. What we should be doing is sending // this information back through WebKit and out some FrameLoaderClient // methods. if (net::IsCertStatusError(info->ssl_cert_status())) backend_->HostRanInsecureContent(info->url().host(), info->child_id()); } void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry, WebContentsImpl* web_contents) { DCHECK(entry); InitializeEntryIfNeeded(entry); if (!entry->GetURL().SchemeIsSecure()) return; // An HTTPS response may not have a certificate for some reason. When that // happens, use the unauthenticated (HTTP) rather than the authentication // broken security style so that we can detect this error condition. if (!entry->GetSSL().cert_id) { entry->GetSSL().security_style = content::SECURITY_STYLE_UNAUTHENTICATED; return; } if (!(entry->GetSSL().cert_status & net::CERT_STATUS_COMMON_NAME_INVALID)) { // CAs issue certificates for intranet hosts to everyone. Therefore, we // mark intranet hosts as being non-unique. if (IsIntranetHost(entry->GetURL().host())) { entry->GetSSL().cert_status |= net::CERT_STATUS_NON_UNIQUE_NAME; } } if (net::IsCertStatusError(entry->GetSSL().cert_status)) { // Minor errors don't lower the security style to // SECURITY_STYLE_AUTHENTICATION_BROKEN. if (!net::IsCertStatusMinorError(entry->GetSSL().cert_status)) { entry->GetSSL().security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN; } return; } SiteInstance* site_instance = entry->site_instance(); // Note that |site_instance| can be NULL here because NavigationEntries don't // necessarily have site instances. Without a process, the entry can't // possibly have insecure content. See bug http://crbug.com/12423. if (site_instance && backend_->DidHostRunInsecureContent( entry->GetURL().host(), site_instance->GetProcess()->GetID())) { entry->GetSSL().security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN; entry->GetSSL().content_status |= SSLStatus::RAN_INSECURE_CONTENT; return; } if (web_contents->DisplayedInsecureContent()) entry->GetSSL().content_status |= SSLStatus::DISPLAYED_INSECURE_CONTENT; } void SSLPolicy::OnAllowCertificate(scoped_refptr handler, bool allow) { if (allow) { // Default behavior for accepting a certificate. // Note that we should not call SetMaxSecurityStyle here, because the active // NavigationEntry has just been deleted (in HideInterstitialPage) and the // new NavigationEntry will not be set until DidNavigate. This is ok, // because the new NavigationEntry will have its max security style set // within DidNavigate. // // While AllowCertForHost() executes synchronously on this thread, // ContinueRequest() gets posted to a different thread. Calling // AllowCertForHost() first ensures deterministic ordering. backend_->AllowCertForHost(handler->ssl_info().cert, handler->request_url().host()); handler->ContinueRequest(); } else { // Default behavior for rejecting a certificate. // // While DenyCertForHost() executes synchronously on this thread, // CancelRequest() gets posted to a different thread. Calling // DenyCertForHost() first ensures deterministic ordering. backend_->DenyCertForHost(handler->ssl_info().cert, handler->request_url().host()); handler->CancelRequest(); } } //////////////////////////////////////////////////////////////////////////////// // Certificate Error Routines void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler, bool overridable, bool strict_enforcement) { if (handler->resource_type() != ResourceType::MAIN_FRAME) { // A sub-resource has a certificate error. The user doesn't really // have a context for making the right decision, so block the // request hard, without an info bar to allow showing the insecure // content. handler->DenyRequest(); return; } bool cancel_request = false; content::GetContentClient()->browser()->AllowCertificateError( handler->render_process_id(), handler->render_view_id(), handler->cert_error(), handler->ssl_info(), handler->request_url(), overridable, strict_enforcement, base::Bind(&SSLPolicy::OnAllowCertificate, base::Unretained(this), make_scoped_refptr(handler)), &cancel_request); if (cancel_request) handler->CancelRequest(); } void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) { if (entry->GetSSL().security_style != content::SECURITY_STYLE_UNKNOWN) return; entry->GetSSL().security_style = entry->GetURL().SchemeIsSecure() ? content::SECURITY_STYLE_AUTHENTICATED : content::SECURITY_STYLE_UNAUTHENTICATED; } void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) { GURL parsed_origin(origin); if (parsed_origin.SchemeIsSecure()) backend_->HostRanInsecureContent(parsed_origin.host(), pid); }