      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CONTENT_BROWSER_SSL_SSL_POLICY_H_
      6 #define CONTENT_BROWSER_SSL_SSL_POLICY_H_
      7 
      8 #include <string>
      9 
     10 #include "base/memory/ref_counted.h"
     11 #include "content/public/common/resource_type.h"
     12 
     13 namespace content {
     14 class NavigationEntryImpl;
     15 class SSLCertErrorHandler;
     16 class SSLPolicyBackend;
     17 class SSLRequestInfo;
     18 class WebContentsImpl;
     19 
     20 // SSLPolicy
     21 //
     22 // This class is responsible for making the security decisions that concern the
     23 // SSL trust indicators.  It relies on the SSLPolicyBackend to actually enact
     24 // the decisions it reaches.
     25 //
class SSLPolicy {
 public:
  // |backend| is kept as a raw pointer in |backend_| and is never freed by this
  // class, so it is presumably owned elsewhere and must outlive the SSLPolicy
  // -- TODO(review): confirm against the owner's lifetime.
  explicit SSLPolicy(SSLPolicyBackend* backend);

  // An error occurred with the certificate in an SSL connection.
  // This is the entry point for a security-critical decision: whether the
  // error can be shown as overridable or must block the connection.
  void OnCertError(SSLCertErrorHandler* handler);

  // The page represented by |entry| ran insecure content from
  // |security_origin|. NOTE(review): the resulting change to |entry|'s
  // security state is decided in the .cc; confirm there before relying on it.
  void DidRunInsecureContent(NavigationEntryImpl* entry,
                             const std::string& security_origin);

  // We have started a resource request with the given info.
  void OnRequestStarted(SSLRequestInfo* info);

  // Update the SSL information in |entry| to match the current state.
  // |web_contents| is the WebContentsImpl associated with this entry.
  void UpdateEntry(NavigationEntryImpl* entry,
                   WebContentsImpl* web_contents);

  // Returns the non-owning backend pointer this policy enacts decisions
  // through.
  SSLPolicyBackend* backend() const { return backend_; }

 private:
  // Bit flags combined into the |options_mask| of OnCertErrorInternal.
  // Each value occupies its own bit so they can be OR-ed together.
  enum OnCertErrorInternalOptionsMask {
    OVERRIDABLE = 1 << 0,
    STRICT_ENFORCEMENT = 1 << 1,
    EXPIRED_PREVIOUS_DECISION = 1 << 2
  };

  // Callback that the user chose to accept or deny the certificate.
  // |handler| is passed as a scoped_refptr, which keeps the error handler
  // alive until the decision arrives -- presumably because the decision is
  // asynchronous; verify in the .cc. |allow| == true proceeds despite the
  // certificate error.
  void OnAllowCertificate(scoped_refptr<SSLCertErrorHandler> handler,
                          bool allow);

  // Shared helper for handling certificate errors. It is private, so despite
  // older wording it is not reachable from derived classes.
  //
  // Options should be a bitmask combination of OnCertErrorInternalOptionsMask.
  // OVERRIDABLE indicates whether or not the user could (assuming perfect
  // knowledge) successfully override the error and still get the security
  // guarantees of TLS. STRICT_ENFORCEMENT indicates whether or not the site the
  // user is trying to connect to has requested strict enforcement of
  // certificate validation (e.g. with HTTP Strict-Transport-Security).
  // EXPIRED_PREVIOUS_DECISION indicates whether a user decision had been
  // previously made but the decision has expired.
  //
  // NOTE(review): OVERRIDABLE and STRICT_ENFORCEMENT are independent inputs
  // here; HSTS (RFC 6797) requires that certificate errors for a strictly
  // enforced host are not user-overridable, so the precedence between the two
  // flags is decided in the .cc and should be checked there.
  void OnCertErrorInternal(SSLCertErrorHandler* handler, int options_mask);

  // If the security style of |entry| has not been initialized, then initialize
  // it with the default style for its URL.
  void InitializeEntryIfNeeded(NavigationEntryImpl* entry);

  // Mark |origin| as having run insecure content in the process with ID |pid|.
  void OriginRanInsecureContent(const std::string& origin, int pid);

  // The backend we use to enact our decisions. Non-owning; see the constructor.
  SSLPolicyBackend* backend_;

  DISALLOW_COPY_AND_ASSIGN(SSLPolicy);
};
     81 
     82 }  // namespace content
     83 
     84 #endif  // CONTENT_BROWSER_SSL_SSL_POLICY_H_
     85