Show mixed form warning for mixed forms that submit to new tab

Previously forms on secure sites that submit to an insecure target, but
that submitted on a new tab (with target=_blank) showed the on form
warning but not the on-submit one. This CL fixes it.

Pending work: Like other interstitials for navigations on new tabs,
this will go back to the NTP if Go Back is selected, it might make
more sense to close the new tab in this case, but in the interest of
keeping the CL simple for merging, this will be done on a separate CL,
which won't be merged.

Bug: 1134466
Change-Id: I6169fef6bd368f9c8ca054d7bbd8f96e50490956
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2451549
Commit-Queue: Carlos IL <carlosil@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Auto-Submit: Carlos IL <carlosil@chromium.org>
Cr-Commit-Position: refs/heads/master@{#814059}

chrome/browser/ssl/ssl_browsertest.cc

@@ -6234,6 +6234,33 @@ IN_PROC_BROWSER_TEST_F(SSLUITestWithInsecureFormsWarningEnabled,
             security_interstitials::InsecureFormBlockingPage::kTypeForTesting);
 }
 
+// Checks insecure form warning works for forms that submit on a new tab.
+IN_PROC_BROWSER_TEST_F(SSLUITestWithInsecureFormsWarningEnabled,
+                       TestDisplaysInsecureFormSubmissionWarningTargetBlank) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  ASSERT_TRUE(https_server_.Start());
+
+  std::string replacement_path = GetFilePathWithHostAndPortReplacement(
+      "/ssl/page_displays_insecure_form_target_blank.html",
+      embedded_test_server()->host_port_pair());
+
+  ui_test_utils::NavigateToURL(browser(),
+                               https_server_.GetURL(replacement_path));
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  content::TestNavigationObserver nav_observer(tab, 1);
+  nav_observer.StartWatchingNewWebContents();
+  ASSERT_TRUE(content::ExecuteScript(tab, "submitForm();"));
+  nav_observer.Wait();
+  tab = browser()->tab_strip_model()->GetActiveWebContents();
+  security_interstitials::SecurityInterstitialTabHelper* helper =
+      security_interstitials::SecurityInterstitialTabHelper::FromWebContents(
+          tab);
+  EXPECT_TRUE(helper->IsDisplayingInterstitial());
+  EXPECT_EQ(helper->GetBlockingPageForCurrentlyCommittedNavigationForTesting()
+                ->GetTypeForTesting(),
+            security_interstitials::InsecureFormBlockingPage::kTypeForTesting);
+}
+
 // Check proceed works correctly on insecure form warning.
 IN_PROC_BROWSER_TEST_F(SSLUITestWithInsecureFormsWarningEnabled,
                        ProceedThroughInsecureFormWarning) {

chrome/test/data/ssl/page_displays_insecure_form_target_blank.html

+<html>
+<head><title>Page that displays an insecure form with target=_blank</title>
+<script>
+ function submitForm() {
+   form = document.getElementById("insecureForm");
+   form.submit();
+ }
+</script>
+</head>
+<body>
+This page contains an form which targets a non-secure URL on a new tab,
+causing insecure content (when this page is loaded over https).<br>
+<form id="insecureForm" target="_blank" action="http://does-not-exist.test/ssl/google_files/logo.gif">
+<input type="submit" />
+</form>
+
+</body>
+</html>

components/security_interstitials/content/insecure_form_navigation_throttle.cc

@@ -42,8 +42,11 @@ InsecureFormNavigationThrottle::WillStartRequest() {
   if (!handle->IsFormSubmission())
     return content::NavigationThrottle::PROCEED;
   content::WebContents* contents = handle->GetWebContents();
+
+  url::Origin form_originating_origin =
+      handle->GetInitiatorOrigin().value_or(url::Origin());
   if (!IsInsecureFormAction(handle->GetURL()) ||
-      !contents->GetLastCommittedURL().SchemeIs(url::kHttpsScheme)) {
+      !(form_originating_origin.scheme() == url::kHttpsScheme)) {
     // Currently we only warn for insecure forms in secure pages.
     return content::NavigationThrottle::PROCEED;
   }