Add safety tips explanations to devtools

This CL adds summaries and explanations for safety tips to the
security tab of devtools. It assigns the precedence of warnings
as SafeBrowsing > Safety Tips > Connection status.

Bug: 1013374
Change-Id: I62524947a8c4588af78a430e0565e0969b8dc3bb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1856680
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Christopher Thompson <cthomp@chromium.org>
Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#706169}

components/security_state/content/content_utils.cc

@@ -90,7 +90,10 @@ void ExplainSafeBrowsingSecurity(
   content::SecurityStyleExplanation explanation(
       l10n_util::GetStringUTF8(IDS_SAFEBROWSING_WARNING_SUMMARY),
       l10n_util::GetStringUTF8(IDS_SAFEBROWSING_WARNING_DESCRIPTION));
-  security_style_explanations->insecure_explanations.push_back(explanation);
+
+  // Always insert SafeBrowsing explanation at the front.
+  security_style_explanations->insecure_explanations.insert(
+      security_style_explanations->insecure_explanations.begin(), explanation);
 }
 
 void ExplainCertificateSecurity(
@@ -279,6 +282,51 @@ void ExplainConnectionSecurity(
       std::move(recommendations));
 }
 
+void ExplainSafetyTipSecurity(
+    const security_state::VisibleSecurityState& visible_security_state,
+    content::SecurityStyleExplanations* security_style_explanations) {
+  std::vector<content::SecurityStyleExplanation> explanations;
+
+  switch (visible_security_state.safety_tip_status) {
+    case security_state::SafetyTipStatus::kBadReputation:
+      explanations.emplace_back(
+          l10n_util::GetStringUTF8(
+              IDS_PAGE_INFO_SAFETY_TIP_BAD_REPUTATION_TITLE),
+          l10n_util::GetStringUTF8(
+              IDS_SECURITY_TAB_SAFETY_TIP_BAD_REPUTATION_DESCRIPTION));
+      break;
+
+    case security_state::SafetyTipStatus::kLookalike:
+      explanations.emplace_back(
+          l10n_util::GetStringUTF8(
+              IDS_SECURITY_TAB_SAFETY_TIP_LOOKALIKE_SUMMARY),
+          l10n_util::GetStringUTF8(
+              IDS_SECURITY_TAB_SAFETY_TIP_LOOKALIKE_DESCRIPTION));
+      break;
+
+    case security_state::SafetyTipStatus::kBadKeyword:
+      NOTREACHED();
+      return;
+
+    case security_state::SafetyTipStatus::kNone:
+    case security_state::SafetyTipStatus::kUnknown:
+      return;
+  }
+
+  if (!explanations.empty()) {
+    // To avoid overwriting SafeBrowsing's title, set the main summary only if
+    // it's empty. The title set here can be overridden by later checks (e.g.
+    // bad HTTP).
+    if (security_style_explanations->summary.empty()) {
+      security_style_explanations->summary = l10n_util::GetStringUTF8(
+          IDS_PAGE_INFO_SAFETY_TIP_BAD_REPUTATION_TITLE);
+    }
+    DCHECK_EQ(1u, explanations.size());
+    security_style_explanations->insecure_explanations.push_back(
+        explanations[0]);
+  }
+}
+
 void ExplainContentSecurity(
     const security_state::VisibleSecurityState& visible_security_state,
     content::SecurityStyleExplanations* security_style_explanations) {
@@ -415,6 +463,11 @@ blink::SecurityStyle GetSecurityStyle(
   const blink::SecurityStyle security_style =
       SecurityLevelToSecurityStyle(security_level);
 
+  // Safety tips come after SafeBrowsing but before HTTP warnings.
+  // ExplainSafeBrowsingSecurity always inserts warnings to the front, so
+  // doing safety tips check here works.
+  ExplainSafetyTipSecurity(visible_security_state, security_style_explanations);
+
   if (visible_security_state.malicious_content_status !=
       security_state::MALICIOUS_CONTENT_STATUS_NONE) {
     ExplainSafeBrowsingSecurity(visible_security_state,

components/security_state/content/content_utils_unittest.cc

@@ -11,6 +11,8 @@
 #include "base/command_line.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
+#include "components/security_state/core/features.h"
 #include "components/security_state/core/security_state.h"
 #include "components/strings/grit/components_strings.h"
 #include "content/public/browser/security_style_explanation.h"
@@ -651,6 +653,90 @@ TEST(SecurityStateContentUtilsTest, SafeBrowsingExplanation) {
   EXPECT_EQ(1u, explanations.insecure_explanations.size());
 }
 
+// Tests that a bad reputation warning in VisibleSecurityState causes an
+// insecure explanation to be set.
+TEST(SecurityStateContentUtilsTest, SafetyTipExplanation) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitAndEnableFeature(
+      security_state::features::kSafetyTipUI);
+
+  security_state::VisibleSecurityState visible_security_state;
+  visible_security_state.cert_status = 0;
+  visible_security_state.url = GURL("https://scheme-is-cryptographic.test");
+  visible_security_state.malicious_content_status =
+      security_state::MALICIOUS_CONTENT_STATUS_NONE;
+  visible_security_state.safety_tip_status =
+      security_state::SafetyTipStatus::kBadReputation;
+  content::SecurityStyleExplanations explanations;
+  GetSecurityStyle(security_state::WARNING, visible_security_state,
+                   &explanations);
+
+  EXPECT_EQ(
+      l10n_util::GetStringUTF8(IDS_PAGE_INFO_SAFETY_TIP_BAD_REPUTATION_TITLE),
+      explanations.summary);
+  EXPECT_EQ(1u, explanations.insecure_explanations.size());
+}
+
+// Tests that a Safebrowsing warning and a bad reputation warning in
+// VisibleSecurityState causes two insecure explanations to be set, while
+// keeping the title SafeBrowsing related.
+TEST(SecurityStateContentUtilsTest,
+     SafetyTipExplanation_WithSafeBrowsingError) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitAndEnableFeature(
+      security_state::features::kSafetyTipUI);
+
+  security_state::VisibleSecurityState visible_security_state;
+  visible_security_state.cert_status = 0;
+  visible_security_state.url = GURL("https://scheme-is-cryptographic.test");
+  visible_security_state.malicious_content_status =
+      security_state::MALICIOUS_CONTENT_STATUS_MALWARE;
+  visible_security_state.safety_tip_status =
+      security_state::SafetyTipStatus::kBadReputation;
+  content::SecurityStyleExplanations explanations;
+  GetSecurityStyle(security_state::DANGEROUS, visible_security_state,
+                   &explanations);
+  // When there is also a SafeBrowsing warning, the title must be related to
+  // SafeBrowsing.
+  EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SAFEBROWSING_WARNING),
+            explanations.summary);
+
+  EXPECT_EQ(2u, explanations.insecure_explanations.size());
+  EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SAFEBROWSING_WARNING_SUMMARY),
+            explanations.insecure_explanations[0].summary);
+  EXPECT_EQ(
+      l10n_util::GetStringUTF8(IDS_PAGE_INFO_SAFETY_TIP_BAD_REPUTATION_TITLE),
+      explanations.insecure_explanations[1].summary);
+}
+
+// Tests that a Safebrowsing warning and safety tip status of None in
+// VisibleSecurityState causes only one insecure explanation to be set.
+TEST(SecurityStateContentUtilsTest,
+     SafetyTipExplanationNone_WithSafeBrowsingError) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitAndEnableFeature(
+      security_state::features::kSafetyTipUI);
+
+  security_state::VisibleSecurityState visible_security_state;
+  visible_security_state.cert_status = 0;
+  visible_security_state.url = GURL("https://scheme-is-cryptographic.test");
+  visible_security_state.malicious_content_status =
+      security_state::MALICIOUS_CONTENT_STATUS_MALWARE;
+  visible_security_state.safety_tip_status =
+      security_state::SafetyTipStatus::kNone;
+  content::SecurityStyleExplanations explanations;
+  GetSecurityStyle(security_state::DANGEROUS, visible_security_state,
+                   &explanations);
+  // When there is also a SafeBrowsing warning, the title must be related to
+  // SafeBrowsing.
+  EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SAFEBROWSING_WARNING),
+            explanations.summary);
+
+  EXPECT_EQ(1u, explanations.insecure_explanations.size());
+  EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SAFEBROWSING_WARNING_SUMMARY),
+            explanations.insecure_explanations[0].summary);
+}
+
 // NSS requires that serial numbers be unique even for the same issuer;
 // as all fake certificates will contain the same issuer name, it's
 // necessary to ensure the serial number is unique, as otherwise

components/security_state_strings.grdp

@@ -141,4 +141,25 @@
   <message name="IDS_NON_SECURE_FORM_DESCRIPTION" desc="" translateable="false">
     This page includes a form with a non-secure "action" attribute.
   </message>
+
+  <!-- Safety tips -->
+
+  <message name="IDS_PAGE_INFO_SAFETY_TIP_BAD_REPUTATION_SUMMARY" desc="Message to display in devtools security tab when the page you are on triggered a safety tip.">
+    This page is suspicious.
+  </message>
+  <message name="IDS_SECURITY_TAB_SAFETY_TIP_BAD_REPUTATION_DESCRIPTION" desc="Body of
+    message to display in devtools security tab when you are viewing a page that
+    triggered a safety tip.">
+    Chrome has determined that this site could be fake or fraudulent.
+
+    If you believe this is shown in error please visit https://bugs.chromium.org/p/chromium/issues/entry?template=Safety+Tips+Appeals.
+  </message>
+  <message name="IDS_SECURITY_TAB_SAFETY_TIP_LOOKALIKE_SUMMARY" desc="Summary of a warning when the user visits a page that triggered a Safety Tip because the domain looked like another domain.">
+    Possible spoofing URL
+  </message>
+  <message name="IDS_SECURITY_TAB_SAFETY_TIP_LOOKALIKE_DESCRIPTION" desc="Body of a warning when the user visits a page that triggered a Safety Tip because the domain looked like another domain.">
+    This site's hostname looks similar to <ph name='LOOKALIKE_DOMAIN'>$1<ex>google.com</ex></ph>. Attackers sometimes mimic sites by making small, hard-to-see changes to the domain name.
+
+    If you believe this is shown in error please visit https://bugs.chromium.org/p/chromium/issues/entry?template=Safety+Tips+Appeals.
+  </message>
 </grit-part>