AW: block malicious unwanted software

This adds support in WebView for blocking Malicious Unwanted Software
(MUwS, UwS) AKA "Harmful software" via Safe Browsing.

In this CL, we do the following:

 * Add new strings for the quiet MUwS interstitial (which is only used
   by WebView). These strings live in assets/stored-locales/ in the APK.
 * Whitelist the quiet MUwS strings (from the previous bullet point) as
   well as the previously chrome-only loud MUwS strings. These strings
   move from assets/locales/ (compressed, chrome-only resources) to
   assets/stored-locales/ (uncompressed, chrome+webview resources) in
   the APK.
 * Change WebView's declared list of threats to include MUwS
 * Change testSafeBrowsingDoesNotBlockUnwantedSoftwarePages, since this
   assertion is no longer valid. Change this to ensure we *do* block
   MUwS pages
 * Add a new test to ensure we can show quiet interstitials for MUwS
 * Change SafeBrowsingQuietErrorUI to respond to MUwS, and refactor it
   to be more similar to the LoudErrorUI.

This change causes the following APK size changes (measurements taken
with is_official_build = true), after unzipping the APKs with `unzip -lv
$APK | grep 'pak'`.

Monochrome:
 * assets/locales/en-US.pak: 20068 -> 19926 (-142) (improvement)
 * assets/stored-locales/en-US.pak: 7773 -> 8472 (+669)
SystemWebViewGoogle:
 * assets/stored-locales/en-US.pak: 7773 -> 8472 (+669)

A later follow-up will add this page to chrome://interstitials.

Bug: 729268
Bug: 729271
Bug: 729272
Test: run_webview_instrumentation_test_apk -f SafeBrowsingTest#*
Test: Manual - load big and small interstitials, verify it looks correct
Change-Id: I79e81f48d8b2ceb1ddcad7fab2d3bed3fcb479ae
Reviewed-on: https://chromium-review.googlesource.com/1182945
Commit-Queue: Nate Fischer <ntfschr@chromium.org>
Reviewed-by: Tao Bai <michaelbai@chromium.org>
Reviewed-by: Changwan Ryu <changwan@chromium.org>
Reviewed-by: Nathan Parker <nparker@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585268}

android_webview/browser/aw_url_checker_delegate_impl.cc

@@ -28,7 +28,8 @@ AwUrlCheckerDelegateImpl::AwUrlCheckerDelegateImpl(
       ui_manager_(std::move(ui_manager)),
       threat_types_(safe_browsing::CreateSBThreatTypeSet(
           {safe_browsing::SB_THREAT_TYPE_URL_MALWARE,
-           safe_browsing::SB_THREAT_TYPE_URL_PHISHING})),
+           safe_browsing::SB_THREAT_TYPE_URL_PHISHING,
+           safe_browsing::SB_THREAT_TYPE_URL_UNWANTED})),
       whitelist_manager_(whitelist_manager) {}
 
 AwUrlCheckerDelegateImpl::~AwUrlCheckerDelegateImpl() = default;

android_webview/javatests/src/org/chromium/android_webview/test/SafeBrowsingTest.java

@@ -152,10 +152,6 @@ public class SafeBrowsingTest {
             final String metadata;
             Arrays.sort(threatsOfInterest);
 
-            // TODO(ntfschr): remove this assert once we support Unwanted Software warnings
-            // (crbug/729272)
-            Assert.assertEquals(Arrays.binarySearch(threatsOfInterest, UNWANTED_SOFTWARE_CODE), -1);
-
             if (uri.endsWith(PHISHING_HTML_PATH)
                     && Arrays.binarySearch(threatsOfInterest, PHISHING_CODE) >= 0) {
                 metadata = buildMetadataFromCode(PHISHING_CODE);
@@ -473,14 +469,13 @@ public class SafeBrowsingTest {
     @Test
     @SmallTest
     @Feature({"AndroidWebView"})
-    public void testSafeBrowsingDoesNotBlockUnwantedSoftwarePages() throws Throwable {
-        // TODO(ntfschr): this is a temporary check until we add support for Unwanted Software
-        // warnings (crbug/729272)
+    public void testSafeBrowsingBlocksUnwantedSoftwarePages() throws Throwable {
         loadGreenPage();
-        final String responseUrl = mTestServer.getURL(UNWANTED_SOFTWARE_HTML_PATH);
-        mActivityTestRule.loadUrlSync(
-                mAwContents, mContentsClient.getOnPageFinishedHelper(), responseUrl);
-        assertTargetPageHasLoaded(UNWANTED_SOFTWARE_PAGE_BACKGROUND_COLOR);
+        loadPathAndWaitForInterstitial(UNWANTED_SOFTWARE_HTML_PATH);
+        assertGreenPageNotShowing();
+        assertTargetPageNotShowing(UNWANTED_SOFTWARE_PAGE_BACKGROUND_COLOR);
+        // Assume that we are rendering the interstitial, since we see neither the previous page nor
+        // the target page
     }
 
     @Test
@@ -738,6 +733,17 @@ public class SafeBrowsingTest {
         assertTargetPageNotShowing(PHISHING_PAGE_BACKGROUND_COLOR);
     }
 
+    @Test
+    @SmallTest
+    @Feature({"AndroidWebView"})
+    public void testSafeBrowsingCanShowQuietUnwantedSoftwareInterstitial() throws Throwable {
+        mAwContents.setCanShowBigInterstitial(false);
+        loadGreenPage();
+        loadPathAndWaitForInterstitial(UNWANTED_SOFTWARE_HTML_PATH);
+        assertGreenPageNotShowing();
+        assertTargetPageNotShowing(UNWANTED_SOFTWARE_PAGE_BACKGROUND_COLOR);
+    }
+
     @Test
     @SmallTest
     @Feature({"AndroidWebView"})

android_webview/ui/grit_strings_whitelist.txt

@@ -11,6 +11,11 @@ IDS_MALWARE_V3_PRIMARY_PARAGRAPH
 IDS_MALWARE_V3_EXPLANATION_PARAGRAPH
 IDS_MALWARE_V3_EXPLANATION_PARAGRAPH_SUBRESOURCE
 IDS_MALWARE_V3_PROCEED_PARAGRAPH
+IDS_HARMFUL_V3_HEADING
+IDS_HARMFUL_V3_PRIMARY_PARAGRAPH
+IDS_HARMFUL_V3_EXPLANATION_PARAGRAPH
+IDS_HARMFUL_V3_EXPLANATION_PARAGRAPH_SUBRESOURCE
+IDS_HARMFUL_V3_PROCEED_PARAGRAPH
 IDS_SAFE_BROWSING_PRIVACY_POLICY_PAGE
 IDS_SAFE_BROWSING_MALWARE_REPORTING_AGREE
 IDS_SAFE_BROWSING_SCOUT_REPORTING_AGREE
@@ -22,4 +27,6 @@ IDS_MALWARE_WEBVIEW_HEADING
 IDS_MALWARE_WEBVIEW_EXPLANATION_PARAGRAPH
 IDS_PHISHING_WEBVIEW_HEADING
 IDS_PHISHING_WEBVIEW_EXPLANATION_PARAGRAPH
+IDS_HARMFUL_WEBVIEW_HEADING
+IDS_HARMFUL_WEBVIEW_EXPLANATION_PARAGRAPH
 IDS_SB_UNDER_CONSTRUCTION

components/security_interstitials/core/safe_browsing_quiet_error_ui.cc

@@ -61,25 +61,20 @@ void SafeBrowsingQuietErrorUI::PopulateStringsForHtml(
       l10n_util::GetStringUTF16(IDS_SAFEBROWSING_V3_OPEN_DETAILS_BUTTON));
   load_time_data->SetBoolean("is_giant", is_giant_webview_);
 
-  bool phishing =
-      interstitial_reason() == BaseSafeBrowsingErrorUI::SB_REASON_PHISHING;
-  load_time_data->SetBoolean("phishing", phishing);
-  load_time_data->SetString(
-      "heading", phishing
-                     ? l10n_util::GetStringUTF16(IDS_PHISHING_WEBVIEW_HEADING)
-                     : l10n_util::GetStringUTF16(IDS_MALWARE_WEBVIEW_HEADING));
-
-  int explanation_ids = -1;
-  if (phishing)
-    explanation_ids = IDS_PHISHING_WEBVIEW_EXPLANATION_PARAGRAPH;
-  else if (interstitial_reason() == BaseSafeBrowsingErrorUI::SB_REASON_MALWARE)
-    explanation_ids = IDS_MALWARE_WEBVIEW_EXPLANATION_PARAGRAPH;
-
-  if (explanation_ids > -1) {
-    load_time_data->SetString("explanationParagraph",
-                              l10n_util::GetStringUTF16(explanation_ids));
-  } else {
-    NOTREACHED();
+  switch (interstitial_reason()) {
+    case BaseSafeBrowsingErrorUI::SB_REASON_MALWARE:
+      PopulateMalwareLoadTimeData(load_time_data);
+      break;
+    case BaseSafeBrowsingErrorUI::SB_REASON_HARMFUL:
+      PopulateHarmfulLoadTimeData(load_time_data);
+      break;
+    case BaseSafeBrowsingErrorUI::SB_REASON_PHISHING:
+      PopulatePhishingLoadTimeData(load_time_data);
+      break;
+    case BaseSafeBrowsingErrorUI::SB_REASON_BILLING:
+      // This is not currently handled in WebView.
+      NOTREACHED();
+      break;
   }
 
   // Not used by this interstitial.
@@ -124,6 +119,36 @@ void SafeBrowsingQuietErrorUI::HandleCommand(
   }
 }
 
+void SafeBrowsingQuietErrorUI::PopulateMalwareLoadTimeData(
+    base::DictionaryValue* load_time_data) {
+  load_time_data->SetBoolean("phishing", false);
+  load_time_data->SetString(
+      "heading", l10n_util::GetStringUTF16(IDS_MALWARE_WEBVIEW_HEADING));
+  load_time_data->SetString(
+      "explanationParagraph",
+      l10n_util::GetStringUTF16(IDS_MALWARE_WEBVIEW_EXPLANATION_PARAGRAPH));
+}
+
+void SafeBrowsingQuietErrorUI::PopulateHarmfulLoadTimeData(
+    base::DictionaryValue* load_time_data) {
+  load_time_data->SetBoolean("phishing", false);
+  load_time_data->SetString(
+      "heading", l10n_util::GetStringUTF16(IDS_HARMFUL_WEBVIEW_HEADING));
+  load_time_data->SetString(
+      "explanationParagraph",
+      l10n_util::GetStringUTF16(IDS_HARMFUL_WEBVIEW_EXPLANATION_PARAGRAPH));
+}
+
+void SafeBrowsingQuietErrorUI::PopulatePhishingLoadTimeData(
+    base::DictionaryValue* load_time_data) {
+  load_time_data->SetBoolean("phishing", true);
+  load_time_data->SetString(
+      "heading", l10n_util::GetStringUTF16(IDS_PHISHING_WEBVIEW_HEADING));
+  load_time_data->SetString(
+      "explanationParagraph",
+      l10n_util::GetStringUTF16(IDS_PHISHING_WEBVIEW_EXPLANATION_PARAGRAPH));
+}
+
 int SafeBrowsingQuietErrorUI::GetHTMLTemplateId() const {
   return IDR_SECURITY_INTERSTITIAL_QUIET_HTML;
 };

components/security_interstitials/core/safe_browsing_quiet_error_ui.h

@@ -47,6 +47,10 @@ class SafeBrowsingQuietErrorUI
   int GetHTMLTemplateId() const override;
 
  private:
+  void PopulateMalwareLoadTimeData(base::DictionaryValue* load_time_data);
+  void PopulateHarmfulLoadTimeData(base::DictionaryValue* load_time_data);
+  void PopulatePhishingLoadTimeData(base::DictionaryValue* load_time_data);
+
   bool is_giant_webview_;
 
   DISALLOW_COPY_AND_ASSIGN(SafeBrowsingQuietErrorUI);

components/security_interstitials_strings.grdp

@@ -305,6 +305,13 @@
   <message name="IDS_PHISHING_WEBVIEW_EXPLANATION_PARAGRAPH" desc="The explanation of why Safe Browsing has blocked the page. Allows the user to proceed using a link.">
     This content might try to trick you into installing software or revealing personal information. <ph name="BEGIN_LINK">&lt;a href="#" id="proceed-link"&gt;</ph>Show anyway<ph name="END_LINK">&lt;/a&gt;</ph>
   </message>
+  <message name="IDS_HARMFUL_WEBVIEW_HEADING" desc="The heading of the unwanted software interstitial on medium sized Webview.">
+    Harmful content blocked.
+  </message>
+  <message name="IDS_HARMFUL_WEBVIEW_EXPLANATION_PARAGRAPH" desc="The explanation of why Safe Browsing has blocked the page. Allows the user to proceed using a link.">
+    This content might try to install deceptive apps that pretend to be something else or collect data that may be used to track you. <ph name="BEGIN_LINK">&lt;a href="#" id="proceed-link"&gt;</ph>Show anyway<ph name="END_LINK">&lt;/a&gt;</ph>
+  </message>
+
   <message name="IDS_CONNECTION_HELP_SHOW_MORE" desc="The button label to expand sections for the chrome://connection-help site. Paired with IDS_CONNECTION_HELP_SHOW_LESS">
     Show More
   </message>