[MIX-DL] Make MIX-DL blocking respect InsecureContentAllowedForUrls.

This CL makes MIX-DL blocking check the appropriate site setting for permitting mixed content. This allows controlling MIX-DL blocking with the "Insecure content" site setting, which can be set with the InsecureContentAllowedForUrls group policy. Bug: 1041695 Change-Id: I6e20ddc827a4034259ea6790965232af860c2292 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2036639Reviewed-by: Xing Liu <xingliu@chromium.org> Reviewed-by: Carlos IL <carlosil@chromium.org> Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org> Cr-Commit-Position: refs/heads/master@{#738597}

[MIX-DL] Make MIX-DL blocking respect InsecureContentAllowedForUrls.
This CL makes MIX-DL blocking check the appropriate site setting for permitting mixed content. This allows controlling MIX-DL blocking with the "Insecure content" site setting, which can be set with the InsecureContentAllowedForUrls group policy. Bug: 1041695 Change-Id: I6e20ddc827a4034259ea6790965232af860c2292 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2036639Reviewed-by: Xing Liu <xingliu@chromium.org> Reviewed-by: Carlos IL <carlosil@chromium.org> Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org> Cr-Commit-Position: refs/heads/master@{#738597}
7259fe2d · Joe DeBlasio · Commit Bot · c45fdfa7 · 7259fe2d · 7259fe2d
Commit 7259fe2d authored Feb 05, 2020 by Joe DeBlasio Committed by Commit Bot Feb 05, 2020
4 changed files
--- a/chrome/browser/download/chrome_download_manager_delegate.cc
+++ b/chrome/browser/download/chrome_download_manager_delegate.cc
@@ -785,7 +785,8 @@ void ChromeDownloadManagerDelegate::GetMixedContentStatus(
    const base::FilePath& virtual_path,
    const GetMixedContentStatusCallback& callback) {
  DCHECK(download);
-  callback.Run(GetMixedContentStatusForDownload(virtual_path, download));
+  callback.Run(
+      GetMixedContentStatusForDownload(profile_, virtual_path, download));
 }
 void ChromeDownloadManagerDelegate::NotifyExtensions(

--- a/chrome/browser/download/chrome_download_manager_delegate_unittest.cc
+++ b/chrome/browser/download/chrome_download_manager_delegate_unittest.cc
@@ -24,6 +24,7 @@
 #include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
+#include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/download/download_item_model.h"
 #include "chrome/browser/download/download_prefs.h"
 #include "chrome/browser/download/download_target_info.h"
@@ -39,6 +40,8 @@
 #include "chrome/test/base/testing_browser_process.h"
 #include "chrome/test/base/testing_profile.h"
 #include "chrome/test/base/testing_profile_manager.h"
+#include "components/content_settings/core/browser/host_content_settings_map.h"
+#include "components/content_settings/core/common/content_settings.h"
 #include "components/download/public/common/download_interrupt_reasons.h"
 #include "components/download/public/common/mock_download_item.h"
 #include "components/prefs/pref_service.h"
@@ -1191,6 +1194,62 @@ TEST_F(ChromeDownloadManagerDelegateTest, BlockedAsActiveContent_Block) {
      download::DownloadItem::MixedContentStatus::BLOCK);
 }
+// TODO(crbug.com/1048957): Checking content settings crashes unit tests on
+// Android. It shouldn't.
+#if defined(OS_ANDROID)
+#define MAYBE_BlockedAsActiveContent_PolicyOverride \
+  DISABLED_BlockedAsActiveContent_PolicyOverride
+#else
+#define MAYBE_BlockedAsActiveContent_PolicyOverride \
+  BlockedAsActiveContent_PolicyOverride
+#endif
+TEST_F(ChromeDownloadManagerDelegateTest,
+       MAYBE_BlockedAsActiveContent_PolicyOverride) {
+  // Verifies that active mixed content download blocking is overridden by the
+  // "Insecure content" site setting.
+  const GURL kInsecureWarnableFile("http://example.com/foo.warn_for_testing");
+  const GURL kInsecureBlockableFile("http://example.com/foo.exe");
+  const GURL kInsecureSilentlyBlockableFile(
+      "http://example.com/foo.silently_blocked_for_testing");
+  const auto kSecureOrigin = Origin::Create(GURL("https://example.org"));
+#if BUILDFLAG(ENABLE_PLUGINS)
+  // DownloadTargetDeterminer looks for plugin handlers if there's an
+  // extension.
+  content::PluginService::GetInstance()->Init();
+#endif
+  std::unique_ptr<download::MockDownloadItem> warned_download_item =
+      PrepareDownloadItemForMixedContent(kInsecureWarnableFile, kSecureOrigin,
+                                         base::nullopt);
+  std::unique_ptr<download::MockDownloadItem> blocked_download_item =
+      PrepareDownloadItemForMixedContent(kInsecureBlockableFile, kSecureOrigin,
+                                         base::nullopt);
+  std::unique_ptr<download::MockDownloadItem> silent_blocked_download_item =
+      PrepareDownloadItemForMixedContent(kInsecureSilentlyBlockableFile,
+                                         kSecureOrigin, base::nullopt);
+  HostContentSettingsMapFactory::GetForProfile(profile())
+      ->SetContentSettingDefaultScope(kSecureOrigin.GetURL(), GURL(),
+                                      ContentSettingsType::MIXEDSCRIPT,
+                                      std::string(), CONTENT_SETTING_ALLOW);
+  VerifyMixedContentExtensionOverride(
+      warned_download_item.get(), {{}}, InsecureDownloadExtensions::kTest,
+      download::DOWNLOAD_INTERRUPT_REASON_NONE,
+      download::DownloadItem::MixedContentStatus::SAFE);
+  VerifyMixedContentExtensionOverride(
+      blocked_download_item.get(), {{}},
+      InsecureDownloadExtensions::kMSExecutable,
+      download::DOWNLOAD_INTERRUPT_REASON_NONE,
+      download::DownloadItem::MixedContentStatus::SAFE);
+  VerifyMixedContentExtensionOverride(
+      silent_blocked_download_item.get(), {{}},
+      InsecureDownloadExtensions::kTest,
+      download::DOWNLOAD_INTERRUPT_REASON_NONE,
+      download::DownloadItem::MixedContentStatus::SAFE);
+}
 TEST_F(ChromeDownloadManagerDelegateTest, WithoutHistoryDbNextId) {
  delegate()->GetNextId(base::BindOnce(
      &ChromeDownloadManagerDelegateTest::GetNextId, base::Unretained(this)));

--- a/chrome/browser/download/mixed_content_download_blocking.cc
+++ b/chrome/browser/download/mixed_content_download_blocking.cc
@@ -13,7 +13,10 @@
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
+#include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/common/chrome_features.h"
+#include "components/content_settings/core/browser/host_content_settings_map.h"
+#include "components/content_settings/core/common/content_settings.h"
 #include "components/download/public/common/download_stats.h"
 #include "content/public/browser/download_item_utils.h"
 #include "content/public/browser/web_contents.h"
@@ -320,9 +323,40 @@ void PrintConsoleMessage(const MixedContentDownloadData& data,
                      : "will be blocked in future versions of Chrome")));
 }
+bool IsDownloadPermittedByContentSettings(
+    Profile* profile,
+    const base::Optional<url::Origin>& initiator) {
+  // TODO(crbug.com/1048957): Checking content settings crashes unit tests on
+  // Android. It shouldn't.
+#if !defined(OS_ANDROID)
+  ContentSettingsForOneType settings;
+  HostContentSettingsMap* host_content_settings_map =
+      HostContentSettingsMapFactory::GetForProfile(profile);
+  host_content_settings_map->GetSettingsForOneType(
+      ContentSettingsType::MIXEDSCRIPT, std::string(), &settings);
+  // When there's only one rule, it's the default wildcard rule.
+  if (settings.size() == 1) {
+    DCHECK(settings[0].primary_pattern == ContentSettingsPattern::Wildcard());
+    DCHECK(settings[0].secondary_pattern == ContentSettingsPattern::Wildcard());
+    return settings[0].GetContentSetting() == CONTENT_SETTING_ALLOW;
+  }
+  for (const auto& setting : settings) {
+    if (setting.primary_pattern.Matches(initiator->GetURL())) {
+      return setting.GetContentSetting() == CONTENT_SETTING_ALLOW;
+    }
+  }
+  NOTREACHED();
+#endif
+  return false;
+}
 }  // namespace
 MixedContentStatus GetMixedContentStatusForDownload(
+    Profile* profile,
    const base::FilePath& path,
    const download::DownloadItem* item) {
  MixedContentDownloadData data(path, item);
@@ -337,6 +371,11 @@ MixedContentStatus GetMixedContentStatusForDownload(
    return MixedContentStatus::SAFE;
  }
+  if (IsDownloadPermittedByContentSettings(profile, data.initiator_)) {
+    PrintConsoleMessage(data, false);
+    return MixedContentStatus::SAFE;
+  }
  if (ContainsExtension(kSilentBlockExtensionList,
                        kTreatSilentBlockListAsAllowlist, data.extension_)) {
    PrintConsoleMessage(data, true);

--- a/chrome/browser/download/mixed_content_download_blocking.h
+++ b/chrome/browser/download/mixed_content_download_blocking.h
@@ -7,6 +7,7 @@
 #include <string>
 #include "base/files/file_path.h"
+#include "chrome/browser/profiles/profile.h"
 #include "components/download/public/common/download_item.h"
 // Each download is recorded with two histograms.
@@ -207,6 +208,7 @@ inline std::string GetDLBlockingHistogramName(const std::string& initiator,
 // Returns the correct mixed content download blocking behavior for the given
 // |item| saved to |path|.  Controlled by kTreatUnsafeDownloadsAsActive.
 download::DownloadItem::MixedContentStatus GetMixedContentStatusForDownload(
+    Profile* profile,
    const base::FilePath& path,
    const download::DownloadItem* item);