Enable "HTTP-Bad Final" by default

This CL enables the HTTP-Bad feature by default and sets it to warn on all
http:// pages, and updates tests accordingly.

Bug: 837034
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: I470aa09220df9e02833de8f8636ea2e66e2a6b05
Reviewed-on: https://chromium-review.googlesource.com/1029415
Commit-Queue: Emily Stark <estark@chromium.org>
Reviewed-by: Christopher Thompson <cthomp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554605}

chrome/browser/ssl/security_state_tab_helper_unittest.cc

@@ -145,7 +145,7 @@ TEST_P(SecurityStateTabHelperHistogramTest, FormSubmissionHistogram) {
   base::HistogramTester histograms;
   StartFormSubmissionNavigation();
   histograms.ExpectUniqueSample(kFormSubmissionSecurityLevelHistogram,
-                                security_state::NONE, 1);
+                                security_state::HTTP_SHOW_WARNING, 1);
 }
 
 // Tests that UMA logs the omnibox warning when security level is

components/security_state/core/features.cc

@@ -8,7 +8,7 @@ namespace security_state {
 namespace features {
 
 const base::Feature kMarkHttpAsFeature{"MarkHttpAs",
-                                       base::FEATURE_DISABLED_BY_DEFAULT};
+                                       base::FEATURE_ENABLED_BY_DEFAULT};
 const char kMarkHttpAsFeatureParameterName[] = "treatment";
 const char kMarkHttpAsParameterWarning[] = "warning";
 const char kMarkHttpAsParameterDangerous[] = "dangerous";

components/security_state/core/security_state.cc

@@ -38,11 +38,6 @@ void SetSecurityLevelAndRelatedFieldsForNonSecureFieldTrial(
       return;
     }
 
-    if (parameter == features::kMarkHttpAsParameterWarning) {
-      security_info->security_level = HTTP_SHOW_WARNING;
-      return;
-    }
-
     if (parameter ==
         features::kMarkHttpAsParameterWarningAndDangerousOnFormEdits) {
       security_info->security_level =
@@ -63,6 +58,11 @@ void SetSecurityLevelAndRelatedFieldsForNonSecureFieldTrial(
                                           : HTTP_SHOW_WARNING;
       return;
     }
+
+    // By default, if the feature is enabled, show a warning on all http://
+    // pages.
+    security_info->security_level = HTTP_SHOW_WARNING;
+    return;
   }
 
   // No warning treatment is configured via field trial. Default to warning on

components/security_state/core/security_state_unittest.cc

@@ -339,16 +339,14 @@ TEST(SecurityStateTest, PasswordFieldWarning) {
   EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
-// Tests that password fields cause the security level to be downgraded
-// to HTTP_SHOW_WARNING on pseudo URLs.
-TEST(SecurityStateTest, PasswordFieldWarningOnPseudoUrls) {
+// Tests that the security level is downgraded to HTTP_SHOW_WARNING on pseudo
+// URLs.
+TEST(SecurityStateTest, WarningOnPseudoUrls) {
   for (const char* const url : kPseudoUrls) {
     TestSecurityStateHelper helper;
     helper.SetUrl(GURL(url));
-    helper.set_password_field_shown(true);
     SecurityInfo security_info;
     helper.GetSecurityInfo(&security_info);
-    EXPECT_TRUE(security_info.insecure_input_events.password_field_shown);
     EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
   }
 }
@@ -365,20 +363,6 @@ TEST(SecurityStateTest, CreditCardFieldWarning) {
   EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
-// Tests that credit card fields cause the security level to be downgraded
-// to HTTP_SHOW_WARNING on pseudo URLs.
-TEST(SecurityStateTest, CreditCardFieldWarningOnPseudoUrls) {
-  for (const char* const url : kPseudoUrls) {
-    TestSecurityStateHelper helper;
-    helper.SetUrl(GURL(url));
-    helper.set_credit_card_field_edited(true);
-    SecurityInfo security_info;
-    helper.GetSecurityInfo(&security_info);
-    EXPECT_TRUE(security_info.insecure_input_events.credit_card_field_edited);
-    EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
-  }
-}
-
 // Tests that neither |password_field_shown| nor
 // |credit_card_field_edited| is set when the corresponding
 // VisibleSecurityState flags are not set.
@@ -389,7 +373,7 @@ TEST(SecurityStateTest, PrivateUserDataNotSet) {
   helper.GetSecurityInfo(&security_info);
   EXPECT_FALSE(security_info.insecure_input_events.password_field_shown);
   EXPECT_FALSE(security_info.insecure_input_events.credit_card_field_edited);
-  EXPECT_EQ(NONE, security_info.security_level);
+  EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
 }
 
 // Tests that neither |password_field_shown| nor
@@ -403,7 +387,7 @@ TEST(SecurityStateTest, PrivateUserDataNotSetOnPseudoUrls) {
     helper.GetSecurityInfo(&security_info);
     EXPECT_FALSE(security_info.insecure_input_events.password_field_shown);
     EXPECT_FALSE(security_info.insecure_input_events.credit_card_field_edited);
-    EXPECT_EQ(NONE, security_info.security_level);
+    EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
   }
 }
 
@@ -441,6 +425,13 @@ TEST(SecurityStateTest, IncognitoFlagPropagates) {
   helper.SetUrl(GURL(kHttpUrl));
   SecurityInfo security_info;
 
+  {
+    // Disable the feature, which shows the warning on all incognito http pages
+    // by default.
+    base::test::ScopedFeatureList scoped_feature_list;
+    scoped_feature_list.InitAndDisableFeature(
+        security_state::features::kMarkHttpAsFeature);
+
     // Test the default non-secure-while-incognito-or-editing configuration.
     helper.set_is_incognito(false);
     helper.GetSecurityInfo(&security_info);
@@ -449,6 +440,7 @@ TEST(SecurityStateTest, IncognitoFlagPropagates) {
     helper.set_is_incognito(true);
     helper.GetSecurityInfo(&security_info);
     EXPECT_TRUE(security_info.incognito_downgraded_security_level);
+  }
 
   {
     // Disable the "non-secure-while-incognito" configuration.
@@ -574,10 +566,17 @@ TEST(SecurityStateTest, FieldEdit) {
   TestSecurityStateHelper helper;
   helper.SetUrl(GURL(kHttpUrl));
 
+  {
+    // Test the configuration that warns on field edits (the default behavior
+    // when the feature is disabled).
+    base::test::ScopedFeatureList scoped_feature_list;
+    scoped_feature_list.InitAndDisableFeature(
+        security_state::features::kMarkHttpAsFeature);
+
     SecurityInfo no_field_edit_security_info;
     helper.GetSecurityInfo(&no_field_edit_security_info);
-  EXPECT_FALSE(
-      no_field_edit_security_info.insecure_input_events.insecure_field_edited);
+    EXPECT_FALSE(no_field_edit_security_info.insecure_input_events
+                     .insecure_field_edited);
     EXPECT_FALSE(
         no_field_edit_security_info.field_edit_downgraded_security_level);
     EXPECT_EQ(NONE, no_field_edit_security_info.security_level);
@@ -589,6 +588,7 @@ TEST(SecurityStateTest, FieldEdit) {
     EXPECT_TRUE(security_info.insecure_input_events.insecure_field_edited);
     EXPECT_TRUE(security_info.field_edit_downgraded_security_level);
     EXPECT_EQ(HTTP_SHOW_WARNING, security_info.security_level);
+  }
 
   {
     // Test the "dangerous" configuration.
@@ -598,6 +598,7 @@ TEST(SecurityStateTest, FieldEdit) {
         {{security_state::features::kMarkHttpAsFeatureParameterName,
           security_state::features::kMarkHttpAsParameterDangerous}});
 
+    SecurityInfo security_info;
     helper.GetSecurityInfo(&security_info);
     EXPECT_TRUE(security_info.insecure_input_events.insecure_field_edited);
     EXPECT_FALSE(security_info.field_edit_downgraded_security_level);
@@ -652,7 +653,6 @@ TEST(SecurityStateTest, IncognitoErrorPage) {
   helper.set_is_error_page(false);
   helper.GetSecurityInfo(&security_info);
   EXPECT_EQ(SecurityLevel::HTTP_SHOW_WARNING, security_info.security_level);
-  EXPECT_TRUE(security_info.incognito_downgraded_security_level);
 }
 
 // Tests that HTTP_SHOW_WARNING is set when the 'warning' field trial

ios/chrome/browser/ssl/ios_security_state_tab_helper_unittest.mm

@@ -55,7 +55,7 @@ TEST_F(IOSSecurityStateTabHelperIncognitoTest, SecurityInfoDowngradedForHTTP) {
   LoadHtml(@"<html><body></body></html>", GURL("http://chromium.test"));
   security_state::SecurityInfo security_info;
   GetSecurityInfo(&security_info);
-  EXPECT_TRUE(security_info.incognito_downgraded_security_level);
+  EXPECT_EQ(security_state::HTTP_SHOW_WARNING, security_info.security_level);
 }
 
 // This test fixture creates an IOSSecurityStateTabHelper and an