headless: Add --allow-insecure-localhost flag.

This flag was present in chrome, but ignored in headless.
This commit makes headless behave as expected.

R=eseckler@chromium.org

Bug: 714287
Change-Id: I2b06c345c1f29eb4390e7853537af9cf5d809bb8
Reviewed-on: https://chromium-review.googlesource.com/599809Reviewed-by: Eric Seckler <eseckler@chromium.org>
Commit-Queue: Luca Versari <veluca@google.com>
Cr-Commit-Position: refs/heads/master@{#491694}

headless/lib/browser/headless_content_browser_client.cc

@@ -28,6 +28,7 @@
 #include "headless/lib/browser/headless_devtools_manager_delegate.h"
 #include "headless/lib/browser/headless_quota_permission_context.h"
 #include "headless/lib/headless_macros.h"
+#include "net/base/url_util.h"
 #include "storage/browser/quota/quota_settings.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/ui_base_switches.h"
@@ -254,8 +255,18 @@ void HeadlessContentBrowserClient::AllowCertificateError(
     bool expired_previous_decision,
     const base::Callback<void(content::CertificateRequestResultType)>&
         callback) {
-  if (!callback.is_null())
+  if (!callback.is_null()) {
+    // If --allow-insecure-localhost is specified, and the request
+    // was for localhost, then the error was not fatal.
+    bool allow_localhost = base::CommandLine::ForCurrentProcess()->HasSwitch(
+        ::switches::kAllowInsecureLocalhost);
+    if (allow_localhost && net::IsLocalhost(request_url.host())) {
+      callback.Run(content::CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE);
+      return;
+    }
+
     callback.Run(content::CERTIFICATE_REQUEST_RESULT_TYPE_DENY);
+  }
 }
 
 void HeadlessContentBrowserClient::ResourceDispatcherHostCreated() {

headless/lib/headless_browser_browsertest.cc

@@ -13,6 +13,8 @@
 #include "base/threading/thread_restrictions.h"
 #include "content/public/browser/permission_manager.h"
 #include "content/public/browser/permission_type.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/test/browser_test.h"
 #include "headless/lib/browser/headless_browser_context_impl.h"
@@ -913,4 +915,26 @@ IN_PROC_BROWSER_TEST_F(HeadlessBrowserTest, WindowPrint) {
       EvaluateScript(web_contents, "window.print()")->HasExceptionDetails());
 }
 
+IN_PROC_BROWSER_TEST_F(HeadlessBrowserTest, AllowInsecureLocalhostFlag) {
+  net::EmbeddedTestServer https_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  https_server.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED);
+  https_server.ServeFilesFromSourceDirectory("headless/test/data");
+  ASSERT_TRUE(https_server.Start());
+  GURL test_url = https_server.GetURL("/hello.html");
+
+  base::CommandLine::ForCurrentProcess()->AppendSwitch(
+      switches::kAllowInsecureLocalhost);
+
+  HeadlessBrowserContext* browser_context =
+      browser()->CreateBrowserContextBuilder().Build();
+
+  HeadlessWebContentsImpl* web_contents =
+      HeadlessWebContentsImpl::From(browser_context->CreateWebContentsBuilder()
+                                        .SetInitialURL(test_url)
+                                        .Build());
+
+  // If the certificate fails to validate, this should fail.
+  EXPECT_TRUE(WaitForLoad(web_contents));
+}
+
 }  // namespace headless