ContextQMD
Back to Chromium

Security Interstitials

components/security_interstitials/README.md

149.0.7827.22.7 KB
Original Source

Security Interstitials

This directory contains the implementation of security interstitials -- warning pages that are shown instead of web content when certain security events occur (such as an invalid certificate on an HTTPS connection, or a URL that is flagged by Safe Browsing).

This is a layered component that includes a core/ implementation (which is also used by //ios/components/security_interstitials for the iOS implementation), and a content/ implementation for Blink platforms.

Security interstitials are split between an HTML+JS front end (which defines the actual contents shown) and a C++ backing implementation.

core/common/resources/ contains the shared HTML+JS used across the various interstitial types.

core/common/mojom/ contains the Mojo IPC definitions that are used for the interstitial JS to communicate back to the C++ interstitial code to execute various actions the user can take on the interstitial page.

core/browser/resources contain the HTML+JS implementations of the various interstitial types (such as the SSL interstitial or Safe Browsing interstitial).

When adding a new interstitial type, you should also add it to core/browser/resources/list_of_interstitials.html and chrome/browser/ui/webui/interstitials/interstitial_ui.cc so that it is listed in the interstitial testing page at chrome://interstitials.

ControllerClient is the C++ logic that handles commands sent by the interstitial JS. The specific implementation is extended by the embedder -- see content/security_interstitial_controller_client.h and //ios/components/security_interstitials/ios_blocking_page_controller_client.h.

Many interstitials follow the pattern of implementing a core “UI” class (like SSLErrorUI for SSL interstitials), which configures details for the interstitial HTML, and connects the specific blocking page implementation with the controller client implementation.

In content/, the central classes are:

  • SecurityInterstitialControllerClient, which handles commands from security interstitial pages. This is used by and extended for each interstitial type.
  • SecurityInterstitialPage, which handles the state of the interstitial page. This is extended for each interstitial type.
  • SecurityInterstitialTabHelper, which connects an interstitial page to a WebContents, and owns the underlying interstitial page.

//ios/components/security_interstitials/ has parallel implementations, but for iOS where we can’t use content/.

This directory is not an exhaustive container of all security interstitials. Some interstitial types build on the core component classes but are implemented outside of this directory (e.g., chrome/browser/lookalikes/).