Update devtools security panel for HTTP-bad

Update devtools security panel for HTTP-bad

This CL adds an explanation string to note that HTTP pages will be
marked as "Not secure" if they contain password or credit card fields.

BUG=647561
Committed: https://crrev.com/22b1cd4f982e4bfed59d6e466a0b613fb4827e88
Cr-Commit-Position: refs/heads/master@{#426322}

[estark, 2016-10-17 21:26:20]

The CQ bit was checked by estark@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-17 21:27:11]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[estark, 2016-10-17 21:27:24]

estark@chromium.org changed reviewers:
+ lgarron@chromium.org

[estark, 2016-10-17 21:27:24]

lgarron, PTAL?

[commit-bot: I haz the power, 2016-10-18 00:17:22]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-18 00:17:23]

Dry run: This issue passed the CQ dry run.

[estark, 2016-10-18 23:40:26]

Friendly ping

[lgarron, 2016-10-18 23:49:55]

https://codereview.chromium.org/2424223002/diff/1/chrome/app/generated_resour...
File chrome/app/generated_resources.grd (right):

https://codereview.chromium.org/2424223002/diff/1/chrome/app/generated_resour...
chrome/app/generated_resources.grd:14808: +        The site includes a password
or credit card input over HTTP, so a warning will be added to the URL bar in
Chrome 56 (Jan 2017).
If we want to mention the browser, we need to use google_chrome_strings.grd,
right? (Does Opera use chrome_security_state_model_client?)
Also, since M55 has already branched, doesn't this already apply in all builds
that contain this string?

And more nitty:
I also have a strange visceral dislike of this usage of "so", although I can't
articulate exactly why.
I would simply write:  "The site includes a password or credit card input over
HTTP. A warning will appear in the URL bar for this page starting in Chrome 56
(Jan 2017)." (mutatis mutandis, re: comments above:)

https://codereview.chromium.org/2424223002/diff/1/chrome/browser/ssl/chrome_s...
File chrome/browser/ssl/chrome_security_state_model_client.cc (right):

https://codereview.chromium.org/2424223002/diff/1/chrome/browser/ssl/chrome_s...
chrome/browser/ssl/chrome_security_state_model_client.cc:189:
security_style_explanations->unauthenticated_explanations.push_back(
I *think* this should be an info explanation?

[estark, 2016-10-19 18:00:32]

The CQ bit was checked by estark@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-19 18:01:13]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[estark, 2016-10-19 18:12:27]

I rejiggered this CL a bit, PTAL. Changes:
- chrome vs chromium strings as suggested
- I'm now adding a string regardless of whether HTTP_SHOW_WARNING is set or not;
we now show "A warning has been added" (as an |unauthenticated_explanation|)
when HTTP_SHOW_WARNING is set, and "A warning will be added" (as an
|info_explanation|) when NONE is set but HTTP_SHOW_WARNING would be set if the
field trial were enabled. I think this makes sense: if the field trial isn't
enabled, then it's an info_explanation because it doesn't affect the lock icon,
but if the field trial is enabled, then it does affect the lock icon so it's an
unauthenticated_explanation.

[commit-bot: I haz the power, 2016-10-19 19:11:15]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-19 19:11:16]

Dry run: This issue passed the CQ dry run.

[lgarron, 2016-10-19 20:46:24]

LGTM mod wording consistency nit

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/chromium_str...
File chrome/app/chromium_strings.grd (right):

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/chromium_str...
chrome/app/chromium_strings.grd:1298: The site includes a password or credit
card input over HTTP. A warning will be added to the URL bar starting in
Chromium 56 (Jan 2017).
Looking at DevTools, it seems we actually write "This page" rather than
"the/this site". Could you switch to that?

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/chromium_str...
chrome/app/chromium_strings.grd:1301: The site includes a password or credit
card input over HTTP. A warning has been added to the URL bar.
ditto

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/google_chrom...
File chrome/app/google_chrome_strings.grd (right):

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/google_chrom...
chrome/app/google_chrome_strings.grd:1299: The site includes a password or
credit card input over HTTP. A warning will appear in the URL bar starting in
Chrome 56 (Jan 2017).
ditto3

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/google_chrom...
chrome/app/google_chrome_strings.grd:1302: The site includes a password or
credit card input over HTTP. A warning has been added the URL bar.
ditto4

https://codereview.chromium.org/2424223002/diff/20001/components/security_sta...
File components/security_state/security_state_model.h (right):

https://codereview.chromium.org/2424223002/diff/20001/components/security_sta...
components/security_state/security_state_model.h:142: bool
displayed_private_user_data_input_on_http;
Would it be worth keeping track of the two cases (passwords/credits) using a
mask?

[estark, 2016-10-19 21:02:18]

Thanks!

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/chromium_str...
File chrome/app/chromium_strings.grd (right):

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/chromium_str...
chrome/app/chromium_strings.grd:1298: The site includes a password or credit
card input over HTTP. A warning will be added to the URL bar starting in
Chromium 56 (Jan 2017).
On 2016/10/19 20:46:23, lgarron wrote:
> Looking at DevTools, it seems we actually write "This page" rather than
> "the/this site". Could you switch to that?

Done.

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/chromium_str...
chrome/app/chromium_strings.grd:1301: The site includes a password or credit
card input over HTTP. A warning has been added to the URL bar.
On 2016/10/19 20:46:23, lgarron wrote:
> ditto

Done.

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/google_chrom...
File chrome/app/google_chrome_strings.grd (right):

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/google_chrom...
chrome/app/google_chrome_strings.grd:1299: The site includes a password or
credit card input over HTTP. A warning will appear in the URL bar starting in
Chrome 56 (Jan 2017).
On 2016/10/19 20:46:23, lgarron wrote:
> ditto3

Done.

https://codereview.chromium.org/2424223002/diff/20001/chrome/app/google_chrom...
chrome/app/google_chrome_strings.grd:1302: The site includes a password or
credit card input over HTTP. A warning has been added the URL bar.
On 2016/10/19 20:46:23, lgarron wrote:
> ditto4

Done.

https://codereview.chromium.org/2424223002/diff/20001/components/security_sta...
File components/security_state/security_state_model.h (right):

https://codereview.chromium.org/2424223002/diff/20001/components/security_sta...
components/security_state/security_state_model.h:142: bool
displayed_private_user_data_input_on_http;
On 2016/10/19 20:46:23, lgarron wrote:
> Would it be worth keeping track of the two cases (passwords/credits) using a
> mask?

I thought about it, but thought that we could always do that later if we need it
-- no need for it now.

[estark, 2016-10-19 21:02:22]

The CQ bit was checked by estark@chromium.org

[estark, 2016-10-19 21:02:22]

The patchset sent to the CQ was uploaded after l-g-t-m from lgarron@chromium.org
Link to the patchset: https://codereview.chromium.org/2424223002/#ps40001
(title: "lgarron comments")

[commit-bot: I haz the power, 2016-10-19 21:03:13]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-19 23:11:29]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-10-21 13:12:48]

Description was changed from

==========
Update devtools security panel for HTTP-bad

This CL adds an explanation string to note that HTTP pages will be
marked as "Not secure" if they contain password or credit card fields.

BUG=647561
==========

to

==========
Update devtools security panel for HTTP-bad

This CL adds an explanation string to note that HTTP pages will be
marked as "Not secure" if they contain password or credit card fields.

BUG=647561

Committed: https://crrev.com/22b1cd4f982e4bfed59d6e466a0b613fb4827e88
Cr-Commit-Position: refs/heads/master@{#426322}
==========

[commit-bot: I haz the power, 2016-10-21 13:12:49]

Patchset 3 (id:??) landed as
https://crrev.com/22b1cd4f982e4bfed59d6e466a0b613fb4827e88
Cr-Commit-Position: refs/heads/master@{#426322}