brave · kjozwiak · Apr 11, 2024 · Apr 3, 2024
@@ -82,7 +82,7 @@ extension BrowserViewController {
 
     // Toogle Reader Mode Activity
     // If the reader mode button is occluded due to a secure content state warning add it as an activity
-    if let tab = tabManager.selectedTab, tab.secureContentState.shouldDisplayWarning {
+    if let tab = tabManager.selectedTab, tab.lastKnownSecureContentState.shouldDisplayWarning {
       if tab.readerModeAvailableOrActive {
         activities.append(
           BasicMenuActivity(
@@ -292,10 +292,6 @@ extension BrowserViewController {
       tabManager.selectedTab?.webView?.serverTrust != nil
         || ErrorPageHelper.hasCertificates(for: tabURL)
     {
-      if let selectedTab = tabManager.selectedTab {
-        logSecureContentState(tab: selectedTab, details: "Display Certificate Activity Settings")
-      }
-
       activities.append(
         BasicMenuActivity(
           activityType: .displaySecurityCertificate

@@ -1008,7 +1008,7 @@ extension BrowserViewController: ToolbarDelegate {
       (tab.webView?.serverTrust ?? (try? ErrorPageHelper.serverTrust(from: url))) != nil
     let pageSecurityView = PageSecurityView(
       displayURL: urlBar.locationView.urlDisplayLabel.text ?? url.absoluteDisplayString,
-      secureState: tab.secureContentState,
+      secureState: tab.lastKnownSecureContentState,
       hasCertificate: hasCertificate,
       presentCertificateViewer: { [weak self] in
         self?.dismiss(animated: true)

@@ -848,7 +848,6 @@ extension BrowserViewController: WKNavigationDelegate {
     // However, WebKit does NOT trigger the `serverTrust` observer when the URL changes, but the trust has not.
     // WebKit also does NOT trigger the `serverTrust` observer when the page is actually insecure (non-https).
     // So manually trigger it with the current trust.
-    logSecureContentState(tab: tab, details: "ObserveValue trigger in didCommit")
 
     observeValue(
       forKeyPath: KVOConstants.serverTrust.keyPath,

@@ -1960,7 +1960,7 @@ public class BrowserViewController: UIViewController {
         // If navigation will start from NTP, tab display url will be nil until
         // didCommit is called and it will cause url bar be empty in that period
         // To fix this when tab display url is empty, webview url is used
-        if tab.url?.displayURL == nil {
+        if tab === tabManager.selectedTab, tab.url?.displayURL == nil {
           if let url = webView.url, !url.isLocal, !InternalURL.isValid(url: url) {
             updateToolbarCurrentURL(url.displayURL)
           }
@@ -1986,6 +1986,14 @@ public class BrowserViewController: UIViewController {
       {
         topToolbar.updateProgressBar(Float(webView.estimatedProgress))
       }
+
+      Task {
+        await tab.updateSecureContentState()
+        self.logSecureContentState(tab: tab, path: .url)
+        if self.tabManager.selectedTab === tab {
+          self.updateToolbarSecureContentState(tab.lastKnownSecureContentState)
+        }
+      }
     case .title:
       // Ensure that the tab title *actually* changed to prevent repeated calls
       // to navigateInTab(tab:).
@@ -2009,218 +2017,20 @@ public class BrowserViewController: UIViewController {
 
       navigationToolbar.updateForwardStatus(canGoForward)
     case .hasOnlySecureContent:
-      guard let tab = tabManager[webView] else {
-        break
-      }
-
-      if tab.secureContentState == .secure, !webView.hasOnlySecureContent,
-        tab.url?.origin == tab.webView?.url?.origin
-      {
-        if let url = tab.webView?.url, url.isInternalURL(for: .readermode) {
-          break
-        }
-
-        tab.secureContentState = .mixedContent
-        logSecureContentState(tab: tab, path: path)
-      }
-
-      if let url = tab.webView?.url,
-        InternalURL.isValid(url: url),
-        let internalUrl = InternalURL(url)
-      {
-
-        if internalUrl.isErrorPage {
-          if ErrorPageHelper.certificateError(for: url) != 0 {
-            // Cert validation takes precedence over all other errors
-            tab.secureContentState = .invalidCert
-            logSecureContentState(
-              tab: tab,
-              path: path,
-              details: "Cert validation takes precedence over all other errors"
-            )
-          } else if NetworkErrorPageHandler.isNetworkError(
-            errorCode: ErrorPageHelper.errorCode(for: url)
-          ) {
-            // Network error takes precedence over missing cert
-            // Because we cannot determine if a cert is missing yet, if we cannot connect to the server
-            // Our network interstitial page shows
-            tab.secureContentState = .localhost
-            logSecureContentState(
-              tab: tab,
-              path: path,
-              details: "Network error takes precedence over missing cert"
-            )
-          } else {
-            // Since it's not a cert error explicitly, and it's not a network error, and the cert is missing (no serverTrust),
-            // then we display .missingSSL
-            tab.secureContentState = .missingSSL
-            logSecureContentState(
-              tab: tab,
-              path: path,
-              details: "Certificate is missing (no serverTrust)"
-            )
-          }
-        } else if url.isInternalURL(for: .readermode) || InternalURL.isValid(url: url) {
-          tab.secureContentState = .localhost
-          logSecureContentState(tab: tab, path: path, details: "Reader Mode or Internal URL")
-        }
-      }
-
-      if tabManager.selectedTab === tab {
-        updateToolbarSecureContentState(tab.secureContentState)
-      }
-    case .serverTrust:
-      guard let tab = tabManager[webView] else {
-        break
-      }
-
-      tab.secureContentState = .unknown
-      logSecureContentState(tab: tab, path: path)
-
-      guard let url = webView.url,
-        let serverTrust = webView.serverTrust
-      else {
-        if let url = webView.url {
-          if InternalURL.isValid(url: url),
-            let internalUrl = InternalURL(url),
-            internalUrl.isAboutURL || internalUrl.isAboutHomeURL
-          {
-
-            tab.secureContentState = .localhost
-            logSecureContentState(
-              tab: tab,
-              path: path,
-              details: "Internal URL aboutURL or is aboutHomeURL"
-            )
-
-            if tabManager.selectedTab === tab {
-              updateToolbarSecureContentState(.localhost)
-            }
-            break
-          }
-
-          if InternalURL.isValid(url: url),
-            let internalUrl = InternalURL(url),
-            internalUrl.isErrorPage
-          {
-
-            if ErrorPageHelper.certificateError(for: url) != 0 {
-              // Cert validation takes precedence over all other errors
-              tab.secureContentState = .invalidCert
-              logSecureContentState(
-                tab: tab,
-                path: path,
-                details: "Cert validation takes precedence over all other errors"
-              )
-            } else if NetworkErrorPageHandler.isNetworkError(
-              errorCode: ErrorPageHelper.errorCode(for: url)
-            ) {
-              // Network error takes precedence over missing cert
-              // Because we cannot determine if a cert is missing yet, if we cannot connect to the server
-              // Our network interstitial page shows
-              tab.secureContentState = .localhost
-              logSecureContentState(
-                tab: tab,
-                path: path,
-                details: "Network error takes precedence over missing cert"
-              )
-            } else {
-              // Since it's not a cert error explicitly, and it's not a network error, and the cert is missing (no serverTrust),
-              // then we display .missingSSL
-              tab.secureContentState = .missingSSL
-              logSecureContentState(
-                tab: tab,
-                path: path,
-                details: "Certificate is missing (no serverTrust)"
-              )
-            }
-
-            if tabManager.selectedTab === tab {
-              updateToolbarSecureContentState(tab.secureContentState)
-            }
-            break
-          }
-
-          if url.isInternalURL(for: .readermode) || InternalURL.isValid(url: url) {
-            tab.secureContentState = .localhost
-            logSecureContentState(tab: tab, path: path, details: "Reader Mode or Internal URL")
-
-            if tabManager.selectedTab === tab {
-              updateToolbarSecureContentState(.localhost)
-            }
-            break
-          }
-
-          // All our checks failed, we show the page as insecure
-          tab.secureContentState = .missingSSL
-          logSecureContentState(
-            tab: tab,
-            path: path,
-            details: "All our checks failed, we show the page as insecure"
-          )
-        } else {
-          // When there is no URL, it's likely a new tab.
-          tab.secureContentState = .localhost
-          logSecureContentState(
-            tab: tab,
-            path: path,
-            details: "When there is no URL, it's likely a new tab"
-          )
-        }
-
+      Task {
+        await tab.updateSecureContentState()
+        self.logSecureContentState(tab: tab, path: .hasOnlySecureContent)
         if tabManager.selectedTab === tab {
-          updateToolbarSecureContentState(tab.secureContentState)
+          self.updateToolbarSecureContentState(tab.lastKnownSecureContentState)
         }
-        break
-      }
-
-      guard let scheme = url.scheme,
-        let host = url.host
-      else {
-        tab.secureContentState = .unknown
-        logSecureContentState(tab: tab, path: path, details: "No webview URL host scheme)")
-
-        self.updateURLBar()
-        return
       }
-
-      let port: Int
-      if let urlPort = url.port {
-        port = urlPort
-      } else if scheme == "https" {
-        port = 443
-      } else {
-        port = 80
-      }
-
-      Task { @MainActor in
-        do {
-          let result = await BraveCertificateUtils.verifyTrust(serverTrust, host: host, port: port)
-
-          // Cert is valid!
-          if result == 0 {
-            tab.secureContentState = .secure
-            logSecureContentState(tab: tab, path: path, details: "Cert is valid!")
-          } else if result == Int32.min {
-            // Cert is valid but should be validated by the system
-            // Let the system handle it and we'll show an error if the system cannot validate it
-            try await BraveCertificateUtils.evaluateTrust(serverTrust, for: host)
-            tab.secureContentState = .secure
-            logSecureContentState(
-              tab: tab,
-              path: path,
-              details: "Cert is valid but should be validated by the system"
-            )
-          } else {
-            tab.secureContentState = .invalidCert
-            logSecureContentState(tab: tab, path: path, details: "Invalid Cert")
-          }
-        } catch {
-          tab.secureContentState = .invalidCert
-          logSecureContentState(tab: tab, path: path, details: "Verify Trust Error")
+    case .serverTrust:
+      Task {
+        await tab.updateSecureContentState()
+        self.logSecureContentState(tab: tab, path: .serverTrust)
+        if self.tabManager.selectedTab === tab {
+          self.updateToolbarSecureContentState(tab.lastKnownSecureContentState)
         }
-
-        self.updateURLBar()
       }
     case ._sampledPageTopColor:
       updateStatusBarOverlayColor()
@@ -2229,19 +2039,24 @@ public class BrowserViewController: UIViewController {
     }
   }
 
-  func logSecureContentState(tab: Tab, path: KVOConstants? = nil, details: String? = nil) {
+  func logSecureContentState(tab: Tab, path: KVOConstants? = nil) {
     var text = """
       Tab URL: \(tab.url?.absoluteString ?? "Empty Tab URL")
-       Tab VebView URL: \(tab.webView?.url?.absoluteString ?? "Empty Webview URL")
-       Secure State: \(tab.secureContentState.rawValue)
+       Secure State: \(tab.lastKnownSecureContentState.rawValue)
       """
 
     if let keyPath = path?.keyPath {
       text.append("\n Value Observed: \(keyPath)\n")
     }
 
-    if let extraDetails = details {
-      text.append("\n Extra Details: \(extraDetails)\n")
+    if let webView = tab.webView {
+      text.append(
+        """
+         WebView url: \(webView.url?.absoluteString ?? "nil")
+         WebView hasOnlySecureContent: \(webView.hasOnlySecureContent ? "true" : "false")
+         WebView serverTrust: \(webView.serverTrust != nil ? "present" : "nil")
+        """
+      )
     }
 
     DebugLogger.log(for: .secureState, text: text)
@@ -2303,7 +2118,7 @@ public class BrowserViewController: UIViewController {
 
     updateToolbarCurrentURL(tab.url?.displayURL)
     if tabManager.selectedTab === tab {
-      updateToolbarSecureContentState(tab.secureContentState)
+      self.updateToolbarSecureContentState(tab.lastKnownSecureContentState)
     }
 
     let isPage = tab.url?.isWebPage() ?? false
@@ -3460,7 +3275,6 @@ extension BrowserViewController: NewTabPageDelegate {
       guard let self = self else { return }
 
       let viewRect = CGRect(origin: self.view.center, size: .zero)
-
       self.presentActivityViewController(
         url,
         sourceView: self.view,