Unified Diff: chrome/browser/ssl/ssl_policy.cc

Issue 46094: Fix our handling of mixed SSL / non-SSL content.... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 11 years, 9 months ago
Index: chrome/browser/ssl/ssl_policy.cc
===================================================================
--- chrome/browser/ssl/ssl_policy.cc (revision 11701)
+++ chrome/browser/ssl/ssl_policy.cc (working copy)
@@ -4,7 +4,6 @@
#include "chrome/browser/ssl/ssl_policy.h"
-#include "base/singleton.h"
#include "base/string_piece.h"
#include "base/string_util.h"
#include "chrome/browser/cert_store.h"
@@ -38,37 +37,33 @@
// Wrap all these helper classes in an anonymous namespace.
namespace {
-static const char kDot = '.';
-
-class ShowUnsafeContentTask : public Task {
+class ShowMixedContentTask : public Task {
public:
- ShowUnsafeContentTask(const GURL& main_frame_url,
- SSLManager::ErrorHandler* error_handler);
- virtual ~ShowUnsafeContentTask();
+ ShowMixedContentTask(SSLPolicy* ssl_policy,
+ SSLManager::MixedContentHandler* handler);
+ virtual ~ShowMixedContentTask();
virtual void Run();
private:
- scoped_refptr<SSLManager::ErrorHandler> error_handler_;
- GURL main_frame_url_;
+ scoped_refptr<SSLManager::MixedContentHandler> handler_;
- DISALLOW_EVIL_CONSTRUCTORS(ShowUnsafeContentTask);
+ SSLPolicy* ssl_policy_;
+
+ DISALLOW_COPY_AND_ASSIGN(ShowMixedContentTask);
};
-ShowUnsafeContentTask::ShowUnsafeContentTask(
- const GURL& main_frame_url,
- SSLManager::ErrorHandler* error_handler)
- : error_handler_(error_handler),
- main_frame_url_(main_frame_url) {
+ShowMixedContentTask::ShowMixedContentTask(
+ SSLPolicy* ssl_policy, SSLManager::MixedContentHandler* handler)
+ : ssl_policy_(ssl_policy), handler_(handler) {
}
-ShowUnsafeContentTask::~ShowUnsafeContentTask() {
+ShowMixedContentTask::~ShowMixedContentTask() {
}
-void ShowUnsafeContentTask::Run() {
- error_handler_->manager()->AllowShowInsecureContentForURL(main_frame_url_);
- // Reload the page.
- error_handler_->GetWebContents()->controller()->Reload(true);
+void ShowMixedContentTask::Run() {
+ ssl_policy_->AllowMixedContent(handler_);
+ handler_->GetWebContents()->controller()->Reload(true);
}
static void ShowErrorPage(SSLPolicy* policy, SSLManager::CertError* error) {
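Review bot: The `ShowMixedContentTask` constructor lists `ssl_policy_` before `handler_` in its initializer list, but the class declares `handler_` first, so the members are initialised in the opposite order from the one written and compilers that check initializer order will warn. Either swap the two declarations or write `: handler_(handler), ssl_policy_(ssl_policy) {`. The task also holds a raw `SSLPolicy*` until the infobar link is clicked, which is safe only if the policy outlives every pending task; a member comment such as `// Not owned; must outlive this task.` would record that assumption. ShowErrorPage's body continues outside the hunk.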
@@ -116,332 +111,161 @@
blocking_page->Show();
}
-#if 0
-// See TODO(jcampan) below.
-static bool IsIntranetHost(const std::string& host) {
- const size_t dot = host.find(kDot);
- return dot == std::string::npos || dot == host.length() - 1;
-}
-#endif
+static void InitializeEntryIfNeeded(NavigationEntry* entry) {
+ if (entry->ssl().security_style() != SECURITY_STYLE_UNKNOWN)
+ return;
-class CommonNameInvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<CommonNameInvalidPolicy>::get();
- }
+ SecurityStyle security_style = entry->url().SchemeIsSecure() ?
+ SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED;
jcampan 2009/03/16 18:43:54 Nit: indent 4 spaces
abarth-chromium 2009/03/16 21:34:21 Fixed.
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnOverridableCertError(main_frame_url, error);
- }
-};
+ entry->ssl().set_security_style(security_style);
+}
-class DateInvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<DateInvalidPolicy>::get();
- }
+static void AddMixedContentWarningToConsole(
+ SSLManager::MixedContentHandler* handler) {
+ const std::wstring& msg = l10n_util::GetStringF(
+ IDS_MIXED_CONTENT_LOG_MESSAGE,
+ UTF8ToWide(handler->frame_origin()),
+ UTF8ToWide(handler->request_url().spec()));
+ handler->manager()->AddMessageToConsole(msg, MESSAGE_LEVEL_WARNING);
+}
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnOverridableCertError(main_frame_url, error);
- }
-};
+static bool HasSafeScheme(const GURL& url) {
+ return (url.SchemeIsSecure() ||
+ url.SchemeIs(chrome::kDataScheme) ||
+ url.SchemeIs(chrome::kJavaScriptScheme) ||
+ url.SchemeIs(chrome::kAboutScheme));
+}
-class AuthorityInvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<AuthorityInvalidPolicy>::get();
- }
+} // namespace
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnOverridableCertError(main_frame_url, error);
- }
-};
+SSLPolicy::SSLPolicy() {
+}
-class ContainsErrorsPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<ContainsErrorsPolicy>::get();
- }
+SSLPolicy* SSLPolicy::GetDefaultPolicy() {
+ return Singleton<SSLPolicy>::get();
+}
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnFatalCertError(main_frame_url, error);
- }
-};
+void SSLPolicy::OnCertError(SSLManager::CertError* error) {
+ // First we check if we know the policy for this error.
+ net::X509Certificate::Policy::Judgment judgment =
+ error->manager()->QueryPolicy(error->ssl_info().cert,
+ error->request_url().host());
-class NoRevocationMechanismPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<NoRevocationMechanismPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- // Silently ignore this error.
+ if (judgment == net::X509Certificate::Policy::ALLOWED) {
error->ContinueRequest();
+ return;
}
-};
-class UnableToCheckRevocationPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<UnableToCheckRevocationPolicy>::get();
- }
+ // The judgment is either DENIED or UNKNOWN.
+ // For now we handle the DENIED as the UNKNOWN, which means a blocking
+ // page is shown to the user every time he comes back to the page.
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- // We ignore this error and display an info-bar.
- error->ContinueRequest();
- error->manager()->ShowMessage(l10n_util::GetString(
- IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_INFO_BAR));
- }
-};
-
-class RevokedPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<RevokedPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnFatalCertError(main_frame_url, error);
- }
-};
-
-class InvalidPolicy : public SSLPolicy {
- public:
- static SSLPolicy* GetInstance() {
- return Singleton<InvalidPolicy>::get();
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- OnFatalCertError(main_frame_url, error);
- }
-};
-
-class DefaultPolicy : public SSLPolicy {
- public:
- DefaultPolicy() {
- // Load our helper classes to handle various cert errors.
- DCHECK(SubPolicyIndex(net::ERR_CERT_COMMON_NAME_INVALID) == 0);
- sub_policies_[0] = CommonNameInvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_DATE_INVALID) == 1);
- sub_policies_[1] = DateInvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_AUTHORITY_INVALID) == 2);
- sub_policies_[2] = AuthorityInvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_CONTAINS_ERRORS) == 3);
- sub_policies_[3] = ContainsErrorsPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_NO_REVOCATION_MECHANISM) == 4);
- sub_policies_[4] = NoRevocationMechanismPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION) == 5);
- sub_policies_[5] = UnableToCheckRevocationPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_REVOKED) == 6);
- sub_policies_[6] = RevokedPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_INVALID) == 7);
- sub_policies_[7] = InvalidPolicy::GetInstance();
- DCHECK(SubPolicyIndex(net::ERR_CERT_END) == 8);
- }
-
- void OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- size_t index = SubPolicyIndex(error->cert_error());
- if (index < 0 || index >= arraysize(sub_policies_)) {
+ switch(error->cert_error()) {
+ case net::ERR_CERT_COMMON_NAME_INVALID:
+ case net::ERR_CERT_DATE_INVALID:
+ case net::ERR_CERT_AUTHORITY_INVALID:
+ OnOverridableCertError(error);
+ break;
+ case net::ERR_CERT_NO_REVOCATION_MECHANISM:
+ // Ignore this error.
+ error->ContinueRequest();
+ break;
+ case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
+ // We ignore this error and display an infobar.
+ error->ContinueRequest();
+ error->manager()->ShowMessage(l10n_util::GetString(
+ IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_INFO_BAR));
+ break;
+ case net::ERR_CERT_CONTAINS_ERRORS:
+ case net::ERR_CERT_REVOKED:
+ case net::ERR_CERT_INVALID:
+ OnFatalCertError(error);
+ break;
+ default:
NOTREACHED();
error->CancelRequest();
- return;
- }
-
- // First we check if we know the policy for this error.
- net::X509Certificate::Policy::Judgment judgment =
- error->manager()->QueryPolicy(error->ssl_info().cert,
- error->request_url().host());
-
- switch (judgment) {
- case net::X509Certificate::Policy::ALLOWED:
- // We've been told to allow this certificate.
- if (error->manager()->SetMaxSecurityStyle(
- SECURITY_STYLE_AUTHENTICATION_BROKEN)) {
- NotificationService::current()->Notify(
- NotificationType::SSL_STATE_CHANGED,
- Source<NavigationController>(error->manager()->controller()),
- Details<NavigationEntry>(
- error->manager()->controller()->GetActiveEntry()));
- }
- error->ContinueRequest();
- break;
- case net::X509Certificate::Policy::DENIED:
- // For now we handle the DENIED as the UNKNOWN, which means a blocking
- // page is shown to the user every time he comes back to the page.
- case net::X509Certificate::Policy::UNKNOWN:
- // We don't know how to handle this error. Ask our sub-policies.
- sub_policies_[index]->OnCertError(main_frame_url, error);
- break;
- default:
- NOTREACHED();
- }
+ break;
}
+}
- void OnMixedContent(NavigationController* navigation_controller,
- const GURL& main_frame_url,
- SSLManager::MixedContentHandler* mixed_content_handler) {
- PrefService* prefs = navigation_controller->profile()->GetPrefs();
- FilterPolicy::Type filter_policy = FilterPolicy::DONT_FILTER;
- if (!mixed_content_handler->manager()->
- CanShowInsecureContent(main_frame_url)) {
- filter_policy = FilterPolicy::FromInt(
- prefs->GetInteger(prefs::kMixedContentFiltering));
- }
- if (filter_policy != FilterPolicy::DONT_FILTER) {
- mixed_content_handler->manager()->ShowMessageWithLink(
- l10n_util::GetString(IDS_SSL_INFO_BAR_FILTERED_CONTENT),
- l10n_util::GetString(IDS_SSL_INFO_BAR_SHOW_CONTENT),
- new ShowUnsafeContentTask(main_frame_url, mixed_content_handler));
- }
- mixed_content_handler->StartRequest(filter_policy);
+void SSLPolicy::OnMixedContent(SSLManager::MixedContentHandler* handler) {
+ // Get the user's mixed content preference.
+ PrefService* prefs = handler->GetWebContents()->profile()->GetPrefs();
+ FilterPolicy::Type filter_policy =
+ FilterPolicy::FromInt(prefs->GetInteger(prefs::kMixedContentFiltering));
- NavigationEntry* entry = navigation_controller->GetLastCommittedEntry();
- DCHECK(entry);
- // Even though we are loading the mixed-content resource, it will not be
- // included in the page when we set the policy to FILTER_ALL or
- // FILTER_ALL_EXCEPT_IMAGES (only images and they are stamped with warning
- // icons), so we don't set the mixed-content mode in these cases.
- if (filter_policy == FilterPolicy::DONT_FILTER)
- entry->ssl().set_has_mixed_content();
+ // If the user have added an exception, doctor the |filter_policy|.
+ if (!handler->manager()->DidAllowMixedContentForHost(
+ GURL(handler->main_frame_origin()).host()))
+ filter_policy = FilterPolicy::DONT_FILTER;
- // Print a message indicating the mixed-contents resource in the console.
- const std::wstring& msg = l10n_util::GetStringF(
- IDS_MIXED_CONTENT_LOG_MESSAGE,
- UTF8ToWide(entry->url().spec()),
- UTF8ToWide(mixed_content_handler->request_url().spec()));
- mixed_content_handler->manager()->
- AddMessageToConsole(msg, MESSAGE_LEVEL_WARNING);
-
- NotificationService::current()->Notify(
- NotificationType::SSL_STATE_CHANGED,
- Source<NavigationController>(navigation_controller),
- Details<NavigationEntry>(entry));
+ if (filter_policy != FilterPolicy::DONT_FILTER) {
+ // Give the user a chance to see unfiltered content.
+ handler->manager()->ShowMessageWithLink(
+ l10n_util::GetString(IDS_SSL_INFO_BAR_FILTERED_CONTENT),
+ l10n_util::GetString(IDS_SSL_INFO_BAR_SHOW_CONTENT),
+ new ShowMixedContentTask(this, handler));
}
-
- void OnDenyCertificate(SSLManager::CertError* error) {
- size_t index = SubPolicyIndex(error->cert_error());
- if (index < 0 || index >= arraysize(sub_policies_)) {
- NOTREACHED();
- return;
- }
- sub_policies_[index]->OnDenyCertificate(error);
- }
-
- void OnAllowCertificate(SSLManager::CertError* error) {
- size_t index = SubPolicyIndex(error->cert_error());
- if (index < 0 || index >= arraysize(sub_policies_)) {
- NOTREACHED();
- return;
- }
- sub_policies_[index]->OnAllowCertificate(error);
- }
-
- private:
- // Returns the index of the sub-policy for |cert_error| in the
- // sub_policies_ array.
- int SubPolicyIndex(int cert_error) {
- // Certificate errors are negative integers from net::ERR_CERT_BEGIN
- // (inclusive) to net::ERR_CERT_END (exclusive) in *decreasing* order.
- return net::ERR_CERT_BEGIN - cert_error;
- }
- SSLPolicy* sub_policies_[net::ERR_CERT_BEGIN - net::ERR_CERT_END];
-};
-
-} // namespace
-
-SSLPolicy* SSLPolicy::GetDefaultPolicy() {
- // Lazily initialize our default policy instance.
- static SSLPolicy* default_policy = new DefaultPolicy();
- return default_policy;
+ handler->StartRequest(filter_policy);
+ AddMixedContentWarningToConsole(handler);
}
-SSLPolicy::SSLPolicy() {
-}
+void SSLPolicy::OnRequestStarted(SSLManager::RequestInfo* info) {
+ if (IsMixedContent(info->url(), info->resource_type(), info->frame_origin()))
+ UpdateStateForMixedContent(info);
-void SSLPolicy::OnCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
- // Default to secure behavior.
- error->CancelRequest();
+ if (net::IsCertStatusError(info->ssl_cert_status()))
+ UpdateStateForUnsafeContent(info);
}
-void SSLPolicy::OnRequestStarted(SSLManager* manager, const GURL& url,
- ResourceType::Type resource_type,
- int ssl_cert_id, int ssl_cert_status) {
- // These schemes never leave the browser and don't require a warning.
- if (url.SchemeIs(chrome::kDataScheme) ||
- url.SchemeIs(chrome::kJavaScriptScheme) ||
- url.SchemeIs(chrome::kAboutScheme))
- return;
+void SSLPolicy::UpdateEntry(SSLManager* manager, NavigationEntry* entry) {
+ DCHECK(entry);
- NavigationEntry* entry = manager->controller()->GetActiveEntry();
- if (!entry) {
- // We may not have an entry for cases such as the inspector.
- return;
- }
+ InitializeEntryIfNeeded(entry);
- NavigationEntry::SSLStatus& ssl = entry->ssl();
- bool changed = false;
- if (!entry->url().SchemeIsSecure() || // Current page is not secure.
- resource_type == ResourceType::MAIN_FRAME || // Main frame load.
- net::IsCertStatusError(ssl.cert_status())) { // There is already
- // an error for the main page, don't report sub-resources as unsafe
- // content.
- // No mixed/unsafe content check necessary.
+ if (!entry->url().SchemeIsSecure())
return;
- }
- if (url.SchemeIsSecure()) {
- // Check for insecure content (anything served over intranet is considered
- // insecure).
+ const std::string& host = entry->url().host();
+ if (manager->DidMarkHostAsBroken(host))
+ entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
+}
- // TODO(jcampan): bug #1178228 Disabling the broken style for intranet
- // hosts for beta as it is missing error strings (and cert status).
- // if (IsIntranetHost(url.host()) ||
- // net::IsCertStatusError(ssl_cert_status)) {
- if (net::IsCertStatusError(ssl_cert_status)) {
- // The resource is unsafe.
- if (!ssl.has_unsafe_content()) {
- changed = true;
- ssl.set_has_unsafe_content();
- manager->SetMaxSecurityStyle(SECURITY_STYLE_AUTHENTICATION_BROKEN);
- }
- }
- }
+// static
+bool SSLPolicy::IsMixedContent(const GURL& url,
+ ResourceType::Type resource_type,
+ const std::string& frame_origin) {
+ ////////////////////////////////////////////////////////////////////////////
+ // WARNING: This function is called from both the IO and UI threads. Do //
+ // not touch any non-thread-safe objects! You have been warned. //
+ ////////////////////////////////////////////////////////////////////////////
- if (changed) {
- // Only send the notification when something actually changed.
- NotificationService::current()->Notify(
- NotificationType::SSL_STATE_CHANGED,
- Source<NavigationController>(manager->controller()),
- NotificationService::NoDetails());
- }
-}
+ // We can't possibly have mixed content when loading the main frame.
+ if (resource_type == ResourceType::MAIN_FRAME)
+ return false;
-SecurityStyle SSLPolicy::GetDefaultStyle(const GURL& url) {
- // Show the secure style for HTTPS.
- if (url.SchemeIsSecure()) {
- // TODO(jcampan): bug #1178228 Disabling the broken style for intranet
- // hosts for beta as it is missing error strings (and cert status).
- // CAs issue certs for intranet hosts to anyone.
- // if (IsIntranetHost(url.host()))
- // return SECURITY_STYLE_AUTHENTICATION_BROKEN;
+ // If the frame doing the loading is already insecure, then we must have
+ // already dealt with whatever mixed content might be going on.
+ if (!GURL(frame_origin).SchemeIsSecure())
+ return false;
- return SECURITY_STYLE_AUTHENTICATED;
- }
+ // We aren't worried about mixed content if we're loading an HTTPS, about,
+ // or data URL.
+ if (HasSafeScheme(url))
+ return false;
- // Otherwise, show the unauthenticated style.
- return SECURITY_STYLE_UNAUTHENTICATED;
+ return true;
}
+void SSLPolicy::AllowMixedContent(SSLManager::MixedContentHandler* handler) {
+ std::string main_frame_host = GURL(handler->main_frame_origin()).host();
+ handler->manager()->AllowMixedContentForHost(main_frame_host);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// SSLBlockingPage::Delegate methods
+
SSLErrorInfo SSLPolicy::GetSSLErrorInfo(SSLManager::CertError* error) {
return SSLErrorInfo::CreateError(
SSLErrorInfo::NetErrorToErrorType(error->cert_error()),
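Review bot: The exception check in `SSLPolicy::OnMixedContent` looks inverted: the comment says the filter is relaxed when the user has added an exception, but `if (!handler->manager()->DidAllowMixedContentForHost(...))` sets `FilterPolicy::DONT_FILTER` for every host the user has not approved. As written, the `kMixedContentFiltering` preference would apply only after the user clicks the show-content link, so insecure sub-resources on HTTPS pages would load unfiltered by default. Dropping the negation, `if (handler->manager()->DidAllowMixedContentForHost(GURL(handler->main_frame_origin()).host()))`, matches the comment. Separately, `GetDefaultPolicy` now uses `Singleton<SSLPolicy>` while the first hunk removes `#include "base/singleton.h"`; unless another header is known to provide it, the include should stay.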
@@ -449,26 +273,21 @@
}
void SSLPolicy::OnDenyCertificate(SSLManager::CertError* error) {
- // Default behavior for rejecting a certificate.
error->CancelRequest();
error->manager()->DenyCertForHost(error->ssl_info().cert,
error->request_url().host());
}
void SSLPolicy::OnAllowCertificate(SSLManager::CertError* error) {
- // Default behavior for accepting a certificate.
- // Note that we should not call SetMaxSecurityStyle here, because the active
- // NavigationEntry has just been deleted (in HideInterstitialPage) and the
- // new NavigationEntry will not be set until DidNavigate. This is ok,
- // because the new NavigationEntry will have its max security style set
- // within DidNavigate.
error->ContinueRequest();
error->manager()->AllowCertForHost(error->ssl_info().cert,
error->request_url().host());
}
-void SSLPolicy::OnOverridableCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
+////////////////////////////////////////////////////////////////////////////////
+// Certificate Error Routines
+
+void SSLPolicy::OnOverridableCertError(SSLManager::CertError* error) {
if (error->resource_type() != ResourceType::MAIN_FRAME) {
// A sub-resource has a certificate error. The user doesn't really
// have a context for making the right decision, so block the
@@ -481,13 +300,51 @@
ShowBlockingPage(this, error);
}
-void SSLPolicy::OnFatalCertError(const GURL& main_frame_url,
- SSLManager::CertError* error) {
+void SSLPolicy::OnFatalCertError(SSLManager::CertError* error) {
if (error->resource_type() != ResourceType::MAIN_FRAME) {
error->DenyRequest();
return;
}
error->CancelRequest();
ShowErrorPage(this, error);
- // No need to degrade our security indicators because we didn't continue.
}
+
+////////////////////////////////////////////////////////////////////////////////
+// State Updating
+
+void SSLPolicy::MarkOriginAsBroken(SSLManager* manager,
+ const std::string& origin) {
+ GURL parsed_origin(origin);
+
+ // In particular, the origin "null" will be parsed as invalid.
+ if (!parsed_origin.is_valid() || !parsed_origin.SchemeIsSecure())
+ return;
+
+ manager->MarkHostAsBroken(parsed_origin.host());
+}
+
+void SSLPolicy::UpdateStateForMixedContent(SSLManager::RequestInfo* info) {
+ // The frame's origin now contains mixed content and therefore is broken.
+ MarkOriginAsBroken(info->manager(), info->frame_origin());
+
+ // The user approved a mixed content exception for the main frame's origin.
+ // That makes the main frame's origin broken too.
+ MarkOriginAsBroken(info->manager(), info->main_frame_origin());
+}
+
+void SSLPolicy::UpdateStateForUnsafeContent(SSLManager::RequestInfo* info) {
+ // This request as a broken cert, which means its host is broken.
+ info->manager()->MarkHostAsBroken(info->url().host());
+
+ if (info->resource_type() != ResourceType::MAIN_FRAME ||
+ info->resource_type() != ResourceType::SUB_FRAME) {
+ // If we're loading some sort of resource into the frame, that frame is now
+ // unsafe.
+ MarkOriginAsBroken(info->manager(), info->frame_origin());
+ }
+
+ if (info->resource_type() != ResourceType::MAIN_FRAME) {
+ // We make the main frame unsafe even if we load an unsafe sub frame.
+ MarkOriginAsBroken(info->manager(), info->main_frame_origin());
+ }
+}
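Review bot: The first condition in `UpdateStateForUnsafeContent` is always true, because `resource_type() != MAIN_FRAME || resource_type() != SUB_FRAME` holds for every resource type. The frame origin is therefore marked broken on frame loads as well, although the comment inside the branch says it is meant only for resources loaded into the frame. The test should be `info->resource_type() != ResourceType::MAIN_FRAME && info->resource_type() != ResourceType::SUB_FRAME`. The mistake errs on the conservative side (more origins marked broken, not fewer), but it makes the later `MAIN_FRAME` check harder to reason about. The comment above `MarkHostAsBroken` should read "This request has a broken cert".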
