| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 | 31 |
| 32 #include "core/dom/Document.h" | 32 #include "core/dom/Document.h" |
| 33 #include "core/frame/LocalFrame.h" | 33 #include "core/frame/LocalFrame.h" |
| 34 #include "core/frame/Settings.h" | 34 #include "core/frame/Settings.h" |
| 35 #include "core/frame/UseCounter.h" | 35 #include "core/frame/UseCounter.h" |
| 36 #include "core/inspector/ConsoleMessage.h" | 36 #include "core/inspector/ConsoleMessage.h" |
| 37 #include "core/loader/DocumentLoader.h" | 37 #include "core/loader/DocumentLoader.h" |
| 38 #include "core/loader/FrameLoader.h" | 38 #include "core/loader/FrameLoader.h" |
| 39 #include "core/loader/FrameLoaderClient.h" | 39 #include "core/loader/FrameLoaderClient.h" |
| 40 #include "platform/RuntimeEnabledFeatures.h" | 40 #include "platform/RuntimeEnabledFeatures.h" |
| 41 #include "platform/network/ResourceRequest.h" |
| 41 #include "platform/weborigin/SchemeRegistry.h" | 42 #include "platform/weborigin/SchemeRegistry.h" |
| 42 #include "platform/weborigin/SecurityOrigin.h" | 43 #include "platform/weborigin/SecurityOrigin.h" |
| 43 #include "public/platform/Platform.h" | 44 #include "public/platform/Platform.h" |
| 44 #include "wtf/text/StringBuilder.h" | 45 #include "wtf/text/StringBuilder.h" |
| 45 | 46 |
| 46 namespace blink { | 47 namespace blink { |
| 47 | 48 |
| 48 static void measureStricterVersionOfIsMixedContent(LocalFrame* frame, const KURL
& url) | 49 static void measureStricterVersionOfIsMixedContent(LocalFrame* frame, const KURL
& url) |
| 49 { | 50 { |
| 50 // We're currently only checking for mixed content in `https://*` contexts. | 51 // We're currently only checking for mixed content in `https://*` contexts. |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 92 | 93 |
| 93 measureStricterVersionOfIsMixedContent(frame, url); | 94 measureStricterVersionOfIsMixedContent(frame, url); |
| 94 if (isMixedContent(frame->document()->securityOrigin(), url)) | 95 if (isMixedContent(frame->document()->securityOrigin(), url)) |
| 95 return frame; | 96 return frame; |
| 96 | 97 |
| 97 // No mixed content, no problem. | 98 // No mixed content, no problem. |
| 98 return nullptr; | 99 return nullptr; |
| 99 } | 100 } |
| 100 | 101 |
| 101 // static | 102 // static |
| 102 MixedContentChecker::ContextType MixedContentChecker::contextTypeFromContext(Web
URLRequest::RequestContext context, LocalFrame* frame) | 103 ResourceRequest::ContextType MixedContentChecker::contextTypeFromContext(WebURLR
equest::RequestContext context, LocalFrame* frame) |
| 103 { | 104 { |
| 104 switch (context) { | 105 switch (context) { |
| 105 // "Optionally-blockable" mixed content | 106 // "Optionally-blockable" mixed content |
| 106 case WebURLRequest::RequestContextAudio: | 107 case WebURLRequest::RequestContextAudio: |
| 107 case WebURLRequest::RequestContextFavicon: | 108 case WebURLRequest::RequestContextFavicon: |
| 108 case WebURLRequest::RequestContextImage: | 109 case WebURLRequest::RequestContextImage: |
| 109 case WebURLRequest::RequestContextVideo: | 110 case WebURLRequest::RequestContextVideo: |
| 110 return ContextTypeOptionallyBlockable; | 111 return ResourceRequest::ContextTypeOptionallyBlockable; |
| 111 | 112 |
| 112 // Plugins! Oh how dearly we love plugin-loaded content! | 113 // Plugins! Oh how dearly we love plugin-loaded content! |
| 113 case WebURLRequest::RequestContextPlugin: { | 114 case WebURLRequest::RequestContextPlugin: { |
| 114 Settings* settings = frame->settings(); | 115 Settings* settings = frame->settings(); |
| 115 return settings || settings->strictMixedContentCheckingForPlugin() ? Con
textTypeBlockable : ContextTypeOptionallyBlockable; | 116 return settings || settings->strictMixedContentCheckingForPlugin() ? Res
ourceRequest::ContextTypeBlockable : ResourceRequest::ContextTypeOptionallyBlock
able; |
| 116 } | 117 } |
| 117 | 118 |
| 118 // "Blockable" mixed content | 119 // "Blockable" mixed content |
| 119 case WebURLRequest::RequestContextBeacon: | 120 case WebURLRequest::RequestContextBeacon: |
| 120 case WebURLRequest::RequestContextCSPReport: | 121 case WebURLRequest::RequestContextCSPReport: |
| 121 case WebURLRequest::RequestContextEmbed: | 122 case WebURLRequest::RequestContextEmbed: |
| 122 case WebURLRequest::RequestContextEventSource: | 123 case WebURLRequest::RequestContextEventSource: |
| 123 case WebURLRequest::RequestContextFetch: | 124 case WebURLRequest::RequestContextFetch: |
| 124 case WebURLRequest::RequestContextFont: | 125 case WebURLRequest::RequestContextFont: |
| 125 case WebURLRequest::RequestContextForm: | 126 case WebURLRequest::RequestContextForm: |
| 126 case WebURLRequest::RequestContextFrame: | 127 case WebURLRequest::RequestContextFrame: |
| 127 case WebURLRequest::RequestContextHyperlink: | 128 case WebURLRequest::RequestContextHyperlink: |
| 128 case WebURLRequest::RequestContextIframe: | 129 case WebURLRequest::RequestContextIframe: |
| 129 case WebURLRequest::RequestContextImageSet: | 130 case WebURLRequest::RequestContextImageSet: |
| 130 case WebURLRequest::RequestContextImport: | 131 case WebURLRequest::RequestContextImport: |
| 131 case WebURLRequest::RequestContextLocation: | 132 case WebURLRequest::RequestContextLocation: |
| 132 case WebURLRequest::RequestContextManifest: | 133 case WebURLRequest::RequestContextManifest: |
| 133 case WebURLRequest::RequestContextObject: | 134 case WebURLRequest::RequestContextObject: |
| 134 case WebURLRequest::RequestContextPing: | 135 case WebURLRequest::RequestContextPing: |
| 135 case WebURLRequest::RequestContextScript: | 136 case WebURLRequest::RequestContextScript: |
| 136 case WebURLRequest::RequestContextServiceWorker: | 137 case WebURLRequest::RequestContextServiceWorker: |
| 137 case WebURLRequest::RequestContextSharedWorker: | 138 case WebURLRequest::RequestContextSharedWorker: |
| 138 case WebURLRequest::RequestContextStyle: | 139 case WebURLRequest::RequestContextStyle: |
| 139 case WebURLRequest::RequestContextSubresource: | 140 case WebURLRequest::RequestContextSubresource: |
| 140 case WebURLRequest::RequestContextTrack: | 141 case WebURLRequest::RequestContextTrack: |
| 141 case WebURLRequest::RequestContextWorker: | 142 case WebURLRequest::RequestContextWorker: |
| 142 case WebURLRequest::RequestContextXMLHttpRequest: | 143 case WebURLRequest::RequestContextXMLHttpRequest: |
| 143 case WebURLRequest::RequestContextXSLT: | 144 case WebURLRequest::RequestContextXSLT: |
| 144 return ContextTypeBlockable; | 145 return ResourceRequest::ContextTypeBlockable; |
| 145 | 146 |
| 146 // FIXME: Contexts that we should block, but don't currently. https://crbug.
com/388650 | 147 // FIXME: Contexts that we should block, but don't currently. https://crbug.
com/388650 |
| 147 case WebURLRequest::RequestContextDownload: | 148 case WebURLRequest::RequestContextDownload: |
| 148 case WebURLRequest::RequestContextInternal: | 149 case WebURLRequest::RequestContextInternal: |
| 149 case WebURLRequest::RequestContextPrefetch: | 150 case WebURLRequest::RequestContextPrefetch: |
| 150 return ContextTypeShouldBeBlockable; | 151 return ResourceRequest::ContextTypeShouldBeBlockable; |
| 151 | 152 |
| 152 case WebURLRequest::RequestContextUnspecified: | 153 case WebURLRequest::RequestContextUnspecified: |
| 153 ASSERT_NOT_REACHED(); | 154 ASSERT_NOT_REACHED(); |
| 154 } | 155 } |
| 155 ASSERT_NOT_REACHED(); | 156 ASSERT_NOT_REACHED(); |
| 156 return ContextTypeBlockable; | 157 return ResourceRequest::ContextTypeBlockable; |
| 157 } | 158 } |
| 158 | 159 |
| 159 // static | 160 // static |
| 160 const char* MixedContentChecker::typeNameFromContext(WebURLRequest::RequestConte
xt context) | 161 const char* MixedContentChecker::typeNameFromContext(WebURLRequest::RequestConte
xt context) |
| 161 { | 162 { |
| 162 switch (context) { | 163 switch (context) { |
| 163 case WebURLRequest::RequestContextAudio: | 164 case WebURLRequest::RequestContextAudio: |
| 164 return "audio file"; | 165 return "audio file"; |
| 165 case WebURLRequest::RequestContextBeacon: | 166 case WebURLRequest::RequestContextBeacon: |
| 166 return "Beacon endpoint"; | 167 return "Beacon endpoint"; |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 244 frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageS
ource, messageLevel, message)); | 245 frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageS
ource, messageLevel, message)); |
| 245 } | 246 } |
| 246 | 247 |
| 247 // static | 248 // static |
| 248 void MixedContentChecker::count(LocalFrame* frame, WebURLRequest::RequestContext
requestContext) | 249 void MixedContentChecker::count(LocalFrame* frame, WebURLRequest::RequestContext
requestContext) |
| 249 { | 250 { |
| 250 UseCounter::count(frame, UseCounter::MixedContentPresent); | 251 UseCounter::count(frame, UseCounter::MixedContentPresent); |
| 251 | 252 |
| 252 // Roll blockable content up into a single counter, count unblocked types in
dividually so we | 253 // Roll blockable content up into a single counter, count unblocked types in
dividually so we |
| 253 // can determine when they can be safely moved to the blockable category: | 254 // can determine when they can be safely moved to the blockable category: |
| 254 ContextType contextType = contextTypeFromContext(requestContext, frame); | 255 ResourceRequest::ContextType contextType = contextTypeFromContext(requestCon
text, frame); |
| 255 if (contextType == ContextTypeBlockable) { | 256 if (contextType == ResourceRequest::ContextTypeBlockable) { |
| 256 UseCounter::count(frame, UseCounter::MixedContentBlockable); | 257 UseCounter::count(frame, UseCounter::MixedContentBlockable); |
| 257 return; | 258 return; |
| 258 } | 259 } |
| 259 | 260 |
| 260 UseCounter::Feature feature; | 261 UseCounter::Feature feature; |
| 261 switch (requestContext) { | 262 switch (requestContext) { |
| 262 case WebURLRequest::RequestContextAudio: | 263 case WebURLRequest::RequestContextAudio: |
| 263 feature = UseCounter::MixedContentAudio; | 264 feature = UseCounter::MixedContentAudio; |
| 264 break; | 265 break; |
| 265 case WebURLRequest::RequestContextDownload: | 266 case WebURLRequest::RequestContextDownload: |
| (...skipping 19 matching lines...) Expand all Loading... |
| 285 break; | 286 break; |
| 286 | 287 |
| 287 default: | 288 default: |
| 288 ASSERT_NOT_REACHED(); | 289 ASSERT_NOT_REACHED(); |
| 289 return; | 290 return; |
| 290 } | 291 } |
| 291 UseCounter::count(frame, feature); | 292 UseCounter::count(frame, feature); |
| 292 } | 293 } |
| 293 | 294 |
| 294 // static | 295 // static |
| 295 bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
uestContext requestContext, WebURLRequest::FrameType frameType, const KURL& url,
MixedContentChecker::ReportingStatus reportingStatus) | 296 bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, ResourceRequest* r
equest, WebURLRequest::RequestContext requestContext, WebURLRequest::FrameType f
rameType, const KURL& url, MixedContentChecker::ReportingStatus reportingStatus) |
| 296 { | 297 { |
| 297 LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, frameType, url); | 298 LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, frameType, url); |
| 298 if (!mixedFrame) | 299 if (!mixedFrame) |
| 299 return false; | 300 return false; |
| 300 | 301 |
| 301 MixedContentChecker::count(mixedFrame, requestContext); | 302 MixedContentChecker::count(mixedFrame, requestContext); |
| 302 | 303 |
| 303 Settings* settings = mixedFrame->settings(); | 304 Settings* settings = mixedFrame->settings(); |
| 304 FrameLoaderClient* client = mixedFrame->loader().client(); | 305 FrameLoaderClient* client = mixedFrame->loader().client(); |
| 305 SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin(); | 306 SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin(); |
| 306 bool allowed = false; | 307 bool allowed = false; |
| 307 | 308 |
| 308 // If we're in strict mode, we'll automagically fail everything, and intenti
onally skip | 309 // If we're in strict mode, we'll automagically fail everything, and intenti
onally skip |
| 309 // the client checks in order to prevent degrading the site's security UI. | 310 // the client checks in order to prevent degrading the site's security UI. |
| 310 bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChe
cking() || settings->strictMixedContentChecking(); | 311 bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChe
cking() || settings->strictMixedContentChecking(); |
| 311 | 312 |
| 312 ContextType contextType = contextTypeFromContext(requestContext, mixedFrame)
; | 313 ResourceRequest::ContextType contextType = contextTypeFromContext(requestCon
text, mixedFrame); |
| 313 | 314 |
| 314 // If we're loading the main resource of a subframe, we need to take a close
look at the loaded URL. | 315 // If we're loading the main resource of a subframe, we need to take a close
look at the loaded URL. |
| 315 // If we're dealing with a CORS-enabled scheme, then block mixed frames as a
ctive content. Otherwise, | 316 // If we're dealing with a CORS-enabled scheme, then block mixed frames as a
ctive content. Otherwise, |
| 316 // treat frames as passive content. | 317 // treat frames as passive content. |
| 317 // | 318 // |
| 318 // FIXME: Remove this temporary hack once we have a reasonable API for launc
hing external applications | 319 // FIXME: Remove this temporary hack once we have a reasonable API for launc
hing external applications |
| 319 // via URLs. http://crbug.com/318788 and https://crbug.com/393481 | 320 // via URLs. http://crbug.com/318788 and https://crbug.com/393481 |
| 320 if (frameType == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTr
eatURLSchemeAsCORSEnabled(url.protocol())) | 321 if (frameType == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTr
eatURLSchemeAsCORSEnabled(url.protocol())) |
| 321 contextType = ContextTypeOptionallyBlockable; | 322 contextType = ResourceRequest::ContextTypeOptionallyBlockable; |
| 322 | 323 |
| 323 switch (contextType) { | 324 switch (contextType) { |
| 324 case ContextTypeOptionallyBlockable: | 325 case ResourceRequest::ContextTypeOptionallyBlockable: |
| 325 allowed = !strictMode && client->allowDisplayingInsecureContent(settings
&& settings->allowDisplayOfInsecureContent(), securityOrigin, url); | 326 allowed = !strictMode && client->allowDisplayingInsecureContent(settings
&& settings->allowDisplayOfInsecureContent(), securityOrigin, url); |
| 326 if (allowed) | 327 if (allowed) |
| 327 client->didDisplayInsecureContent(); | 328 client->didDisplayInsecureContent(); |
| 328 break; | 329 break; |
| 329 | 330 |
| 330 case ContextTypeBlockable: { | 331 case ResourceRequest::ContextTypeBlockable: { |
| 331 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly
BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent()); | 332 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly
BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent()); |
| 332 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti
ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url); | 333 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti
ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url); |
| 333 if (allowed) { | 334 if (allowed) { |
| 334 client->didRunInsecureContent(securityOrigin, url); | 335 client->didRunInsecureContent(securityOrigin, url); |
| 335 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow
ed); | 336 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow
ed); |
| 336 } | 337 } |
| 337 break; | 338 break; |
| 338 } | 339 } |
| 339 | 340 |
| 340 case ContextTypeShouldBeBlockable: | 341 case ResourceRequest::ContextTypeShouldBeBlockable: |
| 341 allowed = !strictMode; | 342 allowed = !strictMode; |
| 342 if (allowed) | 343 if (allowed) |
| 343 client->didDisplayInsecureContent(); | 344 client->didDisplayInsecureContent(); |
| 344 break; | 345 break; |
| 345 }; | 346 }; |
| 346 | 347 |
| 348 if (request) { |
| 349 request->setContextType(contextType); |
| 350 request->setIsMixedContent(true); |
| 351 } |
| 352 |
| 347 if (reportingStatus == SendReport) | 353 if (reportingStatus == SendReport) |
| 348 logToConsoleAboutFetch(frame, url, requestContext, allowed); | 354 logToConsoleAboutFetch(frame, url, requestContext, allowed); |
| 349 return !allowed; | 355 return !allowed; |
| 350 } | 356 } |
| 351 | 357 |
| 352 // static | 358 // static |
| 353 void MixedContentChecker::logToConsoleAboutWebSocket(LocalFrame* frame, const KU
RL& url, bool allowed) | 359 void MixedContentChecker::logToConsoleAboutWebSocket(LocalFrame* frame, const KU
RL& url, bool allowed) |
| 354 { | 360 { |
| 355 String message = String::format( | 361 String message = String::format( |
| 356 "Mixed Content: The page at '%s' was loaded over HTTPS, but attempted to
connect to the insecure WebSocket endpoint '%s'. %s", | 362 "Mixed Content: The page at '%s' was loaded over HTTPS, but attempted to
connect to the insecure WebSocket endpoint '%s'. %s", |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 421 { | 427 { |
| 422 if (!frame || !frame->document() || !frame->document()->loader()) | 428 if (!frame || !frame->document() || !frame->document()->loader()) |
| 423 return; | 429 return; |
| 424 | 430 |
| 425 // Just count these for the moment, don't block them. | 431 // Just count these for the moment, don't block them. |
| 426 if (Platform::current()->isReservedIPAddress(resourceIPAddress) && !frame->d
ocument()->isHostedInReservedIPRange()) | 432 if (Platform::current()->isReservedIPAddress(resourceIPAddress) && !frame->d
ocument()->isHostedInReservedIPRange()) |
| 427 UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHost
nameInPublicHostname); | 433 UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHost
nameInPublicHostname); |
| 428 } | 434 } |
| 429 | 435 |
| 430 } // namespace blink | 436 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1299493003:
Attach mixed content status to resource requests when sent to devtools (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master