Attach mixed content status to resource requests when sent to devtools

Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 20 matching lines @@
 
 #include "core/dom/Document.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/Settings.h"
 #include "core/frame/UseCounter.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/loader/DocumentLoader.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "platform/RuntimeEnabledFeatures.h"
+#include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/Platform.h"
 #include "wtf/text/StringBuilder.h"
 
 namespace blink {
 
 static void measureStricterVersionOfIsMixedContent(LocalFrame* frame, const KURL& url)
 {
     // We're currently only checking for mixed content in `https://*` contexts.
@@ skipping 41 matching lines @@
 
     measureStricterVersionOfIsMixedContent(frame, url);
     if (isMixedContent(frame->document()->securityOrigin(), url))
         return frame;
 
     // No mixed content, no problem.
     return nullptr;
 }
 
 // static
-MixedContentChecker::ContextType MixedContentChecker::contextTypeFromContext(WebURLRequest::RequestContext context, LocalFrame* frame)
+ResourceRequest::ContextType MixedContentChecker::contextTypeFromContext(WebURLRequest::RequestContext context, LocalFrame* frame)
 {
     switch (context) {
     // "Optionally-blockable" mixed content
     case WebURLRequest::RequestContextAudio:
     case WebURLRequest::RequestContextFavicon:
     case WebURLRequest::RequestContextImage:
     case WebURLRequest::RequestContextVideo:
-        return ContextTypeOptionallyBlockable;
+        return ResourceRequest::ContextTypeOptionallyBlockable;
 
     // Plugins! Oh how dearly we love plugin-loaded content!
     case WebURLRequest::RequestContextPlugin: {
         Settings* settings = frame->settings();
-        return settings || settings->strictMixedContentCheckingForPlugin() ? ContextTypeBlockable : ContextTypeOptionallyBlockable;
+        return settings || settings->strictMixedContentCheckingForPlugin() ? ResourceRequest::ContextTypeBlockable : ResourceRequest::ContextTypeOptionallyBlockable;
     }
 
     // "Blockable" mixed content
     case WebURLRequest::RequestContextBeacon:
     case WebURLRequest::RequestContextCSPReport:
     case WebURLRequest::RequestContextEmbed:
     case WebURLRequest::RequestContextEventSource:
     case WebURLRequest::RequestContextFetch:
     case WebURLRequest::RequestContextFont:
     case WebURLRequest::RequestContextForm:
     case WebURLRequest::RequestContextFrame:
     case WebURLRequest::RequestContextHyperlink:
     case WebURLRequest::RequestContextIframe:
     case WebURLRequest::RequestContextImageSet:
     case WebURLRequest::RequestContextImport:
     case WebURLRequest::RequestContextLocation:
     case WebURLRequest::RequestContextManifest:
     case WebURLRequest::RequestContextObject:
     case WebURLRequest::RequestContextPing:
     case WebURLRequest::RequestContextScript:
     case WebURLRequest::RequestContextServiceWorker:
     case WebURLRequest::RequestContextSharedWorker:
     case WebURLRequest::RequestContextStyle:
     case WebURLRequest::RequestContextSubresource:
     case WebURLRequest::RequestContextTrack:
     case WebURLRequest::RequestContextWorker:
     case WebURLRequest::RequestContextXMLHttpRequest:
     case WebURLRequest::RequestContextXSLT:
-        return ContextTypeBlockable;
+        return ResourceRequest::ContextTypeBlockable;
 
     // FIXME: Contexts that we should block, but don't currently. https://crbug.com/388650
     case WebURLRequest::RequestContextDownload:
     case WebURLRequest::RequestContextInternal:
     case WebURLRequest::RequestContextPrefetch:
-        return ContextTypeShouldBeBlockable;
+        return ResourceRequest::ContextTypeShouldBeBlockable;
 
     case WebURLRequest::RequestContextUnspecified:
         ASSERT_NOT_REACHED();
     }
     ASSERT_NOT_REACHED();
-    return ContextTypeBlockable;
+    return ResourceRequest::ContextTypeBlockable;
 }
 
 // static
 const char* MixedContentChecker::typeNameFromContext(WebURLRequest::RequestContext context)
 {
     switch (context) {
     case WebURLRequest::RequestContextAudio:
         return "audio file";
     case WebURLRequest::RequestContextBeacon:
         return "Beacon endpoint";
@@ skipping 77 matching lines @@
     frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, messageLevel, message));
 }
 
 // static
 void MixedContentChecker::count(LocalFrame* frame, WebURLRequest::RequestContext requestContext)
 {
     UseCounter::count(frame, UseCounter::MixedContentPresent);
 
     // Roll blockable content up into a single counter, count unblocked types individually so we
     // can determine when they can be safely moved to the blockable category:
-    ContextType contextType = contextTypeFromContext(requestContext, frame);
-    if (contextType == ContextTypeBlockable) {
+    ResourceRequest::ContextType contextType = contextTypeFromContext(requestContext, frame);
+    if (contextType == ResourceRequest::ContextTypeBlockable) {
         UseCounter::count(frame, UseCounter::MixedContentBlockable);
         return;
     }
 
     UseCounter::Feature feature;
     switch (requestContext) {
     case WebURLRequest::RequestContextAudio:
         feature = UseCounter::MixedContentAudio;
         break;
     case WebURLRequest::RequestContextDownload:
@@ skipping 19 matching lines @@
         break;
 
     default:
         ASSERT_NOT_REACHED();
         return;
     }
     UseCounter::count(frame, feature);
 }
 
 // static
-bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::RequestContext requestContext, WebURLRequest::FrameType frameType, const KURL& url, MixedContentChecker::ReportingStatus reportingStatus)
+bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, ResourceRequest* request, WebURLRequest::RequestContext requestContext, WebURLRequest::FrameType frameType, const KURL& url, MixedContentChecker::ReportingStatus reportingStatus)
 {
     LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, frameType, url);
-    if (!mixedFrame)
+    if (!mixedFrame) {
+        if (request)
+            request->setContextType(ResourceRequest::ContextTypeNotMixedContent);

[pfeldman, 2015/08/17 20:32:52]

Sorry for not taking a look at it earlier. You should not plumb it as mutable
all the way to here to set this bit. Is returning enum an option?

[estark, 2015/08/17 20:36:22]

Mike preferred setting it here on the request. If we return an enum, it would
have to be returned not just from here but also from
FrameFetchContext::canRequest().

         return false;
+    }
 
     MixedContentChecker::count(mixedFrame, requestContext);
 
     Settings* settings = mixedFrame->settings();
     FrameLoaderClient* client = mixedFrame->loader().client();
     SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin();
     bool allowed = false;
 
     // If we're in strict mode, we'll automagically fail everything, and intentionally skip
     // the client checks in order to prevent degrading the site's security UI.
     bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChecking() || settings->strictMixedContentChecking();
 
-    ContextType contextType = contextTypeFromContext(requestContext, mixedFrame);
+    ResourceRequest::ContextType contextType = contextTypeFromContext(requestContext, mixedFrame);
 
     // If we're loading the main resource of a subframe, we need to take a close look at the loaded URL.
     // If we're dealing with a CORS-enabled scheme, then block mixed frames as active content. Otherwise,
     // treat frames as passive content.
     //
     // FIXME: Remove this temporary hack once we have a reasonable API for launching external applications
     // via URLs. http://crbug.com/318788 and https://crbug.com/393481
     if (frameType == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol()))
-        contextType = ContextTypeOptionallyBlockable;
+        contextType = ResourceRequest::ContextTypeOptionallyBlockable;
 
     switch (contextType) {
-    case ContextTypeOptionallyBlockable:
+    case ResourceRequest::ContextTypeOptionallyBlockable:
         allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
         if (allowed)
             client->didDisplayInsecureContent();
         break;
 
-    case ContextTypeBlockable: {
+    case ResourceRequest::ContextTypeBlockable: {
         bool shouldAskEmbedder = !strictMode && settings && (!settings->strictlyBlockBlockableMixedContent() || settings->allowRunningOfInsecureContent());
         allowed = shouldAskEmbedder && client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url);
         if (allowed) {
             client->didRunInsecureContent(securityOrigin, url);
             UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed);
         }
         break;
     }
 
-    case ContextTypeShouldBeBlockable:
+    case ResourceRequest::ContextTypeShouldBeBlockable:
         allowed = !strictMode;
         if (allowed)
             client->didDisplayInsecureContent();
         break;
+    case ResourceRequest::ContextTypeNotMixedContent:
+        ASSERT_NOT_REACHED();
+        break;
     };
 
+    if (request)
+        request->setContextType(contextType);
+
     if (reportingStatus == SendReport)
         logToConsoleAboutFetch(frame, url, requestContext, allowed);
     return !allowed;
 }
 
 // static
 void MixedContentChecker::logToConsoleAboutWebSocket(LocalFrame* frame, const KURL& url, bool allowed)
 {
     String message = String::format(
         "Mixed Content: The page at '%s' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint '%s'. %s",
@@ skipping 64 matching lines @@
 {
     if (!frame || !frame->document() || !frame->document()->loader())
         return;
 
     // Just count these for the moment, don't block them.
     if (Platform::current()->isReservedIPAddress(resourceIPAddress) && !frame->document()->isHostedInReservedIPRange())
         UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHostnameInPublicHostname);
 }
 
 } // namespace blink