Strictly block blockable mixed subresources in subframes

third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 42 matching lines @@
     // make sure we're not breaking the world without realizing it.
     SecurityOrigin* origin = frame->document()->securityOrigin();
     if (MixedContentChecker::isMixedContent(origin, url)) {
         if (frame->document()->securityOrigin()->protocol() != "https")
             UseCounter::count(frame, UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent);
     } else if (!SecurityOrigin::isSecure(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) {
         UseCounter::count(frame, UseCounter::MixedContentInSecureFrameThatDoesNotRestrictMixedContent);
     }
 }
 
+bool requestIsSubframeSubresource(LocalFrame* frame, WebURLRequest::FrameType frameType)
+{
+    return (frame && frame != frame->tree().top() && frameType != WebURLRequest::FrameTypeNested);
+}
+
 // static
 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url)
 {
     if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityOrigin->protocol()))
         return false;
 
     // We're in a secure context, so |url| is mixed content if it's insecure.
     return !SecurityOrigin::isSecure(url);
 }
 
@@ skipping 248 matching lines @@
         contextType = ContextTypeOptionallyBlockable;
 
     switch (contextType) {
     case ContextTypeOptionallyBlockable:
         allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
         if (allowed)
             client->didDisplayInsecureContent();
         break;
 
     case ContextTypeBlockable: {
+        // Strictly block subresources in subframes, unless all insecure
+        // content is allowed.

[felt, 2015/10/12 05:52:02]

Why is that decision being codified here? Why not ask the embedder, passing in
frame status?

[felt, 2015/10/12 05:54:07]

I just saw that you already mentioned this point, and your reason was to avoid
plumbing through the boolean (and not thinking any embedders will allow it
anyway).

But IMO it seems really odd (layering violation?) to have half the policy
decided in one place and the other half at another layer.

+        if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubresource(frame, frameType)) {
+            UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSubframeBlocked);
+            allowed = false;
+            break;
+        }
+
         bool shouldAskEmbedder = !strictMode && settings && (!settings->strictlyBlockBlockableMixedContent() || settings->allowRunningOfInsecureContent());
         allowed = shouldAskEmbedder && client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url);
         if (allowed) {
             client->didRunInsecureContent(securityOrigin, url);
             UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed);
         }
         break;
     }
 
     case ContextTypeShouldBeBlockable:
@@ skipping 114 matching lines @@
 
     // See comment in shouldBlockFetch() about loading the main resource of a subframe.
     if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
         return ContextTypeOptionallyBlockable;
     }
 
     return contextTypeFromContext(request.requestContext(), mixedFrame);
 }
 
 } // namespace blink