OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 42 matching lines...) | |
53 // make sure we're not breaking the world without realizing it. | 53 // make sure we're not breaking the world without realizing it. |
54 SecurityOrigin* origin = frame->document()->securityOrigin(); | 54 SecurityOrigin* origin = frame->document()->securityOrigin(); |
55 if (MixedContentChecker::isMixedContent(origin, url)) { | 55 if (MixedContentChecker::isMixedContent(origin, url)) { |
56 if (frame->document()->securityOrigin()->protocol() != "https") | 56 if (frame->document()->securityOrigin()->protocol() != "https") |
57 UseCounter::count(frame, UseCounter::MixedContentInNonHTTPSFrameThat RestrictsMixedContent); | 57 UseCounter::count(frame, UseCounter::MixedContentInNonHTTPSFrameThat RestrictsMixedContent); |
58 } else if (!SecurityOrigin::isSecure(url) && SchemeRegistry::shouldTreatURLS chemeAsSecure(origin->protocol())) { | 58 } else if (!SecurityOrigin::isSecure(url) && SchemeRegistry::shouldTreatURLS chemeAsSecure(origin->protocol())) { |
59 UseCounter::count(frame, UseCounter::MixedContentInSecureFrameThatDoesNo tRestrictMixedContent); | 59 UseCounter::count(frame, UseCounter::MixedContentInSecureFrameThatDoesNo tRestrictMixedContent); |
60 } | 60 } |
61 } | 61 } |
62 | 62 |
63 bool requestIsSubframeSubresource(LocalFrame* frame, WebURLRequest::FrameType fr ameType) | |
64 { | |
65 return (frame && frame != frame->tree().top() && frameType != WebURLRequest: :FrameTypeNested); | |
66 } | |
67 | |
63 // static | 68 // static |
64 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K URL& url) | 69 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K URL& url) |
65 { | 70 { |
66 if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityO rigin->protocol())) | 71 if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityO rigin->protocol())) |
67 return false; | 72 return false; |
68 | 73 |
69 // We're in a secure context, so |url| is mixed content if it's insecure. | 74 // We're in a secure context, so |url| is mixed content if it's insecure. |
70 return !SecurityOrigin::isSecure(url); | 75 return !SecurityOrigin::isSecure(url); |
71 } | 76 } |
72 | 77 |
(...skipping 248 matching lines...) | |
321 contextType = ContextTypeOptionallyBlockable; | 326 contextType = ContextTypeOptionallyBlockable; |
322 | 327 |
323 switch (contextType) { | 328 switch (contextType) { |
324 case ContextTypeOptionallyBlockable: | 329 case ContextTypeOptionallyBlockable: |
325 allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url); | 330 allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url); |
326 if (allowed) | 331 if (allowed) |
327 client->didDisplayInsecureContent(); | 332 client->didDisplayInsecureContent(); |
328 break; | 333 break; |
329 | 334 |
330 case ContextTypeBlockable: { | 335 case ContextTypeBlockable: { |
336 // Strictly block subresources in subframes, unless all insecure | |
337 // content is allowed. | |
felt
2015/10/12 05:52:02
Why is that decision being codified here? Why not
felt
2015/10/12 05:54:07
I just saw that you already mentioned this point,
| |
338 if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubre source(frame, frameType)) { | |
339 UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSub frameBlocked); | |
340 allowed = false; | |
341 break; | |
342 } | |
343 | |
331 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent()); | 344 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent()); |
332 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url); | 345 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url); |
333 if (allowed) { | 346 if (allowed) { |
334 client->didRunInsecureContent(securityOrigin, url); | 347 client->didRunInsecureContent(securityOrigin, url); |
335 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow ed); | 348 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow ed); |
336 } | 349 } |
337 break; | 350 break; |
338 } | 351 } |
339 | 352 |
340 case ContextTypeShouldBeBlockable: | 353 case ContextTypeShouldBeBlockable: |
(...skipping 114 matching lines...) | |
455 | 468 |
456 // See comment in shouldBlockFetch() about loading the main resource of a su bframe. | 469 // See comment in shouldBlockFetch() about loading the main resource of a su bframe. |
457 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry ::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) { | 470 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry ::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) { |
458 return ContextTypeOptionallyBlockable; | 471 return ContextTypeOptionallyBlockable; |
459 } | 472 } |
460 | 473 |
461 return contextTypeFromContext(request.requestContext(), mixedFrame); | 474 return contextTypeFromContext(request.requestContext(), mixedFrame); |
462 } | 475 } |
463 | 476 |
464 } // namespace blink | 477 } // namespace blink |
OLD | NEW |
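Review bot: The new subframe check at new line 338 dereferences `settings` unguarded (`!settings->allowRunningOfInsecureContent()`), while the neighbouring lines 330, 344 and 345 all test `settings &&` before using it. If `settings` can be null on this path, the mixed-content check crashes before it reaches the guarded embedder query. Folding the null test into the condition keeps the decision fail-closed, so a missing settings object blocks the subframe subresource instead of crashing: `if (!(settings && settings->allowRunningOfInsecureContent()) && requestIsSubframeSubresource(frame, frameType)) {`. The enclosing function begins in the skipped lines, so whether an earlier check already rules out a null `settings` should be confirmed there. Separately, the helper `requestIsSubframeSubresource` added at new lines 63–66 appears to be used only in this file and could be given internal linkage (`static` or an anonymous namespace).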