Adapt MixedContentChecker for remote frames

third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 11 matching lines @@
  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "core/loader/MixedContentChecker.h"
 
 #include "core/dom/Document.h"
+#include "core/frame/Frame.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/Settings.h"
 #include "core/frame/UseCounter.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/loader/DocumentLoader.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/Platform.h"
 #include "wtf/text/StringBuilder.h"
 
 namespace blink {
 
-static void measureStricterVersionOfIsMixedContent(LocalFrame* frame, const KURL& url)
+namespace {
+
+// When a frame is local, use its full URL to represent the main
+// resource. When the frame is remote, the full URL isn't accessible, so
+// use the origin. This function is used, for example, to determine the
+// URL to show in console messages about mixed content.
+KURL mainResourceUrlForFrame(Frame* frame)
+{
+    if (frame->isRemoteFrame())
+        return KURL(KURL(), frame->securityContext()->securityOrigin()->toString());
+    return toLocalFrame(frame)->document()->url();
+}
+
+} // namespace
+
+static void measureStricterVersionOfIsMixedContent(Frame* frame, const KURL& url)

[Mike West, 2016/01/22 12:59:21]

Thanks for the reminder that I need to look at these counters... :)

 {
     // We're currently only checking for mixed content in `https://*` contexts.
     // What about other "secure" contexts the SchemeRegistry knows about? We'll
     // use this method to measure the occurance of non-webby mixed content to
     // make sure we're not breaking the world without realizing it.
-    SecurityOrigin* origin = frame->document()->securityOrigin();
+    SecurityOrigin* origin = frame->securityContext()->securityOrigin();
     if (MixedContentChecker::isMixedContent(origin, url)) {
-        if (frame->document()->securityOrigin()->protocol() != "https")
+        if (origin->protocol() != "https")
             UseCounter::count(frame, UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent);
     } else if (!SecurityOrigin::isSecure(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) {
         UseCounter::count(frame, UseCounter::MixedContentInSecureFrameThatDoesNotRestrictMixedContent);
     }
 }
 
-bool requestIsSubframeSubresource(LocalFrame* frame, WebURLRequest::FrameType frameType)
+bool requestIsSubframeSubresource(Frame* frame, WebURLRequest::FrameType frameType)
 {
     return (frame && frame != frame->tree().top() && frameType != WebURLRequest::FrameTypeNested);
 }
 
 // static
 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url)
 {
     if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityOrigin->protocol()))
         return false;
 
     // We're in a secure context, so |url| is mixed content if it's insecure.
     return !SecurityOrigin::isSecure(url);
 }
 
 // static
-LocalFrame* MixedContentChecker::inWhichFrameIsContentMixed(LocalFrame* frame, WebURLRequest::FrameType frameType, const KURL& url)
+Frame* MixedContentChecker::inWhichFrameIsContentMixed(Frame* frame, WebURLRequest::FrameType frameType, const KURL& url)
 {
     // We only care about subresource loads; top-level navigations cannot be mixed content. Neither can frameless requests.
     if (frameType == WebURLRequest::FrameTypeTopLevel || !frame)
         return nullptr;
 
     // Check the top frame first.
     if (Frame* top = frame->tree().top()) {
-        // FIXME: We need a way to access the top-level frame's SecurityOrigin when that frame
-        // is in a different process from the current frame. Until that is done, we bail out.
-        if (!top->isLocalFrame())
-            return nullptr;
-
-        LocalFrame* localTop = toLocalFrame(top);
-        measureStricterVersionOfIsMixedContent(localTop, url);
-        if (isMixedContent(localTop->document()->securityOrigin(), url))
-            return localTop;
+        measureStricterVersionOfIsMixedContent(top, url);
+        if (isMixedContent(top->securityContext()->securityOrigin(), url))
+            return top;
     }
 
     measureStricterVersionOfIsMixedContent(frame, url);
-    if (isMixedContent(frame->document()->securityOrigin(), url))
+    if (isMixedContent(frame->securityContext()->securityOrigin(), url))
         return frame;
 
     // No mixed content, no problem.
     return nullptr;
 }
 
 // static
-MixedContentChecker::ContextType MixedContentChecker::contextTypeFromContext(WebURLRequest::RequestContext context, LocalFrame* frame)
+MixedContentChecker::ContextType MixedContentChecker::contextTypeFromContext(WebURLRequest::RequestContext context, Frame* frame)
 {
     switch (context) {
     // "Optionally-blockable" mixed content
     case WebURLRequest::RequestContextAudio:
     case WebURLRequest::RequestContextFavicon:
     case WebURLRequest::RequestContextImage:
     case WebURLRequest::RequestContextVideo:
         return ContextTypeOptionallyBlockable;
 
     // Plugins! Oh how dearly we love plugin-loaded content!
@@ skipping 114 matching lines @@
     case WebURLRequest::RequestContextXMLHttpRequest:
         return "XMLHttpRequest endpoint";
     case WebURLRequest::RequestContextXSLT:
         return "XSLT";
     }
     ASSERT_NOT_REACHED();
     return "resource";
 }
 
 // static
-void MixedContentChecker::logToConsoleAboutFetch(LocalFrame* frame, const KURL& url, WebURLRequest::RequestContext requestContext, bool allowed)
+void MixedContentChecker::logToConsoleAboutFetch(LocalFrame* frame, const KURL& mainResourceUrl, const KURL& url, WebURLRequest::RequestContext requestContext, bool allowed)
 {
     String message = String::format(
         "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an insecure %s '%s'. %s",
-        frame->document()->url().elidedString().utf8().data(), typeNameFromContext(requestContext), url.elidedString().utf8().data(),
+        mainResourceUrl.elidedString().utf8().data(), typeNameFromContext(requestContext), url.elidedString().utf8().data(),
         allowed ? "This content should also be served over HTTPS." : "This request has been blocked; the content must be served over HTTPS.");
     MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
     frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, messageLevel, message));
 }
 
 // static
-void MixedContentChecker::count(LocalFrame* frame, WebURLRequest::RequestContext requestContext)
+void MixedContentChecker::count(Frame* frame, WebURLRequest::RequestContext requestContext)
 {
     UseCounter::count(frame, UseCounter::MixedContentPresent);
 
     // Roll blockable content up into a single counter, count unblocked types individually so we
     // can determine when they can be safely moved to the blockable category:
     ContextType contextType = contextTypeFromContext(requestContext, frame);
     if (contextType == ContextTypeBlockable) {
         UseCounter::count(frame, UseCounter::MixedContentBlockable);
         return;
     }
@@ skipping 28 matching lines @@
     default:
         ASSERT_NOT_REACHED();
         return;
     }
     UseCounter::count(frame, feature);
 }
 
 // static
 bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::RequestContext requestContext, WebURLRequest::FrameType frameType, const KURL& url, MixedContentChecker::ReportingStatus reportingStatus)
 {
-    LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, frameType, url);
+    Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType);

[estark, 2016/01/21 23:35:49]

Mike: it used to be that FrameFetchContext called effectiveFrameForFrameType()
and passed the result of that in to shouldBlockFetch(). Now I'm calling it in
here because we need access to a LocalFrame here inside shouldBlockFetch(). (And
the result of effectiveFrameForFrameType() is not necessarily local.)

However, Alex pointed out that there are other shouldBlockFetch() callers that
might be affected by this change. The only callsite that I think would be
affected is WebLocalFrameImpl::checkIfRunInsecureContent()
(https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...).
We'll now end up using the parent frame for that mixed content check instead of
the local frame. However, I don't understand why that callsite uses
FrameTypeNested, and what might explode with this change. Do you have any wisdom
you can share?

[Mike West, 2016/01/22 12:59:21]

I'm pretty sure we can remove that path entirely, as I'm pretty sure I added the
comment asserting that it was wrapped up in NPAPI terribleness. Will attempt to
kill it in a separate CL: https://codereview.chromium.org/1621503003

[estark, 2016/01/22 17:37:37]

Perfect, thanks!

+    Frame* mixedFrame = inWhichFrameIsContentMixed(effectiveFrame, frameType, url);
     if (!mixedFrame)
         return false;
 
     MixedContentChecker::count(mixedFrame, requestContext);
 
     Settings* settings = mixedFrame->settings();
-    FrameLoaderClient* client = mixedFrame->loader().client();
-    SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin();
+    // Use the current local frame's client; the embedder doesn't
+    // distinguish mixed content signals from different frames on the
+    // same page.
+    FrameLoaderClient* client = frame->loader().client();
+    SecurityOrigin* securityOrigin = mixedFrame->securityContext()->securityOrigin();
     bool allowed = false;
 
     // If we're in strict mode, we'll automagically fail everything, and intentionally skip
     // the client checks in order to prevent degrading the site's security UI.
     bool strictMode = mixedFrame->securityContext()->shouldEnforceStrictMixedContentChecking() || settings->strictMixedContentChecking();
 
     ContextType contextType = contextTypeFromContext(requestContext, mixedFrame);
 
     // If we're loading the main resource of a subframe, we need to take a close look at the loaded URL.
     // If we're dealing with a CORS-enabled scheme, then block mixed frames as active content. Otherwise,
     // treat frames as passive content.
     //
     // FIXME: Remove this temporary hack once we have a reasonable API for launching external applications
     // via URLs. http://crbug.com/318788 and https://crbug.com/393481
     if (frameType == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol()))
         contextType = ContextTypeOptionallyBlockable;
 
     switch (contextType) {
     case ContextTypeOptionallyBlockable:
         allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), url);
         if (allowed)
             client->didDisplayInsecureContent();
         break;
 
     case ContextTypeBlockable: {
         // Strictly block subresources in subframes, unless all insecure
         // content is allowed.
-        if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubresource(frame, frameType)) {
+        if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubresource(effectiveFrame, frameType)) {
             UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSubframeBlocked);
             allowed = false;
             break;
         }
 
         bool shouldAskEmbedder = !strictMode && settings && (!settings->strictlyBlockBlockableMixedContent() || settings->allowRunningOfInsecureContent());
         allowed = shouldAskEmbedder && client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url);
         if (allowed) {
             client->didRunInsecureContent(securityOrigin, url);
             UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed);
         }
         break;
     }
 
     case ContextTypeShouldBeBlockable:
         allowed = !strictMode;
         if (allowed)
             client->didDisplayInsecureContent();
         break;
     case ContextTypeNotMixedContent:
         ASSERT_NOT_REACHED();
         break;
     };
 
     if (reportingStatus == SendReport)
-        logToConsoleAboutFetch(frame, url, requestContext, allowed);
+        logToConsoleAboutFetch(frame, mainResourceUrlForFrame(mixedFrame), url, requestContext, allowed);

[estark, 2016/01/21 23:35:49]

Mike: there's a small regression here that I want to make sure you're okay with.
We used to print the console log to the effective frame, but now we print it to
the local frame (since we don't right now have any way of printing a console
message to a remote frame and the effective frame might be remote). Practically
speaking, this means that if https://foo.com embeds <iframe
src="http://bar.com">, the console message about the mixed content will no
longer have a line number associated with it, because the message gets printed
to the subframe rather than the parent frame. (This is reflected in the layout
test expectations that I changed.) Do you think that's okay?

[Mike West, 2016/01/22 12:59:22]

I think that's a reasonable tradeoff. It's unfortunate that we lose the line
number in these cases, but that doesn't seem fatal.

What would be more problematic is if the console message no longer appears on
the console. I don't know off the top of my head if devtools cares what frame
the message is dumped into. If you open up Chrome with this patch, and still see
the error, then I'm happy. :)

[estark, 2016/01/22 17:37:37]

So the message does get printed to the console, but the catch is that DevTools
is currently frame-specific for OOPIFs. So you'll see the message if you inspect
the frame to which the message gets printed. There is, however, a general
DevTools refactor that'll happen at some point to make the whole thing make more
sense when OOPIFs is on. I had a thread going with site-isolation-dev@ a few
weeks ago about this; I can add you if you want to see more detail.

     return !allowed;
 }
 
 // static
-void MixedContentChecker::logToConsoleAboutWebSocket(LocalFrame* frame, const KURL& url, bool allowed)
+void MixedContentChecker::logToConsoleAboutWebSocket(LocalFrame* frame, const KURL& mainResourceUrl, const KURL& url, bool allowed)
 {
     String message = String::format(
         "Mixed Content: The page at '%s' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint '%s'. %s",
-        frame->document()->url().elidedString().utf8().data(), url.elidedString().utf8().data(),
+        mainResourceUrl.elidedString().utf8().data(), url.elidedString().utf8().data(),
         allowed ? "This endpoint should be available via WSS. Insecure access is deprecated." : "This request has been blocked; this endpoint must be available over WSS.");
     MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
     frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, messageLevel, message));
 }
 
 // static
 bool MixedContentChecker::shouldBlockWebSocket(LocalFrame* frame, const KURL& url, MixedContentChecker::ReportingStatus reportingStatus)
 {
-    LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url);
+    Frame* mixedFrame = inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url);
     if (!mixedFrame)
         return false;
 
     UseCounter::count(mixedFrame, UseCounter::MixedContentPresent);
     UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket);
 
     Settings* settings = mixedFrame->settings();
-    FrameLoaderClient* client = mixedFrame->loader().client();
-    SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin();
+    // Use the current local frame's client; the embedder doesn't
+    // distinguish mixed content signals from different frames on the
+    // same page.
+    FrameLoaderClient* client = frame->loader().client();
+    SecurityOrigin* securityOrigin = mixedFrame->securityContext()->securityOrigin();
     bool allowed = false;
 
     // If we're in strict mode, we'll automagically fail everything, and intentionally skip
     // the client checks in order to prevent degrading the site's security UI.
-    bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChecking() || settings->strictMixedContentChecking();
+    bool strictMode = mixedFrame->securityContext()->shouldEnforceStrictMixedContentChecking() || settings->strictMixedContentChecking();
     if (!strictMode) {
         bool allowedPerSettings = settings && settings->allowRunningOfInsecureContent();
         allowed = client->allowRunningInsecureContent(allowedPerSettings, securityOrigin, url);
     }
 
     if (allowed)
         client->didRunInsecureContent(securityOrigin, url);
 
     if (reportingStatus == SendReport)
-        logToConsoleAboutWebSocket(frame, url, allowed);
+        logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, allowed);
     return !allowed;
 }
 
 bool MixedContentChecker::isMixedFormAction(LocalFrame* frame, const KURL& url, ReportingStatus reportingStatus)
 {
     // For whatever reason, some folks handle forms via JavaScript, and submit to `javascript:void(0)`
     // rather than calling `preventDefault()`. We special-case `javascript:` URLs here, as they don't
     // introduce MixedContent for form submissions.
     if (url.protocolIs("javascript"))
         return false;
 
-    LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url);
+    Frame* mixedFrame = inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url);
     if (!mixedFrame)
         return false;
 
     UseCounter::count(mixedFrame, UseCounter::MixedContentPresent);
 
-    mixedFrame->loader().client()->didDisplayInsecureContent();
+    // Use the current local frame's client; the embedder doesn't
+    // distinguish mixed content signals from different frames on the
+    // same page.
+    frame->loader().client()->didDisplayInsecureContent();
 
     if (reportingStatus == SendReport) {
         String message = String::format(
             "Mixed Content: The page at '%s' was loaded over a secure connection, but contains a form which targets an insecure endpoint '%s'. This endpoint should be made available over a secure connection.",
-            frame->document()->url().elidedString().utf8().data(), url.elidedString().utf8().data());
-        mixedFrame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, WarningMessageLevel, message));
+            mainResourceUrlForFrame(mixedFrame).elidedString().utf8().data(), url.elidedString().utf8().data());
+        frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, WarningMessageLevel, message));
     }
 
     return true;
 }
 
 void MixedContentChecker::checkMixedPrivatePublic(LocalFrame* frame, const AtomicString& resourceIPAddress)
 {
     if (!frame || !frame->document() || !frame->document()->loader())
         return;
 
     // Just count these for the moment, don't block them.
     if (Platform::current()->isReservedIPAddress(resourceIPAddress) && !frame->document()->isHostedInReservedIPRange())
         UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHostnameInPublicHostname);
 }
 
-LocalFrame* MixedContentChecker::effectiveFrameForFrameType(LocalFrame* frame, WebURLRequest::FrameType frameType)
+Frame* MixedContentChecker::effectiveFrameForFrameType(LocalFrame* frame, WebURLRequest::FrameType frameType)
 {
     // If we're loading the main resource of a subframe, ensure that we check
     // against the parent of the active frame, rather than the frame itself.
-    LocalFrame* effectiveFrame = frame;
-    if (frameType == WebURLRequest::FrameTypeNested) {
-        // FIXME: Deal with RemoteFrames.
-        Frame* parentFrame = effectiveFrame->tree().parent();
-        ASSERT(parentFrame);
-        if (parentFrame->isLocalFrame())
-            effectiveFrame = toLocalFrame(parentFrame);
-    }
-    return effectiveFrame;
+    if (frameType != WebURLRequest::FrameTypeNested)
+        return frame;
+
+    Frame* parentFrame = frame->tree().parent();
+    ASSERT(parentFrame);
+    return parentFrame;
 }
 
 void MixedContentChecker::handleCertificateError(LocalFrame* frame, const ResourceRequest& request, const ResourceResponse& response)
 {
     WebURLRequest::FrameType frameType = request.frameType();
-    LocalFrame* effectiveFrame = effectiveFrameForFrameType(frame, frameType);
+    Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType);
     if (frameType == WebURLRequest::FrameTypeTopLevel || !effectiveFrame)
         return;
 
-    FrameLoaderClient* client = effectiveFrame->loader().client();
+    // TODO(estark): handle remote frames, perhaps by omitting security info when the effective frame is remote.
+    if (!effectiveFrame->isLocalFrame())
+        return;
+
+    LocalFrame* localEffectiveFrame = toLocalFrame(effectiveFrame);
+
+    // Use the current local frame's client; the embedder doesn't
+    // distinguish mixed content signals from different frames on the
+    // same page.
+    FrameLoaderClient* client = frame->loader().client();
     WebURLRequest::RequestContext requestContext = request.requestContext();
-    ContextType contextType = MixedContentChecker::contextTypeFromContext(requestContext, frame);
+    ContextType contextType = MixedContentChecker::contextTypeFromContext(requestContext, effectiveFrame);
     if (contextType == ContextTypeBlockable) {
-        client->didRunContentWithCertificateErrors(response.url(), response.getSecurityInfo(), effectiveFrame->document()->url(), effectiveFrame->loader().documentLoader()->response().getSecurityInfo());
+        client->didRunContentWithCertificateErrors(response.url(), response.getSecurityInfo(), mainResourceUrlForFrame(effectiveFrame), localEffectiveFrame->loader().documentLoader()->response().getSecurityInfo());
     } else {
         // contextTypeFromContext() never returns NotMixedContent (it
         // computes the type of mixed content, given that the content is
         // mixed).
         ASSERT(contextType != ContextTypeNotMixedContent);
-        client->didDisplayContentWithCertificateErrors(response.url(), response.getSecurityInfo(), effectiveFrame->document()->url(), effectiveFrame->loader().documentLoader()->response().getSecurityInfo());
+        client->didDisplayContentWithCertificateErrors(response.url(), response.getSecurityInfo(), mainResourceUrlForFrame(effectiveFrame), localEffectiveFrame->loader().documentLoader()->response().getSecurityInfo());
     }
 }
 
 MixedContentChecker::ContextType MixedContentChecker::contextTypeForInspector(LocalFrame* frame, const ResourceRequest& request)
 {
-    LocalFrame* effectiveFrame = effectiveFrameForFrameType(frame, request.frameType());
+    Frame* effectiveFrame = effectiveFrameForFrameType(frame, request.frameType());
 
-    LocalFrame* mixedFrame = inWhichFrameIsContentMixed(effectiveFrame, request.frameType(), request.url());
+    Frame* mixedFrame = inWhichFrameIsContentMixed(effectiveFrame, request.frameType(), request.url());
     if (!mixedFrame)
         return ContextTypeNotMixedContent;
 
     // See comment in shouldBlockFetch() about loading the main resource of a subframe.
     if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
         return ContextTypeOptionallyBlockable;
     }
 
     return contextTypeFromContext(request.requestContext(), mixedFrame);
 }
 
 } // namespace blink