OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
339 contextType = ContextTypeOptionallyBlockable; | 339 contextType = ContextTypeOptionallyBlockable; |
340 | 340 |
341 switch (contextType) { | 341 switch (contextType) { |
342 case ContextTypeOptionallyBlockable: | 342 case ContextTypeOptionallyBlockable: |
343 allowed = !strictMode && client->allowDisplayingInsecureContent(settings
&& settings->allowDisplayOfInsecureContent(), url); | 343 allowed = !strictMode && client->allowDisplayingInsecureContent(settings
&& settings->allowDisplayOfInsecureContent(), url); |
344 if (allowed) | 344 if (allowed) |
345 client->didDisplayInsecureContent(); | 345 client->didDisplayInsecureContent(); |
346 break; | 346 break; |
347 | 347 |
348 case ContextTypeBlockable: { | 348 case ContextTypeBlockable: { |
349 // Strictly block subresources in subframes, unless all insecure | 349 // Strictly block subresources that are mixed with respect to |
350 // content is allowed. | 350 // their subframes, unless all insecure content is allowed. This |
351 if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubre
source(effectiveFrame, frameType)) { | 351 // is to avoid the following situation: https://a.com embeds |
| 352 // https://b.com, which loads a script over insecure HTTP. The |
| 353 // user opts to allow the insecure content, thinking that they are |
| 354 // allowing an insecure script to run on https://a.com and not |
| 355 // realizing that they are in fact allowing an insecure script on |
| 356 // https://b.com. |
| 357 if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubre
source(effectiveFrame, frameType) && isMixedContent(frame->securityContext()->se
curityOrigin(), url)) { |
352 UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSub
frameBlocked); | 358 UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSub
frameBlocked); |
353 allowed = false; | 359 allowed = false; |
354 break; | 360 break; |
355 } | 361 } |
356 | 362 |
357 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly
BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent()); | 363 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly
BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent()); |
358 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti
ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url); | 364 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti
ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url); |
359 if (allowed) { | 365 if (allowed) { |
360 client->didRunInsecureContent(securityOrigin, url); | 366 client->didRunInsecureContent(securityOrigin, url); |
361 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow
ed); | 367 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow
ed); |
512 | 518 |
513 // See comment in shouldBlockFetch() about loading the main resource of a su
bframe. | 519 // See comment in shouldBlockFetch() about loading the main resource of a su
bframe. |
514 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry
::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) { | 520 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry
::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) { |
515 return ContextTypeOptionallyBlockable; | 521 return ContextTypeOptionallyBlockable; |
516 } | 522 } |
517 | 523 |
518 return contextTypeFromContext(request.requestContext(), mixedFrame); | 524 return contextTypeFromContext(request.requestContext(), mixedFrame); |
519 } | 525 } |
520 | 526 |
521 } // namespace blink | 527 } // namespace blink |
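Review bot: The rewritten condition at new line 357 still dereferences `settings` without a null check, while the neighbouring lines in the same switch guard it (`settings && settings->allowDisplayOfInsecureContent()` at 343, `!strictMode && settings && (...)` at 363). Whether `settings` can be null here is not visible, because the start of the enclosing function is in the skipped lines. If it can, a fail-closed form would be `if ((!settings || !settings->allowRunningOfInsecureContent()) && requestIsSubframeSubresource(effectiveFrame, frameType) && isMixedContent(frame->securityContext()->securityOrigin(), url)) {`. Separately, the added `isMixedContent()` call takes its origin from `frame` while the subframe test on the same line uses `effectiveFrame`; if the two can differ, the comment above should say why `frame` is the right one. Since this change narrows a strict block, a regression test for the case where the subframe is itself insecure would pin the intended behaviour.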
OLD | NEW |