
Side by Side Diff: third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

Issue 1731103007: Apply strict blocking of active mixed content in HTTPS subframes only (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 9 months ago
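--- a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
+++ b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2012 Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
@@ -339,23 +339,29 @@
 contextType = ContextTypeOptionallyBlockable;
 
 switch (contextType) {
 case ContextTypeOptionallyBlockable:
 allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), url);
 if (allowed)
 client->didDisplayInsecureContent();
 break;
 
 case ContextTypeBlockable: {
-// Strictly block subresources in subframes, unless all insecure
-// content is allowed.
-if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubre source(effectiveFrame, frameType)) {
+// Strictly block subresources that are mixed with respect to
+// their subframes, unless all insecure content is allowed. This
+// is to avoid the following situation: https://a.com embeds
+// https://b.com, which loads a script over insecure HTTP. The
+// user opts to allow the insecure content, thinking that they are
+// allowing an insecure script to run on https://a.com and not
+// realizing that they are in fact allowing an insecure script on
+// https://b.com.
+if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubre source(effectiveFrame, frameType) && isMixedContent(frame->securityContext()->se curityOrigin(), url)) {
 UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSub frameBlocked);
 allowed = false;
 break;
 }
 
 bool shouldAskEmbedder = !strictMode && settings && (!settings->strictly BlockBlockableMixedContent() || settings->allowRunningOfInsecureContent());
 allowed = shouldAskEmbedder && client->allowRunningInsecureContent(setti ngs && settings->allowRunningOfInsecureContent(), securityOrigin, url);
 if (allowed) {
 client->didRunInsecureContent(securityOrigin, url);
 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllow ed);
@@ -512,10 +518,10 @@
 
 // See comment in shouldBlockFetch() about loading the main resource of a su bframe.
 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry ::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
 return ContextTypeOptionallyBlockable;
 }
 
 return contextTypeFromContext(request.requestContext(), mixedFrame);
 }
 
 } // namespace blink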
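Review bot: The term added at new line 357, `isMixedContent(frame->securityContext()->securityOrigin(), url)`, tests the origin of `frame`, while the same condition decides whether this is a subframe subresource from `effectiveFrame`, and the counter on the next line is charged to `mixedFrame`. If these can name different frames, the strict block is skipped based on an origin other than the subframe the new comment describes, letting the load fall through to the embedder prompt. Either pass the same frame to both checks or state in the comment which frame's origin is meant and why. The condition also dereferences `settings` unguarded, although new lines 343 and 363 both write `settings && settings->...`; if `settings` can be null here, start the condition with `settings && !settings->allowRunningOfInsecureContent()`. The enclosing function starts and ends outside this hunk, so the definitions of `frame`, `effectiveFrame` and `mixedFrame` are not visible.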