PlzNavigate: Move navigation-level mixed content checks to the browser.

content/browser/frame_host/mixed_content_navigation_throttle.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/frame_host/mixed_content_navigation_throttle.h"
+
+#include "base/strings/stringprintf.h"
+#include "content/browser/frame_host/frame_tree.h"
+#include "content/browser/frame_host/frame_tree_node.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/render_frame_host_delegate.h"
+#include "content/browser/renderer_host/render_view_host_impl.h"
+#include "content/common/frame_messages.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/browser/web_contents_delegate.h"
+#include "content/public/common/browser_side_navigation_policy.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/origin_util.h"
+#include "content/public/common/url_constants.h"
+#include "content/public/common/web_preferences.h"
+#include "net/base/url_util.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+#include "url/url_constants.h"
+
+namespace {
+
+using namespace content;
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+// TODO(carlosk): we have to figure out how to share schemes registered within
+// Blink's SchemeRegistry with content/browser code. Should statically defined
+// ones in Chrome/embedder come from a shared file? Should dynamically defined
+// ones from extensions register both with browser and renderer code? See
+// https://crbug.com/627502.
+bool IsSecureScheme(const std::string& scheme) {
+  // Note: default schemes for URLSchemesRegistry::secureSchemes.
+  bool result = scheme == url::kHttpsScheme || scheme == url::kAboutScheme ||
+                scheme == url::kDataScheme || scheme == url::kWssScheme;
+
+  // Note: below are the schemes registered through registerURLSchemeAsSecure.
+  // Note: here and for other scheme "registration" code below some
+  // registrations should not happen as they depend on the target being built. I
+  // tried limiting that by using platform IF-DEF-s but it is insufficient.
+
+  // Registered from content/renderer/render_thread_impl.cc.
+  result |= scheme == kChromeUIScheme;
+  // Registered from chrome/common/url_constants.cc.
+  result |= scheme == "chrome-search";
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+  // Registered from extensions/renderer/dispatcher.cc.
+  result |= scheme == "chrome-extension";
+#endif
+#if defined(OS_ANDROID)
+  // Registered from android_webview/renderer/aw_content_renderer_client.cc.
+  result |= scheme == "android-webview-video-poster";
+#endif
+  return result;
+}
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+bool HasPotentiallySecureScheme(const GURL& url) {
+  return IsSecureScheme(url.scheme());
+}
+
+// Should return the same value as SecurityOrigin::isLocal and
+// SchemeRegistry::shouldTreatURLSchemeAsLocal.
+// TODO(carlosk): Same registration problem as described in IsSecureScheme
+// applies here. See https://crbug.com/627502.
+bool HasLocalScheme(const GURL& url) {
+  // Note: default schemes for URLSchemesRegistry::localSchemes.
+  bool result = url.SchemeIs(url::kFileScheme);
+
+  // Note: below are the schemes registered through registerURLSchemeAsLocal.
+
+#if defined(OS_CHROMEOS)
+  // Registered from chrome/renderer/chrome_content_renderer_client.cc.
+  result |= url.SchemeIs(content::kExternalFileScheme);
+#endif
+#if defined(OS_ANDROID)
+  // Registered from chrome/renderer/chrome_content_renderer_client.cc and
+  // from android_webview/renderer/aw_content_renderer_client.cc.
+  result |= url.SchemeIs(url::kContentScheme);
+#endif
+
+  return result;
+}
+
+// This reflects the result of SecurityOrigin::isUnique considering the logic in
+// SecurityOrigin::create that will return unique origins for URLs that cause
+// shouldTreatAsUniqueOrigin to return true. The latter checks the scheme
+// against shouldTreatURLSchemeAsNoAccess and a few other things that don't seem
+// applicable here.
+// TODO(carlosk): Same registration problem as described in IsSecureScheme
+// applies here. See https://crbug.com/627502.
+bool IsUniqueScheme(const GURL& url) {
+  // Note: default schemes for URLSchemesRegistry::schemesWithUniqueOrigins.
+  bool result = url.SchemeIs(url::kAboutScheme) ||
+                url.SchemeIs(url::kJavaScriptScheme) ||
+                url.SchemeIs(url::kDataScheme);
+
+  // Note: below are the schemes registered through registerURLSchemeAsNoAccess.
+
+  // Registered from chrome/renderer/chrome_render_thread_observer.cc.
+  result |= url.SchemeIs("chrome-native");
+
+  return result;
+}
+
+// TODO(carlosk): Same registration problem as described in IsSecureScheme
+// applies here. See https://crbug.com/627502.
+bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) {
+  // Note: default schemes for URLSchemesRegistry::CORSEnabledSchemes.
+  bool result = url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme);
+
+  // Note: below are the schemes registered through
+  // registerURLSchemeAsCORSEnabled.
+
+  // Registered from content/renderer/render_thread_impl.cc.
+  result |= url.SchemeIs(kChromeUIScheme);
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+  // Registered from extensions/renderer/dispatcher.cc.
+  result |= url.SchemeIs("chrome-extension");
+#endif
+
+  return result;
+}
+
+// Should return the same value as SecurityOrigin::isSecure.
+bool SecurityOriginIsSecure(const GURL& url) {
+  return HasPotentiallySecureScheme(url) ||
+         (url.SchemeIsFileSystem() && url.inner_url() &&
+          HasPotentiallySecureScheme(*url.inner_url())) ||
+         (url.SchemeIsBlob() &&
+          HasPotentiallySecureScheme(GURL(url.GetContent()))) ||
+         IsOriginWhiteListedTrustworthy(url);
+}
+
+// Should return the same value as the resource URL checks made inside
+// MixedContentChecker::isMixedContent.
+bool IsUrlPotentiallySecure(const GURL& url) {
+  // TODO(carlosk): secure origin checks don't match between content and Blink
+  // hence this implementation here instead of a direct call to IsOriginSecure
+  // (in origin_util.cc). See https://crbug.com/629059.
+
+  bool is_secure = SecurityOriginIsSecure(url);
+
+  // blob: and filesystem: URLs never hit the network, and access is restricted
+  // to same-origin contexts, so they are not blocked either.
+  if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme))
+    is_secure |= true;
+
+  // These next checks mimics the behavior of
+  // SecurityOrigin::isPotentiallyTrustworthy without duplicating much of the
+  // checks already performed previously (hence this not being enclosed in
+  // another method). The logic here will consider a unique scheme secure as if
+  // SecurityOrigin::m_isUniqueOriginPotentiallyTrustworthy was true.
+  if (IsUniqueScheme(url) || HasLocalScheme(url) ||
+      net::IsLocalhost(url.HostNoBrackets()))
+    is_secure |= true;
+
+  // TODO(mkwst): Remove this once 'localhost' is no longer considered
+  // potentially trustworthy.
+  if (is_secure && url.SchemeIs(url::kHttpScheme) &&
+      net::IsLocalHostname(url.HostNoBrackets(), nullptr)) {
+    is_secure = false;
+  }
+
+  return is_secure;
+}
+
+// This method should return the same results as
+// SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent.
+bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) {
+  return origin.scheme() == url::kHttpsScheme;
+}
+
+void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl,
+                                       const GURL& mixed_content_url,
+                                       bool was_allowed,
+                                       bool for_redirect) {
+  // TODO(carlosk): the root node should never be considered mixed content for
+  // now. Once/if the browser starts also checking form submits than this will
+  // happen and this DCHECK should be updated.
+  DCHECK(handle_impl->frame_tree_node()->parent());
+  RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
+  rfh->Send(new FrameMsg_MixedContentFound(
+      rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(),
+      handle_impl->request_context_type(), was_allowed, for_redirect));
+}
+
+}  // namespace
+
+namespace content {
+
+MixedContentNavigationThrottle::MixedContentNavigationThrottle(
+    NavigationHandle* navigation_handle)
+    : NavigationThrottle(navigation_handle) {
+  DCHECK(IsBrowserSideNavigationEnabled());
+}
+
+MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() {
+  bool should_block = ShouldBlockNavigation(false);
+  return should_block ? ThrottleCheckResult::CANCEL
+                      : ThrottleCheckResult::PROCEED;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() {
+  // Upon redirects the same checks are to be executed as for requests.
+  bool should_block = ShouldBlockNavigation(true);
+  return should_block ? ThrottleCheckResult::CANCEL
+                      : ThrottleCheckResult::PROCEED;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() {
+  // TODO(carlosk): at this point we must check the final security level of
+  // the connection! Does it use an outdated protocol? See
+  // MixedContentChecker::handleCertificateError
+  return ThrottleCheckResult::PROCEED;
+}
+
+// Based off of MixedContentChecker::shouldBlockFetch.
+bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) {
+  NavigationHandleImpl* handle_impl =
+      static_cast<NavigationHandleImpl*>(navigation_handle());
+  FrameTreeNode* node = handle_impl->frame_tree_node();
+
+  // Find the parent node with mixed content, if any.
+  FrameTreeNode* mixed_content_node =
+      InWhichFrameIsContentMixed(node, handle_impl->GetURL());
+  if (!mixed_content_node) {
+    MaybeSendBlinkFeatureUsageReport();
+    return false;
+  }
+
+  // From this point on we know this is not a main frame navigation and that
+  // there is mixed-content. Now let's decide if it's OK to proceed with it.
+
+  const WebPreferences& prefs = mixed_content_node->current_frame_host()
+                                    ->render_view_host()
+                                    ->GetWebkitPreferences();
+
+  ReportBasicMixedContentFeatures(handle_impl->request_context_type(),
+                                  handle_impl->mixed_content_context_type(),
+                                  prefs);
+
+  // If we're in strict mode, we'll automagically fail everything, and
+  // intentionally skip the client/embedder checks in order to prevent degrading
+  // the site's security UI.
+  bool block_all_mixed_content = !!(
+      mixed_content_node->current_replication_state().insecure_request_policy &
+      blink::kBlockAllMixedContent);
+  bool strictMode =

[jam, 2017/01/11 16:38:06]

nit: strict_mode

[carlosk, 2017/01/11 22:15:02]

Done.

+      prefs.strict_mixed_content_checking || block_all_mixed_content;
+
+  blink::WebMixedContentContextType mixed_context_type =
+      handle_impl->mixed_content_context_type();
+
+  if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) {
+    mixed_context_type = blink::WebMixedContentContextType::OptionallyBlockable;
+  }
+
+  bool allowed = false;
+  WebContentsDelegate* web_contents_delegate =

[jam, 2017/01/11 16:38:06]

frame_host can't include web_contents for layering reasons (see comment at the
top of the DEPS file).

This should go through RenderFrameHostDelegate. So add the two new methods to
that interface, implement them in WebContentsImpl, and then call out to WCD
there

[carlosk, 2017/01/11 22:15:02]

Done.

+      handle_impl->GetWebContents()->GetDelegate();
+  RenderFrameHostDelegate* frame_host_delegate =
+      node->current_frame_host()->delegate();
+  switch (mixed_context_type) {
+    case blink::WebMixedContentContextType::OptionallyBlockable:
+      allowed = !strictMode;
+      if (allowed) {
+        web_contents_delegate->PassiveInsecureContentFound(
+            handle_impl->GetURL());
+        frame_host_delegate->DidDisplayInsecureContent();
+      }
+      break;
+
+    case blink::WebMixedContentContextType::Blockable: {
+      // Note: from the renderer side implementation it doesn't seem like we
+      // need to care about the UseCounter reporting of
+      // BlockableMixedContentInSubframeBlocked because it is only triggered for
+      // sub-resources which are not handled in the browser.
+      bool shouldAskEmbedder =
+          !strictMode && (!prefs.strictly_block_blockable_mixed_content ||
+                          prefs.allow_running_insecure_content);
+      allowed = shouldAskEmbedder &&
+                web_contents_delegate->ShouldAllowRunningInsecureContent(
+                    prefs.allow_running_insecure_content,
+                    mixed_content_node->current_origin(), handle_impl->GetURL(),
+                    handle_impl->GetWebContents());
+      if (allowed) {
+        const GURL& origin_url = mixed_content_node->current_url().GetOrigin();
+        frame_host_delegate->DidRunInsecureContent(origin_url,
+                                                   handle_impl->GetURL());
+        GetContentClient()->browser()->RecordURLMetric(
+            "ContentSettings.MixedScript.RanMixedScript", origin_url);
+        mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE_ALLOWED);
+      }
+      break;
+    }
+
+    case blink::WebMixedContentContextType::ShouldBeBlockable:
+      allowed = !strictMode;
+      if (allowed)
+        frame_host_delegate->DidDisplayInsecureContent();
+      break;
+
+    case blink::WebMixedContentContextType::NotMixedContent:
+      NOTREACHED();
+      break;
+  };
+
+  UpdateRendererOnMixedContentFound(
+      handle_impl, mixed_content_node->current_url(), allowed, for_redirect);
+  MaybeSendBlinkFeatureUsageReport();
+
+  return !allowed;
+}
+
+FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed(
+    FrameTreeNode* node,
+    const GURL& url) {
+  // Main frame navigations cannot be mixed content.
+  // TODO(carlosk): except for form submissions which will be dealt with later.
+  if (node->IsMainFrame())
+    return nullptr;
+
+  // There's no mixed content if any of these are true:
+  // - The navigated URL is potentially secure.
+  // - The root nor parent frames' origins are secure.

[jam, 2017/01/11 16:38:06]

is this supposed to read "or"?

[carlosk, 2017/01/11 22:15:02]

No but I rephrased it a bit. Apparently nor should generally come after a
neither. :)

+  FrameTreeNode* mixed_content_node = nullptr;
+  FrameTreeNode* root = node->frame_tree()->root();
+  FrameTreeNode* parent = node->parent();
+  if (!IsUrlPotentiallySecure(url)) {
+    // TODO(carlosk): don't we need to check more than just the immediate parent
+    // and the root? Is it always the case that these two are the only sources
+    // for obtaining the "origin of the security context"?
+    // See https://crbug.com/623486.
+
+    // Checks if the root or immediate parent frame's origin are secure.
+    if (DoesOriginSchemeRestricsMixedContent(root->current_origin()))
+      mixed_content_node = root;
+    else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin()))
+      mixed_content_node = parent;
+  }
+
+  // Note: This code below should behave the same way as as the two calls to
+  // measureStricterVersionOfIsMixedContent from inside
+  // MixedContentChecker::inWhichFrameIs.
+  if (mixed_content_node) {
+    // We're currently only checking for mixed content in `https://*` contexts.
+    // What about other "secure" contexts the SchemeRegistry knows about? We'll
+    // use this method to measure the occurance of non-webby mixed content to
+    // make sure we're not breaking the world without realizing it.
+    // Note: Based off of measureStricterVersionOfIsMixedContent in
+    // MixedContentChecker.cpp.
+    // TODO(carlosk): this will only ever work once we allow registration of new
+    // potentially secure schemes. crbug.com/627502
+    if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) {
+      mixed_content_features_.insert(
+          MIXED_CONTENT_IN_NON_HTTPS_FRAME_THAT_RESTRICTS_MIXED_CONTENT);
+    }
+  } else if (!SecurityOriginIsSecure(url) &&
+             (IsSecureScheme(root->current_origin().scheme()) ||
+              IsSecureScheme(parent->current_origin().scheme()))) {
+    mixed_content_features_.insert(
+        MIXED_CONTENT_IN_SECURE_FRAME_THAT_DOES_NOT_RESTRICT_MIXED_CONTENT);
+  }
+  return mixed_content_node;
+}
+
+void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() {
+  if (!mixed_content_features_.empty()) {
+    NavigationHandleImpl* handle_impl =
+        static_cast<NavigationHandleImpl*>(navigation_handle());
+    RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
+    rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(),
+                                                   mixed_content_features_));
+    mixed_content_features_.clear();
+  }
+}
+
+// Based off of MixedContentChecker::count.
+void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures(
+    RequestContextType request_context_type,
+    blink::WebMixedContentContextType mixed_content_context_type,
+    const WebPreferences& prefs) {
+  mixed_content_features_.insert(MIXED_CONTENT_PRESENT);
+
+  // Report any blockable content.
+  if (mixed_content_context_type ==
+      blink::WebMixedContentContextType::Blockable) {
+    mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE);
+    return;
+  }
+
+  // Note: as there's no mixed content checks for sub resources on the browser
+  // there should only be a subset |request_context_type| values that could ever
+  // be found here.
+  UseCounterFeature feature;
+  switch (request_context_type) {
+    case REQUEST_CONTEXT_TYPE_INTERNAL:
+      feature = MIXED_CONTENT_INTERNAL;
+      break;
+    case REQUEST_CONTEXT_TYPE_PREFETCH:
+      feature = MIXED_CONTENT_PREFETCH;
+      break;
+
+    case REQUEST_CONTEXT_TYPE_AUDIO:
+    case REQUEST_CONTEXT_TYPE_DOWNLOAD:
+    case REQUEST_CONTEXT_TYPE_FAVICON:
+    case REQUEST_CONTEXT_TYPE_IMAGE:
+    case REQUEST_CONTEXT_TYPE_PLUGIN:
+    case REQUEST_CONTEXT_TYPE_VIDEO:
+    default:
+      NOTREACHED() << "RequestContextType has value " << request_context_type
+                   << " and has WebMixedContentContextType of "
+                   << static_cast<int>(mixed_content_context_type);
+      return;
+  }
+  mixed_content_features_.insert(feature);
+}
+
+// static
+bool MixedContentNavigationThrottle::IsMixedContentForTesting(
+    const GURL& origin_url,
+    const GURL& url) {
+  const url::Origin origin(origin_url);
+  return !IsUrlPotentiallySecure(url) &&
+         DoesOriginSchemeRestricsMixedContent(origin);
+}
+
+}  // namespace content