PlzNavigate: Move navigation-level mixed content checks to the browser.

content/browser/frame_host/mixed_content_navigation_throttle.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/frame_host/mixed_content_navigation_throttle.h"
+
+#include "content/browser/frame_host/frame_tree.h"
+#include "content/browser/frame_host/frame_tree_node.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/render_frame_host_delegate.h"
+#include "content/browser/renderer_host/render_view_host_impl.h"
+#include "content/common/frame_messages.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/common/browser_side_navigation_policy.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/origin_util.h"
+#include "content/public/common/url_constants.h"
+#include "content/public/common/web_preferences.h"
+#include "net/base/url_util.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+#include "url/url_constants.h"
+
+namespace {
+
+using namespace content;
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+// TODO(carlosk): we have to figure out how to share schemes registered within
+// Blink's SchemeRegistry with content/browser code. Should statically defined
+// ones in Chrome/embedder come from a shared file? Should dynamically defined
+// ones from extensions register both with browser and renderer code? See
+// https://crbug.com/627502.
+bool IsSecureScheme(const std::string& scheme) {
+  // Note: default schemes for URLSchemesRegistry::secureSchemes.
+  bool result = scheme == url::kHttpsScheme || scheme == url::kAboutScheme ||
+                scheme == url::kDataScheme || scheme == url::kWssScheme;
+
+  // Note: below are the schemes registered through registerURLSchemeAsSecure.
+  // Note: here and for other scheme "registration" code below some
+  // registrations should not happen as they depend on the target being built. I
+  // tried limiting that by using platform IF-DEF-s but it is insufficient.
+
+  // Registered from content/renderer/render_thread_impl.cc.
+  result |= scheme == kChromeUIScheme;
+  // Registered from chrome/common/url_constants.cc.
+  result |= scheme == "chrome-search";
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+  // Registered from extensions/renderer/dispatcher.cc.
+  result |= scheme == "chrome-extension";
+#endif
+#if defined(OS_ANDROID)
+  // Registered from android_webview/renderer/aw_content_renderer_client.cc.
+  result |= scheme == "android-webview-video-poster";
+#endif
+  return result;
+}
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+bool HasPotentiallySecureScheme(const GURL& url) {
+  return IsSecureScheme(url.scheme());
+}
+
+// Should return the same value as SecurityOrigin::isLocal (and consequentially
+// SchemeRegistry::shouldTreatURLSchemeAsLocal).
+// TODO(carlosk): Same registration problem as described in IsSecureScheme
+// applies here. See https://crbug.com/627502.
+bool HasLocalScheme(const GURL& url) {
+  // Note: default schemes for URLSchemesRegistry::localSchemes.
+  bool result = url.SchemeIs(url::kFileScheme);
+
+  // Note: below are the schemes registered through registerURLSchemeAsLocal.
+
+#if defined(OS_CHROMEOS)
+  // Registered from chrome/renderer/chrome_content_renderer_client.cc.
+  result |= url.SchemeIs(content::kExternalFileScheme);
+#endif
+#if defined(OS_ANDROID)
+  // Registered from chrome/renderer/chrome_content_renderer_client.cc and
+  // from android_webview/renderer/aw_content_renderer_client.cc.
+  result |= url.SchemeIs(url::kContentScheme);
+#endif
+
+  return result;
+}
+
+// This reflects the result expected from SecurityOrigin::isUnique (not its
+// logic). It takes into account how SecurityOrigin::create might return unique
+// origins for URLS that cause SchemeRegistry::shouldTreatURLSchemeAsNoAccess to
+// return true.
+// TODO(carlosk): Same registration problem as described in IsSecureScheme
+// applies here. See https://crbug.com/627502.
+bool IsUniqueScheme(const GURL& url) {
+  // Note: default schemes for URLSchemesRegistry::schemesWithUniqueOrigins.
+  bool result = url.SchemeIs(url::kAboutScheme) ||
+                url.SchemeIs(url::kJavaScriptScheme) ||
+                url.SchemeIs(url::kDataScheme);
+
+  // Note: below are the schemes registered through registerURLSchemeAsNoAccess.
+
+  // Registered from chrome/renderer/chrome_render_thread_observer.cc.
+  result |= url.SchemeIs("chrome-native");
+
+  return result;
+}
+
+// Should return the same value as SecurityOrigin::isLocal and
+// SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled.
+// TODO(carlosk): Same registration problem as described in IsSecureScheme
+// applies here. See https://crbug.com/627502.
+bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) {
+  // Note: default schemes for URLSchemesRegistry::CORSEnabledSchemes.
+  bool result = url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme);
+
+  // Note: below are the schemes registered through
+  // registerURLSchemeAsCORSEnabled.
+
+  // Registered from content/renderer/render_thread_impl.cc.
+  result |= url.SchemeIs(kChromeUIScheme);
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+  // Registered from extensions/renderer/dispatcher.cc.
+  result |= url.SchemeIs("chrome-extension");
+#endif
+
+  return result;
+}
+
+// Should return the same value as SecurityOrigin::isSecure.
+bool SecurityOriginIsSecure(const GURL& url) {
+  return HasPotentiallySecureScheme(url) ||
+         (url.SchemeIsFileSystem() && url.inner_url() &&
+          HasPotentiallySecureScheme(*url.inner_url())) ||
+         (url.SchemeIsBlob() &&
+          HasPotentiallySecureScheme(GURL(url.GetContent()))) ||
+         IsOriginWhiteListedTrustworthy(url);
+}
+
+// Should return the same value as the resource URL checks made inside
+// MixedContentChecker::isMixedContent.
+bool IsUrlPotentiallySecure(const GURL& url) {
+  // TODO(carlosk): secure origin checks don't match between content and Blink
+  // hence this implementation here instead of a direct call to IsOriginSecure
+  // (in origin_util.cc). See https://crbug.com/629059.
+
+  bool is_secure = SecurityOriginIsSecure(url);
+
+  // blob: and filesystem: URLs never hit the network, and access is restricted
+  // to same-origin contexts, so they are not blocked either.
+  if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme))
+    is_secure |= true;
+
+  // These next checks mimics the behavior of
+  // SecurityOrigin::isPotentiallyTrustworthy without duplicating much of the
+  // checks already performed previously (hence this not being enclosed in
+  // another method). The logic here will consider a unique scheme to be secure
+  // as done when SecurityOrigin::m_isUniqueOriginPotentiallyTrustworthy is
+  // true.
+  if (IsUniqueScheme(url) || HasLocalScheme(url) ||
+      net::IsLocalhost(url.HostNoBrackets()))
+    is_secure |= true;
+
+  // TODO(mkwst): Remove this once 'localhost' is no longer considered
+  // potentially trustworthy.
+  if (is_secure && url.SchemeIs(url::kHttpScheme) &&
+      net::IsLocalHostname(url.HostNoBrackets(), nullptr)) {
+    is_secure = false;
+  }
+
+  return is_secure;
+}
+
+// This method should return the same results as
+// SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent.
+bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) {
+  return origin.scheme() == url::kHttpsScheme;
+}
+
+void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl,
+                                       const GURL& mixed_content_url,
+                                       bool was_allowed,
+                                       bool for_redirect) {
+  // TODO(carlosk): the root node should never be considered as being/having
+  // mixed content for now. Once/if the browser should also check form submits
+  // for mixed content than this will be allowed to happen and this DCHECK
+  // should be updated.
+  DCHECK(handle_impl->frame_tree_node()->parent());
+  RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
+  rfh->Send(new FrameMsg_MixedContentFound(
+      rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(),
+      handle_impl->request_context_type(), was_allowed, for_redirect));
+}
+
+}  // namespace
+
+namespace content {
+
+MixedContentNavigationThrottle::MixedContentNavigationThrottle(
+    NavigationHandle* navigation_handle)
+    : NavigationThrottle(navigation_handle) {
+  DCHECK(IsBrowserSideNavigationEnabled());
+}
+
+MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() {
+  bool should_block = ShouldBlockNavigation(false);
+  return should_block ? ThrottleCheckResult::CANCEL
+                      : ThrottleCheckResult::PROCEED;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() {
+  // Upon redirects the same checks are to be executed as for requests.
+  bool should_block = ShouldBlockNavigation(true);
+  return should_block ? ThrottleCheckResult::CANCEL
+                      : ThrottleCheckResult::PROCEED;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() {
+  // TODO(carlosk): At this point we are about to process the request response.
+  // So here/now it is a good moment to check for the final attained security
+  // level of the connection. For instance: does it use an outdated protocol?

[nasko, 2017/01/12 18:32:37]

nit: s/:/,/

[carlosk, 2017/01/21 02:54:58]

Done.

+  // The implementation should be based off
+  // MixedContentChecker::handleCertificateError.

[nasko, 2017/01/12 18:32:37]

Should this be fixed before we consider mixed content checking browser side
complete? Maybe put a crbug link here.

[carlosk, 2017/01/21 02:54:58]

I am honestly unsure about this. This is checked mainly when the
"DidReceiveResponse" chain of calls happen on the renderer which I think happen
normally even with PlzNavigate enabled. For PlzNavigate* the reason for moving
mixed content checking to the browser is to avoid extra IPC-round trips to the
renderer and *I think* that doesn't apply for this method.

WDYT? Should we involve clamy@ in this matter?

I clarified the comment a little and added a reference to the main issue of this
very CL. I also updated that issue's description to explain this.

(*): Mind that OOPIF has different reasons to want to move mixed content checks
to the browser so it *could* be a requirement from their side.

[carlosk, 2017/02/08 02:59:02]

Bumping this comment as I had not specific response and it might be important.

+  return ThrottleCheckResult::PROCEED;
+}
+
+// Based off of MixedContentChecker::shouldBlockFetch.
+bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) {
+  NavigationHandleImpl* handle_impl =
+      static_cast<NavigationHandleImpl*>(navigation_handle());
+  FrameTreeNode* node = handle_impl->frame_tree_node();
+
+  // Find the parent node where mixed content is characterized, if any.
+  FrameTreeNode* mixed_content_node =
+      InWhichFrameIsContentMixed(node, handle_impl->GetURL());
+  if (!mixed_content_node) {
+    MaybeSendBlinkFeatureUsageReport();
+    return false;
+  }
+
+  // From this point on we know this is not a main frame navigation and that
+  // there is mixed content. Now let's decide if it's OK to proceed with it.
+
+  const WebPreferences& prefs = mixed_content_node->current_frame_host()
+                                    ->render_view_host()
+                                    ->GetWebkitPreferences();
+
+  ReportBasicMixedContentFeatures(handle_impl->request_context_type(),
+                                  handle_impl->mixed_content_context_type(),
+                                  prefs);
+
+  // If we're in strict mode, we'll automagically fail everything, and
+  // intentionally skip the client/embedder checks in order to prevent degrading
+  // the site's security UI.
+  bool block_all_mixed_content = !!(
+      mixed_content_node->current_replication_state().insecure_request_policy &
+      blink::kBlockAllMixedContent);
+  bool strict_mode =
+      prefs.strict_mixed_content_checking || block_all_mixed_content;
+
+  blink::WebMixedContentContextType mixed_context_type =
+      handle_impl->mixed_content_context_type();
+
+  if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) {
+    mixed_context_type = blink::WebMixedContentContextType::OptionallyBlockable;
+  }
+
+  bool allowed = false;
+  RenderFrameHostDelegate* frame_host_delegate =
+      node->current_frame_host()->delegate();
+  switch (mixed_context_type) {
+    case blink::WebMixedContentContextType::OptionallyBlockable:
+      allowed = !strict_mode;
+      if (allowed) {
+        frame_host_delegate->PassiveInsecureContentFound(handle_impl->GetURL());
+        frame_host_delegate->DidDisplayInsecureContent();
+      }
+      break;
+
+    case blink::WebMixedContentContextType::Blockable: {
+      // Note: from the renderer side implementation it seems like we don't need
+      // to care about reporting
+      // blink::UseCounter::BlockableMixedContentInSubframeBlocked because it is
+      // only triggered for sub-resources which are not checked for in the
+      // browser.
+      bool shouldAskEmbedder =

[nasko, 2017/01/12 18:32:37]

nit: should_ask_embedder, this is not Blink code anymore. :)

[carlosk, 2017/01/21 02:54:58]

Done.

+          !strict_mode && (!prefs.strictly_block_blockable_mixed_content ||
+                           prefs.allow_running_insecure_content);
+      allowed = shouldAskEmbedder &&
+                frame_host_delegate->ShouldAllowRunningInsecureContent(
+                    prefs.allow_running_insecure_content,
+                    mixed_content_node->current_origin(), handle_impl->GetURL(),
+                    handle_impl->GetWebContents());
+      if (allowed) {
+        const GURL& origin_url = mixed_content_node->current_url().GetOrigin();
+        frame_host_delegate->DidRunInsecureContent(origin_url,
+                                                   handle_impl->GetURL());
+        GetContentClient()->browser()->RecordURLMetric(
+            "ContentSettings.MixedScript.RanMixedScript", origin_url);
+        mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE_ALLOWED);
+      }
+      break;
+    }
+
+    case blink::WebMixedContentContextType::ShouldBeBlockable:
+      allowed = !strict_mode;
+      if (allowed)
+        frame_host_delegate->DidDisplayInsecureContent();
+      break;
+
+    case blink::WebMixedContentContextType::NotMixedContent:
+      NOTREACHED();
+      break;
+  };
+
+  UpdateRendererOnMixedContentFound(
+      handle_impl, mixed_content_node->current_url(), allowed, for_redirect);
+  MaybeSendBlinkFeatureUsageReport();
+
+  return !allowed;
+}
+
+FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed(
+    FrameTreeNode* node,
+    const GURL& url) {
+  // Main frame navigations cannot be mixed content.
+  // TODO(carlosk): except for form submissions which might be supported in the
+  // future.
+  if (node->IsMainFrame())
+    return nullptr;
+
+  // There's no mixed content if any of these are true:
+  // - The navigated URL is potentially secure.
+  // - Neither the root nor parent frames have secure origins.
+  FrameTreeNode* mixed_content_node = nullptr;
+  FrameTreeNode* root = node->frame_tree()->root();
+  FrameTreeNode* parent = node->parent();
+  if (!IsUrlPotentiallySecure(url)) {
+    // TODO(carlosk): we might need to check more than just the immediate parent
+    // and the root. See https://crbug.com/623486.
+
+    // Checks if the root and then the immediate parent frames' origins are
+    // secure.
+    if (DoesOriginSchemeRestricsMixedContent(root->current_origin()))
+      mixed_content_node = root;
+    else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin()))
+      mixed_content_node = parent;
+  }
+
+  // Note: This code below should behave the same way as as the two calls to

[nasko, 2017/01/12 18:32:37]

nit: s/as as/as/

[carlosk, 2017/01/21 02:54:58]

Done.

+  // measureStricterVersionOfIsMixedContent from inside
+  // MixedContentChecker::inWhichFrameIs.
+  if (mixed_content_node) {
+    // We're currently only checking for mixed content in `https://*` contexts.
+    // What about other "secure" contexts the SchemeRegistry knows about? We'll
+    // use this method to measure the occurrence of non-webby mixed content to
+    // make sure we're not breaking the world without realizing it.
+    if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) {
+      mixed_content_features_.insert(
+          MIXED_CONTENT_IN_NON_HTTPS_FRAME_THAT_RESTRICTS_MIXED_CONTENT);
+    }
+  } else if (!SecurityOriginIsSecure(url) &&
+             (IsSecureScheme(root->current_origin().scheme()) ||
+              IsSecureScheme(parent->current_origin().scheme()))) {
+    mixed_content_features_.insert(
+        MIXED_CONTENT_IN_SECURE_FRAME_THAT_DOES_NOT_RESTRICT_MIXED_CONTENT);
+  }
+  return mixed_content_node;
+}
+
+void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() {
+  if (!mixed_content_features_.empty()) {
+    NavigationHandleImpl* handle_impl =
+        static_cast<NavigationHandleImpl*>(navigation_handle());
+    RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();

[nasko, 2017/01/12 18:32:37]

Is the current RFH the correct place to always report these?

[carlosk, 2017/01/21 02:54:58]

It shouldn't really matter what frame this is reported to as on the renderer
these values are stored at the page level (UseCounter is a member of the Page
instance). See this UseCounter::count [1] implementation.

[1]
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/Use...

+    rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(),
+                                                   mixed_content_features_));
+    mixed_content_features_.clear();
+  }
+}
+
+// Based off of MixedContentChecker::count.
+void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures(
+    RequestContextType request_context_type,
+    blink::WebMixedContentContextType mixed_content_context_type,
+    const WebPreferences& prefs) {
+  mixed_content_features_.insert(MIXED_CONTENT_PRESENT);
+
+  // Report any blockable content.
+  if (mixed_content_context_type ==
+      blink::WebMixedContentContextType::Blockable) {
+    mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE);
+    return;
+  }
+
+  // Note: as there's no mixed content checks for sub resources on the browser

[nasko, 2017/01/12 18:32:37]

nit: sub-resources or subresources, "browser side"

[carlosk, 2017/01/21 02:54:58]

Done.

+  // there should only be a subset of RequestContextType values that could ever
+  // be found here.
+  UseCounterFeature feature;
+  switch (request_context_type) {
+    case REQUEST_CONTEXT_TYPE_INTERNAL:
+      feature = MIXED_CONTENT_INTERNAL;
+      break;
+    case REQUEST_CONTEXT_TYPE_PREFETCH:
+      feature = MIXED_CONTENT_PREFETCH;
+      break;
+
+    case REQUEST_CONTEXT_TYPE_AUDIO:
+    case REQUEST_CONTEXT_TYPE_DOWNLOAD:
+    case REQUEST_CONTEXT_TYPE_FAVICON:
+    case REQUEST_CONTEXT_TYPE_IMAGE:
+    case REQUEST_CONTEXT_TYPE_PLUGIN:
+    case REQUEST_CONTEXT_TYPE_VIDEO:
+    default:
+      NOTREACHED() << "RequestContextType has value " << request_context_type
+                   << " and has WebMixedContentContextType of "
+                   << static_cast<int>(mixed_content_context_type);
+      return;
+  }
+  mixed_content_features_.insert(feature);
+}
+
+// static
+bool MixedContentNavigationThrottle::IsMixedContentForTesting(
+    const GURL& origin_url,
+    const GURL& url) {
+  const url::Origin origin(origin_url);
+  return !IsUrlPotentiallySecure(url) &&
+         DoesOriginSchemeRestricsMixedContent(origin);
+}
+
+}  // namespace content