OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
136 NOTREACHED(); | 136 NOTREACHED(); |
137 return "resource"; | 137 return "resource"; |
138 } | 138 } |
139 | 139 |
140 } // namespace | 140 } // namespace |
141 | 141 |
142 static void measureStricterVersionOfIsMixedContent(Frame* frame, | 142 static void measureStricterVersionOfIsMixedContent(Frame* frame, |
143 const KURL& url) { | 143 const KURL& url) { |
144 // We're currently only checking for mixed content in `https://*` contexts. | 144 // We're currently only checking for mixed content in `https://*` contexts. |
145 // What about other "secure" contexts the SchemeRegistry knows about? We'll | 145 // What about other "secure" contexts the SchemeRegistry knows about? We'll |
146 // use this method to measure the occurance of non-webby mixed content to make | 146 // use this method to measure the occurrence of non-webby mixed content to |
147 // sure we're not breaking the world without realizing it. | 147 // make sure we're not breaking the world without realizing it. |
148 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); | 148 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); |
149 if (MixedContentChecker::isMixedContent(origin, url)) { | 149 if (MixedContentChecker::isMixedContent(origin, url)) { |
150 if (origin->protocol() != "https") { | 150 if (origin->protocol() != "https") { |
151 UseCounter::count( | 151 UseCounter::count( |
152 frame, | 152 frame, |
153 UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent); | 153 UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent); |
154 } | 154 } |
155 } else if (!SecurityOrigin::isSecure(url) && | 155 } else if (!SecurityOrigin::isSecure(url) && |
156 SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) { | 156 SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) { |
157 UseCounter::count( | 157 UseCounter::count( |
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
287 } | 287 } |
288 | 288 |
289 // static | 289 // static |
290 bool MixedContentChecker::shouldBlockFetch( | 290 bool MixedContentChecker::shouldBlockFetch( |
291 LocalFrame* frame, | 291 LocalFrame* frame, |
292 WebURLRequest::RequestContext requestContext, | 292 WebURLRequest::RequestContext requestContext, |
293 WebURLRequest::FrameType frameType, | 293 WebURLRequest::FrameType frameType, |
294 ResourceRequest::RedirectStatus redirectStatus, | 294 ResourceRequest::RedirectStatus redirectStatus, |
295 const KURL& url, | 295 const KURL& url, |
296 MixedContentChecker::ReportingStatus reportingStatus) { | 296 MixedContentChecker::ReportingStatus reportingStatus) { |
297 // Frame-level loads are checked by the browser if PlzNavigate is enabled. No | |
298 // need to check them again here. | |
299 if (frame->settings()->getBrowserSideNavigationEnabled() && | |
300 frameType != WebURLRequest::FrameTypeNone) { | |
301 return false; | |
Mike West
2017/01/13 13:20:00
Does this change the timing of MIX and HSTS? That
carlosk
2017/01/21 02:54:59
I wasn't aware of HSTS until you mentioned it here
Mike West
2017/01/25 11:37:30
I would hope that we have tests, but I wouldn't be
| |
302 } | |
303 | |
297 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); | 304 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); |
298 Frame* mixedFrame = | 305 Frame* mixedFrame = |
299 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); | 306 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); |
300 if (!mixedFrame) | 307 if (!mixedFrame) |
301 return false; | 308 return false; |
302 | 309 |
303 MixedContentChecker::count(mixedFrame, requestContext); | 310 MixedContentChecker::count(mixedFrame, requestContext); |
304 if (ContentSecurityPolicy* policy = | 311 if (ContentSecurityPolicy* policy = |
305 frame->securityContext()->contentSecurityPolicy()) | 312 frame->securityContext()->contentSecurityPolicy()) |
306 policy->reportMixedContent(url, redirectStatus); | 313 policy->reportMixedContent(url, redirectStatus); |
(...skipping 249 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
556 if (contextType == WebMixedContentContextType::Blockable) { | 563 if (contextType == WebMixedContentContextType::Blockable) { |
557 client->didRunContentWithCertificateErrors(response.url()); | 564 client->didRunContentWithCertificateErrors(response.url()); |
558 } else { | 565 } else { |
559 // contextTypeFromRequestContext() never returns NotMixedContent (it | 566 // contextTypeFromRequestContext() never returns NotMixedContent (it |
560 // computes the type of mixed content, given that the content is mixed). | 567 // computes the type of mixed content, given that the content is mixed). |
561 DCHECK_NE(contextType, WebMixedContentContextType::NotMixedContent); | 568 DCHECK_NE(contextType, WebMixedContentContextType::NotMixedContent); |
562 client->didDisplayContentWithCertificateErrors(response.url()); | 569 client->didDisplayContentWithCertificateErrors(response.url()); |
563 } | 570 } |
564 } | 571 } |
565 | 572 |
573 // static | |
574 void MixedContentChecker::mixedContentFoundByTheBrowser( | |
575 LocalFrame* frame, | |
576 const KURL& mainResourceUrl, | |
577 const KURL& mixedContentUrl, | |
578 WebURLRequest::RequestContext requestContext, | |
579 bool wasAllowed, | |
580 bool hadRedirect) { | |
581 // Logs to the frame console. | |
582 logToConsoleAboutFetch(frame, mainResourceUrl, mixedContentUrl, | |
583 requestContext, wasAllowed); | |
584 // Reports to the CSP policy. | |
585 ContentSecurityPolicy* policy = | |
586 frame->securityContext()->contentSecurityPolicy(); | |
587 if (policy) { | |
588 policy->reportMixedContent( | |
589 mixedContentUrl, hadRedirect | |
590 ? ResourceRequest::RedirectStatus::FollowedRedirect | |
591 : ResourceRequest::RedirectStatus::NoRedirect); | |
592 } | |
593 } | |
594 | |
566 WebMixedContentContextType MixedContentChecker::contextTypeForInspector( | 595 WebMixedContentContextType MixedContentChecker::contextTypeForInspector( |
567 LocalFrame* frame, | 596 LocalFrame* frame, |
568 const ResourceRequest& request) { | 597 const ResourceRequest& request) { |
569 Frame* effectiveFrame = | 598 Frame* effectiveFrame = |
570 effectiveFrameForFrameType(frame, request.frameType()); | 599 effectiveFrameForFrameType(frame, request.frameType()); |
571 | 600 |
572 Frame* mixedFrame = inWhichFrameIsContentMixed( | 601 Frame* mixedFrame = inWhichFrameIsContentMixed( |
573 effectiveFrame, request.frameType(), request.url()); | 602 effectiveFrame, request.frameType(), request.url()); |
574 if (!mixedFrame) | 603 if (!mixedFrame) |
575 return WebMixedContentContextType::NotMixedContent; | 604 return WebMixedContentContextType::NotMixedContent; |
576 | 605 |
577 // See comment in shouldBlockFetch() about loading the main resource of a | 606 // See comment in shouldBlockFetch() about loading the main resource of a |
578 // subframe. | 607 // subframe. |
579 if (request.frameType() == WebURLRequest::FrameTypeNested && | 608 if (request.frameType() == WebURLRequest::FrameTypeNested && |
580 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( | 609 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( |
581 request.url().protocol())) { | 610 request.url().protocol())) { |
582 return WebMixedContentContextType::OptionallyBlockable; | 611 return WebMixedContentContextType::OptionallyBlockable; |
583 } | 612 } |
584 | 613 |
585 bool strictMixedContentCheckingForPlugin = | 614 bool strictMixedContentCheckingForPlugin = |
586 mixedFrame->settings() && | 615 mixedFrame->settings() && |
587 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); | 616 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); |
588 return WebMixedContent::contextTypeFromRequestContext( | 617 return WebMixedContent::contextTypeFromRequestContext( |
589 request.requestContext(), strictMixedContentCheckingForPlugin); | 618 request.requestContext(), strictMixedContentCheckingForPlugin); |
590 } | 619 } |
591 | 620 |
592 } // namespace blink | 621 } // namespace blink |
OLD | NEW |