OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/browser/frame_host/mixed_content_navigation_throttle.h" | |
6 | |
7 #include <algorithm> | |
8 | |
9 #include "base/memory/ptr_util.h" | |
10 #include "content/browser/frame_host/frame_tree.h" | |
11 #include "content/browser/frame_host/frame_tree_node.h" | |
12 #include "content/browser/frame_host/navigation_handle_impl.h" | |
13 #include "content/browser/frame_host/render_frame_host_delegate.h" | |
14 #include "content/browser/renderer_host/render_view_host_impl.h" | |
15 #include "content/common/frame_messages.h" | |
16 #include "content/public/browser/content_browser_client.h" | |
17 #include "content/public/browser/render_frame_host.h" | |
18 #include "content/public/common/browser_side_navigation_policy.h" | |
19 #include "content/public/common/content_client.h" | |
20 #include "content/public/common/origin_util.h" | |
21 #include "content/public/common/web_preferences.h" | |
22 #include "net/base/url_util.h" | |
23 #include "url/gurl.h" | |
24 #include "url/origin.h" | |
25 #include "url/url_constants.h" | |
26 #include "url/url_util.h" | |
27 | |
28 namespace { | |
29 | |
30 using namespace content; | |
31 | |
32 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. | |
33 bool IsSecureScheme(const std::string& scheme) { | |
34 const std::vector<std::string>& secure_schemes = url::GetSecureSchemes(); | |
35 return std::find(secure_schemes.begin(), secure_schemes.end(), scheme) != | |
36 secure_schemes.end(); | |
37 } | |
38 | |
39 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. | |
40 bool HasPotentiallySecureScheme(const GURL& url) { | |
41 return IsSecureScheme(url.scheme()); | |
42 } | |
43 | |
44 // Should return the same value as SecurityOrigin::isLocal (and consequentially | |
45 // SchemeRegistry::shouldTreatURLSchemeAsLocal). | |
46 bool HasLocalScheme(const GURL& url) { | |
47 const std::vector<std::string>& local_schemes = url::GetLocalSchemes(); | |
48 return std::find(local_schemes.begin(), local_schemes.end(), url.scheme()) != | |
49 local_schemes.end(); | |
50 } | |
51 | |
52 // This reflects the result expected from SecurityOrigin::isUnique (not its | |
53 // logic). It takes into account how SecurityOrigin::create might return unique | |
54 // origins for URLS that cause SchemeRegistry::shouldTreatURLSchemeAsNoAccess to | |
55 // return true. | |
56 bool IsUniqueScheme(const GURL& url) { | |
57 const std::vector<std::string>& no_access_schemes = url::GetNoAccessSchemes(); | |
58 return std::find(no_access_schemes.begin(), no_access_schemes.end(), | |
59 url.scheme()) != no_access_schemes.end(); | |
60 } | |
61 | |
62 // Should return the same value as SecurityOrigin::isLocal and | |
63 // SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled. | |
64 bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) { | |
65 const std::vector<std::string>& cors_schemes = url::GetCORSEnabledSchemes(); | |
66 return std::find(cors_schemes.begin(), cors_schemes.end(), url.scheme()) != | |
67 cors_schemes.end(); | |
68 } | |
69 | |
70 // Should return the same value as SecurityOrigin::isSecure. | |
71 bool SecurityOriginIsSecure(const GURL& url) { | |
nasko
2017/01/23 22:32:38
nit: IsOriginSecure? We don't have "SecurityOrigin
carlosk
2017/02/08 02:59:03
Done.
| |
72 return HasPotentiallySecureScheme(url) || | |
73 (url.SchemeIsFileSystem() && url.inner_url() && | |
74 HasPotentiallySecureScheme(*url.inner_url())) || | |
nasko
2017/01/23 22:32:38
Let's use a different code pattern for extracting
carlosk
2017/02/08 02:59:03
Done.
But looking at this again made me concerned
| |
75 (url.SchemeIsBlob() && | |
76 HasPotentiallySecureScheme(GURL(url.GetContent()))) || | |
77 IsOriginWhiteListedTrustworthy(url); | |
78 } | |
79 | |
80 // Should return the same value as the resource URL checks made inside | |
81 // MixedContentChecker::isMixedContent. | |
82 bool IsUrlPotentiallySecure(const GURL& url) { | |
83 // TODO(carlosk): secure origin checks don't match between content and Blink | |
84 // hence this implementation here instead of a direct call to IsOriginSecure | |
85 // (in origin_util.cc). See https://crbug.com/629059. | |
86 | |
87 bool is_secure = SecurityOriginIsSecure(url); | |
88 | |
89 // blob: and filesystem: URLs never hit the network, and access is restricted | |
90 // to same-origin contexts, so they are not blocked either. | |
nasko
2017/01/23 22:32:38
nit: no need for " either" as the rest of the comm
carlosk
2017/02/08 02:59:03
Done.
| |
91 if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme)) | |
92 is_secure |= true; | |
93 | |
94 // These next checks mimics the behavior of | |
95 // SecurityOrigin::isPotentiallyTrustworthy without duplicating much of the | |
nasko
2017/01/23 22:32:38
It is a bit sad to have this code and https://cs.c
carlosk
2017/02/08 02:59:03
Done and this method changed quite considerably be
| |
96 // checks already performed previously (hence this not being enclosed in | |
97 // another method). The logic here will consider a unique scheme to be secure | |
98 // as done when SecurityOrigin::m_isUniqueOriginPotentiallyTrustworthy is | |
99 // true. | |
100 if (IsUniqueScheme(url) || HasLocalScheme(url) || | |
nasko
2017/01/23 22:32:38
This doesn't match what isPotentiallyTrustworthy d
carlosk
2017/02/08 02:59:03
With my latest patch I tried to mirror the uniquen
| |
101 net::IsLocalhost(url.HostNoBrackets())) | |
102 is_secure |= true; | |
103 | |
104 // TODO(mkwst): Remove this once 'localhost' is no longer considered | |
105 // potentially trustworthy. | |
106 if (is_secure && url.SchemeIs(url::kHttpScheme) && | |
107 net::IsLocalHostname(url.HostNoBrackets(), nullptr)) { | |
nasko
2017/01/23 22:32:38
Why IsLocalHostname vs IsLocalhost above?
carlosk
2017/02/08 02:59:03
This is due to a CL by mkwst@ that I had to mirror
| |
108 is_secure = false; | |
109 } | |
110 | |
111 return is_secure; | |
112 } | |
113 | |
114 // This method should return the same results as | |
115 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. | |
116 bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) { | |
117 return origin.scheme() == url::kHttpsScheme; | |
118 } | |
119 | |
120 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl, | |
121 const GURL& mixed_content_url, | |
122 bool was_allowed, | |
123 bool for_redirect) { | |
124 // TODO(carlosk): the root node should never be considered as being/having | |
125 // mixed content for now. Once/if the browser should also check form submits | |
126 // for mixed content than this will be allowed to happen and this DCHECK | |
127 // should be updated. | |
128 DCHECK(handle_impl->frame_tree_node()->parent()); | |
129 RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); | |
130 rfh->Send(new FrameMsg_MixedContentFound( | |
131 rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(), | |
132 handle_impl->request_context_type(), was_allowed, for_redirect)); | |
133 } | |
134 | |
135 } // namespace | |
136 | |
137 namespace content { | |
138 | |
139 // static | |
140 std::unique_ptr<NavigationThrottle> | |
141 MixedContentNavigationThrottle::CreateThrottleForNavigation( | |
142 NavigationHandle* navigation_handle) { | |
143 if (IsBrowserSideNavigationEnabled()) | |
144 return base::WrapUnique( | |
145 new MixedContentNavigationThrottle(navigation_handle)); | |
146 return nullptr; | |
147 } | |
148 | |
149 MixedContentNavigationThrottle::MixedContentNavigationThrottle( | |
150 NavigationHandle* navigation_handle) | |
151 : NavigationThrottle(navigation_handle) { | |
152 DCHECK(IsBrowserSideNavigationEnabled()); | |
153 } | |
154 | |
155 MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {} | |
156 | |
157 ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() { | |
158 bool should_block = ShouldBlockNavigation(false); | |
159 return should_block ? ThrottleCheckResult::CANCEL | |
160 : ThrottleCheckResult::PROCEED; | |
161 } | |
162 | |
163 ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() { | |
164 // Upon redirects the same checks are to be executed as for requests. | |
165 bool should_block = ShouldBlockNavigation(true); | |
166 return should_block ? ThrottleCheckResult::CANCEL | |
167 : ThrottleCheckResult::PROCEED; | |
168 } | |
169 | |
170 ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() { | |
171 // TODO(carlosk): At this point we are about to process the request response. | |
172 // So if we ever need to, here/now it is a good moment to check for the final | |
173 // attained security level of the connection. For instance, does it use an | |
174 // outdated protocol? The implementation should be based off | |
175 // MixedContentChecker::handleCertificateError. See https://crbug.com/576270. | |
176 return ThrottleCheckResult::PROCEED; | |
177 } | |
178 | |
179 // Based off of MixedContentChecker::shouldBlockFetch. | |
180 bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) { | |
181 NavigationHandleImpl* handle_impl = | |
182 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
183 FrameTreeNode* node = handle_impl->frame_tree_node(); | |
184 | |
185 // Find the parent node where mixed content is characterized, if any. | |
186 FrameTreeNode* mixed_content_node = | |
187 InWhichFrameIsContentMixed(node, handle_impl->GetURL()); | |
188 if (!mixed_content_node) { | |
189 MaybeSendBlinkFeatureUsageReport(); | |
190 return false; | |
191 } | |
192 | |
193 // From this point on we know this is not a main frame navigation and that | |
194 // there is mixed content. Now let's decide if it's OK to proceed with it. | |
195 | |
196 const WebPreferences& prefs = mixed_content_node->current_frame_host() | |
197 ->render_view_host() | |
198 ->GetWebkitPreferences(); | |
199 | |
200 ReportBasicMixedContentFeatures(handle_impl->request_context_type(), | |
201 handle_impl->mixed_content_context_type(), | |
202 prefs); | |
203 | |
204 // If we're in strict mode, we'll automagically fail everything, and | |
205 // intentionally skip the client/embedder checks in order to prevent degrading | |
206 // the site's security UI. | |
207 bool block_all_mixed_content = !!( | |
208 mixed_content_node->current_replication_state().insecure_request_policy & | |
209 blink::kBlockAllMixedContent); | |
210 bool strict_mode = | |
211 prefs.strict_mixed_content_checking || block_all_mixed_content; | |
212 | |
213 blink::WebMixedContentContextType mixed_context_type = | |
214 handle_impl->mixed_content_context_type(); | |
215 | |
216 if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) { | |
nasko
2017/01/23 22:32:38
nit: no need of {} for one line if statements.
carlosk
2017/02/08 02:59:03
Done.
| |
217 mixed_context_type = blink::WebMixedContentContextType::OptionallyBlockable; | |
218 } | |
219 | |
220 bool allowed = false; | |
221 RenderFrameHostDelegate* frame_host_delegate = | |
222 node->current_frame_host()->delegate(); | |
223 switch (mixed_context_type) { | |
224 case blink::WebMixedContentContextType::OptionallyBlockable: | |
225 allowed = !strict_mode; | |
226 if (allowed) { | |
227 frame_host_delegate->PassiveInsecureContentFound(handle_impl->GetURL()); | |
228 frame_host_delegate->DidDisplayInsecureContent(); | |
229 } | |
230 break; | |
231 | |
232 case blink::WebMixedContentContextType::Blockable: { | |
233 // Note: from the renderer side implementation it seems like we don't need | |
234 // to care about reporting | |
235 // blink::UseCounter::BlockableMixedContentInSubframeBlocked because it is | |
236 // only triggered for sub-resources which are not checked for in the | |
237 // browser. | |
238 bool should_ask_embedder = | |
239 !strict_mode && (!prefs.strictly_block_blockable_mixed_content || | |
240 prefs.allow_running_insecure_content); | |
241 allowed = | |
242 should_ask_embedder && | |
243 frame_host_delegate->ShouldAllowRunningInsecureContent( | |
244 handle_impl->GetWebContents(), | |
245 prefs.allow_running_insecure_content, | |
246 mixed_content_node->current_origin(), handle_impl->GetURL()); | |
247 if (allowed) { | |
248 const GURL& origin_url = mixed_content_node->current_url().GetOrigin(); | |
249 frame_host_delegate->DidRunInsecureContent(origin_url, | |
250 handle_impl->GetURL()); | |
251 GetContentClient()->browser()->RecordURLMetric( | |
252 "ContentSettings.MixedScript.RanMixedScript", origin_url); | |
253 mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE_ALLOWED); | |
254 } | |
255 break; | |
256 } | |
257 | |
258 case blink::WebMixedContentContextType::ShouldBeBlockable: | |
259 allowed = !strict_mode; | |
260 if (allowed) | |
261 frame_host_delegate->DidDisplayInsecureContent(); | |
262 break; | |
263 | |
264 case blink::WebMixedContentContextType::NotMixedContent: | |
265 NOTREACHED(); | |
266 break; | |
267 }; | |
268 | |
269 UpdateRendererOnMixedContentFound( | |
270 handle_impl, mixed_content_node->current_url(), allowed, for_redirect); | |
271 MaybeSendBlinkFeatureUsageReport(); | |
272 | |
273 return !allowed; | |
274 } | |
275 | |
276 FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( | |
277 FrameTreeNode* node, | |
278 const GURL& url) { | |
279 // Main frame navigations cannot be mixed content. | |
280 // TODO(carlosk): except for form submissions which might be supported in the | |
281 // future. | |
282 if (node->IsMainFrame()) | |
283 return nullptr; | |
284 | |
285 // There's no mixed content if any of these are true: | |
286 // - The navigated URL is potentially secure. | |
287 // - Neither the root nor parent frames have secure origins. | |
288 FrameTreeNode* mixed_content_node = nullptr; | |
289 FrameTreeNode* root = node->frame_tree()->root(); | |
290 FrameTreeNode* parent = node->parent(); | |
291 if (!IsUrlPotentiallySecure(url)) { | |
292 // TODO(carlosk): we might need to check more than just the immediate parent | |
293 // and the root. See https://crbug.com/623486. | |
294 | |
295 // Checks if the root and then the immediate parent frames' origins are | |
296 // secure. | |
297 if (DoesOriginSchemeRestricsMixedContent(root->current_origin())) | |
298 mixed_content_node = root; | |
299 else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin())) | |
300 mixed_content_node = parent; | |
301 } | |
302 | |
303 // Note: The code below should behave the same way as the two calls to | |
304 // measureStricterVersionOfIsMixedContent from inside | |
305 // MixedContentChecker::inWhichFrameIs. | |
306 if (mixed_content_node) { | |
307 // We're currently only checking for mixed content in `https://*` contexts. | |
308 // What about other "secure" contexts the SchemeRegistry knows about? We'll | |
309 // use this method to measure the occurrence of non-webby mixed content to | |
310 // make sure we're not breaking the world without realizing it. | |
311 if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) { | |
312 mixed_content_features_.insert( | |
313 MIXED_CONTENT_IN_NON_HTTPS_FRAME_THAT_RESTRICTS_MIXED_CONTENT); | |
314 } | |
315 } else if (!SecurityOriginIsSecure(url) && | |
316 (IsSecureScheme(root->current_origin().scheme()) || | |
317 IsSecureScheme(parent->current_origin().scheme()))) { | |
318 mixed_content_features_.insert( | |
319 MIXED_CONTENT_IN_SECURE_FRAME_THAT_DOES_NOT_RESTRICT_MIXED_CONTENT); | |
320 } | |
321 return mixed_content_node; | |
322 } | |
323 | |
324 void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() { | |
325 if (!mixed_content_features_.empty()) { | |
326 NavigationHandleImpl* handle_impl = | |
327 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
328 RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); | |
329 rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(), | |
330 mixed_content_features_)); | |
331 mixed_content_features_.clear(); | |
332 } | |
333 } | |
334 | |
335 // Based off of MixedContentChecker::count. | |
336 void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures( | |
337 RequestContextType request_context_type, | |
338 blink::WebMixedContentContextType mixed_content_context_type, | |
339 const WebPreferences& prefs) { | |
340 mixed_content_features_.insert(MIXED_CONTENT_PRESENT); | |
341 | |
342 // Report any blockable content. | |
343 if (mixed_content_context_type == | |
344 blink::WebMixedContentContextType::Blockable) { | |
345 mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE); | |
346 return; | |
347 } | |
348 | |
349 // Note: as there's no mixed content checks for sub-resources on the browser | |
350 // side there should only be a subset of RequestContextType values that could | |
351 // ever be found here. | |
352 UseCounterFeature feature; | |
353 switch (request_context_type) { | |
354 case REQUEST_CONTEXT_TYPE_INTERNAL: | |
355 feature = MIXED_CONTENT_INTERNAL; | |
356 break; | |
357 case REQUEST_CONTEXT_TYPE_PREFETCH: | |
358 feature = MIXED_CONTENT_PREFETCH; | |
359 break; | |
360 | |
361 case REQUEST_CONTEXT_TYPE_AUDIO: | |
362 case REQUEST_CONTEXT_TYPE_DOWNLOAD: | |
363 case REQUEST_CONTEXT_TYPE_FAVICON: | |
364 case REQUEST_CONTEXT_TYPE_IMAGE: | |
365 case REQUEST_CONTEXT_TYPE_PLUGIN: | |
366 case REQUEST_CONTEXT_TYPE_VIDEO: | |
367 default: | |
368 NOTREACHED() << "RequestContextType has value " << request_context_type | |
369 << " and has WebMixedContentContextType of " | |
370 << static_cast<int>(mixed_content_context_type); | |
371 return; | |
372 } | |
373 mixed_content_features_.insert(feature); | |
374 } | |
375 | |
376 // static | |
377 bool MixedContentNavigationThrottle::IsMixedContentForTesting( | |
378 const GURL& origin_url, | |
379 const GURL& url) { | |
380 const url::Origin origin(origin_url); | |
381 return !IsUrlPotentiallySecure(url) && | |
382 DoesOriginSchemeRestricsMixedContent(origin); | |
383 } | |
384 | |
385 } // namespace content | |
OLD | NEW |