OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/browser/frame_host/mixed_content_navigation_throttle.h" | |
6 | |
7 #include "base/memory/ptr_util.h" | |
8 #include "base/stl_util.h" | |
9 #include "content/browser/frame_host/frame_tree.h" | |
10 #include "content/browser/frame_host/frame_tree_node.h" | |
11 #include "content/browser/frame_host/navigation_handle_impl.h" | |
12 #include "content/browser/frame_host/render_frame_host_delegate.h" | |
13 #include "content/browser/renderer_host/render_view_host_impl.h" | |
14 #include "content/common/frame_messages.h" | |
15 #include "content/public/browser/content_browser_client.h" | |
16 #include "content/public/browser/render_frame_host.h" | |
17 #include "content/public/common/browser_side_navigation_policy.h" | |
18 #include "content/public/common/content_client.h" | |
19 #include "content/public/common/origin_util.h" | |
20 #include "content/public/common/web_preferences.h" | |
21 #include "net/base/url_util.h" | |
22 #include "url/gurl.h" | |
23 #include "url/origin.h" | |
24 #include "url/url_constants.h" | |
25 #include "url/url_util.h" | |
26 | |
27 namespace { | |
28 | |
29 using namespace content; | |
30 | |
31 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. | |
32 bool IsSecureScheme(const std::string& scheme) { | |
33 return base::ContainsValue(url::GetSecureSchemes(), scheme); | |
34 } | |
35 | |
36 // Should return the same value as SecurityOrigin::isLocal and | |
37 // SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled. | |
38 bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) { | |
39 return base::ContainsValue(url::GetCORSEnabledSchemes(), url.scheme()); | |
40 } | |
41 | |
42 // Should return the same value as SecurityOrigin::isSecure. | |
43 // TODO(carlosk): secure origin checks don't match between content and Blink | |
44 // hence this implementation here instead of a direct call to IsOriginSecure (in | |
45 // origin_util.cc). See https://crbug.com/629059. | |
46 bool IsOriginSecure(const GURL& url) { | |
47 if (IsSecureScheme(url.scheme())) | |
48 return true; | |
49 | |
50 if (url.SchemeIsFileSystem() || url.SchemeIsBlob()) { | |
51 // Should use inner URL. | |
52 url::Origin origin(url); | |
53 if (IsSecureScheme(origin.scheme())) | |
54 return true; | |
55 } | |
56 | |
57 return IsOriginWhiteListedTrustworthy(url::Origin(url)); | |
58 } | |
59 | |
60 // Should return the same value as the resource URL checks assigned to | |
61 // |isAllowed| made inside MixedContentChecker::isMixedContent. | |
62 bool IsUrlPotentiallySecure(const GURL& url) { | |
63 // blob: and filesystem: URLs never hit the network, and access is restricted | |
64 // to same-origin contexts, so they are not blocked. | |
65 bool is_secure = | |
66 url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme) || | |
67 IsOriginSecure(url) || IsPotentiallyTrustworthyOrigin(url::Origin(url)); | |
68 | |
69 // TODO(mkwst): Remove this once the following draft is implemented: | |
70 // https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-03. See: | |
71 // https://crbug.com/691930. | |
72 if (is_secure && url.SchemeIs(url::kHttpScheme) && | |
73 net::IsLocalHostname(url.HostNoBrackets(), nullptr)) { | |
74 is_secure = false; | |
75 } | |
76 | |
77 return is_secure; | |
78 } | |
79 | |
80 // This method should return the same results as | |
81 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. | |
82 bool DoesOriginSchemeRestrictsMixedContent(const url::Origin& origin) { | |
nasko
2017/02/15 17:41:39
minor nit: Does takes off the 's' suffix from verb
carlosk
2017/02/15 21:46:31
Done.
| |
83 return origin.scheme() == url::kHttpsScheme; | |
84 } | |
85 | |
86 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* navigation_handle, | |
87 const GURL& mixed_content_url, | |
88 bool was_allowed, | |
89 bool for_redirect) { | |
90 // TODO(carlosk): the root node should never be considered as being/having | |
91 // mixed content for now. Once/if the browser should also check form submits | |
92 // for mixed content than this will be allowed to happen and this DCHECK | |
93 // should be updated. | |
94 DCHECK(navigation_handle->frame_tree_node()->parent()); | |
95 RenderFrameHost* rfh = | |
96 navigation_handle->frame_tree_node()->current_frame_host(); | |
97 rfh->Send(new FrameMsg_MixedContentFound( | |
98 rfh->GetRoutingID(), mixed_content_url, navigation_handle->GetURL(), | |
99 navigation_handle->request_context_type(), was_allowed, for_redirect)); | |
100 } | |
101 | |
102 } // namespace | |
103 | |
104 namespace content { | |
105 | |
106 // static | |
107 std::unique_ptr<NavigationThrottle> | |
108 MixedContentNavigationThrottle::CreateThrottleForNavigation( | |
109 NavigationHandle* navigation_handle) { | |
110 if (IsBrowserSideNavigationEnabled()) | |
111 return base::WrapUnique( | |
112 new MixedContentNavigationThrottle(navigation_handle)); | |
113 return nullptr; | |
114 } | |
115 | |
116 MixedContentNavigationThrottle::MixedContentNavigationThrottle( | |
117 NavigationHandle* navigation_handle) | |
118 : NavigationThrottle(navigation_handle) { | |
119 DCHECK(IsBrowserSideNavigationEnabled()); | |
120 } | |
121 | |
122 MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {} | |
123 | |
124 ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() { | |
125 bool should_block = ShouldBlockNavigation(false); | |
126 return should_block ? ThrottleCheckResult::CANCEL | |
127 : ThrottleCheckResult::PROCEED; | |
128 } | |
129 | |
130 ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() { | |
131 // Upon redirects the same checks are to be executed as for requests. | |
132 bool should_block = ShouldBlockNavigation(true); | |
133 return should_block ? ThrottleCheckResult::CANCEL | |
134 : ThrottleCheckResult::PROCEED; | |
135 } | |
136 | |
137 ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() { | |
138 // TODO(carlosk): At this point we are about to process the request response. | |
139 // So if we ever need to, here/now it is a good moment to check for the final | |
140 // attained security level of the connection. For instance, does it use an | |
141 // outdated protocol? The implementation should be based off | |
142 // MixedContentChecker::handleCertificateError. See https://crbug.com/576270. | |
143 return ThrottleCheckResult::PROCEED; | |
144 } | |
145 | |
146 // Based off of MixedContentChecker::shouldBlockFetch. | |
147 bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) { | |
148 NavigationHandleImpl* handle_impl = | |
149 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
150 FrameTreeNode* node = handle_impl->frame_tree_node(); | |
151 | |
152 // Find the parent node where mixed content is characterized, if any. | |
153 FrameTreeNode* mixed_content_node = | |
154 InWhichFrameIsContentMixed(node, handle_impl->GetURL()); | |
155 if (!mixed_content_node) { | |
156 MaybeSendBlinkFeatureUsageReport(); | |
157 return false; | |
158 } | |
159 | |
160 // From this point on we know this is not a main frame navigation and that | |
161 // there is mixed content. Now let's decide if it's OK to proceed with it. | |
162 const WebPreferences& prefs = mixed_content_node->current_frame_host() | |
163 ->render_view_host() | |
164 ->GetWebkitPreferences(); | |
165 | |
166 ReportBasicMixedContentFeatures(handle_impl->request_context_type(), | |
167 handle_impl->mixed_content_context_type(), | |
168 prefs); | |
169 | |
170 // If we're in strict mode, we'll automagically fail everything, and | |
171 // intentionally skip the client/embedder checks in order to prevent degrading | |
172 // the site's security UI. | |
173 bool block_all_mixed_content = !!( | |
174 mixed_content_node->current_replication_state().insecure_request_policy & | |
175 blink::kBlockAllMixedContent); | |
176 bool strict_mode = | |
177 prefs.strict_mixed_content_checking || block_all_mixed_content; | |
178 | |
179 blink::WebMixedContentContextType mixed_context_type = | |
180 handle_impl->mixed_content_context_type(); | |
181 | |
182 if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) | |
183 mixed_context_type = blink::WebMixedContentContextType::OptionallyBlockable; | |
184 | |
185 bool allowed = false; | |
186 RenderFrameHostDelegate* frame_host_delegate = | |
187 node->current_frame_host()->delegate(); | |
188 switch (mixed_context_type) { | |
189 case blink::WebMixedContentContextType::OptionallyBlockable: | |
190 allowed = !strict_mode; | |
191 if (allowed) { | |
192 frame_host_delegate->PassiveInsecureContentFound(handle_impl->GetURL()); | |
193 frame_host_delegate->DidDisplayInsecureContent(); | |
194 } | |
195 break; | |
196 | |
197 case blink::WebMixedContentContextType::Blockable: { | |
198 // Note: from the renderer side implementation it seems like we don't need | |
199 // to care about reporting | |
200 // blink::UseCounter::BlockableMixedContentInSubframeBlocked because it is | |
201 // only triggered for sub-resources which are not checked for in the | |
202 // browser. | |
203 bool should_ask_delegate = | |
204 !strict_mode && (!prefs.strictly_block_blockable_mixed_content || | |
205 prefs.allow_running_insecure_content); | |
206 allowed = | |
207 should_ask_delegate && | |
208 frame_host_delegate->ShouldAllowRunningInsecureContent( | |
209 handle_impl->GetWebContents(), | |
210 prefs.allow_running_insecure_content, | |
211 mixed_content_node->current_origin(), handle_impl->GetURL()); | |
212 if (allowed) { | |
213 const GURL& origin_url = mixed_content_node->current_origin().GetURL(); | |
214 frame_host_delegate->DidRunInsecureContent(origin_url, | |
215 handle_impl->GetURL()); | |
216 GetContentClient()->browser()->RecordURLMetric( | |
217 "ContentSettings.MixedScript.RanMixedScript", origin_url); | |
218 mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE_ALLOWED); | |
219 } | |
220 break; | |
221 } | |
222 | |
223 case blink::WebMixedContentContextType::ShouldBeBlockable: | |
224 allowed = !strict_mode; | |
225 if (allowed) | |
226 frame_host_delegate->DidDisplayInsecureContent(); | |
227 break; | |
228 | |
229 case blink::WebMixedContentContextType::NotMixedContent: | |
230 NOTREACHED(); | |
231 break; | |
232 }; | |
233 | |
234 UpdateRendererOnMixedContentFound( | |
235 handle_impl, mixed_content_node->current_url(), allowed, for_redirect); | |
236 MaybeSendBlinkFeatureUsageReport(); | |
237 | |
238 return !allowed; | |
239 } | |
240 | |
241 // This method mirrors MixedContentChecker::inWhichFrameIsContentMixed but is | |
242 // implemented in a different form that seems more appropriate here. | |
243 FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( | |
244 FrameTreeNode* node, | |
245 const GURL& url) { | |
246 // Main frame navigations cannot be mixed content. | |
247 // TODO(carlosk): except for form submissions which might be supported in the | |
248 // future. | |
249 if (node->IsMainFrame()) | |
250 return nullptr; | |
251 | |
252 // There's no mixed content if any of these are true: | |
253 // - The navigated URL is potentially secure. | |
254 // - Neither the root nor parent frames have secure origins. | |
255 // This next section diverges in how the Blink version is implemented but | |
256 // should get to the same results. Especially where isMixedContent calls | |
257 // exist, here they are partially fulfilled here and partially replaced by | |
258 // DoesOriginSchemeRestrictsMixedContent. | |
259 FrameTreeNode* mixed_content_node = nullptr; | |
260 FrameTreeNode* root = node->frame_tree()->root(); | |
261 FrameTreeNode* parent = node->parent(); | |
262 if (!IsUrlPotentiallySecure(url)) { | |
263 // TODO(carlosk): we might need to check more than just the immediate parent | |
264 // and the root. See https://crbug.com/623486. | |
265 | |
266 // Checks if the root and then the immediate parent frames' origins are | |
267 // secure. | |
268 if (DoesOriginSchemeRestrictsMixedContent(root->current_origin())) | |
269 mixed_content_node = root; | |
270 else if (DoesOriginSchemeRestrictsMixedContent(parent->current_origin())) | |
271 mixed_content_node = parent; | |
272 } | |
273 | |
274 // Note: The code below should behave the same way as the two calls to | |
275 // measureStricterVersionOfIsMixedContent from inside | |
276 // MixedContentChecker::inWhichFrameIs. | |
277 if (mixed_content_node) { | |
278 // We're currently only checking for mixed content in `https://*` contexts. | |
279 // What about other "secure" contexts the SchemeRegistry knows about? We'll | |
280 // use this method to measure the occurrence of non-webby mixed content to | |
281 // make sure we're not breaking the world without realizing it. | |
282 if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) { | |
283 mixed_content_features_.insert( | |
284 MIXED_CONTENT_IN_NON_HTTPS_FRAME_THAT_RESTRICTS_MIXED_CONTENT); | |
285 } | |
286 } else if (!IsOriginSecure(url) && | |
287 (IsSecureScheme(root->current_origin().scheme()) || | |
288 IsSecureScheme(parent->current_origin().scheme()))) { | |
289 mixed_content_features_.insert( | |
290 MIXED_CONTENT_IN_SECURE_FRAME_THAT_DOES_NOT_RESTRICT_MIXED_CONTENT); | |
291 } | |
292 return mixed_content_node; | |
293 } | |
294 | |
295 void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() { | |
296 if (!mixed_content_features_.empty()) { | |
297 NavigationHandleImpl* handle_impl = | |
298 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
299 RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); | |
300 rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(), | |
301 mixed_content_features_)); | |
302 mixed_content_features_.clear(); | |
303 } | |
304 } | |
305 | |
306 // Based off of MixedContentChecker::count. | |
307 void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures( | |
308 RequestContextType request_context_type, | |
309 blink::WebMixedContentContextType mixed_content_context_type, | |
310 const WebPreferences& prefs) { | |
311 mixed_content_features_.insert(MIXED_CONTENT_PRESENT); | |
312 | |
313 // Report any blockable content. | |
314 if (mixed_content_context_type == | |
315 blink::WebMixedContentContextType::Blockable) { | |
316 mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE); | |
317 return; | |
318 } | |
319 | |
320 // Note: as there's no mixed content checks for sub-resources on the browser | |
321 // side there should only be a subset of RequestContextType values that could | |
322 // ever be found here. | |
323 UseCounterFeature feature; | |
324 switch (request_context_type) { | |
325 case REQUEST_CONTEXT_TYPE_INTERNAL: | |
326 feature = MIXED_CONTENT_INTERNAL; | |
327 break; | |
328 case REQUEST_CONTEXT_TYPE_PREFETCH: | |
329 feature = MIXED_CONTENT_PREFETCH; | |
330 break; | |
331 | |
332 case REQUEST_CONTEXT_TYPE_AUDIO: | |
333 case REQUEST_CONTEXT_TYPE_DOWNLOAD: | |
334 case REQUEST_CONTEXT_TYPE_FAVICON: | |
335 case REQUEST_CONTEXT_TYPE_IMAGE: | |
336 case REQUEST_CONTEXT_TYPE_PLUGIN: | |
337 case REQUEST_CONTEXT_TYPE_VIDEO: | |
338 default: | |
339 NOTREACHED() << "RequestContextType has value " << request_context_type | |
340 << " and has WebMixedContentContextType of " | |
341 << static_cast<int>(mixed_content_context_type); | |
342 return; | |
343 } | |
344 mixed_content_features_.insert(feature); | |
345 } | |
346 | |
347 // static | |
348 bool MixedContentNavigationThrottle::IsMixedContentForTesting( | |
349 const GURL& origin_url, | |
350 const GURL& url) { | |
351 const url::Origin origin(origin_url); | |
352 return !IsUrlPotentiallySecure(url) && | |
353 DoesOriginSchemeRestrictsMixedContent(origin); | |
354 } | |
355 | |
356 } // namespace content | |
OLD | NEW |