OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/browser/frame_host/mixed_content_navigation_throttle.h" |
| 6 |
| 7 #include "base/memory/ptr_util.h" |
| 8 #include "base/stl_util.h" |
| 9 #include "content/browser/frame_host/frame_tree.h" |
| 10 #include "content/browser/frame_host/frame_tree_node.h" |
| 11 #include "content/browser/frame_host/navigation_handle_impl.h" |
| 12 #include "content/browser/frame_host/render_frame_host_delegate.h" |
| 13 #include "content/browser/renderer_host/render_view_host_impl.h" |
| 14 #include "content/common/frame_messages.h" |
| 15 #include "content/public/browser/content_browser_client.h" |
| 16 #include "content/public/browser/render_frame_host.h" |
| 17 #include "content/public/common/browser_side_navigation_policy.h" |
| 18 #include "content/public/common/content_client.h" |
| 19 #include "content/public/common/origin_util.h" |
| 20 #include "content/public/common/web_preferences.h" |
| 21 #include "net/base/url_util.h" |
| 22 #include "url/gurl.h" |
| 23 #include "url/origin.h" |
| 24 #include "url/url_constants.h" |
| 25 #include "url/url_util.h" |
| 26 |
| 27 namespace { |
| 28 |
| 29 using namespace content; |
| 30 |
| 31 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. |
| 32 bool IsSecureScheme(const std::string& scheme) { |
| 33 return base::ContainsValue(url::GetSecureSchemes(), scheme); |
| 34 } |
| 35 |
| 36 // Should return the same value as SecurityOrigin::isLocal and |
| 37 // SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled. |
| 38 bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) { |
| 39 return base::ContainsValue(url::GetCORSEnabledSchemes(), url.scheme()); |
| 40 } |
| 41 |
| 42 // Should return the same value as SecurityOrigin::isSecure. |
| 43 // TODO(carlosk): secure origin checks don't match between content and Blink |
| 44 // hence this implementation here instead of a direct call to IsOriginSecure (in |
| 45 // origin_util.cc). See https://crbug.com/629059. |
| 46 bool IsOriginSecure(const GURL& url) { |
| 47 if (IsSecureScheme(url.scheme())) |
| 48 return true; |
| 49 |
| 50 if (url.SchemeIsFileSystem() || url.SchemeIsBlob()) { |
| 51 // Should use inner URL. |
| 52 url::Origin origin(url); |
| 53 if (IsSecureScheme(origin.scheme())) |
| 54 return true; |
| 55 } |
| 56 |
| 57 return IsOriginWhiteListedTrustworthy(url::Origin(url)); |
| 58 } |
| 59 |
| 60 // Should return the same value as the resource URL checks assigned to |
| 61 // |isAllowed| made inside MixedContentChecker::isMixedContent. |
| 62 bool IsUrlPotentiallySecure(const GURL& url) { |
| 63 // blob: and filesystem: URLs never hit the network, and access is restricted |
| 64 // to same-origin contexts, so they are not blocked. |
| 65 bool is_secure = |
| 66 url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme) || |
| 67 IsOriginSecure(url) || IsPotentiallyTrustworthyOrigin(url::Origin(url)); |
| 68 |
| 69 // TODO(mkwst): Remove this once the following draft is implemented: |
| 70 // https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-03. See: |
| 71 // https://crbug.com/691930. |
| 72 if (is_secure && url.SchemeIs(url::kHttpScheme) && |
| 73 net::IsLocalHostname(url.HostNoBrackets(), nullptr)) { |
| 74 is_secure = false; |
| 75 } |
| 76 |
| 77 return is_secure; |
| 78 } |
| 79 |
| 80 // This method should return the same results as |
| 81 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. |
| 82 bool DoesOriginSchemeRestrictMixedContent(const url::Origin& origin) { |
| 83 return origin.scheme() == url::kHttpsScheme; |
| 84 } |
| 85 |
| 86 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* navigation_handle, |
| 87 const GURL& mixed_content_url, |
| 88 bool was_allowed, |
| 89 bool for_redirect) { |
| 90 // TODO(carlosk): the root node should never be considered as being/having |
| 91 // mixed content for now. Once/if the browser should also check form submits |
| 92 // for mixed content than this will be allowed to happen and this DCHECK |
| 93 // should be updated. |
| 94 DCHECK(navigation_handle->frame_tree_node()->parent()); |
| 95 RenderFrameHost* rfh = |
| 96 navigation_handle->frame_tree_node()->current_frame_host(); |
| 97 rfh->Send(new FrameMsg_MixedContentFound( |
| 98 rfh->GetRoutingID(), mixed_content_url, navigation_handle->GetURL(), |
| 99 navigation_handle->request_context_type(), was_allowed, for_redirect)); |
| 100 } |
| 101 |
| 102 } // namespace |
| 103 |
| 104 namespace content { |
| 105 |
| 106 // static |
| 107 std::unique_ptr<NavigationThrottle> |
| 108 MixedContentNavigationThrottle::CreateThrottleForNavigation( |
| 109 NavigationHandle* navigation_handle) { |
| 110 if (IsBrowserSideNavigationEnabled()) |
| 111 return base::WrapUnique( |
| 112 new MixedContentNavigationThrottle(navigation_handle)); |
| 113 return nullptr; |
| 114 } |
| 115 |
| 116 MixedContentNavigationThrottle::MixedContentNavigationThrottle( |
| 117 NavigationHandle* navigation_handle) |
| 118 : NavigationThrottle(navigation_handle) { |
| 119 DCHECK(IsBrowserSideNavigationEnabled()); |
| 120 } |
| 121 |
| 122 MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {} |
| 123 |
| 124 ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() { |
| 125 bool should_block = ShouldBlockNavigation(false); |
| 126 return should_block ? ThrottleCheckResult::CANCEL |
| 127 : ThrottleCheckResult::PROCEED; |
| 128 } |
| 129 |
| 130 ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() { |
| 131 // Upon redirects the same checks are to be executed as for requests. |
| 132 bool should_block = ShouldBlockNavigation(true); |
| 133 return should_block ? ThrottleCheckResult::CANCEL |
| 134 : ThrottleCheckResult::PROCEED; |
| 135 } |
| 136 |
| 137 ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() { |
| 138 // TODO(carlosk): At this point we are about to process the request response. |
| 139 // So if we ever need to, here/now it is a good moment to check for the final |
| 140 // attained security level of the connection. For instance, does it use an |
| 141 // outdated protocol? The implementation should be based off |
| 142 // MixedContentChecker::handleCertificateError. See https://crbug.com/576270. |
| 143 return ThrottleCheckResult::PROCEED; |
| 144 } |
| 145 |
| 146 // Based off of MixedContentChecker::shouldBlockFetch. |
| 147 bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) { |
| 148 NavigationHandleImpl* handle_impl = |
| 149 static_cast<NavigationHandleImpl*>(navigation_handle()); |
| 150 FrameTreeNode* node = handle_impl->frame_tree_node(); |
| 151 |
| 152 // Find the parent node where mixed content is characterized, if any. |
| 153 FrameTreeNode* mixed_content_node = |
| 154 InWhichFrameIsContentMixed(node, handle_impl->GetURL()); |
| 155 if (!mixed_content_node) { |
| 156 MaybeSendBlinkFeatureUsageReport(); |
| 157 return false; |
| 158 } |
| 159 |
| 160 // From this point on we know this is not a main frame navigation and that |
| 161 // there is mixed content. Now let's decide if it's OK to proceed with it. |
| 162 const WebPreferences& prefs = mixed_content_node->current_frame_host() |
| 163 ->render_view_host() |
| 164 ->GetWebkitPreferences(); |
| 165 |
| 166 ReportBasicMixedContentFeatures(handle_impl->request_context_type(), |
| 167 handle_impl->mixed_content_context_type(), |
| 168 prefs); |
| 169 |
| 170 // If we're in strict mode, we'll automagically fail everything, and |
| 171 // intentionally skip the client/embedder checks in order to prevent degrading |
| 172 // the site's security UI. |
| 173 bool block_all_mixed_content = !!( |
| 174 mixed_content_node->current_replication_state().insecure_request_policy & |
| 175 blink::kBlockAllMixedContent); |
| 176 bool strict_mode = |
| 177 prefs.strict_mixed_content_checking || block_all_mixed_content; |
| 178 |
| 179 blink::WebMixedContentContextType mixed_context_type = |
| 180 handle_impl->mixed_content_context_type(); |
| 181 |
| 182 if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) |
| 183 mixed_context_type = blink::WebMixedContentContextType::OptionallyBlockable; |
| 184 |
| 185 bool allowed = false; |
| 186 RenderFrameHostDelegate* frame_host_delegate = |
| 187 node->current_frame_host()->delegate(); |
| 188 switch (mixed_context_type) { |
| 189 case blink::WebMixedContentContextType::OptionallyBlockable: |
| 190 allowed = !strict_mode; |
| 191 if (allowed) { |
| 192 frame_host_delegate->PassiveInsecureContentFound(handle_impl->GetURL()); |
| 193 frame_host_delegate->DidDisplayInsecureContent(); |
| 194 } |
| 195 break; |
| 196 |
| 197 case blink::WebMixedContentContextType::Blockable: { |
| 198 // Note: from the renderer side implementation it seems like we don't need |
| 199 // to care about reporting |
| 200 // blink::UseCounter::BlockableMixedContentInSubframeBlocked because it is |
| 201 // only triggered for sub-resources which are not checked for in the |
| 202 // browser. |
| 203 bool should_ask_delegate = |
| 204 !strict_mode && (!prefs.strictly_block_blockable_mixed_content || |
| 205 prefs.allow_running_insecure_content); |
| 206 allowed = |
| 207 should_ask_delegate && |
| 208 frame_host_delegate->ShouldAllowRunningInsecureContent( |
| 209 handle_impl->GetWebContents(), |
| 210 prefs.allow_running_insecure_content, |
| 211 mixed_content_node->current_origin(), handle_impl->GetURL()); |
| 212 if (allowed) { |
| 213 const GURL& origin_url = mixed_content_node->current_origin().GetURL(); |
| 214 frame_host_delegate->DidRunInsecureContent(origin_url, |
| 215 handle_impl->GetURL()); |
| 216 GetContentClient()->browser()->RecordURLMetric( |
| 217 "ContentSettings.MixedScript.RanMixedScript", origin_url); |
| 218 mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE_ALLOWED); |
| 219 } |
| 220 break; |
| 221 } |
| 222 |
| 223 case blink::WebMixedContentContextType::ShouldBeBlockable: |
| 224 allowed = !strict_mode; |
| 225 if (allowed) |
| 226 frame_host_delegate->DidDisplayInsecureContent(); |
| 227 break; |
| 228 |
| 229 case blink::WebMixedContentContextType::NotMixedContent: |
| 230 NOTREACHED(); |
| 231 break; |
| 232 }; |
| 233 |
| 234 UpdateRendererOnMixedContentFound( |
| 235 handle_impl, mixed_content_node->current_url(), allowed, for_redirect); |
| 236 MaybeSendBlinkFeatureUsageReport(); |
| 237 |
| 238 return !allowed; |
| 239 } |
| 240 |
| 241 // This method mirrors MixedContentChecker::inWhichFrameIsContentMixed but is |
| 242 // implemented in a different form that seems more appropriate here. |
| 243 FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( |
| 244 FrameTreeNode* node, |
| 245 const GURL& url) { |
| 246 // Main frame navigations cannot be mixed content. |
| 247 // TODO(carlosk): except for form submissions which might be supported in the |
| 248 // future. |
| 249 if (node->IsMainFrame()) |
| 250 return nullptr; |
| 251 |
| 252 // There's no mixed content if any of these are true: |
| 253 // - The navigated URL is potentially secure. |
| 254 // - Neither the root nor parent frames have secure origins. |
| 255 // This next section diverges in how the Blink version is implemented but |
| 256 // should get to the same results. Especially where isMixedContent calls |
| 257 // exist, here they are partially fulfilled here and partially replaced by |
| 258 // DoesOriginSchemeRestrictMixedContent. |
| 259 FrameTreeNode* mixed_content_node = nullptr; |
| 260 FrameTreeNode* root = node->frame_tree()->root(); |
| 261 FrameTreeNode* parent = node->parent(); |
| 262 if (!IsUrlPotentiallySecure(url)) { |
| 263 // TODO(carlosk): we might need to check more than just the immediate parent |
| 264 // and the root. See https://crbug.com/623486. |
| 265 |
| 266 // Checks if the root and then the immediate parent frames' origins are |
| 267 // secure. |
| 268 if (DoesOriginSchemeRestrictMixedContent(root->current_origin())) |
| 269 mixed_content_node = root; |
| 270 else if (DoesOriginSchemeRestrictMixedContent(parent->current_origin())) |
| 271 mixed_content_node = parent; |
| 272 } |
| 273 |
| 274 // Note: The code below should behave the same way as the two calls to |
| 275 // measureStricterVersionOfIsMixedContent from inside |
| 276 // MixedContentChecker::inWhichFrameIs. |
| 277 if (mixed_content_node) { |
| 278 // We're currently only checking for mixed content in `https://*` contexts. |
| 279 // What about other "secure" contexts the SchemeRegistry knows about? We'll |
| 280 // use this method to measure the occurrence of non-webby mixed content to |
| 281 // make sure we're not breaking the world without realizing it. |
| 282 if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) { |
| 283 mixed_content_features_.insert( |
| 284 MIXED_CONTENT_IN_NON_HTTPS_FRAME_THAT_RESTRICTS_MIXED_CONTENT); |
| 285 } |
| 286 } else if (!IsOriginSecure(url) && |
| 287 (IsSecureScheme(root->current_origin().scheme()) || |
| 288 IsSecureScheme(parent->current_origin().scheme()))) { |
| 289 mixed_content_features_.insert( |
| 290 MIXED_CONTENT_IN_SECURE_FRAME_THAT_DOES_NOT_RESTRICT_MIXED_CONTENT); |
| 291 } |
| 292 return mixed_content_node; |
| 293 } |
| 294 |
| 295 void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() { |
| 296 if (!mixed_content_features_.empty()) { |
| 297 NavigationHandleImpl* handle_impl = |
| 298 static_cast<NavigationHandleImpl*>(navigation_handle()); |
| 299 RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); |
| 300 rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(), |
| 301 mixed_content_features_)); |
| 302 mixed_content_features_.clear(); |
| 303 } |
| 304 } |
| 305 |
| 306 // Based off of MixedContentChecker::count. |
| 307 void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures( |
| 308 RequestContextType request_context_type, |
| 309 blink::WebMixedContentContextType mixed_content_context_type, |
| 310 const WebPreferences& prefs) { |
| 311 mixed_content_features_.insert(MIXED_CONTENT_PRESENT); |
| 312 |
| 313 // Report any blockable content. |
| 314 if (mixed_content_context_type == |
| 315 blink::WebMixedContentContextType::Blockable) { |
| 316 mixed_content_features_.insert(MIXED_CONTENT_BLOCKABLE); |
| 317 return; |
| 318 } |
| 319 |
| 320 // Note: as there's no mixed content checks for sub-resources on the browser |
| 321 // side there should only be a subset of RequestContextType values that could |
| 322 // ever be found here. |
| 323 UseCounterFeature feature; |
| 324 switch (request_context_type) { |
| 325 case REQUEST_CONTEXT_TYPE_INTERNAL: |
| 326 feature = MIXED_CONTENT_INTERNAL; |
| 327 break; |
| 328 case REQUEST_CONTEXT_TYPE_PREFETCH: |
| 329 feature = MIXED_CONTENT_PREFETCH; |
| 330 break; |
| 331 |
| 332 case REQUEST_CONTEXT_TYPE_AUDIO: |
| 333 case REQUEST_CONTEXT_TYPE_DOWNLOAD: |
| 334 case REQUEST_CONTEXT_TYPE_FAVICON: |
| 335 case REQUEST_CONTEXT_TYPE_IMAGE: |
| 336 case REQUEST_CONTEXT_TYPE_PLUGIN: |
| 337 case REQUEST_CONTEXT_TYPE_VIDEO: |
| 338 default: |
| 339 NOTREACHED() << "RequestContextType has value " << request_context_type |
| 340 << " and has WebMixedContentContextType of " |
| 341 << static_cast<int>(mixed_content_context_type); |
| 342 return; |
| 343 } |
| 344 mixed_content_features_.insert(feature); |
| 345 } |
| 346 |
| 347 // static |
| 348 bool MixedContentNavigationThrottle::IsMixedContentForTesting( |
| 349 const GURL& origin_url, |
| 350 const GURL& url) { |
| 351 const url::Origin origin(origin_url); |
| 352 return !IsUrlPotentiallySecure(url) && |
| 353 DoesOriginSchemeRestrictMixedContent(origin); |
| 354 } |
| 355 |
| 356 } // namespace content |
OLD | NEW |