OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
136 NOTREACHED(); | 136 NOTREACHED(); |
137 return "resource"; | 137 return "resource"; |
138 } | 138 } |
139 | 139 |
140 } // namespace | 140 } // namespace |
141 | 141 |
142 static void measureStricterVersionOfIsMixedContent(Frame* frame, | 142 static void measureStricterVersionOfIsMixedContent(Frame* frame, |
143 const KURL& url) { | 143 const KURL& url) { |
144 // We're currently only checking for mixed content in `https://*` contexts. | 144 // We're currently only checking for mixed content in `https://*` contexts. |
145 // What about other "secure" contexts the SchemeRegistry knows about? We'll | 145 // What about other "secure" contexts the SchemeRegistry knows about? We'll |
146 // use this method to measure the occurance of non-webby mixed content to make | 146 // use this method to measure the occurrence of non-webby mixed content to |
147 // sure we're not breaking the world without realizing it. | 147 // make sure we're not breaking the world without realizing it. |
148 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); | 148 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); |
149 if (MixedContentChecker::isMixedContent(origin, url)) { | 149 if (MixedContentChecker::isMixedContent(origin, url)) { |
150 if (origin->protocol() != "https") { | 150 if (origin->protocol() != "https") { |
151 UseCounter::count( | 151 UseCounter::count( |
152 frame, | 152 frame, |
153 UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent); | 153 UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent); |
154 } | 154 } |
155 } else if (!SecurityOrigin::isSecure(url) && | 155 } else if (!SecurityOrigin::isSecure(url) && |
156 SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) { | 156 SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) { |
157 UseCounter::count( | 157 UseCounter::count( |
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
287 } | 287 } |
288 | 288 |
289 // static | 289 // static |
290 bool MixedContentChecker::shouldBlockFetch( | 290 bool MixedContentChecker::shouldBlockFetch( |
291 LocalFrame* frame, | 291 LocalFrame* frame, |
292 WebURLRequest::RequestContext requestContext, | 292 WebURLRequest::RequestContext requestContext, |
293 WebURLRequest::FrameType frameType, | 293 WebURLRequest::FrameType frameType, |
294 ResourceRequest::RedirectStatus redirectStatus, | 294 ResourceRequest::RedirectStatus redirectStatus, |
295 const KURL& url, | 295 const KURL& url, |
296 MixedContentChecker::ReportingStatus reportingStatus) { | 296 MixedContentChecker::ReportingStatus reportingStatus) { |
| 297 // Frame-level loads are checked by the browser if PlzNavigate is enabled. No |
| 298 // need to check them again here. |
| 299 if (frame->settings()->getBrowserSideNavigationEnabled() && |
| 300 frameType != WebURLRequest::FrameTypeNone) { |
| 301 return false; |
| 302 } |
| 303 |
297 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); | 304 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); |
298 Frame* mixedFrame = | 305 Frame* mixedFrame = |
299 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); | 306 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); |
300 if (!mixedFrame) | 307 if (!mixedFrame) |
301 return false; | 308 return false; |
302 | 309 |
303 MixedContentChecker::count(mixedFrame, requestContext); | 310 MixedContentChecker::count(mixedFrame, requestContext); |
304 if (ContentSecurityPolicy* policy = | 311 if (ContentSecurityPolicy* policy = |
305 frame->securityContext()->contentSecurityPolicy()) | 312 frame->securityContext()->contentSecurityPolicy()) |
306 policy->reportMixedContent(url, redirectStatus); | 313 policy->reportMixedContent(url, redirectStatus); |
(...skipping 249 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
556 if (contextType == WebMixedContentContextType::Blockable) { | 563 if (contextType == WebMixedContentContextType::Blockable) { |
557 client->didRunContentWithCertificateErrors(response.url()); | 564 client->didRunContentWithCertificateErrors(response.url()); |
558 } else { | 565 } else { |
559 // contextTypeFromRequestContext() never returns NotMixedContent (it | 566 // contextTypeFromRequestContext() never returns NotMixedContent (it |
560 // computes the type of mixed content, given that the content is mixed). | 567 // computes the type of mixed content, given that the content is mixed). |
561 DCHECK_NE(contextType, WebMixedContentContextType::NotMixedContent); | 568 DCHECK_NE(contextType, WebMixedContentContextType::NotMixedContent); |
562 client->didDisplayContentWithCertificateErrors(response.url()); | 569 client->didDisplayContentWithCertificateErrors(response.url()); |
563 } | 570 } |
564 } | 571 } |
565 | 572 |
| 573 // static |
| 574 void MixedContentChecker::mixedContentFound( |
| 575 LocalFrame* frame, |
| 576 const KURL& mainResourceUrl, |
| 577 const KURL& mixedContentUrl, |
| 578 WebURLRequest::RequestContext requestContext, |
| 579 bool wasAllowed, |
| 580 bool hadRedirect) { |
| 581 // Logs to the frame console. |
| 582 logToConsoleAboutFetch(frame, mainResourceUrl, mixedContentUrl, |
| 583 requestContext, wasAllowed); |
| 584 // Reports to the CSP policy. |
| 585 ContentSecurityPolicy* policy = |
| 586 frame->securityContext()->contentSecurityPolicy(); |
| 587 if (policy) { |
| 588 policy->reportMixedContent( |
| 589 mixedContentUrl, hadRedirect |
| 590 ? ResourceRequest::RedirectStatus::FollowedRedirect |
| 591 : ResourceRequest::RedirectStatus::NoRedirect); |
| 592 } |
| 593 } |
| 594 |
566 WebMixedContentContextType MixedContentChecker::contextTypeForInspector( | 595 WebMixedContentContextType MixedContentChecker::contextTypeForInspector( |
567 LocalFrame* frame, | 596 LocalFrame* frame, |
568 const ResourceRequest& request) { | 597 const ResourceRequest& request) { |
569 Frame* effectiveFrame = | 598 Frame* effectiveFrame = |
570 effectiveFrameForFrameType(frame, request.frameType()); | 599 effectiveFrameForFrameType(frame, request.frameType()); |
571 | 600 |
572 Frame* mixedFrame = inWhichFrameIsContentMixed( | 601 Frame* mixedFrame = inWhichFrameIsContentMixed( |
573 effectiveFrame, request.frameType(), request.url()); | 602 effectiveFrame, request.frameType(), request.url()); |
574 if (!mixedFrame) | 603 if (!mixedFrame) |
575 return WebMixedContentContextType::NotMixedContent; | 604 return WebMixedContentContextType::NotMixedContent; |
576 | 605 |
577 // See comment in shouldBlockFetch() about loading the main resource of a | 606 // See comment in shouldBlockFetch() about loading the main resource of a |
578 // subframe. | 607 // subframe. |
579 if (request.frameType() == WebURLRequest::FrameTypeNested && | 608 if (request.frameType() == WebURLRequest::FrameTypeNested && |
580 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( | 609 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( |
581 request.url().protocol())) { | 610 request.url().protocol())) { |
582 return WebMixedContentContextType::OptionallyBlockable; | 611 return WebMixedContentContextType::OptionallyBlockable; |
583 } | 612 } |
584 | 613 |
585 bool strictMixedContentCheckingForPlugin = | 614 bool strictMixedContentCheckingForPlugin = |
586 mixedFrame->settings() && | 615 mixedFrame->settings() && |
587 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); | 616 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); |
588 return WebMixedContent::contextTypeFromRequestContext( | 617 return WebMixedContent::contextTypeFromRequestContext( |
589 request.requestContext(), strictMixedContentCheckingForPlugin); | 618 request.requestContext(), strictMixedContentCheckingForPlugin); |
590 } | 619 } |
591 | 620 |
592 } // namespace blink | 621 } // namespace blink |
OLD | NEW |