PlzNavigate: Move navigation-level mixed content checks to the browser.

content/browser/frame_host/mixed_content_navigation_throttle.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/frame_host/mixed_content_navigation_throttle.h"
+
+#include "base/strings/stringprintf.h"
+#include "content/browser/frame_host/frame_tree.h"
+#include "content/browser/frame_host/frame_tree_node.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/render_frame_host_delegate.h"
+#include "content/browser/renderer_host/render_view_host_impl.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/origin_util.h"
+#include "content/public/common/request_context_type.h"
+#include "content/public/common/url_constants.h"
+#include "content/public/common/web_preferences.h"
+#include "net/base/url_util.h"
+#include "third_party/WebKit/public/platform/WebMixedContent.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+#include "url/url_constants.h"
+
+namespace {
+
+using namespace content;
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+bool HasPotentiallySecureScheme(const GURL& url) {
+  // TODO(carlosk): find out how to properly handle these secure schemes. Should
+  // statically defined ones in Chrome/embedder come from a shared file? Should
+  // dynamically defined ones from extensions register both with browser and
+  // renderer code? See http://crbug.com/627502.
+  bool result =
+      // Note: schemes statically defined in secureSchemes()
+      url.SchemeIs(url::kHttpsScheme) || url.SchemeIs(url::kAboutScheme) ||
+      url.SchemeIs(url::kDataScheme) || url.SchemeIs(url::kWssScheme) ||
+      // Note: schemes "dynamically" registered with
+      // SchemeRegistry::registerURLSchemeAsSecure.
+      url.SchemeIs(kChromeUIScheme);
+  return result;
+}
+
+// Should return the same value as SecurityOrigin::isLocal and
+// SchemeRegistry::shouldTreatURLSchemeAsLocal.
+bool HasLocalScheme(const GURL& url) {
+  // TODO(carlosk): Same registration problem as described in
+  // HasPotentiallySecureScheme applies here. See http://crbug.com/627502.
+  bool result =
+      // Note: schemes statically defined in schemesWithUniqueOrigins()
+      url.SchemeIs(url::kAboutScheme) || url.SchemeIs(url::kJavaScriptScheme) ||
+      url.SchemeIs(url::kDataScheme) ||
+      // Note: schemes "dynamically" registered with
+      // SchemeRegistry::registerURLSchemeAsNoAccess. There's no content/
+      // re-definition of kChromeNativeScheme.
+      url.SchemeIs("chrome-native");

[carlosk, 2016/07/18 14:37:13]

This is the kind of hack I'm referring to in my comment here:
https://bugs.chromium.org/p/chromium/issues/detail?id=627502#c1 . Is this
LGTM-able?

+  return result;
+}
+
+// Should return the same value as the resource URL checks made inside
+// MixedContentChecker::isMixedContent.
+bool IsUrlPotentiallySecure(const GURL& url) {
+  // TODO(carlosk): secure origin checks don't match between content and Blink
+  // hence this implementation here instead of a direct call to IsOriginSecure
+  // (in origin_util.cc). See http://crbug.com/629059.
+  bool is_secure = false;
+
+  // Mimics SecurityOrigin::isSecure.
+  if (HasPotentiallySecureScheme(url) ||
+      (url.SchemeIsFileSystem() &&
+       HasPotentiallySecureScheme(*url.inner_url())) ||
+      (url.SchemeIsBlob() &&
+       HasPotentiallySecureScheme(GURL(url.GetContent()))) ||
+      IsOriginWhiteListedTrustworthy(url)) {
+    is_secure |= true;
+  }
+
+  // Mimics SecurityOrigin::isPotentiallyTrustworthy without duplicating (much)
+  // of the checks already done previously.
+  if (HasLocalScheme(url) || net::IsLocalhost(url.HostNoBrackets()))
+    is_secure |= true;
+
+  // TODO(mkwst): Remove this once 'localhost' is no longer considered
+  // potentially trustworthy.
+  if (is_secure && url.SchemeIs(url::kHttpScheme) &&
+      net::IsLocalHostname(url.HostNoBrackets(), nullptr)) {
+    is_secure = false;
+  }
+
+  return is_secure;
+}
+
+// This method should return the same results as
+// SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent.
+bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) {
+  return origin.scheme() == url::kHttpsScheme;
+}
+
+bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) {
+  // TODO(carlosk): for CORS schemes we have the exact same issue as for the
+  // secure schemes above. See callers to and references in
+  // WebSecurityPolicy::registerURLSchemeAsCORSEnabled. See
+  // http://crbug.com/627502.
+  return
+      // Note: CORS schemes statically defined in CORSEnabledSchemes()
+      url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme) ||
+      // Note: CORS schemes "dynamically" registered in
+      // RenderThreadImpl::RegisterSchemes.
+      url.SchemeIs(kChromeUIScheme);
+}
+
+const char* TypeNameFromContext(RequestContextType context) {
+  // Note: the static_cast below is guaranteed by the static asserts in
+  // content/child/web_url_request_util.cc.
+  return blink::WebMixedContent::requestContextName(
+      static_cast<blink::WebURLRequest::RequestContext>(context));
+}
+
+blink::WebMixedContent::ContextType MixedContextTypeFromContext(
+    RequestContextType context,
+    bool block_mixed_plugin_content) {
+  // Note: the static_cast below is guaranteed by the static asserts in
+  // content/child/web_url_request_util.cc.
+  return blink::WebMixedContent::contextTypeFromRequestContext(
+      static_cast<blink::WebURLRequest::RequestContext>(context),
+      block_mixed_plugin_content);
+}
+
+void LogToConsoleAboutFetch(FrameTreeNode* mixed_content_node,
+                            NavigationHandleImpl* handle_impl,
+                            const GURL& url,
+                            bool allowed) {
+  FrameTreeNode* tree_node = handle_impl->frame_tree_node();
+  // TODO(carlosk): we should only use the very tree_node here for the form
+  // submission case. (D)CHECK for that when we get there. For now just check
+  // this is not the root node.
+  DCHECK(tree_node->parent());
+  RequestContextType request_context_type =
+      handle_impl->fetch_request_context_type();
+
+  std::string message = base::StringPrintf(
+      "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an "
+      "insecure %s '%s'. %s",
+      mixed_content_node->current_url().spec().c_str(),
+      TypeNameFromContext(request_context_type), url.spec().c_str(),
+      allowed ? "This content should also be served over HTTPS."
+              : "This request has been blocked; the content must be served "
+                "over HTTPS.");
+  ConsoleMessageLevel messageLevel =
+      allowed ? ConsoleMessageLevel::CONSOLE_MESSAGE_LEVEL_WARNING
+              : ConsoleMessageLevel::CONSOLE_MESSAGE_LEVEL_ERROR;
+  tree_node->current_frame_host()->AddMessageToConsole(messageLevel, message);
+}
+
+}  // namespace
+
+namespace content {
+
+MixedContentNavigationThrottle::MixedContentNavigationThrottle(
+    NavigationHandle* navigation_handle)
+    : NavigationThrottle(navigation_handle) {}
+
+MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() {
+  NavigationHandleImpl* handle_impl =
+      static_cast<NavigationHandleImpl*>(navigation_handle());
+  FrameTreeNode* node = handle_impl->frame_tree_node();
+
+  // Find the parent node with mixed content, if any.
+  FrameTreeNode* mixed_content_node =
+      InWhichFrameIsContentMixed(node, navigation_handle()->GetURL());
+  if (!mixed_content_node)
+    return ThrottleCheckResult::PROCEED;
+
+  // From this point on we know this is not a main frame navigation and that
+  // there is mixed-content. Now let's decide if it's OK to proceed with it.
+
+  const WebPreferences& prefs =
+      node->current_frame_host()->render_view_host()->GetWebkitPreferences();
+
+  // If we're in strict mode, we'll automagically fail everything, and
+  // intentionally skip the client/embedder checks in order to prevent degrading
+  // the site's security UI.
+  bool block_all_mixed_content = !!(
+      mixed_content_node->current_replication_state().insecure_request_policy &
+      blink::kBlockAllMixedContent);
+  bool strictMode =
+      prefs.strict_mixed_content_checking || block_all_mixed_content;
+
+  blink::WebMixedContent::ContextType mixed_context_type =
+      MixedContextTypeFromContext(handle_impl->fetch_request_context_type(),
+                                  prefs.block_mixed_plugin_content);
+
+  if (!ShouldTreatURLSchemeAsCORSEnabled(navigation_handle()->GetURL())) {
+    mixed_context_type =
+        blink::WebMixedContent::ContextType::OptionallyBlockable;
+  }
+
+  bool allowed = false;
+  ContentBrowserClient* browser_client = GetContentClient()->browser();
+  RenderFrameHostDelegate* frame_host_delegate =
+      node->current_frame_host()->delegate();
+  switch (mixed_context_type) {
+    case blink::WebMixedContent::ContextType::OptionallyBlockable:
+      allowed =
+          !strictMode &&
+          browser_client->ShouldAllowDisplayingInsecureContent(
+              prefs.allow_displaying_insecure_content,
+              navigation_handle()->GetURL(), handle_impl->GetWebContents());
+      if (allowed)
+        frame_host_delegate->DidDisplayInsecureContent();
+      break;
+
+    case blink::WebMixedContent::ContextType::Blockable: {
+      bool shouldAskEmbedder =
+          !strictMode && (!prefs.strictly_block_blockable_mixed_content ||
+                          prefs.allow_running_insecure_content);
+      allowed =
+          shouldAskEmbedder &&
+          browser_client->ShouldAllowRunningInsecureContent(
+              prefs.allow_running_insecure_content,
+              mixed_content_node->current_origin(),
+              navigation_handle()->GetURL(), handle_impl->GetWebContents());
+      if (allowed) {
+        const GURL& origin_url = mixed_content_node->current_url().GetOrigin();
+        frame_host_delegate->DidRunInsecureContent(
+            origin_url, navigation_handle()->GetURL());
+        browser_client->RecordURLMetric(
+            "ContentSettings.MixedScript.RanMixedScript", origin_url);
+      }
+      break;
+    }
+
+    case blink::WebMixedContent::ContextType::ShouldBeBlockable:
+      allowed = !strictMode;
+      if (allowed)
+        frame_host_delegate->DidDisplayInsecureContent();
+      break;
+
+    case blink::WebMixedContent::ContextType::NotMixedContent:
+      NOTREACHED();
+      break;
+  };
+
+  LogToConsoleAboutFetch(mixed_content_node, handle_impl,
+                         navigation_handle()->GetURL(), allowed);

[carlosk, 2016/07/18 14:37:13]

Following the implementation of MixedContentChecker::shouldBlockFetch this log
(aka mixed content reporting) should be suppressed for fetch requests triggered
by preload actions. The example snippet below comes from
FrameFetchContext::canRequestInternal:

MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ?
    MixedContentChecker::SuppressReport : MixedContentChecker::SendReport;

It seems the main resource loads covered here (frame navigations) never fall in
that category but I don't know it for sure. I am testing this assumption with a
DCHECK in another CL [1] but on the other hand I'm unsure on how to detect
preloads on the browser side. Any suggestions?


[1] https://codereview.chromium.org/2160583003

+
+  return allowed ? ThrottleCheckResult::PROCEED : ThrottleCheckResult::CANCEL;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() {
+  // Upon redirects the same checks are to be executed as for requests.
+  return MixedContentNavigationThrottle::WillStartRequest();
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() {
+  // TODO(carlosk): at this point we must check the final security level of
+  // the connection! Does it use an outdated protocol? See
+  // MixedContentChecker::handleCertificateError
+  return ThrottleCheckResult::PROCEED;
+}
+
+FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed(
+    FrameTreeNode* node,
+    const GURL& url) {
+  // Main frame navigations cannot be mixed content.
+  // TODO(carlosk): except for form submissions which will be dealt with later.
+  if (node->IsMainFrame())
+    return nullptr;
+
+  // If the navigated URL is potentially secure there's no mixed-content (at
+  // request time at least).
+  if (IsUrlPotentiallySecure(url))
+    return nullptr;
+
+  // TODO(carlosk): don't we need to check more than just the immediate parent
+  // and the root? Is it always the case that these two are the only sources for
+  // obtaining the "origin of the security context"? http://crbug.com/623486
+
+  // If neither the parent nor root frames' origins are secure, there is no
+  // mixed content.
+  FrameTreeNode* mixed_content_node = nullptr;
+
+  // Checks if the root or immediate parent frame's origin are secure.
+  FrameTreeNode* root = node->frame_tree()->root();
+  FrameTreeNode* parent = node->parent();
+  if (DoesOriginSchemeRestricsMixedContent(root->current_origin()))
+    mixed_content_node = root;
+  else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin()))
+    mixed_content_node = parent;
+
+  return mixed_content_node;
+}
+
+// static
+bool MixedContentNavigationThrottle::IsMixedContentForTesting(
+    const GURL& origin_url,
+    const GURL& url) {
+  const url::Origin origin(origin_url);
+  return !IsUrlPotentiallySecure(url) &&
+         DoesOriginSchemeRestricsMixedContent(origin);
+}
+
+}  // namespace content