PlzNavigate: Move navigation-level mixed content checks to the browser.

content/browser/frame_host/mixed_content_navigation_throttle.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/frame_host/mixed_content_navigation_throttle.h"
+
+#include "base/strings/stringprintf.h"
+#include "content/browser/frame_host/frame_tree.h"
+#include "content/browser/frame_host/frame_tree_node.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/render_frame_host_delegate.h"
+#include "content/browser/renderer_host/render_view_host_impl.h"
+#include "content/common/frame_messages.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/common/browser_side_navigation_policy.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/origin_util.h"
+#include "content/public/common/url_constants.h"
+#include "content/public/common/web_preferences.h"
+#include "net/base/url_util.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+#include "url/url_constants.h"
+
+namespace {
+
+using namespace content;
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+bool IsSecureScheme(const std::string& scheme) {
+  // TODO(carlosk): find out how to properly handle these secure schemes. Should
+  // statically defined ones in Chrome/embedder come from a shared file? Should
+  // dynamically defined ones from extensions register both with browser and
+  // renderer code? See https://crbug.com/627502.
+  bool result =
+      // Note: schemes statically defined in secureSchemes()
+      scheme == url::kHttpsScheme || scheme == url::kAboutScheme ||
+      scheme == url::kDataScheme || scheme == url::kWssScheme ||
+      // Note: schemes "dynamically" registered with
+      // SchemeRegistry::registerURLSchemeAsSecure.
+      scheme == kChromeUIScheme;
+  return result;
+}
+
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
+bool HasPotentiallySecureScheme(const GURL& url) {
+  return IsSecureScheme(url.scheme());
+}
+
+// Should return the same value as SecurityOrigin::isLocal and
+// SchemeRegistry::shouldTreatURLSchemeAsLocal.
+bool HasLocalScheme(const GURL& url) {
+  // TODO(carlosk): Same registration problem as described in
+  // HasPotentiallySecureScheme applies here. See https://crbug.com/627502.
+  bool result =
+      // Note: schemes statically defined in schemesWithUniqueOrigins()
+      url.SchemeIs(url::kAboutScheme) || url.SchemeIs(url::kJavaScriptScheme) ||
+      url.SchemeIs(url::kDataScheme) ||
+      // Note: schemes "dynamically" registered with
+      // SchemeRegistry::registerURLSchemeAsNoAccess. There's no content/
+      // re-definition of kChromeNativeScheme.
+      url.SchemeIs("chrome-native");
+  return result;
+}
+
+// Should return the same value as SecurityOrigin::isSecure.
+bool SecurityOriginIsSecure(const GURL& url) {
+  return HasPotentiallySecureScheme(url) ||
+         (url.SchemeIsFileSystem() && url.inner_url() &&
+          HasPotentiallySecureScheme(*url.inner_url())) ||
+         (url.SchemeIsBlob() &&
+          HasPotentiallySecureScheme(GURL(url.GetContent()))) ||
+         IsOriginWhiteListedTrustworthy(url);
+}
+
+// Should return the same value as the resource URL checks made inside
+// MixedContentChecker::isMixedContent.
+bool IsUrlPotentiallySecure(const GURL& url) {
+  // TODO(carlosk): secure origin checks don't match between content and Blink
+  // hence this implementation here instead of a direct call to IsOriginSecure
+  // (in origin_util.cc). See https://crbug.com/629059.
+
+  bool is_secure = SecurityOriginIsSecure(url);
+
+  // blob: and filesystem: URLs never hit the network, and access is restricted
+  // to same-origin contexts, so they are not blocked either.
+  if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme))
+    is_secure |= true;
+
+  // Mimics SecurityOrigin::isPotentiallyTrustworthy without duplicating (much)
+  // of the checks already done previously.
+  if (HasLocalScheme(url) || net::IsLocalhost(url.HostNoBrackets()))

[jam, 2017/01/06 21:20:13]

for clarity, it would help to split the HasLocalScheme into IsUnique() and
IsLocal()

then IsLocal() would be easy to compare to SecurityOrigin::isLocal(). When I try
to compare them I see differences, i.e.
SecurityOrigin::isLocal checks "file" (hardcoded from SchemeRegistry.cpp) while
here doesn't and also there's kContentScheme from
chrome_content_renderer_client.cc and aw_content_renderer_client.cc. 

[carlosk, 2017/01/10 02:10:44]

Done.

+    is_secure |= true;
+
+  // TODO(mkwst): Remove this once 'localhost' is no longer considered
+  // potentially trustworthy.
+  if (is_secure && url.SchemeIs(url::kHttpScheme) &&
+      net::IsLocalHostname(url.HostNoBrackets(), nullptr)) {
+    is_secure = false;
+  }
+
+  return is_secure;
+}
+
+// This method should return the same results as
+// SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent.
+bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) {
+  return origin.scheme() == url::kHttpsScheme;
+}
+
+bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) {
+  // TODO(carlosk): for CORS schemes we have the exact same issue as for the
+  // secure schemes above. See callers to and references in
+  // WebSecurityPolicy::registerURLSchemeAsCORSEnabled. See
+  // https://crbug.com/627502.
+  return
+      // Note: CORS schemes statically defined in CORSEnabledSchemes()
+      url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme) ||
+      // Note: CORS schemes "dynamically" registered in
+      // RenderThreadImpl::RegisterSchemes.

[jam, 2017/01/06 21:20:13]

nit: also mention that extensions/renderer/dispatcher.cc also adds
chrome-extension?

[carlosk, 2017/01/10 02:10:44]

Done. I reorganized all hard coded scheme code and updated comments with file
references and other information.

+      url.SchemeIs(kChromeUIScheme);
+}
+
+void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl,
+                                       const GURL& mixed_content_url,
+                                       bool was_allowed,
+                                       bool for_redirect) {
+  // TODO(carlosk): the root node should never be considered mixed content for
+  // now. Once/if the browser starts also checking form submits than this will
+  // happen and this DCHECK should be updated.
+  DCHECK(handle_impl->frame_tree_node()->parent());
+  RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
+  rfh->Send(new FrameMsg_MixedContentFoundByTheBrowser(
+      rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(),
+      handle_impl->request_context_type(), was_allowed, for_redirect));
+}
+
+}  // namespace
+
+namespace content {
+
+MixedContentNavigationThrottle::MixedContentNavigationThrottle(
+    NavigationHandle* navigation_handle)
+    : NavigationThrottle(navigation_handle) {
+  DCHECK(IsBrowserSideNavigationEnabled());
+}
+
+MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() {
+  bool should_block = ShouldBlockNavigation(false);
+  return should_block ? ThrottleCheckResult::CANCEL
+                      : ThrottleCheckResult::PROCEED;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() {
+  // Upon redirects the same checks are to be executed as for requests.
+  bool should_block = ShouldBlockNavigation(true);
+  return should_block ? ThrottleCheckResult::CANCEL
+                      : ThrottleCheckResult::PROCEED;
+}
+
+ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() {
+  // TODO(carlosk): at this point we must check the final security level of
+  // the connection! Does it use an outdated protocol? See
+  // MixedContentChecker::handleCertificateError
+  return ThrottleCheckResult::PROCEED;
+}
+
+// Based off of MixedContentChecker::shouldBlockFetch.
+bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) {
+  NavigationHandleImpl* handle_impl =
+      static_cast<NavigationHandleImpl*>(navigation_handle());
+  FrameTreeNode* node = handle_impl->frame_tree_node();
+
+  // Find the parent node with mixed content, if any.
+  FrameTreeNode* mixed_content_node =
+      InWhichFrameIsContentMixed(node, handle_impl->GetURL());
+  if (!mixed_content_node) {
+    MaybeSendBlinkFeatureUsageReport();
+    return false;
+  }
+
+  // From this point on we know this is not a main frame navigation and that
+  // there is mixed-content. Now let's decide if it's OK to proceed with it.
+
+  const WebPreferences& prefs = mixed_content_node->current_frame_host()
+                                    ->render_view_host()
+                                    ->GetWebkitPreferences();
+
+  ReportBasicMixedContentFeatures(handle_impl->request_context_type(),
+                                  handle_impl->mixed_content_context_type(),
+                                  prefs);
+
+  // If we're in strict mode, we'll automagically fail everything, and
+  // intentionally skip the client/embedder checks in order to prevent degrading
+  // the site's security UI.
+  bool block_all_mixed_content = !!(
+      mixed_content_node->current_replication_state().insecure_request_policy &
+      blink::kBlockAllMixedContent);
+  bool strictMode =
+      prefs.strict_mixed_content_checking || block_all_mixed_content;
+
+  blink::WebMixedContent::ContextType mixed_context_type =
+      handle_impl->mixed_content_context_type();
+
+  if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) {
+    mixed_context_type =
+        blink::WebMixedContent::ContextType::OptionallyBlockable;
+  }
+
+  bool allowed = false;
+  ContentBrowserClient* browser_client = GetContentClient()->browser();
+  RenderFrameHostDelegate* frame_host_delegate =
+      node->current_frame_host()->delegate();
+  switch (mixed_context_type) {
+    case blink::WebMixedContent::ContextType::OptionallyBlockable:
+      allowed = !strictMode;
+      if (allowed) {
+        browser_client->PassiveInsecureContentFound(handle_impl->GetURL());
+        frame_host_delegate->DidDisplayInsecureContent();
+      }
+      break;
+
+    case blink::WebMixedContent::ContextType::Blockable: {
+      // Note: from the renderer side implementation it doesn't seem like we
+      // need to care about the UseCounter reporting of
+      // BlockableMixedContentInSubframeBlocked because it is only triggered for
+      // sub-resources which are not handled in the browser.
+      bool shouldAskEmbedder =
+          !strictMode && (!prefs.strictly_block_blockable_mixed_content ||
+                          prefs.allow_running_insecure_content);
+      allowed = shouldAskEmbedder &&
+                browser_client->ShouldAllowRunningInsecureContent(
+                    prefs.allow_running_insecure_content,
+                    mixed_content_node->current_origin(), handle_impl->GetURL(),
+                    handle_impl->GetWebContents());
+      if (allowed) {
+        const GURL& origin_url = mixed_content_node->current_url().GetOrigin();
+        frame_host_delegate->DidRunInsecureContent(origin_url,
+                                                   handle_impl->GetURL());
+        browser_client->RecordURLMetric(
+            "ContentSettings.MixedScript.RanMixedScript", origin_url);
+        mixed_content_features_.insert(MixedContentBlockableAllowed);
+      }
+      break;
+    }
+
+    case blink::WebMixedContent::ContextType::ShouldBeBlockable:
+      allowed = !strictMode;
+      if (allowed)
+        frame_host_delegate->DidDisplayInsecureContent();
+      break;
+
+    case blink::WebMixedContent::ContextType::NotMixedContent:
+      NOTREACHED();
+      break;
+  };
+
+  UpdateRendererOnMixedContentFound(
+      handle_impl, mixed_content_node->current_url(), allowed, for_redirect);
+  MaybeSendBlinkFeatureUsageReport();
+
+  return !allowed;
+}
+
+FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed(
+    FrameTreeNode* node,
+    const GURL& url) {
+  // Main frame navigations cannot be mixed content.
+  // TODO(carlosk): except for form submissions which will be dealt with later.
+  if (node->IsMainFrame())
+    return nullptr;
+
+  // There's no mixed content if any of these are true:
+  // - The navigated URL is potentially secure.
+  // - The root nor parent frames' origins are secure.
+  FrameTreeNode* mixed_content_node = nullptr;
+  FrameTreeNode* root = node->frame_tree()->root();
+  FrameTreeNode* parent = node->parent();
+  if (!IsUrlPotentiallySecure(url)) {
+    // TODO(carlosk): don't we need to check more than just the immediate parent
+    // and the root? Is it always the case that these two are the only sources
+    // for obtaining the "origin of the security context"?
+    // See https://crbug.com/623486.
+
+    // Checks if the root or immediate parent frame's origin are secure.
+    if (DoesOriginSchemeRestricsMixedContent(root->current_origin()))
+      mixed_content_node = root;
+    else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin()))
+      mixed_content_node = parent;
+  }
+
+  // Note: This code below should behave the same way as as the two calls to
+  // measureStricterVersionOfIsMixedContent from inside
+  // MixedContentChecker::inWhichFrameIs.
+  if (mixed_content_node) {
+    // We're currently only checking for mixed content in `https://*` contexts.
+    // What about other "secure" contexts the SchemeRegistry knows about? We'll
+    // use this method to measure the occurance of non-webby mixed content to
+    // make sure we're not breaking the world without realizing it.
+    // Note: Based off of measureStricterVersionOfIsMixedContent in
+    // MixedContentChecker.cpp.
+    // TODO(carlosk): this will only ever work once we allow registration of new
+    // potentially secure schemes. crbug.com/627502
+    if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) {
+      mixed_content_features_.insert(
+          MixedContentInNonHTTPSFrameThatRestrictsMixedContent);
+    }
+  } else if (!SecurityOriginIsSecure(url) &&
+             (IsSecureScheme(root->current_origin().scheme()) ||
+              IsSecureScheme(parent->current_origin().scheme()))) {
+    mixed_content_features_.insert(
+        MixedContentInSecureFrameThatDoesNotRestrictMixedContent);
+  }
+  return mixed_content_node;
+}
+
+void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() {
+  if (!mixed_content_features_.empty()) {
+    NavigationHandleImpl* handle_impl =
+        static_cast<NavigationHandleImpl*>(navigation_handle());
+    RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
+    rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(),
+                                                   mixed_content_features_));
+    mixed_content_features_.clear();
+  }
+}
+
+// Based off of MixedContentChecker::count.
+void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures(
+    RequestContextType request_context_type,
+    blink::WebMixedContent::ContextType mixed_content_context_type,
+    const WebPreferences& prefs) {
+  mixed_content_features_.insert(MixedContentPresent);
+
+  // Report any blockable content.
+  if (mixed_content_context_type ==
+      blink::WebMixedContent::ContextType::Blockable) {
+    mixed_content_features_.insert(MixedContentBlockable);
+    return;
+  }
+
+  // Note: as there's no mixed content checks for sub resources on the browser
+  // there should only be a subset |request_context_type| values that could ever
+  // be found here.
+  UseCounterFeature feature;
+  switch (request_context_type) {
+    case REQUEST_CONTEXT_TYPE_INTERNAL:
+      feature = MixedContentInternal;
+      break;
+    case REQUEST_CONTEXT_TYPE_PREFETCH:
+      feature = MixedContentPrefetch;
+      break;
+
+    case REQUEST_CONTEXT_TYPE_AUDIO:
+    case REQUEST_CONTEXT_TYPE_DOWNLOAD:
+    case REQUEST_CONTEXT_TYPE_FAVICON:
+    case REQUEST_CONTEXT_TYPE_IMAGE:
+    case REQUEST_CONTEXT_TYPE_PLUGIN:
+    case REQUEST_CONTEXT_TYPE_VIDEO:
+    default:
+      NOTREACHED() << "RequestContextType has value " << request_context_type
+                   << " and has WebMixedContent::ContextType of "
+                   << static_cast<int>(mixed_content_context_type);
+      return;
+  }
+  mixed_content_features_.insert(feature);
+}
+
+// static
+bool MixedContentNavigationThrottle::IsMixedContentForTesting(
+    const GURL& origin_url,
+    const GURL& url) {
+  const url::Origin origin(origin_url);
+  return !IsUrlPotentiallySecure(url) &&
+         DoesOriginSchemeRestricsMixedContent(origin);
+}
+
+}  // namespace content