OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/browser/frame_host/mixed_content_navigation_throttle.h" | |
6 | |
7 #include "base/strings/stringprintf.h" | |
8 #include "content/browser/frame_host/frame_tree.h" | |
9 #include "content/browser/frame_host/frame_tree_node.h" | |
10 #include "content/browser/frame_host/navigation_handle_impl.h" | |
11 #include "content/browser/frame_host/render_frame_host_delegate.h" | |
12 #include "content/browser/renderer_host/render_view_host_impl.h" | |
13 #include "content/common/frame_messages.h" | |
14 #include "content/public/browser/content_browser_client.h" | |
15 #include "content/public/browser/render_frame_host.h" | |
16 #include "content/public/common/browser_side_navigation_policy.h" | |
17 #include "content/public/common/content_client.h" | |
18 #include "content/public/common/origin_util.h" | |
19 #include "content/public/common/url_constants.h" | |
20 #include "content/public/common/web_preferences.h" | |
21 #include "net/base/url_util.h" | |
22 #include "url/gurl.h" | |
23 #include "url/origin.h" | |
24 #include "url/url_constants.h" | |
25 | |
26 namespace { | |
27 | |
28 using namespace content; | |
29 | |
30 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. | |
31 bool IsSecureScheme(const std::string& scheme) { | |
32 // TODO(carlosk): find out how to properly handle these secure schemes. Should | |
33 // statically defined ones in Chrome/embedder come from a shared file? Should | |
34 // dynamically defined ones from extensions register both with browser and | |
35 // renderer code? See https://crbug.com/627502. | |
36 bool result = | |
37 // Note: schemes statically defined in secureSchemes() | |
38 scheme == url::kHttpsScheme || scheme == url::kAboutScheme || | |
39 scheme == url::kDataScheme || scheme == url::kWssScheme || | |
40 // Note: schemes "dynamically" registered with | |
41 // SchemeRegistry::registerURLSchemeAsSecure. | |
42 scheme == kChromeUIScheme; | |
43 return result; | |
44 } | |
45 | |
46 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. | |
47 bool HasPotentiallySecureScheme(const GURL& url) { | |
48 return IsSecureScheme(url.scheme()); | |
49 } | |
50 | |
51 // Should return the same value as SecurityOrigin::isLocal and | |
52 // SchemeRegistry::shouldTreatURLSchemeAsLocal. | |
53 bool HasLocalScheme(const GURL& url) { | |
54 // TODO(carlosk): Same registration problem as described in | |
55 // HasPotentiallySecureScheme applies here. See https://crbug.com/627502. | |
56 bool result = | |
57 // Note: schemes statically defined in schemesWithUniqueOrigins() | |
58 url.SchemeIs(url::kAboutScheme) || url.SchemeIs(url::kJavaScriptScheme) || | |
59 url.SchemeIs(url::kDataScheme) || | |
60 // Note: schemes "dynamically" registered with | |
61 // SchemeRegistry::registerURLSchemeAsNoAccess. There's no content/ | |
62 // re-definition of kChromeNativeScheme. | |
63 url.SchemeIs("chrome-native"); | |
64 return result; | |
65 } | |
66 | |
67 // Should return the same value as SecurityOrigin::isSecure. | |
68 bool SecurityOriginIsSecure(const GURL& url) { | |
69 return HasPotentiallySecureScheme(url) || | |
70 (url.SchemeIsFileSystem() && url.inner_url() && | |
71 HasPotentiallySecureScheme(*url.inner_url())) || | |
72 (url.SchemeIsBlob() && | |
73 HasPotentiallySecureScheme(GURL(url.GetContent()))) || | |
74 IsOriginWhiteListedTrustworthy(url); | |
75 } | |
76 | |
77 // Should return the same value as the resource URL checks made inside | |
78 // MixedContentChecker::isMixedContent. | |
79 bool IsUrlPotentiallySecure(const GURL& url) { | |
80 // TODO(carlosk): secure origin checks don't match between content and Blink | |
81 // hence this implementation here instead of a direct call to IsOriginSecure | |
82 // (in origin_util.cc). See https://crbug.com/629059. | |
83 | |
84 bool is_secure = SecurityOriginIsSecure(url); | |
85 | |
86 // blob: and filesystem: URLs never hit the network, and access is restricted | |
87 // to same-origin contexts, so they are not blocked either. | |
88 if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme)) | |
89 is_secure |= true; | |
90 | |
91 // Mimics SecurityOrigin::isPotentiallyTrustworthy without duplicating (much) | |
92 // of the checks already done previously. | |
93 if (HasLocalScheme(url) || net::IsLocalhost(url.HostNoBrackets())) | |
jam
2017/01/06 21:20:13
for clarity, it would help to split the HasLocalSc
carlosk
2017/01/10 02:10:44
Done.
| |
94 is_secure |= true; | |
95 | |
96 // TODO(mkwst): Remove this once 'localhost' is no longer considered | |
97 // potentially trustworthy. | |
98 if (is_secure && url.SchemeIs(url::kHttpScheme) && | |
99 net::IsLocalHostname(url.HostNoBrackets(), nullptr)) { | |
100 is_secure = false; | |
101 } | |
102 | |
103 return is_secure; | |
104 } | |
105 | |
106 // This method should return the same results as | |
107 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. | |
108 bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) { | |
109 return origin.scheme() == url::kHttpsScheme; | |
110 } | |
111 | |
112 bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) { | |
113 // TODO(carlosk): for CORS schemes we have the exact same issue as for the | |
114 // secure schemes above. See callers to and references in | |
115 // WebSecurityPolicy::registerURLSchemeAsCORSEnabled. See | |
116 // https://crbug.com/627502. | |
117 return | |
118 // Note: CORS schemes statically defined in CORSEnabledSchemes() | |
119 url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme) || | |
120 // Note: CORS schemes "dynamically" registered in | |
121 // RenderThreadImpl::RegisterSchemes. | |
jam
2017/01/06 21:20:13
nit: also mention that extensions/renderer/dispatc
carlosk
2017/01/10 02:10:44
Done. I reorganized all hard coded scheme code and
| |
122 url.SchemeIs(kChromeUIScheme); | |
123 } | |
124 | |
125 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl, | |
126 const GURL& mixed_content_url, | |
127 bool was_allowed, | |
128 bool for_redirect) { | |
129 // TODO(carlosk): the root node should never be considered mixed content for | |
130 // now. Once/if the browser starts also checking form submits than this will | |
131 // happen and this DCHECK should be updated. | |
132 DCHECK(handle_impl->frame_tree_node()->parent()); | |
133 RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); | |
134 rfh->Send(new FrameMsg_MixedContentFoundByTheBrowser( | |
135 rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(), | |
136 handle_impl->request_context_type(), was_allowed, for_redirect)); | |
137 } | |
138 | |
139 } // namespace | |
140 | |
141 namespace content { | |
142 | |
143 MixedContentNavigationThrottle::MixedContentNavigationThrottle( | |
144 NavigationHandle* navigation_handle) | |
145 : NavigationThrottle(navigation_handle) { | |
146 DCHECK(IsBrowserSideNavigationEnabled()); | |
147 } | |
148 | |
149 MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {} | |
150 | |
151 ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() { | |
152 bool should_block = ShouldBlockNavigation(false); | |
153 return should_block ? ThrottleCheckResult::CANCEL | |
154 : ThrottleCheckResult::PROCEED; | |
155 } | |
156 | |
157 ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() { | |
158 // Upon redirects the same checks are to be executed as for requests. | |
159 bool should_block = ShouldBlockNavigation(true); | |
160 return should_block ? ThrottleCheckResult::CANCEL | |
161 : ThrottleCheckResult::PROCEED; | |
162 } | |
163 | |
164 ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() { | |
165 // TODO(carlosk): at this point we must check the final security level of | |
166 // the connection! Does it use an outdated protocol? See | |
167 // MixedContentChecker::handleCertificateError | |
168 return ThrottleCheckResult::PROCEED; | |
169 } | |
170 | |
171 // Based off of MixedContentChecker::shouldBlockFetch. | |
172 bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) { | |
173 NavigationHandleImpl* handle_impl = | |
174 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
175 FrameTreeNode* node = handle_impl->frame_tree_node(); | |
176 | |
177 // Find the parent node with mixed content, if any. | |
178 FrameTreeNode* mixed_content_node = | |
179 InWhichFrameIsContentMixed(node, handle_impl->GetURL()); | |
180 if (!mixed_content_node) { | |
181 MaybeSendBlinkFeatureUsageReport(); | |
182 return false; | |
183 } | |
184 | |
185 // From this point on we know this is not a main frame navigation and that | |
186 // there is mixed-content. Now let's decide if it's OK to proceed with it. | |
187 | |
188 const WebPreferences& prefs = mixed_content_node->current_frame_host() | |
189 ->render_view_host() | |
190 ->GetWebkitPreferences(); | |
191 | |
192 ReportBasicMixedContentFeatures(handle_impl->request_context_type(), | |
193 handle_impl->mixed_content_context_type(), | |
194 prefs); | |
195 | |
196 // If we're in strict mode, we'll automagically fail everything, and | |
197 // intentionally skip the client/embedder checks in order to prevent degrading | |
198 // the site's security UI. | |
199 bool block_all_mixed_content = !!( | |
200 mixed_content_node->current_replication_state().insecure_request_policy & | |
201 blink::kBlockAllMixedContent); | |
202 bool strictMode = | |
203 prefs.strict_mixed_content_checking || block_all_mixed_content; | |
204 | |
205 blink::WebMixedContent::ContextType mixed_context_type = | |
206 handle_impl->mixed_content_context_type(); | |
207 | |
208 if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) { | |
209 mixed_context_type = | |
210 blink::WebMixedContent::ContextType::OptionallyBlockable; | |
211 } | |
212 | |
213 bool allowed = false; | |
214 ContentBrowserClient* browser_client = GetContentClient()->browser(); | |
215 RenderFrameHostDelegate* frame_host_delegate = | |
216 node->current_frame_host()->delegate(); | |
217 switch (mixed_context_type) { | |
218 case blink::WebMixedContent::ContextType::OptionallyBlockable: | |
219 allowed = !strictMode; | |
220 if (allowed) { | |
221 browser_client->PassiveInsecureContentFound(handle_impl->GetURL()); | |
222 frame_host_delegate->DidDisplayInsecureContent(); | |
223 } | |
224 break; | |
225 | |
226 case blink::WebMixedContent::ContextType::Blockable: { | |
227 // Note: from the renderer side implementation it doesn't seem like we | |
228 // need to care about the UseCounter reporting of | |
229 // BlockableMixedContentInSubframeBlocked because it is only triggered for | |
230 // sub-resources which are not handled in the browser. | |
231 bool shouldAskEmbedder = | |
232 !strictMode && (!prefs.strictly_block_blockable_mixed_content || | |
233 prefs.allow_running_insecure_content); | |
234 allowed = shouldAskEmbedder && | |
235 browser_client->ShouldAllowRunningInsecureContent( | |
236 prefs.allow_running_insecure_content, | |
237 mixed_content_node->current_origin(), handle_impl->GetURL(), | |
238 handle_impl->GetWebContents()); | |
239 if (allowed) { | |
240 const GURL& origin_url = mixed_content_node->current_url().GetOrigin(); | |
241 frame_host_delegate->DidRunInsecureContent(origin_url, | |
242 handle_impl->GetURL()); | |
243 browser_client->RecordURLMetric( | |
244 "ContentSettings.MixedScript.RanMixedScript", origin_url); | |
245 mixed_content_features_.insert(MixedContentBlockableAllowed); | |
246 } | |
247 break; | |
248 } | |
249 | |
250 case blink::WebMixedContent::ContextType::ShouldBeBlockable: | |
251 allowed = !strictMode; | |
252 if (allowed) | |
253 frame_host_delegate->DidDisplayInsecureContent(); | |
254 break; | |
255 | |
256 case blink::WebMixedContent::ContextType::NotMixedContent: | |
257 NOTREACHED(); | |
258 break; | |
259 }; | |
260 | |
261 UpdateRendererOnMixedContentFound( | |
262 handle_impl, mixed_content_node->current_url(), allowed, for_redirect); | |
263 MaybeSendBlinkFeatureUsageReport(); | |
264 | |
265 return !allowed; | |
266 } | |
267 | |
268 FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( | |
269 FrameTreeNode* node, | |
270 const GURL& url) { | |
271 // Main frame navigations cannot be mixed content. | |
272 // TODO(carlosk): except for form submissions which will be dealt with later. | |
273 if (node->IsMainFrame()) | |
274 return nullptr; | |
275 | |
276 // There's no mixed content if any of these are true: | |
277 // - The navigated URL is potentially secure. | |
278 // - The root nor parent frames' origins are secure. | |
279 FrameTreeNode* mixed_content_node = nullptr; | |
280 FrameTreeNode* root = node->frame_tree()->root(); | |
281 FrameTreeNode* parent = node->parent(); | |
282 if (!IsUrlPotentiallySecure(url)) { | |
283 // TODO(carlosk): don't we need to check more than just the immediate parent | |
284 // and the root? Is it always the case that these two are the only sources | |
285 // for obtaining the "origin of the security context"? | |
286 // See https://crbug.com/623486. | |
287 | |
288 // Checks if the root or immediate parent frame's origin are secure. | |
289 if (DoesOriginSchemeRestricsMixedContent(root->current_origin())) | |
290 mixed_content_node = root; | |
291 else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin())) | |
292 mixed_content_node = parent; | |
293 } | |
294 | |
295 // Note: This code below should behave the same way as as the two calls to | |
296 // measureStricterVersionOfIsMixedContent from inside | |
297 // MixedContentChecker::inWhichFrameIs. | |
298 if (mixed_content_node) { | |
299 // We're currently only checking for mixed content in `https://*` contexts. | |
300 // What about other "secure" contexts the SchemeRegistry knows about? We'll | |
301 // use this method to measure the occurance of non-webby mixed content to | |
302 // make sure we're not breaking the world without realizing it. | |
303 // Note: Based off of measureStricterVersionOfIsMixedContent in | |
304 // MixedContentChecker.cpp. | |
305 // TODO(carlosk): this will only ever work once we allow registration of new | |
306 // potentially secure schemes. crbug.com/627502 | |
307 if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) { | |
308 mixed_content_features_.insert( | |
309 MixedContentInNonHTTPSFrameThatRestrictsMixedContent); | |
310 } | |
311 } else if (!SecurityOriginIsSecure(url) && | |
312 (IsSecureScheme(root->current_origin().scheme()) || | |
313 IsSecureScheme(parent->current_origin().scheme()))) { | |
314 mixed_content_features_.insert( | |
315 MixedContentInSecureFrameThatDoesNotRestrictMixedContent); | |
316 } | |
317 return mixed_content_node; | |
318 } | |
319 | |
320 void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() { | |
321 if (!mixed_content_features_.empty()) { | |
322 NavigationHandleImpl* handle_impl = | |
323 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
324 RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); | |
325 rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(), | |
326 mixed_content_features_)); | |
327 mixed_content_features_.clear(); | |
328 } | |
329 } | |
330 | |
331 // Based off of MixedContentChecker::count. | |
332 void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures( | |
333 RequestContextType request_context_type, | |
334 blink::WebMixedContent::ContextType mixed_content_context_type, | |
335 const WebPreferences& prefs) { | |
336 mixed_content_features_.insert(MixedContentPresent); | |
337 | |
338 // Report any blockable content. | |
339 if (mixed_content_context_type == | |
340 blink::WebMixedContent::ContextType::Blockable) { | |
341 mixed_content_features_.insert(MixedContentBlockable); | |
342 return; | |
343 } | |
344 | |
345 // Note: as there's no mixed content checks for sub resources on the browser | |
346 // there should only be a subset |request_context_type| values that could ever | |
347 // be found here. | |
348 UseCounterFeature feature; | |
349 switch (request_context_type) { | |
350 case REQUEST_CONTEXT_TYPE_INTERNAL: | |
351 feature = MixedContentInternal; | |
352 break; | |
353 case REQUEST_CONTEXT_TYPE_PREFETCH: | |
354 feature = MixedContentPrefetch; | |
355 break; | |
356 | |
357 case REQUEST_CONTEXT_TYPE_AUDIO: | |
358 case REQUEST_CONTEXT_TYPE_DOWNLOAD: | |
359 case REQUEST_CONTEXT_TYPE_FAVICON: | |
360 case REQUEST_CONTEXT_TYPE_IMAGE: | |
361 case REQUEST_CONTEXT_TYPE_PLUGIN: | |
362 case REQUEST_CONTEXT_TYPE_VIDEO: | |
363 default: | |
364 NOTREACHED() << "RequestContextType has value " << request_context_type | |
365 << " and has WebMixedContent::ContextType of " | |
366 << static_cast<int>(mixed_content_context_type); | |
367 return; | |
368 } | |
369 mixed_content_features_.insert(feature); | |
370 } | |
371 | |
372 // static | |
373 bool MixedContentNavigationThrottle::IsMixedContentForTesting( | |
374 const GURL& origin_url, | |
375 const GURL& url) { | |
376 const url::Origin origin(origin_url); | |
377 return !IsUrlPotentiallySecure(url) && | |
378 DoesOriginSchemeRestricsMixedContent(origin); | |
379 } | |
380 | |
381 } // namespace content | |
OLD | NEW |