| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 54 // function is used, for example, to determine the URL to show in console | 54 // function is used, for example, to determine the URL to show in console |
| 55 // messages about mixed content. | 55 // messages about mixed content. |
| 56 KURL mainResourceUrlForFrame(Frame* frame) { | 56 KURL mainResourceUrlForFrame(Frame* frame) { |
| 57 if (frame->isRemoteFrame()) { | 57 if (frame->isRemoteFrame()) { |
| 58 return KURL(KURL(), | 58 return KURL(KURL(), |
| 59 frame->securityContext()->getSecurityOrigin()->toString()); | 59 frame->securityContext()->getSecurityOrigin()->toString()); |
| 60 } | 60 } |
| 61 return toLocalFrame(frame)->document()->url(); | 61 return toLocalFrame(frame)->document()->url(); |
| 62 } | 62 } |
| 63 | 63 |
| 64 const char* requestContextName(WebURLRequest::RequestContext context) { |
| 65 switch (context) { |
| 66 case WebURLRequest::RequestContextAudio: |
| 67 return "audio file"; |
| 68 case WebURLRequest::RequestContextBeacon: |
| 69 return "Beacon endpoint"; |
| 70 case WebURLRequest::RequestContextCSPReport: |
| 71 return "Content Security Policy reporting endpoint"; |
| 72 case WebURLRequest::RequestContextDownload: |
| 73 return "download"; |
| 74 case WebURLRequest::RequestContextEmbed: |
| 75 return "plugin resource"; |
| 76 case WebURLRequest::RequestContextEventSource: |
| 77 return "EventSource endpoint"; |
| 78 case WebURLRequest::RequestContextFavicon: |
| 79 return "favicon"; |
| 80 case WebURLRequest::RequestContextFetch: |
| 81 return "resource"; |
| 82 case WebURLRequest::RequestContextFont: |
| 83 return "font"; |
| 84 case WebURLRequest::RequestContextForm: |
| 85 return "form action"; |
| 86 case WebURLRequest::RequestContextFrame: |
| 87 return "frame"; |
| 88 case WebURLRequest::RequestContextHyperlink: |
| 89 return "resource"; |
| 90 case WebURLRequest::RequestContextIframe: |
| 91 return "frame"; |
| 92 case WebURLRequest::RequestContextImage: |
| 93 return "image"; |
| 94 case WebURLRequest::RequestContextImageSet: |
| 95 return "image"; |
| 96 case WebURLRequest::RequestContextImport: |
| 97 return "HTML Import"; |
| 98 case WebURLRequest::RequestContextInternal: |
| 99 return "resource"; |
| 100 case WebURLRequest::RequestContextLocation: |
| 101 return "resource"; |
| 102 case WebURLRequest::RequestContextManifest: |
| 103 return "manifest"; |
| 104 case WebURLRequest::RequestContextObject: |
| 105 return "plugin resource"; |
| 106 case WebURLRequest::RequestContextPing: |
| 107 return "hyperlink auditing endpoint"; |
| 108 case WebURLRequest::RequestContextPlugin: |
| 109 return "plugin data"; |
| 110 case WebURLRequest::RequestContextPrefetch: |
| 111 return "prefetch resource"; |
| 112 case WebURLRequest::RequestContextScript: |
| 113 return "script"; |
| 114 case WebURLRequest::RequestContextServiceWorker: |
| 115 return "Service Worker script"; |
| 116 case WebURLRequest::RequestContextSharedWorker: |
| 117 return "Shared Worker script"; |
| 118 case WebURLRequest::RequestContextStyle: |
| 119 return "stylesheet"; |
| 120 case WebURLRequest::RequestContextSubresource: |
| 121 return "resource"; |
| 122 case WebURLRequest::RequestContextTrack: |
| 123 return "Text Track"; |
| 124 case WebURLRequest::RequestContextUnspecified: |
| 125 return "resource"; |
| 126 case WebURLRequest::RequestContextVideo: |
| 127 return "video"; |
| 128 case WebURLRequest::RequestContextWorker: |
| 129 return "Worker script"; |
| 130 case WebURLRequest::RequestContextXMLHttpRequest: |
| 131 return "XMLHttpRequest endpoint"; |
| 132 case WebURLRequest::RequestContextXSLT: |
| 133 return "XSLT"; |
| 134 } |
| 135 NOTREACHED(); |
| 136 return "resource"; |
| 137 } |
| 138 |
| 64 } // namespace | 139 } // namespace |
| 65 | 140 |
| 66 static void measureStricterVersionOfIsMixedContent(Frame* frame, | 141 static void measureStricterVersionOfIsMixedContent(Frame* frame, |
| 67 const KURL& url) { | 142 const KURL& url) { |
| 68 // We're currently only checking for mixed content in `https://*` contexts. | 143 // We're currently only checking for mixed content in `https://*` contexts. |
| 69 // What about other "secure" contexts the SchemeRegistry knows about? We'll | 144 // What about other "secure" contexts the SchemeRegistry knows about? We'll |
| 70 // use this method to measure the occurance of non-webby mixed content to make | 145 // use this method to measure the occurance of non-webby mixed content to make |
| 71 // sure we're not breaking the world without realizing it. | 146 // sure we're not breaking the world without realizing it. |
| 72 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); | 147 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); |
| 73 if (MixedContentChecker::isMixedContent(origin, url)) { | 148 if (MixedContentChecker::isMixedContent(origin, url)) { |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 143 void MixedContentChecker::logToConsoleAboutFetch( | 218 void MixedContentChecker::logToConsoleAboutFetch( |
| 144 LocalFrame* frame, | 219 LocalFrame* frame, |
| 145 const KURL& mainResourceUrl, | 220 const KURL& mainResourceUrl, |
| 146 const KURL& url, | 221 const KURL& url, |
| 147 WebURLRequest::RequestContext requestContext, | 222 WebURLRequest::RequestContext requestContext, |
| 148 bool allowed) { | 223 bool allowed) { |
| 149 String message = String::format( | 224 String message = String::format( |
| 150 "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an " | 225 "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an " |
| 151 "insecure %s '%s'. %s", | 226 "insecure %s '%s'. %s", |
| 152 mainResourceUrl.elidedString().utf8().data(), | 227 mainResourceUrl.elidedString().utf8().data(), |
| 153 WebMixedContent::requestContextName(requestContext), | 228 requestContextName(requestContext), url.elidedString().utf8().data(), |
| 154 url.elidedString().utf8().data(), | |
| 155 allowed ? "This content should also be served over HTTPS." | 229 allowed ? "This content should also be served over HTTPS." |
| 156 : "This request has been blocked; the content must be served " | 230 : "This request has been blocked; the content must be served " |
| 157 "over HTTPS."); | 231 "over HTTPS."); |
| 158 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel; | 232 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel; |
| 159 frame->document()->addConsoleMessage( | 233 frame->document()->addConsoleMessage( |
| 160 ConsoleMessage::create(SecurityMessageSource, messageLevel, message)); | 234 ConsoleMessage::create(SecurityMessageSource, messageLevel, message)); |
| 161 } | 235 } |
| 162 | 236 |
| 163 // static | 237 // static |
| 164 void MixedContentChecker::count(Frame* frame, | 238 void MixedContentChecker::count(Frame* frame, |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 212 } | 286 } |
| 213 | 287 |
| 214 // static | 288 // static |
| 215 bool MixedContentChecker::shouldBlockFetch( | 289 bool MixedContentChecker::shouldBlockFetch( |
| 216 LocalFrame* frame, | 290 LocalFrame* frame, |
| 217 WebURLRequest::RequestContext requestContext, | 291 WebURLRequest::RequestContext requestContext, |
| 218 WebURLRequest::FrameType frameType, | 292 WebURLRequest::FrameType frameType, |
| 219 ResourceRequest::RedirectStatus redirectStatus, | 293 ResourceRequest::RedirectStatus redirectStatus, |
| 220 const KURL& url, | 294 const KURL& url, |
| 221 MixedContentChecker::ReportingStatus reportingStatus) { | 295 MixedContentChecker::ReportingStatus reportingStatus) { |
| 296 // Frame-level loads are checked by the browser. No need to check them again |
| 297 // here. |
| 298 if (frame->settings()->getBrowserSideNavigationEnabled() && |
| 299 frameType != WebURLRequest::FrameTypeNone) { |
| 300 return false; |
| 301 } |
| 302 |
| 222 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); | 303 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); |
| 223 Frame* mixedFrame = | 304 Frame* mixedFrame = |
| 224 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); | 305 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); |
| 225 if (!mixedFrame) | 306 if (!mixedFrame) |
| 226 return false; | 307 return false; |
| 227 | 308 |
| 228 MixedContentChecker::count(mixedFrame, requestContext); | 309 MixedContentChecker::count(mixedFrame, requestContext); |
| 229 if (ContentSecurityPolicy* policy = | 310 if (ContentSecurityPolicy* policy = |
| 230 frame->securityContext()->contentSecurityPolicy()) | 311 frame->securityContext()->contentSecurityPolicy()) |
| 231 policy->reportMixedContent(url, redirectStatus); | 312 policy->reportMixedContent(url, redirectStatus); |
| (...skipping 249 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 481 if (contextType == WebMixedContent::ContextType::Blockable) { | 562 if (contextType == WebMixedContent::ContextType::Blockable) { |
| 482 client->didRunContentWithCertificateErrors(response.url()); | 563 client->didRunContentWithCertificateErrors(response.url()); |
| 483 } else { | 564 } else { |
| 484 // contextTypeFromRequestContext() never returns NotMixedContent (it | 565 // contextTypeFromRequestContext() never returns NotMixedContent (it |
| 485 // computes the type of mixed content, given that the content is mixed). | 566 // computes the type of mixed content, given that the content is mixed). |
| 486 DCHECK_NE(contextType, WebMixedContent::ContextType::NotMixedContent); | 567 DCHECK_NE(contextType, WebMixedContent::ContextType::NotMixedContent); |
| 487 client->didDisplayContentWithCertificateErrors(response.url()); | 568 client->didDisplayContentWithCertificateErrors(response.url()); |
| 488 } | 569 } |
| 489 } | 570 } |
| 490 | 571 |
| 572 // static |
| 573 void MixedContentChecker::mixedContentFoundByTheBrowser( |
| 574 LocalFrame* frame, |
| 575 const KURL& mainResourceUrl, |
| 576 const KURL& mixedContentUrl, |
| 577 WebURLRequest::RequestContext requestContext, |
| 578 bool wasAllowed, |
| 579 bool hadRedirect) { |
| 580 logToConsoleAboutFetch(frame, mainResourceUrl, mixedContentUrl, |
| 581 requestContext, wasAllowed); |
| 582 ContentSecurityPolicy* policy = |
| 583 frame->securityContext()->contentSecurityPolicy(); |
| 584 if (policy) { |
| 585 policy->reportMixedContent( |
| 586 mixedContentUrl, hadRedirect |
| 587 ? ResourceRequest::RedirectStatus::FollowedRedirect |
| 588 : ResourceRequest::RedirectStatus::NoRedirect); |
| 589 } |
| 590 } |
| 591 |
| 491 WebMixedContent::ContextType MixedContentChecker::contextTypeForInspector( | 592 WebMixedContent::ContextType MixedContentChecker::contextTypeForInspector( |
| 492 LocalFrame* frame, | 593 LocalFrame* frame, |
| 493 const ResourceRequest& request) { | 594 const ResourceRequest& request) { |
| 494 Frame* effectiveFrame = | 595 Frame* effectiveFrame = |
| 495 effectiveFrameForFrameType(frame, request.frameType()); | 596 effectiveFrameForFrameType(frame, request.frameType()); |
| 496 | 597 |
| 497 Frame* mixedFrame = inWhichFrameIsContentMixed( | 598 Frame* mixedFrame = inWhichFrameIsContentMixed( |
| 498 effectiveFrame, request.frameType(), request.url()); | 599 effectiveFrame, request.frameType(), request.url()); |
| 499 if (!mixedFrame) | 600 if (!mixedFrame) |
| 500 return WebMixedContent::ContextType::NotMixedContent; | 601 return WebMixedContent::ContextType::NotMixedContent; |
| 501 | 602 |
| 502 // See comment in shouldBlockFetch() about loading the main resource of a | 603 // See comment in shouldBlockFetch() about loading the main resource of a |
| 503 // subframe. | 604 // subframe. |
| 504 if (request.frameType() == WebURLRequest::FrameTypeNested && | 605 if (request.frameType() == WebURLRequest::FrameTypeNested && |
| 505 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( | 606 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( |
| 506 request.url().protocol())) { | 607 request.url().protocol())) { |
| 507 return WebMixedContent::ContextType::OptionallyBlockable; | 608 return WebMixedContent::ContextType::OptionallyBlockable; |
| 508 } | 609 } |
| 509 | 610 |
| 510 bool strictMixedContentCheckingForPlugin = | 611 bool strictMixedContentCheckingForPlugin = |
| 511 mixedFrame->settings() && | 612 mixedFrame->settings() && |
| 512 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); | 613 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); |
| 513 return WebMixedContent::contextTypeFromRequestContext( | 614 return WebMixedContent::contextTypeFromRequestContext( |
| 514 request.requestContext(), strictMixedContentCheckingForPlugin); | 615 request.requestContext(), strictMixedContentCheckingForPlugin); |
| 515 } | 616 } |
| 516 | 617 |
| 517 } // namespace blink | 618 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1905033002:
PlzNavigate: Move navigation-level mixed content checks to the browser. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@console-security-message