Index: content/browser/frame_host/mixed_content_navigation_throttle.cc |
diff --git a/content/browser/frame_host/mixed_content_navigation_throttle.cc b/content/browser/frame_host/mixed_content_navigation_throttle.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..e8e144d29bd749d2796766cf60cf9bf81699f8c7 |
--- /dev/null |
+++ b/content/browser/frame_host/mixed_content_navigation_throttle.cc |
@@ -0,0 +1,381 @@ |
+// Copyright 2016 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "content/browser/frame_host/mixed_content_navigation_throttle.h" |
+ |
+#include "base/strings/stringprintf.h" |
+#include "content/browser/frame_host/frame_tree.h" |
+#include "content/browser/frame_host/frame_tree_node.h" |
+#include "content/browser/frame_host/navigation_handle_impl.h" |
+#include "content/browser/frame_host/render_frame_host_delegate.h" |
+#include "content/browser/renderer_host/render_view_host_impl.h" |
+#include "content/common/frame_messages.h" |
+#include "content/public/browser/content_browser_client.h" |
+#include "content/public/browser/render_frame_host.h" |
+#include "content/public/common/browser_side_navigation_policy.h" |
+#include "content/public/common/content_client.h" |
+#include "content/public/common/origin_util.h" |
+#include "content/public/common/url_constants.h" |
+#include "content/public/common/web_preferences.h" |
+#include "net/base/url_util.h" |
+#include "url/gurl.h" |
+#include "url/origin.h" |
+#include "url/url_constants.h" |
+ |
+namespace { |
+ |
+using namespace content; |
+ |
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. |
+bool IsSecureScheme(const std::string& scheme) { |
+ // TODO(carlosk): find out how to properly handle these secure schemes. Should |
+ // statically defined ones in Chrome/embedder come from a shared file? Should |
+ // dynamically defined ones from extensions register both with browser and |
+ // renderer code? See https://crbug.com/627502. |
+ bool result = |
+ // Note: schemes statically defined in secureSchemes() |
+ scheme == url::kHttpsScheme || scheme == url::kAboutScheme || |
+ scheme == url::kDataScheme || scheme == url::kWssScheme || |
+ // Note: schemes "dynamically" registered with |
+ // SchemeRegistry::registerURLSchemeAsSecure. |
+ scheme == kChromeUIScheme; |
+ return result; |
+} |
+ |
+// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure. |
+bool HasPotentiallySecureScheme(const GURL& url) { |
+ return IsSecureScheme(url.scheme()); |
+} |
+ |
+// Should return the same value as SecurityOrigin::isLocal and |
+// SchemeRegistry::shouldTreatURLSchemeAsLocal. |
+bool HasLocalScheme(const GURL& url) { |
+ // TODO(carlosk): Same registration problem as described in |
+ // HasPotentiallySecureScheme applies here. See https://crbug.com/627502. |
+ bool result = |
+ // Note: schemes statically defined in schemesWithUniqueOrigins() |
+ url.SchemeIs(url::kAboutScheme) || url.SchemeIs(url::kJavaScriptScheme) || |
+ url.SchemeIs(url::kDataScheme) || |
+ // Note: schemes "dynamically" registered with |
+ // SchemeRegistry::registerURLSchemeAsNoAccess. There's no content/ |
+ // re-definition of kChromeNativeScheme. |
+ url.SchemeIs("chrome-native"); |
+ return result; |
+} |
+ |
+// Should return the same value as SecurityOrigin::isSecure. |
+bool SecurityOriginIsSecure(const GURL& url) { |
+ return HasPotentiallySecureScheme(url) || |
+ (url.SchemeIsFileSystem() && url.inner_url() && |
+ HasPotentiallySecureScheme(*url.inner_url())) || |
+ (url.SchemeIsBlob() && |
+ HasPotentiallySecureScheme(GURL(url.GetContent()))) || |
+ IsOriginWhiteListedTrustworthy(url); |
+} |
+ |
+// Should return the same value as the resource URL checks made inside |
+// MixedContentChecker::isMixedContent. |
+bool IsUrlPotentiallySecure(const GURL& url) { |
+ // TODO(carlosk): secure origin checks don't match between content and Blink |
+ // hence this implementation here instead of a direct call to IsOriginSecure |
+ // (in origin_util.cc). See https://crbug.com/629059. |
+ |
+ bool is_secure = SecurityOriginIsSecure(url); |
+ |
+ // blob: and filesystem: URLs never hit the network, and access is restricted |
+ // to same-origin contexts, so they are not blocked either. |
+ if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme)) |
+ is_secure |= true; |
+ |
+ // Mimics SecurityOrigin::isPotentiallyTrustworthy without duplicating (much) |
+ // of the checks already done previously. |
+ if (HasLocalScheme(url) || net::IsLocalhost(url.HostNoBrackets())) |
jam
2017/01/06 21:20:13
for clarity, it would help to split the HasLocalSc
carlosk
2017/01/10 02:10:44
Done.
|
+ is_secure |= true; |
+ |
+ // TODO(mkwst): Remove this once 'localhost' is no longer considered |
+ // potentially trustworthy. |
+ if (is_secure && url.SchemeIs(url::kHttpScheme) && |
+ net::IsLocalHostname(url.HostNoBrackets(), nullptr)) { |
+ is_secure = false; |
+ } |
+ |
+ return is_secure; |
+} |
+ |
+// This method should return the same results as |
+// SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. |
+bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) { |
+ return origin.scheme() == url::kHttpsScheme; |
+} |
+ |
+bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) { |
+ // TODO(carlosk): for CORS schemes we have the exact same issue as for the |
+ // secure schemes above. See callers to and references in |
+ // WebSecurityPolicy::registerURLSchemeAsCORSEnabled. See |
+ // https://crbug.com/627502. |
+ return |
+ // Note: CORS schemes statically defined in CORSEnabledSchemes() |
+ url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme) || |
+ // Note: CORS schemes "dynamically" registered in |
+ // RenderThreadImpl::RegisterSchemes. |
jam
2017/01/06 21:20:13
nit: also mention that extensions/renderer/dispatc
carlosk
2017/01/10 02:10:44
Done. I reorganized all hard coded scheme code and
|
+ url.SchemeIs(kChromeUIScheme); |
+} |
+ |
+void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl, |
+ const GURL& mixed_content_url, |
+ bool was_allowed, |
+ bool for_redirect) { |
+ // TODO(carlosk): the root node should never be considered mixed content for |
+ // now. Once/if the browser starts also checking form submits than this will |
+ // happen and this DCHECK should be updated. |
+ DCHECK(handle_impl->frame_tree_node()->parent()); |
+ RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); |
+ rfh->Send(new FrameMsg_MixedContentFoundByTheBrowser( |
+ rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(), |
+ handle_impl->request_context_type(), was_allowed, for_redirect)); |
+} |
+ |
+} // namespace |
+ |
+namespace content { |
+ |
+MixedContentNavigationThrottle::MixedContentNavigationThrottle( |
+ NavigationHandle* navigation_handle) |
+ : NavigationThrottle(navigation_handle) { |
+ DCHECK(IsBrowserSideNavigationEnabled()); |
+} |
+ |
+MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {} |
+ |
+ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() { |
+ bool should_block = ShouldBlockNavigation(false); |
+ return should_block ? ThrottleCheckResult::CANCEL |
+ : ThrottleCheckResult::PROCEED; |
+} |
+ |
+ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() { |
+ // Upon redirects the same checks are to be executed as for requests. |
+ bool should_block = ShouldBlockNavigation(true); |
+ return should_block ? ThrottleCheckResult::CANCEL |
+ : ThrottleCheckResult::PROCEED; |
+} |
+ |
+ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() { |
+ // TODO(carlosk): at this point we must check the final security level of |
+ // the connection! Does it use an outdated protocol? See |
+ // MixedContentChecker::handleCertificateError |
+ return ThrottleCheckResult::PROCEED; |
+} |
+ |
+// Based off of MixedContentChecker::shouldBlockFetch. |
+bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) { |
+ NavigationHandleImpl* handle_impl = |
+ static_cast<NavigationHandleImpl*>(navigation_handle()); |
+ FrameTreeNode* node = handle_impl->frame_tree_node(); |
+ |
+ // Find the parent node with mixed content, if any. |
+ FrameTreeNode* mixed_content_node = |
+ InWhichFrameIsContentMixed(node, handle_impl->GetURL()); |
+ if (!mixed_content_node) { |
+ MaybeSendBlinkFeatureUsageReport(); |
+ return false; |
+ } |
+ |
+ // From this point on we know this is not a main frame navigation and that |
+ // there is mixed-content. Now let's decide if it's OK to proceed with it. |
+ |
+ const WebPreferences& prefs = mixed_content_node->current_frame_host() |
+ ->render_view_host() |
+ ->GetWebkitPreferences(); |
+ |
+ ReportBasicMixedContentFeatures(handle_impl->request_context_type(), |
+ handle_impl->mixed_content_context_type(), |
+ prefs); |
+ |
+ // If we're in strict mode, we'll automagically fail everything, and |
+ // intentionally skip the client/embedder checks in order to prevent degrading |
+ // the site's security UI. |
+ bool block_all_mixed_content = !!( |
+ mixed_content_node->current_replication_state().insecure_request_policy & |
+ blink::kBlockAllMixedContent); |
+ bool strictMode = |
+ prefs.strict_mixed_content_checking || block_all_mixed_content; |
+ |
+ blink::WebMixedContent::ContextType mixed_context_type = |
+ handle_impl->mixed_content_context_type(); |
+ |
+ if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) { |
+ mixed_context_type = |
+ blink::WebMixedContent::ContextType::OptionallyBlockable; |
+ } |
+ |
+ bool allowed = false; |
+ ContentBrowserClient* browser_client = GetContentClient()->browser(); |
+ RenderFrameHostDelegate* frame_host_delegate = |
+ node->current_frame_host()->delegate(); |
+ switch (mixed_context_type) { |
+ case blink::WebMixedContent::ContextType::OptionallyBlockable: |
+ allowed = !strictMode; |
+ if (allowed) { |
+ browser_client->PassiveInsecureContentFound(handle_impl->GetURL()); |
+ frame_host_delegate->DidDisplayInsecureContent(); |
+ } |
+ break; |
+ |
+ case blink::WebMixedContent::ContextType::Blockable: { |
+ // Note: from the renderer side implementation it doesn't seem like we |
+ // need to care about the UseCounter reporting of |
+ // BlockableMixedContentInSubframeBlocked because it is only triggered for |
+ // sub-resources which are not handled in the browser. |
+ bool shouldAskEmbedder = |
+ !strictMode && (!prefs.strictly_block_blockable_mixed_content || |
+ prefs.allow_running_insecure_content); |
+ allowed = shouldAskEmbedder && |
+ browser_client->ShouldAllowRunningInsecureContent( |
+ prefs.allow_running_insecure_content, |
+ mixed_content_node->current_origin(), handle_impl->GetURL(), |
+ handle_impl->GetWebContents()); |
+ if (allowed) { |
+ const GURL& origin_url = mixed_content_node->current_url().GetOrigin(); |
+ frame_host_delegate->DidRunInsecureContent(origin_url, |
+ handle_impl->GetURL()); |
+ browser_client->RecordURLMetric( |
+ "ContentSettings.MixedScript.RanMixedScript", origin_url); |
+ mixed_content_features_.insert(MixedContentBlockableAllowed); |
+ } |
+ break; |
+ } |
+ |
+ case blink::WebMixedContent::ContextType::ShouldBeBlockable: |
+ allowed = !strictMode; |
+ if (allowed) |
+ frame_host_delegate->DidDisplayInsecureContent(); |
+ break; |
+ |
+ case blink::WebMixedContent::ContextType::NotMixedContent: |
+ NOTREACHED(); |
+ break; |
+ }; |
+ |
+ UpdateRendererOnMixedContentFound( |
+ handle_impl, mixed_content_node->current_url(), allowed, for_redirect); |
+ MaybeSendBlinkFeatureUsageReport(); |
+ |
+ return !allowed; |
+} |
+ |
+FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( |
+ FrameTreeNode* node, |
+ const GURL& url) { |
+ // Main frame navigations cannot be mixed content. |
+ // TODO(carlosk): except for form submissions which will be dealt with later. |
+ if (node->IsMainFrame()) |
+ return nullptr; |
+ |
+ // There's no mixed content if any of these are true: |
+ // - The navigated URL is potentially secure. |
+ // - The root nor parent frames' origins are secure. |
+ FrameTreeNode* mixed_content_node = nullptr; |
+ FrameTreeNode* root = node->frame_tree()->root(); |
+ FrameTreeNode* parent = node->parent(); |
+ if (!IsUrlPotentiallySecure(url)) { |
+ // TODO(carlosk): don't we need to check more than just the immediate parent |
+ // and the root? Is it always the case that these two are the only sources |
+ // for obtaining the "origin of the security context"? |
+ // See https://crbug.com/623486. |
+ |
+ // Checks if the root or immediate parent frame's origin are secure. |
+ if (DoesOriginSchemeRestricsMixedContent(root->current_origin())) |
+ mixed_content_node = root; |
+ else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin())) |
+ mixed_content_node = parent; |
+ } |
+ |
+ // Note: This code below should behave the same way as as the two calls to |
+ // measureStricterVersionOfIsMixedContent from inside |
+ // MixedContentChecker::inWhichFrameIs. |
+ if (mixed_content_node) { |
+ // We're currently only checking for mixed content in `https://*` contexts. |
+ // What about other "secure" contexts the SchemeRegistry knows about? We'll |
+ // use this method to measure the occurance of non-webby mixed content to |
+ // make sure we're not breaking the world without realizing it. |
+ // Note: Based off of measureStricterVersionOfIsMixedContent in |
+ // MixedContentChecker.cpp. |
+ // TODO(carlosk): this will only ever work once we allow registration of new |
+ // potentially secure schemes. crbug.com/627502 |
+ if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) { |
+ mixed_content_features_.insert( |
+ MixedContentInNonHTTPSFrameThatRestrictsMixedContent); |
+ } |
+ } else if (!SecurityOriginIsSecure(url) && |
+ (IsSecureScheme(root->current_origin().scheme()) || |
+ IsSecureScheme(parent->current_origin().scheme()))) { |
+ mixed_content_features_.insert( |
+ MixedContentInSecureFrameThatDoesNotRestrictMixedContent); |
+ } |
+ return mixed_content_node; |
+} |
+ |
+void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() { |
+ if (!mixed_content_features_.empty()) { |
+ NavigationHandleImpl* handle_impl = |
+ static_cast<NavigationHandleImpl*>(navigation_handle()); |
+ RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host(); |
+ rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(), |
+ mixed_content_features_)); |
+ mixed_content_features_.clear(); |
+ } |
+} |
+ |
+// Based off of MixedContentChecker::count. |
+void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures( |
+ RequestContextType request_context_type, |
+ blink::WebMixedContent::ContextType mixed_content_context_type, |
+ const WebPreferences& prefs) { |
+ mixed_content_features_.insert(MixedContentPresent); |
+ |
+ // Report any blockable content. |
+ if (mixed_content_context_type == |
+ blink::WebMixedContent::ContextType::Blockable) { |
+ mixed_content_features_.insert(MixedContentBlockable); |
+ return; |
+ } |
+ |
+ // Note: as there's no mixed content checks for sub resources on the browser |
+ // there should only be a subset |request_context_type| values that could ever |
+ // be found here. |
+ UseCounterFeature feature; |
+ switch (request_context_type) { |
+ case REQUEST_CONTEXT_TYPE_INTERNAL: |
+ feature = MixedContentInternal; |
+ break; |
+ case REQUEST_CONTEXT_TYPE_PREFETCH: |
+ feature = MixedContentPrefetch; |
+ break; |
+ |
+ case REQUEST_CONTEXT_TYPE_AUDIO: |
+ case REQUEST_CONTEXT_TYPE_DOWNLOAD: |
+ case REQUEST_CONTEXT_TYPE_FAVICON: |
+ case REQUEST_CONTEXT_TYPE_IMAGE: |
+ case REQUEST_CONTEXT_TYPE_PLUGIN: |
+ case REQUEST_CONTEXT_TYPE_VIDEO: |
+ default: |
+ NOTREACHED() << "RequestContextType has value " << request_context_type |
+ << " and has WebMixedContent::ContextType of " |
+ << static_cast<int>(mixed_content_context_type); |
+ return; |
+ } |
+ mixed_content_features_.insert(feature); |
+} |
+ |
+// static |
+bool MixedContentNavigationThrottle::IsMixedContentForTesting( |
+ const GURL& origin_url, |
+ const GURL& url) { |
+ const url::Origin origin(origin_url); |
+ return !IsUrlPotentiallySecure(url) && |
+ DoesOriginSchemeRestricsMixedContent(origin); |
+} |
+ |
+} // namespace content |