| Index: content/browser/frame_host/mixed_content_navigation_throttle.cc
|
| diff --git a/content/browser/frame_host/mixed_content_navigation_throttle.cc b/content/browser/frame_host/mixed_content_navigation_throttle.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..c753e1a71d9f4db1e767dd5027683563674318bb
|
| --- /dev/null
|
| +++ b/content/browser/frame_host/mixed_content_navigation_throttle.cc
|
| @@ -0,0 +1,434 @@
|
| +// Copyright 2016 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "content/browser/frame_host/mixed_content_navigation_throttle.h"
|
| +
|
| +#include "base/strings/stringprintf.h"
|
| +#include "content/browser/frame_host/frame_tree.h"
|
| +#include "content/browser/frame_host/frame_tree_node.h"
|
| +#include "content/browser/frame_host/navigation_handle_impl.h"
|
| +#include "content/browser/frame_host/render_frame_host_delegate.h"
|
| +#include "content/browser/renderer_host/render_view_host_impl.h"
|
| +#include "content/common/frame_messages.h"
|
| +#include "content/public/browser/content_browser_client.h"
|
| +#include "content/public/browser/render_frame_host.h"
|
| +#include "content/public/common/browser_side_navigation_policy.h"
|
| +#include "content/public/common/content_client.h"
|
| +#include "content/public/common/origin_util.h"
|
| +#include "content/public/common/url_constants.h"
|
| +#include "content/public/common/web_preferences.h"
|
| +#include "net/base/url_util.h"
|
| +#include "third_party/WebKit/public/platform/WebMixedContentContextType.h"
|
| +#include "url/gurl.h"
|
| +#include "url/origin.h"
|
| +#include "url/url_constants.h"
|
| +
|
| +namespace {
|
| +
|
| +using namespace content;
|
| +
|
| +// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
|
| +// TODO(carlosk): we have to figure out how to share schemes registered within
|
| +// Blink's SchemeRegistry with content/browser code. Should statically defined
|
| +// ones in Chrome/embedder come from a shared file? Should dynamically defined
|
| +// ones from extensions register both with browser and renderer code? See
|
| +// https://crbug.com/627502.
|
| +bool IsSecureScheme(const std::string& scheme) {
|
| + // Note: default schemes for URLSchemesRegistry::secureSchemes.
|
| + bool result = scheme == url::kHttpsScheme || scheme == url::kAboutScheme ||
|
| + scheme == url::kDataScheme || scheme == url::kWssScheme;
|
| +
|
| + // Note: below are the schemes registered through registerURLSchemeAsSecure.
|
| + // Note: here and for other scheme "registration" code below some
|
| + // registrations should not happen as they depend on the target being built. I
|
| + // tried limiting that by using platform IF-DEF-s but it is insufficient.
|
| +
|
| + // Registered from content/renderer/render_thread_impl.cc.
|
| + result |= scheme == kChromeUIScheme;
|
| + // Registered from chrome/common/url_constants.cc.
|
| + result |= scheme == "chrome-search";
|
| +#if !defined(OS_ANDROID) && !defined(OS_IOS)
|
| + // Registered from extensions/renderer/dispatcher.cc.
|
| + result |= scheme == "chrome-extension";
|
| +#endif
|
| +#if defined(OS_ANDROID)
|
| + // Registered from android_webview/renderer/aw_content_renderer_client.cc.
|
| + result |= scheme == "android-webview-video-poster";
|
| +#endif
|
| + return result;
|
| +}
|
| +
|
| +// Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
|
| +bool HasPotentiallySecureScheme(const GURL& url) {
|
| + return IsSecureScheme(url.scheme());
|
| +}
|
| +
|
| +// Should return the same value as SecurityOrigin::isLocal and
|
| +// SchemeRegistry::shouldTreatURLSchemeAsLocal.
|
| +// TODO(carlosk): Same registration problem as described in IsSecureScheme
|
| +// applies here. See https://crbug.com/627502.
|
| +bool HasLocalScheme(const GURL& url) {
|
| + // Note: default schemes for URLSchemesRegistry::localSchemes.
|
| + bool result = url.SchemeIs(url::kFileScheme);
|
| +
|
| + // Note: below are the schemes registered through registerURLSchemeAsLocal.
|
| +
|
| +#if defined(OS_CHROMEOS)
|
| + // Registered from chrome/renderer/chrome_content_renderer_client.cc.
|
| + result |= url.SchemeIs(content::kExternalFileScheme);
|
| +#endif
|
| +#if defined(OS_ANDROID)
|
| + // Registered from chrome/renderer/chrome_content_renderer_client.cc and
|
| + // from android_webview/renderer/aw_content_renderer_client.cc.
|
| + result |= url.SchemeIs(url::kContentScheme);
|
| +#endif
|
| +
|
| + return result;
|
| +}
|
| +
|
| +// This reflects the result of SecurityOrigin::isUnique considering the logic in
|
| +// SecurityOrigin::create that will return unique origins for URLs that cause
|
| +// shouldTreatAsUniqueOrigin to return true. The latter checks the scheme
|
| +// against shouldTreatURLSchemeAsNoAccess and a few other things that don't seem
|
| +// applicable here.
|
| +// TODO(carlosk): Same registration problem as described in IsSecureScheme
|
| +// applies here. See https://crbug.com/627502.
|
| +bool IsUniqueScheme(const GURL& url) {
|
| + // Note: default schemes for URLSchemesRegistry::schemesWithUniqueOrigins.
|
| + bool result = url.SchemeIs(url::kAboutScheme) ||
|
| + url.SchemeIs(url::kJavaScriptScheme) ||
|
| + url.SchemeIs(url::kDataScheme);
|
| +
|
| + // Note: below are the schemes registered through registerURLSchemeAsNoAccess.
|
| +
|
| + // Registered from chrome/renderer/chrome_render_thread_observer.cc.
|
| + result |= url.SchemeIs("chrome-native");
|
| +
|
| + return result;
|
| +}
|
| +
|
| +// TODO(carlosk): Same registration problem as described in IsSecureScheme
|
| +// applies here. See https://crbug.com/627502.
|
| +bool ShouldTreatURLSchemeAsCORSEnabled(const GURL& url) {
|
| + // Note: default schemes for URLSchemesRegistry::CORSEnabledSchemes.
|
| + bool result = url.SchemeIsHTTPOrHTTPS() || url.SchemeIs(url::kDataScheme);
|
| +
|
| + // Note: below are the schemes registered through
|
| + // registerURLSchemeAsCORSEnabled.
|
| +
|
| + // Registered from content/renderer/render_thread_impl.cc.
|
| + result |= url.SchemeIs(kChromeUIScheme);
|
| +#if !defined(OS_ANDROID) && !defined(OS_IOS)
|
| + // Registered from extensions/renderer/dispatcher.cc.
|
| + result |= url.SchemeIs("chrome-extension");
|
| +#endif
|
| +
|
| + return result;
|
| +}
|
| +
|
| +// Should return the same value as SecurityOrigin::isSecure.
|
| +bool SecurityOriginIsSecure(const GURL& url) {
|
| + return HasPotentiallySecureScheme(url) ||
|
| + (url.SchemeIsFileSystem() && url.inner_url() &&
|
| + HasPotentiallySecureScheme(*url.inner_url())) ||
|
| + (url.SchemeIsBlob() &&
|
| + HasPotentiallySecureScheme(GURL(url.GetContent()))) ||
|
| + IsOriginWhiteListedTrustworthy(url);
|
| +}
|
| +
|
| +// Should return the same value as the resource URL checks made inside
|
| +// MixedContentChecker::isMixedContent.
|
| +bool IsUrlPotentiallySecure(const GURL& url) {
|
| + // TODO(carlosk): secure origin checks don't match between content and Blink
|
| + // hence this implementation here instead of a direct call to IsOriginSecure
|
| + // (in origin_util.cc). See https://crbug.com/629059.
|
| +
|
| + bool is_secure = SecurityOriginIsSecure(url);
|
| +
|
| + // blob: and filesystem: URLs never hit the network, and access is restricted
|
| + // to same-origin contexts, so they are not blocked either.
|
| + if (url.SchemeIs(url::kBlobScheme) || url.SchemeIs(url::kFileSystemScheme))
|
| + is_secure |= true;
|
| +
|
| + // These next checks mimics the behavior of
|
| + // SecurityOrigin::isPotentiallyTrustworthy without duplicating much of the
|
| + // checks already performed previously (hence this not being enclosed in
|
| + // another method). The logic here will consider a unique scheme secure as if
|
| + // SecurityOrigin::m_isUniqueOriginPotentiallyTrustworthy was true.
|
| + if (IsUniqueScheme(url) || HasLocalScheme(url) ||
|
| + net::IsLocalhost(url.HostNoBrackets()))
|
| + is_secure |= true;
|
| +
|
| + // TODO(mkwst): Remove this once 'localhost' is no longer considered
|
| + // potentially trustworthy.
|
| + if (is_secure && url.SchemeIs(url::kHttpScheme) &&
|
| + net::IsLocalHostname(url.HostNoBrackets(), nullptr)) {
|
| + is_secure = false;
|
| + }
|
| +
|
| + return is_secure;
|
| +}
|
| +
|
| +// This method should return the same results as
|
| +// SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent.
|
| +bool DoesOriginSchemeRestricsMixedContent(const url::Origin& origin) {
|
| + return origin.scheme() == url::kHttpsScheme;
|
| +}
|
| +
|
| +void UpdateRendererOnMixedContentFound(NavigationHandleImpl* handle_impl,
|
| + const GURL& mixed_content_url,
|
| + bool was_allowed,
|
| + bool for_redirect) {
|
| + // TODO(carlosk): the root node should never be considered mixed content for
|
| + // now. Once/if the browser starts also checking form submits than this will
|
| + // happen and this DCHECK should be updated.
|
| + DCHECK(handle_impl->frame_tree_node()->parent());
|
| + RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
|
| + rfh->Send(new FrameMsg_MixedContentFoundByTheBrowser(
|
| + rfh->GetRoutingID(), mixed_content_url, handle_impl->GetURL(),
|
| + handle_impl->request_context_type(), was_allowed, for_redirect));
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +namespace content {
|
| +
|
| +MixedContentNavigationThrottle::MixedContentNavigationThrottle(
|
| + NavigationHandle* navigation_handle)
|
| + : NavigationThrottle(navigation_handle) {
|
| + DCHECK(IsBrowserSideNavigationEnabled());
|
| +}
|
| +
|
| +MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {}
|
| +
|
| +ThrottleCheckResult MixedContentNavigationThrottle::WillStartRequest() {
|
| + bool should_block = ShouldBlockNavigation(false);
|
| + return should_block ? ThrottleCheckResult::CANCEL
|
| + : ThrottleCheckResult::PROCEED;
|
| +}
|
| +
|
| +ThrottleCheckResult MixedContentNavigationThrottle::WillRedirectRequest() {
|
| + // Upon redirects the same checks are to be executed as for requests.
|
| + bool should_block = ShouldBlockNavigation(true);
|
| + return should_block ? ThrottleCheckResult::CANCEL
|
| + : ThrottleCheckResult::PROCEED;
|
| +}
|
| +
|
| +ThrottleCheckResult MixedContentNavigationThrottle::WillProcessResponse() {
|
| + // TODO(carlosk): at this point we must check the final security level of
|
| + // the connection! Does it use an outdated protocol? See
|
| + // MixedContentChecker::handleCertificateError
|
| + return ThrottleCheckResult::PROCEED;
|
| +}
|
| +
|
| +// Based off of MixedContentChecker::shouldBlockFetch.
|
| +bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) {
|
| + NavigationHandleImpl* handle_impl =
|
| + static_cast<NavigationHandleImpl*>(navigation_handle());
|
| + FrameTreeNode* node = handle_impl->frame_tree_node();
|
| +
|
| + // Find the parent node with mixed content, if any.
|
| + FrameTreeNode* mixed_content_node =
|
| + InWhichFrameIsContentMixed(node, handle_impl->GetURL());
|
| + if (!mixed_content_node) {
|
| + MaybeSendBlinkFeatureUsageReport();
|
| + return false;
|
| + }
|
| +
|
| + // From this point on we know this is not a main frame navigation and that
|
| + // there is mixed-content. Now let's decide if it's OK to proceed with it.
|
| +
|
| + const WebPreferences& prefs = mixed_content_node->current_frame_host()
|
| + ->render_view_host()
|
| + ->GetWebkitPreferences();
|
| +
|
| + ReportBasicMixedContentFeatures(handle_impl->request_context_type(),
|
| + handle_impl->mixed_content_context_type(),
|
| + prefs);
|
| +
|
| + // If we're in strict mode, we'll automagically fail everything, and
|
| + // intentionally skip the client/embedder checks in order to prevent degrading
|
| + // the site's security UI.
|
| + bool block_all_mixed_content = !!(
|
| + mixed_content_node->current_replication_state().insecure_request_policy &
|
| + blink::kBlockAllMixedContent);
|
| + bool strictMode =
|
| + prefs.strict_mixed_content_checking || block_all_mixed_content;
|
| +
|
| + blink::WebMixedContentContextType mixed_context_type =
|
| + handle_impl->mixed_content_context_type();
|
| +
|
| + if (!ShouldTreatURLSchemeAsCORSEnabled(handle_impl->GetURL())) {
|
| + mixed_context_type = blink::WebMixedContentContextType::OptionallyBlockable;
|
| + }
|
| +
|
| + bool allowed = false;
|
| + ContentBrowserClient* browser_client = GetContentClient()->browser();
|
| + RenderFrameHostDelegate* frame_host_delegate =
|
| + node->current_frame_host()->delegate();
|
| + switch (mixed_context_type) {
|
| + case blink::WebMixedContentContextType::OptionallyBlockable:
|
| + allowed = !strictMode;
|
| + if (allowed) {
|
| + browser_client->PassiveInsecureContentFound(handle_impl->GetURL());
|
| + frame_host_delegate->DidDisplayInsecureContent();
|
| + }
|
| + break;
|
| +
|
| + case blink::WebMixedContentContextType::Blockable: {
|
| + // Note: from the renderer side implementation it doesn't seem like we
|
| + // need to care about the UseCounter reporting of
|
| + // BlockableMixedContentInSubframeBlocked because it is only triggered for
|
| + // sub-resources which are not handled in the browser.
|
| + bool shouldAskEmbedder =
|
| + !strictMode && (!prefs.strictly_block_blockable_mixed_content ||
|
| + prefs.allow_running_insecure_content);
|
| + allowed = shouldAskEmbedder &&
|
| + browser_client->ShouldAllowRunningInsecureContent(
|
| + prefs.allow_running_insecure_content,
|
| + mixed_content_node->current_origin(), handle_impl->GetURL(),
|
| + handle_impl->GetWebContents());
|
| + if (allowed) {
|
| + const GURL& origin_url = mixed_content_node->current_url().GetOrigin();
|
| + frame_host_delegate->DidRunInsecureContent(origin_url,
|
| + handle_impl->GetURL());
|
| + browser_client->RecordURLMetric(
|
| + "ContentSettings.MixedScript.RanMixedScript", origin_url);
|
| + mixed_content_features_.insert(MixedContentBlockableAllowed);
|
| + }
|
| + break;
|
| + }
|
| +
|
| + case blink::WebMixedContentContextType::ShouldBeBlockable:
|
| + allowed = !strictMode;
|
| + if (allowed)
|
| + frame_host_delegate->DidDisplayInsecureContent();
|
| + break;
|
| +
|
| + case blink::WebMixedContentContextType::NotMixedContent:
|
| + NOTREACHED();
|
| + break;
|
| + };
|
| +
|
| + UpdateRendererOnMixedContentFound(
|
| + handle_impl, mixed_content_node->current_url(), allowed, for_redirect);
|
| + MaybeSendBlinkFeatureUsageReport();
|
| +
|
| + return !allowed;
|
| +}
|
| +
|
| +FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed(
|
| + FrameTreeNode* node,
|
| + const GURL& url) {
|
| + // Main frame navigations cannot be mixed content.
|
| + // TODO(carlosk): except for form submissions which will be dealt with later.
|
| + if (node->IsMainFrame())
|
| + return nullptr;
|
| +
|
| + // There's no mixed content if any of these are true:
|
| + // - The navigated URL is potentially secure.
|
| + // - The root nor parent frames' origins are secure.
|
| + FrameTreeNode* mixed_content_node = nullptr;
|
| + FrameTreeNode* root = node->frame_tree()->root();
|
| + FrameTreeNode* parent = node->parent();
|
| + if (!IsUrlPotentiallySecure(url)) {
|
| + // TODO(carlosk): don't we need to check more than just the immediate parent
|
| + // and the root? Is it always the case that these two are the only sources
|
| + // for obtaining the "origin of the security context"?
|
| + // See https://crbug.com/623486.
|
| +
|
| + // Checks if the root or immediate parent frame's origin are secure.
|
| + if (DoesOriginSchemeRestricsMixedContent(root->current_origin()))
|
| + mixed_content_node = root;
|
| + else if (DoesOriginSchemeRestricsMixedContent(parent->current_origin()))
|
| + mixed_content_node = parent;
|
| + }
|
| +
|
| + // Note: This code below should behave the same way as as the two calls to
|
| + // measureStricterVersionOfIsMixedContent from inside
|
| + // MixedContentChecker::inWhichFrameIs.
|
| + if (mixed_content_node) {
|
| + // We're currently only checking for mixed content in `https://*` contexts.
|
| + // What about other "secure" contexts the SchemeRegistry knows about? We'll
|
| + // use this method to measure the occurance of non-webby mixed content to
|
| + // make sure we're not breaking the world without realizing it.
|
| + // Note: Based off of measureStricterVersionOfIsMixedContent in
|
| + // MixedContentChecker.cpp.
|
| + // TODO(carlosk): this will only ever work once we allow registration of new
|
| + // potentially secure schemes. crbug.com/627502
|
| + if (mixed_content_node->current_origin().scheme() != url::kHttpsScheme) {
|
| + mixed_content_features_.insert(
|
| + MixedContentInNonHTTPSFrameThatRestrictsMixedContent);
|
| + }
|
| + } else if (!SecurityOriginIsSecure(url) &&
|
| + (IsSecureScheme(root->current_origin().scheme()) ||
|
| + IsSecureScheme(parent->current_origin().scheme()))) {
|
| + mixed_content_features_.insert(
|
| + MixedContentInSecureFrameThatDoesNotRestrictMixedContent);
|
| + }
|
| + return mixed_content_node;
|
| +}
|
| +
|
| +void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() {
|
| + if (!mixed_content_features_.empty()) {
|
| + NavigationHandleImpl* handle_impl =
|
| + static_cast<NavigationHandleImpl*>(navigation_handle());
|
| + RenderFrameHost* rfh = handle_impl->frame_tree_node()->current_frame_host();
|
| + rfh->Send(new FrameMsg_BlinkFeatureUsageReport(rfh->GetRoutingID(),
|
| + mixed_content_features_));
|
| + mixed_content_features_.clear();
|
| + }
|
| +}
|
| +
|
| +// Based off of MixedContentChecker::count.
|
| +void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures(
|
| + RequestContextType request_context_type,
|
| + blink::WebMixedContentContextType mixed_content_context_type,
|
| + const WebPreferences& prefs) {
|
| + mixed_content_features_.insert(MixedContentPresent);
|
| +
|
| + // Report any blockable content.
|
| + if (mixed_content_context_type ==
|
| + blink::WebMixedContentContextType::Blockable) {
|
| + mixed_content_features_.insert(MixedContentBlockable);
|
| + return;
|
| + }
|
| +
|
| + // Note: as there's no mixed content checks for sub resources on the browser
|
| + // there should only be a subset |request_context_type| values that could ever
|
| + // be found here.
|
| + UseCounterFeature feature;
|
| + switch (request_context_type) {
|
| + case REQUEST_CONTEXT_TYPE_INTERNAL:
|
| + feature = MixedContentInternal;
|
| + break;
|
| + case REQUEST_CONTEXT_TYPE_PREFETCH:
|
| + feature = MixedContentPrefetch;
|
| + break;
|
| +
|
| + case REQUEST_CONTEXT_TYPE_AUDIO:
|
| + case REQUEST_CONTEXT_TYPE_DOWNLOAD:
|
| + case REQUEST_CONTEXT_TYPE_FAVICON:
|
| + case REQUEST_CONTEXT_TYPE_IMAGE:
|
| + case REQUEST_CONTEXT_TYPE_PLUGIN:
|
| + case REQUEST_CONTEXT_TYPE_VIDEO:
|
| + default:
|
| + NOTREACHED() << "RequestContextType has value " << request_context_type
|
| + << " and has WebMixedContentContextType of "
|
| + << static_cast<int>(mixed_content_context_type);
|
| + return;
|
| + }
|
| + mixed_content_features_.insert(feature);
|
| +}
|
| +
|
| +// static
|
| +bool MixedContentNavigationThrottle::IsMixedContentForTesting(
|
| + const GURL& origin_url,
|
| + const GURL& url) {
|
| + const url::Origin origin(origin_url);
|
| + return !IsUrlPotentiallySecure(url) &&
|
| + DoesOriginSchemeRestricsMixedContent(origin);
|
| +}
|
| +
|
| +} // namespace content
|
|
|
Chromium Code Reviews
Issue 1905033002:
PlzNavigate: Move navigation-level mixed content checks to the browser. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@console-security-message