Limit requests for which link headers can install service workers to secure contexts.

content/browser/loader/resource_dispatcher_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // See http://dev.chromium.org/developers/design-documents/multi-process-resource-loading
 
 #include "content/browser/loader/resource_dispatcher_host_impl.h"
 
 #include <stddef.h>
 
@@ skipping 1526 matching lines @@
       false,  // is stream
       allow_download, request_data.has_user_gesture,
       request_data.enable_load_timing, request_data.enable_upload_progress,
       do_not_prompt_for_login, request_data.referrer_policy,
       request_data.visiblity_state, resource_context, filter_->GetWeakPtr(),
       report_raw_headers, !is_sync_load,
       IsUsingLoFi(request_data.lofi_state, delegate_, *new_request,
                   resource_context,
                   request_data.resource_type == RESOURCE_TYPE_MAIN_FRAME),
       support_async_revalidation ? request_data.headers : std::string(),
-      request_data.request_body);
+      request_data.request_body, request_data.initiated_in_secure_context);
   // Request takes ownership.
   extra_info->AssociateWithRequest(new_request.get());
 
   if (new_request->url().SchemeIs(url::kBlobScheme)) {
     // Hang on to a reference to ensure the blob is not released prior
     // to the job being started.
     storage::BlobProtocolHandler::SetRequestedBlobDataHandle(
         new_request.get(),
         filter_->blob_storage_context()->context()->GetBlobDataFromPublicURL(
             new_request->url()));
@@ skipping 279 matching lines @@
       false,     // enable_upload_progress
       false,     // do_not_prompt_for_login
       blink::WebReferrerPolicyDefault,
       blink::WebPageVisibilityStateVisible,
       context,
       base::WeakPtr<ResourceMessageFilter>(),  // filter
       false,                                   // report_raw_headers
       true,                                    // is_async
       false,                                   // is_using_lofi
       std::string(),                           // original_headers
-      nullptr);                                // body
+      nullptr,                                 // body
+      false);                                  // initiated_in_secure_context
 }
 
 void ResourceDispatcherHostImpl::OnRenderFrameDeleted(
     const GlobalFrameRoutingId& global_routing_id) {
   CancelRequestsForRoute(global_routing_id);
 }
 
 void ResourceDispatcherHostImpl::OnRenderViewHostCreated(int child_id,
                                                          int route_id) {
   scheduler_->OnClientCreated(child_id, route_id);
@@ skipping 394 matching lines @@
       false,  // request_data.report_raw_headers
       true,   // is_async
       IsUsingLoFi(info.common_params.lofi_state, delegate_, *new_request,
                   resource_context, info.is_main_frame),
       // The original_headers field is for stale-while-revalidate but the
       // feature doesn't work with PlzNavigate, so it's just a placeholder
       // here.
       // TODO(ricea): Make the feature work with stale-while-revalidate
       // and clean this up.
       std::string(),  // original_headers
-      info.common_params.post_data);
+      info.common_params.post_data,
+      false);  // initiated_in_secure_context

[kinuko, 2016/06/23 14:42:27]

when we're enabling plznavigate how will we handle this? (it's ok not to have
answer for now, but if necessary we can note additional TODO here too)

[Marijn Kruisselbrink, 2016/06/23 18:02:01]

Added a TODO. At least it doesn't matter for the link header case, as in the
case of navigations I'm relying on
ServiceWorkerProviderHost::IsContextSecureForServiceWorker rather than the
initiated_in_secure_context flag.

   // Request takes ownership.
   extra_info->AssociateWithRequest(new_request.get());
 
   if (new_request->url().SchemeIs(url::kBlobScheme)) {
     // Hang on to a reference to ensure the blob is not released prior
     // to the job being started.
     storage::BlobProtocolHandler::SetRequestedBlobDataHandle(
         new_request.get(),
         blob_context->GetBlobDataFromPublicURL(new_request->url()));
   }
@@ skipping 369 matching lines @@
   ssl.cert_id = GetCertStore()->StoreCert(ssl_info.cert.get(), child_id);
   response->head.security_info = SerializeSecurityInfo(ssl);
 }
 
 CertStore* ResourceDispatcherHostImpl::GetCertStore() {
   return cert_store_for_testing_ ? cert_store_for_testing_
                                  : CertStore::GetInstance();
 }
 
 }  // namespace content