service worker: Don't control a subframe of an insecure context

content/browser/service_worker/service_worker_controllee_request_handler.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/service_worker/service_worker_controllee_request_handler.h"
 
 #include <memory>
 #include <string>
 
 #include "base/trace_event/trace_event.h"
@@ skipping 194 matching lines @@
     job_->FallbackToNetwork();
     TRACE_EVENT_ASYNC_END2(
         "ServiceWorker",
         "ServiceWorkerControlleeRequestHandler::PrepareForMainResource",
         job_.get(),
         "Status", status,
         "Info", "ServiceWorker is blocked");
     return;
   }
 
+  if (!provider_host_->is_parent_frame_secure()) {
+    std::set<std::string> schemes;
+    GetContentClient()
+        ->browser()
+        ->GetSchemesBypassingSecureContextCheckWhitelist(&schemes);
+    if (schemes.find(provider_host_->document_url().scheme()) ==

[Marijn Kruisselbrink, 2016/06/02 22:44:43]

Would it make sense to combine both the is_parent_frame_secure and the checking
for whitelisted schemes into one helper method somewhere in SWProviderHost? I
did something like that in https://codereview.chromium.org/1914593002 where I'm
(still very much WIP) trying to apply the same secure context limitations to
when Link headers are allowed to install service workers for navigations.

[falken, 2016/06/03 08:22:05]

I like that and ended up adopting your patch, thanks. I think we must use
OriginCanAccessServiceWorkers, which is slightly different from IsOriginSecure
(SW is HTTP/HTTPS only and has its own set of exceptions, but in practice that
is just chrome://extensions).

I think the SWProviderHost function needs to be called something like
IsSecureEnoughForServiceWorkers.

+        schemes.end()) {
+      // TODO(falken): Figure out a way to surface in the page's DevTools
+      // console that the service worker was blocked for security.
+      job_->FallbackToNetwork();
+      TRACE_EVENT_ASYNC_END1(
+          "ServiceWorker",
+          "ServiceWorkerControlleeRequestHandler::PrepareForMainResource",
+          job_.get(), "Info", "Insecure context");
+      return;
+    }
+  }
+
   if (need_to_update) {
     force_update_started_ = true;
     context_->UpdateServiceWorker(
         registration.get(), true /* force_bypass_cache */,
         true /* skip_script_comparison */, provider_host_.get(),
         base::Bind(&self::DidUpdateRegistration, weak_factory_.GetWeakPtr(),
                    registration));
     return;
   }
 
@@ skipping 182 matching lines @@
   DCHECK(provider_host_);
   // Detach the controller so subresource requests also skip the worker.
   provider_host_->NotifyControllerLost();
 }
 
 void ServiceWorkerControlleeRequestHandler::ClearJob() {
   job_.reset();
 }
 
 }  // namespace content