Small improvements to MixedContentChecker.

third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 70 matching lines @@
 {
     return (frame && frame != frame->tree().top() && frameType != WebURLRequest::FrameTypeNested);
 }
 
 // static
 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url)
 {
     if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityOrigin->protocol()))
         return false;
 
-    // |url| is mixed content if its origin is not potentially trustworthy, and
-    // its protocol is not 'data'. We do a quick check against `SecurityOrigin::isSecure`
-    // to catch things like `about:blank`, which cannot be sanely passed into
+    // |url| is mixed content if its origin is not potentially trustworthy nor
+    // secure. We do a quick check against `SecurityOrigin::isSecure` to catch
+    // things like `about:blank`, which cannot be sanely passed into
     // `SecurityOrigin::create` (as their origin depends on their context).
-    bool isAllowed = url.protocolIsData() || SecurityOrigin::isSecure(url) || SecurityOrigin::create(url)->isPotentiallyTrustworthy();

[Mike West, 2016/07/14 05:50:17]

Do we have test coverage for `data:`? I'm pretty sure we do, but would you mind
checking?

[carlosk, 2016/07/18 09:38:36]

In TEST(MixedContentCheckerTest, IsMixedContent) we test these cases:

{"http://example.com/foo", "data:text/html,<p>Hi!</p>", false},
{"https://example.com/foo", "data:text/html,<p>Hi!</p>", false},

So I think that should do it.

-    // TODO(mkwst): Remove this once 'localhost' is no longer considered potentially trustworthy:
-    if (isAllowed && url.protocolIs("http") && url.host() == "localhost")
+    bool isAllowed = SecurityOrigin::isSecure(url) || SecurityOrigin::create(url)->isPotentiallyTrustworthy();
+    // TODO(mkwst): Remove this once 'localhost' is no longer considered
+    // potentially trustworthy.
+    if (isAllowed && url.protocolIs("http") && NetworkUtils::isLocalHostname(url.host(), nullptr))
         isAllowed = false;
     return !isAllowed;
 }
 
 // static
 Frame* MixedContentChecker::inWhichFrameIsContentMixed(Frame* frame, WebURLRequest::FrameType frameType, const KURL& url)
 {
     // We only care about subresource loads; top-level navigations cannot be mixed content. Neither can frameless requests.
     if (frameType == WebURLRequest::FrameTypeTopLevel || !frame)
         return nullptr;
@@ skipping 284 matching lines @@
     // See comment in shouldBlockFetch() about loading the main resource of a subframe.
     if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
         return WebMixedContent::ContextType::OptionallyBlockable;
     }
 
     bool strictMixedContentCheckingForPlugin = mixedFrame->settings() && mixedFrame->settings()->strictMixedContentCheckingForPlugin();
     return WebMixedContent::contextTypeFromRequestContext(request.requestContext(), strictMixedContentCheckingForPlugin);
 }
 
 } // namespace blink