OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
81 { | 81 { |
82 return (frame && frame != frame->tree().top() && frameType != WebURLRequest:
:FrameTypeNested); | 82 return (frame && frame != frame->tree().top() && frameType != WebURLRequest:
:FrameTypeNested); |
83 } | 83 } |
84 | 84 |
85 // static | 85 // static |
86 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K
URL& url) | 86 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K
URL& url) |
87 { | 87 { |
88 if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityO
rigin->protocol())) | 88 if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityO
rigin->protocol())) |
89 return false; | 89 return false; |
90 | 90 |
91 // |url| is mixed content if its origin is not potentially trustworthy, and | 91 // |url| is mixed content if its origin is not potentially trustworthy nor |
92 // its protocol is not 'data'. We do a quick check against `SecurityOrigin::
isSecure` | 92 // secure. We do a quick check against `SecurityOrigin::isSecure` to catch |
93 // to catch things like `about:blank`, which cannot be sanely passed into | 93 // things like `about:blank`, which cannot be sanely passed into |
94 // `SecurityOrigin::create` (as their origin depends on their context). | 94 // `SecurityOrigin::create` (as their origin depends on their context). |
95 bool isAllowed = url.protocolIsData() || SecurityOrigin::isSecure(url) || Se
curityOrigin::create(url)->isPotentiallyTrustworthy(); | 95 bool isAllowed = SecurityOrigin::isSecure(url) || SecurityOrigin::create(url
)->isPotentiallyTrustworthy(); |
96 // TODO(mkwst): Remove this once 'localhost' is no longer considered potenti
ally trustworthy: | 96 // TODO(mkwst): Remove this once 'localhost' is no longer considered |
97 if (isAllowed && url.protocolIs("http") && url.host() == "localhost") | 97 // potentially trustworthy. |
| 98 if (isAllowed && url.protocolIs("http") && NetworkUtils::isLocalHostname(url
.host(), nullptr)) |
98 isAllowed = false; | 99 isAllowed = false; |
99 return !isAllowed; | 100 return !isAllowed; |
100 } | 101 } |
101 | 102 |
102 // static | 103 // static |
103 Frame* MixedContentChecker::inWhichFrameIsContentMixed(Frame* frame, WebURLReque
st::FrameType frameType, const KURL& url) | 104 Frame* MixedContentChecker::inWhichFrameIsContentMixed(Frame* frame, WebURLReque
st::FrameType frameType, const KURL& url) |
104 { | 105 { |
105 // We only care about subresource loads; top-level navigations cannot be mix
ed content. Neither can frameless requests. | 106 // We only care about subresource loads; top-level navigations cannot be mix
ed content. Neither can frameless requests. |
106 if (frameType == WebURLRequest::FrameTypeTopLevel || !frame) | 107 if (frameType == WebURLRequest::FrameTypeTopLevel || !frame) |
107 return nullptr; | 108 return nullptr; |
(...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
392 // See comment in shouldBlockFetch() about loading the main resource of a su
bframe. | 393 // See comment in shouldBlockFetch() about loading the main resource of a su
bframe. |
393 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry
::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) { | 394 if (request.frameType() == WebURLRequest::FrameTypeNested && !SchemeRegistry
::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) { |
394 return WebMixedContent::ContextType::OptionallyBlockable; | 395 return WebMixedContent::ContextType::OptionallyBlockable; |
395 } | 396 } |
396 | 397 |
397 bool strictMixedContentCheckingForPlugin = mixedFrame->settings() && mixedFr
ame->settings()->strictMixedContentCheckingForPlugin(); | 398 bool strictMixedContentCheckingForPlugin = mixedFrame->settings() && mixedFr
ame->settings()->strictMixedContentCheckingForPlugin(); |
398 return WebMixedContent::contextTypeFromRequestContext(request.requestContext
(), strictMixedContentCheckingForPlugin); | 399 return WebMixedContent::contextTypeFromRequestContext(request.requestContext
(), strictMixedContentCheckingForPlugin); |
399 } | 400 } |
400 | 401 |
401 } // namespace blink | 402 } // namespace blink |
OLD | NEW |