Prevent mixed content iframes on back/forward.

third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

Index: third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
diff --git a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
index 639a7fd273737b48434ac3b0496d3774e76f56d4..c6d9cef569b1dded91552cb41afa8e5f18fb6950 100644
--- a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
+++ b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
@@ -203,6 +203,8 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
     // If we're in strict mode, we'll automagically fail everything, and intentionally skip
     // the client checks in order to prevent degrading the site's security UI.
     bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & kBlockAllMixedContent || settings->strictMixedContentChecking();
+    DLOG(INFO) << "MCC:shouldBlockFetch for "<< url.getString() << ", strictMode? " << strictMode <<
+        ", requestContext: " << requestContext;

[Charlie Reis, 2016/08/01 23:39:16]

Ignore all these DLOGs-- I'll remove them before we land anything.

 
     WebMixedContent::ContextType contextType = WebMixedContent::contextTypeFromRequestContext(requestContext, settings->strictMixedContentCheckingForPlugin());
 
@@ -218,6 +220,7 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
     switch (contextType) {
     case WebMixedContent::ContextType::OptionallyBlockable:
         allowed = !strictMode && client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), url);
+        DLOG(INFO) << "MCC: OptionallyBlockable says " << allowed;
         if (allowed)
             client->didDisplayInsecureContent();
         break;
@@ -231,7 +234,9 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
         // allowing an insecure script to run on https://a.com and not
         // realizing that they are in fact allowing an insecure script on
         // https://b.com.
+        DLOG(INFO) << "MCC: Blockable...";
         if (!settings->allowRunningOfInsecureContent() && requestIsSubframeSubresource(effectiveFrame, frameType) && isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) {
+            DLOG(INFO) << "MCC: Settings says not allowed.";
             UseCounter::count(mixedFrame, UseCounter::BlockableMixedContentInSubframeBlocked);
             allowed = false;
             break;
@@ -239,7 +244,9 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
 
         bool shouldAskEmbedder = !strictMode && settings && (!settings->strictlyBlockBlockableMixedContent() || settings->allowRunningOfInsecureContent());
         allowed = shouldAskEmbedder && client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url);
+        DLOG(INFO) << "MCC: shouldAskEmbedder: " << shouldAskEmbedder << ", allowed: " << allowed;
         if (allowed) {
+            DLOG(INFO) << "MCC: Client says allowed.";
             client->didRunInsecureContent(securityOrigin, url);
             UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed);
         }
@@ -247,6 +254,7 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
     }
 
     case WebMixedContent::ContextType::ShouldBeBlockable:
+        DLOG(INFO) << "MCC: ShouldBeBlockable";
         allowed = !strictMode;
         if (allowed)
             client->didDisplayInsecureContent();
@@ -256,6 +264,7 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, WebURLRequest::Req
         break;
     };
 
+    DLOG(INFO) << "MCC: allowed: " << allowed;
     if (reportingStatus == SendReport)
         logToConsoleAboutFetch(frame, mainResourceUrlForFrame(mixedFrame), url, requestContext, allowed);
     return !allowed;