Disallow connecting an insecure WebSocket from a secure page.

Source/modules/websockets/MainThreadWebSocketChannel.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 22 matching lines @@
 
 #include "bindings/v8/ExceptionStatePlaceholder.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/fileapi/Blob.h"
 #include "core/fileapi/FileReaderLoader.h"
 #include "core/frame/LocalFrame.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
+#include "core/loader/MixedContentChecker.h"
 #include "core/loader/UniqueIdentifier.h"
 #include "core/page/Page.h"
 #include "modules/websockets/WebSocketChannelClient.h"
 #include "platform/Logging.h"
 #include "platform/network/SocketStreamError.h"
 #include "platform/network/SocketStreamHandle.h"
 #include "wtf/ArrayBuffer.h"
 #include "wtf/FastMalloc.h"
 #include "wtf/HashMap.h"
 #include "wtf/OwnPtr.h"
@@ skipping 27 matching lines @@
     , m_lineNumberAtConstruction(lineNumber)
 {
     if (m_document->page())
         m_identifier = createUniqueIdentifier();
 }
 
 MainThreadWebSocketChannel::~MainThreadWebSocketChannel()
 {
 }
 
-void MainThreadWebSocketChannel::connect(const KURL& url, const String& protocol)
+bool MainThreadWebSocketChannel::connect(const KURL& url, const String& protocol)
 {
     WTF_LOG(Network, "MainThreadWebSocketChannel %p connect()", this);
     ASSERT(!m_handle);
     ASSERT(!m_suspended);
+
+    if (m_document->frame() && !m_document->frame()->loader().mixedContentChecker()->canConnectInsecureWebSocket(m_document->securityOrigin(), url))
+        return false;
+    if (MixedContentChecker::isMixedContent(m_document->securityOrigin(), url)) {
+        String message = "Connecting to a non-secure WebSocket server from a secure origin is deprecated.";
+        m_document->addConsoleMessage(JSMessageSource, WarningMessageLevel, message);
+    }
+
     m_handshake = adoptPtr(new WebSocketHandshake(url, protocol, m_document));
     m_handshake->reset();
     m_handshake->addExtensionProcessor(m_perMessageDeflate.createExtensionProcessor());
     m_handshake->addExtensionProcessor(m_deflateFramer.createExtensionProcessor());
     if (m_identifier)
         InspectorInstrumentation::didCreateWebSocket(m_document, m_identifier, url, protocol);
     ref();
     m_handle = SocketStreamHandle::create(m_handshake->url(), this);
+    return true;
 }
 
 String MainThreadWebSocketChannel::subprotocol()
 {
     WTF_LOG(Network, "MainThreadWebSocketChannel %p subprotocol()", this);
     if (!m_handshake || m_handshake->mode() != WebSocketHandshake::Connected)
         return "";
     String serverProtocol = m_handshake->serverWebSocketProtocol();
     if (serverProtocol.isNull())
         return "";
@@ skipping 708 matching lines @@
     }
 
     Vector<char> frameData;
     frame.makeFrameData(frameData);
 
     m_perMessageDeflate.resetDeflateBuffer();
     return m_handle->send(frameData.data(), frameData.size());
 }
 
 } // namespace WebCore