Disallow connecting an insecure WebSocket from a secure page.

Source/modules/websockets/NewWebSocketChannelImpl.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 17 matching lines @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "modules/websockets/NewWebSocketChannelImpl.h"
 
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/fileapi/FileReaderLoader.h"
 #include "core/fileapi/FileReaderLoaderClient.h"
+#include "core/frame/LocalFrame.h"
 #include "core/inspector/InspectorInstrumentation.h"
+#include "core/loader/FrameLoader.h"
+#include "core/loader/MixedContentChecker.h"
 #include "core/loader/UniqueIdentifier.h"
 #include "modules/websockets/WebSocketChannelClient.h"
 #include "modules/websockets/WebSocketFrame.h"
 #include "platform/Logging.h"
 #include "platform/network/WebSocketHandshakeRequest.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebSerializedOrigin.h"
 #include "public/platform/WebSocketHandshakeRequestInfo.h"
 #include "public/platform/WebSocketHandshakeResponseInfo.h"
@@ skipping 63 matching lines @@
 {
     if (context->isDocument() && toDocument(context)->page())
         m_identifier = createUniqueIdentifier();
 }
 
 NewWebSocketChannelImpl::~NewWebSocketChannelImpl()
 {
     abortAsyncOperations();
 }
 
-void NewWebSocketChannelImpl::connect(const KURL& url, const String& protocol)
+bool NewWebSocketChannelImpl::connect(const KURL& url, const String& protocol)
 {
     WTF_LOG(Network, "NewWebSocketChannelImpl %p connect()", this);
     if (!m_handle)
-        return;
+        return false;
+
+    if (executionContext()->isDocument() && document()->frame() && !document()->frame()->loader().mixedContentChecker()->canConnectInsecureWebSocket(document()->securityOrigin(), url))
+        return false;
+    if (MixedContentChecker::isMixedContent(document()->securityOrigin(), url)) {
+        String message = "Connecting to a non-secure WebSocket server from a secure origin is deprecated.";
+        document()->addConsoleMessage(JSMessageSource, WarningMessageLevel, message);
+    }
+
     m_url = url;
     Vector<String> protocols;
     // Avoid placing an empty token in the Vector when the protocol string is
     // empty.
     if (!protocol.isEmpty()) {
         // Since protocol is already verified and escaped, we can simply split
         // it.
         protocol.split(", ", true, protocols);
     }
     blink::WebVector<blink::WebString> webProtocols(protocols.size());
     for (size_t i = 0; i < protocols.size(); ++i) {
         webProtocols[i] = protocols[i];
     }
     m_handle->connect(url, webProtocols, *executionContext()->securityOrigin(), this);
     flowControlIfNecessary();
     if (m_identifier)
         InspectorInstrumentation::didCreateWebSocket(document(), m_identifier, url, protocol);
+    return true;
 }
 
 String NewWebSocketChannelImpl::subprotocol()
 {
     WTF_LOG(Network, "NewWebSocketChannelImpl %p subprotocol()", this);
     return m_subprotocol;
 }
 
 String NewWebSocketChannelImpl::extensions()
 {
@@ skipping 337 matching lines @@
     if (errorCode == FileError::ABORT_ERR) {
         // The error is caused by cancel().
         return;
     }
     // FIXME: Generate human-friendly reason message.
     failAsError("Failed to load Blob: error code = " + String::number(errorCode));
     // |this| can be deleted here.
 }
 
 } // namespace WebCore