
Side by Side Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 23437013: Consider "mixed content XHR" as mixed script instead of mixed display. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Tidy. Created 7 years, 3 months ago
1 /* 1 /*
2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
7 7
8 This library is free software; you can redistribute it and/or 8 This library is free software; you can redistribute it and/or
9 modify it under the terms of the GNU Library General Public 9 modify it under the terms of the GNU Library General Public
10 License as published by the Free Software Foundation; either 10 License as published by the Free Software Foundation; either
(...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after
295 ResourcePtr<RawResource> ResourceFetcher::fetchRawResource(FetchRequest& request ) 295 ResourcePtr<RawResource> ResourceFetcher::fetchRawResource(FetchRequest& request )
296 { 296 {
297 return static_cast<RawResource*>(requestResource(Resource::Raw, request).get ()); 297 return static_cast<RawResource*>(requestResource(Resource::Raw, request).get ());
298 } 298 }
299 299
300 ResourcePtr<RawResource> ResourceFetcher::fetchMainResource(FetchRequest& reques t) 300 ResourcePtr<RawResource> ResourceFetcher::fetchMainResource(FetchRequest& reques t)
301 { 301 {
302 return static_cast<RawResource*>(requestResource(Resource::MainResource, req uest).get()); 302 return static_cast<RawResource*>(requestResource(Resource::MainResource, req uest).get());
303 } 303 }
304 304
305 bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url) const 305 bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url, MixedContentBlockingTreatment treatment) const
306 { 306 {
307 switch (type) { 307 if (treatment == TreatAsDefaultForType) {
308 case Resource::Script: 308 switch (type) {
309 case Resource::XSLStyleSheet: 309 case Resource::Script:
310 case Resource::SVGDocument: 310 case Resource::XSLStyleSheet:
311 case Resource::CSSStyleSheet: 311 case Resource::SVGDocument:
312 case Resource::ImportResource: 312 case Resource::CSSStyleSheet:
313 // These resource can inject script into the current document (Script, 313 case Resource::ImportResource:
314 // XSL) or exfiltrate the content of the current document (CSS). 314 // These resource can inject script into the current document (Scrip t,
315 // XSL) or exfiltrate the content of the current document (CSS).
316 treatment = TreatAsActiveContent;
317 break;
318
319 case Resource::TextTrack:
320 case Resource::Shader:
321 case Resource::Raw:
322 case Resource::Image:
323 case Resource::Font:
324 // These resources can corrupt only the frame's pixels.
325 treatment = TreatAsPassiveContent;
326 break;
327
328 case Resource::MainResource:
329 case Resource::LinkPrefetch:
330 case Resource::LinkSubresource:
331 // These cannot affect the current document.
332 treatment = TreatAsAlwaysAllowedContent;
333 break;
334 }
335 }
336 if (treatment == TreatAsActiveContent) {
315 if (Frame* f = frame()) { 337 if (Frame* f = frame()) {
316 if (!f->loader()->mixedContentChecker()->canRunInsecureContent(m_doc ument->securityOrigin(), url)) 338 if (!f->loader()->mixedContentChecker()->canRunInsecureContent(m_doc ument->securityOrigin(), url))
317 return false; 339 return false;
318 } 340 }
319 341 } else if (treatment == TreatAsPassiveContent) {
320 break;
321 case Resource::TextTrack:
322 case Resource::Shader:
323 case Resource::Raw:
324 case Resource::Image:
325 case Resource::Font: {
326 // These resources can corrupt only the frame's pixels.
327 if (Frame* f = frame()) { 342 if (Frame* f = frame()) {
328 Frame* top = f->tree()->top(); 343 Frame* top = f->tree()->top();
329 if (!top->loader()->mixedContentChecker()->canDisplayInsecureContent (top->document()->securityOrigin(), url)) 344 if (!top->loader()->mixedContentChecker()->canDisplayInsecureContent (top->document()->securityOrigin(), url))
330 return false; 345 return false;
331 } 346 }
332 break; 347 } else {
333 } 348 ASSERT(treatment == TreatAsAlwaysAllowedContent);
334 case Resource::MainResource:
335 case Resource::LinkPrefetch:
336 case Resource::LinkSubresource:
337 // Prefetch cannot affect the current document.
338 break;
339 } 349 }
340 return true; 350 return true;
341 } 351 }
342 352
343 bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res ourceLoaderOptions& options, bool forPreload) 353 bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res ourceLoaderOptions& options, bool forPreload)
344 { 354 {
345 if (document() && !document()->securityOrigin()->canDisplay(url)) { 355 if (document() && !document()->securityOrigin()->canDisplay(url)) {
346 if (!forPreload) 356 if (!forPreload)
347 FrameLoader::reportLocalLoadFailed(frame(), url.elidedString()); 357 FrameLoader::reportLocalLoadFailed(frame(), url.elidedString());
348 LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allow ed by SecurityOrigin::canDisplay"); 358 LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allow ed by SecurityOrigin::canDisplay");
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after
428 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowMediaFromSource(url)) 438 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowMediaFromSource(url))
429 return false; 439 return false;
430 break; 440 break;
431 } 441 }
432 442
433 // Last of all, check for insecure content. We do this last so that when 443 // Last of all, check for insecure content. We do this last so that when
434 // folks block insecure content with a CSP policy, they don't get a warning. 444 // folks block insecure content with a CSP policy, they don't get a warning.
435 // They'll still get a warning in the console about CSP blocking the load. 445 // They'll still get a warning in the console about CSP blocking the load.
436 446
437 // FIXME: Should we consider forPreload here? 447 // FIXME: Should we consider forPreload here?
438 if (!checkInsecureContent(type, url)) 448 if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment))
439 return false; 449 return false;
440 450
441 return true; 451 return true;
442 } 452 }
443 453
444 bool ResourceFetcher::canAccess(Resource* resource) 454 bool ResourceFetcher::canAccess(Resource* resource)
445 { 455 {
446 // Redirects can change the response URL different from one of request. 456 // Redirects can change the response URL different from one of request.
447 if (!canRequest(resource->type(), resource->response().url(), resource->opti ons(), false)) 457 if (!canRequest(resource->type(), resource->response().url(), resource->opti ons(), false))
448 return false; 458 return false;
(...skipping 838 matching lines...) Expand 10 before | Expand all | Expand 10 after
1287 } 1297 }
1288 #endif 1298 #endif
1289 1299
1290 const ResourceLoaderOptions& ResourceFetcher::defaultResourceOptions() 1300 const ResourceLoaderOptions& ResourceFetcher::defaultResourceOptions()
1291 { 1301 {
1292 DEFINE_STATIC_LOCAL(ResourceLoaderOptions, options, (SendCallbacks, SniffCon tent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientF orCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy, UseDefaul tOriginRestrictionsForType, DocumentContext)); 1302 DEFINE_STATIC_LOCAL(ResourceLoaderOptions, options, (SendCallbacks, SniffCon tent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientF orCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy, UseDefaul tOriginRestrictionsForType, DocumentContext));
1293 return options; 1303 return options;
1294 } 1304 }
1295 1305
1296 } 1306 }
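Review bot: The final `else` branch of the new `checkInsecureContent` fails open: `ASSERT` compiles out in release builds, so a `treatment` that is still `TreatAsDefaultForType` after the switch (any `Resource::Type` the switch does not enumerate) falls through to `return true` and the resource is loaded with no mixed-content check at all. The old switch had the same gap for an unlisted type, but now that the treatment is an explicit parameter callers can set, the branch is worth making fail-closed, e.g. `} else if (treatment != TreatAsAlwaysAllowedContent) { ASSERT_NOT_REACHED(); return false; }`. Whether the type switch is exhaustive cannot be confirmed from this page, since `Resource::Type` and `MixedContentBlockingTreatment` are declared elsewhere (presumably `ResourceLoaderOptions.h`, per the file navigation). A short comment above the switch, such as `// Resolve TreatAsDefaultForType to the concrete treatment for this resource type; callers may pre-select one via ResourceLoaderOptions.`, would document why the parameter is reassigned in place.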