Unified Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 23437013: Consider "mixed content XHR" as mixed script instead of mixed display. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Add missing test expectation file. Created 7 years, 4 months ago
Index: Source/core/fetch/ResourceFetcher.cpp
diff --git a/Source/core/fetch/ResourceFetcher.cpp b/Source/core/fetch/ResourceFetcher.cpp
index 28ffda05dcb4e67baff2dca19bb98a18cf005d15..396c1239d0e61b0f15bd247e6b51a0122153d5be 100644
--- a/Source/core/fetch/ResourceFetcher.cpp
+++ b/Source/core/fetch/ResourceFetcher.cpp
@@ -302,8 +302,11 @@ ResourcePtr<RawResource> ResourceFetcher::fetchMainResource(FetchRequest& reques
return static_cast<RawResource*>(requestResource(Resource::MainResource, request).get());
}
-bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url) const
+bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url, MixedRawContentBlockingOption mixedRawContentBlockingOption) const
{
+ bool checkAsActiveContent = false;
+ bool checkAsPassiveContent = false;
+
switch (type) {
case Resource::Script:
case Resource::XSLStyleSheet:
@@ -312,31 +315,45 @@ bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url)
case Resource::ImportResource:
// These resource can inject script into the current document (Script,
// XSL) or exfiltrate the content of the current document (CSS).
- if (Frame* f = frame()) {
- if (!f->loader()->mixedContentChecker()->canRunInsecureContent(m_document->securityOrigin(), url))
- return false;
- }
-
+ checkAsActiveContent = true;
break;
+
case Resource::TextTrack:
case Resource::Shader:
- case Resource::Raw:
case Resource::Image:
- case Resource::Font: {
+ case Resource::Font:
// These resources can corrupt only the frame's pixels.
- if (Frame* f = frame()) {
- Frame* top = f->tree()->top();
- if (!top->loader()->mixedContentChecker()->canDisplayInsecureContent(top->document()->securityOrigin(), url))
- return false;
- }
+ checkAsPassiveContent = true;
break;
- }
+
+ case Resource::Raw:
+ // These resources could be either. Check the option for clarification.
+ if (mixedRawContentBlockingOption == TreatAsActiveContent)
+ checkAsActiveContent = true;
+ else
+ checkAsPassiveContent = true;
+ break;
+
case Resource::MainResource:
case Resource::LinkPrefetch:
case Resource::LinkSubresource:
- // Prefetch cannot affect the current document.
+ // These cannot affect the current document.
break;
}
+
+ if (checkAsActiveContent) {
+ if (Frame* f = frame()) {
+ if (!f->loader()->mixedContentChecker()->canRunInsecureContent(m_document->securityOrigin(), url))
+ return false;
+ }
+ }
abarth-chromium 2013/08/30 06:37:08 Should this be "else if" ? I don't think we ever
+ if (checkAsPassiveContent) {
+ if (Frame* f = frame()) {
+ Frame* top = f->tree()->top();
+ if (!top->loader()->mixedContentChecker()->canDisplayInsecureContent(top->document()->securityOrigin(), url))
+ return false;
+ }
+ }
return true;
}
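Review bot: The `else` branch in the `Resource::Raw` case fails open, because every option value other than `TreatAsActiveContent` falls through to the weaker `canDisplayInsecureContent` check. A Raw request whose caller never sets the option, or any enumerator added later, is therefore treated as passive content. The option's default value is not visible in this file; if it is the passive one, I would invert the test so that only the explicit passive enumerator sets `checkAsPassiveContent` and everything else sets `checkAsActiveContent`. The case comment could then say so, for example `// Raw can be either; treat it as active unless the caller explicitly marks the request as passive.`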
@@ -435,7 +452,7 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
// They'll still get a warning in the console about CSP blocking the load.
// FIXME: Should we consider forPreload here?
- if (!checkInsecureContent(type, url))
+ if (!checkInsecureContent(type, url, options.mixedRawContentBlockingOption))
return false;
return true;
