OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
42 #include "platform/weborigin/SchemeRegistry.h" | 42 #include "platform/weborigin/SchemeRegistry.h" |
43 #include "platform/weborigin/SecurityOrigin.h" | 43 #include "platform/weborigin/SecurityOrigin.h" |
44 #include "public/platform/WebAddressSpace.h" | 44 #include "public/platform/WebAddressSpace.h" |
45 #include "public/platform/WebInsecureRequestPolicy.h" | 45 #include "public/platform/WebInsecureRequestPolicy.h" |
46 #include "wtf/text/StringBuilder.h" | 46 #include "wtf/text/StringBuilder.h" |
47 | 47 |
48 namespace blink { | 48 namespace blink { |
49 | 49 |
50 namespace { | 50 namespace { |
51 | 51 |
52 // When a frame is local, use its full URL to represent the main | 52 // When a frame is local, use its full URL to represent the main resource. When |
53 // resource. When the frame is remote, the full URL isn't accessible, so | 53 // the frame is remote, the full URL isn't accessible, so use the origin. This |
54 // use the origin. This function is used, for example, to determine the | 54 // function is used, for example, to determine the URL to show in console |
55 // URL to show in console messages about mixed content. | 55 // messages about mixed content. |
56 KURL mainResourceUrlForFrame(Frame* frame) { | 56 KURL mainResourceUrlForFrame(Frame* frame) { |
57 if (frame->isRemoteFrame()) | 57 if (frame->isRemoteFrame()) |
58 return KURL(KURL(), | 58 return KURL(KURL(), |
59 frame->securityContext()->getSecurityOrigin()->toString()); | 59 frame->securityContext()->getSecurityOrigin()->toString()); |
60 return toLocalFrame(frame)->document()->url(); | 60 return toLocalFrame(frame)->document()->url(); |
61 } | 61 } |
62 | 62 |
63 } // namespace | 63 } // namespace |
64 | 64 |
65 static void measureStricterVersionOfIsMixedContent(Frame* frame, | 65 static void measureStricterVersionOfIsMixedContent(Frame* frame, |
66 const KURL& url) { | 66 const KURL& url) { |
67 // We're currently only checking for mixed content in `https://*` contexts. | 67 // We're currently only checking for mixed content in `https://*` contexts. |
68 // What about other "secure" contexts the SchemeRegistry knows about? We'll | 68 // What about other "secure" contexts the SchemeRegistry knows about? We'll |
69 // use this method to measure the occurance of non-webby mixed content to | 69 // use this method to measure the occurance of non-webby mixed content to make |
70 // make sure we're not breaking the world without realizing it. | 70 // sure we're not breaking the world without realizing it. |
71 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); | 71 SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin(); |
72 if (MixedContentChecker::isMixedContent(origin, url)) { | 72 if (MixedContentChecker::isMixedContent(origin, url)) { |
73 if (origin->protocol() != "https") | 73 if (origin->protocol() != "https") |
74 UseCounter::count( | 74 UseCounter::count( |
75 frame, | 75 frame, |
76 UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent); | 76 UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent); |
77 } else if (!SecurityOrigin::isSecure(url) && | 77 } else if (!SecurityOrigin::isSecure(url) && |
78 SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) { | 78 SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) { |
79 UseCounter::count( | 79 UseCounter::count( |
80 frame, | 80 frame, |
(...skipping 26 matching lines...) Expand all Loading... |
107 NetworkUtils::isLocalHostname(url.host(), nullptr)) | 107 NetworkUtils::isLocalHostname(url.host(), nullptr)) |
108 isAllowed = false; | 108 isAllowed = false; |
109 return !isAllowed; | 109 return !isAllowed; |
110 } | 110 } |
111 | 111 |
112 // static | 112 // static |
113 Frame* MixedContentChecker::inWhichFrameIsContentMixed( | 113 Frame* MixedContentChecker::inWhichFrameIsContentMixed( |
114 Frame* frame, | 114 Frame* frame, |
115 WebURLRequest::FrameType frameType, | 115 WebURLRequest::FrameType frameType, |
116 const KURL& url) { | 116 const KURL& url) { |
117 // We only care about subresource loads; top-level navigations cannot be mixed
content. Neither can frameless requests. | 117 // We only care about subresource loads; top-level navigations cannot be mixed |
| 118 // content. Neither can frameless requests. |
118 if (frameType == WebURLRequest::FrameTypeTopLevel || !frame) | 119 if (frameType == WebURLRequest::FrameTypeTopLevel || !frame) |
119 return nullptr; | 120 return nullptr; |
120 | 121 |
121 // Check the top frame first. | 122 // Check the top frame first. |
122 if (Frame* top = frame->tree().top()) { | 123 if (Frame* top = frame->tree().top()) { |
123 measureStricterVersionOfIsMixedContent(top, url); | 124 measureStricterVersionOfIsMixedContent(top, url); |
124 if (isMixedContent(top->securityContext()->getSecurityOrigin(), url)) | 125 if (isMixedContent(top->securityContext()->getSecurityOrigin(), url)) |
125 return top; | 126 return top; |
126 } | 127 } |
127 | 128 |
(...skipping 24 matching lines...) Expand all Loading... |
152 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel; | 153 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel; |
153 frame->document()->addConsoleMessage( | 154 frame->document()->addConsoleMessage( |
154 ConsoleMessage::create(SecurityMessageSource, messageLevel, message)); | 155 ConsoleMessage::create(SecurityMessageSource, messageLevel, message)); |
155 } | 156 } |
156 | 157 |
157 // static | 158 // static |
158 void MixedContentChecker::count(Frame* frame, | 159 void MixedContentChecker::count(Frame* frame, |
159 WebURLRequest::RequestContext requestContext) { | 160 WebURLRequest::RequestContext requestContext) { |
160 UseCounter::count(frame, UseCounter::MixedContentPresent); | 161 UseCounter::count(frame, UseCounter::MixedContentPresent); |
161 | 162 |
162 // Roll blockable content up into a single counter, count unblocked types indi
vidually so we | 163 // Roll blockable content up into a single counter, count unblocked types |
163 // can determine when they can be safely moved to the blockable category: | 164 // individually so we can determine when they can be safely moved to the |
| 165 // blockable category: |
164 WebMixedContent::ContextType contextType = | 166 WebMixedContent::ContextType contextType = |
165 WebMixedContent::contextTypeFromRequestContext( | 167 WebMixedContent::contextTypeFromRequestContext( |
166 requestContext, | 168 requestContext, |
167 frame->settings()->strictMixedContentCheckingForPlugin()); | 169 frame->settings()->strictMixedContentCheckingForPlugin()); |
168 if (contextType == WebMixedContent::ContextType::Blockable) { | 170 if (contextType == WebMixedContent::ContextType::Blockable) { |
169 UseCounter::count(frame, UseCounter::MixedContentBlockable); | 171 UseCounter::count(frame, UseCounter::MixedContentBlockable); |
170 return; | 172 return; |
171 } | 173 } |
172 | 174 |
173 UseCounter::Feature feature; | 175 UseCounter::Feature feature; |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
217 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); | 219 inWhichFrameIsContentMixed(effectiveFrame, frameType, url); |
218 if (!mixedFrame) | 220 if (!mixedFrame) |
219 return false; | 221 return false; |
220 | 222 |
221 MixedContentChecker::count(mixedFrame, requestContext); | 223 MixedContentChecker::count(mixedFrame, requestContext); |
222 if (ContentSecurityPolicy* policy = | 224 if (ContentSecurityPolicy* policy = |
223 frame->securityContext()->contentSecurityPolicy()) | 225 frame->securityContext()->contentSecurityPolicy()) |
224 policy->reportMixedContent(url, redirectStatus); | 226 policy->reportMixedContent(url, redirectStatus); |
225 | 227 |
226 Settings* settings = mixedFrame->settings(); | 228 Settings* settings = mixedFrame->settings(); |
227 // Use the current local frame's client; the embedder doesn't | 229 // Use the current local frame's client; the embedder doesn't distinguish |
228 // distinguish mixed content signals from different frames on the | 230 // mixed content signals from different frames on the same page. |
229 // same page. | |
230 FrameLoaderClient* client = frame->loader().client(); | 231 FrameLoaderClient* client = frame->loader().client(); |
231 SecurityOrigin* securityOrigin = | 232 SecurityOrigin* securityOrigin = |
232 mixedFrame->securityContext()->getSecurityOrigin(); | 233 mixedFrame->securityContext()->getSecurityOrigin(); |
233 bool allowed = false; | 234 bool allowed = false; |
234 | 235 |
235 // If we're in strict mode, we'll automagically fail everything, and intention
ally skip | 236 // If we're in strict mode, we'll automagically fail everything, and |
236 // the client checks in order to prevent degrading the site's security UI. | 237 // intentionally skip the client checks in order to prevent degrading the |
| 238 // site's security UI. |
237 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & | 239 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & |
238 kBlockAllMixedContent || | 240 kBlockAllMixedContent || |
239 settings->strictMixedContentChecking(); | 241 settings->strictMixedContentChecking(); |
240 | 242 |
241 WebMixedContent::ContextType contextType = | 243 WebMixedContent::ContextType contextType = |
242 WebMixedContent::contextTypeFromRequestContext( | 244 WebMixedContent::contextTypeFromRequestContext( |
243 requestContext, settings->strictMixedContentCheckingForPlugin()); | 245 requestContext, settings->strictMixedContentCheckingForPlugin()); |
244 | 246 |
245 // If we're loading the main resource of a subframe, we need to take a close l
ook at the loaded URL. | 247 // If we're loading the main resource of a subframe, we need to take a close |
246 // If we're dealing with a CORS-enabled scheme, then block mixed frames as act
ive content. Otherwise, | 248 // look at the loaded URL. If we're dealing with a CORS-enabled scheme, then |
247 // treat frames as passive content. | 249 // block mixed frames as active content. Otherwise, treat frames as passive |
| 250 // content. |
248 // | 251 // |
249 // FIXME: Remove this temporary hack once we have a reasonable API for launchi
ng external applications | 252 // FIXME: Remove this temporary hack once we have a reasonable API for |
250 // via URLs. http://crbug.com/318788 and https://crbug.com/393481 | 253 // launching external applications via URLs. http://crbug.com/318788 and |
| 254 // https://crbug.com/393481 |
251 if (frameType == WebURLRequest::FrameTypeNested && | 255 if (frameType == WebURLRequest::FrameTypeNested && |
252 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) | 256 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) |
253 contextType = WebMixedContent::ContextType::OptionallyBlockable; | 257 contextType = WebMixedContent::ContextType::OptionallyBlockable; |
254 | 258 |
255 switch (contextType) { | 259 switch (contextType) { |
256 case WebMixedContent::ContextType::OptionallyBlockable: | 260 case WebMixedContent::ContextType::OptionallyBlockable: |
257 client->passiveInsecureContentFound(url); | 261 client->passiveInsecureContentFound(url); |
258 allowed = !strictMode; | 262 allowed = !strictMode; |
259 if (allowed) | 263 if (allowed) |
260 client->didDisplayInsecureContent(); | 264 client->didDisplayInsecureContent(); |
261 break; | 265 break; |
262 | 266 |
263 case WebMixedContent::ContextType::Blockable: { | 267 case WebMixedContent::ContextType::Blockable: { |
264 // Strictly block subresources that are mixed with respect to | 268 // Strictly block subresources that are mixed with respect to their |
265 // their subframes, unless all insecure content is allowed. This | 269 // subframes, unless all insecure content is allowed. This is to avoid the |
266 // is to avoid the following situation: https://a.com embeds | 270 // following situation: https://a.com embeds https://b.com, which loads a |
267 // https://b.com, which loads a script over insecure HTTP. The | 271 // script over insecure HTTP. The user opts to allow the insecure content, |
268 // user opts to allow the insecure content, thinking that they are | 272 // thinking that they are allowing an insecure script to run on |
269 // allowing an insecure script to run on https://a.com and not | 273 // https://a.com and not realizing that they are in fact allowing an |
270 // realizing that they are in fact allowing an insecure script on | 274 // insecure script on https://b.com. |
271 // https://b.com. | |
272 if (!settings->allowRunningOfInsecureContent() && | 275 if (!settings->allowRunningOfInsecureContent() && |
273 requestIsSubframeSubresource(effectiveFrame, frameType) && | 276 requestIsSubframeSubresource(effectiveFrame, frameType) && |
274 isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) { | 277 isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) { |
275 UseCounter::count(mixedFrame, | 278 UseCounter::count(mixedFrame, |
276 UseCounter::BlockableMixedContentInSubframeBlocked); | 279 UseCounter::BlockableMixedContentInSubframeBlocked); |
277 allowed = false; | 280 allowed = false; |
278 break; | 281 break; |
279 } | 282 } |
280 | 283 |
281 bool shouldAskEmbedder = | 284 bool shouldAskEmbedder = |
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
340 return false; | 343 return false; |
341 | 344 |
342 UseCounter::count(mixedFrame, UseCounter::MixedContentPresent); | 345 UseCounter::count(mixedFrame, UseCounter::MixedContentPresent); |
343 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); | 346 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); |
344 if (ContentSecurityPolicy* policy = | 347 if (ContentSecurityPolicy* policy = |
345 frame->securityContext()->contentSecurityPolicy()) | 348 frame->securityContext()->contentSecurityPolicy()) |
346 policy->reportMixedContent(url, | 349 policy->reportMixedContent(url, |
347 ResourceRequest::RedirectStatus::NoRedirect); | 350 ResourceRequest::RedirectStatus::NoRedirect); |
348 | 351 |
349 Settings* settings = mixedFrame->settings(); | 352 Settings* settings = mixedFrame->settings(); |
350 // Use the current local frame's client; the embedder doesn't | 353 // Use the current local frame's client; the embedder doesn't distinguish |
351 // distinguish mixed content signals from different frames on the | 354 // mixed content signals from different frames on the same page. |
352 // same page. | |
353 FrameLoaderClient* client = frame->loader().client(); | 355 FrameLoaderClient* client = frame->loader().client(); |
354 SecurityOrigin* securityOrigin = | 356 SecurityOrigin* securityOrigin = |
355 mixedFrame->securityContext()->getSecurityOrigin(); | 357 mixedFrame->securityContext()->getSecurityOrigin(); |
356 bool allowed = false; | 358 bool allowed = false; |
357 | 359 |
358 // If we're in strict mode, we'll automagically fail everything, and intention
ally skip | 360 // If we're in strict mode, we'll automagically fail everything, and |
359 // the client checks in order to prevent degrading the site's security UI. | 361 // intentionally skip the client checks in order to prevent degrading the |
| 362 // site's security UI. |
360 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & | 363 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & |
361 kBlockAllMixedContent || | 364 kBlockAllMixedContent || |
362 settings->strictMixedContentChecking(); | 365 settings->strictMixedContentChecking(); |
363 if (!strictMode) { | 366 if (!strictMode) { |
364 bool allowedPerSettings = | 367 bool allowedPerSettings = |
365 settings && settings->allowRunningOfInsecureContent(); | 368 settings && settings->allowRunningOfInsecureContent(); |
366 allowed = client->allowRunningInsecureContent(allowedPerSettings, | 369 allowed = client->allowRunningInsecureContent(allowedPerSettings, |
367 securityOrigin, url); | 370 securityOrigin, url); |
368 } | 371 } |
369 | 372 |
370 if (allowed) | 373 if (allowed) |
371 client->didRunInsecureContent(securityOrigin, url); | 374 client->didRunInsecureContent(securityOrigin, url); |
372 | 375 |
373 if (reportingStatus == SendReport) | 376 if (reportingStatus == SendReport) |
374 logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, | 377 logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, |
375 allowed); | 378 allowed); |
376 return !allowed; | 379 return !allowed; |
377 } | 380 } |
378 | 381 |
379 bool MixedContentChecker::isMixedFormAction(LocalFrame* frame, | 382 bool MixedContentChecker::isMixedFormAction(LocalFrame* frame, |
380 const KURL& url, | 383 const KURL& url, |
381 ReportingStatus reportingStatus) { | 384 ReportingStatus reportingStatus) { |
382 // For whatever reason, some folks handle forms via JavaScript, and submit to
`javascript:void(0)` | 385 // For whatever reason, some folks handle forms via JavaScript, and submit to |
383 // rather than calling `preventDefault()`. We special-case `javascript:` URLs
here, as they don't | 386 // `javascript:void(0)` rather than calling `preventDefault()`. We |
384 // introduce MixedContent for form submissions. | 387 // special-case `javascript:` URLs here, as they don't introduce MixedContent |
| 388 // for form submissions. |
385 if (url.protocolIs("javascript")) | 389 if (url.protocolIs("javascript")) |
386 return false; | 390 return false; |
387 | 391 |
388 Frame* mixedFrame = | 392 Frame* mixedFrame = |
389 inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url); | 393 inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url); |
390 if (!mixedFrame) | 394 if (!mixedFrame) |
391 return false; | 395 return false; |
392 | 396 |
393 UseCounter::count(mixedFrame, UseCounter::MixedContentPresent); | 397 UseCounter::count(mixedFrame, UseCounter::MixedContentPresent); |
394 | 398 |
395 // Use the current local frame's client; the embedder doesn't | 399 // Use the current local frame's client; the embedder doesn't distinguish |
396 // distinguish mixed content signals from different frames on the | 400 // mixed content signals from different frames on the same page. |
397 // same page. | |
398 frame->loader().client()->didDisplayInsecureContent(); | 401 frame->loader().client()->didDisplayInsecureContent(); |
399 | 402 |
400 if (reportingStatus == SendReport) { | 403 if (reportingStatus == SendReport) { |
401 String message = String::format( | 404 String message = String::format( |
402 "Mixed Content: The page at '%s' was loaded over a secure connection, " | 405 "Mixed Content: The page at '%s' was loaded over a secure connection, " |
403 "but contains a form which targets an insecure endpoint '%s'. This " | 406 "but contains a form which targets an insecure endpoint '%s'. This " |
404 "endpoint should be made available over a secure connection.", | 407 "endpoint should be made available over a secure connection.", |
405 mainResourceUrlForFrame(mixedFrame).elidedString().utf8().data(), | 408 mainResourceUrlForFrame(mixedFrame).elidedString().utf8().data(), |
406 url.elidedString().utf8().data()); | 409 url.elidedString().utf8().data()); |
407 frame->document()->addConsoleMessage(ConsoleMessage::create( | 410 frame->document()->addConsoleMessage(ConsoleMessage::create( |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
439 | 442 |
440 void MixedContentChecker::handleCertificateError( | 443 void MixedContentChecker::handleCertificateError( |
441 LocalFrame* frame, | 444 LocalFrame* frame, |
442 const ResourceResponse& response, | 445 const ResourceResponse& response, |
443 WebURLRequest::FrameType frameType, | 446 WebURLRequest::FrameType frameType, |
444 WebURLRequest::RequestContext requestContext) { | 447 WebURLRequest::RequestContext requestContext) { |
445 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); | 448 Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType); |
446 if (frameType == WebURLRequest::FrameTypeTopLevel || !effectiveFrame) | 449 if (frameType == WebURLRequest::FrameTypeTopLevel || !effectiveFrame) |
447 return; | 450 return; |
448 | 451 |
449 // Use the current local frame's client; the embedder doesn't | 452 // Use the current local frame's client; the embedder doesn't distinguish |
450 // distinguish mixed content signals from different frames on the | 453 // mixed content signals from different frames on the same page. |
451 // same page. | |
452 FrameLoaderClient* client = frame->loader().client(); | 454 FrameLoaderClient* client = frame->loader().client(); |
453 bool strictMixedContentCheckingForPlugin = | 455 bool strictMixedContentCheckingForPlugin = |
454 effectiveFrame->settings() && | 456 effectiveFrame->settings() && |
455 effectiveFrame->settings()->strictMixedContentCheckingForPlugin(); | 457 effectiveFrame->settings()->strictMixedContentCheckingForPlugin(); |
456 WebMixedContent::ContextType contextType = | 458 WebMixedContent::ContextType contextType = |
457 WebMixedContent::contextTypeFromRequestContext( | 459 WebMixedContent::contextTypeFromRequestContext( |
458 requestContext, strictMixedContentCheckingForPlugin); | 460 requestContext, strictMixedContentCheckingForPlugin); |
459 if (contextType == WebMixedContent::ContextType::Blockable) { | 461 if (contextType == WebMixedContent::ContextType::Blockable) { |
460 client->didRunContentWithCertificateErrors(response.url()); | 462 client->didRunContentWithCertificateErrors(response.url()); |
461 } else { | 463 } else { |
462 // contextTypeFromRequestContext() never returns NotMixedContent (it | 464 // contextTypeFromRequestContext() never returns NotMixedContent (it |
463 // computes the type of mixed content, given that the content is | 465 // computes the type of mixed content, given that the content is mixed). |
464 // mixed). | |
465 DCHECK_NE(contextType, WebMixedContent::ContextType::NotMixedContent); | 466 DCHECK_NE(contextType, WebMixedContent::ContextType::NotMixedContent); |
466 client->didDisplayContentWithCertificateErrors(response.url()); | 467 client->didDisplayContentWithCertificateErrors(response.url()); |
467 } | 468 } |
468 } | 469 } |
469 | 470 |
470 WebMixedContent::ContextType MixedContentChecker::contextTypeForInspector( | 471 WebMixedContent::ContextType MixedContentChecker::contextTypeForInspector( |
471 LocalFrame* frame, | 472 LocalFrame* frame, |
472 const ResourceRequest& request) { | 473 const ResourceRequest& request) { |
473 Frame* effectiveFrame = | 474 Frame* effectiveFrame = |
474 effectiveFrameForFrameType(frame, request.frameType()); | 475 effectiveFrameForFrameType(frame, request.frameType()); |
475 | 476 |
476 Frame* mixedFrame = inWhichFrameIsContentMixed( | 477 Frame* mixedFrame = inWhichFrameIsContentMixed( |
477 effectiveFrame, request.frameType(), request.url()); | 478 effectiveFrame, request.frameType(), request.url()); |
478 if (!mixedFrame) | 479 if (!mixedFrame) |
479 return WebMixedContent::ContextType::NotMixedContent; | 480 return WebMixedContent::ContextType::NotMixedContent; |
480 | 481 |
481 // See comment in shouldBlockFetch() about loading the main resource of a subf
rame. | 482 // See comment in shouldBlockFetch() about loading the main resource of a |
| 483 // subframe. |
482 if (request.frameType() == WebURLRequest::FrameTypeNested && | 484 if (request.frameType() == WebURLRequest::FrameTypeNested && |
483 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( | 485 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled( |
484 request.url().protocol())) { | 486 request.url().protocol())) { |
485 return WebMixedContent::ContextType::OptionallyBlockable; | 487 return WebMixedContent::ContextType::OptionallyBlockable; |
486 } | 488 } |
487 | 489 |
488 bool strictMixedContentCheckingForPlugin = | 490 bool strictMixedContentCheckingForPlugin = |
489 mixedFrame->settings() && | 491 mixedFrame->settings() && |
490 mixedFrame->settings()->strictMixedContentCheckingForPlugin(); | 492 mixedFrame->settings()->strictMixedContentCheckingForPlugin(); |
491 return WebMixedContent::contextTypeFromRequestContext( | 493 return WebMixedContent::contextTypeFromRequestContext( |
492 request.requestContext(), strictMixedContentCheckingForPlugin); | 494 request.requestContext(), strictMixedContentCheckingForPlugin); |
493 } | 495 } |
494 | 496 |
495 } // namespace blink | 497 } // namespace blink |
OLD | NEW |