Reflow comments in core/loader

third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 31 matching lines @@
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/WebAddressSpace.h"
 #include "public/platform/WebInsecureRequestPolicy.h"
 #include "wtf/text/StringBuilder.h"
 
 namespace blink {
 
 namespace {
 
-// When a frame is local, use its full URL to represent the main
-// resource. When the frame is remote, the full URL isn't accessible, so
-// use the origin. This function is used, for example, to determine the
-// URL to show in console messages about mixed content.
+// When a frame is local, use its full URL to represent the main resource. When
+// the frame is remote, the full URL isn't accessible, so use the origin. This
+// function is used, for example, to determine the URL to show in console
+// messages about mixed content.
 KURL mainResourceUrlForFrame(Frame* frame) {
   if (frame->isRemoteFrame())
     return KURL(KURL(),
                 frame->securityContext()->getSecurityOrigin()->toString());
   return toLocalFrame(frame)->document()->url();
 }
 
 }  // namespace
 
 static void measureStricterVersionOfIsMixedContent(Frame* frame,
                                                    const KURL& url) {
   // We're currently only checking for mixed content in `https://*` contexts.
   // What about other "secure" contexts the SchemeRegistry knows about? We'll
-  // use this method to measure the occurance of non-webby mixed content to
-  // make sure we're not breaking the world without realizing it.
+  // use this method to measure the occurance of non-webby mixed content to make
+  // sure we're not breaking the world without realizing it.
   SecurityOrigin* origin = frame->securityContext()->getSecurityOrigin();
   if (MixedContentChecker::isMixedContent(origin, url)) {
     if (origin->protocol() != "https")
       UseCounter::count(
           frame,
           UseCounter::MixedContentInNonHTTPSFrameThatRestrictsMixedContent);
   } else if (!SecurityOrigin::isSecure(url) &&
              SchemeRegistry::shouldTreatURLSchemeAsSecure(origin->protocol())) {
     UseCounter::count(
         frame,
@@ skipping 26 matching lines @@
       NetworkUtils::isLocalHostname(url.host(), nullptr))
     isAllowed = false;
   return !isAllowed;
 }
 
 // static
 Frame* MixedContentChecker::inWhichFrameIsContentMixed(
     Frame* frame,
     WebURLRequest::FrameType frameType,
     const KURL& url) {
-  // We only care about subresource loads; top-level navigations cannot be mixed content. Neither can frameless requests.
+  // We only care about subresource loads; top-level navigations cannot be mixed
+  // content. Neither can frameless requests.
   if (frameType == WebURLRequest::FrameTypeTopLevel || !frame)
     return nullptr;
 
   // Check the top frame first.
   if (Frame* top = frame->tree().top()) {
     measureStricterVersionOfIsMixedContent(top, url);
     if (isMixedContent(top->securityContext()->getSecurityOrigin(), url))
       return top;
   }
 
@@ skipping 24 matching lines @@
   MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
   frame->document()->addConsoleMessage(
       ConsoleMessage::create(SecurityMessageSource, messageLevel, message));
 }
 
 // static
 void MixedContentChecker::count(Frame* frame,
                                 WebURLRequest::RequestContext requestContext) {
   UseCounter::count(frame, UseCounter::MixedContentPresent);
 
-  // Roll blockable content up into a single counter, count unblocked types individually so we
-  // can determine when they can be safely moved to the blockable category:
+  // Roll blockable content up into a single counter, count unblocked types
+  // individually so we can determine when they can be safely moved to the
+  // blockable category:
   WebMixedContent::ContextType contextType =
       WebMixedContent::contextTypeFromRequestContext(
           requestContext,
           frame->settings()->strictMixedContentCheckingForPlugin());
   if (contextType == WebMixedContent::ContextType::Blockable) {
     UseCounter::count(frame, UseCounter::MixedContentBlockable);
     return;
   }
 
   UseCounter::Feature feature;
@@ skipping 43 matching lines @@
       inWhichFrameIsContentMixed(effectiveFrame, frameType, url);
   if (!mixedFrame)
     return false;
 
   MixedContentChecker::count(mixedFrame, requestContext);
   if (ContentSecurityPolicy* policy =
           frame->securityContext()->contentSecurityPolicy())
     policy->reportMixedContent(url, redirectStatus);
 
   Settings* settings = mixedFrame->settings();
-  // Use the current local frame's client; the embedder doesn't
-  // distinguish mixed content signals from different frames on the
-  // same page.
+  // Use the current local frame's client; the embedder doesn't distinguish
+  // mixed content signals from different frames on the same page.
   FrameLoaderClient* client = frame->loader().client();
   SecurityOrigin* securityOrigin =
       mixedFrame->securityContext()->getSecurityOrigin();
   bool allowed = false;
 
-  // If we're in strict mode, we'll automagically fail everything, and intentionally skip
-  // the client checks in order to prevent degrading the site's security UI.
+  // If we're in strict mode, we'll automagically fail everything, and
+  // intentionally skip the client checks in order to prevent degrading the
+  // site's security UI.
   bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() &
                         kBlockAllMixedContent ||
                     settings->strictMixedContentChecking();
 
   WebMixedContent::ContextType contextType =
       WebMixedContent::contextTypeFromRequestContext(
           requestContext, settings->strictMixedContentCheckingForPlugin());
 
-  // If we're loading the main resource of a subframe, we need to take a close look at the loaded URL.
-  // If we're dealing with a CORS-enabled scheme, then block mixed frames as active content. Otherwise,
-  // treat frames as passive content.
+  // If we're loading the main resource of a subframe, we need to take a close
+  // look at the loaded URL. If we're dealing with a CORS-enabled scheme, then
+  // block mixed frames as active content. Otherwise, treat frames as passive
+  // content.
   //
-  // FIXME: Remove this temporary hack once we have a reasonable API for launching external applications
-  // via URLs. http://crbug.com/318788 and https://crbug.com/393481
+  // FIXME: Remove this temporary hack once we have a reasonable API for
+  // launching external applications via URLs. http://crbug.com/318788 and
+  // https://crbug.com/393481
   if (frameType == WebURLRequest::FrameTypeNested &&
       !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol()))
     contextType = WebMixedContent::ContextType::OptionallyBlockable;
 
   switch (contextType) {
     case WebMixedContent::ContextType::OptionallyBlockable:
       client->passiveInsecureContentFound(url);
       allowed = !strictMode;
       if (allowed)
         client->didDisplayInsecureContent();
       break;
 
     case WebMixedContent::ContextType::Blockable: {
-      // Strictly block subresources that are mixed with respect to
-      // their subframes, unless all insecure content is allowed. This
-      // is to avoid the following situation: https://a.com embeds
-      // https://b.com, which loads a script over insecure HTTP. The
-      // user opts to allow the insecure content, thinking that they are
-      // allowing an insecure script to run on https://a.com and not
-      // realizing that they are in fact allowing an insecure script on
-      // https://b.com.
+      // Strictly block subresources that are mixed with respect to their
+      // subframes, unless all insecure content is allowed. This is to avoid the
+      // following situation: https://a.com embeds https://b.com, which loads a
+      // script over insecure HTTP. The user opts to allow the insecure content,
+      // thinking that they are allowing an insecure script to run on
+      // https://a.com and not realizing that they are in fact allowing an
+      // insecure script on https://b.com.
       if (!settings->allowRunningOfInsecureContent() &&
           requestIsSubframeSubresource(effectiveFrame, frameType) &&
           isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) {
         UseCounter::count(mixedFrame,
                           UseCounter::BlockableMixedContentInSubframeBlocked);
         allowed = false;
         break;
       }
 
       bool shouldAskEmbedder =
@@ skipping 58 matching lines @@
     return false;
 
   UseCounter::count(mixedFrame, UseCounter::MixedContentPresent);
   UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket);
   if (ContentSecurityPolicy* policy =
           frame->securityContext()->contentSecurityPolicy())
     policy->reportMixedContent(url,
                                ResourceRequest::RedirectStatus::NoRedirect);
 
   Settings* settings = mixedFrame->settings();
-  // Use the current local frame's client; the embedder doesn't
-  // distinguish mixed content signals from different frames on the
-  // same page.
+  // Use the current local frame's client; the embedder doesn't distinguish
+  // mixed content signals from different frames on the same page.
   FrameLoaderClient* client = frame->loader().client();
   SecurityOrigin* securityOrigin =
       mixedFrame->securityContext()->getSecurityOrigin();
   bool allowed = false;
 
-  // If we're in strict mode, we'll automagically fail everything, and intentionally skip
-  // the client checks in order to prevent degrading the site's security UI.
+  // If we're in strict mode, we'll automagically fail everything, and
+  // intentionally skip the client checks in order to prevent degrading the
+  // site's security UI.
   bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() &
                         kBlockAllMixedContent ||
                     settings->strictMixedContentChecking();
   if (!strictMode) {
     bool allowedPerSettings =
         settings && settings->allowRunningOfInsecureContent();
     allowed = client->allowRunningInsecureContent(allowedPerSettings,
                                                   securityOrigin, url);
   }
 
   if (allowed)
     client->didRunInsecureContent(securityOrigin, url);
 
   if (reportingStatus == SendReport)
     logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url,
                                allowed);
   return !allowed;
 }
 
 bool MixedContentChecker::isMixedFormAction(LocalFrame* frame,
                                             const KURL& url,
                                             ReportingStatus reportingStatus) {
-  // For whatever reason, some folks handle forms via JavaScript, and submit to `javascript:void(0)`
-  // rather than calling `preventDefault()`. We special-case `javascript:` URLs here, as they don't
-  // introduce MixedContent for form submissions.
+  // For whatever reason, some folks handle forms via JavaScript, and submit to
+  // `javascript:void(0)` rather than calling `preventDefault()`. We
+  // special-case `javascript:` URLs here, as they don't introduce MixedContent
+  // for form submissions.
   if (url.protocolIs("javascript"))
     return false;
 
   Frame* mixedFrame =
       inWhichFrameIsContentMixed(frame, WebURLRequest::FrameTypeNone, url);
   if (!mixedFrame)
     return false;
 
   UseCounter::count(mixedFrame, UseCounter::MixedContentPresent);
 
-  // Use the current local frame's client; the embedder doesn't
-  // distinguish mixed content signals from different frames on the
-  // same page.
+  // Use the current local frame's client; the embedder doesn't distinguish
+  // mixed content signals from different frames on the same page.
   frame->loader().client()->didDisplayInsecureContent();
 
   if (reportingStatus == SendReport) {
     String message = String::format(
         "Mixed Content: The page at '%s' was loaded over a secure connection, "
         "but contains a form which targets an insecure endpoint '%s'. This "
         "endpoint should be made available over a secure connection.",
         mainResourceUrlForFrame(mixedFrame).elidedString().utf8().data(),
         url.elidedString().utf8().data());
     frame->document()->addConsoleMessage(ConsoleMessage::create(
@@ skipping 31 matching lines @@
 
 void MixedContentChecker::handleCertificateError(
     LocalFrame* frame,
     const ResourceResponse& response,
     WebURLRequest::FrameType frameType,
     WebURLRequest::RequestContext requestContext) {
   Frame* effectiveFrame = effectiveFrameForFrameType(frame, frameType);
   if (frameType == WebURLRequest::FrameTypeTopLevel || !effectiveFrame)
     return;
 
-  // Use the current local frame's client; the embedder doesn't
-  // distinguish mixed content signals from different frames on the
-  // same page.
+  // Use the current local frame's client; the embedder doesn't distinguish
+  // mixed content signals from different frames on the same page.
   FrameLoaderClient* client = frame->loader().client();
   bool strictMixedContentCheckingForPlugin =
       effectiveFrame->settings() &&
       effectiveFrame->settings()->strictMixedContentCheckingForPlugin();
   WebMixedContent::ContextType contextType =
       WebMixedContent::contextTypeFromRequestContext(
           requestContext, strictMixedContentCheckingForPlugin);
   if (contextType == WebMixedContent::ContextType::Blockable) {
     client->didRunContentWithCertificateErrors(response.url());
   } else {
     // contextTypeFromRequestContext() never returns NotMixedContent (it
-    // computes the type of mixed content, given that the content is
-    // mixed).
+    // computes the type of mixed content, given that the content is mixed).
     DCHECK_NE(contextType, WebMixedContent::ContextType::NotMixedContent);
     client->didDisplayContentWithCertificateErrors(response.url());
   }
 }
 
 WebMixedContent::ContextType MixedContentChecker::contextTypeForInspector(
     LocalFrame* frame,
     const ResourceRequest& request) {
   Frame* effectiveFrame =
       effectiveFrameForFrameType(frame, request.frameType());
 
   Frame* mixedFrame = inWhichFrameIsContentMixed(
       effectiveFrame, request.frameType(), request.url());
   if (!mixedFrame)
     return WebMixedContent::ContextType::NotMixedContent;
 
-  // See comment in shouldBlockFetch() about loading the main resource of a subframe.
+  // See comment in shouldBlockFetch() about loading the main resource of a
+  // subframe.
   if (request.frameType() == WebURLRequest::FrameTypeNested &&
       !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(
           request.url().protocol())) {
     return WebMixedContent::ContextType::OptionallyBlockable;
   }
 
   bool strictMixedContentCheckingForPlugin =
       mixedFrame->settings() &&
       mixedFrame->settings()->strictMixedContentCheckingForPlugin();
   return WebMixedContent::contextTypeFromRequestContext(
       request.requestContext(), strictMixedContentCheckingForPlugin);
 }
 
 }  // namespace blink