[Presentation API] PresentationRequest should throw SecurityError for mixed contents

third_party/WebKit/Source/modules/presentation/PresentationRequest.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "modules/presentation/PresentationRequest.h"
 
 #include "bindings/core/v8/CallbackPromiseAdapter.h"
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ScriptPromise.h"
 #include "bindings/core/v8/ScriptPromiseResolver.h"
 #include "core/dom/DOMException.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/frame/Settings.h"
 #include "core/frame/UseCounter.h"
+#include "core/loader/MixedContentChecker.h"
 #include "modules/EventTargetModules.h"
 #include "modules/presentation/PresentationAvailability.h"
 #include "modules/presentation/PresentationAvailabilityCallbacks.h"
 #include "modules/presentation/PresentationConnection.h"
 #include "modules/presentation/PresentationConnectionCallbacks.h"
 #include "modules/presentation/PresentationController.h"
 #include "modules/presentation/PresentationError.h"
 #include "platform/UserGestureIndicator.h"
 
 namespace blink {
@@ skipping 12 matching lines @@
   return controller ? controller->client() : nullptr;
 }
 
 Settings* settings(ExecutionContext* executionContext) {
   DCHECK(executionContext);
 
   Document* document = toDocument(executionContext);
   return document->settings();
 }
 
+ScriptPromise rejectWithMixedContentException(ScriptState* scriptState,
+                                              const String& url) {
+  return ScriptPromise::rejectWithDOMException(
+      scriptState,
+      DOMException::create(SecurityError,
+                           "Presentation of an insecure document [" + url +
+                               "] is prohibited from a secure context."));
+}
+
+ScriptPromise rejectWithSandBoxException(ScriptState* scriptState) {
+  return ScriptPromise::rejectWithDOMException(
+      scriptState, DOMException::create(SecurityError,
+                                        "The document is sandboxed and lacks "
+                                        "the 'allow-presentation' flag."));
+}
+
 }  // anonymous namespace
 
 // static
 PresentationRequest* PresentationRequest::create(
     ExecutionContext* executionContext,
     const String& url,
     ExceptionState& exceptionState) {
   KURL parsedUrl = KURL(executionContext->url(), url);
   if (!parsedUrl.isValid() || parsedUrl.protocolIsAbout()) {
     exceptionState.throwTypeError("'" + url +
@@ skipping 40 matching lines @@
   bool isUserGestureRequired =
       !contextSettings || contextSettings->presentationRequiresUserGesture();
 
   if (isUserGestureRequired && !UserGestureIndicator::utilizeUserGesture())
     return ScriptPromise::rejectWithDOMException(
         scriptState,
         DOMException::create(
             InvalidAccessError,
             "PresentationRequest::start() requires user gesture."));
 
+  if (MixedContentChecker::isMixedContent(
+          getExecutionContext()->getSecurityOrigin(), m_url)) {
+    return rejectWithMixedContentException(scriptState, m_url.getString());
+  }
+
   if (toDocument(getExecutionContext())->isSandboxed(SandboxPresentation))
-    return ScriptPromise::rejectWithDOMException(
-        scriptState, DOMException::create(SecurityError,
-                                          "The document is sandboxed and lacks "
-                                          "the 'allow-presentation' flag."));
+    return rejectWithSandBoxException(scriptState);
 
   WebPresentationClient* client = presentationClient(getExecutionContext());
   if (!client)
     return ScriptPromise::rejectWithDOMException(
         scriptState,
         DOMException::create(
             InvalidStateError,
             "The PresentationRequest is no longer associated to a frame."));
 
   ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState);
   // TODO(crbug.com/627655): Accept multiple URLs per PresentationRequest.
   WebVector<WebURL> presentationUrls(static_cast<size_t>(1U));
   presentationUrls[0] = m_url;
   client->startSession(presentationUrls,
                        new PresentationConnectionCallbacks(resolver, this));
   return resolver->promise();
 }
 
 ScriptPromise PresentationRequest::reconnect(ScriptState* scriptState,
                                              const String& id) {
+  if (MixedContentChecker::isMixedContent(
+          getExecutionContext()->getSecurityOrigin(), m_url)) {
+    return rejectWithMixedContentException(scriptState, m_url.getString());
+  }
+
   if (toDocument(getExecutionContext())->isSandboxed(SandboxPresentation))
-    return ScriptPromise::rejectWithDOMException(
-        scriptState, DOMException::create(SecurityError,
-                                          "The document is sandboxed and lacks "
-                                          "the 'allow-presentation' flag."));
+    return rejectWithSandBoxException(scriptState);
 
   WebPresentationClient* client = presentationClient(getExecutionContext());
   if (!client)
     return ScriptPromise::rejectWithDOMException(
         scriptState,
         DOMException::create(
             InvalidStateError,
             "The PresentationRequest is no longer associated to a frame."));
 
   ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState);
   // TODO(crbug.com/627655): Accept multiple URLs per PresentationRequest.
   WebVector<WebURL> presentationUrls(static_cast<size_t>(1U));
   presentationUrls[0] = m_url;
   client->joinSession(presentationUrls, id,
                       new PresentationConnectionCallbacks(resolver, this));
   return resolver->promise();
 }
 
 ScriptPromise PresentationRequest::getAvailability(ScriptState* scriptState) {
+  if (MixedContentChecker::isMixedContent(
+          getExecutionContext()->getSecurityOrigin(), m_url)) {
+    return rejectWithMixedContentException(scriptState, m_url.getString());
+  }
+
   if (toDocument(getExecutionContext())->isSandboxed(SandboxPresentation))
-    return ScriptPromise::rejectWithDOMException(
-        scriptState, DOMException::create(SecurityError,
-                                          "The document is sandboxed and lacks "
-                                          "the 'allow-presentation' flag."));
+    return rejectWithSandBoxException(scriptState);
 
   WebPresentationClient* client = presentationClient(getExecutionContext());
   if (!client)
     return ScriptPromise::rejectWithDOMException(
         scriptState,
         DOMException::create(
             InvalidStateError,
             "The PresentationRequest is no longer associated to a frame."));
 
   ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState);
@@ skipping 11 matching lines @@
   ActiveDOMObject::trace(visitor);
 }
 
 PresentationRequest::PresentationRequest(ExecutionContext* executionContext,
                                          const KURL& url)
     : ActiveScriptWrappable(this),
       ActiveDOMObject(executionContext),
       m_url(url) {}
 
 }  // namespace blink