Add a WebSettings item to turn off mixed content check for WebSocket

Add a WebSettings item to turn off mixed content check for WebSocket

https://codereview.chromium.org/222153002/ will ban use of insecure
WebSockets from HTTPS origin. To give time for app developers to fix their
app and roll-out fixed version widely to get ready for this change, we'll
provide a WebSettings item to turn off the security check.

To limit this exception to WebSockets, I added a new item that controls
only WebSockets.

After this CL is landed, I'll land
https://codereview.chromium.org/248863003/ and then
https://codereview.chromium.org/222153002/

BUG=85271
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=172454

[yhirano, 2014-04-23 08:07:47]

lgtm

https://codereview.chromium.org/246893014/diff/1/Source/core/loader/MixedCont...
File Source/core/loader/MixedContentChecker.h (right):

https://codereview.chromium.org/246893014/diff/1/Source/core/loader/MixedCont...
Source/core/loader/MixedContentChecker.h:63: bool
canRunInsecureContentInternal(SecurityOrigin*, const KURL&, bool) const;
Can you name the boolean parameter?

[tyoshino (SeeGerritForStatus), 2014-04-23 12:39:27]

https://codereview.chromium.org/246893014/diff/1/Source/core/loader/MixedCont...
File Source/core/loader/MixedContentChecker.h (right):

https://codereview.chromium.org/246893014/diff/1/Source/core/loader/MixedCont...
Source/core/loader/MixedContentChecker.h:63: bool
canRunInsecureContentInternal(SecurityOrigin*, const KURL&, bool) const;
On 2014/04/23 08:07:48, yhirano wrote:
> Can you name the boolean parameter?

Done.

[tyoshino (SeeGerritForStatus), 2014-04-23 12:58:05]

+jochen

[jochen (gone - plz use gerrit), 2014-04-23 13:00:53]

The referenced bug appears to be unrelated?

Can you please get somebody from the security team to sign this off first?

And please provide more details than "some users".

[tyoshino (SeeGerritForStatus), 2014-04-23 13:11:25]

On 2014/04/23 13:00:53, jochen wrote:
> The referenced bug appears to be unrelated?
> 

Sorry. Fixed.

> Can you please get somebody from the security team to sign this off first?
> 

Added palmer@

> And please provide more details than "some users".

Done

[abarth-chromium, 2014-04-23 17:58:45]

What sorts of app developers do you mean?

[abarth-chromium, 2014-04-23 18:01:29]

On 2014/04/23 17:58:45, abarth wrote:
> What sorts of app developers do you mean?

The Chromium CL adds something to about:flags to control this setting. 
Generally speaking, we don't give users this sort of fine-grained control over
disabling security features.

We have the catch-all --disable-web-security, which disables all security
checks.  Is that sufficient for your use case?

[palmer, 2014-04-23 22:59:00]

> We have the catch-all --disable-web-security, which disables all security
> checks.  Is that sufficient for your use case?

Yes, let's see about this before adding a flag.

[palmer, 2014-04-23 23:01:50]

Oops, my bad. This does LGTM because it is known to be temporary. abarth, ping
me for details.

[abarth-chromium, 2014-04-23 23:12:43]

No test partner?  LGTM

https://codereview.chromium.org/246893014/diff/20001/Source/core/frame/Settin...
File Source/core/frame/Settings.in (right):

https://codereview.chromium.org/246893014/diff/20001/Source/core/frame/Settin...
Source/core/frame/Settings.in:130: allowConnectingInsecureWebSocket
initial=false
Can you add a link to a bug about removing this setting?

[tyoshino (SeeGerritForStatus), 2014-04-24 03:37:09]

https://codereview.chromium.org/246893014/diff/20001/Source/core/frame/Settin...
File Source/core/frame/Settings.in (right):

https://codereview.chromium.org/246893014/diff/20001/Source/core/frame/Settin...
Source/core/frame/Settings.in:130: allowConnectingInsecureWebSocket
initial=false
On 2014/04/23 23:12:43, abarth wrote:
> Can you add a link to a bug about removing this setting?

Done.

[tyoshino (SeeGerritForStatus), 2014-04-24 03:37:15]

The CQ bit was checked by tyoshino@chromium.org

[commit-bot: I haz the power, 2014-04-24 03:37:29]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/tyoshino@chromium.org/246893014/20001

[tyoshino (SeeGerritForStatus), 2014-04-24 03:40:58]

On 2014/04/23 23:12:43, abarth wrote:
> No test partner?  LGTM

I'm happy to write some tests for MixedContentChecker. To be done in a separate
CL.

[commit-bot: I haz the power, 2014-04-24 04:08:33]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-04-24 04:08:33]

Try jobs failed on following builders:
  tryserver.blink on win_blink_rel

[tyoshino (SeeGerritForStatus), 2014-04-24 04:16:18]

The CQ bit was checked by tyoshino@chromium.org

[commit-bot: I haz the power, 2014-04-24 04:16:26]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/tyoshino@chromium.org/246893014/20001

[commit-bot: I haz the power, 2014-04-24 04:53:51]

Change committed as 172454

[tyoshino (SeeGerritForStatus), 2014-04-24 05:50:49]

I failed to commit the latest file. https://codereview.chromium.org/254563002/
will add the comment suggested by abarth@.