Upgrade Insecure Requests: bugfixes, tests, and support for OOPIF.

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights
  * reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
@@ skipping 1654 matching lines @@
       frameLoadRequest.triggeringEvent());
   resourceRequest.setRequestContext(
       determineRequestContextFromNavigationType(navigationType));
   resourceRequest.setFrameType(m_frame->isMainFrame()
                                    ? WebURLRequest::FrameTypeTopLevel
                                    : WebURLRequest::FrameTypeNested);
 
   // Record the latest requiredCSP value that will be used when sending this
   // request.
   recordLatestRequiredCSP();
-  modifyRequestForCSP(resourceRequest, nullptr);
+  modifyRequestForCSP(resourceRequest, frameLoadRequest.originDocument());

[arthursonzogni, 2016/12/07 13:51:26]

This line makes Upgrade Insecure Requests works with and without
browser-side-navigation. We only need this to make the 8 tests pass.

Then, the remaining lines in the patch make it works with OOPIF. With
cross-process iframe, the originDocument is not accessible (i.e nullptr). To
make it works, the 'upgrade insecure navigations set' is replicated accross
process and the url is upgraded just before we left the initiating frame (see
Frame::upgradeInsecureRequest).

   if (!shouldContinueForNavigationPolicy(
           resourceRequest, frameLoadRequest.substituteData(), nullptr,
           frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(),
           navigationType, navigationPolicy,
           type == FrameLoadTypeReplaceCurrentItem,
           frameLoadRequest.clientRedirect() ==
               ClientRedirectPolicy::ClientRedirect,
           frameLoadRequest.form()))
     return;
 
@@ skipping 174 matching lines @@
   return parentFrame->securityContext()->getInsecureRequestPolicy();
 }
 
 SecurityContext::InsecureNavigationsSet*
 FrameLoader::insecureNavigationsToUpgrade() const {
   DCHECK(m_frame);
   Frame* parentFrame = m_frame->tree().parent();
   if (!parentFrame)
     return nullptr;
 
-  // FIXME: We need a way to propagate insecure requests policy flags to
-  // out-of-process frames. For now, we'll always use default behavior.
-  if (!parentFrame->isLocalFrame())
-    return nullptr;
-
-  DCHECK(toLocalFrame(parentFrame)->document());
-  return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
+  return parentFrame->securityContext()->insecureNavigationsToUpgrade();
 }
 
 void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
-                                      Document* document) const {
+                                      Document* originDocument) const {
   if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
       !requiredCSP().isEmpty()) {
     // TODO(amalika): Strengthen this DCHECK that requiredCSP has proper format
     DCHECK(requiredCSP().getString().containsOnlyASCII());
     resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());
   }
 
   // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational
   // requests, as described in
   // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
   if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) {
     // Early return if the request has already been upgraded.
     if (!resourceRequest.httpHeaderField(HTTPNames::Upgrade_Insecure_Requests)
              .isNull()) {
       return;
     }
 
     resourceRequest.setHTTPHeaderField(HTTPNames::Upgrade_Insecure_Requests,
                                        "1");
   }
 
-  upgradeInsecureRequest(resourceRequest, document);
+  upgradeInsecureRequest(resourceRequest, originDocument);
 }
 
 void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
-                                         Document* document) const {
+                                         Document* originDocument) const {
+  // We always upgrade requests that meet any of the following criteria:
+  //
+  // Enforced in FrameLoader::upgradeInsecureRequest.
+  //    1. Are for subresources.
+  //    2. Are for nested frames.
+  //    3. Are form submissions.
+  //    4. Whose hosts are contained in the originDocument's upgrade insecure
+  //       navigations set. (same-frame navigation).
+  // Enforced in Frame::upgradeInsecureRequest.
+  //    4. Whose hosts are contained in the originDocument's upgrade insecure
+  //       navigations set. (cross-frame navigation).
+
   KURL url = resourceRequest.url();
 
-  // If we don't yet have an |m_document| (because we're loading an iframe, for
-  // instance), check the FrameLoader's policy.
+  // If we don't yet have an |originDocument| (because we're loading an iframe,
+  // for instance), check the FrameLoader's policy.
   WebInsecureRequestPolicy relevantPolicy =
-      document ? document->getInsecureRequestPolicy()
-               : getInsecureRequestPolicy();
+      originDocument ? originDocument->getInsecureRequestPolicy()
+                     : getInsecureRequestPolicy();
   SecurityContext::InsecureNavigationsSet* relevantNavigationSet =
-      document ? document->insecureNavigationsToUpgrade()
-               : insecureNavigationsToUpgrade();
+      originDocument ? originDocument->insecureNavigationsToUpgrade()
+                     : insecureNavigationsToUpgrade();
 
   if (url.protocolIs("http") && relevantPolicy & kUpgradeInsecureRequests) {
-    // We always upgrade requests that meet any of the following criteria:
-    //
-    // 1. Are for subresources (including nested frames).
-    // 2. Are form submissions.
-    // 3. Whose hosts are contained in the document's InsecureNavigationSet.
     if (resourceRequest.frameType() == WebURLRequest::FrameTypeNone ||
         resourceRequest.frameType() == WebURLRequest::FrameTypeNested ||
         resourceRequest.requestContext() == WebURLRequest::RequestContextForm ||
         (!url.host().isNull() &&
          relevantNavigationSet->contains(url.host().impl()->hash()))) {
-      UseCounter::count(document,
+      UseCounter::count(originDocument,
                         UseCounter::UpgradeInsecureRequestsUpgradedRequest);
       url.setProtocol("https");
       if (url.port() == 80)
         url.setPort(443);
       resourceRequest.setURL(url);
     }
   }
 }
 
 void FrameLoader::recordLatestRequiredCSP() {
@@ skipping 19 matching lines @@
                          m_documentLoader ? m_documentLoader->url() : String());
   return tracedValue;
 }
 
 inline void FrameLoader::takeObjectSnapshot() const {
   TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this,
                                       toTracedValue());
 }
 
 }  // namespace blink