Add a counter for postMessage from insecure to secure top-level frames

third_party/WebKit/Source/core/frame/DOMWindow.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/DOMWindow.h"
 
 #include "core/dom/Document.h"
 #include "core/dom/ExceptionCode.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/dom/SecurityContext.h"
@@ skipping 215 matching lines @@
           : securityOrigin->toString();
   String sourceSuborigin =
       hasSuborigin ? securityOrigin->suborigin()->name() : String();
 
   KURL targetUrl =
       isLocalDOMWindow()
           ? document()->url()
           : KURL(KURL(),
                  frame()->securityContext()->getSecurityOrigin()->toString());
   if (MixedContentChecker::isMixedContent(sourceDocument->getSecurityOrigin(),
-                                          targetUrl))
+                                          targetUrl)) {
     UseCounter::count(frame(), UseCounter::PostMessageFromSecureToInsecure);
-  else if (MixedContentChecker::isMixedContent(
-               frame()->securityContext()->getSecurityOrigin(),
-               sourceDocument->url()))
+  } else if (MixedContentChecker::isMixedContent(
+                 frame()->securityContext()->getSecurityOrigin(),
+                 sourceDocument->url())) {
     UseCounter::count(frame(), UseCounter::PostMessageFromInsecureToSecure);
+    if (frame()->isMainFrame()) {

[Mike West, 2017/01/23 08:59:22]

That is, I think the goal of the counter is to determine how often a user would
see the UI degrade from secure to insecure; to determine that, I think you want
to figure out if the top-level frame is secure or not. That is, given a message
to `grandchild` in the tree `top -> child -> grandchild`, this new counter would
never trigger, even if `grandchild`, `child`, and `top` were all secure.

WDYT about changing this to something like `if
(MixedContentChecker::isMixedContent(frame()->tree().top()->securityContext()->getSecurityOrigin(),
sourceDocument->url()))`?

+      UseCounter::count(frame(),
+                        UseCounter::PostMessageFromInsecureToSecureToplevel);
+    }
+  }
 
   MessageEvent* event =
       MessageEvent::create(std::move(channels), std::move(message),
                            sourceOrigin, String(), source, sourceSuborigin);
 
   schedulePostMessage(event, std::move(target), sourceDocument);
 }
 
 // FIXME: Once we're throwing exceptions for cross-origin access violations, we
 // will always sanitize the target frame details, so we can safely combine
@@ skipping 184 matching lines @@
   page->focusController().focusDocumentView(frame(), true /* notifyEmbedder */);
 }
 
 DEFINE_TRACE(DOMWindow) {
   visitor->trace(m_frame);
   visitor->trace(m_location);
   EventTargetWithInlineData::trace(visitor);
 }
 
 }  // namespace blink