| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 11 matching lines...) Expand all Loading... |
| 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 */ | 27 */ |
| 28 | 28 |
| 29 #include "core/loader/MixedContentChecker.h" | 29 #include "core/loader/MixedContentChecker.h" |
| 30 | 30 |
| 31 #include "core/dom/Document.h" | 31 #include "core/dom/Document.h" |
| 32 #include "core/frame/ContentSettingsClient.h" |
| 32 #include "core/frame/Frame.h" | 33 #include "core/frame/Frame.h" |
| 33 #include "core/frame/LocalFrame.h" | 34 #include "core/frame/LocalFrame.h" |
| 34 #include "core/frame/LocalFrameClient.h" | 35 #include "core/frame/LocalFrameClient.h" |
| 35 #include "core/frame/Settings.h" | 36 #include "core/frame/Settings.h" |
| 36 #include "core/frame/UseCounter.h" | 37 #include "core/frame/UseCounter.h" |
| 37 #include "core/inspector/ConsoleMessage.h" | 38 #include "core/inspector/ConsoleMessage.h" |
| 38 #include "core/loader/DocumentLoader.h" | 39 #include "core/loader/DocumentLoader.h" |
| 39 #include "core/loader/FrameLoader.h" | 40 #include "core/loader/FrameLoader.h" |
| 40 #include "platform/RuntimeEnabledFeatures.h" | 41 #include "platform/RuntimeEnabledFeatures.h" |
| 41 #include "platform/network/NetworkUtils.h" | 42 #include "platform/network/NetworkUtils.h" |
| (...skipping 274 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 316 | 317 |
| 317 MixedContentChecker::count(mixedFrame, requestContext); | 318 MixedContentChecker::count(mixedFrame, requestContext); |
| 318 if (ContentSecurityPolicy* policy = | 319 if (ContentSecurityPolicy* policy = |
| 319 frame->securityContext()->contentSecurityPolicy()) | 320 frame->securityContext()->contentSecurityPolicy()) |
| 320 policy->reportMixedContent(url, redirectStatus); | 321 policy->reportMixedContent(url, redirectStatus); |
| 321 | 322 |
| 322 Settings* settings = mixedFrame->settings(); | 323 Settings* settings = mixedFrame->settings(); |
| 323 // Use the current local frame's client; the embedder doesn't distinguish | 324 // Use the current local frame's client; the embedder doesn't distinguish |
| 324 // mixed content signals from different frames on the same page. | 325 // mixed content signals from different frames on the same page. |
| 325 LocalFrameClient* client = frame->loader().client(); | 326 LocalFrameClient* client = frame->loader().client(); |
| 327 ContentSettingsClient* contentSettingsClient = frame->contentSettingsClient(); |
| 326 SecurityOrigin* securityOrigin = | 328 SecurityOrigin* securityOrigin = |
| 327 mixedFrame->securityContext()->getSecurityOrigin(); | 329 mixedFrame->securityContext()->getSecurityOrigin(); |
| 328 bool allowed = false; | 330 bool allowed = false; |
| 329 | 331 |
| 330 // If we're in strict mode, we'll automagically fail everything, and | 332 // If we're in strict mode, we'll automagically fail everything, and |
| 331 // intentionally skip the client checks in order to prevent degrading the | 333 // intentionally skip the client checks in order to prevent degrading the |
| 332 // site's security UI. | 334 // site's security UI. |
| 333 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & | 335 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & |
| 334 kBlockAllMixedContent || | 336 kBlockAllMixedContent || |
| 335 settings->getStrictMixedContentChecking(); | 337 settings->getStrictMixedContentChecking(); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 347 // launching external applications via URLs. http://crbug.com/318788 and | 349 // launching external applications via URLs. http://crbug.com/318788 and |
| 348 // https://crbug.com/393481 | 350 // https://crbug.com/393481 |
| 349 if (frameType == WebURLRequest::FrameTypeNested && | 351 if (frameType == WebURLRequest::FrameTypeNested && |
| 350 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) | 352 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) |
| 351 contextType = WebMixedContentContextType::OptionallyBlockable; | 353 contextType = WebMixedContentContextType::OptionallyBlockable; |
| 352 | 354 |
| 353 switch (contextType) { | 355 switch (contextType) { |
| 354 case WebMixedContentContextType::OptionallyBlockable: | 356 case WebMixedContentContextType::OptionallyBlockable: |
| 355 allowed = !strictMode; | 357 allowed = !strictMode; |
| 356 if (allowed) { | 358 if (allowed) { |
| 357 client->passiveInsecureContentFound(url); | 359 contentSettingsClient->passiveInsecureContentFound(url); |
| 358 client->didDisplayInsecureContent(); | 360 client->didDisplayInsecureContent(); |
| 359 } | 361 } |
| 360 break; | 362 break; |
| 361 | 363 |
| 362 case WebMixedContentContextType::Blockable: { | 364 case WebMixedContentContextType::Blockable: { |
| 363 // Strictly block subresources that are mixed with respect to their | 365 // Strictly block subresources that are mixed with respect to their |
| 364 // subframes, unless all insecure content is allowed. This is to avoid the | 366 // subframes, unless all insecure content is allowed. This is to avoid the |
| 365 // following situation: https://a.com embeds https://b.com, which loads a | 367 // following situation: https://a.com embeds https://b.com, which loads a |
| 366 // script over insecure HTTP. The user opts to allow the insecure content, | 368 // script over insecure HTTP. The user opts to allow the insecure content, |
| 367 // thinking that they are allowing an insecure script to run on | 369 // thinking that they are allowing an insecure script to run on |
| 368 // https://a.com and not realizing that they are in fact allowing an | 370 // https://a.com and not realizing that they are in fact allowing an |
| 369 // insecure script on https://b.com. | 371 // insecure script on https://b.com. |
| 370 if (!settings->getAllowRunningOfInsecureContent() && | 372 if (!settings->getAllowRunningOfInsecureContent() && |
| 371 requestIsSubframeSubresource(effectiveFrame, frameType) && | 373 requestIsSubframeSubresource(effectiveFrame, frameType) && |
| 372 isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) { | 374 isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) { |
| 373 UseCounter::count(mixedFrame, | 375 UseCounter::count(mixedFrame, |
| 374 UseCounter::BlockableMixedContentInSubframeBlocked); | 376 UseCounter::BlockableMixedContentInSubframeBlocked); |
| 375 allowed = false; | 377 allowed = false; |
| 376 break; | 378 break; |
| 377 } | 379 } |
| 378 | 380 |
| 379 bool shouldAskEmbedder = | 381 bool shouldAskEmbedder = |
| 380 !strictMode && settings && | 382 !strictMode && settings && |
| 381 (!settings->getStrictlyBlockBlockableMixedContent() || | 383 (!settings->getStrictlyBlockBlockableMixedContent() || |
| 382 settings->getAllowRunningOfInsecureContent()); | 384 settings->getAllowRunningOfInsecureContent()); |
| 383 allowed = shouldAskEmbedder && | 385 allowed = shouldAskEmbedder && |
| 384 client->allowRunningInsecureContent( | 386 contentSettingsClient->allowRunningInsecureContent( |
| 385 settings && settings->getAllowRunningOfInsecureContent(), | 387 settings && settings->getAllowRunningOfInsecureContent(), |
| 386 securityOrigin, url); | 388 securityOrigin, url); |
| 387 if (allowed) { | 389 if (allowed) { |
| 388 client->didRunInsecureContent(securityOrigin, url); | 390 client->didRunInsecureContent(securityOrigin, url); |
| 389 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed); | 391 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed); |
| 390 } | 392 } |
| 391 break; | 393 break; |
| 392 } | 394 } |
| 393 | 395 |
| 394 case WebMixedContentContextType::ShouldBeBlockable: | 396 case WebMixedContentContextType::ShouldBeBlockable: |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 442 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); | 444 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); |
| 443 if (ContentSecurityPolicy* policy = | 445 if (ContentSecurityPolicy* policy = |
| 444 frame->securityContext()->contentSecurityPolicy()) { | 446 frame->securityContext()->contentSecurityPolicy()) { |
| 445 policy->reportMixedContent(url, | 447 policy->reportMixedContent(url, |
| 446 ResourceRequest::RedirectStatus::NoRedirect); | 448 ResourceRequest::RedirectStatus::NoRedirect); |
| 447 } | 449 } |
| 448 | 450 |
| 449 Settings* settings = mixedFrame->settings(); | 451 Settings* settings = mixedFrame->settings(); |
| 450 // Use the current local frame's client; the embedder doesn't distinguish | 452 // Use the current local frame's client; the embedder doesn't distinguish |
| 451 // mixed content signals from different frames on the same page. | 453 // mixed content signals from different frames on the same page. |
| 452 LocalFrameClient* client = frame->loader().client(); | 454 ContentSettingsClient* contentSettingsClient = frame->contentSettingsClient(); |
| 455 LocalFrameClient* client = frame->client(); |
| 453 SecurityOrigin* securityOrigin = | 456 SecurityOrigin* securityOrigin = |
| 454 mixedFrame->securityContext()->getSecurityOrigin(); | 457 mixedFrame->securityContext()->getSecurityOrigin(); |
| 455 bool allowed = false; | 458 bool allowed = false; |
| 456 | 459 |
| 457 // If we're in strict mode, we'll automagically fail everything, and | 460 // If we're in strict mode, we'll automagically fail everything, and |
| 458 // intentionally skip the client checks in order to prevent degrading the | 461 // intentionally skip the client checks in order to prevent degrading the |
| 459 // site's security UI. | 462 // site's security UI. |
| 460 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & | 463 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & |
| 461 kBlockAllMixedContent || | 464 kBlockAllMixedContent || |
| 462 settings->getStrictMixedContentChecking(); | 465 settings->getStrictMixedContentChecking(); |
| 463 if (!strictMode) { | 466 if (!strictMode) { |
| 464 bool allowedPerSettings = | 467 bool allowedPerSettings = |
| 465 settings && settings->getAllowRunningOfInsecureContent(); | 468 settings && settings->getAllowRunningOfInsecureContent(); |
| 466 allowed = client->allowRunningInsecureContent(allowedPerSettings, | 469 allowed = contentSettingsClient->allowRunningInsecureContent( |
| 467 securityOrigin, url); | 470 allowedPerSettings, securityOrigin, url); |
| 468 } | 471 } |
| 469 | 472 |
| 470 if (allowed) | 473 if (allowed) |
| 471 client->didRunInsecureContent(securityOrigin, url); | 474 client->didRunInsecureContent(securityOrigin, url); |
| 472 | 475 |
| 473 if (reportingPolicy == SecurityViolationReportingPolicy::Report) { | 476 if (reportingPolicy == SecurityViolationReportingPolicy::Report) { |
| 474 logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, | 477 logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, |
| 475 allowed); | 478 allowed); |
| 476 } | 479 } |
| 477 return !allowed; | 480 return !allowed; |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 621 } | 624 } |
| 622 | 625 |
| 623 bool strictMixedContentCheckingForPlugin = | 626 bool strictMixedContentCheckingForPlugin = |
| 624 mixedFrame->settings() && | 627 mixedFrame->settings() && |
| 625 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); | 628 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); |
| 626 return WebMixedContent::contextTypeFromRequestContext( | 629 return WebMixedContent::contextTypeFromRequestContext( |
| 627 request.requestContext(), strictMixedContentCheckingForPlugin); | 630 request.requestContext(), strictMixedContentCheckingForPlugin); |
| 628 } | 631 } |
| 629 | 632 |
| 630 } // namespace blink | 633 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2786673002:
Separate ContentSettingsClient out from LocalFrameClient (Closed)
