OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 11 matching lines...) Expand all Loading... |
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
27 */ | 27 */ |
28 | 28 |
29 #include "core/loader/MixedContentChecker.h" | 29 #include "core/loader/MixedContentChecker.h" |
30 | 30 |
31 #include "core/dom/Document.h" | 31 #include "core/dom/Document.h" |
| 32 #include "core/frame/ContentSettingsClient.h" |
32 #include "core/frame/Frame.h" | 33 #include "core/frame/Frame.h" |
33 #include "core/frame/LocalFrame.h" | 34 #include "core/frame/LocalFrame.h" |
34 #include "core/frame/LocalFrameClient.h" | 35 #include "core/frame/LocalFrameClient.h" |
35 #include "core/frame/Settings.h" | 36 #include "core/frame/Settings.h" |
36 #include "core/frame/UseCounter.h" | 37 #include "core/frame/UseCounter.h" |
37 #include "core/inspector/ConsoleMessage.h" | 38 #include "core/inspector/ConsoleMessage.h" |
38 #include "core/loader/DocumentLoader.h" | 39 #include "core/loader/DocumentLoader.h" |
39 #include "core/loader/FrameLoader.h" | 40 #include "core/loader/FrameLoader.h" |
40 #include "platform/RuntimeEnabledFeatures.h" | 41 #include "platform/RuntimeEnabledFeatures.h" |
41 #include "platform/network/NetworkUtils.h" | 42 #include "platform/network/NetworkUtils.h" |
(...skipping 274 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
316 | 317 |
317 MixedContentChecker::count(mixedFrame, requestContext); | 318 MixedContentChecker::count(mixedFrame, requestContext); |
318 if (ContentSecurityPolicy* policy = | 319 if (ContentSecurityPolicy* policy = |
319 frame->securityContext()->contentSecurityPolicy()) | 320 frame->securityContext()->contentSecurityPolicy()) |
320 policy->reportMixedContent(url, redirectStatus); | 321 policy->reportMixedContent(url, redirectStatus); |
321 | 322 |
322 Settings* settings = mixedFrame->settings(); | 323 Settings* settings = mixedFrame->settings(); |
323 // Use the current local frame's client; the embedder doesn't distinguish | 324 // Use the current local frame's client; the embedder doesn't distinguish |
324 // mixed content signals from different frames on the same page. | 325 // mixed content signals from different frames on the same page. |
325 LocalFrameClient* client = frame->loader().client(); | 326 LocalFrameClient* client = frame->loader().client(); |
| 327 ContentSettingsClient* contentSettingsClient = frame->contentSettingsClient(); |
326 SecurityOrigin* securityOrigin = | 328 SecurityOrigin* securityOrigin = |
327 mixedFrame->securityContext()->getSecurityOrigin(); | 329 mixedFrame->securityContext()->getSecurityOrigin(); |
328 bool allowed = false; | 330 bool allowed = false; |
329 | 331 |
330 // If we're in strict mode, we'll automagically fail everything, and | 332 // If we're in strict mode, we'll automagically fail everything, and |
331 // intentionally skip the client checks in order to prevent degrading the | 333 // intentionally skip the client checks in order to prevent degrading the |
332 // site's security UI. | 334 // site's security UI. |
333 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & | 335 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & |
334 kBlockAllMixedContent || | 336 kBlockAllMixedContent || |
335 settings->getStrictMixedContentChecking(); | 337 settings->getStrictMixedContentChecking(); |
(...skipping 11 matching lines...) Expand all Loading... |
347 // launching external applications via URLs. http://crbug.com/318788 and | 349 // launching external applications via URLs. http://crbug.com/318788 and |
348 // https://crbug.com/393481 | 350 // https://crbug.com/393481 |
349 if (frameType == WebURLRequest::FrameTypeNested && | 351 if (frameType == WebURLRequest::FrameTypeNested && |
350 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) | 352 !SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) |
351 contextType = WebMixedContentContextType::OptionallyBlockable; | 353 contextType = WebMixedContentContextType::OptionallyBlockable; |
352 | 354 |
353 switch (contextType) { | 355 switch (contextType) { |
354 case WebMixedContentContextType::OptionallyBlockable: | 356 case WebMixedContentContextType::OptionallyBlockable: |
355 allowed = !strictMode; | 357 allowed = !strictMode; |
356 if (allowed) { | 358 if (allowed) { |
357 client->passiveInsecureContentFound(url); | 359 contentSettingsClient->passiveInsecureContentFound(url); |
358 client->didDisplayInsecureContent(); | 360 client->didDisplayInsecureContent(); |
359 } | 361 } |
360 break; | 362 break; |
361 | 363 |
362 case WebMixedContentContextType::Blockable: { | 364 case WebMixedContentContextType::Blockable: { |
363 // Strictly block subresources that are mixed with respect to their | 365 // Strictly block subresources that are mixed with respect to their |
364 // subframes, unless all insecure content is allowed. This is to avoid the | 366 // subframes, unless all insecure content is allowed. This is to avoid the |
365 // following situation: https://a.com embeds https://b.com, which loads a | 367 // following situation: https://a.com embeds https://b.com, which loads a |
366 // script over insecure HTTP. The user opts to allow the insecure content, | 368 // script over insecure HTTP. The user opts to allow the insecure content, |
367 // thinking that they are allowing an insecure script to run on | 369 // thinking that they are allowing an insecure script to run on |
368 // https://a.com and not realizing that they are in fact allowing an | 370 // https://a.com and not realizing that they are in fact allowing an |
369 // insecure script on https://b.com. | 371 // insecure script on https://b.com. |
370 if (!settings->getAllowRunningOfInsecureContent() && | 372 if (!settings->getAllowRunningOfInsecureContent() && |
371 requestIsSubframeSubresource(effectiveFrame, frameType) && | 373 requestIsSubframeSubresource(effectiveFrame, frameType) && |
372 isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) { | 374 isMixedContent(frame->securityContext()->getSecurityOrigin(), url)) { |
373 UseCounter::count(mixedFrame, | 375 UseCounter::count(mixedFrame, |
374 UseCounter::BlockableMixedContentInSubframeBlocked); | 376 UseCounter::BlockableMixedContentInSubframeBlocked); |
375 allowed = false; | 377 allowed = false; |
376 break; | 378 break; |
377 } | 379 } |
378 | 380 |
379 bool shouldAskEmbedder = | 381 bool shouldAskEmbedder = |
380 !strictMode && settings && | 382 !strictMode && settings && |
381 (!settings->getStrictlyBlockBlockableMixedContent() || | 383 (!settings->getStrictlyBlockBlockableMixedContent() || |
382 settings->getAllowRunningOfInsecureContent()); | 384 settings->getAllowRunningOfInsecureContent()); |
383 allowed = shouldAskEmbedder && | 385 allowed = shouldAskEmbedder && |
384 client->allowRunningInsecureContent( | 386 contentSettingsClient->allowRunningInsecureContent( |
385 settings && settings->getAllowRunningOfInsecureContent(), | 387 settings && settings->getAllowRunningOfInsecureContent(), |
386 securityOrigin, url); | 388 securityOrigin, url); |
387 if (allowed) { | 389 if (allowed) { |
388 client->didRunInsecureContent(securityOrigin, url); | 390 client->didRunInsecureContent(securityOrigin, url); |
389 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed); | 391 UseCounter::count(mixedFrame, UseCounter::MixedContentBlockableAllowed); |
390 } | 392 } |
391 break; | 393 break; |
392 } | 394 } |
393 | 395 |
394 case WebMixedContentContextType::ShouldBeBlockable: | 396 case WebMixedContentContextType::ShouldBeBlockable: |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
442 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); | 444 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); |
443 if (ContentSecurityPolicy* policy = | 445 if (ContentSecurityPolicy* policy = |
444 frame->securityContext()->contentSecurityPolicy()) { | 446 frame->securityContext()->contentSecurityPolicy()) { |
445 policy->reportMixedContent(url, | 447 policy->reportMixedContent(url, |
446 ResourceRequest::RedirectStatus::NoRedirect); | 448 ResourceRequest::RedirectStatus::NoRedirect); |
447 } | 449 } |
448 | 450 |
449 Settings* settings = mixedFrame->settings(); | 451 Settings* settings = mixedFrame->settings(); |
450 // Use the current local frame's client; the embedder doesn't distinguish | 452 // Use the current local frame's client; the embedder doesn't distinguish |
451 // mixed content signals from different frames on the same page. | 453 // mixed content signals from different frames on the same page. |
452 LocalFrameClient* client = frame->loader().client(); | 454 ContentSettingsClient* contentSettingsClient = frame->contentSettingsClient(); |
| 455 LocalFrameClient* client = frame->client(); |
453 SecurityOrigin* securityOrigin = | 456 SecurityOrigin* securityOrigin = |
454 mixedFrame->securityContext()->getSecurityOrigin(); | 457 mixedFrame->securityContext()->getSecurityOrigin(); |
455 bool allowed = false; | 458 bool allowed = false; |
456 | 459 |
457 // If we're in strict mode, we'll automagically fail everything, and | 460 // If we're in strict mode, we'll automagically fail everything, and |
458 // intentionally skip the client checks in order to prevent degrading the | 461 // intentionally skip the client checks in order to prevent degrading the |
459 // site's security UI. | 462 // site's security UI. |
460 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & | 463 bool strictMode = mixedFrame->securityContext()->getInsecureRequestPolicy() & |
461 kBlockAllMixedContent || | 464 kBlockAllMixedContent || |
462 settings->getStrictMixedContentChecking(); | 465 settings->getStrictMixedContentChecking(); |
463 if (!strictMode) { | 466 if (!strictMode) { |
464 bool allowedPerSettings = | 467 bool allowedPerSettings = |
465 settings && settings->getAllowRunningOfInsecureContent(); | 468 settings && settings->getAllowRunningOfInsecureContent(); |
466 allowed = client->allowRunningInsecureContent(allowedPerSettings, | 469 allowed = contentSettingsClient->allowRunningInsecureContent( |
467 securityOrigin, url); | 470 allowedPerSettings, securityOrigin, url); |
468 } | 471 } |
469 | 472 |
470 if (allowed) | 473 if (allowed) |
471 client->didRunInsecureContent(securityOrigin, url); | 474 client->didRunInsecureContent(securityOrigin, url); |
472 | 475 |
473 if (reportingPolicy == SecurityViolationReportingPolicy::Report) { | 476 if (reportingPolicy == SecurityViolationReportingPolicy::Report) { |
474 logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, | 477 logToConsoleAboutWebSocket(frame, mainResourceUrlForFrame(mixedFrame), url, |
475 allowed); | 478 allowed); |
476 } | 479 } |
477 return !allowed; | 480 return !allowed; |
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
621 } | 624 } |
622 | 625 |
623 bool strictMixedContentCheckingForPlugin = | 626 bool strictMixedContentCheckingForPlugin = |
624 mixedFrame->settings() && | 627 mixedFrame->settings() && |
625 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); | 628 mixedFrame->settings()->getStrictMixedContentCheckingForPlugin(); |
626 return WebMixedContent::contextTypeFromRequestContext( | 629 return WebMixedContent::contextTypeFromRequestContext( |
627 request.requestContext(), strictMixedContentCheckingForPlugin); | 630 request.requestContext(), strictMixedContentCheckingForPlugin); |
628 } | 631 } |
629 | 632 |
630 } // namespace blink | 633 } // namespace blink |
OLD | NEW |