| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/frame_host/mixed_content_navigation_throttle.h" | 5 #include "content/browser/frame_host/mixed_content_navigation_throttle.h" |
| 6 | 6 |
| 7 #include "base/memory/ptr_util.h" | 7 #include "base/memory/ptr_util.h" |
| 8 #include "base/stl_util.h" | 8 #include "base/stl_util.h" |
| 9 #include "content/browser/frame_host/frame_tree.h" | 9 #include "content/browser/frame_host/frame_tree.h" |
| 10 #include "content/browser/frame_host/frame_tree_node.h" | 10 #include "content/browser/frame_host/frame_tree_node.h" |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 77 return is_secure; | 77 return is_secure; |
| 78 } | 78 } |
| 79 | 79 |
| 80 // This method should return the same results as | 80 // This method should return the same results as |
| 81 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. | 81 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent. |
| 82 bool DoesOriginSchemeRestrictMixedContent(const url::Origin& origin) { | 82 bool DoesOriginSchemeRestrictMixedContent(const url::Origin& origin) { |
| 83 return origin.scheme() == url::kHttpsScheme; | 83 return origin.scheme() == url::kHttpsScheme; |
| 84 } | 84 } |
| 85 | 85 |
| 86 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* navigation_handle, | 86 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* navigation_handle, |
| 87 const GURL& mixed_content_url, | 87 FrameTreeNode* mixed_content_node, |
| 88 bool was_allowed, | 88 bool was_allowed, |
| 89 bool for_redirect) { | 89 bool for_redirect) { |
| 90 // TODO(carlosk): the root node should never be considered as being/having | 90 // TODO(carlosk): the root node should never be considered as being/having |
| 91 // mixed content for now. Once/if the browser should also check form submits | 91 // mixed content for now. Once/if the browser should also check form submits |
| 92 // for mixed content than this will be allowed to happen and this DCHECK | 92 // for mixed content than this will be allowed to happen and this DCHECK |
| 93 // should be updated. | 93 // should be updated. |
| 94 DCHECK(navigation_handle->frame_tree_node()->parent()); | 94 DCHECK(navigation_handle->frame_tree_node()->parent()); |
| 95 RenderFrameHost* rfh = | 95 RenderFrameHostImpl* rfh = |
| 96 navigation_handle->frame_tree_node()->current_frame_host(); | 96 navigation_handle->frame_tree_node()->current_frame_host(); |
| 97 |
| 98 // If mixed content is triggered by a navigation in a cross-site subframe, |
| 99 // ensure that the source URL and source location in the "mixed" frame are |
| 100 // not disclosed to the subframe, which might be in a separate renderer. For |
| 101 // example, if https://foo.com/sensitive.html embeds an OOPIF for |
| 102 // http://bar.com, the mixed content IPC will be sent to http://bar.com, and |
| 103 // we should not disclose the full foo.com URL or the source location in |
| 104 // foo.com which caused the navigation to bar.com. |
| 105 // See https://crbug.com/718942. |
| 106 // |
| 107 // TODO(arthursonzogni): Stop hiding sensitive parts of URLs in console error |
| 108 // messages as soon as there is a way to send them to the devtools process |
| 109 // without the round trip to the renderer process. |
| 110 // See https://crbug.com/721329. |
| 111 GURL safe_mixed_content_url = mixed_content_node->current_url(); |
| 112 SourceLocation safe_source_location = navigation_handle->source_location(); |
| 113 if (mixed_content_node != navigation_handle->frame_tree_node()) { |
| 114 rfh->SanitizeDataForUseInCspViolation(for_redirect, CSPDirective::Unknown, |
| 115 &safe_mixed_content_url, |
| 116 &safe_source_location); |
| 117 } |
| 118 |
| 97 FrameMsg_MixedContentFound_Params params; | 119 FrameMsg_MixedContentFound_Params params; |
| 98 params.main_resource_url = mixed_content_url; | 120 params.main_resource_url = safe_mixed_content_url; |
| 99 params.mixed_content_url = navigation_handle->GetURL(); | 121 params.mixed_content_url = navigation_handle->GetURL(); |
| 100 params.request_context_type = navigation_handle->request_context_type(); | 122 params.request_context_type = navigation_handle->request_context_type(); |
| 101 params.was_allowed = was_allowed; | 123 params.was_allowed = was_allowed; |
| 102 params.had_redirect = for_redirect; | 124 params.had_redirect = for_redirect; |
| 103 params.source_location = navigation_handle->source_location(); | 125 params.source_location = safe_source_location; |
| 104 | 126 |
| 105 rfh->Send(new FrameMsg_MixedContentFound(rfh->GetRoutingID(), params)); | 127 rfh->Send(new FrameMsg_MixedContentFound(rfh->GetRoutingID(), params)); |
| 106 } | 128 } |
| 107 | 129 |
| 108 } // namespace | 130 } // namespace |
| 109 | 131 |
| 110 namespace content { | 132 namespace content { |
| 111 | 133 |
| 112 // static | 134 // static |
| 113 std::unique_ptr<NavigationThrottle> | 135 std::unique_ptr<NavigationThrottle> |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 235 allowed = !strict_mode; | 257 allowed = !strict_mode; |
| 236 if (allowed) | 258 if (allowed) |
| 237 frame_host_delegate->DidDisplayInsecureContent(); | 259 frame_host_delegate->DidDisplayInsecureContent(); |
| 238 break; | 260 break; |
| 239 | 261 |
| 240 case blink::WebMixedContentContextType::kNotMixedContent: | 262 case blink::WebMixedContentContextType::kNotMixedContent: |
| 241 NOTREACHED(); | 263 NOTREACHED(); |
| 242 break; | 264 break; |
| 243 }; | 265 }; |
| 244 | 266 |
| 245 UpdateRendererOnMixedContentFound( | 267 UpdateRendererOnMixedContentFound(handle_impl, mixed_content_node, allowed, |
| 246 handle_impl, mixed_content_node->current_url(), allowed, for_redirect); | 268 for_redirect); |
| 247 MaybeSendBlinkFeatureUsageReport(); | 269 MaybeSendBlinkFeatureUsageReport(); |
| 248 | 270 |
| 249 return !allowed; | 271 return !allowed; |
| 250 } | 272 } |
| 251 | 273 |
| 252 // This method mirrors MixedContentChecker::inWhichFrameIsContentMixed but is | 274 // This method mirrors MixedContentChecker::inWhichFrameIsContentMixed but is |
| 253 // implemented in a different form that seems more appropriate here. | 275 // implemented in a different form that seems more appropriate here. |
| 254 FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( | 276 FrameTreeNode* MixedContentNavigationThrottle::InWhichFrameIsContentMixed( |
| 255 FrameTreeNode* node, | 277 FrameTreeNode* node, |
| 256 const GURL& url) { | 278 const GURL& url) { |
| (...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 358 // static | 380 // static |
| 359 bool MixedContentNavigationThrottle::IsMixedContentForTesting( | 381 bool MixedContentNavigationThrottle::IsMixedContentForTesting( |
| 360 const GURL& origin_url, | 382 const GURL& origin_url, |
| 361 const GURL& url) { | 383 const GURL& url) { |
| 362 const url::Origin origin(origin_url); | 384 const url::Origin origin(origin_url); |
| 363 return !IsUrlPotentiallySecure(url) && | 385 return !IsUrlPotentiallySecure(url) && |
| 364 DoesOriginSchemeRestrictMixedContent(origin); | 386 DoesOriginSchemeRestrictMixedContent(origin); |
| 365 } | 387 } |
| 366 | 388 |
| 367 } // namespace content | 389 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2900423003:
Use origins instead of URLs in console messages about mixed content.
