Use origins instead of URLs in console messages about mixed content.

third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 33 matching lines @@
 #include "platform/weborigin/SecurityOrigin.h"
 #include "platform/wtf/text/StringBuilder.h"
 #include "public/platform/WebAddressSpace.h"
 #include "public/platform/WebInsecureRequestPolicy.h"
 #include "public/platform/WebMixedContent.h"
 
 namespace blink {
 
 namespace {
 
-// When a frame is local, use its full URL to represent the main resource. When
-// the frame is remote, the full URL isn't accessible, so use the origin. This
-// function is used, for example, to determine the URL to show in console
-// messages about mixed content.
-KURL MainResourceUrlForFrame(Frame* frame) {
-  if (frame->IsRemoteFrame()) {
-    return KURL(KURL(),
-                frame->GetSecurityContext()->GetSecurityOrigin()->ToString());
+// This helper function is used to determine the URL to show for |mixed_frame|
+// in console messages about mixed content.  |mixed_frame| is the frame with
+// respect to which content is mixed, and |frame| is the LocalFrame which is
+// loading the resource that triggered mixed content.  If the two frames are
+// different, use |mixed_frame|'s origin.  This automatically handles the OOPIF
+// cases where mixed_frame might be a RemoteFrame, and is done for consistency
+// even when |mixed_frame| is local.
+KURL MainResourceUrlForMixedFrame(Frame* mixed_frame, LocalFrame* frame) {
+  if (mixed_frame != frame) {
+    return KURL(
+        KURL(),
+        mixed_frame->GetSecurityContext()->GetSecurityOrigin()->ToString());
   }
-  return ToLocalFrame(frame)->GetDocument()->Url();
+  return ToLocalFrame(mixed_frame)->GetDocument()->Url();
 }
 
 const char* RequestContextName(WebURLRequest::RequestContext context) {
   switch (context) {
     case WebURLRequest::kRequestContextAudio:
       return "audio file";
     case WebURLRequest::kRequestContextBeacon:
       return "Beacon endpoint";
     case WebURLRequest::kRequestContextCSPReport:
       return "Content Security Policy reporting endpoint";
@@ skipping 327 matching lines @@
       allowed = !strict_mode;
       if (allowed)
         client->DidDisplayInsecureContent();
       break;
     case WebMixedContentContextType::kNotMixedContent:
       NOTREACHED();
       break;
   };
 
   if (reporting_policy == SecurityViolationReportingPolicy::kReport) {
-    LogToConsoleAboutFetch(frame, MainResourceUrlForFrame(mixed_frame), url,
-                           request_context, allowed, nullptr);
+    LogToConsoleAboutFetch(frame,
+                           MainResourceUrlForMixedFrame(mixed_frame, frame),
+                           url, request_context, allowed, nullptr);
   }
   return !allowed;
 }
 
 // static
 void MixedContentChecker::LogToConsoleAboutWebSocket(
     LocalFrame* frame,
     const KURL& main_resource_url,
     const KURL& url,
     bool allowed) {
@@ skipping 51 matching lines @@
     bool allowed_per_settings =
         settings && settings->GetAllowRunningOfInsecureContent();
     allowed = content_settings_client->AllowRunningInsecureContent(
         allowed_per_settings, security_origin, url);
   }
 
   if (allowed)
     client->DidRunInsecureContent(security_origin, url);
 
   if (reporting_policy == SecurityViolationReportingPolicy::kReport) {
-    LogToConsoleAboutWebSocket(frame, MainResourceUrlForFrame(mixed_frame), url,
-                               allowed);
+    LogToConsoleAboutWebSocket(
+        frame, MainResourceUrlForMixedFrame(mixed_frame, frame), url, allowed);
   }
   return !allowed;
 }
 
 bool MixedContentChecker::IsMixedFormAction(
     LocalFrame* frame,
     const KURL& url,
     SecurityViolationReportingPolicy reporting_policy) {
   // For whatever reason, some folks handle forms via JavaScript, and submit to
   // `javascript:void(0)` rather than calling `preventDefault()`. We
@@ skipping 11 matching lines @@
 
   // Use the current local frame's client; the embedder doesn't distinguish
   // mixed content signals from different frames on the same page.
   frame->Loader().Client()->DidContainInsecureFormAction();
 
   if (reporting_policy == SecurityViolationReportingPolicy::kReport) {
     String message = String::Format(
         "Mixed Content: The page at '%s' was loaded over a secure connection, "
         "but contains a form which targets an insecure endpoint '%s'. This "
         "endpoint should be made available over a secure connection.",
-        MainResourceUrlForFrame(mixed_frame).ElidedString().Utf8().data(),
+        MainResourceUrlForMixedFrame(mixed_frame, frame)
+            .ElidedString()
+            .Utf8()
+            .data(),
         url.ElidedString().Utf8().data());
     frame->GetDocument()->AddConsoleMessage(ConsoleMessage::Create(
         kSecurityMessageSource, kWarningMessageLevel, message));
   }
 
   return true;
 }
 
 void MixedContentChecker::CheckMixedPrivatePublic(
     LocalFrame* frame,
@@ skipping 104 matching lines @@
   }
 
   bool strict_mixed_content_checking_for_plugin =
       mixed_frame->GetSettings() &&
       mixed_frame->GetSettings()->GetStrictMixedContentCheckingForPlugin();
   return WebMixedContent::ContextTypeFromRequestContext(
       request.GetRequestContext(), strict_mixed_content_checking_for_plugin);
 }
 
 }  // namespace blink