Use origins instead of URLs in console messages about mixed content.

content/browser/frame_host/mixed_content_navigation_throttle.cc

Index: content/browser/frame_host/mixed_content_navigation_throttle.cc
diff --git a/content/browser/frame_host/mixed_content_navigation_throttle.cc b/content/browser/frame_host/mixed_content_navigation_throttle.cc
index a267d39e9084fcf3f86fb684029d14e06694e3de..a31bc5d5e89b37ad0f5cf54354a1e0da6884d969 100644
--- a/content/browser/frame_host/mixed_content_navigation_throttle.cc
+++ b/content/browser/frame_host/mixed_content_navigation_throttle.cc
@@ -84,7 +84,7 @@ bool DoesOriginSchemeRestrictMixedContent(const url::Origin& origin) {
 }
 
 void UpdateRendererOnMixedContentFound(NavigationHandleImpl* navigation_handle,
-                                       const GURL& mixed_content_url,
+                                       FrameTreeNode* mixed_content_node,
                                        bool was_allowed,
                                        bool for_redirect) {
   // TODO(carlosk): the root node should never be considered as being/having
@@ -92,15 +92,37 @@ void UpdateRendererOnMixedContentFound(NavigationHandleImpl* navigation_handle,
   // for mixed content than this will be allowed to happen and this DCHECK
   // should be updated.
   DCHECK(navigation_handle->frame_tree_node()->parent());
-  RenderFrameHost* rfh =
+  RenderFrameHostImpl* rfh =
       navigation_handle->frame_tree_node()->current_frame_host();
+
+  // If mixed content is triggered by a navigation in a cross-site subframe,
+  // ensure that the source URL and source location in the "mixed" frame are
+  // not disclosed to the subframe, which might be in a separate renderer.  For
+  // example, if https://foo.com/sensitive.html embeds an OOPIF for
+  // http://bar.com, the mixed content IPC will be sent to http://bar.com, and
+  // we should not disclose the full foo.com URL or the source location in
+  // foo.com which caused the navigation to bar.com.
+  // See https://crbug.com/718942.
+  //
+  // TODO(arthursonzogni): Stop hiding sensitive parts of URLs in console error
+  // messages as soon as there is a way to send them to the devtools process
+  // without the round trip to the renderer process.
+  // See https://crbug.com/721329.
+  GURL safe_mixed_content_url = mixed_content_node->current_url();
+  SourceLocation safe_source_location = navigation_handle->source_location();
+  if (mixed_content_node != navigation_handle->frame_tree_node()) {
+    rfh->SanitizeDataForUseInCspViolation(for_redirect, CSPDirective::Unknown,
+                                          &safe_mixed_content_url,
+                                          &safe_source_location);
+  }
+
   FrameMsg_MixedContentFound_Params params;
-  params.main_resource_url = mixed_content_url;
+  params.main_resource_url = safe_mixed_content_url;
   params.mixed_content_url = navigation_handle->GetURL();
   params.request_context_type = navigation_handle->request_context_type();
   params.was_allowed = was_allowed;
   params.had_redirect = for_redirect;
-  params.source_location = navigation_handle->source_location();
+  params.source_location = safe_source_location;
 
   rfh->Send(new FrameMsg_MixedContentFound(rfh->GetRoutingID(), params));
 }
@@ -242,8 +264,8 @@ bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) {
       break;
   };
 
-  UpdateRendererOnMixedContentFound(
-      handle_impl, mixed_content_node->current_url(), allowed, for_redirect);
+  UpdateRendererOnMixedContentFound(handle_impl, mixed_content_node, allowed,
+                                    for_redirect);
   MaybeSendBlinkFeatureUsageReport();
 
   return !allowed;