
Side by Side Diff: Source/core/loader/MixedContentChecker.cpp

Issue 311033003: Implementing mixed content for forms posting to insecure location from secure ones (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Moved the check for mixed content to a better location. Created 6 years, 6 months ago
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2012 Google Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 7 *
8 * 1. Redistributions of source code must retain the above copyright 8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright 10 * 2. Redistributions in binary form must reproduce the above copyright
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after
51 // static 51 // static
52 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K URL& url) 52 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K URL& url)
53 { 53 {
54 if (securityOrigin->protocol() != "https") 54 if (securityOrigin->protocol() != "https")
55 return false; // We only care about HTTPS security origins. 55 return false; // We only care about HTTPS security origins.
56 56
57 // We're in a secure context, so |url| is mixed content if it's insecure. 57 // We're in a secure context, so |url| is mixed content if it's insecure.
58 return !SecurityOrigin::isSecure(url); 58 return !SecurityOrigin::isSecure(url);
59 } 59 }
60 60
61 bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrig in, const KURL& url) const 61 bool MixedContentChecker::canDisplayInsecureContentInternal(SecurityOrigin* secu rityOrigin, const KURL& url, const MixedContentType type) const
62 { 62 {
63 if (!isMixedContent(securityOrigin, url)) 63 if (!isMixedContent(securityOrigin, url))
64 return true; 64 return true;
65 65
66 Settings* settings = m_frame->settings(); 66 Settings* settings = m_frame->settings();
67 bool allowed = client()->allowDisplayingInsecureContent(settings && settings ->allowDisplayOfInsecureContent(), securityOrigin, url); 67 bool allowed = client()->allowDisplayingInsecureContent(settings && settings ->allowDisplayOfInsecureContent(), securityOrigin, url);
68 logWarning(allowed, "displayed", url); 68 logWarning(allowed, url, type);
69 69
70 if (allowed) 70 if (allowed)
71 client()->didDisplayInsecureContent(); 71 client()->didDisplayInsecureContent();
72 72
73 return allowed; 73 return allowed;
74 } 74 }
75 75
76 bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* security Origin, const KURL& url, bool isWebSocket) const 76 bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* security Origin, const KURL& url, const MixedContentType type) const
77 { 77 {
78 if (!isMixedContent(securityOrigin, url)) 78 if (!isMixedContent(securityOrigin, url))
79 return true; 79 return true;
80 80
81 Settings* settings = m_frame->settings(); 81 Settings* settings = m_frame->settings();
82 bool allowedPerSettings = settings && (settings->allowRunningOfInsecureConte nt() || (isWebSocket && settings->allowConnectingInsecureWebSocket())); 82 bool allowedPerSettings = settings && (settings->allowRunningOfInsecureConte nt() || ((type == WebSocket) && settings->allowConnectingInsecureWebSocket()));
83 bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, sec urityOrigin, url); 83 bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, sec urityOrigin, url);
84 logWarning(allowed, "ran", url); 84 logWarning(allowed, url, type);
85 85
86 if (allowed) 86 if (allowed)
87 client()->didRunInsecureContent(securityOrigin, url); 87 client()->didRunInsecureContent(securityOrigin, url);
88 88
89 return allowed; 89 return allowed;
90 } 90 }
91 91
92 void MixedContentChecker::logWarning(bool allowed, const String& action, const K URL& target) const 92 void MixedContentChecker::logWarning(bool allowed, const KURL& target, const Mix edContentType type) const
93 { 93 {
94 String message = String(allowed ? "" : "[blocked] ") + "The page at '" + m_f rame->document()->url().elidedString() + "' was loaded over HTTPS, but " + actio n + " insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n"; 94 String message = String(allowed ? "" : "[blocked] ") + "The page at '" + m_f rame->document()->url().elidedString() + "' was loaded over HTTPS, but ";
95 switch (type) {
96 case Display:
97 message.append("displayed insecure content from '" + target.elidedString () + "': this content should also be loaded over HTTPS.\n");
abarth-chromium 2014/06/09 16:31:38 String::append is extremely slow. Please use Stri
mhm 2014/06/09 20:20:35 Done.
98 break;
99 case Execution:
100 case WebSocket:
101 message.append("ran insecure content from '" + target.elidedString() + " ': this content should also be loaded over HTTPS.\n");
102 break;
103 case Submission:
104 message.append("is submitting data to an insecure location at '" + targe t.elidedString() + "': this content should also be submitted over HTTPS.\n");
105 break;
106 }
95 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLeve l; 107 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLeve l;
96 m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message); 108 m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message);
97 } 109 }
98 110
99 } // namespace WebCore 111 } // namespace WebCore
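Review bot: In the new `canDisplayInsecureContentInternal`, `type` only feeds `logWarning`; the allow decision still comes from `settings->allowDisplayOfInsecureContent()` and `client()->allowDisplayingInsecureContent(...)`, and an allowed request is reported through `didDisplayInsecureContent()`. If `Submission` is routed through this function (the caller in HTMLFormElement.cpp is not visible here), a form post of user-entered data to an HTTP target is governed by the passive-display setting and reported to the embedder as displayed content, even though the submitted data becomes readable on the network path. I would at least document that at the function, e.g. `// Submission shares the display-content setting and client callback; form data sent to |url| is not protected in transit.` Separately, the `switch` in `logWarning` leaves `message` ending at "but " for any value it does not list, so a short comment that every `MixedContentType` enumerator needs a case would help the next person who extends the enum.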