Implementing mixed content for forms posting to insecure location from secure ones

Source/core/html/HTMLFormElement.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 20 matching lines @@
 #include "bindings/v8/ScriptController.h"
 #include "bindings/v8/ScriptEventListener.h"
 #include "core/dom/Attribute.h"
 #include "core/dom/Document.h"
 #include "core/dom/ElementTraversal.h"
 #include "core/dom/IdTargetObserverRegistry.h"
 #include "core/events/AutocompleteErrorEvent.h"
 #include "core/events/Event.h"
 #include "core/events/GenericEventQueue.h"
 #include "core/events/ScopedEventQueue.h"
+#include "core/frame/DOMWindow.h"
+#include "core/frame/LocalFrame.h"
+#include "core/frame/UseCounter.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/HTMLCollection.h"
 #include "core/html/HTMLDialogElement.h"
 #include "core/html/HTMLImageElement.h"
 #include "core/html/HTMLInputElement.h"
 #include "core/html/HTMLObjectElement.h"
 #include "core/html/RadioNodeList.h"
 #include "core/html/forms/FormController.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
-#include "core/frame/DOMWindow.h"
-#include "core/frame/LocalFrame.h"
-#include "core/frame/UseCounter.h"
-#include "core/frame/csp/ContentSecurityPolicy.h"
+#include "core/loader/MixedContentChecker.h"
 #include "core/rendering/RenderTextControl.h"
 #include "platform/UserGestureIndicator.h"
 
 using namespace std;
 
 namespace WebCore {
 
 using namespace HTMLNames;
 
 HTMLFormElement::HTMLFormElement(Document& document)
@@ skipping 275 matching lines @@
     }
 }
 
 void HTMLFormElement::submit(Event* event, bool activateSubmitButton, bool processingUserGesture, FormSubmissionTrigger formSubmissionTrigger)
 {
     FrameView* view = document().view();
     LocalFrame* frame = document().frame();
     if (!view || !frame || !frame->page())
         return;
 
+    // Mixed content with form submission to insecure "action"

[jww, 2014/06/05 17:35:05]

This comment is actually a bit unclear. Can you be more explicit with something
like:

"On submission of a form a secure origin with an action pointing to an insecure
action, if passive mixed content blocking is enabled, block the submission."

[mhm, 2014/06/05 17:47:43]

Done.

+    KURL actionURL = getActionURL();
+    if (!frame->loader().mixedContentChecker()->canDisplayInsecureContent(document().securityOrigin(), actionURL))

[Mike West, 2014/06/05 17:51:26]

Please add a UseCounter here so we know what percentage of form submissions are
being treated as passive mixed content. See
https://codereview.chromium.org/312253003/ for some counters I just added to
ResourceLoader.

I'd also suggest adding one UseCounter::count call to the top of this method to
measure the total number of submissions as a baseline.

+        return;
+
     m_wasUserSubmitted = processingUserGesture;
 
     RefPtrWillBeRawPtr<HTMLFormControlElement> firstSuccessfulSubmitButton = nullptr;
     bool needButtonActivation = activateSubmitButton; // do we need to activate a submit button?
 
     const FormAssociatedElement::List& elements = associatedElements();
     for (unsigned i = 0; i < elements.size(); ++i) {
         FormAssociatedElement* associatedElement = elements[i];
         if (!associatedElement->isFormControlElement())
             continue;
@@ skipping 425 matching lines @@
     returnValue0 = radioNodeList(name, onlyMatchImg);
 }
 
 void HTMLFormElement::setDemoted(bool demoted)
 {
     if (demoted)
         UseCounter::count(document(), UseCounter::DemotedFormElement);
     m_wasDemoted = demoted;
 }
 
+void HTMLFormElement::attributeChanged(const QualifiedName& name, const AtomicString& newValue, AttributeModificationReason)
+{
+    Element::attributeChanged(name, newValue);
+
+    if (name == actionAttr) {
+        // If the new action attribute is pointing to insecure "action" location from a secure page
+        // it is mixed content.

[jww, 2014/06/05 17:35:05]

You should probably clarify "passive mixed content."

[mhm, 2014/06/05 17:47:43]

Done.

+        KURL actionURL = getActionURL();
+        if (MixedContentChecker::isMixedContent(document().securityOrigin(), actionURL))

[Mike West, 2014/06/05 17:51:26]

This is strange, but I understand why you did it. :)

How about:

  if (!document().....->canDisplayInsecureContent())
    // Set the HTMLFormElement action to the empty string.
  }
  if (...isMixedContent(...)) {
    UseCounter::count(...);
  }

+            document().frame()->loader().mixedContentChecker()->canDisplayInsecureContent(document().securityOrigin(), actionURL);
+    }
+}
+
 } // namespace