OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 17 matching lines...) Expand all Loading... |
28 | 28 |
29 #include "config.h" | 29 #include "config.h" |
30 #include "core/loader/MixedContentChecker.h" | 30 #include "core/loader/MixedContentChecker.h" |
31 | 31 |
32 #include "core/dom/Document.h" | 32 #include "core/dom/Document.h" |
33 #include "core/frame/LocalFrame.h" | 33 #include "core/frame/LocalFrame.h" |
34 #include "core/frame/Settings.h" | 34 #include "core/frame/Settings.h" |
35 #include "core/loader/FrameLoader.h" | 35 #include "core/loader/FrameLoader.h" |
36 #include "core/loader/FrameLoaderClient.h" | 36 #include "core/loader/FrameLoaderClient.h" |
37 #include "platform/weborigin/SecurityOrigin.h" | 37 #include "platform/weborigin/SecurityOrigin.h" |
| 38 #include "wtf/text/StringBuilder.h" |
38 | 39 |
39 namespace WebCore { | 40 namespace WebCore { |
40 | 41 |
41 MixedContentChecker::MixedContentChecker(LocalFrame* frame) | 42 MixedContentChecker::MixedContentChecker(LocalFrame* frame) |
42 : m_frame(frame) | 43 : m_frame(frame) |
43 { | 44 { |
44 } | 45 } |
45 | 46 |
46 FrameLoaderClient* MixedContentChecker::client() const | 47 FrameLoaderClient* MixedContentChecker::client() const |
47 { | 48 { |
48 return m_frame->loader().client(); | 49 return m_frame->loader().client(); |
49 } | 50 } |
50 | 51 |
51 // static | 52 // static |
52 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K
URL& url) | 53 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K
URL& url) |
53 { | 54 { |
54 if (securityOrigin->protocol() != "https") | 55 if (securityOrigin->protocol() != "https") |
55 return false; // We only care about HTTPS security origins. | 56 return false; // We only care about HTTPS security origins. |
56 | 57 |
57 // We're in a secure context, so |url| is mixed content if it's insecure. | 58 // We're in a secure context, so |url| is mixed content if it's insecure. |
58 return !SecurityOrigin::isSecure(url); | 59 return !SecurityOrigin::isSecure(url); |
59 } | 60 } |
60 | 61 |
61 bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrig
in, const KURL& url) const | 62 bool MixedContentChecker::canDisplayInsecureContentInternal(SecurityOrigin* secu
rityOrigin, const KURL& url, const MixedContentType type) const |
62 { | 63 { |
63 if (!isMixedContent(securityOrigin, url)) | 64 if (!isMixedContent(securityOrigin, url)) |
64 return true; | 65 return true; |
65 | 66 |
66 Settings* settings = m_frame->settings(); | 67 Settings* settings = m_frame->settings(); |
67 bool allowed = client()->allowDisplayingInsecureContent(settings && settings
->allowDisplayOfInsecureContent(), securityOrigin, url); | 68 bool allowed = client()->allowDisplayingInsecureContent(settings && settings
->allowDisplayOfInsecureContent(), securityOrigin, url); |
68 logWarning(allowed, "displayed", url); | 69 logWarning(allowed, url, type); |
69 | 70 |
70 if (allowed) | 71 if (allowed) |
71 client()->didDisplayInsecureContent(); | 72 client()->didDisplayInsecureContent(); |
72 | 73 |
73 return allowed; | 74 return allowed; |
74 } | 75 } |
75 | 76 |
76 bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* security
Origin, const KURL& url, bool isWebSocket) const | 77 bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* security
Origin, const KURL& url, const MixedContentType type) const |
77 { | 78 { |
78 if (!isMixedContent(securityOrigin, url)) | 79 if (!isMixedContent(securityOrigin, url)) |
79 return true; | 80 return true; |
80 | 81 |
81 Settings* settings = m_frame->settings(); | 82 Settings* settings = m_frame->settings(); |
82 bool allowedPerSettings = settings && (settings->allowRunningOfInsecureConte
nt() || (isWebSocket && settings->allowConnectingInsecureWebSocket())); | 83 bool allowedPerSettings = settings && (settings->allowRunningOfInsecureConte
nt() || ((type == WebSocket) && settings->allowConnectingInsecureWebSocket())); |
83 bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, sec
urityOrigin, url); | 84 bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, sec
urityOrigin, url); |
84 logWarning(allowed, "ran", url); | 85 logWarning(allowed, url, type); |
85 | 86 |
86 if (allowed) | 87 if (allowed) |
87 client()->didRunInsecureContent(securityOrigin, url); | 88 client()->didRunInsecureContent(securityOrigin, url); |
88 | 89 |
89 return allowed; | 90 return allowed; |
90 } | 91 } |
91 | 92 |
92 void MixedContentChecker::logWarning(bool allowed, const String& action, const K
URL& target) const | 93 void MixedContentChecker::logWarning(bool allowed, const KURL& target, const Mix
edContentType type) const |
93 { | 94 { |
94 String message = String(allowed ? "" : "[blocked] ") + "The page at '" + m_f
rame->document()->url().elidedString() + "' was loaded over HTTPS, but " + actio
n + " insecure content from '" + target.elidedString() + "': this content should
also be loaded over HTTPS.\n"; | 95 StringBuilder message; |
| 96 message.append((allowed ? "" : "[blocked] ")); |
| 97 message.append("The page at '" + m_frame->document()->url().elidedString() +
"' was loaded over HTTPS, but "); |
| 98 switch (type) { |
| 99 case Display: |
| 100 message.append("displayed insecure content from '" + target.elidedString
() + "': this content should also be loaded over HTTPS.\n"); |
| 101 break; |
| 102 case Execution: |
| 103 case WebSocket: |
| 104 message.append("ran insecure content from '" + target.elidedString() + "
': this content should also be loaded over HTTPS.\n"); |
| 105 break; |
| 106 case Submission: |
| 107 message.append("is submitting data to an insecure location at '" + targe
t.elidedString() + "': this content should also be submitted over HTTPS.\n"); |
| 108 break; |
| 109 } |
95 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLeve
l; | 110 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLeve
l; |
96 m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel,
message); | 111 m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel,
message.toString()); |
97 } | 112 } |
98 | 113 |
99 } // namespace WebCore | 114 } // namespace WebCore |
OLD | NEW |