Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(986)

Unified Diff: Source/core/html/HTMLFormElement.cpp

Issue 311033003: Implementing mixed content for forms posting to insecure location from secure ones (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed the isse of incosistency with inspector Created 6 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/html/HTMLFormElement.h ('k') | Source/core/loader/MixedContentChecker.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/html/HTMLFormElement.cpp
diff --git a/Source/core/html/HTMLFormElement.cpp b/Source/core/html/HTMLFormElement.cpp
index 566e8c19e40f2aa73d99201f720d2b2f8ff7090b..68ee764490804718d33c45d976f13c2eccde754c 100644
--- a/Source/core/html/HTMLFormElement.cpp
+++ b/Source/core/html/HTMLFormElement.cpp
@@ -37,6 +37,10 @@
#include "core/events/Event.h"
#include "core/events/GenericEventQueue.h"
#include "core/events/ScopedEventQueue.h"
+#include "core/frame/DOMWindow.h"
+#include "core/frame/LocalFrame.h"
+#include "core/frame/UseCounter.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
#include "core/html/HTMLCollection.h"
#include "core/html/HTMLDialogElement.h"
#include "core/html/HTMLImageElement.h"
@@ -46,12 +50,10 @@
#include "core/html/forms/FormController.h"
#include "core/loader/FrameLoader.h"
#include "core/loader/FrameLoaderClient.h"
-#include "core/frame/DOMWindow.h"
-#include "core/frame/LocalFrame.h"
-#include "core/frame/UseCounter.h"
-#include "core/frame/csp/ContentSecurityPolicy.h"
+#include "core/loader/MixedContentChecker.h"
#include "core/rendering/RenderTextControl.h"
#include "platform/UserGestureIndicator.h"
+#include "wtf/text/AtomicString.h"
using namespace std;
@@ -59,6 +61,15 @@ namespace WebCore {
using namespace HTMLNames;
+namespace {
+
+KURL getActionURL(const Document& document, const String& action)
+{
+ return action.isEmpty() ? document.url() : document.completeURL(action);
+}
+
+} // namespace
+
HTMLFormElement::HTMLFormElement(Document& document)
: HTMLElement(formTag, document)
#if !ENABLE(OILPAN)
@@ -347,6 +358,13 @@ void HTMLFormElement::submit(Event* event, bool activateSubmitButton, bool proce
m_wasUserSubmitted = processingUserGesture;
+ KURL actionURL = getActionURL(document(), m_attributes.action());
+ if (MixedContentChecker::isMixedContent(document().securityOrigin(), actionURL))
+ UseCounter::count(document(), UseCounter::MixedContentSubmittedForm);
+
+ if (!document().frame()->loader().mixedContentChecker()->canSubmitToInsecureForm(document().securityOrigin(), actionURL))
+ return;
+
RefPtrWillBeRawPtr<HTMLFormControlElement> firstSuccessfulSubmitButton = nullptr;
bool needButtonActivation = activateSubmitButton; // do we need to activate a submit button?
@@ -790,4 +808,20 @@ void HTMLFormElement::setDemoted(bool demoted)
m_wasDemoted = demoted;
}
+void HTMLFormElement::attributeChanged(const QualifiedName& name, const AtomicString& newValue, AttributeModificationReason)
+{
+ Element::attributeChanged(name, newValue);
+ if (name == actionAttr) {
+ // If the new action attribute is pointing to insecure "action" location from a secure page
+ // it is marked as "passive" mixed content. In other words, it will just
+ // show a console warning unless the user override the preferences to
+ // block all mixed content.
+ KURL actionURL = getActionURL(document(), m_attributes.action());
+ if (MixedContentChecker::isMixedContent(document().securityOrigin(), actionURL)) {
+ document().frame()->loader().mixedContentChecker()->canSubmitToInsecureForm(document().securityOrigin(), actionURL);
+ UseCounter::count(document(), UseCounter::MixedContentForm);
+ }
+ }
abarth-chromium 2014/06/07 08:59:50 Is there a reason to trigger this use counter for
mhm 2014/06/09 15:55:35 mkwst@ suggested that we need to count three thing
+}
+
} // namespace
« no previous file with comments | « Source/core/html/HTMLFormElement.h ('k') | Source/core/loader/MixedContentChecker.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698