Implementing mixed content for forms posting to insecure location from secure ones

Source/core/loader/MixedContentChecker.cpp

Index: Source/core/loader/MixedContentChecker.cpp
diff --git a/Source/core/loader/MixedContentChecker.cpp b/Source/core/loader/MixedContentChecker.cpp
index af7f992b2390a1bb4410b2da8fdb9f542b94d2ea..15ec83d555606fd8dafb245c08a9e6e4a5f63b2f 100644
--- a/Source/core/loader/MixedContentChecker.cpp
+++ b/Source/core/loader/MixedContentChecker.cpp
@@ -58,14 +58,14 @@ bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K
     return !SecurityOrigin::isSecure(url);
 }
 
-bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const
+bool MixedContentChecker::canDisplayInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
 {
     if (!isMixedContent(securityOrigin, url))
         return true;
 
     Settings* settings = m_frame->settings();
     bool allowed = client()->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
-    logWarning(allowed, "displayed", url);
+    logWarning(allowed, url, type);
 
     if (allowed)
         client()->didDisplayInsecureContent();
@@ -73,15 +73,15 @@ bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrig
     return allowed;
 }
 
-bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, bool isWebSocket) const
+bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
 {
     if (!isMixedContent(securityOrigin, url))
         return true;
 
     Settings* settings = m_frame->settings();
-    bool allowedPerSettings = settings && (settings->allowRunningOfInsecureContent() || (isWebSocket && settings->allowConnectingInsecureWebSocket()));
+    bool allowedPerSettings = settings && (settings->allowRunningOfInsecureContent() || ((type == WebSocket) && settings->allowConnectingInsecureWebSocket()));
     bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, securityOrigin, url);
-    logWarning(allowed, "ran", url);
+    logWarning(allowed, url, type);
 
     if (allowed)
         client()->didRunInsecureContent(securityOrigin, url);
@@ -89,9 +89,21 @@ bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* security
     return allowed;
 }
 
-void MixedContentChecker::logWarning(bool allowed, const String& action, const KURL& target) const
+void MixedContentChecker::logWarning(bool allowed, const KURL& target, const MixedContentType type) const
 {
-    String message = String(allowed ? "" : "[blocked] ") + "The page at '" + m_frame->document()->url().elidedString() + "' was loaded over HTTPS, but " + action + " insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n";
+    String message = String(allowed ? "" : "[blocked] ") + "The page at '" + m_frame->document()->url().elidedString() + "' was loaded over HTTPS, but ";
+    switch (type) {
+    case Display:
+        message.append("displayed insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n");

[abarth-chromium, 2014/06/09 16:31:38]

String::append is extremely slow.  Please use StringBuilder instead.

[mhm, 2014/06/09 20:20:35]

Done.

+        break;
+    case Execution:
+    case WebSocket:
+        message.append("ran insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n");
+        break;
+    case Submission:
+        message.append("is submitting data to an insecure location at '" + target.elidedString() + "': this content should also be submitted over HTTPS.\n");
+        break;
+    }
     MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
     m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message);
 }