Refactor mixed content checks against the top frame into MixedContentChecker.

Source/core/loader/MixedContentChecker.cpp

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 44 matching lines @@
 {
     if (securityOrigin->protocol() != "https")
         return false; // We only care about HTTPS security origins.
 
     // We're in a secure context, so |url| is mixed content if it's insecure.
     return !SecurityOrigin::isSecure(url);
 }
 
 bool MixedContentChecker::canDisplayInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
 {
+    // Check the top frame if it differs from MixedContentChecker's m_frame.
+    if (!m_frame->tree().top()->isLocalFrame()) {
+        // FIXME: We need a way to access the top-level frame's MixedContentChecker when that frame
+        // is in a different process from the current frame. Until that is done, we always allow
+        // loads in remote frames.
+        return false;
+    }
+    Frame* top = m_frame->tree().top();
+    if (top != m_frame && !toLocalFrame(top)->loader().mixedContentChecker()->canDisplayInsecureContent(toLocalFrame(top)->document()->securityOrigin(), url))
+        return false;
+
+    // Then check the current frame:
     if (!isMixedContent(securityOrigin, url))
         return true;
 
     Settings* settings = m_frame->settings();
     bool allowed = client()->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
     logWarning(allowed, url, type);
 
     if (allowed)
         client()->didDisplayInsecureContent();
 
     return allowed;
 }
 
 bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
 {
+    // Check the top frame if it differs from MixedContentChecker's m_frame.
+    if (!m_frame->tree().top()->isLocalFrame()) {
+        // FIXME: We need a way to access the top-level frame's MixedContentChecker when that frame
+        // is in a different process from the current frame. Until that is done, we always allow
+        // loads in remote frames.
+        return false;
+    }
+    Frame* top = m_frame->tree().top();
+    if (top != m_frame && !toLocalFrame(top)->loader().mixedContentChecker()->canRunInsecureContent(toLocalFrame(top)->document()->securityOrigin(), url))
+        return false;
+
+    // Then check the current frame:
     if (!isMixedContent(securityOrigin, url))
         return true;
 
     Settings* settings = m_frame->settings();
     bool allowedPerSettings = settings && (settings->allowRunningOfInsecureContent() || ((type == WebSocket) && settings->allowConnectingInsecureWebSocket()));
     bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, securityOrigin, url);
     logWarning(allowed, url, type);
 
     if (allowed)
         client()->didRunInsecureContent(securityOrigin, url);
@@ skipping 23 matching lines @@
         break;
     case Submission:
         message.append("is submitting data to an insecure location at '" + target.elidedString() + "': this content should also be submitted over HTTPS.\n");
         break;
     }
     MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
     m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message.toString());
 }
 
 } // namespace WebCore