
Side by Side Diff: Source/core/html/HTMLFormElement.cpp

Issue 431273006: Fixing the case where mixed content checking for insecure form submission in secure origins is brea… (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Addressing jww comments Created 6 years, 4 months ago
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserv ed.
6 * (C) 2006 Alexey Proskuryakov (ap@nypop.com) 6 * (C) 2006 Alexey Proskuryakov (ap@nypop.com)
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 485 matching lines...)
496 m_pendingAutocompleteEventsQueue->enqueueEvent(event.release()); 496 m_pendingAutocompleteEventsQueue->enqueueEvent(event.release());
497 } 497 }
498 498
499 void HTMLFormElement::parseAttribute(const QualifiedName& name, const AtomicStri ng& value) 499 void HTMLFormElement::parseAttribute(const QualifiedName& name, const AtomicStri ng& value)
500 { 500 {
501 if (name == actionAttr) { 501 if (name == actionAttr) {
502 m_attributes.parseAction(value); 502 m_attributes.parseAction(value);
503 // If the new action attribute is pointing to insecure "action" location from a secure page 503 // If the new action attribute is pointing to insecure "action" location from a secure page
504 // it is marked as "passive" mixed content. 504 // it is marked as "passive" mixed content.
505 KURL actionURL = document().completeURL(m_attributes.action().isEmpty() ? document().url().string() : m_attributes.action()); 505 KURL actionURL = document().completeURL(m_attributes.action().isEmpty() ? document().url().string() : m_attributes.action());
506 if (MixedContentChecker::isMixedContent(document().securityOrigin(), act ionURL)) 506 // Blink needs to check if the form is associted with a frame because mi xed content checker
jww 2014/08/01 23:35:42 Can you please wrap this comment to 80 characters?
adamk 2014/08/01 23:43:29 I don't think this comment is useful, the very nex
mhm 2014/08/02 00:08:52 Done.
mhm 2014/08/04 15:15:44 Done.
507 document().frame()->loader().mixedContentChecker()->canSubmitToInsec ureForm(document().securityOrigin(), actionURL); 507 // assumes it has a fram. See bug 398066.
jww 2014/08/01 23:35:42 fram -> frame
mhm 2014/08/02 00:08:52 Done.
508 if (document().frame()) {
adamk 2014/08/01 23:43:28 Nit: if { if looks funny to me, please make this:
mhm 2014/08/04 15:15:44 Done.
509 if (MixedContentChecker::isMixedContent(document().securityOrigin(), actionURL))
510 document().frame()->loader().mixedContentChecker()->canSubmitToI nsecureForm(document().securityOrigin(), actionURL);
511 }
508 } else if (name == targetAttr) 512 } else if (name == targetAttr)
509 m_attributes.setTarget(value); 513 m_attributes.setTarget(value);
510 else if (name == methodAttr) 514 else if (name == methodAttr)
511 m_attributes.updateMethodType(value); 515 m_attributes.updateMethodType(value);
512 else if (name == enctypeAttr) 516 else if (name == enctypeAttr)
513 m_attributes.updateEncodingType(value); 517 m_attributes.updateEncodingType(value);
514 else if (name == accept_charsetAttr) 518 else if (name == accept_charsetAttr)
515 m_attributes.setAcceptCharset(value); 519 m_attributes.setAcceptCharset(value);
516 else if (name == onautocompleteAttr) 520 else if (name == onautocompleteAttr)
517 setAttributeEventListener(EventTypeNames::autocomplete, createAttributeE ventListener(this, name, value, eventParameterName())); 521 setAttributeEventListener(EventTypeNames::autocomplete, createAttributeE ventListener(this, name, value, eventParameterName()));
(...skipping 309 matching lines...)
827 } 831 }
828 832
829 void HTMLFormElement::setDemoted(bool demoted) 833 void HTMLFormElement::setDemoted(bool demoted)
830 { 834 {
831 if (demoted) 835 if (demoted)
832 UseCounter::count(document(), UseCounter::DemotedFormElement); 836 UseCounter::count(document(), UseCounter::DemotedFormElement);
833 m_wasDemoted = demoted; 837 m_wasDemoted = demoted;
834 } 838 }
835 839
836 } // namespace 840 } // namespace
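Review bot: The new `if (document().frame())` guard at new line 508 turns the insecure-action check into a silent no-op for a form whose document has no frame. Nothing visible here re-runs it if that form later ends up in a framed secure document, because parseAttribute only runs when `action` changes. Please confirm that the submission path does its own insecure-action check (it is not visible on this page) and state that next to the guard, for example `// Frameless documents have no mixed content checker, so the insecure-action report is skipped here (bug 398066); submission must check again.` The result of `canSubmitToInsecureForm` is discarded at new line 510, so the call appears to be made only for its reporting side effect, and the comment should say so. parseAttribute's remaining branches continue past the visible lines.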