Mixed Content: Migrate ResourceFetcher to the static mixed content checker.

Source/core/fetch/ResourceFetcher.cpp

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
@@ skipping 415 matching lines @@
     resource->setNeedsSynchronousCacheHit(substituteData.forceSynchronousLoad());
     resource->setOptions(request.options());
     resource->setDataBufferingPolicy(BufferData);
     resource->responseReceived(response);
     if (substituteData.content()->size())
         resource->setResourceBuffer(substituteData.content());
     resource->finish();
     memoryCache()->add(resource.get());
 }
 
-bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url, LocalFrame* frame, MixedContentBlockingTreatment treatment) const
-{
-    if (treatment == TreatAsDefaultForType) {
-        switch (type) {
-        case Resource::XSLStyleSheet:
-            ASSERT(RuntimeEnabledFeatures::xsltEnabled());
-        case Resource::Script:
-        case Resource::SVGDocument:
-        case Resource::CSSStyleSheet:
-        case Resource::ImportResource:
-            // These resource can inject script into the current document (Script,
-            // XSL) or exfiltrate the content of the current document (CSS).
-            treatment = TreatAsActiveContent;
-            break;
-
-        case Resource::Font:
-        case Resource::TextTrack:
-            // These resources are passive, but mixed usage is low enough that we
-            // can block them in a mixed context.
-            treatment = TreatAsActiveContent;
-            break;
-
-        case Resource::Raw:
-        case Resource::Image:
-        case Resource::Media:
-            // These resources can corrupt only the frame's pixels.
-            treatment = TreatAsPassiveContent;
-            break;
-
-        case Resource::MainResource:
-        case Resource::LinkPrefetch:
-        case Resource::LinkSubresource:
-            // These cannot affect the current document.
-            treatment = TreatAsAlwaysAllowedContent;
-            break;
-        }
-    }
-
-    // No frame, no mixed content.
-    if (!frame)
-        return true;
-
-    if (treatment == TreatAsActiveContent) {
-        if (!frame->loader().mixedContentChecker()->canRunInsecureContent(frame->document()->securityOrigin(), url))
-            return false;
-    } else if (treatment == TreatAsPassiveContent) {
-        if (!frame->loader().mixedContentChecker()->canDisplayInsecureContent(frame->document()->securityOrigin(), url))
-            return false;
-        if (MixedContentChecker::isMixedContent(frame->document()->securityOrigin(), url) || MixedContentChecker::isMixedContent(toLocalFrame(frame->tree().top())->document()->securityOrigin(), url)) {
-            switch (type) {
-            case Resource::Raw:
-                UseCounter::count(frame->document(), UseCounter::MixedContentRaw);
-                break;
-
-            case Resource::Image:
-                UseCounter::count(frame->document(), UseCounter::MixedContentImage);
-                break;
-
-            case Resource::Media:
-                UseCounter::count(frame->document(), UseCounter::MixedContentMedia);
-                break;
-
-            default:
-                ASSERT_NOT_REACHED();
-            }
-        }
-    } else {
-        ASSERT(treatment == TreatAsAlwaysAllowedContent);
-    }
-    return true;
-}
-
 bool ResourceFetcher::canRequest(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
 {
     SecurityOrigin* securityOrigin = options.securityOrigin.get();
     if (!securityOrigin && document())
         securityOrigin = document()->securityOrigin();
 
     if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin && !securityOrigin->canDisplay(url)) {
         if (!forPreload)
             context().reportLocalLoadFailed(url);
         WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allowed by SecurityOrigin::canDisplay");
@@ skipping 97 matching lines @@
         break;
     }
 
     // SVG Images have unique security rules that prevent all subresource requests
     // except for data urls.
     if (type != Resource::MainResource) {
         if (frame() && frame()->chromeClient().isSVGImageChromeClient() && !url.protocolIsData())
             return false;
     }
 
-    // Last of all, check for insecure content. We do this last so that when
-    // folks block insecure content with a CSP policy, they don't get a warning.
+    // Last of all, check for mixed content. We do this last so that when
+    // folks block mixed content with a CSP policy, they don't get a warning.
     // They'll still get a warning in the console about CSP blocking the load.
 
     // If we're loading the main resource of a subframe, ensure that we treat the resource as active

[sof, 2014/09/11 09:34:42]

Do you need to adjust this comment to fit what's now done just below?

[Mike West, 2014/09/11 09:49:35]

I do need to drop that bit of the comment. Thanks for pointing it out.

     // content for the purposes of mixed content checks, and that we check against the parent of the
     // active frame, rather than the frame itself.
     LocalFrame* effectiveFrame = frame();
-    MixedContentBlockingTreatment effectiveTreatment = options.mixedContentBlockingTreatment;
     if (resourceRequest.frameType() == WebURLRequest::FrameTypeNested) {
-        effectiveTreatment = TreatAsActiveContent;
         // FIXME: Deal with RemoteFrames.
         if (frame()->tree().parent()->isLocalFrame())
             effectiveFrame = toLocalFrame(frame()->tree().parent());
     }
 
-    // FIXME: Should we consider forPreload here?
-    if (!checkInsecureContent(type, url, effectiveFrame, effectiveTreatment)) {
-        ASSERT(MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceRequest, url));
-        return false;
-    }
-
-    ASSERT(!MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceRequest, url));
-    return true;
+    return !MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceRequest, url);
 }
 
 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sourceOrigin, const KURL& url) const
 {
     // Redirects can change the response URL different from one of request.
     if (!canRequest(resource->type(), resource->resourceRequest(), url, resource->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
         return false;
 
     if (!sourceOrigin && document())
         sourceOrigin = document()->securityOrigin();
@@ skipping 912 matching lines @@
 
 void ResourceFetcher::trace(Visitor* visitor)
 {
     visitor->trace(m_document);
     visitor->trace(m_loaders);
     visitor->trace(m_multipartLoaders);
     ResourceLoaderHost::trace(visitor);
 }
 
 }