Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(602)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/loader/MixedContentChecker.cpp

Issue 561153002: Mixed Content: Migrate ResourceFetcher to the static mixed content checker. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Dropping ResourceFetcher::checkInsecureContent Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« Source/core/fetch/ResourceFetcher.cpp ('K') | « Source/core/loader/MixedContentChecker.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/loader/MixedContentChecker.cpp
diff --git a/Source/core/loader/MixedContentChecker.cpp b/Source/core/loader/MixedContentChecker.cpp
index 7a81b6b13e899bce51b38bec59237e9087f1ef14..7a61bc3f51288ac0db20c7638eb66aaabe1ec9f1 100644
--- a/Source/core/loader/MixedContentChecker.cpp
+++ b/Source/core/loader/MixedContentChecker.cpp
@@ -109,7 +109,7 @@ MixedContentChecker::ContextType MixedContentChecker::contextTypeFromContext(Web
case WebURLRequest::RequestContextXMLHttpRequest:
return ContextTypeBlockableUnlessLax;
- // Contexts that we should block, but don't currently.
+ // FIXME: Contexts that we should block, but don't currently. https://crbug.com/388650
case WebURLRequest::RequestContextDownload:
case WebURLRequest::RequestContextInternal:
case WebURLRequest::RequestContextPlugin:
@@ -124,6 +124,94 @@ MixedContentChecker::ContextType MixedContentChecker::contextTypeFromContext(Web
}
// static
+const char* MixedContentChecker::typeNameFromContext(WebURLRequest::RequestContext context)
+{
+ switch (context) {
+ case WebURLRequest::RequestContextAudio:
+ return "audio file";
+ case WebURLRequest::RequestContextBeacon:
+ return "Beacon endpoint";
+ case WebURLRequest::RequestContextCSPReport:
+ return "Content Security Policy reporting endpoint";
+ case WebURLRequest::RequestContextDownload:
+ return "download";
+ case WebURLRequest::RequestContextEmbed:
+ return "plugin resource";
+ case WebURLRequest::RequestContextEventSource:
+ return "EventSource endpoint";
+ case WebURLRequest::RequestContextFavicon:
+ return "favicon";
+ case WebURLRequest::RequestContextFetch:
+ return "resource";
+ case WebURLRequest::RequestContextFont:
+ return "font";
+ case WebURLRequest::RequestContextForm:
+ return "form action";
+ case WebURLRequest::RequestContextFrame:
+ return "frame";
+ case WebURLRequest::RequestContextHyperlink:
+ return "resource";
+ case WebURLRequest::RequestContextIframe:
+ return "frame";
+ case WebURLRequest::RequestContextImage:
+ return "image";
+ case WebURLRequest::RequestContextImageSet:
+ return "image";
+ case WebURLRequest::RequestContextImport:
+ return "HTML Import";
+ case WebURLRequest::RequestContextInternal:
+ return "resource";
+ case WebURLRequest::RequestContextLocation:
+ return "resource";
+ case WebURLRequest::RequestContextManifest:
+ return "manifest";
+ case WebURLRequest::RequestContextObject:
+ return "plugin resource";
+ case WebURLRequest::RequestContextPing:
+ return "hyperlink auditing endpoint";
+ case WebURLRequest::RequestContextPlugin:
+ return "plugin data";
+ case WebURLRequest::RequestContextPrefetch:
+ return "prefetch resource";
+ case WebURLRequest::RequestContextScript:
+ return "script";
+ case WebURLRequest::RequestContextServiceWorker:
+ return "Service Worker script";
+ case WebURLRequest::RequestContextSharedWorker:
+ return "Shared Worker script";
+ case WebURLRequest::RequestContextStyle:
+ return "stylesheet";
+ case WebURLRequest::RequestContextSubresource:
+ return "resource";
+ case WebURLRequest::RequestContextTrack:
+ return "Text Track";
+ case WebURLRequest::RequestContextUnspecified:
+ return "resource";
+ case WebURLRequest::RequestContextVideo:
+ return "video";
+ case WebURLRequest::RequestContextWorker:
+ return "Worker script";
+ case WebURLRequest::RequestContextXMLHttpRequest:
+ return "XMLHttpRequest endpoint";
+ case WebURLRequest::RequestContextXSLT:
+ return "XSLT";
+ }
+ ASSERT_NOT_REACHED();
+ return "resource";
+}
+
+// static
+void MixedContentChecker::logToConsole(LocalFrame* frame, const KURL& url, WebURLRequest::RequestContext requestContext, bool allowed)
+{
+ String message = String::format(
+ "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an insecure %s '%s'. %s",
+ frame->document()->url().elidedString().utf8().data(), typeNameFromContext(requestContext), url.elidedString().utf8().data(),
+ allowed ? "This content should also be served over HTTPS." : "This request has been blocked; the content must be served over HTTPS.");
+ MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
+ frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, messageLevel, message));
+}
+
+// static
bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, const ResourceRequest& resourceRequest, const KURL& url)
{
// No frame, no mixed content:
@@ -156,36 +244,34 @@ bool MixedContentChecker::shouldBlockFetch(LocalFrame* frame, const ResourceRequ
SecurityOrigin* securityOrigin = frame->document()->securityOrigin();
bool allowed = false;
- switch (contextTypeFromContext(resourceRequest.requestContext())) {
+ ContextType contextType = contextTypeFromContext(resourceRequest.requestContext());
+ if (contextType == ContextTypeBlockableUnlessLax)
+ contextType = RuntimeEnabledFeatures::laxMixedContentCheckingEnabled() ? ContextTypeOptionallyBlockable : ContextTypeBlockable;
+
+ switch (contextType) {
case ContextTypeOptionallyBlockable:
allowed = client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
if (allowed)
client->didDisplayInsecureContent();
- return !allowed;
+ break;
case ContextTypeBlockable:
allowed = client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url);
if (allowed)
client->didRunInsecureContent(securityOrigin, url);
- return !allowed;
-
- case ContextTypeBlockableUnlessLax:
- if (RuntimeEnabledFeatures::laxMixedContentCheckingEnabled()) {
- allowed = client->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
- if (allowed)
- client->didDisplayInsecureContent();
- } else {
- allowed = client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url);
- if (allowed)
- client->didRunInsecureContent(securityOrigin, url);
- }
- return !allowed;
+ break;
case ContextTypeShouldBeBlockable:
return false;
+
+ case ContextTypeBlockableUnlessLax:
+ // We map this to either OptionallyBlockable or Blockable above.
+ ASSERT_NOT_REACHED();
+ return true;
};
- ASSERT_NOT_REACHED();
- return true;
+
+ logToConsole(frame, url, resourceRequest.requestContext(), allowed);
+ return !allowed;
}
bool MixedContentChecker::canDisplayInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
« Source/core/fetch/ResourceFetcher.cpp ('K') | « Source/core/loader/MixedContentChecker.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698