chrome/renderer/chrome_content_renderer_client.cc - Issue 809153004: Mixed Content: Treat some Chrome schemes as restricting mixed content.

Side by Side Diff: chrome/renderer/chrome_content_renderer_client.cc

Issue 809153004: Mixed Content: Treat some Chrome schemes as restricting mixed content. Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: devtools=secure Created 6 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/renderer/chrome_content_renderer_client.h"	5 #include "chrome/renderer/chrome_content_renderer_client.h"

6	6

7 #include "base/command_line.h"	7 #include "base/command_line.h"

8 #include "base/debug/crash_logging.h"	8 #include "base/debug/crash_logging.h"

9 #include "base/logging.h"	9 #include "base/logging.h"

10 #include "base/metrics/field_trial.h"	10 #include "base/metrics/field_trial.h"

(...skipping 385 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
396 WebSecurityPolicy::registerURLSchemeAsLocal(external_file_scheme);	396 WebSecurityPolicy::registerURLSchemeAsLocal(external_file_scheme);

397 #endif	397 #endif

398	398

399 // chrome: and chrome-search: pages should not be accessible by bookmarklets	399 // chrome: and chrome-search: pages should not be accessible by bookmarklets

400 // or javascript: URLs typed in the omnibox.	400 // or javascript: URLs typed in the omnibox.

401 WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(	401 WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(

402 chrome_ui_scheme);	402 chrome_ui_scheme);

403 WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(	403 WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(

404 chrome_search_scheme);	404 chrome_search_scheme);

405	405

406 // chrome:, chrome-search:, chrome-extension:, and chrome-extension-resource:	406 // chrome:, chrome-search:, chrome-extension:, chrome-extension-resource:,

407 // resources shouldn't trigger insecure content warnings.	407 // and chrome-devtools: resources shouldn't trigger insecure content

	408 // warnings when embedded in pages whose schemes are registered as

	409 // restricting mixed content.

408 WebSecurityPolicy::registerURLSchemeAsSecure(chrome_ui_scheme);	410 WebSecurityPolicy::registerURLSchemeAsSecure(chrome_ui_scheme);

409 WebSecurityPolicy::registerURLSchemeAsSecure(chrome_search_scheme);	411 WebSecurityPolicy::registerURLSchemeAsSecure(chrome_search_scheme);

410	412

411 WebString extension_scheme(ASCIIToUTF16(extensions::kExtensionScheme));	413 WebString extension_scheme(ASCIIToUTF16(extensions::kExtensionScheme));

412 WebSecurityPolicy::registerURLSchemeAsSecure(extension_scheme);	414 WebSecurityPolicy::registerURLSchemeAsSecure(extension_scheme);

413	415

414 WebString extension_resource_scheme(	416 WebString extension_resource_scheme(

415 ASCIIToUTF16(extensions::kExtensionResourceScheme));	417 ASCIIToUTF16(extensions::kExtensionResourceScheme));

416 WebSecurityPolicy::registerURLSchemeAsSecure(extension_resource_scheme);	418 WebSecurityPolicy::registerURLSchemeAsSecure(extension_resource_scheme);

	419 WebSecurityPolicy::registerURLSchemeAsSecure(dev_tools_scheme);

	420

	421 // chrome:, chrome-search:, chrome-extension-resource:, and chrome-devtools:

	422 // pages should not directly embed insecure resources.
	jochen (gone - plz use gerrit) 2015/05/18 22:48:40 chrome: and chrome-devtools: are defined in conten chrome: and chrome-devtools: are defined in content. I wonder whether we should register them there?
	423 WebSecurityPolicy::registerURLSchemeAsRestrictingMixedContent(

	424 chrome_ui_scheme);

	425 WebSecurityPolicy::registerURLSchemeAsRestrictingMixedContent(

	426 chrome_search_scheme);

	427 WebSecurityPolicy::registerURLSchemeAsRestrictingMixedContent(

	428 dev_tools_scheme);

	429 WebSecurityPolicy::registerURLSchemeAsRestrictingMixedContent(

	430 extension_resource_scheme);
	not at google - send to devlin 2015/05/18 23:08:33 Double-check with the ARC people about this, they' Double-check with the ARC people about this, they're the main clients of chrome-extension-resource. elijahtaylor1 2015/05/18 23:46:33 I don't think this should be a problem for ARC. We Show quoted text On 2015/05/18 23:08:33, kalman wrote: > Double-check with the ARC people about this, they're the main clients of > chrome-extension-resource. I don't think this should be a problem for ARC. We actually don't use chrome-extension-resource, shared module resources are delivered via reserved _modules/ paths from the normal chrome-extension:// scheme.
417	431

418 // chrome:, chrome-extension:, chrome-extension-resource: resources should be	432 // chrome:, chrome-extension:, chrome-extension-resource: resources should be

419 // allowed to receive CORS requests.	433 // allowed to receive CORS requests.

420 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(chrome_ui_scheme);	434 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(chrome_ui_scheme);

421 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme);	435 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme);

422 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme);	436 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme);

423	437

424 // chrome-extension: resources should bypass Content Security Policy checks	438 // chrome-extension: resources should bypass Content Security Policy checks

425 // when included in protected resources.	439 // when included in protected resources.

426 WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(	440 WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(

(...skipping 1146 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1573 if (mime_type == content::kBrowserPluginMimeType) {	1587 if (mime_type == content::kBrowserPluginMimeType) {

1574 return new extensions::ExtensionsGuestViewContainer(render_frame);	1588 return new extensions::ExtensionsGuestViewContainer(render_frame);

1575 } else {	1589 } else {

1576 return new extensions::MimeHandlerViewContainer(	1590 return new extensions::MimeHandlerViewContainer(

1577 render_frame, mime_type, original_url);	1591 render_frame, mime_type, original_url);

1578 }	1592 }

1579 #else	1593 #else

1580 return NULL;	1594 return NULL;

1581 #endif	1595 #endif

1582 }	1596 }

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »