Chromium Code Reviews

Issue 811773002: Mixed Content: Implement strict mode. (Closed)

Created:
6 years ago by Mike West
Modified:
6 years ago
Reviewers:
palmer, jochen (gone - plz use gerrit), Ryan Sleevi
CC:
blink-reviews, blink-reviews-dom_chromium.org, dglazkov+blink, eae+blinkwatch, gavinp+loader_chromium.org, Nate Chapin, mkwst+watchlist-csp_chromium.org, rwlbuis, sof, tyoshino+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

Mixed Content: Implement strict mode.

https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode defines strict mixed content checking, which allows authors to opt-into stricter mixed content checking with the following effects:

1. "Optionally-blockable" mixed content will be treated as "blockable" mixed content, meaning that mixed content of all types will be blocked by default.

2. Embedder notification is suppressed, meaning that users will not be offered the ability to choose to enable mixed content for a particular document, even if they really really want to (similar to HSTS's effect on TLS violations).

Together, this has the effect of allowing a site to avoid degraded security UI, which removes some of the risk of migrating to HTTPS.

This patch lands the 'strict-mixed-content-checking' CSP directive behind the experimental flag, as I suspect we'll bikeshed the name a bit before shipping the spec.

BUG=442662

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=187241
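The two effects listed in the description, modelled as a decision table. This is an added illustration, not code from the patch or from Blink: it parses a CSP header for the 'strict-mixed-content-checking' directive named above and then decides, for one subresource request, whether it is blocked and whether the embedder is notified. The classification of image, audio and video as optionally-blockable follows the Mixed Content spec; treating only http: under an https: document as mixed is a simplification assumed here.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Directive name as landed by this patch (behind the experimental flag).
STRICT_DIRECTIVE = "strict-mixed-content-checking"

# Request kinds the Mixed Content spec calls "optionally-blockable":
# they normally load but degrade the security UI. Everything else is "blockable".
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}


def csp_has_strict_mode(header: str) -> bool:
    """True if any directive in a Content-Security-Policy header enables strict mode."""
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == STRICT_DIRECTIVE:
            return True
    return False


def is_mixed(document_url: str, request_url: str) -> bool:
    # Simplification assumed here: a plaintext http: fetch from an https: document.
    return (urlparse(document_url).scheme == "https"
            and urlparse(request_url).scheme == "http")


@dataclass(frozen=True)
class Decision:
    blocked: bool           # the request is refused
    notify_embedder: bool   # the browser UI is told about mixed content (shield icon, "load anyway")


def check_mixed_content(document_url: str, request_url: str, request_type: str,
                        csp_header: str, embedder_allows_blockable: bool = False) -> Decision:
    """Decide the fate of one subresource request under the page's CSP."""
    if not is_mixed(document_url, request_url):
        return Decision(blocked=False, notify_embedder=False)
    if csp_has_strict_mode(csp_header):
        # Effect 1: all mixed content is blockable, hence blocked.
        # Effect 2: the embedder is never consulted, so no user override exists.
        return Decision(blocked=True, notify_embedder=False)
    if request_type in OPTIONALLY_BLOCKABLE:
        # Default mode: loads, but the UI is degraded.
        return Decision(blocked=False, notify_embedder=True)
    # Blockable content: blocked unless the user already opted in via the embedder.
    return Decision(blocked=not embedder_allows_blockable, notify_embedder=True)
```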

Patch Set 1 #

Patch Set 2 : Tests. #

Patch Set 3 : Tests. #

Stats (+134 lines, -8 lines)
M LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html (1 chunk, +2 lines, -0 lines)
A LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html (1 chunk, +15 lines, -0 lines)
A LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https-expected.txt (1 chunk, +4 lines, -0 lines)
A LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https.html (1 chunk, +20 lines, -0 lines)
A LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt (1 chunk, +4 lines, -0 lines)
M Source/core/dom/Document.cpp (1 chunk, +2 lines, -0 lines)
M Source/core/dom/DocumentInit.h (1 chunk, +1 line, -0 lines)
M Source/core/dom/DocumentInit.cpp (1 chunk, +6 lines, -0 lines)
M Source/core/dom/ExecutionContext.h (2 chunks, +5 lines, -0 lines)
M Source/core/dom/ExecutionContext.cpp (1 chunk, +1 line, -0 lines)
M Source/core/frame/csp/CSPDirectiveList.h (2 chunks, +3 lines, -0 lines)
M Source/core/frame/csp/CSPDirectiveList.cpp (3 chunks, +19 lines, -0 lines)
M Source/core/frame/csp/ContentSecurityPolicy.h (5 chunks, +8 lines, -1 line)
M Source/core/frame/csp/ContentSecurityPolicy.cpp (8 chunks, +22 lines, -5 lines)
M Source/core/loader/FrameLoader.h (1 chunk, +2 lines, -0 lines)
M Source/core/loader/FrameLoader.cpp (1 chunk, +14 lines, -0 lines)
M Source/core/loader/MixedContentChecker.cpp (2 chunks, +6 lines, -2 lines)

Messages

Total messages: 7 (3 generated)
Mike West
Jochen, mind taking a look? Ryan, Chris: FYI.
6 years ago (2014-12-16 09:38:46 UTC) #3
jochen (gone - plz use gerrit)
lgtm
6 years ago (2014-12-16 09:45:58 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/811773002/40001
6 years ago (2014-12-16 10:04:23 UTC) #6
commit-bot: I haz the power
6 years ago (2014-12-16 10:56:40 UTC) #7
Message was sent while issue was closed.
Committed patchset #3 (id:40001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=187241
