OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 273 matching lines...)
284 if (!isMixedContent(frame->document()->securityOrigin(), url)) | 284 if (!isMixedContent(frame->document()->securityOrigin(), url)) |
285 return false; | 285 return false; |
286 | 286 |
287 MixedContentChecker::count(frame, resourceRequest.requestContext()); | 287 MixedContentChecker::count(frame, resourceRequest.requestContext()); |
288 | 288 |
289 Settings* settings = frame->settings(); | 289 Settings* settings = frame->settings(); |
290 FrameLoaderClient* client = frame->loader().client(); | 290 FrameLoaderClient* client = frame->loader().client(); |
291 SecurityOrigin* securityOrigin = frame->document()->securityOrigin(); | 291 SecurityOrigin* securityOrigin = frame->document()->securityOrigin(); |
292 bool allowed = false; | 292 bool allowed = false; |
293 | 293 |
| 294 // If we're in strict mode, we'll automagically fail everything, and intenti
onally skip |
| 295 // the client checks in order to prevent degrading the site's security UI. |
| 296 bool strictMode = frame->document()->shouldEnforceStrictMixedContentChecking
(); |
| 297 |
294 ContextType contextType = contextTypeFromContext(resourceRequest.requestCont
ext()); | 298 ContextType contextType = contextTypeFromContext(resourceRequest.requestCont
ext()); |
295 if (contextType == ContextTypeBlockableUnlessLax) | 299 if (contextType == ContextTypeBlockableUnlessLax) |
296 contextType = RuntimeEnabledFeatures::laxMixedContentCheckingEnabled() ?
ContextTypeOptionallyBlockable : ContextTypeBlockable; | 300 contextType = RuntimeEnabledFeatures::laxMixedContentCheckingEnabled() ?
ContextTypeOptionallyBlockable : ContextTypeBlockable; |
297 | 301 |
298 // If we're loading the main resource of a subframe, we need to take a close
look at the loaded URL. | 302 // If we're loading the main resource of a subframe, we need to take a close
look at the loaded URL. |
299 // If we're dealing with a CORS-enabled scheme, then block mixed frames as a
ctive content. Otherwise, | 303 // If we're dealing with a CORS-enabled scheme, then block mixed frames as a
ctive content. Otherwise, |
300 // treat frames as passive content. | 304 // treat frames as passive content. |
301 // | 305 // |
302 // FIXME: Remove this temporary hack once we have a reasonable API for launc
hing external applications | 306 // FIXME: Remove this temporary hack once we have a reasonable API for launc
hing external applications |
303 // via URLs. http://crbug.com/318788 and https://crbug.com/393481 | 307 // via URLs. http://crbug.com/318788 and https://crbug.com/393481 |
304 if (resourceRequest.frameType() == WebURLRequest::FrameTypeNested && !Scheme
Registry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) | 308 if (resourceRequest.frameType() == WebURLRequest::FrameTypeNested && !Scheme
Registry::shouldTreatURLSchemeAsCORSEnabled(url.protocol())) |
305 contextType = ContextTypeOptionallyBlockable; | 309 contextType = ContextTypeOptionallyBlockable; |
306 | 310 |
307 switch (contextType) { | 311 switch (contextType) { |
308 case ContextTypeOptionallyBlockable: | 312 case ContextTypeOptionallyBlockable: |
309 allowed = client->allowDisplayingInsecureContent(settings && settings->a
llowDisplayOfInsecureContent(), securityOrigin, url); | 313 allowed = !strictMode && client->allowDisplayingInsecureContent(settings
&& settings->allowDisplayOfInsecureContent(), securityOrigin, url); |
310 if (allowed) | 314 if (allowed) |
311 client->didDisplayInsecureContent(); | 315 client->didDisplayInsecureContent(); |
312 break; | 316 break; |
313 | 317 |
314 case ContextTypeBlockable: | 318 case ContextTypeBlockable: |
315 allowed = client->allowRunningInsecureContent(settings && settings->allo
wRunningOfInsecureContent(), securityOrigin, url); | 319 allowed = !strictMode && client->allowRunningInsecureContent(settings &&
settings->allowRunningOfInsecureContent(), securityOrigin, url); |
316 if (allowed) | 320 if (allowed) |
317 client->didRunInsecureContent(securityOrigin, url); | 321 client->didRunInsecureContent(securityOrigin, url); |
318 break; | 322 break; |
319 | 323 |
320 case ContextTypeShouldBeBlockable: | 324 case ContextTypeShouldBeBlockable: |
321 return false; | 325 return false; |
322 | 326 |
323 case ContextTypeBlockableUnlessLax: | 327 case ContextTypeBlockableUnlessLax: |
324 // We map this to either OptionallyBlockable or Blockable above. | 328 // We map this to either OptionallyBlockable or Blockable above. |
325 ASSERT_NOT_REACHED(); | 329 ASSERT_NOT_REACHED(); |
(...skipping 136 matching lines...)
462 if (Platform::current()->isReservedIPAddress(resourceIP) && !Platform::curre
nt()->isReservedIPAddress(documentIP)) | 466 if (Platform::current()->isReservedIPAddress(resourceIP) && !Platform::curre
nt()->isReservedIPAddress(documentIP)) |
463 UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHost
nameInPublicHostname); | 467 UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHost
nameInPublicHostname); |
464 } | 468 } |
465 | 469 |
466 void MixedContentChecker::trace(Visitor* visitor) | 470 void MixedContentChecker::trace(Visitor* visitor) |
467 { | 471 { |
468 visitor->trace(m_frame); | 472 visitor->trace(m_frame); |
469 } | 473 } |
470 | 474 |
471 } // namespace blink | 475 } // namespace blink |
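Review bot: The `case ContextTypeShouldBeBlockable:` arm (new line 325) still does an unconditional `return false;` and never consults `strictMode`, so that context type bypasses strict mixed-content checking even though the new comment says strict mode fails everything. Judging from the early `return false;` after the `isMixedContent` test at new line 285, `false` appears to mean "do not block", which would let these requests load from a document that opted into strict checking. Consider guarding that arm, e.g. `if (!strictMode) return false;`, and letting the strict case reach the same blocked path as the other two arms with `allowed` left false. The start of the function and the code after the switch are outside the visible lines, so confirm the return-value convention and the console reporting there. A layout test that loads a should-be-blockable resource under strict mode would pin the behaviour.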
OLD | NEW |