[ServiceWorker] Block all mixed-content requests from a ServiceWorker.

Source/web/WebEmbeddedWorkerImpl.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 286 matching lines @@
 void WebEmbeddedWorkerImpl::prepareShadowPageForLoader()
 {
     // Create 'shadow page', which is never displayed and is used mainly to
     // provide a context for loading on the main thread.
     //
     // FIXME: This does mostly same as WebSharedWorkerImpl::initializeLoader.
     // This code, and probably most of the code in this class should be shared
     // with SharedWorker.
     ASSERT(!m_webView);
     m_webView = WebView::create(0);
+    WebSettings* settings = m_webView->settings();
     // FIXME: http://crbug.com/363843. This needs to find a better way to
     // not create graphics layers.
-    m_webView->settings()->setAcceleratedCompositingEnabled(false);
+    settings->setAcceleratedCompositingEnabled(false);
+    // Currently we block all mixed-content requests from a ServiceWorker.
+    // FIXME: When we support FetchEvent.default(), we should relax this
+    // restriction.
+    settings->setStrictMixedContentChecking(true);

[Mike West, 2015/01/26 10:04:53]

This settings object only takes effect for this worker, right? I assume we throw
the webview away after the worker is destructed, and don't use it for any
page-level security checks?

[horo, 2015/01/26 11:17:14]

Yes. This WebView is only used for the resource loading requests from the
ServiceWorker.

+    settings->setAllowDisplayOfInsecureContent(false);
+    settings->setAllowRunningOfInsecureContent(false);

[Mike West, 2015/01/26 10:04:53]

Setting strict mode will stop notifications up to the frame client; that might
or might not be what you want. It will prevent UI degradation, but it will also
prevent the mixed content shield icon from showing up for user override, and
will stop any browser-side UMA measurement.

As long as everything mixed-content-related that you want to measure happens on
the blink side, that's fine, but it's something to consider.

[horo, 2015/01/26 11:17:14]

We discussed with rsleevi@ and decided to block all mixed-content requests from
ServiceWorkers for M42.
This ensures that the ServiceWorker will not touch any HTTP responses.

And for M43, we will implement the browser side buffering for No-CORS
mixed-content requests.
https://docs.google.com/document/d/1y6X8rVhkP_fQeC2awsG8mSCVTorw9FLniOncVLtT1...

     m_mainFrame = WebLocalFrame::create(this);
     m_webView->setMainFrame(m_mainFrame);
     m_webView->setDevToolsAgentClient(this);
 
     // If we were asked to wait for debugger then it is the good time to do that.
     // However if we are updating service worker version (m_pauseAfterDownloadState is set)
     // Then we need to load the worker script to check the version, so in this case we wait for debugger
     // later in ::resumeAfterDownload().
     if (m_pauseAfterDownloadState != DoPauseAfterDownload) {
         m_workerContextClient->workerReadyForInspection();
@@ skipping 114 matching lines @@
     m_mainScriptLoader.clear();
 
     m_workerGlobalScopeProxy = ServiceWorkerGlobalScopeProxy::create(*this, *document, *m_workerContextClient);
     m_loaderProxy = LoaderProxy::create(*this);
     m_workerThread = ServiceWorkerThread::create(*m_loaderProxy, *m_workerGlobalScopeProxy, startupData.release());
     m_workerThread->start();
     m_workerInspectorProxy->workerThreadCreated(document, m_workerThread.get(), scriptURL);
 }
 
 } // namespace blink