| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2012 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 311 matching lines...) | |
| 322 client->didDisplayInsecureContent(); | 322 client->didDisplayInsecureContent(); |
| 323 break; | 323 break; |
| 324 | 324 |
| 325 case ContextTypeBlockable: | 325 case ContextTypeBlockable: |
| 326 allowed = !strictMode && client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url); | 326 allowed = !strictMode && client->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url); |
| 327 if (allowed) | 327 if (allowed) |
| 328 client->didRunInsecureContent(securityOrigin, url); | 328 client->didRunInsecureContent(securityOrigin, url); |
| 329 break; | 329 break; |
| 330 | 330 |
| 331 case ContextTypeShouldBeBlockable: | 331 case ContextTypeShouldBeBlockable: |
| 332 allowed = true; | 332 allowed = !strictMode && true; |
|
jww
2015/02/23 18:23:17
Why the '&& true'? Shouldn't !strictMode be sufficient?
Mike West
2015/02/24 07:43:34
Because I'm an idiot. Thanks!
| |
| 333 client->didDisplayInsecureContent(); | 333 if (allowed) |
| 334 client->didDisplayInsecureContent(); | |
| 334 break; | 335 break; |
| 335 }; | 336 }; |
| 336 | 337 |
| 337 if (reportingStatus == SendReport) | 338 if (reportingStatus == SendReport) |
| 338 logToConsole(frame, url, requestContext, allowed); | 339 logToConsole(frame, url, requestContext, allowed); |
| 339 return !allowed; | 340 return !allowed; |
| 340 } | 341 } |
| 341 | 342 |
| 342 // static | 343 // static |
| 343 bool MixedContentChecker::shouldBlockConnection(LocalFrame* frame, const KURL& u rl, MixedContentChecker::ReportingStatus reportingStatus) | 344 bool MixedContentChecker::shouldBlockConnection(LocalFrame* frame, const KURL& u rl, MixedContentChecker::ReportingStatus reportingStatus) |
| 344 { | 345 { |
| 345 LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, WebURLRequest::Fr ameTypeNone, url); | 346 LocalFrame* mixedFrame = inWhichFrameIsContentMixed(frame, WebURLRequest::Fr ameTypeNone, url); |
| 346 if (!mixedFrame) | 347 if (!mixedFrame) |
| 347 return false; | 348 return false; |
| 348 | 349 |
| 349 UseCounter::count(mixedFrame, UseCounter::MixedContentPresent); | 350 UseCounter::count(mixedFrame, UseCounter::MixedContentPresent); |
| 350 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); | 351 UseCounter::count(mixedFrame, UseCounter::MixedContentWebSocket); |
| 351 | 352 |
| 352 // If we're in strict mode, we'll automagically fail everything, and intenti onally skip | |
| 353 // the client checks in order to prevent degrading the site's security UI. | |
| 354 bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChe cking(); | |
| 355 | |
| 356 Settings* settings = mixedFrame->settings(); | 353 Settings* settings = mixedFrame->settings(); |
| 357 FrameLoaderClient* client = mixedFrame->loader().client(); | 354 FrameLoaderClient* client = mixedFrame->loader().client(); |
| 358 SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin(); | 355 SecurityOrigin* securityOrigin = mixedFrame->document()->securityOrigin(); |
| 359 bool allowedPerSettings = settings && (settings->allowRunningOfInsecureConte nt() || settings->allowConnectingInsecureWebSocket()); | 356 |
| 357 // If we're in strict mode, we'll automagically fail everything, and intenti onally skip | |
| 358 // the client checks in order to prevent degrading the site's security UI. | |
| 359 bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChe cking() || settings->strictMixedContentChecking(); | |
| 360 bool allowedPerSettings = !strictMode && settings && (settings->allowRunning OfInsecureContent() || settings->allowConnectingInsecureWebSocket()); | |
| 360 bool allowed = !strictMode && client->allowRunningInsecureContent(allowedPer Settings, securityOrigin, url); | 361 bool allowed = !strictMode && client->allowRunningInsecureContent(allowedPer Settings, securityOrigin, url); |
| 361 | 362 |
| 362 if (reportingStatus == SendReport) { | 363 if (reportingStatus == SendReport) { |
| 363 String message = String::format( | 364 String message = String::format( |
| 364 "Mixed Content: The page at '%s' was loaded over HTTPS, but attempte d to connect to the insecure WebSocket endpoint '%s'. %s", | 365 "Mixed Content: The page at '%s' was loaded over HTTPS, but attempte d to connect to the insecure WebSocket endpoint '%s'. %s", |
| 365 frame->document()->url().elidedString().utf8().data(), url.elidedStr ing().utf8().data(), | 366 frame->document()->url().elidedString().utf8().data(), url.elidedStr ing().utf8().data(), |
| 366 allowed ? "This endpoint should be available via WSS. Insecure acces s is deprecated." : "This request has been blocked; this endpoint must be availa ble over WSS."); | 367 allowed ? "This endpoint should be available via WSS. Insecure acces s is deprecated." : "This request has been blocked; this endpoint must be availa ble over WSS."); |
| 367 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessage Level; | 368 MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessage Level; |
| 368 mixedFrame->document()->addConsoleMessage(ConsoleMessage::create(Securit yMessageSource, messageLevel, message)); | 369 mixedFrame->document()->addConsoleMessage(ConsoleMessage::create(Securit yMessageSource, messageLevel, message)); |
| 369 } | 370 } |
| (...skipping 31 matching lines...) | |
| 401 { | 402 { |
| 402 if (!frame || !frame->document() || !frame->document()->loader()) | 403 if (!frame || !frame->document() || !frame->document()->loader()) |
| 403 return; | 404 return; |
| 404 | 405 |
| 405 // Just count these for the moment, don't block them. | 406 // Just count these for the moment, don't block them. |
| 406 if (Platform::current()->isReservedIPAddress(resourceIPAddress) && !frame->d ocument()->isHostedInReservedIPRange()) | 407 if (Platform::current()->isReservedIPAddress(resourceIPAddress) && !frame->d ocument()->isHostedInReservedIPRange()) |
| 407 UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHost nameInPublicHostname); | 408 UseCounter::count(frame->document(), UseCounter::MixedContentPrivateHost nameInPublicHostname); |
| 408 } | 409 } |
| 409 | 410 |
| 410 } // namespace blink | 411 } // namespace blink |
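Review bot: In shouldBlockConnection, the relocated strictMode line (new 359, going by the gutter numbering) calls `settings->strictMixedContentChecking()` with no null check. The very next line still guards with `settings &&`, and shouldBlockFetch passes `settings && settings->allowRunningOfInsecureContent()`, so `mixedFrame->settings()` is evidently expected to be null at times. A null Settings would then crash inside the mixed-content check instead of reaching the blocking decision. Guarding the new term keeps the check consistent with its neighbours: `bool strictMode = mixedFrame->document()->shouldEnforceStrictMixedContentChecking() || (settings && settings->strictMixedContentChecking());`. The end of shouldBlockConnection falls in the skipped lines, so its return path is not covered here.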