Diffstat (limited to 'chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc | 92 |
1 files changed, 66 insertions, 26 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
index 4355ac7084b..1c148e0da03 100644
--- a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
+++ b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
@@ -33,12 +33,12 @@
 #include "services/network/public/mojom/request_context_frame_type.mojom-blink.h"
 #include "third_party/blink/public/common/features.h"
 #include "third_party/blink/public/mojom/net/ip_address_space.mojom-blink.h"
+#include "third_party/blink/public/platform/web_content_settings_client.h"
 #include "third_party/blink/public/platform/web_insecure_request_policy.h"
 #include "third_party/blink/public/platform/web_mixed_content.h"
 #include "third_party/blink/public/platform/web_security_origin.h"
 #include "third_party/blink/public/platform/web_worker_fetch_context.h"
 #include "third_party/blink/renderer/core/dom/document.h"
-#include "third_party/blink/renderer/core/frame/content_settings_client.h"
 #include "third_party/blink/renderer/core/frame/frame.h"
 #include "third_party/blink/renderer/core/frame/local_frame.h"
 #include "third_party/blink/renderer/core/frame/local_frame_client.h"
@@ -148,15 +148,12 @@ const char* RequestContextName(mojom::RequestContextType context) { return "resource"; } -// TODO(nhiroki): Consider adding interfaces for Settings/WorkerSettings and -// ContentSettingsClient/WorkerContentSettingsClient to avoid using C++ -// template. -template <typename SettingsType, typename SettingsClientType> +// TODO(nhiroki): Consider adding interfaces for Settings/WorkerSettings +// to avoid using C++ template. +template <typename SettingsType> bool IsWebSocketAllowedImpl(const BaseFetchContext& fetch_context, SecurityContext* security_context, - const SecurityOrigin* security_origin, SettingsType* settings, - SettingsClientType* settings_client, const KURL& url) { fetch_context.CountUsage(WebFeature::kMixedContentPresent); fetch_context.CountUsage(WebFeature::kMixedContentWebSocket); @@ -174,10 +171,7 @@ bool IsWebSocketAllowedImpl(const BaseFetchContext& fetch_context, settings->GetStrictMixedContentChecking(); if (strict_mode) return false; - bool allowed_per_settings = - settings && settings->GetAllowRunningOfInsecureContent(); - return settings_client->AllowRunningInsecureContent(allowed_per_settings, - security_origin, url); + return settings && settings->GetAllowRunningOfInsecureContent(); } } // namespace @@ -237,7 +231,7 @@ bool MixedContentChecker::IsMixedContent(const SecurityOrigin* security_origin, // static bool MixedContentChecker::IsMixedContent( - const FetchClientSettingsObjectImpl& settings, + const FetchClientSettingsObject& settings, const KURL& url) { switch (settings.GetHttpsState()) { case HttpsState::kNone: 
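Review bot: IsWebSocketAllowedImpl now returns only the settings-derived answer (`return settings && settings->GetAllowRunningOfInsecureContent();`) and the embedder consult has moved out to its callers, but nothing at the definition says so; the name still reads as the final allow/deny decision. Suggest a comment above the template, e.g. `// Settings-only decision: false under strict mode, otherwise the AllowRunningOfInsecureContent setting. Callers pass the result through WebContentSettingsClient::AllowRunningInsecureContent.` The function's body spans the first two hunks on this line, and the expression that computes strict_mode begins outside them.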
@@ -378,7 +372,7 @@ bool MixedContentChecker::ShouldBlockFetch( // Use the current local frame's client; the embedder doesn't distinguish // mixed content signals from different frames on the same page. LocalFrameClient* client = frame->Client(); - ContentSettingsClient* content_settings_client = + WebContentSettingsClient* content_settings_client = frame->GetContentSettingsClient(); const SecurityOrigin* security_origin = mixed_frame->GetSecurityContext()->GetSecurityOrigin(); @@ -405,14 +399,15 @@ bool MixedContentChecker::ShouldBlockFetch( // launching external applications via URLs. http://crbug.com/318788 and // https://crbug.com/393481 if (frame_type == network::mojom::RequestContextFrameType::kNested && - !SchemeRegistry::ShouldTreatURLSchemeAsCORSEnabled(url.Protocol())) + !SchemeRegistry::ShouldTreatURLSchemeAsCorsEnabled(url.Protocol())) context_type = WebMixedContentContextType::kOptionallyBlockable; switch (context_type) { case WebMixedContentContextType::kOptionallyBlockable: allowed = !strict_mode; if (allowed) { - content_settings_client->PassiveInsecureContentFound(url); + if (content_settings_client) + content_settings_client->PassiveInsecureContentFound(url); client->DidDisplayInsecureContent(); } break; 
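Review bot: The null guard added before `content_settings_client->PassiveInsecureContentFound(url)` is the only thing in this hunk recording that `frame->GetContentSettingsClient()` may now return null, and nothing says why displaying the content still proceeds without it. A one-line comment would make the intent explicit, e.g. `// Notification-only embedder hook; |allowed| was already decided from strict_mode above.` When a null client is expected is not visible here, and ShouldBlockFetch starts outside the hunk, so any other dereference of the pointer in the function would need the same guard.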
@@ -439,10 +434,13 @@ bool MixedContentChecker::ShouldBlockFetch( !strict_mode && settings && (!settings->GetStrictlyBlockBlockableMixedContent() || settings->GetAllowRunningOfInsecureContent()); - allowed = should_ask_embedder && - content_settings_client->AllowRunningInsecureContent( - settings && settings->GetAllowRunningOfInsecureContent(), - security_origin, url); + if (should_ask_embedder) { + allowed = settings && settings->GetAllowRunningOfInsecureContent(); + if (content_settings_client) { + allowed = content_settings_client->AllowRunningInsecureContent( + allowed, WebSecurityOrigin(security_origin), url); + } + } if (allowed) { client->DidRunInsecureContent(security_origin, url); UseCounter::Count(frame, WebFeature::kMixedContentBlockableAllowed); @@ -561,14 +559,18 @@ bool MixedContentChecker::IsWebSocketAllowed( Settings* settings = mixed_frame->GetSettings(); // Use the current local frame's client; the embedder doesn't distinguish // mixed content signals from different frames on the same page. - ContentSettingsClient* content_settings_client = + WebContentSettingsClient* content_settings_client = frame->GetContentSettingsClient(); SecurityContext* security_context = mixed_frame->GetSecurityContext(); const SecurityOrigin* security_origin = security_context->GetSecurityOrigin(); bool allowed = IsWebSocketAllowedImpl(frame_fetch_context, security_context, - security_origin, settings, - content_settings_client, url); + settings, url); + if (content_settings_client) { + allowed = content_settings_client->AllowRunningInsecureContent( + allowed, WebSecurityOrigin(security_origin), url); + } + if (allowed) frame->Client()->DidRunInsecureContent(security_origin, url); 
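Review bot: In the blockable branch `allowed` is now assigned only inside `if (should_ask_embedder)`, so when the embedder is not asked the result is whatever `allowed` held before the switch, which is set outside this hunk; the old single assignment made the false explicit. The inner `settings &&` is also redundant, since `should_ask_embedder` already requires `settings`. Suggest `allowed = should_ask_embedder && settings->GetAllowRunningOfInsecureContent();` followed by `if (should_ask_embedder && content_settings_client)` and the existing `AllowRunningInsecureContent(allowed, WebSecurityOrigin(security_origin), url)` call, which keeps the same outcome while not depending on the earlier value.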
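Review bot: The embedder consult added after IsWebSocketAllowedImpl in the frame variant is unconditional, whereas ShouldBlockFetch in the previous hunk asks the embedder only when `should_ask_embedder` (which includes `!strict_mode`) holds. Before this change the helper returned false under strict mode without consulting the embedder; now that false is passed as the `allowed` argument to `AllowRunningInsecureContent`, and if the embedder can answer true for a per-site exception, strict mixed-content checking no longer forces the WebSocket to be blocked. The worker variant in the next hunk (-596) has the same shape. Suggest gating the call the way ShouldBlockFetch does, by computing the strict-mode condition at the caller and consulting the embedder only when it is false, or documenting at the helper that strict mode is advisory for WebSockets; the strict_mode computation lives in the helper, outside the caller's view.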
@@ -596,8 +598,12 @@ bool MixedContentChecker::IsWebSocketAllowed( worker_fetch_context.GetSecurityOrigin(); bool allowed = IsWebSocketAllowedImpl(worker_fetch_context, security_context, - security_origin, settings, - content_settings_client, url); + settings, url); + if (content_settings_client) { + allowed = content_settings_client->AllowRunningInsecureContent( + allowed, security_origin, url); + } + if (allowed) { worker_fetch_context.GetWebWorkerFetchContext()->DidRunInsecureContent( WebSecurityOrigin(security_origin), url); @@ -679,7 +685,7 @@ void MixedContentChecker::CheckMixedPrivatePublic( return; // Just count these for the moment, don't block them. - if (NetworkUtils::IsReservedIPAddress(resource_ip_address) && + if (network_utils::IsReservedIPAddress(resource_ip_address) && frame->GetDocument()->AddressSpace() == mojom::IPAddressSpace::kPublic) { UseCounter::Count(frame->GetDocument(), WebFeature::kMixedContentPrivateHostnameInPublicHostname); 
@@ -762,6 +768,40 @@ void MixedContentChecker::MixedContentFound( } } +// static +ConsoleMessage* MixedContentChecker::CreateConsoleMessageAboutFetchAutoupgrade( + const KURL& main_resource_url, + const KURL& mixed_content_url) { + String message = String::Format( + "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an " + "insecure element '%s'. As part of an experiment this request was " + "automatically upgraded to HTTPS, For more information see " + "https://chromium.googlesource.com/chromium/src/+/master/docs/security/" + "autougprade-mixed.md", + main_resource_url.ElidedString().Utf8().data(), + mixed_content_url.ElidedString().Utf8().data()); + return ConsoleMessage::Create(kSecurityMessageSource, kWarningMessageLevel, + message); +} + +// static +ConsoleMessage* +MixedContentChecker::CreateConsoleMessageAboutWebSocketAutoupgrade( + const KURL& main_resource_url, + const KURL& mixed_content_url) { + String message = String::Format( + "Mixed Content: The page at '%s' was loaded over HTTPS, but attempted " + "to connect to the insecure WebSocket endpoint '%s'. As part of an " + "experiment this request was automatically upgraded to HTTPS, For more " + "information see " + "https://chromium.googlesource.com/chromium/src/+/master/docs/security/" + "autougprade-mixed.md", + main_resource_url.ElidedString().Utf8().data(), + mixed_content_url.ElidedString().Utf8().data()); + return ConsoleMessage::Create(kSecurityMessageSource, kWarningMessageLevel, + message); +} + WebMixedContentContextType MixedContentChecker::ContextTypeForInspector( LocalFrame* frame, const ResourceRequest& request) { 
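Review bot: Both new console messages have wording defects in their literals: the text runs `upgraded to HTTPS, For more information see`, which needs a full stop before `For`, and the linked path segment `autougprade-mixed.md` looks transposed relative to the `Autoupgrade` in the function names, so the link should be checked against the actual docs path before shipping a security warning that points nowhere. Suggested fragments: `"automatically upgraded to HTTPS. For more information see "` and, if the document is named as the functions are, `"autoupgrade-mixed.md"`. The two functions differ only in their middle clause, so a small shared helper taking that clause would keep the URL in one place.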
@@ -777,7 +817,7 @@ WebMixedContentContextType MixedContentChecker::ContextTypeForInspector( // subframe. if (request.GetFrameType() == network::mojom::RequestContextFrameType::kNested && - !SchemeRegistry::ShouldTreatURLSchemeAsCORSEnabled( + !SchemeRegistry::ShouldTreatURLSchemeAsCorsEnabled( request.Url().Protocol())) { return WebMixedContentContextType::kOptionallyBlockable; } |