Diffstat (limited to 'chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc')
-rw-r--r--chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc92
1 files changed, 66 insertions, 26 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
index 4355ac7084b..1c148e0da03 100644
--- a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
+++ b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
@@ -33,12 +33,12 @@
#include "services/network/public/mojom/request_context_frame_type.mojom-blink.h"
#include "third_party/blink/public/common/features.h"
#include "third_party/blink/public/mojom/net/ip_address_space.mojom-blink.h"
+#include "third_party/blink/public/platform/web_content_settings_client.h"
#include "third_party/blink/public/platform/web_insecure_request_policy.h"
#include "third_party/blink/public/platform/web_mixed_content.h"
#include "third_party/blink/public/platform/web_security_origin.h"
#include "third_party/blink/public/platform/web_worker_fetch_context.h"
#include "third_party/blink/renderer/core/dom/document.h"
-#include "third_party/blink/renderer/core/frame/content_settings_client.h"
#include "third_party/blink/renderer/core/frame/frame.h"
#include "third_party/blink/renderer/core/frame/local_frame.h"
#include "third_party/blink/renderer/core/frame/local_frame_client.h"
@@ -148,15 +148,12 @@ const char* RequestContextName(mojom::RequestContextType context) {
return "resource";
}
-// TODO(nhiroki): Consider adding interfaces for Settings/WorkerSettings and
-// ContentSettingsClient/WorkerContentSettingsClient to avoid using C++
-// template.
-template <typename SettingsType, typename SettingsClientType>
+// TODO(nhiroki): Consider adding interfaces for Settings/WorkerSettings
+// to avoid using C++ template.
+template <typename SettingsType>
bool IsWebSocketAllowedImpl(const BaseFetchContext& fetch_context,
SecurityContext* security_context,
- const SecurityOrigin* security_origin,
SettingsType* settings,
- SettingsClientType* settings_client,
const KURL& url) {
fetch_context.CountUsage(WebFeature::kMixedContentPresent);
fetch_context.CountUsage(WebFeature::kMixedContentWebSocket);
@@ -174,10 +171,7 @@ bool IsWebSocketAllowedImpl(const BaseFetchContext& fetch_context,
settings->GetStrictMixedContentChecking();
if (strict_mode)
return false;
- bool allowed_per_settings =
- settings && settings->GetAllowRunningOfInsecureContent();
- return settings_client->AllowRunningInsecureContent(allowed_per_settings,
- security_origin, url);
+ return settings && settings->GetAllowRunningOfInsecureContent();
}
} // namespace
@@ -237,7 +231,7 @@ bool MixedContentChecker::IsMixedContent(const SecurityOrigin* security_origin,
// static
bool MixedContentChecker::IsMixedContent(
- const FetchClientSettingsObjectImpl& settings,
+ const FetchClientSettingsObject& settings,
const KURL& url) {
switch (settings.GetHttpsState()) {
case HttpsState::kNone:
@@ -378,7 +372,7 @@ bool MixedContentChecker::ShouldBlockFetch(
// Use the current local frame's client; the embedder doesn't distinguish
// mixed content signals from different frames on the same page.
LocalFrameClient* client = frame->Client();
- ContentSettingsClient* content_settings_client =
+ WebContentSettingsClient* content_settings_client =
frame->GetContentSettingsClient();
const SecurityOrigin* security_origin =
mixed_frame->GetSecurityContext()->GetSecurityOrigin();
@@ -405,14 +399,15 @@ bool MixedContentChecker::ShouldBlockFetch(
// launching external applications via URLs. http://crbug.com/318788 and
// https://crbug.com/393481
if (frame_type == network::mojom::RequestContextFrameType::kNested &&
- !SchemeRegistry::ShouldTreatURLSchemeAsCORSEnabled(url.Protocol()))
+ !SchemeRegistry::ShouldTreatURLSchemeAsCorsEnabled(url.Protocol()))
context_type = WebMixedContentContextType::kOptionallyBlockable;
switch (context_type) {
case WebMixedContentContextType::kOptionallyBlockable:
allowed = !strict_mode;
if (allowed) {
- content_settings_client->PassiveInsecureContentFound(url);
+ if (content_settings_client)
+ content_settings_client->PassiveInsecureContentFound(url);
client->DidDisplayInsecureContent();
}
break;
@@ -439,10 +434,13 @@ bool MixedContentChecker::ShouldBlockFetch(
!strict_mode && settings &&
(!settings->GetStrictlyBlockBlockableMixedContent() ||
settings->GetAllowRunningOfInsecureContent());
- allowed = should_ask_embedder &&
- content_settings_client->AllowRunningInsecureContent(
- settings && settings->GetAllowRunningOfInsecureContent(),
- security_origin, url);
+ if (should_ask_embedder) {
+ allowed = settings && settings->GetAllowRunningOfInsecureContent();
+ if (content_settings_client) {
+ allowed = content_settings_client->AllowRunningInsecureContent(
+ allowed, WebSecurityOrigin(security_origin), url);
+ }
+ }
if (allowed) {
client->DidRunInsecureContent(security_origin, url);
UseCounter::Count(frame, WebFeature::kMixedContentBlockableAllowed);
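Review bot: When `should_ask_embedder` is false, the rewritten block no longer assigns `allowed` at all, whereas the removed expression always wrote it. The outcome for blockable mixed content now depends on how `allowed` was initialised before the switch, which is outside this hunk. Assigning it unconditionally keeps the block self-contained: `allowed = should_ask_embedder && settings && settings->GetAllowRunningOfInsecureContent();` followed by `if (should_ask_embedder && content_settings_client) {`. With a null `content_settings_client` the request is now allowed on the settings flag alone, so a short comment such as `// No embedder client: fall back to the settings value.` would record that this is intended.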
@@ -561,14 +559,18 @@ bool MixedContentChecker::IsWebSocketAllowed(
Settings* settings = mixed_frame->GetSettings();
// Use the current local frame's client; the embedder doesn't distinguish
// mixed content signals from different frames on the same page.
- ContentSettingsClient* content_settings_client =
+ WebContentSettingsClient* content_settings_client =
frame->GetContentSettingsClient();
SecurityContext* security_context = mixed_frame->GetSecurityContext();
const SecurityOrigin* security_origin = security_context->GetSecurityOrigin();
bool allowed = IsWebSocketAllowedImpl(frame_fetch_context, security_context,
- security_origin, settings,
- content_settings_client, url);
+ settings, url);
+ if (content_settings_client) {
+ allowed = content_settings_client->AllowRunningInsecureContent(
+ allowed, WebSecurityOrigin(security_origin), url);
+ }
+
if (allowed)
frame->Client()->DidRunInsecureContent(security_origin, url);
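Review bot: The embedder is now consulted after `IsWebSocketAllowedImpl` has returned, so a `false` produced by the helper's `if (strict_mode) return false;` is handed to `AllowRunningInsecureContent` and can be replaced by whatever it returns. Before this change the strict-mode return happened ahead of the embedder call, so the embedder could not relax strict mixed-content checking for WebSockets. Whether any embedder returns true for a false input is not visible here, but the block-all guarantee should not depend on that. Have the helper report strict mode separately and guard the call with `if (!strict_mode && content_settings_client) {`. The worker overload of `IsWebSocketAllowed` in the next hunk has the same pattern.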
@@ -596,8 +598,12 @@ bool MixedContentChecker::IsWebSocketAllowed(
worker_fetch_context.GetSecurityOrigin();
bool allowed = IsWebSocketAllowedImpl(worker_fetch_context, security_context,
- security_origin, settings,
- content_settings_client, url);
+ settings, url);
+ if (content_settings_client) {
+ allowed = content_settings_client->AllowRunningInsecureContent(
+ allowed, security_origin, url);
+ }
+
if (allowed) {
worker_fetch_context.GetWebWorkerFetchContext()->DidRunInsecureContent(
WebSecurityOrigin(security_origin), url);
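Review bot: `security_origin` is passed to `AllowRunningInsecureContent` unwrapped here, while the frame overload and the `DidRunInsecureContent` call just below both pass `WebSecurityOrigin(security_origin)`. If this only compiles through an implicit conversion, spelling it out keeps the two overloads parallel: `allowed, WebSecurityOrigin(security_origin), url);`. The declaration of `content_settings_client` for the worker path lies outside the hunk, so its parameter type is inferred rather than seen.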
@@ -679,7 +685,7 @@ void MixedContentChecker::CheckMixedPrivatePublic(
return;
// Just count these for the moment, don't block them.
- if (NetworkUtils::IsReservedIPAddress(resource_ip_address) &&
+ if (network_utils::IsReservedIPAddress(resource_ip_address) &&
frame->GetDocument()->AddressSpace() == mojom::IPAddressSpace::kPublic) {
UseCounter::Count(frame->GetDocument(),
WebFeature::kMixedContentPrivateHostnameInPublicHostname);
@@ -762,6 +768,40 @@ void MixedContentChecker::MixedContentFound(
}
}
+// static
+ConsoleMessage* MixedContentChecker::CreateConsoleMessageAboutFetchAutoupgrade(
+ const KURL& main_resource_url,
+ const KURL& mixed_content_url) {
+ String message = String::Format(
+ "Mixed Content: The page at '%s' was loaded over HTTPS, but requested an "
+ "insecure element '%s'. As part of an experiment this request was "
+ "automatically upgraded to HTTPS, For more information see "
+ "https://chromium.googlesource.com/chromium/src/+/master/docs/security/"
+ "autougprade-mixed.md",
+ main_resource_url.ElidedString().Utf8().data(),
+ mixed_content_url.ElidedString().Utf8().data());
+ return ConsoleMessage::Create(kSecurityMessageSource, kWarningMessageLevel,
+ message);
+}
+
+// static
+ConsoleMessage*
+MixedContentChecker::CreateConsoleMessageAboutWebSocketAutoupgrade(
+ const KURL& main_resource_url,
+ const KURL& mixed_content_url) {
+ String message = String::Format(
+ "Mixed Content: The page at '%s' was loaded over HTTPS, but attempted "
+ "to connect to the insecure WebSocket endpoint '%s'. As part of an "
+ "experiment this request was automatically upgraded to HTTPS, For more "
+ "information see "
+ "https://chromium.googlesource.com/chromium/src/+/master/docs/security/"
+ "autougprade-mixed.md",
+ main_resource_url.ElidedString().Utf8().data(),
+ mixed_content_url.ElidedString().Utf8().data());
+ return ConsoleMessage::Create(kSecurityMessageSource, kWarningMessageLevel,
+ message);
+}
+
WebMixedContentContextType MixedContentChecker::ContextTypeForInspector(
LocalFrame* frame,
const ResourceRequest& request) {
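Review bot: Both new console messages point to `docs/security/autougprade-mixed.md`, which looks like a transposition of `autoupgrade-mixed.md`, so the link shown to developers in this security warning would not resolve. The WebSocket variant also says the request was upgraded "to HTTPS" although it describes a WebSocket endpoint. Both messages join two sentences with `HTTPS, For more`, where `upgraded to HTTPS. For more information see ` reads correctly. The two functions differ only in the middle sentence, so a file-local helper taking that sentence would keep the wording and the URL in one place.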
@@ -777,7 +817,7 @@ WebMixedContentContextType MixedContentChecker::ContextTypeForInspector(
// subframe.
if (request.GetFrameType() ==
network::mojom::RequestContextFrameType::kNested &&
- !SchemeRegistry::ShouldTreatURLSchemeAsCORSEnabled(
+ !SchemeRegistry::ShouldTreatURLSchemeAsCorsEnabled(
request.Url().Protocol())) {
return WebMixedContentContextType::kOptionallyBlockable;
}