MixedContentChecker.cpp [plain text]
#include "config.h"
#include "MixedContentChecker.h"
#include "ContentSecurityPolicy.h"
#include "Document.h"
#include "Frame.h"
#include "FrameLoader.h"
#include "FrameLoaderClient.h"
#include "SecurityOrigin.h"
#include "Settings.h"
#include <wtf/text/CString.h>
#include <wtf/text/WTFString.h>
namespace WebCore {
bool MixedContentChecker::isMixedContent(SecurityOrigin& securityOrigin, const URL& url)
{
if (securityOrigin.protocol() != "https")
return false;
return !SecurityOrigin::isSecure(url);
}
static void logWarning(const Frame& frame, bool allowed, const String& action, const URL& target)
{
const char* errorString = allowed ? " was allowed to " : " was not allowed to ";
String message = makeString((allowed ? String() : "[blocked] "), "The page at ", frame.document()->url().stringCenterEllipsizedToLength(), errorString, action, " insecure content from ", target.stringCenterEllipsizedToLength(), ".\n");
frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, message);
}
bool MixedContentChecker::canDisplayInsecureContent(Frame& frame, SecurityOrigin& securityOrigin, ContentType type, const URL& url, AlwaysDisplayInNonStrictMode alwaysDisplayInNonStrictMode)
{
if (!isMixedContent(securityOrigin, url))
return true;
if (!frame.document()->contentSecurityPolicy()->allowRunningOrDisplayingInsecureContent(url))
return false;
bool isStrictMode = frame.document()->isStrictMixedContentMode();
if (!isStrictMode && alwaysDisplayInNonStrictMode == AlwaysDisplayInNonStrictMode::Yes)
return true;
bool allowed = !isStrictMode && (frame.settings().allowDisplayOfInsecureContent() || type == ContentType::ActiveCanWarn) && !frame.document()->geolocationAccessed();
logWarning(frame, allowed, "display", url);
if (allowed) {
frame.document()->setFoundMixedContent(SecurityContext::MixedContentType::Inactive);
frame.loader().client().didDisplayInsecureContent();
}
return allowed;
}
bool MixedContentChecker::canRunInsecureContent(Frame& frame, SecurityOrigin& securityOrigin, const URL& url)
{
if (!isMixedContent(securityOrigin, url))
return true;
if (!frame.document()->contentSecurityPolicy()->allowRunningOrDisplayingInsecureContent(url))
return false;
bool allowed = !frame.document()->isStrictMixedContentMode() && frame.settings().allowRunningOfInsecureContent() && !frame.document()->geolocationAccessed() && !frame.document()->secureCookiesAccessed();
logWarning(frame, allowed, "run", url);
if (allowed) {
frame.document()->setFoundMixedContent(SecurityContext::MixedContentType::Active);
frame.loader().client().didRunInsecureContent(securityOrigin, url);
}
return allowed;
}
void MixedContentChecker::checkFormForMixedContent(Frame& frame, SecurityOrigin& securityOrigin, const URL& url)
{
if (url.protocolIsJavaScript())
return;
if (!isMixedContent(securityOrigin, url))
return;
String message = makeString("The page at ", frame.document()->url().stringCenterEllipsizedToLength(), " contains a form which targets an insecure URL ", url.stringCenterEllipsizedToLength(), ".\n");
frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, message);
frame.loader().client().didDisplayInsecureContent();
}
Optional<String> MixedContentChecker::checkForMixedContentInFrameTree(const Frame& frame, const URL& url)
{
auto* document = frame.document();
while (document) {
RELEASE_ASSERT_WITH_MESSAGE(document->frame(), "An unparented document tried to connect to a websocket with url: %s", url.string().utf8().data());
auto* frame = document->frame();
if (isMixedContent(document->securityOrigin(), url))
return makeString("The page at ", document->url().stringCenterEllipsizedToLength(), " was blocked from connecting insecurely to ", url.stringCenterEllipsizedToLength(), " either because the protocol is insecure or the page is embedded from an insecure page.");
if (frame->isMainFrame())
break;
frame = frame->tree().parent();
RELEASE_ASSERT_WITH_MESSAGE(frame, "Should never have a parentless non main frame");
document = frame->document();
}
return WTF::nullopt;
}
}