/*
 * Copyright (C) 2012 Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 * its contributors may be used to endorse or promote products derived
 * from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "config.h"
#include "core/loader/MixedContentChecker.h"

#include "core/dom/Document.h"
#include "core/loader/FrameLoader.h"
#include "core/loader/FrameLoaderClient.h"
#include "core/frame/Frame.h"
#include "core/frame/Settings.h"
#include "platform/weborigin/SecurityOrigin.h"

namespace WebCore {

// Binds the checker to |frame|. Only the raw pointer is kept; nothing in this
// file shows who guarantees that the frame outlives the checker, and every
// method below dereferences it without a null check.
MixedContentChecker::MixedContentChecker(Frame* frame)
    : m_frame(frame)
{
}

// Returns the client of the bound frame's loader. The allow/deny decisions
// below are taken by this client.
FrameLoaderClient* MixedContentChecker::client() const
{
    return m_frame->loader().client();
}

// static
// Reports whether loading |url| from a context whose origin is
// |securityOrigin| counts as mixed content.
//
// Only an origin whose protocol is exactly "https" is treated as a secure
// context; for any other origin the answer is always false. Inside a secure
// context the verdict is whatever SecurityOrigin::isSecure() says about |url|.
// Only the origin passed in is examined, so the caller decides which origin
// the load is judged against.
// NOTE(review): |securityOrigin| is dereferenced unchecked -- confirm callers
// never pass null.
bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url)
{
    const bool outsideHttps = securityOrigin->protocol() != "https";
    if (outsideHttps)
        return false; // Non-HTTPS origins are out of scope for this check.

    // Secure context: the load is mixed exactly when the target is insecure.
    const bool targetIsSecure = SecurityOrigin::isSecure(url);
    return !targetIsSecure;
}

// Decides whether insecure content at |url| may be displayed in a context
// with origin |securityOrigin|. Returns true when the load is not mixed
// content at all, otherwise the client's verdict.
//
// The Settings flag is only an input to the client: the value returned by
// allowDisplayingInsecureContent() is the final decision. When the frame has
// no Settings object the client is handed false. A console message is written
// for every mixed load, allowed or blocked; the client is notified through
// didDisplayInsecureContent() only when the load is allowed.
bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const
{
    if (isMixedContent(securityOrigin, url)) {
        Settings* settings = m_frame->settings();
        const bool enabledBySettings = settings && settings->allowDisplayOfInsecureContent();
        const bool allowed = client()->allowDisplayingInsecureContent(enabledBySettings, securityOrigin, url);
        logWarning(allowed, "displayed", url);

        if (allowed)
            client()->didDisplayInsecureContent();

        return allowed;
    }

    return true;
}

// Decides whether insecure content at |url| may be run in a context with
// origin |securityOrigin|. Same shape as canDisplayInsecureContent(), but it
// consults the allowRunningOfInsecureContent setting and, when the load is
// allowed, reports the origin and URL to the client through
// didRunInsecureContent().
//
// As above, the client's return value is the final decision and a missing
// Settings object is passed on as false.
bool MixedContentChecker::canRunInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const
{
    if (isMixedContent(securityOrigin, url)) {
        Settings* settings = m_frame->settings();
        const bool enabledBySettings = settings && settings->allowRunningOfInsecureContent();
        const bool allowed = client()->allowRunningInsecureContent(enabledBySettings, securityOrigin, url);
        logWarning(allowed, "ran", url);

        if (allowed)
            client()->didRunInsecureContent(securityOrigin, url);

        return allowed;
    }

    return true;
}

// Writes a security console message describing a mixed-content load.
//
// |allowed| selects the severity (warning when the load went ahead, error when
// it was blocked) and whether the text carries the "[blocked] " prefix.
// |action| is the verb placed in the sentence ("displayed" or "ran" from the
// callers in this file). Both the page URL and |target| go through
// elidedString() before they are placed in the message.
// NOTE(review): m_frame->document() is dereferenced unchecked -- confirm a
// document always exists when a mixed-content decision is made.
void MixedContentChecker::logWarning(bool allowed, const String& action, const KURL& target) const
{
    const String pageUrl = m_frame->document()->url().elidedString();
    const String targetUrl = target.elidedString();
    String message = String(allowed ? "" : "[blocked] ") + "The page at '" + pageUrl + "' was loaded over HTTPS, but " + action + " insecure content from '" + targetUrl + "': this content should also be loaded over HTTPS.\n";

    MessageLevel messageLevel = ErrorMessageLevel;
    if (allowed)
        messageLevel = WarningMessageLevel;

    m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message);
}

} // namespace WebCore