1/* 2 * Copyright (C) 2012 Google Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#include "config.h" 30#include "MixedContentChecker.h" 31 32#include "Console.h" 33#include "DOMWindow.h" 34#include "Document.h" 35#include "Frame.h" 36#include "FrameLoader.h" 37#include "FrameLoaderClient.h" 38#include "SchemeRegistry.h" 39#include "SecurityOrigin.h" 40#include "Settings.h" 41#include <wtf/text/CString.h> 42#include <wtf/text/WTFString.h> 43 44namespace WebCore { 45 46MixedContentChecker::MixedContentChecker(Frame* frame) 47 : m_frame(frame) 48{ 49} 50 51FrameLoaderClient* MixedContentChecker::client() const 52{ 53 return m_frame->loader()->client(); 54} 55 56// static 57bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url) 58{ 59 if (securityOrigin->protocol() != "https") 60 return false; // We only care about HTTPS security origins. 61 62 // We're in a secure context, so |url| is mixed content if it's insecure. 63 return !SecurityOrigin::isSecure(url); 64} 65 66bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const 67{ 68 if (!isMixedContent(securityOrigin, url)) 69 return true; 70 71 Settings* settings = m_frame->settings(); 72 bool allowed = client()->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url); 73 logWarning(allowed, "displayed", url); 74 75 if (allowed) 76 client()->didDisplayInsecureContent(); 77 78 return allowed; 79} 80 81bool MixedContentChecker::canRunInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const 82{ 83 if (!isMixedContent(securityOrigin, url)) 84 return true; 85 86 Settings* settings = m_frame->settings(); 87 bool allowed = client()->allowRunningInsecureContent(settings && settings->allowRunningOfInsecureContent(), securityOrigin, url); 88 logWarning(allowed, "ran", url); 89 90 if (allowed) 91 client()->didRunInsecureContent(securityOrigin, url); 92 93 return allowed; 94} 95 96void MixedContentChecker::logWarning(bool allowed, const String& action, const KURL& target) const 97{ 98 String message = makeString((allowed ? "" : "[blocked] "), "The page at ", m_frame->document()->url().stringCenterEllipsizedToLength(), " ", action, " insecure content from ", target.stringCenterEllipsizedToLength(), ".\n"); 99 m_frame->document()->addConsoleMessage(SecurityMessageSource, WarningMessageLevel, message); 100} 101 102} // namespace WebCore 103