Dont show mixed form interstitial in iframes

This reverts mixed forms inside iframes to the pre-mixed form warning behavior, they are silently blocked from submitting, and a console error is shown. Bug: 1141628 Change-Id: Ibabdc6d250a347bde8475d94c37402b971c0bdec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2493302 Commit-Queue: Carlos IL <carlosil@chromium.org> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Cr-Commit-Position: refs/heads/master@{#820114}

Dont show mixed form interstitial in iframes
This reverts mixed forms inside iframes to the pre-mixed form warning behavior, they are silently blocked from submitting, and a console error is shown. Bug: 1141628 Change-Id: Ibabdc6d250a347bde8475d94c37402b971c0bdec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2493302 Commit-Queue: Carlos IL <carlosil@chromium.org> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Cr-Commit-Position: refs/heads/master@{#820114}
0a4e594f · Carlos IL · Commit Bot · e47bf15e · 0a4e594f · 0a4e594f
Commit 0a4e594f authored Oct 23, 2020 by Carlos IL Committed by Commit Bot Oct 23, 2020
3 changed files
--- a/chrome/browser/ssl/ssl_browsertest.cc
+++ b/chrome/browser/ssl/ssl_browsertest.cc
@@ -6234,6 +6234,53 @@ IN_PROC_BROWSER_TEST_F(SSLUITestWithInsecureFormsWarningEnabled,
            security_interstitials::InsecureFormBlockingPage::kTypeForTesting);
 }

+// Visits a page that displays an insecure form inside an iframe, attempts to
+// submit the form, and checks an interstitial is not shown (submissions of
+// mixed forms inside iframes are separately blocked, and that behavior is
+// tested in mixed_content_navigation_throttle_unittest.cc).
+IN_PROC_BROWSER_TEST_F(
+    SSLUITestWithInsecureFormsWarningEnabled,
+    TestDoesNotDisplayInsecureFormSubmissionWarningInIframe) {
+  ChromeContentBrowserClientForMixedContentTest browser_client;
+  browser_client.SetMixedContentSettings(
+      false, /* allow_running_insecure_content */
+      false, /* strict_mixed_content_checking */
+      false /*strictly_block_blockable_mixed_content */);
+  content::ContentBrowserClient* old_browser_client =
+      content::SetBrowserClientForTesting(&browser_client);
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  tab->OnWebPreferencesChanged();
+  ASSERT_TRUE(embedded_test_server()->Start());
+  ASSERT_TRUE(https_server_.Start());
+
+  std::string replacement_path = GetFilePathWithHostAndPortReplacement(
+      "/ssl/page_displays_insecure_form_in_iframe.html",
+      https_server_.host_port_pair());
+
+  ui_test_utils::NavigateToURL(browser(),
+                               https_server_.GetURL(replacement_path));
+  content::TestNavigationObserver nav_observer(tab, 1);
+  content::WebContentsConsoleObserver console_observer(tab);
+  console_observer.SetPattern(
+      "Mixed Content: The page at * was loaded over a secure connection, but "
+      "contains a form that targets an insecure endpoint "
+      "'http://does-not-exist.test/ssl/google_files/logo.gif'. This endpoint "
+      "should be made available over a secure connection.");
+  ASSERT_TRUE(content::ExecuteScript(tab, "submitForm();"));
+  nav_observer.Wait();
+
+  // We shouldn't be displaying an interstitial.
+  security_interstitials::SecurityInterstitialTabHelper* helper =
+      security_interstitials::SecurityInterstitialTabHelper::FromWebContents(
+          tab);
+  EXPECT_FALSE(helper);
+
+  // Check console message was printed.
+  EXPECT_EQ(console_observer.messages().size(), 1u);
+
+  content::SetBrowserClientForTesting(old_browser_client);
+}
+
 // Checks insecure form warning works for forms that submit on a new tab.
 IN_PROC_BROWSER_TEST_F(SSLUITestWithInsecureFormsWarningEnabled,
                       TestDisplaysInsecureFormSubmissionWarningTargetBlank) {

--- a/chrome/test/data/ssl/page_displays_insecure_form_in_iframe.html
+++ b/chrome/test/data/ssl/page_displays_insecure_form_in_iframe.html
+<html>
+<head><title>Page that displays an insecure form inside an iframe</title>
+<script>
+function submitForm() {
+  subframe = document.getElementById("insecureFormFrame");
+  subframe.contentWindow.submitForm();
+}
+</script>
+</head>
+<body>
+This page contains an iframe, which contains a form that targets a non-secure URL,
+causing insecure content.<br>
+<iframe id="insecureFormFrame" src="https://REPLACE_WITH_HOST_AND_PORT/ssl/page_displays_insecure_form.html"></iframe>
+</body>
+</html>
\ No newline at end of file
--- a/components/security_interstitials/content/insecure_form_navigation_throttle.cc
+++ b/components/security_interstitials/content/insecure_form_navigation_throttle.cc
@@ -44,6 +44,12 @@ InsecureFormNavigationThrottle::WillStartRequest() {
    return content::NavigationThrottle::PROCEED;
  content::WebContents* contents = handle->GetWebContents();

+  // Do not set special error page HTML for insecure forms in subframes; those
+  // are already hard blocked.
+  if (!handle->IsInMainFrame()) {
+    return content::NavigationThrottle::PROCEED;
+  }
+
  url::Origin form_originating_origin =
      handle->GetInitiatorOrigin().value_or(url::Origin());
  if (!IsInsecureFormAction(handle->GetURL()) ||