Added opt out for mixed content autouptrade experiment.

Bug: 894513
Change-Id: Ic1d07c820cfce2aa4eae54a54e748fd0450ca7ab
Reviewed-on: https://chromium-review.googlesource.com/c/1347797Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Carlos IL <carlosil@chromium.org>
Cr-Commit-Position: refs/heads/master@{#611868}

third_party/blink/renderer/core/execution_context/security_context.h

@@ -125,6 +125,11 @@ class CORE_EXPORT SecurityContext : public GarbageCollectedMixin {
     return insecure_request_policy_;
   }
 
+  void SetMixedAutoupgradeOptOut(bool opt_out) {
+    mixed_autoupgrade_opt_out_ = opt_out;
+  }
+  bool GetMixedAutoUpgradeOptOut() { return mixed_autoupgrade_opt_out_; }
+
   FeaturePolicy* GetFeaturePolicy() const { return feature_policy_.get(); }
   FeaturePolicy* GetReportOnlyFeaturePolicy() const {
     return report_only_feature_policy_.get();
@@ -176,6 +181,7 @@ class CORE_EXPORT SecurityContext : public GarbageCollectedMixin {
 
   mojom::IPAddressSpace address_space_;
   WebInsecureRequestPolicy insecure_request_policy_;
+  bool mixed_autoupgrade_opt_out_;
   InsecureNavigationsSet insecure_navigations_to_upgrade_;
   bool require_safe_types_;
   DISALLOW_COPY_AND_ASSIGN(SecurityContext);

third_party/blink/renderer/core/loader/document_loader.cc

@@ -653,6 +653,12 @@ void DocumentLoader::ResponseReceived(
 
   content_security_policy_ = ContentSecurityPolicy::Create();
   content_security_policy_->SetOverrideURLForSelf(response.Url());
+
+  AtomicString mixed_content_header = response.HttpHeaderField("mixed-content");
+  if (EqualIgnoringASCIICase(mixed_content_header, "noupgrade")) {
+    frame_->GetDocument()->SetMixedAutoupgradeOptOut(true);
+  }
+
   if (!frame_->GetSettings()->BypassCSP()) {
     content_security_policy_->DidReceiveHeaders(
         ContentSecurityPolicyResponseHeaders(response));

third_party/blink/renderer/core/loader/document_loader_test.cc

@@ -195,4 +195,33 @@ TEST_F(DocumentLoaderTest, isCommittedButEmpty) {
                   ->IsCommittedButEmpty());
 }
 
+TEST_F(DocumentLoaderTest, MixedContentOptOutSetIfHeaderReceived) {
+  WebURL url =
+      url_test_helpers::ToKURL("https://examplenoupgrade.com/foo.html");
+  WebURLResponse response(url);
+  response.SetHTTPStatusCode(200);
+  response.SetHTTPHeaderField("mixed-content", "noupgrade");
+  url_test_helpers::RegisterMockedURLLoadWithCustomResponse(
+      url, test::CoreTestDataPath("foo.html"), response);
+  WebViewImpl* web_view_impl = web_view_helper_.InitializeAndLoad(
+      "https://examplenoupgrade.com/foo.html");
+  EXPECT_TRUE(ToLocalFrame(web_view_impl->GetPage()->MainFrame())
+                  ->Loader()
+                  .GetDocumentLoader()
+                  ->GetFrame()
+                  ->GetDocument()
+                  ->GetMixedAutoUpgradeOptOut());
+}
+
+TEST_F(DocumentLoaderTest, MixedContentOptOutNotSetIfNoHeaderReceived) {
+  WebViewImpl* web_view_impl =
+      web_view_helper_.InitializeAndLoad("https://example.com/foo.html");
+  EXPECT_FALSE(ToLocalFrame(web_view_impl->GetPage()->MainFrame())
+                   ->Loader()
+                   .GetDocumentLoader()
+                   ->GetFrame()
+                   ->GetDocument()
+                   ->GetMixedAutoUpgradeOptOut());
+}
+
 }  // namespace blink

third_party/blink/renderer/core/loader/frame_loader.cc

@@ -1695,6 +1695,7 @@ void FrameLoader::UpgradeInsecureRequest(ResourceRequest& resource_request,
     // correctly.
     if (context != mojom::RequestContextType::UNSPECIFIED &&
         resource_request.Url().ProtocolIs("http") &&
+        !origin_context->GetSecurityContext().GetMixedAutoUpgradeOptOut() &&
         MixedContentChecker::ShouldAutoupgrade(
             origin_context->Url(),
             WebMixedContent::ContextTypeFromRequestContext(context, false))) {