Implementing mixed content for forms posting to insecure location from secure ones.

When a form "action" attribute is pointing to insecure location from a secure one, this is flagged as mixed content. This is even checked if the pages dynamically changes the "action" attribute after the initial loading. The mixed content is non-blocking by default, however, this can be overridden in the preferences, and this will cause a submit to silently fail, other than a console message. Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=175714 Review URL: https://codereview.chromium.org/311033003 git-svn-id: svn://svn.chromium.org/blink/trunk@175926 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Implementing mixed content for forms posting to insecure location from secure ones.
When a form "action" attribute is pointing to insecure location from a secure one, this is flagged as mixed content. This is even checked if the pages dynamically changes the "action" attribute after the initial loading. The mixed content is non-blocking by default, however, this can be overridden in the preferences, and this will cause a submit to silently fail, other than a console message. Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=175714 Review URL: https://codereview.chromium.org/311033003 git-svn-id: svn://svn.chromium.org/blink/trunk@175926 bbb929c8-8fbe-4397-9dbb-9b2b20218538
8fd99238 · mohammed@chromium.org · 27e08ca5 · 8fd99238 · 8fd99238 · 8fd99238
Commit 8fd99238 authored Jun 10, 2014 by mohammed@chromium.org
14 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt
+CONSOLE WARNING: line 2: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over HTTPS, but is submitting data to an insecure location at 'http://127.0.0.1:8080/security/resources/boring.html': this content should also be submitted over HTTPS.
+This test opens a window that shows a form with "action" pointing to insecure location. We should trigger a mixed content callback even though we've set the preference to block this, because we've overriden the preferences via a web permission client callback.
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed.html
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.overridePreference("WebKitAllowDisplayingInsecureContent", false);
+    testRunner.setAllowDisplayOfInsecureContent(true);
+}
+window.addEventListener("message", function (e) {
+  if (window.testRunner)
+    testRunner.notifyDone();
+}, false);
+</script>
+<p>This test opens a window that shows a form with "action" pointing to insecure
+location. We should trigger a mixed content callback even though we've set the preference to block this, because we've overriden the preferences via a web permission client callback.</p>
+<script>
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html");
+</script>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt
+CONSOLE ERROR: line 2: [blocked] The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over HTTPS, but is submitting data to an insecure location at 'http://127.0.0.1:8080/security/resources/boring.html': this content should also be submitted over HTTPS.
+This test opens a window that shows a form with "action" pointing to an insecure location. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and the form is pointing to insecure content, because we've set the preference to block this.
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked.html
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.overridePreference("WebKitAllowDisplayingInsecureContent", false);
+}
+window.addEventListener("message", function (e) {
+  if (window.testRunner)
+    testRunner.notifyDone();
+}, false);
+</script>
+<p>This test opens a window that shows a form with "action" pointing to an insecure
+location. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and the form is pointing to insecure content, because we've set the preference to block this.</p>
+<script>
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html");
+</script>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt
+CONSOLE WARNING: line 2: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over HTTPS, but is submitting data to an insecure location at 'http://127.0.0.1:8080/security/resources/boring.html': this content should also be submitted over HTTPS.
+This test opens a window that shows a form with "action" pointing to an insecure location. We should trigger a mixed content callback because the main frame in the window is HTTPS but is posting to insecure location.
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame.html
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+window.addEventListener("message", function (e) {
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+<p>This test opens a window that shows a form with "action" pointing to an insecure
+location. We should trigger a mixed content callback because the main frame
+in the window is HTTPS but is posting to insecure location.</p>
+<script>
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html");
+</script>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html
+<form action="http://127.0.0.1:8080/security/resources/boring.html"
+      method="post">
+</form>
+<script>
+window.onload = function() {
+    if (window.opener)
+        window.opener.postMessage('done', '*');
+};
+</script>
--- a/third_party/WebKit/LayoutTests/http/tests/security/originHeader/resources/origin-header-post-to-http.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/originHeader/resources/origin-header-post-to-http.html
-<form action="http://127.0.0.1:8000/security/originHeader/resources/print-origin.cgi"
+<form action="https://127.0.0.1:8443/security/originHeader/resources/print-origin.cgi"
      method="POST">
 </form>
 <script>document.forms[0].submit();</script>
--- a/third_party/WebKit/Source/core/frame/UseCounter.h
+++ b/third_party/WebKit/Source/core/frame/UseCounter.h
@@ -438,6 +438,8 @@ public:
        MixedContentImage = 438,
        MixedContentMedia = 439,
        DocumentFonts = 440,
+        MixedContentFormsSubmitted = 441,
+        FormsSubmitted = 442,
        // Add new features immediately above this line. Don't change assigned
        // numbers of any item, and don't reuse removed slots.
        // Also, run update_use_counter_feature_enum.py in chromium/src/tools/metrics/histograms/

--- a/third_party/WebKit/Source/core/html/HTMLFormElement.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLFormElement.cpp
@@ -37,6 +37,10 @@
 #include "core/events/Event.h"
 #include "core/events/GenericEventQueue.h"
 #include "core/events/ScopedEventQueue.h"
+#include "core/frame/DOMWindow.h"
+#include "core/frame/LocalFrame.h"
+#include "core/frame/UseCounter.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/HTMLCollection.h"
 #include "core/html/HTMLDialogElement.h"
 #include "core/html/HTMLImageElement.h"
@@ -46,12 +50,10 @@
 #include "core/html/forms/FormController.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
-#include "core/frame/DOMWindow.h"
+#include "core/loader/MixedContentChecker.h"
-#include "core/frame/LocalFrame.h"
-#include "core/frame/UseCounter.h"
-#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/rendering/RenderTextControl.h"
 #include "platform/UserGestureIndicator.h"
+#include "wtf/text/AtomicString.h"
 using namespace std;
@@ -392,7 +394,7 @@ void HTMLFormElement::scheduleFormSubmission(PassRefPtr<FormSubmission> submissi
    }
    if (protocolIsJavaScript(submission->action())) {
-        if (!document().contentSecurityPolicy()->allowFormAction(KURL(submission->action())))
+        if (!document().contentSecurityPolicy()->allowFormAction(submission->action()))
            return;
        document().frame()->script().executeScriptIfJavaScriptURL(submission->action());
        return;
@@ -409,6 +411,14 @@ void HTMLFormElement::scheduleFormSubmission(PassRefPtr<FormSubmission> submissi
    if (!targetFrame->page())
        return;
+    if (MixedContentChecker::isMixedContent(document().securityOrigin(), submission->action())) {
+        UseCounter::count(document(), UseCounter::MixedContentFormsSubmitted);
+        if (!document().frame()->loader().mixedContentChecker()->canSubmitToInsecureForm(document().securityOrigin(), submission->action()))
+            return;
+    } else {
+        UseCounter::count(document(), UseCounter::FormsSubmitted);
+    }
    submission->setReferrer(Referrer(document().outgoingReferrer(), document().referrerPolicy()));
    submission->setOrigin(document().outgoingOrigin());
@@ -476,9 +486,14 @@ void HTMLFormElement::finishRequestAutocomplete(AutocompleteResult result)
 void HTMLFormElement::parseAttribute(const QualifiedName& name, const AtomicString& value)
 {
-    if (name == actionAttr)
+    if (name == actionAttr) {
-        m_attributes.parseAction(value);
+        m_attributes.parseAction(document(), value);
-    else if (name == targetAttr)
+        // If the new action attribute is pointing to insecure "action" location from a secure page
+        // it is marked as "passive" mixed content.
+        KURL actionURL = m_attributes.action().isEmpty() ? document().url() : m_attributes.action();
+        if (MixedContentChecker::isMixedContent(document().securityOrigin(), actionURL))
+            document().frame()->loader().mixedContentChecker()->canSubmitToInsecureForm(document().securityOrigin(), actionURL);
+    } else if (name == targetAttr)
        m_attributes.setTarget(value);
    else if (name == methodAttr)
        m_attributes.updateMethodType(value);

--- a/third_party/WebKit/Source/core/loader/FormSubmission.cpp
+++ b/third_party/WebKit/Source/core/loader/FormSubmission.cpp
@@ -83,10 +83,9 @@ static void appendMailtoPostFormDataToURL(KURL& url, const FormData& data, const
    url.setQuery(query.toString());
 }
-void FormSubmission::Attributes::parseAction(const String& action)
+void FormSubmission::Attributes::parseAction(const Document& document, const String& action)
 {
-    // FIXME: Can we parse into a KURL?
+    m_action = action.isEmpty() ? KURL() : document.completeURL(stripLeadingAndTrailingHTMLSpaces(action));
-    m_action = stripLeadingAndTrailingHTMLSpaces(action);
 }
 AtomicString FormSubmission::Attributes::parseEncodingType(const String& type)
@@ -180,7 +179,7 @@ PassRefPtr<FormSubmission> FormSubmission::create(HTMLFormElement* form, const A
    if (submitButton) {
        AtomicString attributeValue;
        if (!(attributeValue = submitButton->fastGetAttribute(formactionAttr)).isNull())
-            copiedAttributes.parseAction(attributeValue);
+            copiedAttributes.parseAction(form->document(), attributeValue);
        if (!(attributeValue = submitButton->fastGetAttribute(formenctypeAttr)).isNull())
            copiedAttributes.updateEncodingType(attributeValue);
        if (!(attributeValue = submitButton->fastGetAttribute(formmethodAttr)).isNull())
@@ -196,7 +195,7 @@ PassRefPtr<FormSubmission> FormSubmission::create(HTMLFormElement* form, const A
    }
    Document& document = form->document();
-    KURL actionURL = document.completeURL(copiedAttributes.action().isEmpty() ? document.url().string() : copiedAttributes.action());
+    KURL actionURL = copiedAttributes.action().isEmpty() ? document.url() : copiedAttributes.action();
    bool isMailtoForm = actionURL.protocolIs("mailto");
    bool isMultiPartForm = false;
    AtomicString encodingType = copiedAttributes.encodingType();

--- a/third_party/WebKit/Source/core/loader/FormSubmission.h
+++ b/third_party/WebKit/Source/core/loader/FormSubmission.h
@@ -67,8 +67,8 @@ public:
        void updateMethodType(const String&);
        static String methodString(Method);
-        const String& action() const { return m_action; }
+        const KURL& action() const { return m_action; }
-        void parseAction(const String&);
+        void parseAction(const Document&, const String&);
        const AtomicString& target() const { return m_target; }
        void setTarget(const AtomicString& target) { m_target = target; }
@@ -87,7 +87,7 @@ public:
        Method m_method;
        bool m_isMultiPartForm;
-        String m_action;
+        KURL m_action;
        AtomicString m_target;
        AtomicString m_encodingType;
        String m_acceptCharset;

--- a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
+++ b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
@@ -35,6 +35,7 @@
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "platform/weborigin/SecurityOrigin.h"
+#include "wtf/text/StringBuilder.h"
 namespace WebCore {
@@ -58,14 +59,14 @@ bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K
    return !SecurityOrigin::isSecure(url);
 }
-bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const
+bool MixedContentChecker::canDisplayInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
 {
    if (!isMixedContent(securityOrigin, url))
        return true;
    Settings* settings = m_frame->settings();
    bool allowed = client()->allowDisplayingInsecureContent(settings && settings->allowDisplayOfInsecureContent(), securityOrigin, url);
-    logWarning(allowed, "displayed", url);
+    logWarning(allowed, url, type);
    if (allowed)
        client()->didDisplayInsecureContent();
@@ -73,15 +74,15 @@ bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrig
    return allowed;
 }
-bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, bool isWebSocket) const
+bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* securityOrigin, const KURL& url, const MixedContentType type) const
 {
    if (!isMixedContent(securityOrigin, url))
        return true;
    Settings* settings = m_frame->settings();
-    bool allowedPerSettings = settings && (settings->allowRunningOfInsecureContent() || (isWebSocket && settings->allowConnectingInsecureWebSocket()));
+    bool allowedPerSettings = settings && (settings->allowRunningOfInsecureContent() || ((type == WebSocket) && settings->allowConnectingInsecureWebSocket()));
    bool allowed = client()->allowRunningInsecureContent(allowedPerSettings, securityOrigin, url);
-    logWarning(allowed, "ran", url);
+    logWarning(allowed, url, type);
    if (allowed)
        client()->didRunInsecureContent(securityOrigin, url);
@@ -89,11 +90,25 @@ bool MixedContentChecker::canRunInsecureContentInternal(SecurityOrigin* security
    return allowed;
 }
-void MixedContentChecker::logWarning(bool allowed, const String& action, const KURL& target) const
+void MixedContentChecker::logWarning(bool allowed, const KURL& target, const MixedContentType type) const
 {
-    String message = String(allowed ? "" : "[blocked] ") + "The page at '" + m_frame->document()->url().elidedString() + "' was loaded over HTTPS, but " + action + " insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n";
+    StringBuilder message;
+    message.append((allowed ? "" : "[blocked] "));
+    message.append("The page at '" + m_frame->document()->url().elidedString() + "' was loaded over HTTPS, but ");
+    switch (type) {
+    case Display:
+        message.append("displayed insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n");
+        break;
+    case Execution:
+    case WebSocket:
+        message.append("ran insecure content from '" + target.elidedString() + "': this content should also be loaded over HTTPS.\n");
+        break;
+    case Submission:
+        message.append("is submitting data to an insecure location at '" + target.elidedString() + "': this content should also be submitted over HTTPS.\n");
+        break;
+    }
    MessageLevel messageLevel = allowed ? WarningMessageLevel : ErrorMessageLevel;
-    m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message);
+    m_frame->document()->addConsoleMessage(SecurityMessageSource, messageLevel, message.toString());
 }
 } // namespace WebCore
--- a/third_party/WebKit/Source/core/loader/MixedContentChecker.h
+++ b/third_party/WebKit/Source/core/loader/MixedContentChecker.h
@@ -45,24 +45,41 @@ class MixedContentChecker {
 public:
    MixedContentChecker(LocalFrame*);
-    bool canDisplayInsecureContent(SecurityOrigin*, const KURL&) const;
+    bool canDisplayInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const
+    {
+        return canDisplayInsecureContentInternal(securityOrigin, url, MixedContentChecker::Display);
+    }
+    bool canSubmitToInsecureForm(SecurityOrigin* securityOrigin, const KURL& url) const
+    {
+        return canDisplayInsecureContentInternal(securityOrigin, url, MixedContentChecker::Submission);
+    }
    bool canRunInsecureContent(SecurityOrigin* securityOrigin, const KURL& url) const
    {
-        return canRunInsecureContentInternal(securityOrigin, url, false);
+        return canRunInsecureContentInternal(securityOrigin, url, MixedContentChecker::Execution);
    }
    bool canConnectInsecureWebSocket(SecurityOrigin* securityOrigin, const KURL& url) const
    {
-        return canRunInsecureContentInternal(securityOrigin, url, true);
+        return canRunInsecureContentInternal(securityOrigin, url, MixedContentChecker::WebSocket);
    }
    static bool isMixedContent(SecurityOrigin*, const KURL&);
 private:
+    enum MixedContentType {
+        Display,
+        Execution,
+        WebSocket,
+        Submission
+    };
    // FIXME: This should probably have a separate client from FrameLoader.
    FrameLoaderClient* client() const;
-    bool canRunInsecureContentInternal(SecurityOrigin*, const KURL&, bool isWebSocket) const;
+    bool canDisplayInsecureContentInternal(SecurityOrigin*, const KURL&, const MixedContentType) const;
+    bool canRunInsecureContentInternal(SecurityOrigin*, const KURL&, const MixedContentType) const;
-    void logWarning(bool allowed, const String& action, const KURL&) const;
+    void logWarning(bool allowed, const KURL& i, const MixedContentType) const;
    LocalFrame* m_frame;
 };