Sites served over insecure connections should not be allowed to use geolocation.
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 May 2016 18:19:30 +0000 (18:19 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 May 2016 18:19:30 +0000 (18:19 +0000)
commit f387440c8b9a394082b5f462184fa6d4645279ed
tree 558330847fa73ac746c4a7334bc72ab27025cce1
parent 94ad05c1ec899448942ae405495aa469319fd264
Sites served over insecure connections should not be allowed to use geolocation.
https://bugs.webkit.org/show_bug.cgi?id=157423
<rdar://problem/23751632>

Patch by Pranjal Jumde <pjumde@apple.com> on 2016-05-26
Reviewed by Brent Fulgham.

Source/WebCore:

Tests: http/tests/security/insecure-geolocation.html
       http/tests/security/mixedcontent-geolocation-block-insecure-content.html
       http/tests/security/mixedcontent-geolocation.html

* Modules/geolocation/Geolocation.cpp:
(WebCore::logError):
Logs an error to the console if geolocation is blocked.
(WebCore::Geolocation::startRequest):
Access to Geolocation will be blocked if site is not secure. An error will be logged when access to Geolocation is blocked.
(WebCore::Geolocation::shouldBlockGeolocationRequests):
Returns true if the access to geolocation should be blocked.
* Modules/geolocation/Geolocation.h:
* dom/SecurityContext.h:
(WebCore::SecurityContext::foundMixedContent):
Returns true if insecure content was accessed over secure connection.
(WebCore::SecurityContext::setFoundMixedContent):
Sets m_foundMixedContent to true if insecure content is accessed over secure connection.
(WebCore::SecurityContext::geolocationAccessed):
Returns true if geolocation was accessed.
(WebCore::SecurityContext::setGeolocationAccessed):
Sets m_geolocationAccessed to true if geolocation was accessed.
* loader/MixedContentChecker.cpp:
(WebCore::MixedContentChecker::canDisplayInsecureContent):
Insecure content will be blocked if geolocation was accessed by the page. Updates document to keep track of mixed content.
(WebCore::MixedContentChecker::canRunInsecureContent):
Insecure content will be blocked if geolocation was accessed by the page. Updates document to keep track of mixed content.

LayoutTests:

* http/tests/security/geolocation-over-insecure-content.html: Added.
* http/tests/security/geolocation-over-mixed-content-block.html: Added.
* http/tests/security/geolocation-over-mixed-content.html: Added.
* http/tests/security/insecure-geolocation-expected.txt: Added.
* http/tests/security/insecure-geolocation.html: Added.
* http/tests/security/mixedcontent-geolocation-block-insecure-content-expected.txt: Added.
* http/tests/security/mixedcontent-geolocation-block-insecure-content.html: Added.
* http/tests/security/mixedcontent-geolocation-expected.txt: Added.
* http/tests/security/mixedcontent-geolocation.html: Added.
* http/tests/security/sandboxed-iframe-geolocation-watchPosition.html:
  iframe is loaded over secure connection to avoid geolocation failures
* http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition.html:
  iframe is loaded over secure connection to avoid geolocation failures

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201423 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/insecure-geolocation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/insecure-geolocation.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedcontent-geolocation-block-insecure-content-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedcontent-geolocation-block-insecure-content.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedcontent-geolocation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedcontent-geolocation.html [new file with mode: 0644]
LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition.html
LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition.html
Source/WebCore/ChangeLog
Source/WebCore/Modules/geolocation/Geolocation.cpp
Source/WebCore/Modules/geolocation/Geolocation.h
Source/WebCore/dom/SecurityContext.h
Source/WebCore/loader/MixedContentChecker.cpp
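
The two-flag interlock the commit message describes, as an added example that is not WebKit's code and not part of this commit. `SecurityContextModel`, `requestGeolocation`, `loadSubresource` and the console text are hypothetical names, and the rule that previously seen mixed content also blocks geolocation is an assumption drawn from the flag and test names above.

```cpp
#include <iostream>
#include <string>

// Simplified model, not WebKit code; fields mirror the flags named in the commit message.
struct SecurityContextModel {
    bool secureOrigin = false;        // assumption: page itself was served over HTTPS
    bool foundMixedContent = false;   // insecure content loaded on a secure page
    bool geolocationAccessed = false; // a geolocation request was let through
};

// Models the check in Geolocation::startRequest; returns true if the request proceeds.
bool requestGeolocation(SecurityContextModel& ctx, std::string& console) {
    // Assumed rule: block on an insecure page, or once mixed content was seen.
    if (!ctx.secureOrigin || ctx.foundMixedContent) {
        console += "geolocation blocked: insecure context\n"; // constructed text
        return false;
    }
    ctx.geolocationAccessed = true;
    return true;
}

// Models canDisplayInsecureContent / canRunInsecureContent; true if the load proceeds.
bool loadSubresource(SecurityContextModel& ctx, bool resourceIsSecure) {
    if (resourceIsSecure || !ctx.secureOrigin)
        return true; // not mixed content
    if (ctx.geolocationAccessed)
        return false; // location already exposed: refuse the insecure load
    ctx.foundMixedContent = true;
    return true;
}

// Secure page, insecure load first: returns the later geolocation decision.
bool geolocationAfterMixedContent() {
    SecurityContextModel ctx;
    ctx.secureOrigin = true;
    std::string console;
    loadSubresource(ctx, false);
    return requestGeolocation(ctx, console);
}

// Secure page, geolocation first: returns the later insecure-load decision.
bool mixedContentAfterGeolocation() {
    SecurityContextModel ctx;
    ctx.secureOrigin = true;
    std::string console;
    requestGeolocation(ctx, console);
    return loadSubresource(ctx, false);
}

int main() {
    std::cout << geolocationAfterMixedContent() << mixedContentAfterGeolocation() << "\n";
}
```

Whichever event comes first on a secure page, the second one is refused, so location data and insecure subresources never coexist in the same document.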