2009-09-10 Adam Barth <abarth@webkit.org>
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Sep 2009 05:48:06 +0000 (05:48 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Sep 2009 05:48:06 +0000 (05:48 +0000)
commit b904be7167980b261933be19ada68be37405139c
tree 90a36f7eda6ff23a016c0641f0e1ee3834f9dcb5
parent adf7768547242da0dce043b3f682a29079fd2ec5
2009-09-10  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        Detect mixed content
        https://bugs.webkit.org/show_bug.cgi?id=29003

        Add some tests for mixed content.  All but one of these tests pass
        currently.  The one that fails is pretty tricky, but I wanted to get it
        into the tree with a FIXME so we won't forget it.  I'll file a followup
        bug about fixing it.

        * http/tests/security/mixedContent/about-blank-iframe-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/about-blank-iframe-in-main-frame.html: Added.
        * http/tests/security/mixedContent/data-url-iframe-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/data-url-iframe-in-main-frame.html: Added.
        * http/tests/security/mixedContent/data-url-script-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/data-url-script-in-iframe.html: Added.
        * http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-css-in-iframe.html: Added.
        * http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-css-in-main-frame.html: Added.
        * http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-iframe-in-iframe.html: Added.
        * http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-iframe-in-main-frame.html: Added.
        * http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-image-in-iframe.html: Added.
        * http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-image-in-main-frame.html: Added.
        * http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/insecure-script-in-iframe.html: Added.
        * http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame.html: Added.
        * http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe.html: Added.
        * http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt: Added.
        * http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame.html: Added.
        * http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt: Added.
        * http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe.html: Added.
        * http/tests/security/mixedContent/resources/boring.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-about-blank-frame.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-data-url-frame.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-data-url-script.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-insecure-css.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-insecure-frame.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-insecure-image.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-insecure-script.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html: Added.
        * http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html: Added.
        * http/tests/security/mixedContent/resources/script.js: Added.
        * http/tests/security/mixedContent/resources/style.css: Added.
2009-09-10  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        Detect mixed content
        https://bugs.webkit.org/show_bug.cgi?id=29003

        Detect some basic kinds of mixed content (HTTP content loaded into an
        HTTPS context).  This new detection logic isn't perfect, but it's a
        place to start.

        Tests: http/tests/security/mixedContent/about-blank-iframe-in-main-frame.html
               http/tests/security/mixedContent/data-url-iframe-in-main-frame.html
               http/tests/security/mixedContent/data-url-script-in-iframe.html
               http/tests/security/mixedContent/insecure-css-in-iframe.html
               http/tests/security/mixedContent/insecure-css-in-main-frame.html
               http/tests/security/mixedContent/insecure-iframe-in-iframe.html
               http/tests/security/mixedContent/insecure-iframe-in-main-frame.html
               http/tests/security/mixedContent/insecure-image-in-iframe.html
               http/tests/security/mixedContent/insecure-image-in-main-frame.html
               http/tests/security/mixedContent/insecure-script-in-iframe.html
               http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame.html
               http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe.html
               http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame.html
               http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe.html

        * loader/DocLoader.cpp:
        (WebCore::DocLoader::canRequest):
        (WebCore::DocLoader::requestResource):
        (WebCore::DocLoader::checkCacheObjectStatus):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::isMixedContent):
        (WebCore::FrameLoader::checkIfDisplayInsecureContent):
        (WebCore::FrameLoader::checkIfRunInsecureContent):
        * loader/FrameLoader.h:
        * loader/MainResourceLoader.cpp:
        (WebCore::MainResourceLoader::willSendRequest):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@48284 268f45cc-cd09-0410-ab3c-d52691b4dbfc
48 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/mixedContent/about-blank-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/about-blank-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/data-url-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/data-url-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/data-url-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/data-url-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/boring.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-about-blank-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-css.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/script.js [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/resources/style.css [new file with mode: 0644]
WebCore/ChangeLog
WebCore/loader/DocLoader.cpp
WebCore/loader/FrameLoader.cpp
WebCore/loader/FrameLoader.h
WebCore/loader/MainResourceLoader.cpp