1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/browser/renderer_host/mixed_content_navigation_throttle.h"
6
7 #include <vector>
8
9 #include "base/memory/ptr_util.h"
10 #include "base/metrics/histogram_macros.h"
11 #include "base/stl_util.h"
12 #include "content/browser/renderer_host/frame_tree.h"
13 #include "content/browser/renderer_host/frame_tree_node.h"
14 #include "content/browser/renderer_host/navigation_request.h"
15 #include "content/browser/renderer_host/render_frame_host_delegate.h"
16 #include "content/browser/renderer_host/render_frame_host_impl.h"
17 #include "content/browser/renderer_host/render_view_host_impl.h"
18 #include "content/common/frame_messages.h"
19 #include "content/common/navigation_params.mojom.h"
20 #include "content/public/browser/content_browser_client.h"
21 #include "content/public/common/content_client.h"
22 #include "content/public/common/navigation_policy.h"
23 #include "content/public/common/origin_util.h"
24 #include "net/base/url_util.h"
25 #include "third_party/blink/public/common/loader/network_utils.h"
26 #include "third_party/blink/public/common/security_context/insecure_request_policy.h"
27 #include "third_party/blink/public/common/web_preferences/web_preferences.h"
28 #include "third_party/blink/public/mojom/fetch/fetch_api_request.mojom.h"
29 #include "third_party/blink/public/mojom/frame/frame.mojom.h"
30 #include "third_party/blink/public/mojom/security_context/insecure_request_policy.mojom.h"
31 #include "url/gurl.h"
32 #include "url/origin.h"
33 #include "url/url_constants.h"
34 #include "url/url_util.h"
35
36 namespace content {
37
38 namespace {
39
40 // Should return the same value as SchemeRegistry::shouldTreatURLSchemeAsSecure.
IsSecureScheme(const std::string & scheme)41 bool IsSecureScheme(const std::string& scheme) {
42 return base::Contains(url::GetSecureSchemes(), scheme);
43 }
44
45 // Should return the same value as SecurityOrigin::isLocal and
46 // SchemeRegistry::shouldTreatURLSchemeAsCorsEnabled.
ShouldTreatURLSchemeAsCorsEnabled(const GURL & url)47 bool ShouldTreatURLSchemeAsCorsEnabled(const GURL& url) {
48 return base::Contains(url::GetCorsEnabledSchemes(), url.scheme());
49 }
50
51 // Should return the same value as the resource URL checks assigned to
52 // |isAllowed| made inside MixedContentChecker::isMixedContent.
IsUrlPotentiallySecure(const GURL & url)53 bool IsUrlPotentiallySecure(const GURL& url) {
54 // blob: and filesystem: URLs never hit the network, and access is restricted
55 // to same-origin contexts, so they are not blocked.
56 return url.SchemeIs(url::kBlobScheme) ||
57 url.SchemeIs(url::kFileSystemScheme) ||
58 blink::network_utils::IsOriginSecure(url) ||
59 IsPotentiallyTrustworthyOrigin(url::Origin::Create(url));
60 }
61
62 // This method should return the same results as
63 // SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent.
DoesOriginSchemeRestrictMixedContent(const url::Origin & origin)64 bool DoesOriginSchemeRestrictMixedContent(const url::Origin& origin) {
65 return origin.scheme() == url::kHttpsScheme;
66 }
67
UpdateRendererOnMixedContentFound(NavigationRequest * navigation_request,const GURL & mixed_content_url,bool was_allowed,bool for_redirect)68 void UpdateRendererOnMixedContentFound(NavigationRequest* navigation_request,
69 const GURL& mixed_content_url,
70 bool was_allowed,
71 bool for_redirect) {
72 // TODO(carlosk): the root node should never be considered as being/having
73 // mixed content for now. Once/if the browser should also check form submits
74 // for mixed content than this will be allowed to happen and this DCHECK
75 // should be updated.
76 DCHECK(navigation_request->frame_tree_node()->parent());
77 RenderFrameHostImpl* rfh =
78 navigation_request->frame_tree_node()->current_frame_host();
79 DCHECK(!navigation_request->GetRedirectChain().empty());
80 GURL url_before_redirects = navigation_request->GetRedirectChain()[0];
81 rfh->GetAssociatedLocalFrame()->MixedContentFound(
82 mixed_content_url, navigation_request->GetURL(),
83 navigation_request->request_context_type(), was_allowed,
84 url_before_redirects, for_redirect,
85 navigation_request->common_params().source_location.Clone());
86 }
87
88 } // namespace
89
90 // static
91 std::unique_ptr<NavigationThrottle>
CreateThrottleForNavigation(NavigationHandle * navigation_handle)92 MixedContentNavigationThrottle::CreateThrottleForNavigation(
93 NavigationHandle* navigation_handle) {
94 return std::make_unique<MixedContentNavigationThrottle>(navigation_handle);
95 }
96
MixedContentNavigationThrottle(NavigationHandle * navigation_handle)97 MixedContentNavigationThrottle::MixedContentNavigationThrottle(
98 NavigationHandle* navigation_handle)
99 : NavigationThrottle(navigation_handle) {}
100
~MixedContentNavigationThrottle()101 MixedContentNavigationThrottle::~MixedContentNavigationThrottle() {}
102
103 NavigationThrottle::ThrottleCheckResult
WillStartRequest()104 MixedContentNavigationThrottle::WillStartRequest() {
105 bool should_block = ShouldBlockNavigation(false);
106 return should_block ? CANCEL : PROCEED;
107 }
108
109 NavigationThrottle::ThrottleCheckResult
WillRedirectRequest()110 MixedContentNavigationThrottle::WillRedirectRequest() {
111 // Upon redirects the same checks are to be executed as for requests.
112 bool should_block = ShouldBlockNavigation(true);
113 return should_block ? CANCEL : PROCEED;
114 }
115
116 NavigationThrottle::ThrottleCheckResult
WillProcessResponse()117 MixedContentNavigationThrottle::WillProcessResponse() {
118 // TODO(carlosk): At this point we are about to process the request response.
119 // So if we ever need to, here/now it is a good moment to check for the final
120 // attained security level of the connection. For instance, does it use an
121 // outdated protocol? The implementation should be based off
122 // MixedContentChecker::handleCertificateError. See https://crbug.com/576270.
123 return PROCEED;
124 }
125
GetNameForLogging()126 const char* MixedContentNavigationThrottle::GetNameForLogging() {
127 return "MixedContentNavigationThrottle";
128 }
129
130 // Based off of MixedContentChecker::shouldBlockFetch.
ShouldBlockNavigation(bool for_redirect)131 bool MixedContentNavigationThrottle::ShouldBlockNavigation(bool for_redirect) {
132 NavigationRequest* request = NavigationRequest::From(navigation_handle());
133 FrameTreeNode* node = request->frame_tree_node();
134
135 // Find the parent frame where mixed content is characterized, if any.
136 RenderFrameHostImpl* mixed_content_frame =
137 InWhichFrameIsContentMixed(node, request->GetURL());
138 if (!mixed_content_frame) {
139 MaybeSendBlinkFeatureUsageReport();
140 return false;
141 }
142
143 // From this point on we know this is not a main frame navigation and that
144 // there is mixed content. Now let's decide if it's OK to proceed with it.
145
146 ReportBasicMixedContentFeatures(request->request_context_type(),
147 request->mixed_content_context_type());
148
149 // If we're in strict mode, we'll automagically fail everything, and
150 // intentionally skip the client/embedder checks in order to prevent degrading
151 // the site's security UI.
152 bool block_all_mixed_content =
153 (mixed_content_frame->frame_tree_node()
154 ->current_replication_state()
155 .insecure_request_policy &
156 blink::mojom::InsecureRequestPolicy::kBlockAllMixedContent) !=
157 blink::mojom::InsecureRequestPolicy::kLeaveInsecureRequestsAlone;
158 const auto& prefs = mixed_content_frame->GetOrCreateWebPreferences();
159 bool strict_mode =
160 prefs.strict_mixed_content_checking || block_all_mixed_content;
161
162 blink::WebMixedContentContextType mixed_context_type =
163 request->mixed_content_context_type();
164
165 // Do not treat non-webby schemes as mixed content when loaded in subframes.
166 // Navigations to non-webby schemes cannot return data to the browser, so
167 // insecure content will not be run or displayed to the user as a result of
168 // loading a non-webby scheme. It is potentially dangerous to navigate to a
169 // non-webby scheme (e.g., the page could deliver a malicious payload to a
170 // vulnerable native application), but loading a non-webby scheme is no more
171 // dangerous in this respect than navigating the main frame to the non-webby
172 // scheme directly. See https://crbug.com/621131.
173 //
174 // TODO(https://crbug.com/1030307): decide whether CORS-enabled is really the
175 // right way to draw this distinction.
176 if (!ShouldTreatURLSchemeAsCorsEnabled(request->GetURL())) {
177 // Record non-webby mixed content to see if it is rare enough that it can be
178 // gated behind an enterprise policy. This excludes URLs that are considered
179 // potentially-secure such as blob: and filesystem:, which are special-cased
180 // in IsUrlPotentiallySecure() and cause an early-return because of the
181 // InWhichFrameIsContentMixed() check above.
182 UMA_HISTOGRAM_BOOLEAN("SSL.NonWebbyMixedContentLoaded", true);
183 return false;
184 }
185
186 bool allowed = false;
187 RenderFrameHostDelegate* frame_host_delegate =
188 node->current_frame_host()->delegate();
189 switch (mixed_context_type) {
190 case blink::WebMixedContentContextType::kOptionallyBlockable:
191 allowed = !strict_mode;
192 if (allowed) {
193 frame_host_delegate->PassiveInsecureContentFound(request->GetURL());
194 frame_host_delegate->DidDisplayInsecureContent();
195 }
196 break;
197
198 case blink::WebMixedContentContextType::kBlockable: {
199 // Note: from the renderer side implementation it seems like we don't need
200 // to care about reporting
201 // blink::UseCounter::BlockableMixedContentInSubframeBlocked because it is
202 // only triggered for sub-resources which are not checked for in the
203 // browser.
204 bool should_ask_delegate =
205 !strict_mode && (!prefs.strictly_block_blockable_mixed_content ||
206 prefs.allow_running_insecure_content);
207 allowed =
208 should_ask_delegate &&
209 frame_host_delegate->ShouldAllowRunningInsecureContent(
210 prefs.allow_running_insecure_content,
211 mixed_content_frame->GetLastCommittedOrigin(), request->GetURL());
212 if (allowed) {
213 const GURL& origin_url =
214 mixed_content_frame->GetLastCommittedOrigin().GetURL();
215 frame_host_delegate->DidRunInsecureContent(origin_url,
216 request->GetURL());
217 mixed_content_features_.insert(
218 blink::mojom::WebFeature::kMixedContentBlockableAllowed);
219 }
220 break;
221 }
222
223 case blink::WebMixedContentContextType::kShouldBeBlockable:
224 allowed = !strict_mode;
225 if (allowed)
226 frame_host_delegate->DidDisplayInsecureContent();
227 break;
228
229 case blink::WebMixedContentContextType::kNotMixedContent:
230 NOTREACHED();
231 break;
232 };
233
234 UpdateRendererOnMixedContentFound(request,
235 mixed_content_frame->GetLastCommittedURL(),
236 allowed, for_redirect);
237 MaybeSendBlinkFeatureUsageReport();
238
239 return !allowed;
240 }
241
242 // This method mirrors MixedContentChecker::inWhichFrameIsContentMixed but is
243 // implemented in a different form that seems more appropriate here.
InWhichFrameIsContentMixed(FrameTreeNode * node,const GURL & url)244 RenderFrameHostImpl* MixedContentNavigationThrottle::InWhichFrameIsContentMixed(
245 FrameTreeNode* node,
246 const GURL& url) {
247 // Main frame navigations cannot be mixed content.
248 // TODO(carlosk): except for form submissions which might be supported in the
249 // future.
250 if (node->IsMainFrame())
251 return nullptr;
252
253 // There's no mixed content if any of these are true:
254 // - The navigated URL is potentially secure.
255 // - Neither the root nor parent frames have secure origins.
256 // This next section diverges in how the Blink version is implemented but
257 // should get to the same results. Especially where isMixedContent calls
258 // exist, here they are partially fulfilled here and partially replaced by
259 // DoesOriginSchemeRestrictMixedContent.
260 RenderFrameHostImpl* mixed_content_frame = nullptr;
261 RenderFrameHostImpl* root = node->parent()->GetMainFrame();
262 RenderFrameHostImpl* parent = node->parent();
263 if (!IsUrlPotentiallySecure(url)) {
264 // TODO(carlosk): we might need to check more than just the immediate parent
265 // and the root. See https://crbug.com/623486.
266
267 // Checks if the root and then the immediate parent frames' origins are
268 // secure.
269 if (DoesOriginSchemeRestrictMixedContent(root->GetLastCommittedOrigin()))
270 mixed_content_frame = root;
271 else if (DoesOriginSchemeRestrictMixedContent(
272 parent->GetLastCommittedOrigin())) {
273 mixed_content_frame = parent;
274 }
275 }
276
277 // Note: The code below should behave the same way as the two calls to
278 // measureStricterVersionOfIsMixedContent from inside
279 // MixedContentChecker::inWhichFrameIs.
280 if (mixed_content_frame) {
281 // We're currently only checking for mixed content in `https://*` contexts.
282 // What about other "secure" contexts the SchemeRegistry knows about? We'll
283 // use this method to measure the occurrence of non-webby mixed content to
284 // make sure we're not breaking the world without realizing it.
285 if (mixed_content_frame->GetLastCommittedOrigin().scheme() !=
286 url::kHttpsScheme) {
287 mixed_content_features_.insert(
288 blink::mojom::WebFeature::
289 kMixedContentInNonHTTPSFrameThatRestrictsMixedContent);
290 }
291 } else if (!blink::network_utils::IsOriginSecure(url) &&
292 (IsSecureScheme(root->GetLastCommittedOrigin().scheme()) ||
293 IsSecureScheme(parent->GetLastCommittedOrigin().scheme()))) {
294 mixed_content_features_.insert(
295 blink::mojom::WebFeature::
296 kMixedContentInSecureFrameThatDoesNotRestrictMixedContent);
297 }
298 return mixed_content_frame;
299 }
300
MaybeSendBlinkFeatureUsageReport()301 void MixedContentNavigationThrottle::MaybeSendBlinkFeatureUsageReport() {
302 if (!mixed_content_features_.empty()) {
303 NavigationRequest* request = NavigationRequest::From(navigation_handle());
304 RenderFrameHostImpl* rfh = request->frame_tree_node()->current_frame_host();
305 rfh->GetAssociatedLocalFrame()->ReportBlinkFeatureUsage(
306 std::vector<blink::mojom::WebFeature>(mixed_content_features_.begin(),
307 mixed_content_features_.end()));
308 mixed_content_features_.clear();
309 }
310 }
311
312 // Based off of MixedContentChecker::count.
ReportBasicMixedContentFeatures(blink::mojom::RequestContextType request_context_type,blink::WebMixedContentContextType mixed_content_context_type)313 void MixedContentNavigationThrottle::ReportBasicMixedContentFeatures(
314 blink::mojom::RequestContextType request_context_type,
315 blink::WebMixedContentContextType mixed_content_context_type) {
316 mixed_content_features_.insert(
317 blink::mojom::WebFeature::kMixedContentPresent);
318
319 // Report any blockable content.
320 if (mixed_content_context_type ==
321 blink::WebMixedContentContextType::kBlockable) {
322 mixed_content_features_.insert(
323 blink::mojom::WebFeature::kMixedContentBlockable);
324 return;
325 }
326
327 // Note: as there's no mixed content checks for sub-resources on the browser
328 // side there should only be a subset of RequestContextType values that could
329 // ever be found here.
330 blink::mojom::WebFeature feature;
331 switch (request_context_type) {
332 case blink::mojom::RequestContextType::INTERNAL:
333 feature = blink::mojom::WebFeature::kMixedContentInternal;
334 break;
335 case blink::mojom::RequestContextType::PREFETCH:
336 feature = blink::mojom::WebFeature::kMixedContentPrefetch;
337 break;
338
339 case blink::mojom::RequestContextType::AUDIO:
340 case blink::mojom::RequestContextType::DOWNLOAD:
341 case blink::mojom::RequestContextType::FAVICON:
342 case blink::mojom::RequestContextType::IMAGE:
343 case blink::mojom::RequestContextType::PLUGIN:
344 case blink::mojom::RequestContextType::VIDEO:
345 default:
346 NOTREACHED() << "RequestContextType has value " << request_context_type
347 << " and has WebMixedContentContextType of "
348 << static_cast<int>(mixed_content_context_type);
349 return;
350 }
351 mixed_content_features_.insert(feature);
352 }
353
354 // static
IsMixedContentForTesting(const GURL & origin_url,const GURL & url)355 bool MixedContentNavigationThrottle::IsMixedContentForTesting(
356 const GURL& origin_url,
357 const GURL& url) {
358 const url::Origin origin = url::Origin::Create(origin_url);
359 return !IsUrlPotentiallySecure(url) &&
360 DoesOriginSchemeRestrictMixedContent(origin);
361 }
362
363 } // namespace content
364