search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / chrome / renderer / content_settings_observer.cc
blob57de0757f4b3e8869a2f264e1855cbefe7a370b1
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/renderer/content_settings_observer.h"
6
7 #include "base/command_line.h"
8 #include "base/metrics/histogram.h"
9 #include "chrome/common/chrome_switches.h"
10 #include "chrome/common/render_messages.h"
11 #include "chrome/common/url_constants.h"
12 #include "content/public/renderer/document_state.h"
13 #include "content/public/renderer/navigation_state.h"
14 #include "content/public/renderer/render_frame.h"
15 #include "content/public/renderer/render_view.h"
16 #include "third_party/WebKit/public/platform/WebPermissionCallbacks.h"
17 #include "third_party/WebKit/public/platform/WebURL.h"
18 #include "third_party/WebKit/public/web/WebDataSource.h"
19 #include "third_party/WebKit/public/web/WebDocument.h"
20 #include "third_party/WebKit/public/web/WebFrame.h"
21 #include "third_party/WebKit/public/web/WebFrameClient.h"
22 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"
23 #include "third_party/WebKit/public/web/WebView.h"
24
25 #if defined(ENABLE_EXTENSIONS)
26 #include "chrome/common/extensions/chrome_extension_messages.h"
27 #include "extensions/common/constants.h"
28 #include "extensions/common/extension.h"
29 #include "extensions/renderer/dispatcher.h"
30 #endif
31
32 using blink::WebDataSource;
33 using blink::WebDocument;
34 using blink::WebFrame;
35 using blink::WebPermissionCallbacks;
36 using blink::WebSecurityOrigin;
37 using blink::WebString;
38 using blink::WebURL;
39 using blink::WebView;
40 using content::DocumentState;
41 using content::NavigationState;
42
43 namespace {
44
45 enum {
46 INSECURE_CONTENT_DISPLAY = 0,
47 INSECURE_CONTENT_DISPLAY_HOST_GOOGLE,
48 INSECURE_CONTENT_DISPLAY_HOST_WWW_GOOGLE,
49 INSECURE_CONTENT_DISPLAY_HTML,
50 INSECURE_CONTENT_RUN,
51 INSECURE_CONTENT_RUN_HOST_GOOGLE,
52 INSECURE_CONTENT_RUN_HOST_WWW_GOOGLE,
53 INSECURE_CONTENT_RUN_TARGET_YOUTUBE,
54 INSECURE_CONTENT_RUN_JS,
55 INSECURE_CONTENT_RUN_CSS,
56 INSECURE_CONTENT_RUN_SWF,
57 INSECURE_CONTENT_DISPLAY_HOST_YOUTUBE,
58 INSECURE_CONTENT_RUN_HOST_YOUTUBE,
59 INSECURE_CONTENT_RUN_HOST_GOOGLEUSERCONTENT,
60 INSECURE_CONTENT_DISPLAY_HOST_MAIL_GOOGLE,
61 INSECURE_CONTENT_RUN_HOST_MAIL_GOOGLE,
62 INSECURE_CONTENT_DISPLAY_HOST_PLUS_GOOGLE,
63 INSECURE_CONTENT_RUN_HOST_PLUS_GOOGLE,
64 INSECURE_CONTENT_DISPLAY_HOST_DOCS_GOOGLE,
65 INSECURE_CONTENT_RUN_HOST_DOCS_GOOGLE,
66 INSECURE_CONTENT_DISPLAY_HOST_SITES_GOOGLE,
67 INSECURE_CONTENT_RUN_HOST_SITES_GOOGLE,
68 INSECURE_CONTENT_DISPLAY_HOST_PICASAWEB_GOOGLE,
69 INSECURE_CONTENT_RUN_HOST_PICASAWEB_GOOGLE,
70 INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_READER,
71 INSECURE_CONTENT_RUN_HOST_GOOGLE_READER,
72 INSECURE_CONTENT_DISPLAY_HOST_CODE_GOOGLE,
73 INSECURE_CONTENT_RUN_HOST_CODE_GOOGLE,
74 INSECURE_CONTENT_DISPLAY_HOST_GROUPS_GOOGLE,
75 INSECURE_CONTENT_RUN_HOST_GROUPS_GOOGLE,
76 INSECURE_CONTENT_DISPLAY_HOST_MAPS_GOOGLE,
77 INSECURE_CONTENT_RUN_HOST_MAPS_GOOGLE,
78 INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_SUPPORT,
79 INSECURE_CONTENT_RUN_HOST_GOOGLE_SUPPORT,
80 INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_INTL,
81 INSECURE_CONTENT_RUN_HOST_GOOGLE_INTL,
82 INSECURE_CONTENT_NUM_EVENTS
83 };
84
85 // Constants for UMA statistic collection.
86 static const char kWWWDotGoogleDotCom[] = "www.google.com";
87 static const char kMailDotGoogleDotCom[] = "mail.google.com";
88 static const char kPlusDotGoogleDotCom[] = "plus.google.com";
89 static const char kDocsDotGoogleDotCom[] = "docs.google.com";
90 static const char kSitesDotGoogleDotCom[] = "sites.google.com";
91 static const char kPicasawebDotGoogleDotCom[] = "picasaweb.google.com";
92 static const char kCodeDotGoogleDotCom[] = "code.google.com";
93 static const char kGroupsDotGoogleDotCom[] = "groups.google.com";
94 static const char kMapsDotGoogleDotCom[] = "maps.google.com";
95 static const char kWWWDotYoutubeDotCom[] = "www.youtube.com";
96 static const char kDotGoogleUserContentDotCom[] = ".googleusercontent.com";
97 static const char kGoogleReaderPathPrefix[] = "/reader/";
98 static const char kGoogleSupportPathPrefix[] = "/support/";
99 static const char kGoogleIntlPathPrefix[] = "/intl/";
100 static const char kDotJS[] = ".js";
101 static const char kDotCSS[] = ".css";
102 static const char kDotSWF[] = ".swf";
103 static const char kDotHTML[] = ".html";
104
105 // Constants for mixed-content blocking.
106 static const char kGoogleDotCom[] = "google.com";
107
108 static bool IsHostInDomain(const std::string& host, const std::string& domain) {
109 return (EndsWith(host, domain, false) &&
110 (host.length() == domain.length() ||
111 (host.length() > domain.length() &&
112 host[host.length() - domain.length() - 1] == '.')));
113 }
114
115 GURL GetOriginOrURL(const WebFrame* frame) {
116 WebString top_origin = frame->top()->document().securityOrigin().toString();
117 // The the |top_origin| is unique ("null") e.g., for file:// URLs. Use the
118 // document URL as the primary URL in those cases.
119 if (top_origin == "null")
120 return frame->top()->document().url();
121 return GURL(top_origin);
122 }
123
124 ContentSetting GetContentSettingFromRules(
125 const ContentSettingsForOneType& rules,
126 const WebFrame* frame,
127 const GURL& secondary_url) {
128 ContentSettingsForOneType::const_iterator it;
129 // If there is only one rule, it's the default rule and we don't need to match
130 // the patterns.
131 if (rules.size() == 1) {
132 DCHECK(rules[0].primary_pattern == ContentSettingsPattern::Wildcard());
133 DCHECK(rules[0].secondary_pattern == ContentSettingsPattern::Wildcard());
134 return rules[0].setting;
135 }
136 const GURL& primary_url = GetOriginOrURL(frame);
137 for (it = rules.begin(); it != rules.end(); ++it) {
138 if (it->primary_pattern.Matches(primary_url) &&
139 it->secondary_pattern.Matches(secondary_url)) {
140 return it->setting;
141 }
142 }
143 NOTREACHED();
144 return CONTENT_SETTING_DEFAULT;
145 }
146
147 } // namespace
148
149 ContentSettingsObserver::ContentSettingsObserver(
150 content::RenderFrame* render_frame,
151 extensions::Dispatcher* extension_dispatcher)
152 : content::RenderFrameObserver(render_frame),
153 content::RenderFrameObserverTracker<ContentSettingsObserver>(
154 render_frame),
155 #if defined(ENABLE_EXTENSIONS)
156 extension_dispatcher_(extension_dispatcher),
157 #endif
158 allow_displaying_insecure_content_(false),
159 allow_running_insecure_content_(false),
160 content_setting_rules_(NULL),
161 is_interstitial_page_(false),
162 npapi_plugins_blocked_(false),
163 current_request_id_(0) {
164 ClearBlockedContentSettings();
165 render_frame->GetWebFrame()->setPermissionClient(this);
166
167 if (render_frame->GetRenderView()->GetMainRenderFrame() != render_frame) {
168 // Copy all the settings from the main render frame to avoid race conditions
169 // when initializing this data. See http://crbug.com/333308.
170 ContentSettingsObserver* parent = ContentSettingsObserver::Get(
171 render_frame->GetRenderView()->GetMainRenderFrame());
172 allow_displaying_insecure_content_ =
173 parent->allow_displaying_insecure_content_;
174 allow_running_insecure_content_ = parent->allow_running_insecure_content_;
175 temporarily_allowed_plugins_ = parent->temporarily_allowed_plugins_;
176 is_interstitial_page_ = parent->is_interstitial_page_;
177 npapi_plugins_blocked_ = parent->npapi_plugins_blocked_;
178 }
179 }
180
181 ContentSettingsObserver::~ContentSettingsObserver() {
182 }
183
184 void ContentSettingsObserver::SetContentSettingRules(
185 const RendererContentSettingRules* content_setting_rules) {
186 content_setting_rules_ = content_setting_rules;
187 }
188
189 bool ContentSettingsObserver::IsPluginTemporarilyAllowed(
190 const std::string& identifier) {
191 // If the empty string is in here, it means all plug-ins are allowed.
192 // TODO(bauerb): Remove this once we only pass in explicit identifiers.
193 return (temporarily_allowed_plugins_.find(identifier) !=
194 temporarily_allowed_plugins_.end()) ||
195 (temporarily_allowed_plugins_.find(std::string()) !=
196 temporarily_allowed_plugins_.end());
197 }
198
199 void ContentSettingsObserver::DidBlockContentType(
200 ContentSettingsType settings_type) {
201 if (!content_blocked_[settings_type]) {
202 content_blocked_[settings_type] = true;
203 Send(new ChromeViewHostMsg_ContentBlocked(routing_id(), settings_type));
204 }
205 }
206
207 bool ContentSettingsObserver::OnMessageReceived(const IPC::Message& message) {
208 bool handled = true;
209 IPC_BEGIN_MESSAGE_MAP(ContentSettingsObserver, message)
210 IPC_MESSAGE_HANDLER(ChromeViewMsg_SetAsInterstitial, OnSetAsInterstitial)
211 IPC_MESSAGE_HANDLER(ChromeViewMsg_NPAPINotSupported, OnNPAPINotSupported)
212 IPC_MESSAGE_HANDLER(ChromeViewMsg_SetAllowDisplayingInsecureContent,
213 OnSetAllowDisplayingInsecureContent)
214 IPC_MESSAGE_HANDLER(ChromeViewMsg_SetAllowRunningInsecureContent,
215 OnSetAllowRunningInsecureContent)
216 IPC_MESSAGE_HANDLER(ChromeViewMsg_ReloadFrame, OnReloadFrame);
217 IPC_MESSAGE_HANDLER(ChromeViewMsg_RequestFileSystemAccessAsyncResponse,
218 OnRequestFileSystemAccessAsyncResponse)
219 IPC_MESSAGE_UNHANDLED(handled = false)
220 IPC_END_MESSAGE_MAP()
221 if (handled)
222 return true;
223
224 // Don't swallow LoadBlockedPlugins messages, as they're sent to every
225 // blocked plugin.
226 IPC_BEGIN_MESSAGE_MAP(ContentSettingsObserver, message)
227 IPC_MESSAGE_HANDLER(ChromeViewMsg_LoadBlockedPlugins, OnLoadBlockedPlugins)
228 IPC_END_MESSAGE_MAP()
229
230 return false;
231 }
232
233 void ContentSettingsObserver::DidCommitProvisionalLoad(bool is_new_navigation) {
234 WebFrame* frame = render_frame()->GetWebFrame();
235 if (frame->parent())
236 return; // Not a top-level navigation.
237
238 DocumentState* document_state = DocumentState::FromDataSource(
239 frame->dataSource());
240 NavigationState* navigation_state = document_state->navigation_state();
241 if (!navigation_state->was_within_same_page()) {
242 // Clear "block" flags for the new page. This needs to happen before any of
243 // |allowScript()|, |allowScriptFromSource()|, |allowImage()|, or
244 // |allowPlugins()| is called for the new page so that these functions can
245 // correctly detect that a piece of content flipped from "not blocked" to
246 // "blocked".
247 ClearBlockedContentSettings();
248 temporarily_allowed_plugins_.clear();
249 }
250
251 GURL url = frame->document().url();
252 // If we start failing this DCHECK, please makes sure we don't regress
253 // this bug: http://code.google.com/p/chromium/issues/detail?id=79304
254 DCHECK(frame->document().securityOrigin().toString() == "null" ||
255 !url.SchemeIs(url::kDataScheme));
256 }
257
258 bool ContentSettingsObserver::allowDatabase(const WebString& name,
259 const WebString& display_name,
260 unsigned long estimated_size) {
261 WebFrame* frame = render_frame()->GetWebFrame();
262 if (frame->document().securityOrigin().isUnique() ||
263 frame->top()->document().securityOrigin().isUnique())
264 return false;
265
266 bool result = false;
267 Send(new ChromeViewHostMsg_AllowDatabase(
268 routing_id(), GURL(frame->document().securityOrigin().toString()),
269 GURL(frame->top()->document().securityOrigin().toString()),
270 name, display_name, &result));
271 return result;
272 }
273
274 void ContentSettingsObserver::requestFileSystemAccessAsync(
275 const WebPermissionCallbacks& callbacks) {
276 WebFrame* frame = render_frame()->GetWebFrame();
277 if (frame->document().securityOrigin().isUnique() ||
278 frame->top()->document().securityOrigin().isUnique()) {
279 WebPermissionCallbacks permissionCallbacks(callbacks);
280 permissionCallbacks.doDeny();
281 return;
282 }
283 ++current_request_id_;
284 std::pair<PermissionRequestMap::iterator, bool> insert_result =
285 permission_requests_.insert(
286 std::make_pair(current_request_id_, callbacks));
287
288 // Verify there are no duplicate insertions.
289 DCHECK(insert_result.second);
290
291 Send(new ChromeViewHostMsg_RequestFileSystemAccessAsync(
292 routing_id(),
293 current_request_id_,
294 GURL(frame->document().securityOrigin().toString()),
295 GURL(frame->top()->document().securityOrigin().toString())));
296 }
297
298 bool ContentSettingsObserver::allowImage(bool enabled_per_settings,
299 const WebURL& image_url) {
300 bool allow = enabled_per_settings;
301 if (enabled_per_settings) {
302 if (is_interstitial_page_)
303 return true;
304
305 if (IsWhitelistedForContentSettings(render_frame()))
306 return true;
307
308 if (content_setting_rules_) {
309 GURL secondary_url(image_url);
310 allow =
311 GetContentSettingFromRules(content_setting_rules_->image_rules,
312 render_frame()->GetWebFrame(),
313 secondary_url) != CONTENT_SETTING_BLOCK;
314 }
315 }
316 if (!allow)
317 DidBlockContentType(CONTENT_SETTINGS_TYPE_IMAGES);
318 return allow;
319 }
320
321 bool ContentSettingsObserver::allowIndexedDB(const WebString& name,
322 const WebSecurityOrigin& origin) {
323 WebFrame* frame = render_frame()->GetWebFrame();
324 if (frame->document().securityOrigin().isUnique() ||
325 frame->top()->document().securityOrigin().isUnique())
326 return false;
327
328 bool result = false;
329 Send(new ChromeViewHostMsg_AllowIndexedDB(
330 routing_id(), GURL(frame->document().securityOrigin().toString()),
331 GURL(frame->top()->document().securityOrigin().toString()),
332 name, &result));
333 return result;
334 }
335
336 bool ContentSettingsObserver::allowPlugins(bool enabled_per_settings) {
337 return enabled_per_settings;
338 }
339
340 bool ContentSettingsObserver::allowScript(bool enabled_per_settings) {
341 if (!enabled_per_settings)
342 return false;
343 if (is_interstitial_page_)
344 return true;
345
346 WebFrame* frame = render_frame()->GetWebFrame();
347 std::map<WebFrame*, bool>::const_iterator it =
348 cached_script_permissions_.find(frame);
349 if (it != cached_script_permissions_.end())
350 return it->second;
351
352 // Evaluate the content setting rules before
353 // |IsWhitelistedForContentSettings|; if there is only the default rule
354 // allowing all scripts, it's quicker this way.
355 bool allow = true;
356 if (content_setting_rules_) {
357 ContentSetting setting = GetContentSettingFromRules(
358 content_setting_rules_->script_rules,
359 frame,
360 GURL(frame->document().securityOrigin().toString()));
361 allow = setting != CONTENT_SETTING_BLOCK;
362 }
363 allow = allow || IsWhitelistedForContentSettings(render_frame());
364
365 cached_script_permissions_[frame] = allow;
366 return allow;
367 }
368
369 bool ContentSettingsObserver::allowScriptFromSource(
370 bool enabled_per_settings,
371 const blink::WebURL& script_url) {
372 if (!enabled_per_settings)
373 return false;
374 if (is_interstitial_page_)
375 return true;
376
377 bool allow = true;
378 if (content_setting_rules_) {
379 ContentSetting setting =
380 GetContentSettingFromRules(content_setting_rules_->script_rules,
381 render_frame()->GetWebFrame(),
382 GURL(script_url));
383 allow = setting != CONTENT_SETTING_BLOCK;
384 }
385 return allow || IsWhitelistedForContentSettings(render_frame());
386 }
387
388 bool ContentSettingsObserver::allowStorage(bool local) {
389 WebFrame* frame = render_frame()->GetWebFrame();
390 if (frame->document().securityOrigin().isUnique() ||
391 frame->top()->document().securityOrigin().isUnique())
392 return false;
393 bool result = false;
394
395 StoragePermissionsKey key(
396 GURL(frame->document().securityOrigin().toString()), local);
397 std::map<StoragePermissionsKey, bool>::const_iterator permissions =
398 cached_storage_permissions_.find(key);
399 if (permissions != cached_storage_permissions_.end())
400 return permissions->second;
401
402 Send(new ChromeViewHostMsg_AllowDOMStorage(
403 routing_id(), GURL(frame->document().securityOrigin().toString()),
404 GURL(frame->top()->document().securityOrigin().toString()),
405 local, &result));
406 cached_storage_permissions_[key] = result;
407 return result;
408 }
409
410 bool ContentSettingsObserver::allowReadFromClipboard(bool default_value) {
411 bool allowed = false;
412 #if defined(ENABLE_EXTENSIONS)
413 WebFrame* frame = render_frame()->GetWebFrame();
414 // TODO(dcheng): Should we consider a toURL() method on WebSecurityOrigin?
415 Send(new ChromeViewHostMsg_CanTriggerClipboardRead(
416 GURL(frame->document().securityOrigin().toString()), &allowed));
417 #endif
418 return allowed;
419 }
420
421 bool ContentSettingsObserver::allowWriteToClipboard(bool default_value) {
422 bool allowed = false;
423 #if defined(ENABLE_EXTENSIONS)
424 WebFrame* frame = render_frame()->GetWebFrame();
425 Send(new ChromeViewHostMsg_CanTriggerClipboardWrite(
426 GURL(frame->document().securityOrigin().toString()), &allowed));
427 #endif
428 return allowed;
429 }
430
431 bool ContentSettingsObserver::allowMutationEvents(bool default_value) {
432 return IsPlatformApp() ? false : default_value;
433 }
434
435 bool ContentSettingsObserver::allowPushState() {
436 return !IsPlatformApp();
437 }
438
439 static void SendInsecureContentSignal(int signal) {
440 UMA_HISTOGRAM_ENUMERATION("SSL.InsecureContent", signal,
441 INSECURE_CONTENT_NUM_EVENTS);
442 }
443
444 bool ContentSettingsObserver::allowDisplayingInsecureContent(
445 bool allowed_per_settings,
446 const blink::WebSecurityOrigin& origin,
447 const blink::WebURL& resource_url) {
448 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY);
449
450 std::string origin_host(origin.host().utf8());
451 WebFrame* frame = render_frame()->GetWebFrame();
452 GURL frame_gurl(frame->document().url());
453 if (IsHostInDomain(origin_host, kGoogleDotCom)) {
454 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE);
455 if (StartsWithASCII(frame_gurl.path(), kGoogleSupportPathPrefix, false)) {
456 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_SUPPORT);
457 } else if (StartsWithASCII(frame_gurl.path(),
458 kGoogleIntlPathPrefix,
459 false)) {
460 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_INTL);
461 }
462 }
463
464 if (origin_host == kWWWDotGoogleDotCom) {
465 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_WWW_GOOGLE);
466 if (StartsWithASCII(frame_gurl.path(), kGoogleReaderPathPrefix, false))
467 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GOOGLE_READER);
468 } else if (origin_host == kMailDotGoogleDotCom) {
469 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_MAIL_GOOGLE);
470 } else if (origin_host == kPlusDotGoogleDotCom) {
471 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_PLUS_GOOGLE);
472 } else if (origin_host == kDocsDotGoogleDotCom) {
473 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_DOCS_GOOGLE);
474 } else if (origin_host == kSitesDotGoogleDotCom) {
475 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_SITES_GOOGLE);
476 } else if (origin_host == kPicasawebDotGoogleDotCom) {
477 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_PICASAWEB_GOOGLE);
478 } else if (origin_host == kCodeDotGoogleDotCom) {
479 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_CODE_GOOGLE);
480 } else if (origin_host == kGroupsDotGoogleDotCom) {
481 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_GROUPS_GOOGLE);
482 } else if (origin_host == kMapsDotGoogleDotCom) {
483 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_MAPS_GOOGLE);
484 } else if (origin_host == kWWWDotYoutubeDotCom) {
485 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HOST_YOUTUBE);
486 }
487
488 GURL resource_gurl(resource_url);
489 if (EndsWith(resource_gurl.path(), kDotHTML, false))
490 SendInsecureContentSignal(INSECURE_CONTENT_DISPLAY_HTML);
491
492 if (allowed_per_settings || allow_displaying_insecure_content_)
493 return true;
494
495 Send(new ChromeViewHostMsg_DidBlockDisplayingInsecureContent(routing_id()));
496
497 return false;
498 }
499
500 bool ContentSettingsObserver::allowRunningInsecureContent(
501 bool allowed_per_settings,
502 const blink::WebSecurityOrigin& origin,
503 const blink::WebURL& resource_url) {
504 std::string origin_host(origin.host().utf8());
505 WebFrame* frame = render_frame()->GetWebFrame();
506 GURL frame_gurl(frame->document().url());
507 DCHECK_EQ(frame_gurl.host(), origin_host);
508
509 bool is_google = IsHostInDomain(origin_host, kGoogleDotCom);
510 if (is_google) {
511 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE);
512 if (StartsWithASCII(frame_gurl.path(), kGoogleSupportPathPrefix, false)) {
513 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE_SUPPORT);
514 } else if (StartsWithASCII(frame_gurl.path(),
515 kGoogleIntlPathPrefix,
516 false)) {
517 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE_INTL);
518 }
519 }
520
521 if (origin_host == kWWWDotGoogleDotCom) {
522 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_WWW_GOOGLE);
523 if (StartsWithASCII(frame_gurl.path(), kGoogleReaderPathPrefix, false))
524 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLE_READER);
525 } else if (origin_host == kMailDotGoogleDotCom) {
526 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_MAIL_GOOGLE);
527 } else if (origin_host == kPlusDotGoogleDotCom) {
528 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_PLUS_GOOGLE);
529 } else if (origin_host == kDocsDotGoogleDotCom) {
530 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_DOCS_GOOGLE);
531 } else if (origin_host == kSitesDotGoogleDotCom) {
532 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_SITES_GOOGLE);
533 } else if (origin_host == kPicasawebDotGoogleDotCom) {
534 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_PICASAWEB_GOOGLE);
535 } else if (origin_host == kCodeDotGoogleDotCom) {
536 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_CODE_GOOGLE);
537 } else if (origin_host == kGroupsDotGoogleDotCom) {
538 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GROUPS_GOOGLE);
539 } else if (origin_host == kMapsDotGoogleDotCom) {
540 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_MAPS_GOOGLE);
541 } else if (origin_host == kWWWDotYoutubeDotCom) {
542 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_YOUTUBE);
543 } else if (EndsWith(origin_host, kDotGoogleUserContentDotCom, false)) {
544 SendInsecureContentSignal(INSECURE_CONTENT_RUN_HOST_GOOGLEUSERCONTENT);
545 }
546
547 GURL resource_gurl(resource_url);
548 if (resource_gurl.host() == kWWWDotYoutubeDotCom)
549 SendInsecureContentSignal(INSECURE_CONTENT_RUN_TARGET_YOUTUBE);
550
551 if (EndsWith(resource_gurl.path(), kDotJS, false))
552 SendInsecureContentSignal(INSECURE_CONTENT_RUN_JS);
553 else if (EndsWith(resource_gurl.path(), kDotCSS, false))
554 SendInsecureContentSignal(INSECURE_CONTENT_RUN_CSS);
555 else if (EndsWith(resource_gurl.path(), kDotSWF, false))
556 SendInsecureContentSignal(INSECURE_CONTENT_RUN_SWF);
557
558 if (!allow_running_insecure_content_ && !allowed_per_settings) {
559 DidBlockContentType(CONTENT_SETTINGS_TYPE_MIXEDSCRIPT);
560 return false;
561 }
562
563 return true;
564 }
565
566 void ContentSettingsObserver::didNotAllowPlugins() {
567 DidBlockContentType(CONTENT_SETTINGS_TYPE_PLUGINS);
568 }
569
570 void ContentSettingsObserver::didNotAllowScript() {
571 DidBlockContentType(CONTENT_SETTINGS_TYPE_JAVASCRIPT);
572 }
573
574 bool ContentSettingsObserver::AreNPAPIPluginsBlocked() const {
575 return npapi_plugins_blocked_;
576 }
577
578 void ContentSettingsObserver::OnLoadBlockedPlugins(
579 const std::string& identifier) {
580 temporarily_allowed_plugins_.insert(identifier);
581 }
582
583 void ContentSettingsObserver::OnSetAsInterstitial() {
584 is_interstitial_page_ = true;
585 }
586
587 void ContentSettingsObserver::OnNPAPINotSupported() {
588 npapi_plugins_blocked_ = true;
589 }
590
591 void ContentSettingsObserver::OnSetAllowDisplayingInsecureContent(bool allow) {
592 allow_displaying_insecure_content_ = allow;
593 }
594
595 void ContentSettingsObserver::OnSetAllowRunningInsecureContent(bool allow) {
596 allow_running_insecure_content_ = allow;
597 OnSetAllowDisplayingInsecureContent(allow);
598 }
599
600 void ContentSettingsObserver::OnReloadFrame() {
601 DCHECK(!render_frame()->GetWebFrame()->parent()) <<
602 "Should only be called on the main frame";
603 render_frame()->GetWebFrame()->reload();
604 }
605
606 void ContentSettingsObserver::OnRequestFileSystemAccessAsyncResponse(
607 int request_id,
608 bool allowed) {
609 PermissionRequestMap::iterator it = permission_requests_.find(request_id);
610 if (it == permission_requests_.end())
611 return;
612
613 WebPermissionCallbacks callbacks = it->second;
614 permission_requests_.erase(it);
615
616 if (allowed) {
617 callbacks.doAllow();
618 return;
619 }
620 callbacks.doDeny();
621 }
622
623 void ContentSettingsObserver::ClearBlockedContentSettings() {
624 for (size_t i = 0; i < arraysize(content_blocked_); ++i)
625 content_blocked_[i] = false;
626 cached_storage_permissions_.clear();
627 cached_script_permissions_.clear();
628 }
629
630 bool ContentSettingsObserver::IsPlatformApp() {
631 #if defined(ENABLE_EXTENSIONS)
632 WebFrame* frame = render_frame()->GetWebFrame();
633 WebSecurityOrigin origin = frame->document().securityOrigin();
634 const extensions::Extension* extension = GetExtension(origin);
635 return extension && extension->is_platform_app();
636 #else
637 return false;
638 #endif
639 }
640
641 #if defined(ENABLE_EXTENSIONS)
642 const extensions::Extension* ContentSettingsObserver::GetExtension(
643 const WebSecurityOrigin& origin) const {
644 if (!EqualsASCII(origin.protocol(), extensions::kExtensionScheme))
645 return NULL;
646
647 const std::string extension_id = origin.host().utf8().data();
648 if (!extension_dispatcher_->IsExtensionActive(extension_id))
649 return NULL;
650
651 return extension_dispatcher_->extensions()->GetByID(extension_id);
652 }
653 #endif
654
655 bool ContentSettingsObserver::IsWhitelistedForContentSettings(
656 content::RenderFrame* frame) {
657 // Whitelist Instant processes.
658 if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kInstantProcess))
659 return true;
660
661 // Whitelist ftp directory listings, as they require JavaScript to function
662 // properly.
663 if (frame->IsFTPDirectoryListing())
664 return true;
665
666 WebFrame* web_frame = frame->GetWebFrame();
667 return IsWhitelistedForContentSettings(web_frame->document().securityOrigin(),
668 web_frame->document().url());
669 }
670
671 bool ContentSettingsObserver::IsWhitelistedForContentSettings(
672 const WebSecurityOrigin& origin,
673 const GURL& document_url) {
674 if (document_url == GURL(content::kUnreachableWebDataURL))
675 return true;
676
677 if (origin.isUnique())
678 return false; // Uninitialized document?
679
680 if (EqualsASCII(origin.protocol(), content::kChromeUIScheme))
681 return true; // Browser UI elements should still work.
682
683 if (EqualsASCII(origin.protocol(), content::kChromeDevToolsScheme))
684 return true; // DevTools UI elements should still work.
685
686 #if defined(ENABLE_EXTENSIONS)
687 if (EqualsASCII(origin.protocol(), extensions::kExtensionScheme))
688 return true;
689 #endif
690
691 // TODO(creis, fsamuel): Remove this once the concept of swapped out
692 // RenderFrames goes away.
693 if (document_url == GURL(content::kSwappedOutURL))
694 return true;
695
696 // If the scheme is file:, an empty file name indicates a directory listing,
697 // which requires JavaScript to function properly.
698 if (EqualsASCII(origin.protocol(), url::kFileScheme)) {
699 return document_url.SchemeIs(url::kFileScheme) &&
700 document_url.ExtractFileName().empty();
701 }
702
703 return false;
704 }