Changeset 55335 in webkit


Timestamp: Feb 26, 2010 7:20:22 PM (14 years ago)
Author: eric@webkit.org
Message:

2010-02-26 Adam Barth <abarth@webkit.org>

Reviewed by Darin Fisher.

Expose an API for ports to add schemes to the mixed content whitelist
https://bugs.webkit.org/show_bug.cgi?id=35438

Add a notion of a "secure" scheme that doesn't trigger mixed content
warnings. Let folks register new secure schemes in the same way they
can register "local" schemes.

  • loader/FrameLoader.cpp: (WebCore::FrameLoader::isMixedContent):
  • page/SecurityOrigin.cpp: (WebCore::secureSchemes): (WebCore::SecurityOrigin::registerURLSchemeAsSecure): (WebCore::SecurityOrigin::shouldTreatURLSchemeAsSecure):
  • page/SecurityOrigin.h:

2010-02-26 Adam Barth <abarth@webkit.org>

Reviewed by Darin Fisher.

Expose an API for ports to add schemes to the mixed content whitelist
https://bugs.webkit.org/show_bug.cgi?id=35438

Expose registerURLSchemeAsSecure via the WebKit API.

  • public/WebSecurityPolicy.h:
  • src/WebSecurityPolicy.cpp: (WebKit::WebSecurityPolicy::registerURLSchemeAsSecure):
Location: trunk
Files: 7 edited

  • trunk/WebCore/ChangeLog

    r55334 r55335  
     12010-02-26  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Darin Fisher.
     4
     5        Expose an API for ports to add schemes to the mixed content whitelist
     6        https://bugs.webkit.org/show_bug.cgi?id=35438
     7
     8        Add a notion of a "secure" scheme that doesn't trigger mixed content
     9        warnings.  Let folks register new secure schemes in the same way they
     10        can register "local" schemes.
     11
     12        * loader/FrameLoader.cpp:
     13        (WebCore::FrameLoader::isMixedContent):
     14        * page/SecurityOrigin.cpp:
     15        (WebCore::secureSchemes):
     16        (WebCore::SecurityOrigin::registerURLSchemeAsSecure):
     17        (WebCore::SecurityOrigin::shouldTreatURLSchemeAsSecure):
     18        * page/SecurityOrigin.h:
     19
    1202010-02-26  Noam Rosenthal  <noam.rosenthal@nokia.com>
    221
  • trunk/WebCore/loader/FrameLoader.cpp

    r55207 r55335  
    14011401        return false;  // We only care about HTTPS security origins.
    14021402
    1403     if (!url.isValid() || url.protocolIs("https") || url.protocolIs("about") || url.protocolIs("data"))
     1403    if (!url.isValid() || SecurityOrigin::shouldTreatURLSchemeAsSecure(url.protocol()))
    14041404        return false;  // Loading these protocols is secure.
    14051405
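
Review bot: The new condition on line 1403 looks the scheme up by passing url.protocol() to shouldTreatURLSchemeAsSecure(), where the removed line compared through url.protocolIs(). Confirm the two agree on letter case, so that a URL whose scheme arrives as "HTTPS" is still treated as secure; if url.protocol() is not guaranteed to be lowercase, normalise before the lookup. The trailing comment "Loading these protocols is secure" could also say that the list now lives in SecurityOrigin.
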
  • trunk/WebCore/page/SecurityOrigin.cpp

    r54873 r55335  
    6464
    6565    return localSchemes;
     66}
     67
     68static URLSchemesMap& secureSchemes()
     69{
     70    DEFINE_STATIC_LOCAL(URLSchemesMap, secureSchemes, ());
     71
     72    if (secureSchemes.isEmpty()) {
     73        secureSchemes.add("https");
     74        secureSchemes.add("about");
     75        secureSchemes.add("data");
     76    }
     77
     78    return secureSchemes;
    6679}
    6780
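
Review bot: secureSchemes() hands back a mutable, process-wide set that is seeded lazily by the isEmpty() check on lines 72-76, and nothing here says which thread may touch it. If shouldTreatURLSchemeAsSecure() can be reached off the main thread, the lazy seed and a later add() can race; a comment stating the threading rule, or an assertion, would make that explicit. Minor style point: the static local on line 70 has the same name as the enclosing function.
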
     
    478491}
    479492
     493void SecurityOrigin::registerURLSchemeAsSecure(const String& scheme)
     494{
     495    secureSchemes().add(scheme);
     496}
     497
     498bool SecurityOrigin::shouldTreatURLSchemeAsSecure(const String& scheme)
     499{
     500    return secureSchemes().contains(scheme);
     501}
     502
    480503bool SecurityOrigin::shouldHideReferrer(const KURL& url, const String& referrer)
    481504{
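
Review bot: registerURLSchemeAsSecure() on lines 493-496 stores the string exactly as given, with no lowercasing and no rejection of an empty scheme. Whether a port that registers "Foo" then gets a match from contains() on line 500 depends on how URLSchemesMap hashes, which is not visible in this hunk. Suggest normalising or asserting on the input here. There is also no way to unregister, so a registration lasts for the life of the process.
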
  • trunk/WebCore/page/SecurityOrigin.h

    r54873 r55335  
    175175    static bool shouldTreatURLSchemeAsLocal(const String&);
    176176
     177    // Secure schemes do not trigger mixed content warnings. For example,
     178    // https and data are secure schemes because they cannot be corrupted by
     179    // active network attackers.
     180    static void registerURLSchemeAsSecure(const String&);
     181    static bool shouldTreatURLSchemeAsSecure(const String&);
     182
    177183    static bool shouldHideReferrer(const KURL&, const String& referrer);
    178184
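
Review bot: The comment on lines 177-179 gives the reason https and data qualify but does not state it as a requirement on callers of registerURLSchemeAsSecure(). Suggest saying outright that a port must only register schemes whose content an active network attacker cannot alter, because registration suppresses the mixed content warning for every HTTPS page. The comment could also mention "about", which the default set in SecurityOrigin.cpp includes alongside https and data.
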
  • trunk/WebKit/chromium/ChangeLog

    r55321 r55335  
     12010-02-26  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Darin Fisher.
     4
     5        Expose an API for ports to add schemes to the mixed content whitelist
     6        https://bugs.webkit.org/show_bug.cgi?id=35438
     7
     8        Expose registerURLSchemeAsSecure via the WebKit API.
     9
     10        * public/WebSecurityPolicy.h:
     11        * src/WebSecurityPolicy.cpp:
     12        (WebKit::WebSecurityPolicy::registerURLSchemeAsSecure):
     13
    1142010-02-26  Brett Wilson  <brettw@chromium.org>
    215
  • trunk/WebKit/chromium/public/WebSecurityPolicy.h

    r52027 r55335  
    5151    WEBKIT_API static void registerURLSchemeAsNoAccess(const WebString&);
    5252
     53    // Registers a URL scheme to not generate mixed content warnings when
     54    // included by an HTTPS page.
     55    WEBKIT_API static void registerURLSchemeAsSecure(const WebString&);
     56
    5357    // Support for whitelisting access to origins beyond the same-origin policy.
    5458    WEBKIT_API static void whiteListAccessFromOrigin(
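
Review bot: The public comment on lines 53-54 describes the effect but drops the security condition that SecurityOrigin.h spells out. Embedders read this header, not the WebCore one, so the precondition (content of the scheme cannot be corrupted by an active network attacker) belongs here too, along with when the call is expected to happen relative to page loads.
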
  • trunk/WebKit/chromium/src/WebSecurityPolicy.cpp

    r52027 r55335  
    5252}
    5353
     54void WebSecurityPolicy::registerURLSchemeAsSecure(const WebString& scheme)
     55{
     56    SecurityOrigin::registerURLSchemeAsSecure(scheme);
     57}
     58
    5459void WebSecurityPolicy::whiteListAccessFromOrigin(const WebURL& sourceOrigin,
    5560    const WebString& destinationProtocol,
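
Review bot: The wrapper on lines 54-57 forwards straight to SecurityOrigin::registerURLSchemeAsSecure(), which is fine, but none of the seven files in this changeset is a test. A test that registers a scheme and checks that an HTTPS page loading it is no longer reported by FrameLoader::isMixedContent() would pin the behaviour down.
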