From 60c465352506b4ee35ec2b8f5c43afbfab80d801 Mon Sep 17 00:00:00 2001 
From: "tsepez@chromium.org" Date: Tue, 26 Jun 2012 23:18:31 +0000 Subject: [PATCH] [chromium] HTML5 audio/video tags - loading http content from https page doesn't trigger warning. https://bugs.webkit.org/show_bug.cgi?id=89906 Reviewed by Nate Chapin. This patch treats mixed CachedRawResources as affecting the display of insecure content. Source/WebCore: Tests: http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html http/tests/security/mixedContent/insecure-xhr-in-main-frame.html * loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::checkInsecureContent): LayoutTests: * http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt: Added. * http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html: Added. * http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt: Added. * http/tests/security/mixedContent/insecure-xhr-in-main-frame.html: Added. * http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html: Added. 
* platform/efl/TestExpectations: * platform/gtk/TestExpectations: * platform/mac/TestExpectations: * platform/qt/TestExpectations: * platform/win/TestExpectations: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121297 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- LayoutTests/ChangeLog | 20 ++++++++++++++++++ ...insecure-audio-video-in-main-frame-expected.txt | 5 +++++ .../insecure-audio-video-in-main-frame.html | 24 ++++++++++++++++++++++ .../insecure-xhr-in-main-frame-expected.txt | 5 +++++ .../mixedContent/insecure-xhr-in-main-frame.html | 24 ++++++++++++++++++++++ .../resources/frame-with-insecure-audio-video.html | 10 +++++++++ LayoutTests/platform/efl/TestExpectations | 2 ++ LayoutTests/platform/gtk/TestExpectations | 2 ++ LayoutTests/platform/mac/TestExpectations | 1 + LayoutTests/platform/qt/TestExpectations | 2 ++ LayoutTests/platform/win/TestExpectations | 2 ++ Source/WebCore/ChangeLog | 15 ++++++++++++++ .../WebCore/loader/cache/CachedResourceLoader.cpp | 2 +- 13 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt create mode 100644 LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html create mode 100644 LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt create mode 100644 LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html create mode 100644 LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index b75dec6..0da6bfc 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog 
@@ -1,3 +1,23 @@ +2012-06-26 Tom Sepez + + [chromium] HTML5 audio/video tags - loading http content from https page doesn't trigger warning. + https://bugs.webkit.org/show_bug.cgi?id=89906 + + Reviewed by Nate Chapin. + + This patch treats mixed CachedRawResources as affecting the display of insecure content. + + * http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt: Added. + * http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html: Added. + * http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt: Added. + * http/tests/security/mixedContent/insecure-xhr-in-main-frame.html: Added. + * http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html: Added. + * platform/efl/TestExpectations: + * platform/gtk/TestExpectations: + * platform/mac/TestExpectations: + * platform/qt/TestExpectations: + * platform/win/TestExpectations: + 2012-06-26 Joe Thomas background-size:0 shows as 1px instead of invisible diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt b/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt new file mode 100644 index 0000000..34ddd3c --- /dev/null +++ b/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt @@ -0,0 +1,5 @@ +CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-audio-video.html displayed insecure content from http://127.0.0.1:8080/resources/test.mp4. + +CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-audio-video.html displayed insecure content from http://127.0.0.1:8080/resources/test.mp4. + +This test opens a window that loads insecure HTML5 audio and video. We should trigger a mixed content callback because the main frame in the window is HTTPS but is displaying insecure content. 
diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html b/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html new file mode 100644 index 0000000..dce3527 --- /dev/null +++ b/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html @@ -0,0 +1,24 @@ + + + +

This test opens a window that loads insecure HTML5 audio and video. We should +trigger a mixed content callback because the main frame in the window is HTTPS but is +displaying insecure content.

+ + + diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt b/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt new file mode 100644 index 0000000..aa920f0 --- /dev/null +++ b/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt @@ -0,0 +1,5 @@ +CONSOLE MESSAGE: The page at https://127.0.0.1:8443/xmlhttprequest/access-control-response-with-body.html displayed insecure content from http://localhost:8000/xmlhttprequest/resources/access-control-allow-with-body.php. + +CONSOLE MESSAGE: The page at https://127.0.0.1:8443/xmlhttprequest/access-control-response-with-body.html displayed insecure content from http://localhost:8000/xmlhttprequest/resources/access-control-allow-with-body.php. + +This test opens a HTTPS window that loads insecure data via XHR. We should trigger a mixed content callback because the main frame in the window is HTTPS but now has insecure data. diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html b/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html new file mode 100644 index 0000000..bf422e9 --- /dev/null +++ b/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html @@ -0,0 +1,24 @@ + + + +

This test opens a HTTPS window that loads insecure data via XHR. We should +trigger a mixed content callback because the main frame in the window is HTTPS but +now has insecure data.

+ + + diff --git a/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html b/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html new file mode 100644 index 0000000..3cd204c --- /dev/null +++ b/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html @@ -0,0 +1,10 @@ + + + + + diff --git a/LayoutTests/platform/efl/TestExpectations b/LayoutTests/platform/efl/TestExpectations index 508cae5..0738706 100644 --- a/LayoutTests/platform/efl/TestExpectations +++ b/LayoutTests/platform/efl/TestExpectations @@ -714,3 +714,5 @@ BUGWK88984 : css3/flexbox/flexitem.html = TEXT // Failing after r121121 on both GTK and EFL BUGWK89845 : fast/forms/input-set-composition-scroll.html = TEXT + +BUGWK90007 : http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html = TEXT diff --git a/LayoutTests/platform/gtk/TestExpectations b/LayoutTests/platform/gtk/TestExpectations index 5a11e3b..6684401 100644 --- a/LayoutTests/platform/gtk/TestExpectations +++ b/LayoutTests/platform/gtk/TestExpectations @@ -1244,6 +1244,8 @@ BUGWK84037 : fast/text/international/spaces-combined-in-vertical-text.html = TEX // Failing after r121121 on both GTK and EFL BUGWK89845 : fast/forms/input-set-composition-scroll.html = TEXT +BUGWK90007 : http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html = TEXT + ////////////////////////////////////////////////////////////////////////////////////////// // End of Tests failing ////////////////////////////////////////////////////////////////////////////////////////// diff --git a/LayoutTests/platform/mac/TestExpectations b/LayoutTests/platform/mac/TestExpectations index 9dec4f9..ef124b6 100644 --- a/LayoutTests/platform/mac/TestExpectations +++ b/LayoutTests/platform/mac/TestExpectations 
@@ -279,3 +279,4 @@ BUGWK85918 : compositing/backface-visibility/backface-visibility-non3d.html = IM // Disable webaudio codec tests, including proprietary codecs. BUGWK88794 SKIP : webaudio/codec-tests = PASS +BUGWK90007 : http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html = TEXT diff --git a/LayoutTests/platform/qt/TestExpectations b/LayoutTests/platform/qt/TestExpectations index 5dc35a5..5f5bc19 100644 --- a/LayoutTests/platform/qt/TestExpectations +++ b/LayoutTests/platform/qt/TestExpectations @@ -102,3 +102,5 @@ BUGWK85463 SKIP : editing/inserting/typing-space-to-trigger-smart-link.html = PA // Disable webaudio codec tests, including proprietary codecs. BUGWK88794 SKIP : webaudio/codec-tests = PASS + +BUGWK90007 : http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html = TEXT diff --git a/LayoutTests/platform/win/TestExpectations b/LayoutTests/platform/win/TestExpectations index 03cc69c..5646811 100644 --- a/LayoutTests/platform/win/TestExpectations +++ b/LayoutTests/platform/win/TestExpectations @@ -4,3 +4,5 @@ // Requires rebaseline after bug 85031 BUGWK85565 : fast/block/float/016.html = IMAGE BUGWK85565 : fast/css/border-solid-single-edge-antialias.html = IMAGE + +BUGWK90007 : http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html = TEXT \ No newline at end of file diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 2a6a372..11f789a 100755 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog 
@@ -1,3 +1,18 @@
+2012-06-26 Tom Sepez
+
+ [chromium] HTML5 audio/video tags - loading http content from https page doesn't trigger warning.
+ https://bugs.webkit.org/show_bug.cgi?id=89906
+
+ Reviewed by Nate Chapin.
+
+ This patch treats mixed CachedRawResources as affecting the display of insecure content.
+
+ Tests: http/tests/security/mixedContent/insecure-audio-video-in-main-frame.html
+ http/tests/security/mixedContent/insecure-xhr-in-main-frame.html
+
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::checkInsecureContent):
+
 2012-06-26 Joe Thomas background-size:0 shows as 1px instead of invisible
diff --git a/Source/WebCore/loader/cache/CachedResourceLoader.cpp b/Source/WebCore/loader/cache/CachedResourceLoader.cpp
index 7e0c8fb..9006047 100644
--- a/Source/WebCore/loader/cache/CachedResourceLoader.cpp
+++ b/Source/WebCore/loader/cache/CachedResourceLoader.cpp
@@ -267,6 +267,7 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
 #if ENABLE(CSS_SHADERS)
 case CachedResource::ShaderResource:
 #endif
+ case CachedResource::RawResource:
 case CachedResource::ImageResource:
 case CachedResource::FontResource: {
 // These resources can corrupt only the frame's pixels.
@@ -277,7 +278,6 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
 }
 break;
 }
- case CachedResource::RawResource:
 #if ENABLE(LINK_PREFETCH)
 case CachedResource::LinkPrefetch:
 case CachedResource::LinkSubresource:
-- 2.7.4
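Review bot: The comment `// These resources can corrupt only the frame's pixels.` no longer holds for the `case CachedResource::RawResource:` label this patch adds above `ImageResource` in the first hunk, because the new insecure-xhr-in-main-frame test shows XHR responses take this path, and that data is handed to page script rather than painted. Filing it under the display-level check means an HTTPS page's XHR over HTTP is reported only as "displayed insecure content", which understates the risk if the page evaluates or inserts the response; it looks worth a follow-up on whether script-consumed raw loads should use the stricter check for script-capable resources, if this switch has one (not visible here). At minimum the comment should be reworded, e.g. `// These resources affect only what the frame displays; RawResource (XHR, media) is included here although script may consume its data.` The switch starts and ends outside both hunks, so the other branches cannot be checked from this patch.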