/* * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/) * Copyright (C) 2008 Alp Toker * Copyright (C) Research In Motion Limited 2009. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include "SubframeLoader.h" #include "Chrome.h" #include "ChromeClient.h" #include "ContentSecurityPolicy.h" #include "DiagnosticLoggingClient.h" #include "DiagnosticLoggingKeys.h" #include "Frame.h" #include "FrameLoader.h" #include "FrameLoaderClient.h" #include "HTMLAppletElement.h" #include "HTMLAudioElement.h" #include "HTMLFrameElementBase.h" #include "HTMLNames.h" #include "HTMLObjectElement.h" #include "MIMETypeRegistry.h" #include "MainFrame.h" #include "Page.h" #include "PluginData.h" #include "PluginDocument.h" #include "RenderEmbeddedObject.h" #include "RenderView.h" #include "ScriptController.h" #include "SecurityOrigin.h" #include "SecurityPolicy.h" #include "Settings.h" namespace WebCore { using namespace HTMLNames; SubframeLoader::SubframeLoader(Frame& frame) : m_containsPlugins(false) , m_frame(frame) { } void SubframeLoader::clear() { m_containsPlugins = false; } bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList) { // Support for URL scriptURL; URL url; if (protocolIsJavaScript(urlString)) { scriptURL = completeURL(urlString); // completeURL() encodes the URL. url = blankURL(); } else url = completeURL(urlString); if (!url.isValid()) url = blankURL(); Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); if (!frame) return false; if (!scriptURL.isEmpty()) frame->script().executeIfJavaScriptURL(scriptURL); return true; } bool SubframeLoader::resourceWillUsePlugin(const String& url, const String& mimeType) { URL completedURL; if (!url.isEmpty()) completedURL = completeURL(url); bool useFallback; return shouldUsePlugin(completedURL, mimeType, false, useFallback); } bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) const { if (!document()) return true; ASSERT(document()->contentSecurityPolicy()); const ContentSecurityPolicy& contentSecurityPolicy = *document()->contentSecurityPolicy(); String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ? document()->ownerElement()->fastGetAttribute(HTMLNames::typeAttr) : pluginElement.fastGetAttribute(HTMLNames::typeAttr); bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree(); return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree); } bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) { if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) { if (!m_frame.settings().isJavaEnabled()) return false; if (document() && document()->securityOrigin()->isLocal() && !m_frame.settings().isJavaEnabledForLocalFiles()) return false; } if (document()) { if (document()->isSandboxed(SandboxPlugins)) return false; if (!document()->securityOrigin()->canDisplay(url)) { FrameLoader::reportLocalLoadFailed(&m_frame, url.string()); return false; } if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) { RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject(); renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy); return false; } if (!m_frame.loader().mixedContentChecker().canRunInsecureContent(document()->securityOrigin(), url)) return false; } return true; } bool SubframeLoader::requestPlugin(HTMLPlugInImageElement& ownerElement, const URL& url, const String& mimeType, const Vector& paramNames, const Vector& paramValues, bool useFallback) { // Application plug-ins are plug-ins implemented by the user agent, for example Qt plug-ins, // as opposed to third-party code such as Flash. The user agent decides whether or not they are // permitted, rather than WebKit. if ((!allowPlugins() && !MIMETypeRegistry::isApplicationPluginMIMEType(mimeType))) return false; if (!pluginIsLoadable(ownerElement, url, mimeType)) return false; ASSERT(ownerElement.hasTagName(objectTag) || ownerElement.hasTagName(embedTag)); return loadPlugin(ownerElement, url, mimeType, paramNames, paramValues, useFallback); } static String findPluginMIMETypeFromURL(Page* page, const String& url) { if (!url) return String(); size_t dotIndex = url.reverseFind('.'); if (dotIndex == notFound) return String(); String extension = url.substring(dotIndex + 1); const PluginData& pluginData = page->pluginData(); Vector mimes; Vector mimePluginIndices; pluginData.getWebVisibleMimesAndPluginIndices(mimes, mimePluginIndices); for (auto& mime : mimes) { for (auto& mimeExtension : mime.extensions) { if (equalIgnoringASCIICase(extension, mimeExtension)) return mime.type; } } return String(); } static void logPluginRequest(Page* page, const String& mimeType, const String& url, bool success) { if (!page) return; String newMIMEType = mimeType; if (!newMIMEType) { // Try to figure out the MIME type from the URL extension. newMIMEType = findPluginMIMETypeFromURL(page, url); if (!newMIMEType) return; } String pluginFile = page->pluginData().pluginFileForWebVisibleMimeType(newMIMEType); String description = !pluginFile ? newMIMEType : pluginFile; DiagnosticLoggingClient& diagnosticLoggingClient = page->mainFrame().diagnosticLoggingClient(); diagnosticLoggingClient.logDiagnosticMessage(success ? DiagnosticLoggingKeys::pluginLoadedKey() : DiagnosticLoggingKeys::pluginLoadingFailedKey(), description, ShouldSample::No); if (!page->hasSeenAnyPlugin()) diagnosticLoggingClient.logDiagnosticMessage(DiagnosticLoggingKeys::pageContainsAtLeastOnePluginKey(), emptyString(), ShouldSample::No); if (!page->hasSeenPlugin(description)) diagnosticLoggingClient.logDiagnosticMessage(DiagnosticLoggingKeys::pageContainsPluginKey(), description, ShouldSample::No); page->sawPlugin(description); } bool SubframeLoader::requestObject(HTMLPlugInImageElement& ownerElement, const String& url, const AtomicString& frameName, const String& mimeType, const Vector& paramNames, const Vector& paramValues) { if (url.isEmpty() && mimeType.isEmpty()) return false; URL completedURL; if (!url.isEmpty()) completedURL = completeURL(url); bool hasFallbackContent = is(ownerElement) && downcast(ownerElement).hasFallbackContent(); bool useFallback; if (shouldUsePlugin(completedURL, mimeType, hasFallbackContent, useFallback)) { bool success = requestPlugin(ownerElement, completedURL, mimeType, paramNames, paramValues, useFallback); logPluginRequest(document()->page(), mimeType, completedURL, success); return success; } if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) { RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject(); renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy); return false; } // If the plug-in element already contains a subframe, loadOrRedirectSubframe will re-use it. Otherwise, // it will create a new frame and set it as the RenderWidget's Widget, causing what was previously // in the widget to be torn down. return loadOrRedirectSubframe(ownerElement, completedURL, frameName, LockHistory::Yes, LockBackForwardList::Yes); } PassRefPtr SubframeLoader::createJavaAppletWidget(const IntSize& size, HTMLAppletElement& element, const Vector& paramNames, const Vector& paramValues) { String baseURLString; String codeBaseURLString; for (size_t i = 0; i < paramNames.size(); ++i) { if (equalLettersIgnoringASCIICase(paramNames[i], "baseurl")) baseURLString = paramValues[i]; else if (equalLettersIgnoringASCIICase(paramNames[i], "codebase")) codeBaseURLString = paramValues[i]; } if (!codeBaseURLString.isEmpty()) { URL codeBaseURL = completeURL(codeBaseURLString); if (!element.document().securityOrigin()->canDisplay(codeBaseURL)) { FrameLoader::reportLocalLoadFailed(&m_frame, codeBaseURL.string()); return nullptr; } const char javaAppletMimeType[] = "application/x-java-applet"; bool isInUserAgentShadowTree = element.isInUserAgentShadowTree(); if (!element.document().contentSecurityPolicy()->allowObjectFromSource(codeBaseURL, isInUserAgentShadowTree) || !element.document().contentSecurityPolicy()->allowPluginType(javaAppletMimeType, javaAppletMimeType, codeBaseURL, isInUserAgentShadowTree)) return nullptr; } if (baseURLString.isEmpty()) baseURLString = m_frame.document()->baseURL().string(); URL baseURL = completeURL(baseURLString); RefPtr widget; if (allowPlugins()) widget = m_frame.loader().client().createJavaAppletWidget(size, &element, baseURL, paramNames, paramValues); logPluginRequest(document()->page(), element.serviceType(), String(), widget); if (!widget) { RenderEmbeddedObject* renderer = element.renderEmbeddedObject(); if (!renderer->isPluginUnavailable()) renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginMissing); return nullptr; } m_containsPlugins = true; return widget; } Frame* SubframeLoader::loadOrRedirectSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList) { Frame* frame = ownerElement.contentFrame(); if (frame) frame->navigationScheduler().scheduleLocationChange(m_frame.document(), m_frame.document()->securityOrigin(), url, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList); else frame = loadSubframe(ownerElement, url, frameName, m_frame.loader().outgoingReferrer()); if (!frame) return nullptr; ASSERT(ownerElement.contentFrame() == frame || !ownerElement.contentFrame()); return ownerElement.contentFrame(); } Frame* SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const String& name, const String& referrer) { Ref protect(m_frame); bool allowsScrolling = true; int marginWidth = -1; int marginHeight = -1; if (is(ownerElement)) { HTMLFrameElementBase& frameElementBase = downcast(ownerElement); allowsScrolling = frameElementBase.scrollingMode() != ScrollbarAlwaysOff; marginWidth = frameElementBase.marginWidth(); marginHeight = frameElementBase.marginHeight(); } if (!ownerElement.document().securityOrigin()->canDisplay(url)) { FrameLoader::reportLocalLoadFailed(&m_frame, url.string()); return nullptr; } if (!SubframeLoadingDisabler::canLoadFrame(ownerElement)) return nullptr; String referrerToUse = SecurityPolicy::generateReferrerHeader(ownerElement.document().referrerPolicy(), url, referrer); // Prevent initial empty document load from triggering load events. m_frame.document()->incrementLoadEventDelayCount(); RefPtr frame = m_frame.loader().client().createFrame(url, name, &ownerElement, referrerToUse, allowsScrolling, marginWidth, marginHeight); m_frame.document()->decrementLoadEventDelayCount(); if (!frame) { m_frame.loader().checkCallImplicitClose(); return nullptr; } // All new frames will have m_isComplete set to true at this point due to synchronously loading // an empty document in FrameLoader::init(). But many frames will now be starting an // asynchronous load of url, so we set m_isComplete to false and then check if the load is // actually completed below. (Note that we set m_isComplete to false even for synchronous // loads, so that checkCompleted() below won't bail early.) // FIXME: Can we remove this entirely? m_isComplete normally gets set to false when a load is committed. frame->loader().started(); auto* renderer = ownerElement.renderer(); FrameView* view = frame->view(); if (is(renderer) && view) downcast(*renderer).setWidget(view); m_frame.loader().checkCallImplicitClose(); // Some loads are performed synchronously (e.g., about:blank and loads // cancelled by returning a null ResourceRequest from requestFromDelegate). // In these cases, the synchronous load would have finished // before we could connect the signals, so make sure to send the // completed() signal for the child by hand and mark the load as being // complete. // FIXME: In this case the Frame will have finished loading before // it's being added to the child list. It would be a good idea to // create the child first, then invoke the loader separately. if (frame->loader().state() == FrameStateComplete && !frame->loader().policyDocumentLoader()) frame->loader().checkCompleted(); return frame.get(); } bool SubframeLoader::allowPlugins() { return m_frame.settings().arePluginsEnabled(); } bool SubframeLoader::shouldUsePlugin(const URL& url, const String& mimeType, bool hasFallback, bool& useFallback) { if (m_frame.loader().client().shouldAlwaysUsePluginDocument(mimeType)) { useFallback = false; return true; } ObjectContentType objectType = m_frame.loader().client().objectContentType(url, mimeType); // If an object's content can't be handled and it has no fallback, let // it be handled as a plugin to show the broken plugin icon. useFallback = objectType == ObjectContentNone && hasFallback; return objectType == ObjectContentNone || objectType == ObjectContentNetscapePlugin || objectType == ObjectContentOtherPlugin; } Document* SubframeLoader::document() const { return m_frame.document(); } bool SubframeLoader::loadPlugin(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType, const Vector& paramNames, const Vector& paramValues, bool useFallback) { if (useFallback) return false; RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject(); // FIXME: This code should not depend on renderer! if (!renderer) return false; pluginElement.subframeLoaderWillCreatePlugIn(url); IntSize contentSize = roundedIntSize(LayoutSize(renderer->contentWidth(), renderer->contentHeight())); bool loadManually = is(*document()) && !m_containsPlugins && downcast(*document()).shouldLoadPluginManually(); #if PLATFORM(IOS) // On iOS, we only tell the plugin to be in full page mode if the containing plugin document is the top level document. if (document()->ownerElement()) loadManually = false; #endif WeakPtr weakRenderer = renderer->createWeakPtr(); // createPlugin *may* cause this renderer to disappear from underneath. RefPtr widget = m_frame.loader().client().createPlugin(contentSize, &pluginElement, url, paramNames, paramValues, mimeType, loadManually); if (!weakRenderer) return false; if (!widget) { if (!renderer->isPluginUnavailable()) renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginMissing); return false; } pluginElement.subframeLoaderDidCreatePlugIn(*widget); renderer->setWidget(widget); m_containsPlugins = true; return true; } URL SubframeLoader::completeURL(const String& url) const { ASSERT(m_frame.document()); return m_frame.document()->completeURL(url); } } // namespace WebCore