Bug 140392 - [GTK] Add API to control mixed-content blocking
Summary: [GTK] Add API to control mixed-content blocking
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Enhancement
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks: 140625
  Show dependency treegraph
 
Reported: 2015-01-13 08:47 PST by Michael Catanzaro
Modified: 2017-03-11 10:48 PST (History)
7 users (show)

See Also:


Attachments
Patch (52.51 KB, patch)
2015-01-13 09:08 PST, Michael Catanzaro
cgarcia: review-
cgarcia: commit-queue-
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2015-01-13 08:47:17 PST
Browsers should be able to block mixed content. For Epiphany, I want all active mixed content to be blocked. Privacy-focused browsers need to block passive mixed content as well (but we can't do this in Epiphany as it would break too many sites), so this needs to be a browser-controlled setting.

Major browsers notify users when they block mixed content, and allow the user to reload the page with mixed content unblocked. I've never needed to do this to make a site work, so I wonder if we can get away with not providing this functionality in Epiphany, but our API should make this possible since I'm not aware of any browser that blocks mixed content without allowing the user to load it anyway.
Comment 1 Michael Catanzaro 2015-01-13 08:57:09 PST
One note: this patch sets the default insecure content policy to WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_SOME. This is the setting most apps want to use, but it means that WebKitWebView:insecure-content-event could be emitted with WEBKIT_INSECURE_CONTENT_BLOCKED, which existing apps might not handle correctly (e.g. if they assert if the enum value is unrecognized, or check if it's one of the original two values and assume it's the other if not). Therefore we should consider either defaulting to WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_ALL instead (in which case the new value would never be emitted), or addding a new signal WebKitWebView:insecure-content-blocked.
Comment 2 Michael Catanzaro 2015-01-13 09:08:56 PST
Created attachment 244520 [details]
Patch
Comment 3 Michael Catanzaro 2015-01-13 21:19:20 PST
Generating webkit2gtk documentation...
/home/slave/WebKit/Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.h:121: warning: Value descriptions for WebKitInsecureContentPolicy are missing in source code comment block.
/home/slave/WebKit/Source/WebKit2/UIProcess/API/gtk/WebKitWebView.h:150: warning: Value described in source code comment block but does not exist. ENUM: WebKitInsecureContentEvent Value: WEBKIT_INSECURE_CONTENT_BLOCKED.
/home/slave/WebKit/Source/WebKit2/UIProcess/API/gtk/WebKitWebView.h:150: warning: Value description for WebKitInsecureContentEvent::WEBKIT_INSECURE_CONTENT_BLOCKED is missing in source code comment block.

^ I guess I need to talk to the gtkdoc people, as I can't figure out why it doesn't see the documentation.
Comment 4 Michael Catanzaro 2015-01-13 21:22:54 PST
Actually I have a guess: the bots need clean builds after r178103 to get rid of their tmpl directories.
Comment 5 Carlos Garcia Campos 2015-03-07 01:25:05 PST
Comment on attachment 244520 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=244520&action=review

I think this patch could be split in two, one with the cross-platform changes including layout tests (and maybe even API tests as well) and then the GTK+ API one. That will make it easier for WebKit2 owners to review the cross-platform code, and for GTK+ reviewers the GTK+ part. I haven't looked at it in detail, so I have just a few general comments/questions.

> Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.cpp:944
> + * Since: 2.8

All Since tags should be 2.10 now.

> Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.cpp:956
> +    for (WebKitWebView* webView : context->priv->webViews.values())
> +        webkitWebViewSetPageInsecureContentPolicy(webView, policy);

If this is actually a per page thing why not adding the API to the WebView? or even as a setting, so that you can share the policy with multiple web views.

> Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.h:112
> + * @WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_SOME: Block some mixed content. Some
> + *   mixed content will be permitted to preserve compatibility with web sites.
> + *   For example, insecure images, audio, video, and forms are currently
> + *   permitted. The set of permitted insecure content is subject to change.

Is this still true? or are only images allowed. We should probably say here that insecure-content-detected will be called for the allowed as a mode of warning.

> Source/WebKit2/UIProcess/API/gtk/WebKitWebView.cpp:2496
> +void webkit_web_view_reload_with_insecure_content(WebKitWebView* webView)
> +{
> +    g_return_if_fail(WEBKIT_IS_WEB_VIEW(webView));
> +
> +    webkitWebViewSetPageInsecureContentPolicy(webView, WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_ALL);
> +    webkit_web_view_reload(webView);

I'm not sure about this, I think it would be easier if the app does this. Change the setting/policy, and the reload.

> Source/WebKit2/UIProcess/WebPageProxy.cpp:5363
> +void WebPageProxy::allowDisplayOfInsecureContent(bool allowed)
> +{
> +    if (!isValid())
> +        return;
> +
> +    process().send(Messages::WebPage::AllowDisplayOfInsecureContent(allowed), m_pageID);
> +}
> +
> +void WebPageProxy::allowRunningOfInsecureContent(bool allowed)
> +{
> +    if (!isValid())
> +        return;
> +
> +    process().send(Messages::WebPage::AllowRunningOfInsecureContent(allowed), m_pageID);

I think it would be quite common to call both methods. Maybe we could use a single message allowInsecureContent with flags as parameter.

> Source/WebKit2/WebProcess/WebPage/WebPage.cpp:2664
> +void WebPage::allowDisplayOfInsecureContent(bool allowed)
> +{
> +    m_page->settings().setAllowDisplayOfInsecureContent(allowed);
> +}
> +
> +void WebPage::allowRunningOfInsecureContent(bool allowed)
> +{
> +    m_page->settings().setAllowRunningOfInsecureContent(allowed);
> +}

Since they are indeed settings, why not exposing them as settings? I think everythihng will be easier.
Comment 6 Michael Catanzaro 2015-03-08 18:54:41 PDT
(In reply to comment #5)
> I think this patch could be split in two, one with the cross-platform
> changes including layout tests (and maybe even API tests as well) and then
> the GTK+ API one. 

The cross-platform changes here are (a) new load event didBlockInsecureContent and (b) control of the existing WebCore insecure content settings from WK2. Neither of that can be tested with layout tests; they need API tests. (Using a setting from a layout test requires a completely different code path.) I don't want to write cross-platform API tests since they would not be easy to write (HTTP server required: I want libsoup for that!).

But see bug #140940 for related layout tests.

> If this is actually a per page thing why not adding the API to the WebView?
> or even as a setting, so that you can share the policy with multiple web
> views.

I think allowing this setting to be changed for each webview would be unnecessary complexity in the API. We only need to expose one global policy that affects all web views. The only reason to expose it as a per-webview setting would be if the application could change the setting for the web view after the load is committed but before loading begins: that way we don't have API to allow changing insecure content settings per host. But I'm not sure if that's how WebKit works or not: when the load-event signal is fired in the UI process, is the web process waiting patiently for the browser to handle that signal before it starts loading, or is it already loading things? If it's already loading things then I don't think the browser would have any use for a per-webview setting. But if it's waiting patiently, then that would be a great idea.

I can't remember for sure what my reason for not using normal settings was. I think it was because I was brand new when I wrote most of this and didn't know what I was doing, but maybe I had a good reason I forgot. Probably it was that I did not want an important security feature to be hidden as a setting, and at the time I was thinking that we would not want to change the default behavior since it would be an incompatible change. Anyway I will try removing the API from WebKitWebContent and changing it to use settings and then see what breaks.

> Is this still true? or are only images allowed. We should probably say here
> that insecure-content-detected will be called for the allowed as a mode of
> warning.

I think it's still true. At least, it needs to be still true. :) I think we would break too many sites if we block videos or forms. My tests in bug #140940 will catch a change regarding videos. I'm not sure what we do for forms, that's bug #142342.
 
> I'm not sure about this, I think it would be easier if the app does this.
> Change the setting/policy, and the reload.

Eh... I'm not sure about this API either. What we really want is a way to whitelist specific hosts.

> I think it would be quite common to call both methods. Maybe we could use a
> single message allowInsecureContent with flags as parameter.

Let's wait for bug #142469 (yes another bug!) before deciding how to handle this. Those settings have poor names, and I need to be on the same page as Apple on what the semantics of them should be.
Comment 7 Carlos Garcia Campos 2015-03-09 00:10:07 PDT
(In reply to comment #6)
> (In reply to comment #5)
> > I think this patch could be split in two, one with the cross-platform
> > changes including layout tests (and maybe even API tests as well) and then
> > the GTK+ API one. 
> 
> The cross-platform changes here are (a) new load event
> didBlockInsecureContent and (b) control of the existing WebCore insecure
> content settings from WK2. Neither of that can be tested with layout tests;

why not?

> they need API tests. (Using a setting from a layout test requires a
> completely different code path.) I don't want to write cross-platform API
> tests since they would not be easy to write (HTTP server required: I want
> libsoup for that!).

Right, that's why I said *maybe* an API test.

> But see bug #140940 for related layout tests.

So, they are layout tests for this then, I'm confused.
Comment 8 Michael Catanzaro 2015-03-09 07:55:00 PDT
> why not?

Well to test the didBlockInsecureContent event we would need to hook into that event somehow: that requires an API test. Same for exposing the didRunInsecureContent and didDisplayInsecureContent events, which already existed in WebCore but are new to WK2. And we can't test WK2 things with layout tests anyway, since they need to work for WK1.

> So, they are layout tests for this then, I'm confused.

They are "related" layout tests, to make sure blocking insecure content works properly, but they don't actually test any of the functionality added in this patch. WebCore already supports mixed content blocking as did WK1. It's only new functionality for WK2.
Comment 9 Michael Catanzaro 2015-03-13 10:00:28 PDT
(In reply to comment #6)
> I can't remember for sure what my reason for not using normal settings was.
> I think it was because I was brand new when I wrote most of this and didn't
> know what I was doing, but maybe I had a good reason I forgot. 

Well I guess I still did not know what I was doing, because up until today I assumed WebKitSettings were applied to the WebKitWebContext, not the WebKitWebView. As they're per-view settings I think we can use WebKitSettings just fine. That simplifies things considerably.