diff --git a/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java b/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java index 3fddb029577f8..efc827f29567e 100644 --- a/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java +++ b/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java @@ -123,8 +123,8 @@ public Boolean call() throws Exception { @Feature({"AndroidWebView"}) public void testGetPosition() throws Throwable { initAwContents(new GrantPermisionAwContentClient()); - loadDataSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), - RAW_HTML, "text/html", false); + loadDataWithBaseUrlSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), RAW_HTML, + "text/html", false, "https://google.com/", "about:blank"); mAwContents.evaluateJavaScriptForTests("initiate_getCurrentPosition();", null); @@ -151,8 +151,8 @@ public Boolean call() throws Exception { @Feature({"AndroidWebView"}) public void testWatchPosition() throws Throwable { initAwContents(new GrantPermisionAwContentClient()); - loadDataSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), - RAW_HTML, "text/html", false); + loadDataWithBaseUrlSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), RAW_HTML, + "text/html", false, "https://google.com/", "about:blank"); mAwContents.evaluateJavaScriptForTests("initiate_watchPosition();", null); @@ -169,8 +169,8 @@ public Boolean call() throws Exception { public void testPauseGeolocationOnPause() throws Throwable { initAwContents(new GrantPermisionAwContentClient()); // Start a watch going. - loadDataSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), - RAW_HTML, "text/html", false); + loadDataWithBaseUrlSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), RAW_HTML, + "text/html", false, "https://google.com/", "about:blank"); mAwContents.evaluateJavaScriptForTests("initiate_watchPosition();", null); 
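Review bot: None of the rewritten loads in this file (testGetPosition, testWatchPosition and testPauseGeolocationOnPause here, plus the three later hunks) exercises an insecure origin any more, although aw_settings.cc in this same commit keeps geolocation allowed on insecure origins for WebView. A test that pins that compatibility path would make it visible when the exception is removed or regresses. Whether `loadDataSync` content can still serve as that origin cannot be told from these hunks. The base URL literal is also repeated six times and would read better as one constant, e.g. `private static final String SECURE_BASE_URL = "https://google.com/";`, preferably a reserved test domain rather than a live site.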
@@ -228,8 +228,8 @@ public void run() { }); // Start a watch going. - loadDataSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), - RAW_HTML, "text/html", false); + loadDataWithBaseUrlSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), RAW_HTML, + "text/html", false, "https://google.com/", "about:blank"); mAwContents.evaluateJavaScriptForTests("initiate_watchPosition();", null); @@ -265,8 +265,8 @@ public void run() { } }); - loadDataSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), - RAW_HTML, "text/html", false); + loadDataWithBaseUrlSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), RAW_HTML, + "text/html", false, "https://google.com/", "about:blank"); getInstrumentation().runOnMainSync(new Runnable() { @Override @@ -282,8 +282,8 @@ public void run() { @SmallTest public void testDenyAccessByDefault() throws Throwable { initAwContents(new DefaultPermisionAwContentClient()); - loadDataSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), - RAW_HTML, "text/html", false); + loadDataWithBaseUrlSync(mAwContents, mContentsClient.getOnPageFinishedHelper(), RAW_HTML, + "text/html", false, "https://google.com/", "about:blank"); mAwContents.evaluateJavaScriptForTests("initiate_getCurrentPosition();", null); diff --git a/android_webview/native/aw_settings.cc b/android_webview/native/aw_settings.cc index a8dc571ca9850..3ba4ac533cdbb 100644 --- a/android_webview/native/aw_settings.cc +++ b/android_webview/native/aw_settings.cc @@ -433,6 +433,10 @@ void AwSettings::PopulateWebPreferencesLocked(JNIEnv* env, Java_AwSettings_getFullscreenSupportedLocked(env, obj); web_prefs->record_whole_document = Java_AwSettings_getRecordFullDocument(env, obj); + + // TODO(jww): This should be removed once sufficient warning has been given of + // possible API breakage because of disabling insecure use of geolocation. + web_prefs->allow_geolocation_on_insecure_origins = true; } static jlong Init(JNIEnv* env, 
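Review bot: The assignment added at the end of PopulateWebPreferencesLocked in aw_settings.cc is unconditional, so every WebView embedder keeps geolocation on insecure origins and none can opt into the stricter behaviour the rest of this commit enables. The TODO names no tracking bug or removal condition, which makes a security exception like this easy to leave in place indefinitely. I would at least write `// TODO(jww): <tracking-bug placeholder> Remove once WebView apps have been warned; until then geolocation stays allowed on insecure origins.` If a per-app signal such as the target SDK level is available here, gating the exception on it would narrow the exposure. The function body starts outside this hunk.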
diff --git a/chrome/browser/geolocation/geolocation_permission_context.cc b/chrome/browser/geolocation/geolocation_permission_context.cc index df58163836c72..a8db90b050dd8 100644 --- a/chrome/browser/geolocation/geolocation_permission_context.cc +++ b/chrome/browser/geolocation/geolocation_permission_context.cc @@ -89,5 +89,5 @@ void GeolocationPermissionContext::UpdateTabContext( } bool GeolocationPermissionContext::IsRestrictedToSecureOrigins() const { - return false; + return true; } diff --git a/chrome/browser/geolocation/geolocation_permission_context_unittest.cc b/chrome/browser/geolocation/geolocation_permission_context_unittest.cc index 3b2f58aac3de0..02e9dc504c3c4 100644 --- a/chrome/browser/geolocation/geolocation_permission_context_unittest.cc +++ b/chrome/browser/geolocation/geolocation_permission_context_unittest.cc @@ -385,7 +385,7 @@ base::string16 GeolocationPermissionContextTests::GetPromptText() { // Tests ---------------------------------------------------------------------- TEST_F(GeolocationPermissionContextTests, SinglePermissionBubble) { - GURL requesting_frame("http://www.example.com/geolocation"); + GURL requesting_frame("https://www.example.com/geolocation"); NavigateAndCommit(requesting_frame); BubbleManagerDocumentLoadCompleted(); 
@@ -395,9 +395,21 @@ TEST_F(GeolocationPermissionContextTests, SinglePermissionBubble) { ASSERT_EQ(1U, GetNumberOfPrompts()); } +TEST_F(GeolocationPermissionContextTests, + SinglePermissionBubbleFailsOnInsecureOrigin) { + GURL requesting_frame("http://www.example.com/geolocation"); + NavigateAndCommit(requesting_frame); + BubbleManagerDocumentLoadCompleted(); + + EXPECT_EQ(0U, GetNumberOfPrompts()); + RequestGeolocationPermission(web_contents(), RequestID(0), requesting_frame, + true); + ASSERT_EQ(0U, GetNumberOfPrompts()); +} + #if BUILDFLAG(ANDROID_JAVA_UI) TEST_F(GeolocationPermissionContextTests, SinglePermissionInfobar) { - GURL requesting_frame("http://www.example.com/geolocation"); + GURL requesting_frame("https://www.example.com/geolocation"); NavigateAndCommit(requesting_frame); EXPECT_EQ(0U, infobar_service()->infobar_count()); RequestGeolocationPermission( @@ -415,7 +427,7 @@ TEST_F(GeolocationPermissionContextTests, SinglePermissionInfobar) { // Infobar-only tests; Android doesn't support permission bubbles. TEST_F(GeolocationPermissionContextTests, GeolocationEnabledDisabled) { - GURL requesting_frame("http://www.example.com/geolocation"); + GURL requesting_frame("https://www.example.com/geolocation"); NavigateAndCommit(requesting_frame); MockLocationSettings::SetLocationStatus(true, true); EXPECT_EQ(0U, infobar_service()->infobar_count()); @@ -437,7 +449,7 @@ TEST_F(GeolocationPermissionContextTests, GeolocationEnabledDisabled) { } TEST_F(GeolocationPermissionContextTests, MasterEnabledGoogleAppsEnabled) { - GURL requesting_frame("http://www.example.com/geolocation"); + GURL requesting_frame("https://www.example.com/geolocation"); NavigateAndCommit(requesting_frame); MockLocationSettings::SetLocationStatus(true, true); EXPECT_EQ(0U, infobar_service()->infobar_count()); 
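Review bot: SinglePermissionBubbleFailsOnInsecureOrigin only asserts that no prompt is shown, so it never checks that the request was resolved as denied. A request that is silently dropped, left pending, or granted without a prompt would also pass with `ASSERT_EQ(0U, GetNumberOfPrompts())`. I would add an assertion on the outcome, for example using the `GetGeolocationContentSetting(requesting_frame, requesting_frame)` helper seen elsewhere in this file to check that no ALLOW was recorded, or checking the response the fixture captures if it records one. The test also sits outside the `#if BUILDFLAG(ANDROID_JAVA_UI)` block and has no infobar counterpart, so the Android UI path appears to have no insecure-origin coverage.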
@@ -453,7 +465,7 @@ TEST_F(GeolocationPermissionContextTests, MasterEnabledGoogleAppsEnabled) { } TEST_F(GeolocationPermissionContextTests, MasterEnabledGoogleAppsDisabled) { - GURL requesting_frame("http://www.example.com/geolocation"); + GURL requesting_frame("https://www.example.com/geolocation"); NavigateAndCommit(requesting_frame); MockLocationSettings::SetLocationStatus(true, false); EXPECT_EQ(0U, infobar_service()->infobar_count()); @@ -464,8 +476,8 @@ TEST_F(GeolocationPermissionContextTests, MasterEnabledGoogleAppsDisabled) { #endif TEST_F(GeolocationPermissionContextTests, QueuedPermission) { - GURL requesting_frame_0("http://www.example.com/geolocation"); - GURL requesting_frame_1("http://www.example-2.com/geolocation"); + GURL requesting_frame_0("https://www.example.com/geolocation"); + GURL requesting_frame_1("https://www.example-2.com/geolocation"); EXPECT_EQ( CONTENT_SETTING_ASK, GetGeolocationContentSetting(requesting_frame_0, requesting_frame_1)); @@ -530,8 +542,8 @@ TEST_F(GeolocationPermissionContextTests, QueuedPermission) { } TEST_F(GeolocationPermissionContextTests, HashIsIgnored) { - GURL url_a("http://www.example.com/geolocation#a"); - GURL url_b("http://www.example.com/geolocation#b"); + GURL url_a("https://www.example.com/geolocation#a"); + GURL url_b("https://www.example.com/geolocation#b"); // Navigate to the first url. NavigateAndCommit(url_a); @@ -597,8 +609,8 @@ TEST_F(GeolocationPermissionContextTests, MAYBE_PermissionForFileScheme) { } TEST_F(GeolocationPermissionContextTests, CancelGeolocationPermissionRequest) { - GURL frame_0("http://www.example.com/geolocation"); - GURL frame_1("http://www.example-2.com/geolocation"); + GURL frame_0("https://www.example.com/geolocation"); + GURL frame_1("https://www.example-2.com/geolocation"); EXPECT_EQ( CONTENT_SETTING_ASK, GetGeolocationContentSetting(frame_0, frame_0)); EXPECT_EQ( 
@@ -662,8 +674,8 @@ TEST_F(GeolocationPermissionContextTests, InvalidURL) { } TEST_F(GeolocationPermissionContextTests, SameOriginMultipleTabs) { - GURL url_a("http://www.example.com/geolocation"); - GURL url_b("http://www.example-2.com/geolocation"); + GURL url_a("https://www.example.com/geolocation"); + GURL url_b("https://www.example-2.com/geolocation"); NavigateAndCommit(url_a); // Tab A0 AddNewTab(url_b); // Tab B (extra_tabs_[0]) AddNewTab(url_a); // Tab A1 (extra_tabs_[1]) @@ -723,8 +735,8 @@ TEST_F(GeolocationPermissionContextTests, SameOriginMultipleTabs) { } TEST_F(GeolocationPermissionContextTests, QueuedOriginMultipleTabs) { - GURL url_a("http://www.example.com/geolocation"); - GURL url_b("http://www.example-2.com/geolocation"); + GURL url_a("https://www.example.com/geolocation"); + GURL url_b("https://www.example-2.com/geolocation"); NavigateAndCommit(url_a); // Tab A0. AddNewTab(url_a); // Tab A1. #if !BUILDFLAG(ANDROID_JAVA_UI) @@ -798,8 +810,8 @@ TEST_F(GeolocationPermissionContextTests, QueuedOriginMultipleTabs) { } TEST_F(GeolocationPermissionContextTests, TabDestroyed) { - GURL requesting_frame_0("http://www.example.com/geolocation"); - GURL requesting_frame_1("http://www.example-2.com/geolocation"); + GURL requesting_frame_0("https://www.example.com/geolocation"); + GURL requesting_frame_1("https://www.example-2.com/geolocation"); EXPECT_EQ( CONTENT_SETTING_ASK, GetGeolocationContentSetting(requesting_frame_0, requesting_frame_0)); @@ -837,7 +849,7 @@ TEST_F(GeolocationPermissionContextTests, TabDestroyed) { } TEST_F(GeolocationPermissionContextTests, LastUsageAudited) { - GURL requesting_frame("http://www.example.com/geolocation"); + GURL requesting_frame("https://www.example.com/geolocation"); NavigateAndCommit(requesting_frame); BubbleManagerDocumentLoadCompleted(); 
@@ -889,8 +901,8 @@ TEST_F(GeolocationPermissionContextTests, LastUsageAuditedMultipleFrames) { HostContentSettingsMapFactory::GetForProfile(profile()); map->SetPrefClockForTesting(scoped_ptr(test_clock)); - GURL requesting_frame_0("http://www.example.com/geolocation"); - GURL requesting_frame_1("http://www.example-2.com/geolocation"); + GURL requesting_frame_0("https://www.example.com/geolocation"); + GURL requesting_frame_1("https://www.example-2.com/geolocation"); // The permission shouldn't have been used yet. EXPECT_EQ(map->GetLastUsage(requesting_frame_0.GetOrigin(), diff --git a/content/public/common/common_param_traits_macros.h b/content/public/common/common_param_traits_macros.h index a9811c4688d61..45a95165857a5 100644 --- a/content/public/common/common_param_traits_macros.h +++ b/content/public/common/common_param_traits_macros.h @@ -168,6 +168,7 @@ IPC_STRUCT_TRAITS_BEGIN(content::WebPreferences) IPC_STRUCT_TRAITS_MEMBER(disable_reading_from_canvas) IPC_STRUCT_TRAITS_MEMBER(strict_mixed_content_checking) IPC_STRUCT_TRAITS_MEMBER(strict_powerful_feature_restrictions) + IPC_STRUCT_TRAITS_MEMBER(allow_geolocation_on_insecure_origins) IPC_STRUCT_TRAITS_MEMBER(strictly_block_blockable_mixed_content) IPC_STRUCT_TRAITS_MEMBER(block_mixed_plugin_content) IPC_STRUCT_TRAITS_MEMBER(enable_scroll_animator) diff --git a/content/public/common/content_switches.cc b/content/public/common/content_switches.cc index b7d4010e1c5d3..53a14c2707296 100644 --- a/content/public/common/content_switches.cc +++ b/content/public/common/content_switches.cc 
@@ -456,8 +456,8 @@ const char kEnableStatsTable[] = "enable-stats-table"; const char kEnableStrictMixedContentChecking[] = "enable-strict-mixed-content-checking"; -// Blocks insecure usage of number of powerful features (geolocation, for -// example) that we haven't yet deprecated for the web at large. +// Blocks insecure usage of a number of powerful features (device orientation, +// for example) that we haven't yet deprecated for the web at large. const char kEnableStrictPowerfulFeatureRestrictions[] = "enable-strict-powerful-feature-restrictions"; diff --git a/content/public/common/web_preferences.cc b/content/public/common/web_preferences.cc index 4a83a707f37d8..62af1cedfbc42 100644 --- a/content/public/common/web_preferences.cc +++ b/content/public/common/web_preferences.cc @@ -123,6 +123,7 @@ WebPreferences::WebPreferences() disable_reading_from_canvas(false), strict_mixed_content_checking(false), strict_powerful_feature_restrictions(false), + allow_geolocation_on_insecure_origins(false), strictly_block_blockable_mixed_content(false), block_mixed_plugin_content(false), password_echo_enabled(false), diff --git a/content/public/common/web_preferences.h b/content/public/common/web_preferences.h index de5a3c5419fd4..7d6ca7dc72d3b 100644 --- a/content/public/common/web_preferences.h +++ b/content/public/common/web_preferences.h 
@@ -135,9 +135,11 @@ struct CONTENT_EXPORT WebPreferences { // requested (thereby preventing user override). bool strict_mixed_content_checking; // Strict powerful feature restrictions block insecure usage of powerful - // features (like geolocation) that we haven't yet disabled for the web at - // large. + // features (like device orientation) that we haven't yet disabled for the web + // at large. bool strict_powerful_feature_restrictions; + // TODO(jww): Remove when WebView no longer needs this exception. + bool allow_geolocation_on_insecure_origins; // Disallow user opt-in for blockable mixed content. bool strictly_block_blockable_mixed_content; bool block_mixed_plugin_content; diff --git a/content/renderer/render_view_impl.cc b/content/renderer/render_view_impl.cc index 8e6b887898ab8..f5f66e04b6f36 100644 --- a/content/renderer/render_view_impl.cc +++ b/content/renderer/render_view_impl.cc @@ -1004,6 +1004,8 @@ void RenderView::ApplyWebPreferences(const WebPreferences& prefs, settings->setStrictPowerfulFeatureRestrictions( prefs.strict_powerful_feature_restrictions); + settings->setAllowGeolocationOnInsecureOrigins( + prefs.allow_geolocation_on_insecure_origins); settings->setPasswordEchoEnabled(prefs.password_echo_enabled); settings->setShouldPrintBackgrounds(prefs.should_print_backgrounds); settings->setShouldClearDocumentBackground( diff --git a/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt index 0df2fb89e8bfd..856190af94cd3 100644 --- a/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt +++ b/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt 
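Review bot: The comment on `allow_geolocation_on_insecure_origins` in web_preferences.h says only when to remove the field, not what it does, unlike the neighbouring fields which each describe their effect. Because this flag relaxes a security restriction, the comment should state the effect, the default and the intended sole user. Something like `// Lets geolocation requests proceed on insecure origins. Defaults to false;` followed by `// only Android WebView sets it. TODO(jww): Remove when WebView no longer needs it.` would match what the constructor and aw_settings.cc do in this commit.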
@@ -1,14 +1,14 @@ -CONSOLE WARNING: getCurrentPosition() and watchPosition() are deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details. CONSOLE WARNING: The devicemotion event is deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details. CONSOLE WARNING: The deviceorientation event is deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details. +CONSOLE WARNING: getCurrentPosition() and watchPosition() are deprecated on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details. CONSOLE WARNING: getUserMedia() no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details. CONSOLE WARNING: requestMediaKeySystemAccess() is deprecated on insecure origins in the specification. Support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details. This is a testharness.js-based test. -PASS getCurrentPosition -PASS watchPosition PASS device motion PASS device orientation PASS requestMediaKeySystemAccess +PASS getCurrentPosition +PASS watchPosition PASS navigator.webkitGetUserMedia PASS navigator.mediaDevices.getUserMedia Harness: the test ran to completion. 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html b/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html index d6f795161da9a..e210885375af2 100644 --- a/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html +++ b/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html 
@@ -29,48 +29,17 @@ // Tests for APIs that are deprecated, but still allowed, on // insecure origins - async_test(function() { - navigator.geolocation.getCurrentPosition( - this.step_func(function() { - this.done(); - }), - this.step_func(function(error) { - assert_unreached('getCurrentPosition should succeed, but failed.'); - this.done(); - })); - }, 'getCurrentPosition'); - - // Note that the deprecation message for watchPosition() will be supressed - // because it is an exact duplicate of the getCurrentPosition() message. - // Thus, this test is really to confirm that it still executes. - async_test(function() { - navigator.geolocation.watchPosition( - this.step_func(function() { - this.done(); - }), - this.step_func(function(error) { - assert_unreached('watchPosition should succeed, but failed.'); - this.done(); - })); - }, 'watchPosition'); - async_test(function() { testRunner.setMockDeviceMotion(true, 0, true, 0, true, 0, true, 0, true, 0, true, 0, true, 0, true, 0, true, 0, 0); - - window.addEventListener('devicemotion', this.step_func(function() { - this.done(); - })); + window.addEventListener('devicemotion', this.step_func_done()); }, 'device motion'); async_test(function() { testRunner.setMockDeviceOrientation(11.1, 22.2, 33.3, true); - - window.addEventListener('deviceorientation', this.step_func(function() { - this.done(); - })); + window.addEventListener('deviceorientation', this.step_func_done()); }, 'device orientation'); promise_test(function(test) { 
@@ -78,6 +47,21 @@ }, 'requestMediaKeySystemAccess'); // Tests for APIs that have been turned off on insecure origins + async_test(function() { + navigator.geolocation.getCurrentPosition( + this.unreached_func('getCurrentPosition should fail, but succeeded.'), + this.step_func_done()); + }, 'getCurrentPosition'); + + // Note that the deprecation message for watchPosition() will be suppressed + // because it is an exact duplicate of the getCurrentPosition() message. + // Thus, this test is really to confirm that it still executes (and fails). + async_test(function() { + navigator.geolocation.watchPosition( + this.unreached_func('watchPosition should fail, but succeeded.'), + this.step_func_done()); + }, 'watchPosition'); + async_test(function() { navigator.webkitGetUserMedia({ audio: true, video: true }, this.unreached_func('navigator.webkitGetUserMedia should call the error callback, but called the success callback instead.'), diff --git a/third_party/WebKit/Source/core/frame/Settings.in b/third_party/WebKit/Source/core/frame/Settings.in index d78914934edeb..c62afe0a61673 100644 --- a/third_party/WebKit/Source/core/frame/Settings.in +++ b/third_party/WebKit/Source/core/frame/Settings.in @@ -332,6 +332,7 @@ strictMixedContentChecking initial=false strictMixedContentCheckingForPlugin initial=false strictPowerfulFeatureRestrictions initial=false strictlyBlockBlockableMixedContent initial=false +allowGeolocationOnInsecureOrigins initial=false logDnsPrefetchAndPreconnect initial=false logPreload initial=false diff --git a/third_party/WebKit/Source/core/frame/UseCounter.cpp b/third_party/WebKit/Source/core/frame/UseCounter.cpp index 640c8109986dd..17b3d3639ed04 100644 --- a/third_party/WebKit/Source/core/frame/UseCounter.cpp +++ b/third_party/WebKit/Source/core/frame/UseCounter.cpp 
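Review bot: The two geolocation tests added here pass on any error callback, because `this.step_func_done()` is given no assertion. A failure unrelated to the secure-origin check, such as a missing mock position or a permission denial, would therefore look the same as the intended rejection. I would check the code the renderer sets in this commit: `this.step_func_done(function(error) { assert_equals(error.code, error.POSITION_UNAVAILABLE); })`. The same applies to both getCurrentPosition and watchPosition.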
@@ -899,7 +899,11 @@ String UseCounter::deprecationMessage(Feature feature) return "The deviceorientationabsolute event is deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."; case GeolocationInsecureOrigin: - return "getCurrentPosition() and watchPosition() are deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."; + // TODO(jww): This message should be made less ambigous after WebView + // is fixed so geolocation can be removed there. After that, this + // should be updated to read similarly to GetUserMediaInsecureOrigin's + // message. + return "getCurrentPosition() and watchPosition() are deprecated on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."; case GetUserMediaInsecureOrigin: return "getUserMedia() no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."; diff --git a/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp b/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp index a4c056a99843c..c39dc507b8c19 100644 --- a/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp +++ b/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp @@ -168,8 +168,6 @@ void Geolocation::getCurrentPosition(PositionCallback* successCallback, Position if (!frame()) return; - recordOriginTypeAccess(); - GeoNotifier* notifier = GeoNotifier::create(this, successCallback, errorCallback, options); startRequest(notifier); 
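Review bot: The new TODO in the GeolocationInsecureOrigin case of UseCounter.cpp misspells "ambiguous" as "ambigous" and gives no tracking reference for the WebView follow-up it depends on. The first line should read `// TODO(jww): This message should be made less ambiguous after WebView`, with a bug link added to it. Until that follow-up lands, the console text still says the calls "are deprecated", even though this commit makes them fail outside WebView. A short comment saying that the wording is deliberately shared between the blocked and the still-allowed case would save the next reader from treating it as an oversight. deprecationMessage starts and ends outside this hunk.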
@@ -181,8 +179,6 @@ int Geolocation::watchPosition(PositionCallback* successCallback, PositionErrorC if (!frame()) return 0; - recordOriginTypeAccess(); - GeoNotifier* notifier = GeoNotifier::create(this, successCallback, errorCallback, options); startRequest(notifier); @@ -196,12 +192,11 @@ int Geolocation::watchPosition(PositionCallback* successCallback, PositionErrorC void Geolocation::startRequest(GeoNotifier *notifier) { - if (frame()->settings()->strictPowerfulFeatureRestrictions()) { - String errorMessage; - if (!executionContext()->isSecureContext(errorMessage)) { - notifier->setFatalError(PositionError::create(PositionError::POSITION_UNAVAILABLE, errorMessage)); - return; - } + recordOriginTypeAccess(); + String errorMessage; + if (!frame()->settings()->allowGeolocationOnInsecureOrigins() && !executionContext()->isSecureContext(errorMessage)) { + notifier->setFatalError(PositionError::create(PositionError::POSITION_UNAVAILABLE, errorMessage)); + return; } if (RuntimeEnabledFeatures::restrictIFramePermissionsEnabled()) { diff --git a/third_party/WebKit/Source/web/WebSettingsImpl.cpp b/third_party/WebKit/Source/web/WebSettingsImpl.cpp index 9259522e70db1..252512323161f 100644 --- a/third_party/WebKit/Source/web/WebSettingsImpl.cpp +++ b/third_party/WebKit/Source/web/WebSettingsImpl.cpp @@ -458,6 +458,11 @@ void WebSettingsImpl::setAllowFileAccessFromFileURLs(bool allow) m_settings->setAllowFileAccessFromFileURLs(allow); } +void WebSettingsImpl::setAllowGeolocationOnInsecureOrigins(bool allow) +{ + m_settings->setAllowGeolocationOnInsecureOrigins(allow); +} + void WebSettingsImpl::setThreadedScrollingEnabled(bool enabled) { m_settings->setThreadedScrollingEnabled(enabled); diff --git a/third_party/WebKit/Source/web/WebSettingsImpl.h b/third_party/WebKit/Source/web/WebSettingsImpl.h index 9c6f1617e2fec..1f6aca83a642e 100644 --- a/third_party/WebKit/Source/web/WebSettingsImpl.h +++ b/third_party/WebKit/Source/web/WebSettingsImpl.h 
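Review bot: In startRequest the insecure-context rejection is reported as `PositionError::POSITION_UNAVAILABLE`, and since this commit makes the check the default that code becomes what every insecure page sees. Pages may treat POSITION_UNAVAILABLE as a transient positioning failure and retry, whereas this is a policy refusal. Consider whether `PositionError::PERMISSION_DENIED` describes it better, and update the layout test expectations to match if so. A one-line comment above the condition, such as `// Only WebView sets allowGeolocationOnInsecureOrigins; all other embedders reject insecure contexts here.`, would also make the exception easier to audit. startRequest continues past the end of this hunk, so other callers and the effect of moving `recordOriginTypeAccess()` into it cannot be judged from here.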
@@ -58,6 +58,7 @@ class WebSettingsImpl final : public WebSettings { void setAllowDisplayOfInsecureContent(bool) override; void setAllowFileAccessFromFileURLs(bool) override; void setAllowCustomScrollbarInMainFrame(bool) override; + void setAllowGeolocationOnInsecureOrigins(bool) override; void setAllowRunningOfInsecureContent(bool) override; void setAllowScriptsToCloseWindows(bool) override; void setAllowUniversalAccessFromFileURLs(bool) override; diff --git a/third_party/WebKit/public/web/WebSettings.h b/third_party/WebKit/public/web/WebSettings.h index e9114aa5e71d5..efea84d6cd0e6 100644 --- a/third_party/WebKit/public/web/WebSettings.h +++ b/third_party/WebKit/public/web/WebSettings.h @@ -110,6 +110,7 @@ class WebSettings { virtual void setAllowDisplayOfInsecureContent(bool) = 0; virtual void setAllowFileAccessFromFileURLs(bool) = 0; virtual void setAllowCustomScrollbarInMainFrame(bool) = 0; + virtual void setAllowGeolocationOnInsecureOrigins(bool) = 0; // If set to true, allows frames with an https origin to run active // contents at an insecure URL. This includes WebSockets. Otherwise, // disallows it. The FrameLoaderClient set to the frame may override the