Block HTTP Auth prompt for same-domain but mixed content images

Bug: 774197
Change-Id: I244988d0653d9964ff31bade09316f541f5dc537
Reviewed-on: https://chromium-review.googlesource.com/728712
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Reviewed-by: Asanka Herath <asanka@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512335}

chrome/browser/ui/login/login_handler_browsertest.cc

@@ -754,6 +754,40 @@ IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest,
   EXPECT_EQ(1, observer.auth_needed_count());
 }
 
+// Block same domain image resource if the top level frame is HTTPS and the
+// image resource is HTTP.
+// E.g. Top level: https://example.com, Image resource: http://example.com/image
+IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest,
+                       BlockCrossdomainPromptForSubresourcesMixedContent) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  net::EmbeddedTestServer https_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  https_server.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+  https_server.ServeFilesFromSourceDirectory("chrome/test/data");
+  ASSERT_TRUE(https_server.Start());
+
+  content::WebContents* contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  NavigationController* controller = &contents->GetController();
+  LoginPromptBrowserTestObserver observer;
+  observer.Register(content::Source<NavigationController>(controller));
+
+  GURL image_url = embedded_test_server()->GetURL("/auth-basic/index.html");
+  GURL test_page = https_server.GetURL(
+      std::string("/login/load_img_from_same_domain_mixed_content.html?") +
+      image_url.spec());
+  GURL::Replacements replacements;
+  replacements.SetHostStr("a.com");
+  test_page = test_page.ReplaceComponents(replacements);
+  image_url = image_url.ReplaceComponents(replacements);
+
+  WindowedLoadStopObserver load_stop_waiter(controller, 1);
+  browser()->OpenURL(OpenURLParams(test_page, Referrer(),
+                                   WindowOpenDisposition::CURRENT_TAB,
+                                   ui::PAGE_TRANSITION_TYPED, false));
+  load_stop_waiter.Wait();
+  EXPECT_EQ(0, observer.auth_needed_count());
+}
+
 // Allow crossdomain iframe login prompting despite the above.
 IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest,
                        AllowCrossdomainPromptForSubframes) {

chrome/test/data/login/load_img_from_same_domain_mixed_content.html

@@ -0,0 +1,9 @@
+<html>
+<body>
+<img id="i">
+<script>
+  var url = window.location.search.substring(1);
+  document.getElementById("i").src = url;
+</script>
+</body>
+</html>

content/browser/loader/resource_dispatcher_host_impl.cc

@@ -88,6 +88,7 @@
 #include "content/public/browser/stream_info.h"
 #include "content/public/common/browser_side_navigation_policy.h"
 #include "content/public/common/content_features.h"
+#include "content/public/common/origin_util.h"
 #include "content/public/common/resource_request.h"
 #include "content/public/common/resource_request_body.h"
 #include "content/public/common/resource_request_completion_status.h"
@@ -2583,8 +2584,15 @@ ResourceDispatcherHostImpl::HttpAuthRelationTypeOf(
 
   if (net::registry_controlled_domains::SameDomainOrHost(
           first_party, request_url,
-          net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES))
+          net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
+    // If the first party is secure but the subresource is not, this is
+    // mixed-content. Do not allow the image.
+    if (!allow_cross_origin_auth_prompt() && IsOriginSecure(first_party) &&
+        !IsOriginSecure(request_url)) {
+      return HTTP_AUTH_RELATION_BLOCKED_CROSS;
+    }
     return HTTP_AUTH_RELATION_SAME_DOMAIN;
+  }
 
   if (allow_cross_origin_auth_prompt())
     return HTTP_AUTH_RELATION_ALLOWED_CROSS;