From a7790b655ca0f298aee29cf15d094ed2ef805a4f Mon Sep 17 00:00:00 2001
From: corvid
Date: Fri, 3 Jul 2015 22:43:11 +0000
Subject: let's disallow mixed content
---
 src/capi.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)
(limited to 'src/capi.c')
diff --git a/src/capi.c b/src/capi.c
index 8c4a1ae2..11761687 100644
--- a/src/capi.c
+++ b/src/capi.c
@@ -339,6 +339,34 @@ static void Capi_dpi_send_source(BrowserWindow *bw, DilloUrl *url)
 dFree(cmd);
 }
 
+/*
+ * Shall we permit this request to open a URL?
+ */
+static bool_t Capi_request_permitted(DilloWeb *web)
+{
+ bool_t permit = FALSE;
+
+ /* web->requester is NULL if the action is initiated by user */
+ if (!web->requester)
+ return TRUE;
+
+ if (!dStrAsciiCasecmp(URL_SCHEME(web->requester), "https")) {
+ const char *s = URL_SCHEME(web->url);
+
+ if (dStrAsciiCasecmp(s, "https") && dStrAsciiCasecmp(s, "data")) {
+ MSG("capi: Blocked mixed content: %s -> %s\n",
+ URL_STR(web->requester), URL_STR(web->url));
+ return FALSE;
+ }
+ }
+
+ if (a_Capi_get_flags(web->url) & CAPI_IsCached ||
+ a_Domain_permit(web->requester, web->url)) {
+ permit = TRUE;
+ }
+ return permit;
+}
+
 /*
 * Most used function for requesting a URL.
 * TODO: clean up the ad-hoc bindings with an API that allows dynamic
@@ -355,11 +383,7 @@ int a_Capi_open_url(DilloWeb *web, CA_Callback_t Call, void *CbData)
 const char *scheme = URL_SCHEME(web->url);
 int safe = 0, ret = 0, use_cache = 0;
 
- /* web->requester is NULL if the action is initiated by user */
- if (a_Capi_get_flags(web->url) & CAPI_IsCached ||
- web->requester == NULL ||
- a_Domain_permit(web->requester, web->url)) {
-
+ if (Capi_request_permitted(web)) {
 /* reload test */
 reload = (!(a_Capi_get_flags(web->url) & CAPI_IsCached) ||
 (URL_FLAGS(web->url) & URL_E2EQuery));
--
cgit v1.2.3
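Review bot: The header comment on Capi_request_permitted ("Shall we permit this request to open a URL?") does not state the policy the body enforces, and the ordering of its checks is security-relevant: the scheme comparison runs before the `CAPI_IsCached` shortcut, so a cached plaintext resource can no longer bypass the check the way the removed condition in the second hunk let it bypass a_Domain_permit(). The comment should spell out the three outcomes in order — a NULL requester (user action) is always permitted; an https requester may only fetch https or data: URLs, and anything else is refused before the cache shortcut; otherwise a cached URL or a_Domain_permit() decides — so a later edit does not reorder them. It is also worth noting in that comment that only the immediate requester's scheme is consulted, since an http requester is trusted wholesale. As a point of style, `a_Capi_get_flags(web->url) & CAPI_IsCached || a_Domain_permit(...)` relies on `&` binding tighter than `||` and trips -Wparentheses; `(a_Capi_get_flags(web->url) & CAPI_IsCached) || a_Domain_permit(web->requester, web->url)` reads unambiguously, and with the early returns above it the `permit` local can be dropped in favour of `return (...) ? TRUE : FALSE;`.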