Add two new settings, allow_insecure_content and

allow_insecure_scripts, which, if WebKitWebSettings has the
enable-display-of-insecure-content and/or
enable-running-of-insecure-content properties, sets those to enable or
disable viewing or running of insecure content from secure websites.
Make these default to 0 in whitelist mode, and 1 otherwise.
* * *
Document in manpage.

5 files changed, 95 insertions, 1 deletions

diff --git a/settings.c b/settings.c
index cac7485..2537908 100644
--- a/settings.c
+++ b/settings.c
@@ -109,6 +109,8 @@ int		referer_mode = XT_DS_REFERER_MODE;
 char		*referer_custom = NULL;
 int		download_notifications = XT_DS_DOWNLOAD_NOTIFICATIONS;
 int		warn_cert_changes = 0;
+int		allow_insecure_content = XT_DS_ALLOW_INSECURE_CONTENT;
+int		allow_insecure_scripts = XT_DS_ALLOW_INSECURE_SCRIPTS;
 
 char		*cmd_font_name = NULL;	/* these are all set at startup */
 char		*oops_font_name = NULL;
@@ -199,6 +201,8 @@ int		set_userstyle_global(char *);
 int		set_external_editor(char *);
 int		set_xterm_workaround(char *);
 int		set_warn_cert_changes(char *);
+int		set_allow_insecure_content(char *);
+int		set_allow_insecure_scripts(char *);
 
 void		walk_mime_type(struct settings *, void (*)(struct settings *,
 		    char *, void *), void *);
@@ -456,6 +460,8 @@ struct settings		rs[] = {
 	{ "download_notifications",	XT_S_INT, 0,		&download_notifications, NULL, NULL, NULL, set_download_notifications },
 	{ "include_config",		XT_S_STR, 0, NULL,	&include_config, NULL, NULL, NULL },
 	{ "warn_cert_changes",		XT_S_INT, 0,		&warn_cert_changes, NULL, NULL, NULL, set_warn_cert_changes },
+	{ "allow_insecure_content",	XT_S_INT, 0,		&allow_insecure_content, NULL, NULL, NULL, set_allow_insecure_content },
+	{ "allow_insecure_scripts",	XT_S_INT, 0,		&allow_insecure_scripts, NULL, NULL, NULL, set_allow_insecure_scripts },
 
 	/* font settings */
 	{ "cmd_font",			XT_S_STR, 0, NULL, &cmd_font_name, NULL, NULL, set_cmd_font },
@@ -734,6 +740,8 @@ set_browser_mode(struct settings *s, char *val)
 		enable_js_whitelist = 1;
 		enable_localstorage = 0;
 		referer_mode = XT_REFERER_SAME_DOMAIN;
+		allow_insecure_content = 0;
+		allow_insecure_scripts = 0;
 	} else if (!strcmp(val, "normal")) {
 		browser_mode = XT_BM_NORMAL;
 		allow_volatile_cookies = 0;
@@ -749,6 +757,8 @@ set_browser_mode(struct settings *s, char *val)
 		enable_js_whitelist = 0;
 		enable_localstorage = 1;
 		referer_mode = XT_REFERER_ALWAYS;
+		allow_insecure_content = 1;
+		allow_insecure_scripts = 1;
 	} else if (!strcmp(val, "kiosk")) {
 		browser_mode = XT_BM_KIOSK;
 		allow_volatile_cookies = 0;
@@ -764,6 +774,8 @@ set_browser_mode(struct settings *s, char *val)
 		enable_js_whitelist = 0;
 		enable_localstorage = 1;
 		referer_mode = XT_REFERER_ALWAYS;
+		allow_insecure_content = 1;
+		allow_insecure_scripts = 1;
 		show_tabs = 0;
 		tabless = 1;
 	} else
@@ -1500,6 +1512,58 @@ walk_cmd_alias(struct settings *s,
 }
 
 int
+set_allow_insecure_content(char *value)
+{
+	struct tab		*t;
+	int			tmp;
+	const char		*errstr;
+
+	if (value == NULL || strlen(value) == 0)
+		allow_insecure_content = XT_DS_ALLOW_INSECURE_CONTENT;
+	else {
+		tmp = strtonum(value, 0, 1, &errstr);
+		if (errstr)
+			return (-1);
+		allow_insecure_content = tmp;
+	}
+	TAILQ_FOREACH(t, &tabs, entry)
+		if (is_g_object_setting(G_OBJECT(t->settings),
+		    "enable-display-of-insecure-content")) {
+			g_object_set(G_OBJECT(t->settings),
+			    "enable-display-of-insecure-content",
+			    allow_insecure_content, (char *)NULL);
+			webkit_web_view_set_settings(t->wv, t->settings);
+		}
+	return (0);
+}
+
+int
+set_allow_insecure_scripts(char *value)
+{
+	struct tab		*t;
+	int			tmp;
+	const char		*errstr;
+
+	if (value == NULL || strlen(value) == 0)
+		allow_insecure_scripts = XT_DS_ALLOW_INSECURE_SCRIPTS;
+	else {
+		tmp = strtonum(value, 0, 1, &errstr);
+		if (errstr)
+			return (-1);
+		allow_insecure_scripts = tmp;
+	}
+	TAILQ_FOREACH(t, &tabs, entry)
+		if (is_g_object_setting(G_OBJECT(t->settings),
+		    "enable-running-of-insecure-content")) {
+			g_object_set(G_OBJECT(t->settings),
+			    "enable-running-of-insecure-content",
+			    allow_insecure_scripts, (char *)NULL);
+			webkit_web_view_set_settings(t->wv, t->settings);
+		}
+	return (0);
+}
+
+int
 set_auto_load_images(char *value)
 {
 	struct tab		*t;
diff --git a/xombrero.1 b/xombrero.1
index 3c0e735..d5dbd0e 100644
--- a/xombrero.1
+++ b/xombrero.1
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 28 2012 $
+.Dd $Mdocdate: July 02 2012 $
 .Dt XOMBRERO 1
 .Os
 .Sh NAME
@@ -979,6 +979,15 @@ the alias on the address bar is substituted.
 For example, if g,http://www.google.com/search?q=%s is defined as an alias,
 then the URL http://www.google.com/search?q=foo is loaded when navigating to
 "g foo".
+.It Cm allow_insecure_content
+If set, all content referenced by a page will be loaded.
+If unset, encrypted pages will refuse to load content that is linked
+from an insecure location.
+.It Cm allow_insecure_scripts
+If set, all scripts referenced by a page will be loaded and run using
+the current javascript policy.
+If unset, encrypted pages will refuse to run scripts that are linked
+from an insecure location.
 .It Cm allow_volatile_cookies
 If set cookies are stored in the session cache but will be discarded once
 .Nm
@@ -1021,6 +1030,8 @@ items.
 If a domain does not appear in the whitelists
 .Nm
 disallows cookies, Java Script and plugin execution.
+If insecure web content or scripts are referenced by a secure website,
+they will be blocked from loading or running.
 .Pp
 In
 .Pa kiosk
diff --git a/xombrero.c b/xombrero.c
index 98c1b23..ab03aef 100644
--- a/xombrero.c
+++ b/xombrero.c
@@ -6664,6 +6664,16 @@ setup_webkit(struct tab *t)
 	    "full-content-zoom", TRUE, (char *)NULL);
 	g_object_set(G_OBJECT(t->settings),
 	    "auto-load-images", auto_load_images, (char *)NULL);
+	if (is_g_object_setting(G_OBJECT(t->settings),
+	    "enable-display-of-insecure-content"))
+		g_object_set(G_OBJECT(t->settings),
+		    "enable-display-of-insecure-content",
+		    allow_insecure_content, (char *)NULL);
+	if (is_g_object_setting(G_OBJECT(t->settings),
+	    "enable-running-of-insecure-content"))
+		g_object_set(G_OBJECT(t->settings),
+		    "enable-running-of-insecure-content",
+		    allow_insecure_scripts, (char *)NULL);
 
 	webkit_web_view_set_settings(t->wv, t->settings);
 }
diff --git a/xombrero.conf b/xombrero.conf
index c9b81a4..859e146 100644
--- a/xombrero.conf
+++ b/xombrero.conf
@@ -243,6 +243,8 @@
 # enable_localstorage		= 1
 # enable_plugins		= 1
 # enable_plugin_whitelist	= 0
+# allow_insecure_content	= 1
+# allow_insecure_scripts	= 1
 
 # The settings for "browser_mode = whitelist" are as follows:
 
@@ -258,6 +260,8 @@
 # enable_localstorage		= 0
 # enable_plugins		= 0
 # enable_plugin_whitelist	= 1
+# allow_insecure_content	= 0
+# allow_insecure_scripts	= 0
 
 
 ##
diff --git a/xombrero.h b/xombrero.h
index a1511e9..31b01bc 100644
--- a/xombrero.h
+++ b/xombrero.h
@@ -639,6 +639,8 @@ int		command_mode(struct tab *, struct karg *);
 #define XT_DS_OOPS_FONT_NAME	("monospace normal 9")
 #define XT_DS_STATUSBAR_FONT_NAME	("monospace normal 9")
 #define XT_DS_TABBAR_FONT_NAME	("monospace normal 9")
+#define XT_DS_ALLOW_INSECURE_CONTENT	(TRUE)
+#define XT_DS_ALLOW_INSECURE_SCRIPTS	(TRUE)
 
 
 /* actions */
@@ -728,6 +730,7 @@ struct tab	*get_current_tab(void);
 int		resizetab(struct tab *, struct karg *);
 int		cert_cmd(struct tab *, struct karg *);
 void		focus_webview(struct tab *);
+int		is_g_object_setting(GObject *, char *);
 
 #define		XT_DL_START	(0)
 #define		XT_DL_RESTART	(1)
@@ -814,6 +817,8 @@ extern char	*referer_custom;
 extern int	download_notifications;
 extern int	warn_cert_changes;
 extern regex_t	url_re;
+extern int	allow_insecure_content;
+extern int	allow_insecure_scripts;
 
 /* globals */
 extern void		(*os_init)(void);