Merge branch 'block-mixed-content' of github.com:zcorpan/picturefill …

…into zcorpan-block-mixed-content
jcwcheng · Aug 20, 2014 · 9753bcf · 9753bcf
2 parents 16b37fb + a51d170
commit 9753bcf
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 12 deletions.
diff --git a/dist/picturefill.js b/dist/picturefill.js
@@ -1,4 +1,4 @@
-/*! Picturefill - v2.1.0 - 2014-07-25
+/*! Picturefill - v2.1.0 - 2014-08-12
 * http://scottjehl.github.io/picturefill
 * Copyright (c) 2014 https://github.com/scottjehl/picturefill/blob/master/Authors.txt; Licensed MIT */
 /*! matchMedia() polyfill - Test a CSS media type/query in JS. Authors & copyright (c) 2012: Scott Jehl, Paul Irish, Nicholas Zakas, David Knight. Dual MIT/BSD license */
@@ -85,6 +85,12 @@ window.matchMedia || (window.matchMedia = function() {
 		return str.endsWith ? str.endsWith( suffix ) : str.indexOf( suffix, str.length - suffix.length ) !== -1;
 	};
 
+	/**
+	 * Shortcut method for https://w3c.github.io/webappsec/specs/mixedcontent/#restricts-mixed-content ( for easy overriding in tests )
+	 */
+	pf.restrictsMixedContent = function() {
+		return w.location.protocol === "https:";
+	};
 	/**
 	 * Shortcut method for matchMedia ( for easy overriding in tests )
 	 */
@@ -394,10 +400,16 @@ window.matchMedia || (window.matchMedia = function() {
 		}
 
 		if ( bestCandidate && !pf.endsWith( picImg.src, bestCandidate.url ) ) {
-			picImg.src = bestCandidate.url;
-			// currentSrc attribute and property to match
-			// http://picture.responsiveimages.org/#the-img-element
-			picImg.currentSrc = picImg.src;
+			if ( pf.restrictsMixedContent() && bestCandidate.url.substr(0, "http:".length).toLowerCase() === "http:" ) {
+				if ( typeof console !== undefined ) {
+					console.warn( "Blocked mixed content image " + bestCandidate.url );
+				}
+			} else {
+				picImg.src = bestCandidate.url;
+				// currentSrc attribute and property to match
+				// http://picture.responsiveimages.org/#the-img-element
+				picImg.currentSrc = picImg.src;
+			}
 		}
 	};
 

diff --git a/dist/picturefill.min.js b/dist/picturefill.min.js
diff --git a/src/picturefill.js b/src/picturefill.js
@@ -36,6 +36,12 @@
 		return str.endsWith ? str.endsWith( suffix ) : str.indexOf( suffix, str.length - suffix.length ) !== -1;
 	};
 
+	/**
+	 * Shortcut method for https://w3c.github.io/webappsec/specs/mixedcontent/#restricts-mixed-content ( for easy overriding in tests )
+	 */
+	pf.restrictsMixedContent = function() {
+		return w.location.protocol === "https:";
+	};
 	/**
 	 * Shortcut method for matchMedia ( for easy overriding in tests )
 	 */
@@ -345,10 +351,16 @@
 		}
 
 		if ( bestCandidate && !pf.endsWith( picImg.src, bestCandidate.url ) ) {
-			picImg.src = bestCandidate.url;
-			// currentSrc attribute and property to match
-			// http://picture.responsiveimages.org/#the-img-element
-			picImg.currentSrc = picImg.src;
+			if ( pf.restrictsMixedContent() && bestCandidate.url.substr(0, "http:".length).toLowerCase() === "http:" ) {
+				if ( typeof console !== undefined ) {
+					console.warn( "Blocked mixed content image " + bestCandidate.url );
+				}
+			} else {
+				picImg.src = bestCandidate.url;
+				// currentSrc attribute and property to match
+				// http://picture.responsiveimages.org/#the-img-element
+				picImg.currentSrc = picImg.src;
+			}
 		}
 	};
 

diff --git a/tests/tests.js b/tests/tests.js
@@ -12,7 +12,8 @@
 		originalVideoShimMethod,
 		originalMatchesMedia,
 		originalProcessSourceSet,
-		originalGetWidthFromLength;
+		originalGetWidthFromLength,
+		originalRestrictsMixedContentMethod;
 
 	pf = picturefill._;
 
@@ -24,13 +25,15 @@
 			originalMatchesMedia = pf.matchesMedia;
 			originalProcessSourceSet = pf.processSourceSet;
 			originalGetWidthFromLength = pf.getWidthFromLength;
+			originalrestrictsMixedContentMethod = pf.restrictsMixedContent;
 		},
 
 		teardown: function() {
 			pf.getDpr = originalDprMethod;
 			pf.removeVideoShim = originalVideoShimMethod;
 			pf.matchesMedia = originalMatchesMedia;
 			pf.processSourceSet = originalProcessSourceSet;
+			pf.restrictsMixedContent = originalrestrictsMixedContentMethod;
 		}
 	});
 
@@ -542,4 +545,24 @@
 		try { picturefill({ reevaluate: false, elements: document.querySelector( ".no-src" ) }); } catch (e) { console.log( e ); ok( false ); }
 	});
 
+	test( "Mixed content should be blocked", function() {
+		pf.restrictsMixedContent = function() {
+			return true;
+		};
+		var image, candidates;
+
+		candidates = [
+			{ resolution: 1, url: "http://example.org/bar" },
+		];
+
+		image = {
+			src: "foo"
+		};
+
+		pf.applyBestCandidate( candidates, image );
+
+		equal( image.src, "foo" );
+
+	});
+
 })( window, jQuery );