Bug 165438

Summary: Implement Strict Mixed Content Checking
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: aestes, ap, bfulgham, buildbot, cdumez, commit-queue, esprehn+autocc, japhet, kangil.han, mkwst, rniwa, sam, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar, WebExposed
Version: WebKit Local Build
Hardware: All
OS: All
Attachments (description, flags):
Patch and layout tests (flags: none)
Archive of layout-test-results from ews101 for mac-yosemite (flags: none)
Archive of layout-test-results from ews112 for mac-yosemite (flags: none)
Archive of layout-test-results from ews125 for ios-simulator-wk2 (flags: none)
Patch and layout tests (flags: none)
Patch and layout tests (flags: none)
Patch and layout tests (flags: bfulgham: review+)

Description Daniel Bates 2016-12-05 16:50:55 PST
We should implement strict mixed content checking as per <https://www.w3.org/TR/2016/CR-mixed-content-20160802/#strict-checking> (2 August 2016).
Comment 1 Daniel Bates 2016-12-05 16:51:55 PST
<rdar://problem/26103867>
Comment 2 Daniel Bates 2016-12-05 17:13:32 PST
Created attachment 296225 [details]
Patch and layout tests
Comment 3 Build Bot 2016-12-05 18:18:07 PST
Comment on attachment 296225 [details]
Patch and layout tests

Attachment 296225 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2630361

New failing tests:
http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
Comment 4 Build Bot 2016-12-05 18:18:11 PST
Created attachment 296238 [details]
Archive of layout-test-results from ews101 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 5 Build Bot 2016-12-05 18:30:30 PST
Comment on attachment 296225 [details]
Patch and layout tests

Attachment 296225 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2630418

New failing tests:
http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
Comment 6 Build Bot 2016-12-05 18:30:33 PST
Created attachment 296241 [details]
Archive of layout-test-results from ews112 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 7 Build Bot 2016-12-05 21:15:56 PST
Comment on attachment 296225 [details]
Patch and layout tests

Attachment 296225 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/2631455

New failing tests:
http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
Comment 8 Build Bot 2016-12-05 21:16:01 PST
Created attachment 296262 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 9 Daniel Bates 2016-12-06 09:06:25 PST
Created attachment 296292 [details]
Patch and layout tests
Comment 10 Daniel Bates 2016-12-06 15:45:43 PST
Created attachment 296337 [details]
Patch and layout tests

Updated patch to apply strict mixed content checking to XSLT transformed documents and added a test.
Comment 11 Daniel Bates 2016-12-06 15:48:28 PST
Created attachment 296339 [details]
Patch and layout tests

Unskip test insecure-plugin-in-main-frame.html when running in WebKitTestRunner as bug #165410 was fixed.
Comment 12 Brent Fulgham 2016-12-08 09:29:52 PST
Comment on attachment 296339 [details]
Patch and layout tests

Looks great! r=me.
Comment 13 Andy Estes 2016-12-08 15:45:14 PST
Comment on attachment 296339 [details]
Patch and layout tests

View in context: https://bugs.webkit.org/attachment.cgi?id=296339&action=review

> Source/WebCore/dom/SecurityContext.h:84
> +    bool isStrictMixedContentMode() { return m_isStrictMixedContentMode; }

Can this be const-qualified?
Comment 14 Daniel Bates 2016-12-08 15:50:35 PST
(In reply to comment #13)
> Comment on attachment 296339 [details]
> Patch and layout tests
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=296339&action=review
> 
> > Source/WebCore/dom/SecurityContext.h:84
> > +    bool isStrictMixedContentMode() { return m_isStrictMixedContentMode; }
> 
> Can this be const-qualified?

Will fix before landing.
Comment 15 Daniel Bates 2016-12-08 15:54:49 PST
Committed r209577: <http://trac.webkit.org/changeset/209577>