Bug 165726

Summary: On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed
Product: WebKit Reporter: Paul Schreiber <paulschreiber>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, bfulgham, dbates, mkwst, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 10   
Hardware: Mac   
OS: OS X 10.11   

Paul Schreiber
Reported 2016-12-10 09:00:07 PST
In Safari 10.0.1 (11602.2.14.0.7), On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed. Chrome 55 and Firefox 50 block these, as expected. Chrome: The page at 'https://xyxxxxxx.com/features/new-video-player/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts'. This request has been blocked; the content must be served over HTTPS. XMLHttpRequest cannot load http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts. Failed to start loading.
Attachments
Add attachment proposed patch, testcase, etc.
Paul Schreiber
Comment 1 2016-12-10 09:04:05 PST
Note: https://www.ssllabs.com/ssltest/viewMyClient.html The XHR test passes in Safari, but Safari doesn't actually block the request: it fails due to bad/missing CORS headers: ("XMLHttpRequest cannot load http://plaintext.ssllabs.com/plaintext/xhr.txt?t=1481389281271 due to access control checks.")
Mike West
Comment 2 2016-12-10 09:05:27 PST
CCing relevant folks. https://www.w3.org/TR/mixed-content/#category-blockable is the relevant bit of the spec.
Radar WebKit Bug Importer
Comment 3 2017-02-26 17:07:21 PST
<rdar://problem/30725477>
Note You need to log in before you can comment on or make changes to this bug.