Bug 179049
| Summary: | `<picture>` and `<img srcset>` ought to be treated as "blockable" mixed content. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mike West <mkwst> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | ahmad.saleem792, annevk, bfulgham, dbates, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar, WPTImpact |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | |||
| Bug Blocks: | 140625 | ||
Mike West
The Mixed Content spec carves out blockable subsets of `<img>` (step 4 of https://w3c.github.io/webappsec-mixed-content/#should-block-fetch) as a first step towards tightening mixed content restrictions more generally. WebKit currently treats these as optionally-blockable.
See, for example, tests at https://w3c-test.org/mixed-content/picture-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html and https://w3c-test.org/mixed-content/imageset.https.sub.html, which Chrome and Firefox currently agree on.
Radar WebKit Bug Importer
<rdar://problem/35275253>
Ahmad Saleem
WPT - https://wpt.live/mixed-content/imageset.https.sub.html
I am unable to find the other one. Might be? https://wpt.fyi/results/mixed-content/gen/top.meta/unset/picture-tag.https.html?label=master&label=experimental&aligned=&q=picture
Anne van Kesteren
The requirement for `imageset` (which `<picture>` and `<img srcset>` both use) is here these days: https://w3c.github.io/webappsec-mixed-content/#upgrade-algorithm
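An added example, not part of the bug report or of WebKit's code: a small audit script that lists the `http:` image URLs in an HTTPS page's markup and labels each with the bug's own terms, "blockable" for `imageset` fetches (`<img srcset>`, anything inside `<picture>`) and "optionally-blockable" for a plain `<img src>`. The names `srcset_urls`, `MixedImageAudit` and `audit` and the sample hosts are hypothetical; it assumes an `<img>` inside `<picture>` counts as `imageset`, skips parenthesised descriptors, and does not special-case loopback or IP-address hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup; the hosts are placeholders.
SAMPLE = """<img src="http://cdn.example/a.png">
<img src="/ok.png" srcset="http://cdn.example/a-1x.png 1x, /a-2x.png 2x">
<picture><source srcset="http://cdn.example/b.webp"><img src="http://cdn.example/b.png"></picture>"""
TOKEN = re.compile(r"[\s,]*(\S*)")  # separators, then one whitespace-delimited token

def srcset_urls(value):
    """Return the URLs in a srcset value, dropping "2x"/"480w" descriptors."""
    urls, pos = [], 0
    while pos < len(value):
        m = TOKEN.match(value, pos)
        url, pos = m.group(1), m.end()
        if url.endswith(","):      # "a.png, b.png": the comma ends the candidate
            url = url.rstrip(",")
        else:                      # otherwise skip descriptors up to the next comma
            pos = (value + ",").find(",", pos)
        urls.append(url)
    return [u for u in urls if u]

class MixedImageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_picture, self.findings = page_url, 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "picture":
            self.in_picture += 1
        elif tag in ("img", "source"):
            # Assumption: <img> inside <picture> is an imageset fetch even without srcset.
            imageset = "srcset" in a or self.in_picture > 0
            urls = srcset_urls(a.get("srcset") or "")
            if tag == "img" and a.get("src"):
                urls.append(a["src"])
            for u in urls:
                full = urljoin(self.page_url, u)  # relative URLs inherit https:
                if urlsplit(full).scheme == "http":
                    kind = "blockable" if imageset else "optionally-blockable"
                    self.findings.append((tag, full, kind))

    def handle_endtag(self, tag):
        if tag == "picture" and self.in_picture:
            self.in_picture -= 1

def audit(html, page_url="https://site.example/"):
    parser = MixedImageAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Every "blockable" entry is an image that stops loading once an engine follows the behaviour requested here, so those URLs are the ones to move to HTTPS first.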