Bug 218795

Summary: Layout test imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-inscope.https.html and fetch-mixed-content-to-outscope.https.html failing
Product: WebKit
Reporter: Frédéric Wang (:fredw) <fred.wang>
Component: Tools / Tests
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: fran, mcatanzaro, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 127676, 218623
Bug Blocks: 140625, 171934

Frédéric Wang (:fredw)
Reported 2020-11-11 01:59:39 PST
After bug 218623,

imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-inscope.https.html
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-outscope.https.html

are failing. They do a complicated nesting of resource loading which arrives at service-workers/service-worker/resources/fetch-mixed-content-iframe-inscope-to-*html which loads

http://127.0.0.1:8800(...)fetch-access-control.py?PNGIMAGE"
./dummy?url=http://127.0.0.1:8800(...)fetch-access-control.py?PNGIMAGE"

as images. The test expects page load to fail but that's no longer the case with loopback IP addresses treated as secure.

The corresponding tests at wpt.live

https://wpt.live/service-workers/service-worker/fetch-mixed-content-to-inscope.https.html
https://wpt.live/service-workers/service-worker/fetch-mixed-content-to-outscop.https.html

still pass, since they don't use loopback IP addresses. So maybe it's a problem in our test infra as suggested in bug 218623 comment 9.

An alternative would be to force TrustworthyLoopbackIPAddressesEnabled to be disabled during these tests, so that these PNG images are not treated as secure, but I was not able to do that even by adding a

<!-- webkit-test-runner [ TrustworthyLoopbackIPAddressesEnabled=false ] -->

header in the various HTML files involved in these tests.
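The behaviour described in comment 0, as an added example that is not part of the original report and is not WebKit's code: a simplified model of how treating loopback IP addresses as secure changes the mixed content decision for an http image embedded in an https document. The function names, the `trustworthyLoopback` parameter (standing in for TrustworthyLoopbackIPAddressesEnabled) and the sample URLs are assumptions made for the illustration.

```javascript
// Added illustration: a simplified model, not WebKit code.

// True for IPv4 literals in 127.0.0.0/8 and for the IPv6 loopback ::1.
function isLoopbackIP(hostname) {
  if (hostname === "[::1]") return true; // URL.hostname keeps the brackets
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (m === null) return false;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

// Simplified "potentially trustworthy" check. `trustworthyLoopback` is a
// hypothetical parameter modelling TrustworthyLoopbackIPAddressesEnabled.
function isPotentiallyTrustworthy(url, trustworthyLoopback) {
  const { protocol, hostname } = new URL(url);
  if (protocol === "https:" || protocol === "wss:") return true;
  return trustworthyLoopback && isLoopbackIP(hostname);
}

// Simplified mixed content decision: a subresource is blocked when the
// embedding document is https and the resource is not potentially trustworthy.
function isBlockedAsMixedContent(documentURL, resourceURL, trustworthyLoopback) {
  const documentIsSecure = new URL(documentURL).protocol === "https:";
  return documentIsSecure && !isPotentiallyTrustworthy(resourceURL, trustworthyLoopback);
}

// Constructed URLs: the report elides the real paths, and the https port is
// an assumption.
const SAMPLES = {
  localDocument: "https://127.0.0.1:9443/test.https.html",
  localImage: "http://127.0.0.1:8800/image.png",
  hostedDocument: "https://wpt.live/test.https.html",
  hostedImage: "http://wpt.live/image.png",
};

// Is the image blocked in each configuration?
function summarize() {
  const { localDocument, localImage, hostedDocument, hostedImage } = SAMPLES;
  return {
    localLoopbackTrusted: isBlockedAsMixedContent(localDocument, localImage, true),
    localLoopbackUntrusted: isBlockedAsMixedContent(localDocument, localImage, false),
    hostedLoopbackTrusted: isBlockedAsMixedContent(hostedDocument, hostedImage, true),
  };
}

console.log(summarize());
```

Only the local runner with loopback addresses trusted lets the image load, which is the configuration in which the tests stop seeing the expected failure.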
Michael Catanzaro
Comment 1 2020-11-16 06:56:27 PST
(In reply to Frédéric Wang (:fredw) from comment #0)
> An alternative would be to force TrustworthyLoopbackIPAddressesEnabled to be
> disabled during these tests, so that these PNG images are not treated as
> secure, but I was not able to do that even by adding a
>
> <!-- webkit-test-runner [ TrustworthyLoopbackIPAddressesEnabled=false ] -->
>
> header in the various HTML files involved in these tests.

Uh... maybe that indicates that the ServiceWorker code is missing mixed content checks where required? That seems much more likely than a problem with the preferences, right?
Frédéric Wang (:fredw)
Comment 2 2020-11-17 03:40:01 PST
(In reply to Michael Catanzaro from comment #1)
> (In reply to Frédéric Wang (:fredw) from comment #0)
> > An alternative would be to force TrustworthyLoopbackIPAddressesEnabled to be
> > disabled during these tests, so that these PNG images are not treated as
> > secure, but I was not able to do that even by adding a
> >
> > <!-- webkit-test-runner [ TrustworthyLoopbackIPAddressesEnabled=false ] -->
> >
> > header in the various HTML files involved in these tests.
>
> Uh... maybe that indicates that the ServiceWorker code is missing mixed
> content checks where required? That seems much more likely than a problem
> with the preferences, right?

Yes, that makes sense. I guess we'll need to investigate this a bit more...
Radar WebKit Bug Importer
Comment 3 2020-11-18 02:00:35 PST