Bug 218977

Summary: Don't treat data: URLs as mixed content
Product: WebKit
Reporter: Frédéric Wang (:fredw) <fred.wang>
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: ASSIGNED
Severity: Normal
CC: beidson, cdumez, changseok, clopez, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, hi, japhet, jer.noble, mcatanzaro, mkwst, philipj, sergio, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/w3c/webappsec-mixed-content/issues/35
Bug Depends on: 218623, 218627    
Bug Blocks: 140625    
Attachments:
Description | Flags
WIP Patch | none
218623+218627+218977 for EWS | ews-feeder: commit-queue-

Frédéric Wang (:fredw)
Reported 2020-11-16 05:15:49 PST
From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

---------
a priori authenticated URL

We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

1. url is a potentially trustworthy URL [SECURE-CONTEXTS].
2. url’s scheme is "data".

Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.
---------

We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627. This bug is about the case when the scheme is "data".
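The definition quoted in the report above, written out as an added example that is not part of the bug report, the attached patches or WebKit's code. The function names are hypothetical, the "potentially trustworthy" test is a simplified subset of Secure Contexts (secure schemes and loopback hosts only), and treating only https: pages as restricting mixed content is an assumption.

```javascript
// Added illustration; function names are hypothetical, not WebKit's.
const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);

// Simplified subset of the Secure Contexts "potentially trustworthy"
// test (assumption): secure schemes and loopback hosts only.
function isPotentiallyTrustworthy(url) {
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  if (url.protocol !== "http:" && url.protocol !== "ws:") return false;
  const host = url.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "[::1]" || /^127(\.\d{1,3}){3}$/.test(host);
}

// The definition quoted in the report: potentially trustworthy, or scheme "data".
function isAPrioriAuthenticated(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // the parser lowercases the scheme ("DATA:" -> "data:")
  } catch (e) {
    return false; // unparseable input is never treated as authenticated
  }
  return isPotentiallyTrustworthy(url) || url.protocol === "data:";
}

// Simplification (assumption): only an https: page restricts mixed content.
function isMixedContent(pageUrl, resourceUrl) {
  if (new URL(pageUrl).protocol !== "https:") return false;
  return !isAPrioriAuthenticated(resourceUrl);
}

// Constructed sample subresources for a page at https://example.org/
const samples = [
  "https://cdn.example.com/app.js",
  "http://cdn.example.com/app.js",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
  "DATA:text/plain,hello",
  "http://127.0.0.1:8080/dev.js",
];
for (const u of samples) {
  console.log(isMixedContent("https://example.org/", u) ? "mixed" : "ok   ", u);
}
```

Comparing the parsed scheme instead of a string prefix is what makes the upper-case `DATA:` sample classify the same way as `data:`.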
Attachments
WIP Patch (860 bytes, patch)
2020-11-16 05:20 PST, Frédéric Wang (:fredw)
no flags
218623+218627+218977 for EWS (103.46 KB, patch)
2020-11-16 05:25 PST, Frédéric Wang (:fredw)
ews-feeder: commit-queue-
Frédéric Wang (:fredw)
Comment 1 2020-11-16 05:20:52 PST
Created attachment 414218: WIP Patch
Frédéric Wang (:fredw)
Comment 2 2020-11-16 05:25:49 PST
Created attachment 414221: 218623+218627+218977 for EWS
EWS Watchlist
Comment 3 2020-11-16 05:26:42 PST
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Radar WebKit Bug Importer
Comment 4 2020-12-17 14:13:08 PST