Bug 250418

Summary:	Secure Contexts: Documents whose environment has a data: top-level creation URL are not considered a secure context.
Product:	WebKit	Reporter:	Ryan Reno <rreno>
Component:	DOM	Assignee:	Ryan Reno <rreno>
Status:	NEW
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified
See Also:	https://bugs.webkit.org/show_bug.cgi?id=11885

Ryan Reno

Reported 2023-01-10 15:26:53 PST

data:text/html,<h1>Hello World!</h1> window.isSecureContext returns false. My reading of https://html.spec.whatwg.org/multipage/webappapis.html#secure-contexts says we should get a result of "Potentially Trustworthy" which should imply a secure context (step 2 of the linked algorithm).

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-01-10 15:27:04 PST

<rdar://problem/104096486>

Ryan Reno

Comment 2 2023-01-10 16:18:04 PST

We are intentionally treating data URLs as opaque origins. https://bugs.webkit.org/show_bug.cgi?id=11885

Ryan Reno

Comment 3 2023-01-11 18:05:57 PST

Pull request: https://github.com/WebKit/WebKit/pull/8556

Note You need to log in before you can comment on or make changes to this bug.