Bug 258711

Summary: make-https rule doesn't cause hasOnlySecureContent to be true
Product: WebKit Reporter: meacer
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: achristensen, bfulgham, meacer, m_finkel, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 17   
Hardware: Unspecified   
OS: Unspecified   

Description meacer 2023-06-29 22:32:42 PDT 
If a content blocking rule with `make-https` upgrades a subresource from http:// to https://, webkit still reports `hasOnlySecureContent=false` even if the page never loads any http:// resource.

Here is a sample app (the whole repo should be buildable): https://github.com/meacer/swift-ios-wkwebview-demo-make-https/blob/master/wkwebview/ViewController.swift

In this app, line 63 will print `hasOnlySecureContent: false` even though the image subresource is loaded over https.

(We recently implemented mixed content upgrading in Chromium on iOS using a make-https content rule, and this bug is preventing us from showing the correct page security state in the omnibox.)
Comment 1 Radar WebKit Bug Importer 2023-07-06 22:33:17 PDT 
<rdar://problem/111889557>