Bug 140621 - Frames should be treated as active mixed content
Summary: Frames should be treated as active mixed content
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Enhancement
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks: 140625 140940
  Show dependency treegraph
 
Reported: 2015-01-19 10:11 PST by Michael Catanzaro
Modified: 2015-03-28 18:00 PDT (History)
7 users (show)

See Also:

Attachments
Patch (7.93 KB, patch)
2015-01-19 10:21 PST, Michael Catanzaro 		no flags Details | Formatted Diff | Diff
Patch (7.90 KB, patch)
2015-02-01 10:47 PST, Michael Catanzaro 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2015-01-19 10:11:52 PST 
Frames should be treated as active mixed content. When the top frame (other browsers check the parent frame) is loaded via HTTPS and a subframe is loaded via HTTP, a mixed content callback should be triggered to allow browsers to warn the user or block the content. It's true that the insecure frame cannot modify the contents of the secure frame, but it should not be possible for a substantial portion of the page to be loaded with no security despite the presence of a browser security indicator.

Chrome, Firefox, and Internet Explorer all block mixed content frames by default [1].

[1] https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl
Comment 1 Michael Catanzaro 2015-01-19 10:21:28 PST 
Created attachment 244905 [details]
Patch
Comment 2 Michael Catanzaro 2015-02-01 10:47:54 PST 
Created attachment 245835 [details]
Patch
Comment 3 Michael Catanzaro 2015-03-06 14:38:37 PST 
This is fixed by r181134. I'm not going to file a bug for the minor behavioral difference because our way is easier :)