Bug 140625 - Support mixed content blocking
Summary: Support mixed content blocking
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Enhancement
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on: 138127 140392 140940 142340 142342 142413 142469 171934 179049 179116 140621 140624 140793 140876 142341 142378 142387 142412 145717 145718
Blocks:
  Show dependency treegraph
 
Reported: 2015-01-19 10:38 PST by Michael Catanzaro
Modified: 2018-05-29 01:17 PDT (History)
9 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2015-01-19 10:38:33 PST
Tracker bug for mixed content blocking implementation
Comment 1 Michael Catanzaro 2015-03-06 15:08:34 PST
I will need to update all of the patches now that bug #142378 unexpectedly occurred. But that was a good step in the right direction, so I'll keep pushing forward:

* Bug #140621, mixed content frames, is now obsolete. I have closed that.

* Bug #142341, mixed content fonts, is also obsolete. I have closed it and opened a new bug to add tests.

* Bug #140940 is just for the layout tests. We should coordinate there to get the layout tests into a nice state. If you don't want any of my tests, we can close the bug, but we should probably add at least the ones that aren't redundant with yours, Oliver. We should probably also consider restoring the tests that detected but did not block content.

* Bug #140793, mixed XHR, is probably obsolete. I changed XHR to trigger the XHR's onerror handler when the XHR gets blocked, which the WIP mixed content spec strongly implied we should do, but it doesn't actually tell us to do it (it seems to presume that we're *already* doing it). I don't quite understand how your version works (where in the code does the XHR get blocked? I guess it gets handled by CachedResourceLoader and so no explicit handling of XHR is required!), but judging by your test it's working properly, and I can't properly explain my own expected results looking at them now (well I can, if the insecure load is blocked by CachedResourceLoader, that makes sense :). I've closed the bug.

* I still need a review in bug #138127, the page cache bug. That should be largely unaffected by your work, but we'll need to rethink the console warnings I add in that bug, and maybe the solution as well since I'm not entirely comfortable with marking the entire cached page as mixed content. Alternatives would be to not cache pages with mixed content, or remember each individual piece of mixed content for each page.

* Bug #140624, mixed content web sockets, is largely unaffected by these changes, asides from the function signature change. A preliminary review there would be great, since it depends on bug #140940 for the test directory layout.

* Bug #140392 exists for new GTK+ API, and also adds a new WebCore event to signal when content was blocked. I'll need to update that patch now, but a preliminary review here would also be super.

* The other bugs here don't have any patches yet.