NEW 165726
On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed
https://bugs.webkit.org/show_bug.cgi?id=165726
Paul Schreiber
Reported 2016-12-10 09:00:07 PST
In Safari 10.0.1 (11602.2.14.0.7), on HTTPS pages, .ts files loaded from insecure origins via XHR are allowed. Chrome 55 and Firefox 50 block these, as expected.

Chrome:
The page at 'https://xyxxxxxx.com/features/new-video-player/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts'. This request has been blocked; the content must be served over HTTPS.
XMLHttpRequest cannot load http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts. Failed to start loading.
Paul Schreiber
Comment 1 2016-12-10 09:04:05 PST
Note: https://www.ssllabs.com/ssltest/viewMyClient.html

The XHR test passes in Safari, but Safari doesn't actually block the request: it fails due to bad/missing CORS headers:
("XMLHttpRequest cannot load http://plaintext.ssllabs.com/plaintext/xhr.txt?t=1481389281271 due to access control checks.")
Mike West
Comment 2 2016-12-10 09:05:27 PST
CCing relevant folks. https://www.w3.org/TR/mixed-content/#category-blockable is the relevant bit of the spec.
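
Added example, not part of the bug thread or of WebKit's code: a simplified JavaScript sketch of the blockable / optionally-blockable split in the spec section linked in comment 2, showing why the reported .ts segment is blockable when fetched via XHR. The function names, the three-entry destination set and the loopback rule are assumptions that summarise the spec rather than implement it in full.

```javascript
// Simplified model of the W3C Mixed Content decision (assumption: a summary,
// not the full algorithm). Destinations follow the Fetch spec, where
// XMLHttpRequest and fetch() use the empty string "".
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Loopback hosts count as trustworthy even over plain HTTP.
function isLoopback(hostname) {
  return hostname === "localhost" || hostname === "[::1]" ||
         /^127(\.\d{1,3}){3}$/.test(hostname);
}

// True when the URL is delivered over an authenticated channel.
function isSecureUrl(url) {
  if (["https:", "wss:", "data:", "about:"].includes(url.protocol)) return true;
  return isLoopback(url.hostname);
}

// Returns "not-mixed", "allowed", "optionally-blockable" or "blockable".
function classifyRequest(pageUrl, requestUrl, destination) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return "not-mixed"; // page itself is not secure
  if (isSecureUrl(new URL(requestUrl, page))) return "allowed";
  // Passive media loaded by an element may be shown with a warning;
  // everything else, including XHR, must be blocked.
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// Audit a list of {url, destination} pairs seen on one page.
function auditPage(pageUrl, requests) {
  return requests.map((r) => ({ ...r, verdict: classifyRequest(pageUrl, r.url, r.destination) }));
}

// URLs below are the ones quoted in the report; destinations are constructed.
const PAGE = "https://xyxxxxxx.com/features/new-video-player/";
const SEGMENT = "http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts";

console.log(auditPage(PAGE, [
  { url: SEGMENT, destination: "" },      // XHR, as in the report
  { url: SEGMENT, destination: "video" }, // same URL as a <video> source
]));
```

The same insecure URL gets a different verdict depending on how it is requested, which is why a segment fetched by script falls under the blockable category that Chrome and Firefox enforce here.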
Radar WebKit Bug Importer
Comment 3 2017-02-26 17:07:21 PST