Bug 165726 - On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed
Summary: On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Safari 10
Hardware: Mac OS X 10.11
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2016-12-10 09:00 PST by Paul Schreiber
Modified: 2017-02-26 17:07 PST
Description Paul Schreiber 2016-12-10 09:00:07 PST
In Safari 10.0.1 (11602.2.14.0.7), on HTTPS pages, .ts files loaded from insecure origins via XHR are allowed.

Chrome 55 and Firefox 50 block these, as expected.

Chrome:
The page at 'https://xyxxxxxx.com/features/new-video-player/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts'. This request has been blocked; the content must be served over HTTPS.

XMLHttpRequest cannot load http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts. Failed to start loading.
Comment 1 Paul Schreiber 2016-12-10 09:04:05 PST
Note:
https://www.ssllabs.com/ssltest/viewMyClient.html

The XHR test passes in Safari, but Safari doesn't actually block the request: it fails due to bad/missing CORS headers: ("XMLHttpRequest cannot load http://plaintext.ssllabs.com/plaintext/xhr.txt?t=1481389281271 due to access control checks.")
Comment 2 Mike West 2016-12-10 09:05:27 PST
CCing relevant folks. https://www.w3.org/TR/mixed-content/#category-blockable is the relevant bit of the spec.
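The following is an added illustration, not code from the bug or from WebKit: a minimal model of the Mixed Content "blockable" classification Comment 2 points to, applied to the case in the report (an HTTPS page issuing an XMLHttpRequest for an http:// .ts segment). The scheme list follows the spec's "a priori authenticated URL" definition; the loopback exemption is simplified to "localhost" and 127.0.0.1, and the hostnames in the sample are constructed.

```javascript
// Added example (not from the bug report or WebKit). Models the W3C Mixed
// Content check a browser must run *before* any network fetch; a blockable
// request never reaches the CORS stage, which is why Comment 1 treats a
// CORS failure as evidence the request was not actually blocked.

// Schemes the spec treats as a priori authenticated (TLS-protected or
// never leaving the user agent).
const AUTHENTICATED_SCHEMES = new Set(["https:", "wss:", "data:", "about:", "blob:", "file:"]);

// Destinations the spec classifies as "optionally-blockable" (a browser may
// load them with a warning). XHR and fetch are not in this set, so an
// insecure XHR from a secure page is always "blockable".
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

function isPotentiallyTrustworthy(url) {
  if (AUTHENTICATED_SCHEMES.has(url.protocol)) return true;
  // Assumption: loopback reduced to these two names for the example.
  return url.hostname === "localhost" || url.hostname === "127.0.0.1";
}

// Returns "allowed", "optionally-blockable" or "blockable".
function classifyRequest(pageUrl, requestUrl, destination) {
  const page = new URL(pageUrl);
  const request = new URL(requestUrl, page.href); // resolves relative URLs
  // A page that is not itself secure has no mixed-content restrictions.
  if (!isPotentiallyTrustworthy(page)) return "allowed";
  if (isPotentiallyTrustworthy(request)) return "allowed";
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// Constructed sample mirroring the report: HTTPS player page, HTTP HLS segment via XHR.
const verdict = classifyRequest(
  "https://player.example.test/features/new-video-player/",
  "http://media.example.test/hls/segment_00001.ts",
  "xhr"
);
console.log(verdict); // blockable
```

A site that cannot wait for the browser to enforce this can serve the segments over HTTPS or send `Content-Security-Policy: upgrade-insecure-requests`, which rewrites such http:// subresource requests to https:// before they are issued.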
Comment 3 Radar WebKit Bug Importer 2017-02-26 17:07:21 PST
<rdar://problem/30725477>