Bug 179049 - `<picture>` and `<img srcset>` ought to be treated as "blockable" mixed content.
Summary: `<picture>` and `<img srcset>` ought to be treated as "blockable" mixed content.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Blocks: 140625
  Show dependency treegraph
Reported: 2017-10-31 01:58 PDT by Mike West
Modified: 2018-05-28 08:15 PDT (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2017-10-31 01:58:04 PDT
The Mixed Content spec carves out blockable subsets of `<img>` (step 4 of https://w3c.github.io/webappsec-mixed-content/#should-block-fetch) as a first step towards tightening mixed content restrictions more generally. WebKit currently treats these as optionally-blockable.

See, for example, tests at https://w3c-test.org/mixed-content/picture-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html and https://w3c-test.org/mixed-content/imageset.https.sub.html, which Chrome and Firefox currently agree on.
Comment 1 Radar WebKit Bug Importer 2017-10-31 10:46:40 PDT