179049 – `<picture>` and `<img srcset>` ought to be treated as "blockable" mixed content.

NEW Bug 179049

`<picture>` and `<img srcset>` ought to be treated as "blockable" mixed content.

https://bugs.webkit.org/show_bug.cgi?id=179049

Summary `<picture>` and `<img srcset>` ought to be treated as "blockable" mixed content.

Mike West

Reported 2017-10-31 01:58:04 PDT

The Mixed Content spec carves out blockable subsets of `<img>` (step 4 of https://w3c.github.io/webappsec-mixed-content/#should-block-fetch) as a first step towards tightening mixed content restrictions more generally. WebKit currently treats these as optionally-blockable. See, for example, tests at https://w3c-test.org/mixed-content/picture-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html and https://w3c-test.org/mixed-content/imageset.https.sub.html, which Chrome and Firefox currently agree on.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2017-10-31 10:46:40 PDT

Ahmad Saleem

Comment 2 2023-06-29 15:15:48 PDT

Anne van Kesteren

Comment 3 2023-07-05 16:09:05 PDT

The requirement for `imageset` (which <picture> and <img srcset> both use) is here these days: https://w3c.github.io/webappsec-mixed-content/#upgrade-algorithm

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebCore Misc.

Assignee

Nobody

Reported

2017-10-31 01:58 PDT

Modified

2023-07-05 16:09 PDT History

CC List

6 users Show

URL

Keywords BrowserCompat, InRadar, WPTImpact

Depends on

Blocks

140625

Dependancies

tree graph