Bug 218795 - Layout test imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-inscope.https.html and fetch-mixed-content-to-outscope.https.html failing
Summary: Layout test imported/w3c/web-platform-tests/service-workers/service-worker/fe...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 127676 218623
Blocks: 140625 171934
  Show dependency treegraph
 
Reported: 2020-11-11 01:59 PST by Frédéric Wang (:fredw)
Modified: 2020-11-20 03:06 PST (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Frédéric Wang (:fredw) 2020-11-11 01:59:39 PST 
After bug 218623,

imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-inscope.https.html
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-outscope.https.html 

are failing. They do a complicate nesting of resource loading which arrives at service-workers/service-worker/resources/fetch-mixed-content-iframe-inscope-to-*html which loads

   http://127.0.0.1:8800(...)fetch-access-control.py?PNGIMAGE" 
  ./dummy?url=http://127.0.0.1:8800(...)fetch-access-control.py?PNGIMAGE" 

as images. The test expects page load to fail but that's no longer the case with loopback IP addresses treated as secure. 

The corresponding tests at wpt.live

https://wpt.live/service-workers/service-worker/fetch-mixed-content-to-inscope.https.html
https://wpt.live/service-workers/service-worker/fetch-mixed-content-to-outscop.https.html

still pass, since they don't use loopback IP addresses. So maybe it's a problem in our test infra as suggested in bug 218623 comment 9.

An alternative would be to force TrustworthyLoopbackIPAddressesEnabled to be disabled during these tests, so that these PNG images are not treated as secure, but I was not able to do that even by adding a

<!-- webkit-test-runner [ TrustworthyLoopbackIPAddressesEnabled=false ] -->

header in the various HTML files involved in these tests.
Comment 1 Michael Catanzaro 2020-11-16 06:56:27 PST 
(In reply to Frédéric Wang (:fredw) from comment #0)
> An alternative would be to force TrustworthyLoopbackIPAddressesEnabled to be
> disabled during these tests, so that these PNG images are not treated as
> secure, but I was not able to do that even by adding a
> 
> <!-- webkit-test-runner [ TrustworthyLoopbackIPAddressesEnabled=false ] -->
> 
> header in the various HTML files involved in these tests.

Uh... maybe that indicates that the ServiceWorker code is missing mixed content checks where required? That seems much more likely than a problem with the preferences, right?
Comment 2 Frédéric Wang (:fredw) 2020-11-17 03:40:01 PST 
(In reply to Michael Catanzaro from comment #1)
> (In reply to Frédéric Wang (:fredw) from comment #0)
> > An alternative would be to force TrustworthyLoopbackIPAddressesEnabled to be
> > disabled during these tests, so that these PNG images are not treated as
> > secure, but I was not able to do that even by adding a
> > 
> > <!-- webkit-test-runner [ TrustworthyLoopbackIPAddressesEnabled=false ] -->
> > 
> > header in the various HTML files involved in these tests.
> 
> Uh... maybe that indicates that the ServiceWorker code is missing mixed
> content checks where required? That seems much more likely than a problem
> with the preferences, right?

Yes, that makes sense. I guess we'll need to investigate this a bit more...
Comment 3 Radar WebKit Bug Importer 2020-11-18 02:00:35 PST 
<rdar://problem/71529894>