Bug 218977 - Don't treat data: URLs as mixed content
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on: 218623 218627
Blocks: 140625
Reported: 2020-11-16 05:15 PST by Frédéric Wang (:fredw)
Modified: 2020-12-17 14:13 PST

WIP Patch (860 bytes, patch)
2020-11-16 05:20 PST, Frédéric Wang (:fredw)
218623+218627+218977 for EWS (103.46 KB, patch)
2020-11-16 05:25 PST, Frédéric Wang (:fredw)
ews-feeder: commit-queue-

Description Frédéric Wang (:fredw) 2020-11-16 05:15:49 PST
From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

 a priori authenticated URL
    We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

        url is a potentially trustworthy URL [SECURE-CONTEXTS].

        url’s scheme is "data".

        Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.

We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627.

This bug is about the case when the scheme is "data".
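
The definition quoted in the description, as an added JavaScript sketch; it is not WebKit's implementation and not part of the original report. The function names and sample URLs are constructed for illustration, and the trustworthiness check is a simplified subset of [SECURE-CONTEXTS].

```javascript
// Added illustration, not WebKit code. All function names are hypothetical.
// Simplified subset of the "potentially trustworthy URL" check in
// [SECURE-CONTEXTS]; user-agent-specific trusted schemes are not modelled.
function isPotentiallyTrustworthy(url) {
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;
  // Non-special schemes have an opaque origin, serialized as "null".
  if (url.origin === "null") return false;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // The URL parser normalizes IPv4 hosts to dotted-quad form; 127.0.0.0/8 is loopback.
  if (/^127\.\d+\.\d+\.\d+$/.test(host)) return true;
  return host === "[::1]";
}

// "a priori authenticated URL" as quoted above: potentially trustworthy,
// or scheme "data" (special-cased because it never hits the network).
function isAPrioriAuthenticated(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // unparsable input is never treated as authenticated
  }
  if (url.protocol === "data:") return true;
  return isPotentiallyTrustworthy(url);
}

// Subresource URLs that a mixed-content check on a secure page would
// still have to examine, i.e. those that are not a priori authenticated.
function mixedContentCandidates(urls) {
  return urls.filter((u) => !isAPrioriAuthenticated(u));
}

// Constructed sample: subresources referenced by an HTTPS page.
const SAMPLE_URLS = [
  "https://cdn.example/app.js",
  "http://cdn.example/logo.png",
  "data:image/svg+xml,%3Csvg%2F%3E",
  "http://localhost:3000/dev.js",
  "ws://chat.example/socket",
];

console.log(mixedContentCandidates(SAMPLE_URLS));
```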
Comment 1 Frédéric Wang (:fredw) 2020-11-16 05:20:52 PST
Created attachment 414218
WIP Patch
Comment 2 Frédéric Wang (:fredw) 2020-11-16 05:25:49 PST
Created attachment 414221
218623+218627+218977 for EWS
Comment 3 EWS Watchlist 2020-11-16 05:26:42 PST
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 4 Radar WebKit Bug Importer 2020-12-17 14:13:08 PST