Bug 218977 - Don't treat data: URLs as mixed content
Status: ASSIGNED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 218623 218627
Blocks: 140625
Reported: 2020-11-16 05:15 PST by Frédéric Wang (:fredw)
Modified: 2020-12-17 14:13 PST

Attachments
WIP Patch (860 bytes, patch)
2020-11-16 05:20 PST, Frédéric Wang (:fredw)
no flags
218623+218627+218977 for EWS (103.46 KB, patch)
2020-11-16 05:25 PST, Frédéric Wang (:fredw)
ews-feeder: commit-queue-

Description Frédéric Wang (:fredw) 2020-11-16 05:15:49 PST
From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

---------
 a priori authenticated URL
    We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

        url is a potentially trustworthy URL [SECURE-CONTEXTS].

        url’s scheme is "data".

        Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.
---------

We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627.

This bug is about the case when the scheme is "data".
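
The quoted definition as a runnable check (an added example, not part of the bug report or of WebKit's code). The function names, the sample URLs and the simplified "potentially trustworthy" subset (scheme and loopback-host rules only) are assumptions made for illustration.

```javascript
// Simplified subset of "potentially trustworthy URL" from [SECURE-CONTEXTS].
// Assumption: only about:blank/about:srcdoc, secure schemes, file: and
// loopback hosts are modelled; user-agent-configured origins are ignored.
function isPotentiallyTrustworthy(url) {
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // WHATWG URL keeps the brackets
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// "a priori authenticated URL" as quoted above: potentially trustworthy,
// OR scheme "data". The data: branch is deliberately separate: such URLs
// are not treated as trustworthy, they just never hit the network.
function isAPrioriAuthenticated(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input fails closed
  }
  return isPotentiallyTrustworthy(url) || url.protocol === "data:";
}

// For a page in a secure context, return the subresource URLs that a
// mixed content check would still have to handle (upgrade or block).
function mixedContentCandidates(subresourceUrls) {
  return subresourceUrls.filter((u) => !isAPrioriAuthenticated(u));
}

// Constructed sample: subresources referenced by a hypothetical HTTPS page.
const SAMPLE_SUBRESOURCES = [
  "https://cdn.example.com/app.js",
  "data:image/png;base64,iVBORw0KGgo=",
  "http://cdn.example.com/legacy.css",
  "ws://example.com/socket",
  "http://127.0.0.1:8080/dev-hook",
  "about:blank",
];

console.log(mixedContentCandidates(SAMPLE_SUBRESOURCES));
```
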
Comment 1 Frédéric Wang (:fredw) 2020-11-16 05:20:52 PST
Created attachment 414218
WIP Patch
Comment 2 Frédéric Wang (:fredw) 2020-11-16 05:25:49 PST
Created attachment 414221
218623+218627+218977 for EWS
Comment 3 EWS Watchlist 2020-11-16 05:26:42 PST
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 4 Radar WebKit Bug Importer 2020-12-17 14:13:08 PST
<rdar://problem/72440600>