ASSIGNED Bug 218977
Don't treat data: URLs as mixed content
https://bugs.webkit.org/show_bug.cgi?id=218977
Frédéric Wang (:fredw)
Reported 2020-11-16 05:15:49 PST
From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

---------
a priori authenticated URL

We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

url is a potentially trustworthy URL [SECURE-CONTEXTS].
url’s scheme is "data".

Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.
---------

We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627. This bug is about the case when the scheme is "data".
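The quoted definition as a runnable check. This is an added example, not WebKit's code and not part of the attached patches. The function names and sample URLs are hypothetical, and isPotentiallyTrustworthy is a simplified stand-in (TLS schemes and loopback hosts only) for the Secure Contexts check.

```javascript
// Added illustration of the quoted "a priori authenticated URL" definition.
// All names are hypothetical; none of this is WebKit code.

// Assumption: simplified stand-in for the Secure Contexts check.
// It only recognises TLS schemes and loopback hosts.
function isPotentiallyTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127\.\d+\.\d+\.\d+$/.test(host) || host === '[::1]') return true;
  return false;
}

// The quoted rule: potentially trustworthy, OR the scheme is "data".
// data: is special-cased because it never reaches the network,
// not because it is considered trustworthy.
function isAPrioriAuthenticated(url) {
  return isPotentiallyTrustworthy(url) || url.protocol === 'data:';
}

// Classify subresource URLs requested by a page. Assumption: a page
// restricts mixed content when its own URL is potentially trustworthy.
function classifySubresources(pageUrl, subresourceUrls) {
  const page = new URL(pageUrl);
  const restricts = isPotentiallyTrustworthy(page);
  return subresourceUrls.map((raw) => {
    const url = new URL(raw, page); // resolves relative references
    return {
      url: raw,
      trustworthy: isPotentiallyTrustworthy(url),
      mixedContent: restricts && !isAPrioriAuthenticated(url),
    };
  });
}

// Constructed sample input.
const SAMPLE_PAGE = 'https://example.org/index.html';
const SAMPLE_SUBRESOURCES = [
  'https://cdn.example.org/app.js',
  'http://example.org/img/banner.png',
  'data:image/gif;base64,R0lGODlhAQABAAAAACw=',
  'http://127.0.0.1:8080/dev.js',
  '/img/logo.png',
];

for (const r of classifySubresources(SAMPLE_PAGE, SAMPLE_SUBRESOURCES)) {
  console.log(r.mixedContent ? 'MIXED' : 'ok   ', r.url);
}
```

The data: entry is reported as not trustworthy yet not mixed content, which is the distinction the spec note draws.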
Attachments
WIP Patch (860 bytes, patch)
2020-11-16 05:20 PST, Frédéric Wang (:fredw)
no flags
218623+218627+218977 for EWS (103.46 KB, patch)
2020-11-16 05:25 PST, Frédéric Wang (:fredw)
ews-feeder: commit-queue-
Frédéric Wang (:fredw)
Comment 1 2020-11-16 05:20:52 PST
Created attachment 414218 [details] WIP Patch
Frédéric Wang (:fredw)
Comment 2 2020-11-16 05:25:49 PST
Created attachment 414221 [details] 218623+218627+218977 for EWS
EWS Watchlist
Comment 3 2020-11-16 05:26:42 PST
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Radar WebKit Bug Importer
Comment 4 2020-12-17 14:13:08 PST