Bug 219396 - Remove mixed content blocking, deprecate insecure-content-detected signals, and automatically upgrade insecure requests
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords: DoNotImportToRadar
Depends on:
Blocks: 140625
Reported: 2020-12-01 06:19 PST by Michael Catanzaro
Modified: 2021-09-27 13:57 PDT

Description Michael Catanzaro 2020-12-01 06:19:47 PST
Nowadays, Chrome has started blocking all mixed content unconditionally (except form targets, but it will block those too very soon), per https://www.feistyduck.com/bulletproof-tls-newsletter/issue_70_chrome_developers_want_to_eliminate_mixed_content. If we were to implement that, then we could deprecate the insecure-content-detected WPE/GTK API signal and remove the API tests for it. The relevant internal APIs can be removed, and the corresponding Cocoa API can also be deprecated.

To make this work, we need to automatically rewrite insecure URLs to https:// (or wss://), and allow the content to fail to load if that doesn't work. An exception would be in place for loopback.

This will obsolete bug #142469 and some (but not all) of the other bugs blocking bug #140625. We just need to make sure all the various types of resource loads are properly upgraded.
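
Added example (not part of the bug report and not WebKit code): a sketch of the upgrade decision described above, using the WHATWG URL parser. The function names, the result shape, and the exact loopback definition (127.0.0.0/8, ::1, and localhost names) are assumptions made for illustration.

```javascript
// Illustration only; upgradeSubresource and isLoopbackHost are hypothetical names.
const SECURE_SCHEME = { "http:": "https:", "ws:": "wss:" };

// Assumed loopback definition: localhost names, 127.0.0.0/8, and ::1.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // URL.hostname keeps the brackets
  // The URL parser canonicalises IPv4 forms (e.g. 2130706433) to dotted quad,
  // so an anchored match covers 127.0.0.0/8 without matching
  // lookalike names such as 127.0.0.1.example.com.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Decide what to request for a subresource referenced by a page.
// There is no fallback: if the upgraded URL fails, the load simply fails.
function upgradeSubresource(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const target = new URL(resourceUrl, page); // resolves relative references
  const secure = SECURE_SCHEME[target.protocol];
  if (page.protocol !== "https:" || !secure) {
    return { url: target.href, action: "unchanged" };
  }
  if (isLoopbackHost(target.hostname)) {
    return { url: target.href, action: "loopback-exempt" };
  }
  target.protocol = secure; // a non-default port such as :8080 is preserved
  return { url: target.href, action: "upgraded" };
}

// Constructed sample inputs, all referenced from a secure page.
const samples = [
  "http://cdn.example.net/a.js",
  "ws://chat.example.net:8080/socket",
  "http://127.0.0.1:3000/api",
  "http://127.0.0.1.example.com/x",
  "/local/image.png",
];
for (const s of samples) {
  const r = upgradeSubresource("https://example.org/app", s);
  console.log(`${r.action.padEnd(16)} ${r.url}`);
}
```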
Comment 1 Michael Catanzaro 2021-09-27 13:57:41 PDT
There is a spec developing somewhat differently: https://w3c.github.io/webappsec-mixed-content/

We probably want to match the spec.