Bug 247197 - Upgrade requests in mixed content settings
Summary: Upgrade requests in mixed content settings
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Matthew Finkel
URL:
Keywords: InRadar
Depends on:
Blocks: 140625 219396
Reported: 2022-10-28 08:08 PDT by Matthew Finkel
Modified: 2024-02-12 12:21 PST
Description Matthew Finkel 2022-10-28 08:08:31 PDT
Upgrading inactive/passive subresource requests and fetches in would-be mixed security contexts is the new standard: https://www.w3.org/TR/mixed-content/#category-upgradeable
Comment 1 Radar WebKit Bug Importer 2022-10-28 08:08:44 PDT
<rdar://problem/101678657>
Comment 2 Frederik Braun (Mozilla) 2022-11-22 04:31:16 PST
Drive-by comment, is this the same as bug 219396 (though the other seems to have more details)?
Comment 3 Michael Catanzaro 2022-11-22 06:58:22 PST
More or less the same, yes. I was tempted to mark this as a duplicate, but there is a slight difference in scope: bug #219396 additionally envisions removing internal settings and deprecating public settings, and that requires some Linux-specific changes that Apple engineers might not be comfortable with making, but would be very easy for me to do in a follow-up patch in that bug if the main work were to be handled in this bug. So I'll leave it for Matthew to decide whether to leave them both open or mark this one as a duplicate.
Comment 4 Matthew Finkel 2022-11-28 08:34:24 PST
(In reply to Frederik Braun (Mozilla) from comment #2)
> Drive-by comment, is this the same as bug 219396 (though the other seems to
> have more details)?

Oh, indeed! My apologies for missing that bug 219396 already includes this.

(In reply to Michael Catanzaro from comment #3)
> More or less the same, yes. I was tempted to mark this as a duplicate, but
> there is a slight difference in scope: bug #219396 additionally envisions
> removing internal settings and deprecating public settings, and that
> requires some Linux-specific changes that Apple engineers might not be
> comfortable with making, but would be very easy for me to do in a follow-up
> patch in that bug if the main work were to be handled in this bug. So I'll
> leave it for Matthew to decide whether to leave them both open or mark this
> one as a duplicate.

I like that plan. Let's focus on only upgrading http requests here, and then bug 219396 can track the remaining pieces (possibly as a meta bug).
Comment 5 Matthew Finkel 2023-02-02 18:55:35 PST
Pull request: https://github.com/webkit/WebKit/pull/9577
Comment 6 Matthew Finkel 2023-03-02 19:22:33 PST
Pull request: https://github.com/WebKit/WebKit/pull/9577
Comment 7 EWS 2024-02-09 21:12:11 PST
Committed 274409@main (8a3335648a55): <https://commits.webkit.org/274409@main>

Reviewed commits have been landed. Closing PR #9577 and removing active labels.
Comment 8 Fujii Hironori 2024-02-12 12:21:29 PST
http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent.html is a flaky failure. bug#269223 tracks the bug.