The reason is that CSS3 selectors injected into a document via a mixed-content load can in fact query, retrieve and egress the document content. That's serious (unlike mixed-content image loads and frame loads).
A useful reference: http://www.stratsec.net/getattachment/c1be603c-84f4-4c3f-a449-3107f30c3164/stratsec---Ruxcon-2008---Attacking-Rich-Internet-Applications.pdf Slide 4 covers the attack.
Created attachment 90465: Patch
Comment on attachment 90465: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=90465&action=review

Let's give Sam a chance to see this patch too.

> Source/WebCore/loader/cache/CachedResourceLoader.cpp:238
> +    // XSL) or recover the content of the current document (CSS).

recover? maybe exfiltrate?
Exfiltrate it is. Landing. Chatted to Sam out-of-band. He raised the interesting point of naming -- do "run" and "display" cover it well any more? I can be persuaded that they still do, because I see the ever-more powerful CSS as more like running a language than displaying pixels. But if you have any better naming ideas, I can uptake them on the next patch.
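The risk stated in the first comment and the run/display split discussed just above, in the form a site owner would apply to their own pages: an added example, not WebKit code and not the patch under review. It lists every http: subresource referenced from an https: page and marks stylesheets, XSL and scripts as "run" loads (they can read or rewrite the document) and images and frames as "display" loads. The resource-kind table, the sample page and the .test hostnames are constructed for this example.

```python
"""Audit an HTTPS page for mixed-content subresource loads.

Added example, not WebKit code. It applies the run/display split from the
thread to the references found in a page: stylesheets, XSL and scripts can
read or rewrite the document ("run"); images and frames only render ("display").
The kind table below is this example's own simplification of that idea.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Resource kinds whose mixed-content load can query or rewrite the document.
RUN_KINDS = {"stylesheet", "xsl", "script"}

# @import inside a <style> block, with or without url(...), quoted or not.
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)
# <?xml-stylesheet ... href="..."?>; HTMLParser hands us the text between <? and >.
XML_STYLESHEET_RE = re.compile(r"""^xml-stylesheet\b.*?href\s*=\s*["']([^"']+)["']""",
                               re.I | re.S)


class _RefCollector(HTMLParser):
    """Collect (kind, url) pairs for every subresource reference in the markup."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel and a.get("href"):
                self.refs.append(("stylesheet", a["href"]))
        elif tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "img" and a.get("src"):
            self.refs.append(("image", a["src"]))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.refs.append(("frame", a["src"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Inline stylesheets can pull in more CSS via @import.
        if self._in_style:
            for m in IMPORT_RE.finditer(data):
                self.refs.append(("stylesheet", m.group(1)))

    def handle_pi(self, data):
        m = XML_STYLESHEET_RE.search(data)
        if m:
            self.refs.append(("xsl", m.group(1)))


def find_mixed_content(html, page_url):
    """Return (kind, absolute_url, category) for each http: load on an https: page."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an https document can have mixed content at all
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, ref in parser.refs:
        absolute = urljoin(page_url, ref)  # relative and //host refs inherit https
        if urlsplit(absolute).scheme == "http":
            category = "run" if kind in RUN_KINDS else "display"
            findings.append((kind, absolute, category))
    return findings


def run_category(findings):
    """The subset a browser following the thread's reasoning should block outright."""
    return [f for f in findings if f[2] == "run"]


# Constructed sample page; hostnames use the reserved .test TLD.
PAGE_URL = "https://shop.example.test/cart"
SAMPLE_PAGE = """<?xml-stylesheet type="text/xsl" href="http://cdn.example.test/view.xsl"?>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="stylesheet" href="//cdn.example.test/ok.css">
<style>@import url("http://cdn.example.test/extra.css"); body { margin: 0 }</style>
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="http://other.example.test/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url, category in find_mixed_content(SAMPLE_PAGE, PAGE_URL):
        print(f"{category:7} {kind:10} {url}")
```

Protocol-relative references (`//host/...`) resolve to the page's own scheme and are therefore not flagged; on the sample page the three "run" findings are the XSL sheet, the linked stylesheet and the `@import`ed one, while the image and the frame land in "display".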
Created attachment 90785: Patch
I'm not sure whether those are the best names. What did you have in mind?
I don't have any great ideas at this time. Sam?
Comment on attachment 90785: Patch
Rejecting attachment 90785 from commit-queue.

Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=cr-jail-3', 'land-a..." exit_code: 1

Last 500 characters of output:
56&ctype=xml
Processing 1 patch from 1 bug.
Cleaning working directory
Updating working directory
Processing patch 90785 from bug 59056.
NOBODY (OOPS!) found in /mnt/git/webkit-commit-queue/LayoutTests/ChangeLog does not appear to be a valid reviewer according to committers.py.
ERROR: /mnt/git/webkit-commit-queue/LayoutTests/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive).
Updating OpenSource
Current branch master is up to date.

Full output: http://queues.webkit.org/results/8494732
Comment on attachment 90785: Patch
If you post a patch with commit-queue+, you need to fill in the reviewer yourself because the tools don't know who reviewed the patch. The command "webkit-patch land-safely" will do that automatically for you.
The commit-queue encountered the following flaky tests while processing attachment 90785:

http/tests/appcache/reload.html bug 59275

The commit-queue is continuing to process your patch.
Comment on attachment 90785: Patch
Clearing flags on attachment: 90785

Committed r84739: <http://trac.webkit.org/changeset/84739>
All reviewed patches have been landed. Closing bug.