Bug 218977

Summary: Don't treat data: URLs as mixed content
Product: WebKit Reporter: Frédéric Wang (:fredw) <fred.wang>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: ASSIGNED ---    
Severity: Normal CC: beidson, cdumez, changseok, clopez, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, hi, japhet, jer.noble, mcatanzaro, mkwst, philipj, sergio, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/w3c/webappsec-mixed-content/issues/35
Bug Depends on: 218623, 218627    
Bug Blocks: 140625    
Attachments:
Description Flags
WIP Patch
none
218623+218627+218977 for EWS ews-feeder: commit-queue-

Description Frédéric Wang (:fredw) 2020-11-16 05:15:49 PST 
From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

---------
 a priori authenticated URL
    We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

        url is a potentially trustworthy URL [SECURE-CONTEXTS].

        url’s scheme is "data".

        Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.
---------

We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627.

This bug is about the case when the scheme is "data".
Comment 1 Frédéric Wang (:fredw) 2020-11-16 05:20:52 PST 
Created attachment 414218 [details]
WIP Patch
Comment 2 Frédéric Wang (:fredw) 2020-11-16 05:25:49 PST 
Created attachment 414221 [details]
218623+218627+218977 for EWS
Comment 3 EWS Watchlist 2020-11-16 05:26:42 PST 
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 4 Radar WebKit Bug Importer 2020-12-17 14:13:08 PST 
<rdar://problem/72440600>