Bug 247197

Summary: Upgrade requests in mixed content settings
Product: WebKit Reporter: Matthew Finkel <m_finkel>
Component: Page LoadingAssignee: Matthew Finkel <m_finkel>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, fbraun, Hironori.Fujii, mcatanzaro, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=269172
Bug Depends on:    
Bug Blocks: 140625, 219396    

Description Matthew Finkel 2022-10-28 08:08:31 PDT 
Upgrading inactive/passive subresource requests and fetches in would-be mixed security contexts is the new standard: https://www.w3.org/TR/mixed-content/#category-upgradeable
Comment 1 Radar WebKit Bug Importer 2022-10-28 08:08:44 PDT 
<rdar://problem/101678657>
Comment 2 Frederik Braun (Mozilla) 2022-11-22 04:31:16 PST 
Drive-by comment, is this the same as bug 219396 (though the other seems to have more details)?
Comment 3 Michael Catanzaro 2022-11-22 06:58:22 PST 
More or less the same, yes. I was tempted to mark this as a duplicate, but there is a slight difference in scope: bug #219396 additionally envisions removing internal settings and deprecating public settings, and that requires some Linux-specific changes that Apple engineers might not be comfortable with making, but would be very easy for me to do in a follow-up patch in that bug if the main work were to be handled in this bug. So I'll leave it for Matthew to decide whether to leave them both open or mark this one as a duplicate.
Comment 4 Matthew Finkel 2022-11-28 08:34:24 PST 
(In reply to Frederik Braun (Mozilla) from comment #2)
> Drive-by comment, is this the same as bug 219396 (though the other seems to
> have more details)?

Oh, indeed! My apologies for missing that bug 219396 already includes this.

(In reply to Michael Catanzaro from comment #3)
> More or less the same, yes. I was tempted to mark this as a duplicate, but
> there is a slight difference in scope: bug #219396 additionally envisions
> removing internal settings and deprecating public settings, and that
> requires some Linux-specific changes that Apple engineers might not be
> comfortable with making, but would be very easy for me to do in a follow-up
> patch in that bug if the main work were to be handled in this bug. So I'll
> leave it for Matthew to decide whether to leave them both open or mark this
> one as a duplicate.

I like that plan. Let's focus on only upgrading http requests here, and then bug 219396 can track the remaining pieces (possibly as a meta bug).
Comment 5 Matthew Finkel 2023-02-02 18:55:35 PST 
Pull request: https://github.com/webkit/WebKit/pull/9577
Comment 6 Matthew Finkel 2023-03-02 19:22:33 PST 
Pull request: https://github.com/WebKit/WebKit/pull/9577
Comment 7 EWS 2024-02-09 21:12:11 PST 
Committed 274409@main (8a3335648a55): <https://commits.webkit.org/274409@main>

Reviewed commits have been landed. Closing PR #9577 and removing active labels.
Comment 8 Fujii Hironori 2024-02-12 12:21:29 PST 
http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent.html is a flaky failure. bug#269223 tracks the bug.