Bug 250418

Summary: Secure Contexts: Documents whose environment has a data: top-level creation URL are not considered a secure context.
Product: WebKit Reporter: Ryan Reno <rreno>
Component: DOMAssignee: Ryan Reno <rreno>
Status: NEW ---    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=11885

Description Ryan Reno 2023-01-10 15:26:53 PST 
data:text/html,<h1>Hello World!</h1>

window.isSecureContext returns false.

My reading of https://html.spec.whatwg.org/multipage/webappapis.html#secure-contexts says we should get a result of "Potentially Trustworthy" which should imply a secure context (step 2 of the linked algorithm).
Comment 1 Radar WebKit Bug Importer 2023-01-10 15:27:04 PST 
<rdar://problem/104096486>
Comment 2 Ryan Reno 2023-01-10 16:18:04 PST 
We are intentionally treating data URLs as opaque origins.
https://bugs.webkit.org/show_bug.cgi?id=11885
Comment 3 Ryan Reno 2023-01-11 18:05:57 PST 
Pull request: https://github.com/WebKit/WebKit/pull/8556