218977 – Don't treat data: URLs as mixed content

Bug 218977 - Don't treat data: URLs as mixed content

Summary: Don't treat data: URLs as mixed content

Status:	ASSIGNED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Page Loading (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:	218623 218627
Blocks:	140625
	Show dependency tree / graph

Reported:	2020-11-16 05:15 PST by Frédéric Wang (:fredw)
Modified:	2020-12-17 14:13 PST (History)
CC List:	18 users (show)

See Also:	https://github.com/w3c/webappsec-mixed-content/issues/35

Attachments
WIP Patch (860 bytes, patch) 2020-11-16 05:20 PST, Frédéric Wang (:fredw)	no flags	Details \| Formatted Diff \| Diff
218623+218627+218977 for EWS (103.46 KB, patch) 2020-11-16 05:25 PST, Frédéric Wang (:fredw)	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Frédéric Wang (:fredw) 2020-11-16 05:15:49 PST

From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

---------
 a priori authenticated URL
    We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

        url is a potentially trustworthy URL [SECURE-CONTEXTS].

        url’s scheme is "data".

        Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.
---------

We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627.

This bug is about the case when the scheme is "data".

Comment 1 Frédéric Wang (:fredw) 2020-11-16 05:20:52 PST

Created attachment 414218 [details]
WIP Patch

Comment 2 Frédéric Wang (:fredw) 2020-11-16 05:25:49 PST

Created attachment 414221 [details]
218623+218627+218977 for EWS

Comment 3 EWS Watchlist 2020-11-16 05:26:42 PST

This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess

Comment 4 Radar WebKit Bug Importer 2020-12-17 14:13:08 PST

<rdar://problem/72440600>