There is a spec developing somewhat differently: https://w3c.github.io/webappsec-mixed-content/ We probably want to match the spec.

Basically we want to: * Upgrade any mixed content that we do not block today, block if secure connection is unavailable * Continue blocking everything that we block today (unchanged) (unless upgrade-insecure-requests CSP is used, unchanged) * Make sure to block mixed downloads The spec offers the possibility of an option to disable all of this and just load mixed content, but WebKit should not allow that. We can also remove preferences for AllowDisplayOfInsecureContent and AllowDisplayAndRunningOfInsecureContent.

I think this is now implemented after bug #268823, albeit only conditionally, behind a runtime preference. This makes it unclear what we should do with the various insecure content detected APIs. The various layers of signals still exist, but are generally unused now. I'm inclined to deprecate the GTK/WPE API simply to avoid confusion from having API that doesn't do anything anymore. Not sure about the cross-platform bits, though. They're still theoretically useful if you change the runtime setting. And the GTK/WPE ports do allow this via the WebKitFeature API, so in theory, they could still be fired. In practice, though, we can still safely deprecate them; no developers are likely to ever do that, and even if so, it's OK to tell developers "don't do that."

Pull request: https://github.com/WebKit/WebKit/pull/24770

Committed 275056@main (9cf4048416d8): <https://commits.webkit.org/275056@main> Reviewed commits have been landed. Closing PR #24770 and removing active labels.