RESOLVED FIXED 247197
Upgrade requests in mixed content settings 
https://bugs.webkit.org/show_bug.cgi?id=247197
Summary Upgrade requests in mixed content settings
Matthew Finkel
Reported 2022-10-28 08:08:31 PDT
Upgrading inactive/passive subresource requests and fetches in would-be mixed security contexts is the new standard: https://www.w3.org/TR/mixed-content/#category-upgradeable
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-10-28 08:08:44 PDT
<rdar://problem/101678657>
Frederik Braun (Mozilla)
Comment 2 2022-11-22 04:31:16 PST
Drive-by comment, is this the same as bug 219396 (though the other seems to have more details)?
Michael Catanzaro
Comment 3 2022-11-22 06:58:22 PST
More or less the same, yes. I was tempted to mark this as a duplicate, but there is a slight difference in scope: bug #219396 additionally envisions removing internal settings and deprecating public settings, and that requires some Linux-specific changes that Apple engineers might not be comfortable with making, but would be very easy for me to do in a follow-up patch in that bug if the main work were to be handled in this bug. So I'll leave it for Matthew to decide whether to leave them both open or mark this one as a duplicate.
Matthew Finkel
Comment 4 2022-11-28 08:34:24 PST
(In reply to Frederik Braun (Mozilla) from comment #2) > Drive-by comment, is this the same as bug 219396 (though the other seems to > have more details)? Oh, indeed! My apologies for missing that bug 219396 already includes this. (In reply to Michael Catanzaro from comment #3) > More or less the same, yes. I was tempted to mark this as a duplicate, but > there is a slight difference in scope: bug #219396 additionally envisions > removing internal settings and deprecating public settings, and that > requires some Linux-specific changes that Apple engineers might not be > comfortable with making, but would be very easy for me to do in a follow-up > patch in that bug if the main work were to be handled in this bug. So I'll > leave it for Matthew to decide whether to leave them both open or mark this > one as a duplicate. I like that plan. Let's focus on only upgrading http requests here, and then bug 219396 can track the remaining pieces (possibly as a meta bug).
Matthew Finkel
Comment 5 2023-02-02 18:55:35 PST
Pull request: https://github.com/webkit/WebKit/pull/9577
Matthew Finkel
Comment 6 2023-03-02 19:22:33 PST
Pull request: https://github.com/WebKit/WebKit/pull/9577
EWS
Comment 7 2024-02-09 21:12:11 PST
Committed 274409@main (8a3335648a55): <https://commits.webkit.org/274409@main> Reviewed commits have been landed. Closing PR #9577 and removing active labels.
Fujii Hironori
Comment 8 2024-02-12 12:21:29 PST
http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent.html is a flaky failure. bug#269223 tracks the bug.
Note You need to log in before you can comment on or make changes to this bug.