Bug 250418 - Secure Contexts: Documents whose environment has a data: top-level creation URL are not considered a secure context.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryan Reno
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-01-10 15:26 PST by Ryan Reno
Modified: 2023-01-11 18:05 PST
Description Ryan Reno 2023-01-10 15:26:53 PST
data:text/html,<h1>Hello World!</h1>

window.isSecureContext returns false.

My reading of https://html.spec.whatwg.org/multipage/webappapis.html#secure-contexts says we should get a result of "Potentially Trustworthy" which should imply a secure context (step 2 of the linked algorithm).
Comment 1 Radar WebKit Bug Importer 2023-01-10 15:27:04 PST
<rdar://problem/104096486>
Comment 2 Ryan Reno 2023-01-10 16:18:04 PST
We are intentionally treating data URLs as opaque origins.
https://bugs.webkit.org/show_bug.cgi?id=11885
Comment 3 Ryan Reno 2023-01-11 18:05:57 PST
Pull request: https://github.com/WebKit/WebKit/pull/8556
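
Added example (not part of the bug report and not WebKit code): a simplified JavaScript model of the "Is url potentially trustworthy?" and "Is origin potentially trustworthy?" checks from the W3C Secure Contexts specification, which step 2 of the linked HTML algorithm applies to the top-level creation URL. It shows how the URL-level check and an origin-only check diverge for a `data:` URL, whose origin is opaque. All function names are hypothetical, and the user-agent allowlist step is omitted.

```javascript
// Added illustration; function names are hypothetical, not WebKit or spec identifiers.

// Simplified "Is origin potentially trustworthy?" (no user-agent allowlist).
function isOriginPotentiallyTrustworthy(url) {
  // file: is listed explicitly by the spec even though its origin is
  // implementation-defined (the URL API serializes it as "null").
  if (url.protocol === "file:") return true;
  // The URL API serializes an opaque origin as the string "null".
  if (url.origin === "null") return false;
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  // Loopback addresses: 127.0.0.0/8 and ::1.
  if (/^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]") return true;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  return false;
}

// Simplified "Is url potentially trustworthy?": data: URLs and
// about:blank / about:srcdoc are accepted before the origin is consulted.
function isUrlPotentiallyTrustworthy(input) {
  if (input === "about:blank" || input === "about:srcdoc") return true;
  const url = new URL(input);
  if (url.protocol === "data:") return true;
  return isOriginPotentiallyTrustworthy(url);
}

// Evaluate a top-level creation URL both ways so the difference is visible.
function compareChecks(topLevelCreationURL) {
  return {
    byUrl: isUrlPotentiallyTrustworthy(topLevelCreationURL),
    byOriginOnly: isOriginPotentiallyTrustworthy(new URL(topLevelCreationURL)),
  };
}

// Constructed sample inputs; the first is the test case from the description.
const samples = [
  "data:text/html,<h1>Hello World!</h1>",
  "https://example.com/",
  "http://example.com/",
  "http://localhost:8080/",
];
for (const s of samples) {
  console.log(s, compareChecks(s));
}
```

Only the `data:` sample produces different answers from the two checks; the other samples agree.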