[webkit-changes] [WebKit/WebKit] 8a3335: Upgrade upgradable content in mixed security contexts

Matthew Finkel noreply at github.com
Fri Feb 9 21:12:19 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a3335648a55dacd22afee2ebdd7e40e5fd2259e
      https://github.com/WebKit/WebKit/commit/8a3335648a55dacd22afee2ebdd7e40e5fd2259e
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2024-02-09 (Fri, 09 Feb 2024)

  Changed paths:
    A LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin-UpgradeMixedContent.https.html
    M LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt
    A LayoutTests/http/tests/inspector/network/loadResource-insecure-resource-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/inspector/network/loadResource-insecure-resource-UpgradeMixedContent.html
    A LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-UpgradeMixedContent.html
    M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt
    A LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent.html
    M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt
    A LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-UpgradeMixedContent.html
    M LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt
    M LayoutTests/http/tests/navigation/resources/check-ping.py
    A LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/no-referrer/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/strict-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy-img/unsafe-url/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy-img/unsafe-url/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/import-insecure-script-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/import-insecure-script-in-iframe-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/security/mixedContent/insecure-css-with-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-css-with-secure-cookies-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-with-cors-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-with-cors-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-image-with-securecookie-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-image-with-securecookie-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-script-redirects-to-basic-auth-secure-script-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-script-redirects-to-basic-auth-secure-script-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-script-with-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-script-with-secure-cookies-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-UpgradeMixedContent.html
    M LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-expected.txt
    A LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-cors-image.html
    M LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html
    A LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-UpgradeMixedContent.https.html
    A LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-UpgradeMixedContent.html
    A LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-UpgradeMixedContent.https-expected.txt
    A LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-UpgradeMixedContent.https.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
    M LayoutTests/platform/mac-wk1/TestExpectations
    A LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-basic-auth-image-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-css-with-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-main-frame-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-image-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-UpgradeMixedContent-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-UpgradeMixedContent.https-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-UpgradeMixedContent-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-expected.txt
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentThreadableLoader.cpp
    M Source/WebCore/loader/MixedContentChecker.cpp
    M Source/WebCore/loader/MixedContentChecker.h
    M Source/WebCore/loader/SubframeLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceRequest.cpp
    M Source/WebCore/loader/cache/CachedResourceRequest.h
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicy.h
    M Tools/DumpRenderTree/TestRunner.h
    M Tools/DumpRenderTree/mac/DumpRenderTree.mm
    M Tools/DumpRenderTree/mac/UIDelegate.mm
    M Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm

  Log Message:
  -----------
  Upgrade upgradable content in mixed security contexts
https://bugs.webkit.org/show_bug.cgi?id=247197
rdar://problem/101678657

Reviewed by Youenn Fablet.

This change aligns WebKit with the current Mixed Content Level 2 specification.

When mixed content (e.g., an http: resource from an https: document) is requested,
the request is either blocked or "upgraded" to https:. Previously, some
insecure content was blocked and other insecure content was loaded (without
modification). In this change, all previously blocked content is still blocked,
but content that was loaded from an insecure channel is now "upgraded" to a
secure connection ("https") before attempting the request.

All requests are "blockable" except for "upgradable" requests, and upgradable requests are defined as:
https://www.w3.org/TR/mixed-content/#upgrade-algorithm

1. If one or more of the following conditions is met, return without modifying request:
  1. request’s URL is a potentially trustworthy URL.
  2. request’s URL’s host is an IP address.
  3. § 4.3 Does settings prohibit mixed security contexts? returns "Does Not Restrict Mixed Security Contexts" when applied to request’s client.
  4. request’s destination is not "image", "audio", or "video".
  5. request’s destination is "image" and request’s initiator is "imageset".
2. If request’s URL’s scheme is http, set request’s URL’s scheme to https, and return.

This change also improves support for mixed content beacon and ping requests.

Most of the tests are duplicates of existing tests but with the
UpgradeMixedContentEnabled preference enabled.
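
The upgrade algorithm quoted in the log message above, worked through as an added example; this is not part of the commit and not WebKit code. The request/client object shapes, the function names and the sample URLs are assumptions made for illustration, and the "potentially trustworthy" and § 4.3 checks are simplified stand-ins.

```javascript
// Added illustration of the Mixed Content Level 2 upgrade algorithm as quoted
// in the log message. Hypothetical request shape:
//   { url, destination, initiator, client: { origin } }

const UPGRADABLE_DESTINATIONS = new Set(["image", "audio", "video"]);

// Simplified stand-in for "potentially trustworthy URL": only https:/wss:
// and loopback hosts are recognised here.
function isPotentiallyTrustworthy(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
    /^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]";
}

// The WHATWG URL parser normalises IPv4 hosts to dotted-quad form and keeps
// IPv6 hosts in brackets, so both are easy to recognise after parsing.
function hostIsIPAddress(url) {
  const host = url.hostname;
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Simplified stand-in for section 4.3: only the client's own origin is
// checked (the specification also considers ancestor frames).
function clientProhibitsMixedContent(client) {
  return isPotentiallyTrustworthy(new URL(client.origin));
}

// Returns the (possibly rewritten) URL and the step of the quoted algorithm
// that decided the outcome.
function upgradeMixedContentRequest(request) {
  const url = new URL(request.url);
  const unchanged = (step) => ({ url: url.href, upgraded: false, step });

  if (isPotentiallyTrustworthy(url)) return unchanged("1.1");
  if (hostIsIPAddress(url)) return unchanged("1.2");
  if (!clientProhibitsMixedContent(request.client)) return unchanged("1.3");
  if (!UPGRADABLE_DESTINATIONS.has(request.destination)) return unchanged("1.4");
  if (request.destination === "image" && request.initiator === "imageset") {
    return unchanged("1.5");
  }
  if (url.protocol === "http:") {
    url.protocol = "https:"; // host, explicit port, path and query are kept
    return { url: url.href, upgraded: true, step: "2" };
  }
  return unchanged("not-http");
}

// Constructed sample requests (not taken from the WebKit layout tests).
const SECURE_CLIENT = { origin: "https://shop.example.test" };
const SAMPLES = [
  { url: "http://media.example.test/logo.png", destination: "image",
    initiator: "", client: SECURE_CLIENT },
  { url: "http://media.example.test:8080/clip.mp4", destination: "video",
    initiator: "", client: SECURE_CLIENT },
  { url: "http://192.0.2.10/banner.png", destination: "image",
    initiator: "", client: SECURE_CLIENT },
  { url: "http://media.example.test/hero-2x.png", destination: "image",
    initiator: "imageset", client: SECURE_CLIENT },
  { url: "http://cdn.example.test/app.js", destination: "script",
    initiator: "", client: SECURE_CLIENT },
  { url: "https://media.example.test/logo.png", destination: "image",
    initiator: "", client: SECURE_CLIENT },
  { url: "http://media.example.test/logo.png", destination: "image",
    initiator: "", client: { origin: "http://legacy.example.test" } },
];

function runSamples() {
  return SAMPLES.map(upgradeMixedContentRequest);
}

for (const result of runSamples()) {
  console.log(`${result.step.padEnd(8)} upgraded=${result.upgraded} ${result.url}`);
}
```

Requests that return at steps 1.2, 1.4 or 1.5 leave this function with their http: URL intact; what happens to them next is decided by the separate blocking check, which this example does not model.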

* LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt:
* LayoutTests/http/tests/inspector/network/loadResource-insecure-resource-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/inspector/network/loadResource-insecure-resource-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt:
* LayoutTests/http/tests/navigation/resources/check-ping.py:
* LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/no-referrer/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/strict-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy-img/unsafe-url/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy-img/unsafe-url/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/import-insecure-script-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/import-insecure-script-in-iframe-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-css-with-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-css-with-secure-cookies-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-with-cors-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-with-cors-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-with-securecookie-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-image-with-securecookie-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-script-redirects-to-basic-auth-secure-script-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-script-redirects-to-basic-auth-secure-script-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-script-with-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-script-with-secure-cookies-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-cors-image.html: Added.
* LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-UpgradeMixedContent.https.html: Added.
* LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-UpgradeMixedContent.https.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt: Removed.
* LayoutTests/platform/mac-wk1/TestExpectations:
* LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-UpgradeMixedContent-expected.txt: Copied from LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt.
* LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt: Copied from LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt.
* LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/area-cross-origin-from-https-UpgradeMixedContent-expected.txt: Copied from LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt.
* LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt: Copied from LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt.
* LayoutTests/platform/mac-wk1/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/no-referrer/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/strict-origin-when-cross-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/referrer-policy-img/strict-origin/cross-origin-http-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-basic-auth-image-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-css-with-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-main-frame-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-image-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-UpgradeMixedContent.https-expected.txt: Added.
* LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-UpgradeMixedContent-expected.txt: Added.
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::connect):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest):
* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::isMixedContent):
(WebCore::logConsoleWarning):
(WebCore::logConsoleWarningForUpgrade):
(WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent):
(WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
(WebCore::MixedContentChecker::shouldUpgradeInsecureContent):
(WebCore::MixedContentChecker::shouldBlockInsecureContent):
(WebCore::logWarning): Deleted.
* Source/WebCore/loader/MixedContentChecker.h:
* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestImage):
(WebCore::isUpgradableTypeFromResourceType):
(WebCore::CachedResourceLoader::checkInsecureContent const):
(WebCore::CachedResourceLoader::canRequest):
(WebCore::CachedResourceLoader::canRequestAfterRedirection const):
(WebCore::CachedResourceLoader::updateRequestAfterRedirection):
(WebCore::CachedResourceLoader::requestResource):
* Source/WebCore/loader/cache/CachedResourceLoader.h:
* Source/WebCore/loader/cache/CachedResourceRequest.cpp:
(WebCore::upgradeInsecureResourceRequestIfNeeded):
(WebCore::CachedResourceRequest::upgradeInsecureRequestIfNeeded):
* Source/WebCore/loader/cache/CachedResourceRequest.h:
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded const):
* Source/WebCore/page/csp/ContentSecurityPolicy.h:

Canonical link: https://commits.webkit.org/274409@main



