[webkit-dev] Mixed content checking

Michael Catanzaro mcatanzaro at igalia.com
Wed Jul 23 17:08:08 PDT 2014


I'm an intern with Igalia currently working on mixed content blocking in
WebKitGTK+. I see WebCore already has decent support for mixed content
blocking using the settings allow-display-of-insecure-content and
allow-running-of-insecure-content, which were previously used by the
Chromium port.

One problem with these settings is that frames are treated as mixed
passive content rather than mixed active content. For the WebKitGTK+ API
I want frames to be treated as active content, which is what most major
browsers currently do. Is it OK if I change this, so that
allow-running-of-insecure-content and not
allow-display-of-insecure-content will be checked to determine whether
or not to block a frame? These settings seem to be currently unused, so
I don't think this will be an unexpected behavior change for anyone.

I'm also planning to block mixed XMLHttpRequest and WebSocket
connections when allow-running-of-insecure-content is false. 


Michael Catanzaro
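
The policy proposed in the message above, modelled as an added example (not WebCore or WebKitGTK+ code, and not written by the poster). The function name, the type labels, the camelCase setting keys, and the treatment of images as passive and scripts as active are assumptions made for illustration.

```javascript
// Simplified model of the mixed content decision discussed in this thread.
// All names here are hypothetical; this is not WebCore's implementation.
const INSECURE_SCHEMES = new Set(["http:", "ws:"]);
// "frame", "xhr" and "websocket" come from the message; "script" is an assumption.
const ACTIVE_TYPES = new Set(["script", "frame", "xhr", "websocket"]);

// Returns "allow" or "block" for one subresource load.
// framesAreActive=false models the behaviour the message describes as current,
// framesAreActive=true models the proposed change.
function checkMixedContent(pageUrl, resourceUrl, type, settings, framesAreActive = true) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, pageUrl); // resolves relative URLs
  // Only a secure page loading an insecure resource counts as mixed content.
  if (page.protocol !== "https:" || !INSECURE_SCHEMES.has(resource.protocol)) {
    return "allow";
  }
  let active = ACTIVE_TYPES.has(type);
  if (type === "frame" && !framesAreActive) active = false;
  const allowed = active
    ? settings.allowRunningOfInsecureContent
    : settings.allowDisplayOfInsecureContent;
  return allowed ? "allow" : "block";
}

// Constructed sample: display allowed, running blocked.
const sampleSettings = {
  allowDisplayOfInsecureContent: true,
  allowRunningOfInsecureContent: false,
};
const samplePage = "https://example.test/index.html";
const sampleLoads = [
  ["image", "http://example.test/logo.png"],
  ["frame", "http://example.test/widget.html"],
  ["xhr", "http://example.test/api"],
  ["websocket", "ws://example.test/socket"],
  ["websocket", "wss://example.test/socket"],
  ["script", "/app.js"], // relative, so it inherits https and is not mixed
];

// Compares the current and proposed verdict for every sample load.
function compareVerdicts() {
  return sampleLoads.map(([type, url]) => ({
    type,
    url,
    current: checkMixedContent(samplePage, url, type, sampleSettings, false),
    proposed: checkMixedContent(samplePage, url, type, sampleSettings, true),
  }));
}

console.table(compareVerdicts());
```

With these sample settings only the insecure frame changes verdict between the two columns, which is the behaviour change the message asks about.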
