[webkit-dev] Mixed content checking

Alexey Proskuryakov ap at webkit.org
Wed Jul 23 22:59:42 PDT 2014

23 июля 2014 г., в 17:08, Michael Catanzaro <mcatanzaro at igalia.com> написал(а):

> One problem with these settings is that frames are treated as mixed
> passive content rather than mixed active content. For the WebKitGTK+ API
> I want frames to be treated as active content, which is what most major
> browsers currently do.

Thank you for the heads up!

Can you elaborate on why this is desirable? A non-https frame always has a different origin, so it can't script the main frame.

In other words, how is "active content" defined here?

> I'm also planning to block mixed XMLHttpRequest and WebSocket
> connections when allow-running-of-insecure-content is false. 

Same question, why? Cross origin XMLHttpRequest is different from cross origin scripts in that it takes quite a bit of effort to make it work, so it's not the same case of accidentally loading a subresource using http instead of https.

- Alexey

More information about the webkit-dev mailing list