[webkit-gtk] Mixed content blocking

Michael Catanzaro mcatanzaro at igalia.com
Tue Jul 22 13:13:51 PDT 2014


Hi,

I'm an intern with Igalia, working on adding active mixed content
blocking in Epiphany. Background: WebKit already has a mixed content
checker that allows browsers to decide whether they want to allow
displaying passive mixed content or allow running active mixed content.
All are allowed by default. For a good summary of what mixed content is,
see [1] or [2]. (For Epiphany, I plan to block active mixed content and
only display a warning icon for passive mixed content, since this is
what major browsers do.)

I doubt we want to turn on mixed content blocking unconditionally, so we
need some new API in WebKitGTK+ to allow browsers to configure this.
I've implemented two obvious possibilities:

Possibility 1: Just directly expose the existing internal preferences
with WebKitSettings. WebKitSettings would gain two new properties,
allow-display-of-insecure-content and allow-running-of-insecure-content,
plus associated getters/setters.

The disadvantage of Possibility 1 is that it's not a good parallel to
webkit_web_context_[gs]et_tls_errors_policy(), and this would not allow
browsers to override the policy on a per-page basis. For example,
Firefox and Chromium both allow reloading the current page with insecure
content enabled if you click an icon in the address bar.

Possibility 2: Introduce a new enum, WebKitInsecureContentPolicy:

WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_ALL,
WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_DISPLAY,
WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_NONE

(It's trivial to also add WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_RUNNING,
but no sane browser would want to block mixed passive content and not
mixed active content, so I think we should just omit this.)

I propose three associated functions:

* webkit_web_context_[gs]et_insecure_content_policy()
* webkit_web_view_reload_with_insecure_content_policy()

A browser could then set a default policy and also allow the user to
change the policy for the current web page if content is blocked, which
it can detect with the existing WebKitWebView::insecure-content-detected
signal. We haven't decided if we want to do this in Epiphany, but since
it's how other major browsers work I think WebKitGTK+ should make this
easy regardless.

Does this API seem good? If so, I will open a bug with a patch.

There is one other minor problem: WebKit currently treats frames as
passive content, since this is what Chromium originally did, but
nowadays all major browsers treat frames as active content. Would it be
permissible to change this in WebCore, so that the
allow-running-insecure-content setting is checked to decide whether to
block a frame, rather than the allow-display-of-insecure-content
setting? I think no ports currently allow mixed content blocking (it was
used by Chromium), so we probably have free rein to make changes here?

Happy Tuesday,

Michael Catanzaro

[1]
https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl
[2]
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
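
A model of the policy decision discussed in the message above, added here as an example; it is not WebKit or Epiphany code. Only the three enum values come from the message; ResourceKind, should_block(), the frames_are_active switch and the URLs are hypothetical, and the scheme check assumes lowercase, already-normalized URLs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Enum values as proposed in the message. Everything else is hypothetical. */
typedef enum {
    WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_ALL,
    WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_DISPLAY,
    WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_NONE
} WebKitInsecureContentPolicy;

typedef enum { RES_IMAGE, RES_MEDIA, RES_SCRIPT, RES_STYLESHEET, RES_FRAME } ResourceKind;

/* The enum collapses the two existing booleans into one ordered setting. */
static bool allows_display(WebKitInsecureContentPolicy p) {
    return p != WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_NONE;
}
static bool allows_running(WebKitInsecureContentPolicy p) {
    return p == WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_ALL;
}

/* frames_are_active selects between the current WebCore classification
 * (false) and the change the message asks about (true). */
static bool is_active(ResourceKind k, bool frames_are_active) {
    if (k == RES_SCRIPT || k == RES_STYLESHEET) return true;
    return k == RES_FRAME && frames_are_active;
}

/* Returns true when an http: subresource of an https: page must be blocked.
 * Assumes lowercase, already-normalized URLs (a simplification). */
bool should_block(const char *page, const char *res, ResourceKind kind,
                  WebKitInsecureContentPolicy policy, bool frames_are_active) {
    if (strncmp(page, "https://", 8) != 0 || strncmp(res, "http://", 7) != 0)
        return false; /* not mixed content */
    return is_active(kind, frames_are_active) ? !allows_running(policy)
                                              : !allows_display(policy);
}

int main(void) {
    const char *page = "https://shop.example/";       /* constructed */
    const char *frame = "http://ads.example/f.html";  /* constructed */
    WebKitInsecureContentPolicy p = WEBKIT_INSECURE_CONTENT_POLICY_ALLOW_DISPLAY;
    printf("frame, passive classification: %s\n",
           should_block(page, frame, RES_FRAME, p, false) ? "blocked" : "loaded");
    printf("frame, active classification:  %s\n",
           should_block(page, frame, RES_FRAME, p, true) ? "blocked" : "loaded");
    return 0;
}
```

Under ALLOW_DISPLAY the only outcome that changes with the frame reclassification is the insecure frame itself, which goes from loaded to blocked.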


