[webkit-reviews] review denied: [Bug 84054] webkitURL.createObjectURL uris generated from an SSL site are marked insecure : [Attachment 146095] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jun 6 13:53:22 PDT 2012
Adam Barth <abarth at webkit.org> has denied Mike West <mkwst at chromium.org>'s
request for review:
Bug 84054: webkitURL.createObjectURL uris generated from an SSL site are marked
insecure
https://bugs.webkit.org/show_bug.cgi?id=84054
Attachment 146095: Patch
https://bugs.webkit.org/attachment.cgi?id=146095&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=146095&action=review
I'm sorry I don't have time at the moment to sort out the correct patch for
this problem.
> Source/WebCore/loader/FrameLoader.cpp:872
> - if (!url.isValid() ||
SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol()))
> + if (!url.isValid() ||
SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol()) ||
SchemeRegistry::canDisplayOnlyIfCanRequest(url.protocol()))
This is not correct. The fact that you can only display the scheme if you can
request it has no bearing on whether it's mixed content. In particular,
imagine a document with universal access. It can request every URL, even
insecure ones.
More information about the webkit-reviews
mailing list