[Webkit-unassigned] [Bug 61946] FrameLoaderClient::didRunInsecureContent - no way to distinguish between blocked/run cases.

bugzilla-daemon at webkit.org
Fri Jun 3 12:01:46 PDT 2011


Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
          Component|Frames                      |WebKit API

--- Comment #4 from Alexey Proskuryakov <ap at webkit.org>  2011-06-03 12:01:46 PST ---
I still don't quite understand the use case. If didRunInsecureContent() is called, the browser hides its https lock icon. What are the didBlock notifications good for? Will the browser say "bwa-ha-ha, go use a different browser if you really want to use this site"? Or "dice a coin to decide whether to disable security content policy for this page, and then reload it"?

A broken site is just a broken site. When a CSS stylesheet is served with an incorrect Content-Type, we don't ask the user whether to load it - we just ignore it. Should content security policies be different?

+        String message = "The page at " + m_frame->document()->url().string() + " ran insecure content from " + url.string() + ".\n";
+        m_frame->domWindow()->console()->addMessage(HTMLMessageSource, LogMessageType, WarningMessageLevel, message, 1, String());
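Review bot: The addMessage call passes a hardcoded line number of 1 and an empty String() as the source, so the console entry is not attributed to any location in the page; passing the document URL as the source would at least tie the warning to the page that triggered it. The message string also ends in ".\n", which puts a trailing newline into the console entry, and it concatenates the full url.string() of both the page and the insecure resource into the log text, so it is worth deciding whether the whole URL or only its origin should be shown.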

That might be too chatty, not sure. But more importantly, this is too vague. What should a developer do when seeing this message? Does this only mean that their code potentially won't work in other browsers? We generally don't log things like that.
