[Webkit-unassigned] [Bug 140621] New: Frames should be treated as active mixed content

Mon Jan 19 10:11:52 PST 2015

https://bugs.webkit.org/show_bug.cgi?id=140621

            Bug ID: 140621
           Summary: Frames should be treated as active mixed content
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Enhancement
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com

Frames should be treated as active mixed content. When the top frame (other browsers check the parent frame) is loaded via HTTPS and a subframe is loaded via HTTP, a mixed content callback should be triggered to allow browsers to warn the user or block the content. It's true that the insecure frame cannot modify the contents of the secure frame, but it should not be possible for a substantial portion of the page to be loaded with no security despite the presence of a browser security indicator.

Chrome, Firefox, and Internet Explorer all block mixed content frames by default [1].

[1] https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150119/2a983635/attachment-0002.html>