[Webkit-unassigned] [Bug 140624] New: Web sockets should be treated as active mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 19 10:30:23 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=140624

            Bug ID: 140624
           Summary: Web sockets should be treated as active mixed content
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Enhancement
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com

A page loaded via HTTPS should not be allowed to open insecure (ws://) web sockets; only secure (wss://) web sockets should be permitted.

Chrome, Internet Explorer, and Firefox all block mixed content web sockets by default [1] (although Chrome began blocking after [1] was published) so there should be no compatibility concerns.

[1] https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150119/36969d49/attachment-0002.html>


More information about the webkit-unassigned mailing list