[Webkit-unassigned] [Bug 165726] New: On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Dec 10 09:00:07 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=165726
Bug ID: 165726
Summary: On HTTPS pages, .ts files loaded from insecure origins
via XHR are allowed
Classification: Unclassified
Product: WebKit
Version: Safari 10
Hardware: Macintosh
OS: OS X 10.11
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: paulschreiber at gmail.com
In Safari 10.0.1 (11602.2.14.0.7), On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed.
Chrome 55 and Firefox 50 block these, as expected.
Chrome:
The page at 'https://xyxxxxxx.com/features/new-video-player/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts'. This request has been blocked; the content must be served over HTTPS.
XMLHttpRequest cannot load http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts. Failed to start loading.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161210/ac1b6582/attachment.html>
More information about the webkit-unassigned
mailing list