[Webkit-unassigned] [Bug 165726] New: On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 10 09:00:07 PST 2016 

https://bugs.webkit.org/show_bug.cgi?id=165726

            Bug ID: 165726
           Summary: On HTTPS pages, .ts files loaded from insecure origins
                    via XHR are allowed
    Classification: Unclassified
           Product: WebKit
           Version: Safari 10
          Hardware: Macintosh
                OS: OS X 10.11
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: paulschreiber at gmail.com

In Safari 10.0.1 (11602.2.14.0.7), On HTTPS pages, .ts files loaded from insecure origins via XHR are allowed.

Chrome 55 and Firefox 50 block these, as expected.

Chrome:
The page at 'https://xyxxxxxx.com/features/new-video-player/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts'. This request has been blocked; the content must be served over HTTPS.

XMLHttpRequest cannot load http://media.video-cdn.espn.com/motion/2016/0119/dm_160119_538_Bernie/hls/447489_MBR3_00001.ts. Failed to start loading.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161210/ac1b6582/attachment.html>

More information about the webkit-unassigned mailing list