[Webkit-unassigned] [Bug 218977] New: Don't treat data: URLs as mixed content
bugzilla-daemon at webkit.org
Mon Nov 16 05:15:49 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=218977
Bug ID: 218977
Summary: Don't treat data: URLs as mixed content
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: ASSIGNED
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fred.wang at free.fr
CC: beidson at apple.com
Depends on: 218623, 218627
From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :
---------
a priori authenticated URL
We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:
  * url is a potentially trustworthy URL [SECURE-CONTEXTS].
  * url’s scheme is "data".
Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.
---------
We need to do more work for "potentially trustworthy", including bug 218623 and bug 218627.
This bug is about the case when the scheme is "data".
Referenced Bugs:
https://bugs.webkit.org/show_bug.cgi?id=218623
[Bug 218623] Don't treat loopback IP addresses (127.0.0.0/8, ::1/128) as mixed content
https://bugs.webkit.org/show_bug.cgi?id=218627
[Bug 218627] Introduce preference not to treat localhost and .localhost as mixed content
--
You are receiving this mail because:
You are the assignee for the bug.
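
The quoted definition, together with the loopback and localhost cases from the two referenced bugs, sketched as a classifier. This is an added example, not part of the bug report and not WebKit's code; the function names, the `allowLocalhostNames` option (standing in for the preference in bug 218627) and the https/wss scheme list (a simplified subset of SECURE-CONTEXTS) are assumptions.

```javascript
// Added example: simplified "a priori authenticated URL" check (not WebKit's code).

// Assumption: only these schemes count as secure here (subset of SECURE-CONTEXTS).
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

function isLoopbackIp(hostname) {
  // new URL() has already normalised IPv4 to dotted decimal and IPv6 to its
  // shortest bracketed form, so 127.0.0.0/8 and ::1/128 reduce to these tests.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname) || hostname === "[::1]";
}

function isLocalhostName(hostname) {
  const h = hostname.replace(/\.$/, ""); // ignore a trailing root dot
  return h === "localhost" || h.endsWith(".localhost");
}

// Returns { authenticated, reason } for a subresource URL.
// allowLocalhostNames is a hypothetical option modelling the bug 218627 preference.
function classifyForMixedContent(rawUrl, { allowLocalhostNames = false } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { authenticated: false, reason: "unparseable" };
  }
  // data: is not considered trustworthy, but it never hits the network,
  // so it is exempt from mixed-content blocking.
  if (url.protocol === "data:") {
    return { authenticated: true, reason: "data-scheme" };
  }
  if (SECURE_SCHEMES.has(url.protocol)) {
    return { authenticated: true, reason: "secure-scheme" };
  }
  if (isLoopbackIp(url.hostname)) {
    return { authenticated: true, reason: "loopback-ip" };
  }
  if (allowLocalhostNames && isLocalhostName(url.hostname)) {
    return { authenticated: true, reason: "localhost-name" };
  }
  return { authenticated: false, reason: "insecure" };
}
```

The loopback test runs on the parsed hostname rather than on the raw string, so a name such as 127.0.0.1.example.com is not mistaken for a loopback address.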