[Webkit-unassigned] [Bug 246606] [GTK][WPE] Add provision to enable / disable websecurity

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 17 06:23:18 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=246606

Miguel Gomez <magomez at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |magomez at igalia.com

--- Comment #2 from Miguel Gomez <magomez at igalia.com> ---
(In reply to Michael Catanzaro from comment #1)
> The mixed content settings are obsolete nowadays. See also: bug #219396. API
> to expose the internal settings would be at risk, because the internal
> settings are no longer needed: mixed content was a problem of the 2010s, but
> we're in the 2020s now and https://w3c.github.io/webappsec-mixed-content/
> describes how mixed content should be handled.
> 
> Then the WebSecurity setting appears to turn off the same origin policy...
> is this needed for a test harness or something? Surely you don't need this
> for normal web content? Can you explain your use case?

The PR we're basing on is not exactly what's going to be implemented. The idea was to check whether the mixed content settings were needed or whether the websecurity one supersedes those. From what you say it seems that the websecurity one should be enough, so we'll go for that only.

The use case for the websecurity setting is that some users run their apps in controlled environments and they don't need it, so having it enabled makes things more complicated. Also, for testing and development it's quite convenient.
