[Webkit-unassigned] [Bug 258711] New: make-https rule doesn't cause hasOnlySecureContent to be true

Thu Jun 29 22:32:42 PDT 2023

https://bugs.webkit.org/show_bug.cgi?id=258711

            Bug ID: 258711
           Summary: make-https rule doesn't cause hasOnlySecureContent to
                    be true
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: meacer at chromium.org

If a content blocking rule with `make-https` upgrades a subresource from http:// to https://, webkit still reports `hasOnlySecureContent=false` even if the page never loads any http:// resource.

Here is a sample app (the whole repo should be buildable): https://github.com/meacer/swift-ios-wkwebview-demo-make-https/blob/master/wkwebview/ViewController.swift

In this app, line 63 will print `hasOnlySecureContent: false` even though the image subresource is loaded over https.

(We recently implemented mixed content upgrading in Chromium on iOS using a make-https content rule, and this bug is preventing us from showing the correct page security state in the omnibox.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230630/8c4f9ecc/attachment.htm>