Why Mixed Content fetch is blocked ?

[Xiaoming Ding]

I am going to fetch a local video clip ( mp4 ) to display at my https site. In service worker I use the following code to retrieve the clip : 

self.addEventListener('message', function(event) {

   //fetch(    'http://localhost/index.htm').then( function ( response ){

   var init = { method: 'GET',

                 headers: {

                        "Content-Type": "video/mp4",

                                }

        };

   fetch(    'http://localhost/my.mp4', init ).then( function ( response ){

            event.ports[0].postMessage( response.json() );

         }, function ( error_message ) {

        console.log ( error_message ) ;

        event.ports[0].postMessage(  error_message ) ;

   });

   

});

 

However , this fetch is blocked with error : 

Mixed Content: The page at 'https://www.mysite.info/sw.js' was loaded over HTTPS, but requested an insecure resource 'http://localhost/my.mp4'. This request has been blocked; the content must be served over HTTPS.

According to https://w3c.github.io/webappsec-mixed-content/#should-block-fetch  chapter 5.3 it said : 

Given a Request request, a user agent determines whether the Request request should proceed or not via the following algorithm:

...

4.Return allowed if one or more of the following conditions are met:

request’s initiator is "fetch" and destination is "subresource", and request is a passthrough request.

request’s type is "image", and initiator is not "imageset".

request’s type is "video".

request’s type is "audio".

So what is wrong ?

Regards !

Xiaoming Ding

[PhistucK]

HTTPS (secure) cannot call HTTP (insecure). This is by design. However, this case is special, because localhost is considered secure even on HTTP... I am not sure about the right behavior here.

​

You can search crbug.com for an existing issue and star it. If you cannot find one, file a new issue using the "New issue" link on the same page.

Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment. It just wastes the time of Chrome engineers and sends unnecessary e-mails to all of the people who starred the issue.

You can reply with a link to the found or created issue and might get triaged (and fixed) faster.

Thank you.

​

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.