The Mixed Content specification describes how a user agent should handle fetching of insecure content from a secure context. For that purpose, Chrome currently treats any blob: and filesystem: content as secure, although the spec says their origin should be checked instead (i.e. blob:https://... is secure but blob:http://... is not). This change is about making the mixed content checker follow this stricter behavior.
Interop: Currently browsers implement different rules, but in general they seem to agree about increasing security, so this is going in the right direction.
Compat: There is a possible regression since Chrome will now treat some pages like blob:http://... as insecure for the purpose of the mixed content check.
-- Frédéric Wang
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4dfdf5af-0fb7-bed8-b346-fabae6506a53%40google.com.
LGTM3
But please make a reasonable attempt at a WPT so that we ensure interoperability in the future.
/Daniel
This is simply a bug in our implementation, counter to the spec (and good sense!). I'd be comfortable shipping it as a bug fix. So, at least LGTM1. :)

I agree with both Domenic that we really do need WPT for this, and with Mike that `.tentative` is a reasonable way of supporting `filesystem:` tests in WPT (possibly with an `assert_implements_optional("webkitRequestFileSystem" in window)` gate).
-mike
--
On Mon, Feb 1, 2021 at 10:28 PM 'Mike Taylor' via blink-dev <blin...@chromium.org> wrote:
On 2/1/21 1:28 PM, Frédéric Wang wrote:
> The current CL (
> https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
> not have WPT tests, but yeah new one should probably be added. Note
> however that despite the fact that the filesystem: scheme is mentioned
> on the Secure Contexts spec, it's really a chrome-specific one and is
> not considered by the WHATWG's URL spec (
> https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
> really write a test for that one.
A ".tentative" test may be an option for the filesystem stuff:
<https://web-platform-tests.org/writing-tests/file-names.html>
Minor aside on this - we're not attempting to push for adoption of "filesystem:" URLs beyond Chrome, so consider landing those tests in third_party/blink/web_tests/wpt_internal/ instead. Tests should be written and executed in exactly the same way and could easily be upstreamed if our stance ever changes.
Thank you everybody. I'll look into how I can write a WPT test. I think I prefer the option of putting filesystem in wpt_internal, though.
-- Frédéric Wang
Hi,
I tried a WPT with an https page opening an (http or https) popup which in turn creates a blob. Then using the fetch API or a <script src> to request the blob URL gives the following errors:
CONSOLE ERROR: line 16: Fetch API cannot load blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113. URL scheme must be "http" or "https" for CORS request.
CONSOLE ERROR: line 29: Not allowed to load local resource: blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113
This seems to happen before the mixed content check, so it actually does not detect the behavior change of the CL. I'm not sure there is a way to play with the definitions of "potentially trustworthy origin" and "mixed content" to write a test that actually exhibits the behavior change, or whether the change is just not web-exposed. In any case, my CL now has an internal test for blob/filesystem and this wpt test for blob. In the end, I believe I'll skip the internal wpt test for filesystem given previous feedback that we don't plan to standardize this scheme.
-- Frédéric Wang
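As an added illustration (not code from the CL or from anyone in the thread), here is a small Node.js model of the check described in the first message and probed by the WPT attempt above: a blob: or filesystem: URL counts as secure only when the URL inside it has a potentially trustworthy origin, next to the pre-CL behavior of treating every blob:/filesystem: URL as secure. The filesystem: handling, the loopback-host rule and the omission of data:, about: and file: are simplifying assumptions of the model, not statements about Chrome's code.

```javascript
// Added model (not the CL's code): stricter mixed-content check for blob:/filesystem:
// URLs, runnable in Node.js >= 10 with the built-in WHATWG URL class.

// Resolve the URL whose origin a blob:/filesystem: URL inherits. Per the URL spec a
// blob: URL's origin is that of the URL in its path, and only an http(s) inner URL
// yields a real origin; anything else is opaque (null here). filesystem: is
// Chrome-specific and is ASSUMED to follow the same rule.
function originUrl(url) {
  if (url.protocol !== 'blob:' && url.protocol !== 'filesystem:') return url;
  let inner;
  try { inner = new URL(url.pathname); } catch (e) { return null; }
  return (inner.protocol === 'http:' || inner.protocol === 'https:') ? inner : null;
}

// Simplified "potentially trustworthy" check: https/wss or a loopback host.
// data:, about: and file: (which the spec also covers) are left out of this model.
function isPotentiallyTrustworthy(urlString, { legacyChrome = false } = {}) {
  const url = new URL(urlString);
  // Pre-CL Chrome: any blob:/filesystem: URL counted as secure, inner URL ignored.
  if (legacyChrome && (url.protocol === 'blob:' || url.protocol === 'filesystem:')) return true;
  const o = originUrl(url);
  if (o === null) return false; // opaque origin is never trustworthy
  if (o.protocol === 'https:' || o.protocol === 'wss:') return true;
  return ['localhost', '127.0.0.1', '[::1]'].includes(o.hostname);
}

// Mixed content: a secure document fetching a URL that is not potentially trustworthy.
// Insecure documents never have mixed content, whatever they fetch.
function isMixedContent(documentUrl, requestUrl, opts) {
  if (!isPotentiallyTrustworthy(documentUrl)) return false;
  return !isPotentiallyTrustworthy(requestUrl, opts);
}

// Constructed sample: an https test page, the blob URL quoted in the thread
// (created by an http popup), and its https counterpart.
const DOC = 'https://web-platform.test:8443/';
const BLOB_FROM_HTTP = 'blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113';
const BLOB_FROM_HTTPS = 'blob:https://web-platform.test:8443/818acb4f-1c92-4188-896d-bde429ccd113';

for (const req of [BLOB_FROM_HTTP, BLOB_FROM_HTTPS]) {
  console.log(req, '-> legacy Chrome mixed:', isMixedContent(DOC, req, { legacyChrome: true }),
              '| spec mixed:', isMixedContent(DOC, req));
}
```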