Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 464e3e51f7c8b5a6d8ce6f077d0455307cf5721d
      
https://github.com/WebKit/WebKit/commit/464e3e51f7c8b5a6d8ce6f077d0455307cf5721d
  Author: Matthew Finkel <m_fin...@apple.com>
  Date:   2024-04-18 (Thu, 18 Apr 2024)

  Changed paths:
    A LayoutTests/http/tests/security/mixedContent/insecure-localhost-image-in-main-frame-UpgradeMixedContent-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-localhost-image-in-main-frame-UpgradeMixedContent.html
    A LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-localhost-image.html
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h
    M Source/WebCore/loader/MixedContentChecker.cpp
    M Source/WebCore/page/SecurityOrigin.cpp
    M Source/WebCore/page/SecurityOrigin.h
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp

  Log Message:
  -----------
  Allow some access to localhost as mixed content
https://bugs.webkit.org/show_bug.cgi?id=272461
rdar://125851000

Reviewed by Alex Christensen.

Historically, WebKit has viewed localhost as insecure, but it allowed
unrestricted access to localhost. In 274409@main, I added support for Mixed
Content Level 2 where subresources are either upgraded from http: to https:, or
they are blocked. But we don't upgrade all subresources, we only upgrade a
subset of passive (image/video/audio) resources. If the resource fetch requires
CORS, then we block.

This change contains two fixes:

1) On iOS, continue using the previous mixed content behavior via a
Linked-On-Or-After check
2) Don't upgrade connections to localhost, but continue enforcing all other
requirements

I also renamed the testing preference that controls whether we upgrade IP
addresses so that it now covers upgrading localhost, as well. The console log
message is adjusted to reflect this change, too.

This change includes one additional test that loads mixed content from
localhost, and I manually verified that the LOOA check.

* LayoutTests/http/tests/security/mixedContent/insecure-localhost-image-in-main-frame-UpgradeMixedContent-expected.txt: Added.
* LayoutTests/http/tests/security/mixedContent/insecure-localhost-image-in-main-frame-UpgradeMixedContent.html: Added.
* LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-localhost-image.html: Added.
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h:
* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::logConsoleWarningForUpgrade):
(WebCore::isUpgradeMixedContentEnabled):
(WebCore::frameAndAncestorsCanDisplayInsecureContent):
(WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
(WebCore::MixedContentChecker::shouldUpgradeInsecureContent):
(WebCore::shouldBlockInsecureContent):
* Source/WebCore/page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::isLocalhostAddress):
(WebCore::SecurityOrigin::isLocalHostOrLoopbackIPAddress):
* Source/WebCore/page/SecurityOrigin.h:
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded const):

Canonical link: https://commits.webkit.org/277709@main
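As an added illustration of the policy the commit message describes (this is not WebKit's MixedContentChecker; the type and function names, the host matching rules, and the assumption that the CORS-block rule still applies to localhost under "all other requirements" are mine), a small C++ model of the decision for one subresource requested from an https main frame:

```cpp
// Added example: simplified model of the mixed-content decision described in
// 277709@main. Hypothetical names; not WebKit's code.
#include <cctype>
#include <string>
#include <string_view>

enum class ResourceKind { PassiveMedia, CorsRequired };   // image/video/audio vs. fetch needing CORS
enum class Decision { NotMixed, Upgrade, LoadAsIs, Block };

// Accept exactly four decimal octets with the first equal to 127 (127.0.0.0/8).
static bool isLoopbackIPv4(std::string_view host) {
    int octets = 0, value = 0;
    bool haveDigit = false;
    for (size_t i = 0; i <= host.size(); ++i) {
        if (i == host.size() || host[i] == '.') {
            if (!haveDigit || value > 255) return false;
            if (octets == 0 && value != 127) return false;
            ++octets; value = 0; haveDigit = false;
        } else if (std::isdigit(static_cast<unsigned char>(host[i]))) {
            value = value * 10 + (host[i] - '0'); haveDigit = true;
        } else {
            return false;   // letters or other characters: not a dotted quad
        }
    }
    return octets == 4;
}

// Hypothetical stand-in for isLocalHostOrLoopbackIPAddress: "localhost",
// "*.localhost", IPv4 loopback, and the IPv6 loopback literal.
bool isLocalhostOrLoopback(std::string_view host) {
    if (host == "localhost" || host == "::1" || host == "[::1]") return true;
    constexpr std::string_view suffix = ".localhost";
    if (host.size() > suffix.size() && host.substr(host.size() - suffix.size()) == suffix) return true;
    return isLoopbackIPv4(host);
}

struct Request { std::string scheme; std::string host; ResourceKind kind; };

// Decision for a subresource of an https main frame with upgrading enabled.
Decision decideForSecureMainFrame(const Request& r) {
    if (r.scheme == "https") return Decision::NotMixed;             // not mixed content at all
    if (r.kind == ResourceKind::CorsRequired) return Decision::Block; // CORS fetches are blocked, not upgraded
    if (isLocalhostOrLoopback(r.host)) return Decision::LoadAsIs;    // localhost: no http->https upgrade
    return Decision::Upgrade;                                        // passive media elsewhere is upgraded
}
```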

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes