New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 664528 link

Starred by 2 users
Status: Fixed
Owner: ----
Closed: Feb 2017
Cc:
tkonch...@chromium.org
f...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression



Sign in to add a comment

FileReader inside data: iframe inside https is broken

Reported by d.huig...@gmail.com, Nov 11 2016 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Example URL:
https://jsbin.com/yeragog

Steps to reproduce the problem:
On a page on HTTPS,

1. Create an iframe with a Data URL. Inside that,
2. Get a File handle
3. Try to read it with FileReader

What is the expected behavior?
FileReader can read the File.

What went wrong?
A Mixed Content error is thrown.

The underlying cause, AFAIK, is that Object URLs inside Data URL contexts are always considered insecure, even if the Data URL context is considered secure (because it's inside HTTPS).

That is not new, but what is new is that FileReader apparently tries to use the Object URL of the File to read it, triggering the Mixed Content error.

Did this work before? Yes 53

Chrome version: 54.0.2840.71  Channel: n/a
OS Version: 
Flash Version: Shockwave Flash 23.0 r0

Comment 1 by rdsmith@chromium.org, Nov 11 2016

Cc: f...@chromium.org
Components: -Internals>Network Internals>Network>SSL
Labels: Team-Security-UX
Hmmm.  Interesting.  Throwing on a few relevant components and people in hopes that someone more wise in the ways of security restrictions than I can route this appropriately.

Comment 2 by mmenke@chromium.org, Nov 11 2016

Components: -Internals>Network>SSL Blink>SecurityFeature
Mixed content errors fall under SecurityFeature, I believe?

Comment 3 by est...@chromium.org, Nov 12 2016

Labels: -Team-Security-UX
[Enamel sheriffing] Removing Security>UX label since this is mixed content / Blink>SecurityFeature which doesn't really fall under Security>UX.

Comment 4 by tkonch...@chromium.org, Nov 15 2016

Cc: tkonch...@chromium.org
Labels: Needs-Feedback
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Linux chrome version 54.0.2840.100 and Beta 55.0.2883.44 - A Mixed Content error is thrown.

But the issue is not seen on latest dev 56.0.2914.3 and 56.0.2920.0 - FileReader read the File.

d.huigens@, seems the issue got fixed on later versions. Could you please check the issue on latest dev and update the thread

@dev, Please let me know if a reverse bisect is needed in this case

Comment 5 by d.huig...@gmail.com, Nov 16 2016 

Can confirm fixed in 56.

> The underlying cause, AFAIK, is that Object URLs inside Data URL contexts are always considered insecure

This is also fixed. Thanks!

Comment 6 by mkwst@chromium.org, Feb 23 2017

Status: Fixed (was: Untriaged)

Sign in to add a comment