iframe with http content in https page should only give a warning, not be blocked
Reported by teo8...@gmail.com, Jan 2 2017
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. visit an https://whatever.com page that contains an iframe with src="http://otherdomain.com"

What is the expected behavior?
The content should not be blocked; you should get just a warning in the console, and the grey "https" in the address bar (as opposed to the green "https" with a lock icon) to indicate mixed content, just like when you have images whose src is http.

What went wrong?
The content is blocked and not loaded at all, like with scripts.

Did this work before? N/A

Chrome version: 55.0.2883.87
Channel: stable
OS Version:
Flash Version: Shockwave Flash 24.0 r0

There is already a security model that sandboxes the content of an iframe and won't allow any active script in it to access whatever is outside it, right? So, unless that model is broken (which would be a separate issue), there shouldn't be any need to block the iframe content any more than an image, video, audio or (!!) <object>.
Jan 4 2017

Jan 9 2017
This is the model browsers have generally agreed upon, specified in https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object. I think if we're going to make changes to our mixed content blocking, we'd be making it stricter, rather than more lax.
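A simplified model of that spec's categorization, as an added example written for this thread (it is not code from the reporter, the commenter, or Chromium): it decides whether an https: page's subresource fetch is allowed, allowed with a warning, or blocked. Assumed simplifications: `destination` uses the Fetch spec destination names, only https: and wss: count as authenticated schemes (localhost and file: rules are left out), and the optionally-blockable set is image/audio/video.

```javascript
// Added example (not from this bug thread or Chromium): a simplified
// model of the W3C Mixed Content classification referenced in the
// comment above. For a subresource fetch it answers whether the
// browser allows it, allows it with a warning, or blocks it.
//
// Assumptions: `destination` uses Fetch spec destination names
// ("iframe", "image", "script", "object", ...); only https: and wss:
// are treated as authenticated (localhost/file: rules omitted); the
// optionally-blockable set is image/audio/video.

const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

function isAuthenticated(url) {
  const scheme = new URL(url).protocol;
  return scheme === "https:" || scheme === "wss:";
}

function classifyMixedContent(documentUrl, requestUrl, destination) {
  // A document that is not itself authenticated has no mixed content.
  if (!isAuthenticated(documentUrl)) return "allow";
  // An authenticated subresource inside an authenticated page is fine.
  if (isAuthenticated(requestUrl)) return "allow";
  // Mixed content. Images, audio and video are "optionally-blockable":
  // they load, but the page loses its secure UI indicator.
  if (OPTIONALLY_BLOCKABLE.has(destination)) return "warn";
  // Everything else, including frames, scripts and <object>, is
  // "blockable" and is never fetched.
  return "block";
}

// Constructed sample cases mirroring the report: an https page
// embedding an http iframe, compared with other destinations.
const SAMPLE_CASES = [
  ["https://whatever.com/", "http://otherdomain.com/", "iframe"],
  ["https://whatever.com/", "http://otherdomain.com/a.png", "image"],
  ["https://whatever.com/", "http://otherdomain.com/a.js", "script"],
  ["https://whatever.com/", "http://otherdomain.com/a.pdf", "object"],
  ["https://whatever.com/", "https://otherdomain.com/", "iframe"],
  ["http://whatever.com/", "http://otherdomain.com/", "iframe"],
];

function classifySamples() {
  return SAMPLE_CASES.map(([doc, req, dest]) =>
    `${dest} ${req} -> ${classifyMixedContent(doc, req, dest)}`);
}

for (const line of classifySamples()) console.log(line);
```

A page that wants its insecure frame URLs loaded can have them rewritten to https: before the fetch with the `upgrade-insecure-requests` Content-Security-Policy directive, which is the spec-sanctioned route rather than relaxing blocking.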
Comment 1 by kenrb@chromium.org, Jan 2 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Via-Wizard-Security Type-Bug