
Issue 785287


Issue metadata

Status: Fixed
Owner:
Buried. Ping if important.
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 3
Type: Bug

Blocking:
issue 388650



`prefetch` should be treated as blockable mixed content.

Project Member Reported by mkwst@chromium.org, Nov 15 2017

Issue description

Currently, Blink treats non-secure usage of `<link rel="prefetch">` as "optionally-blockable" content, similar to `<img>`. We'd like to align with Firefox's behavior, which blocks non-secure prefetch by default.

Spec: https://w3c.github.io/webappsec-mixed-content/#should-block-fetch

Bug against Resource Hints at https://github.com/w3c/resource-hints/issues/70.
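
Added example (not part of the original report and not Blink's code): a simplified JavaScript model of the reclassification described above, plus an audit helper that lists the `<link rel="prefetch">` hints on an HTTPS page that are blocked once prefetch is blockable. The function names, the `prefetchBlockable` and `strict` options, and the sample markup are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the Mixed Content
// "should block fetch" decision. Not Blink's implementation.
// Assumption: only https:/wss: count as secure here; the spec's full
// "a priori authenticated" check covers more cases.
const ALWAYS_OPTIONAL = ["image", "audio", "video"];

// prefetchBlockable=false models the old Blink classification,
// true models the behavior after this issue was fixed.
// strict models the page opting in to strict mixed content checking.
function decide(pageUrl, requestUrl, context,
                { prefetchBlockable = true, strict = false } = {}) {
  if (new URL(pageUrl).protocol !== "https:") return "allow";
  const target = new URL(requestUrl, pageUrl);
  if (target.protocol === "https:" || target.protocol === "wss:") return "allow";
  const optional = prefetchBlockable
    ? ALWAYS_OPTIONAL
    : ALWAYS_OPTIONAL.concat("prefetch");
  if (optional.includes(context) && !strict) return "allow-with-warning";
  return "block";
}

// Audit helper: list the prefetch hints in a page's markup that are now blocked.
// Regex parsing is a sketch for simple markup, not a full HTML parser.
function blockedPrefetches(html, pageUrl) {
  const blocked = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const rel = (tag.match(/\srel\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    const href = (tag.match(/\shref\s*=\s*["']([^"']*)["']/i) || [])[1];
    const isPrefetch = rel.toLowerCase().split(/\s+/).includes("prefetch");
    if (!href || !isPrefetch) continue;
    if (decide(pageUrl, href, "prefetch") === "block") {
      blocked.push(new URL(href, pageUrl).href);
    }
  }
  return blocked;
}

// Constructed sample markup for an HTTPS page.
const SAMPLE_HTML = `
<link rel="prefetch" href="http://cdn.example.test/next.js">
<link rel="prefetch" href="https://cdn.example.test/ok.js">
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<link rel="prefetch" href="/local.js">`;

console.log(blockedPrefetches(SAMPLE_HTML, "https://example.test/"));
```

Sites that still prefetch over `http://` from secure pages should move those hints to `https://` URLs, since the hint is otherwise dropped.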
 

Comment 1 by mkwst@chromium.org, Nov 15 2017

Blocking: 388650
Project Member

Comment 2 by bugdroid1@chromium.org, Nov 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f51545f74eba6bc1cc11a0a87453513c19b2c4a4

commit f51545f74eba6bc1cc11a0a87453513c19b2c4a4
Author: Mike West <mkwst@chromium.org>
Date: Mon Nov 20 07:28:01 2017

Treat prefetches as blockable mixed content.

This aligns Blink's behavior with Firefox and the Mixed Content spec,
and updates web platform tests accordingly.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/x0ROz-Io2bc/B9-sd6_dBwAJ

Bug:  785287 
Change-Id: Ic50a23419b95709bab0abd370df6c2e16c3bb7b7
Reviewed-on: https://chromium-review.googlesource.com/771192
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517773}
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[copy] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/keep-scheme-redirect/optionally-blockable/no-opt-in-allows.https.html
[copy] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/no-redirect/optionally-blockable/no-opt-in-allows.https.html
[copy] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/optionally-blockable/no-opt-in-allows.https.html
[modify] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec.src.json
[modify] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec_json.js
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
[modify] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/Source/platform/exported/WebMixedContent.cpp

Comment 4 by mkwst@chromium.org, Jan 22 2018

Status: Fixed (was: Started)
The CSP work is tracked in https://bugs.chromium.org/p/chromium/issues/detail?id=801561. The mixed content blocking is done.
