Currently, Blink treats non-secure usage of `<link rel="prefetch">` as "optionally-blockable" content, similar to `<img>`. We'd like to align with Firefox's behavior, which blocks non-secure prefetch by default. Spec: https://w3c.github.io/webappsec-mixed-content/#should-block-fetch Bug against Resource Hints at https://github.com/w3c/resource-hints/issues/70.
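The rule described in the comment above, as an added example written for this page (it is not Blink's code and not the spec's own text): a simplified JavaScript model of the Mixed Content spec's "should fetching request be blocked as mixed content" check, parameterised on which destinations count as optionally-blockable so the pre-change behaviour (prefetch grouped with `<img>`) can be compared with the post-change behaviour (prefetch blockable). The scheme list in `isPotentiallyTrustworthyUrl` is abbreviated, and `checkMixedContent`, `prefetchBeforeAndAfter`, the legacy destination set and all URLs are constructed for the example.

```javascript
// Added example, not from the Chromium bug or the Mixed Content spec: a simplified
// model of "Should fetching request be blocked as mixed content?". The set of
// optionally-blockable destinations is a parameter so that Blink's behaviour before
// and after this bug's fix can be compared side by side.

// Schemes treated as "potentially trustworthy" here (the spec's list is longer; simplified).
const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:", "data:", "blob:", "about:", "file:"]);

function isPotentiallyTrustworthyUrl(urlString) {
  const url = new URL(urlString);
  if (TRUSTWORTHY_SCHEMES.has(url.protocol)) return true;
  // Loopback hosts are trustworthy regardless of scheme.
  return url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "[::1]";
}

// Spec behaviour after this change: only image, video and audio are optionally-blockable.
const OPTIONALLY_BLOCKABLE = new Set(["image", "video", "audio"]);
// Constructed for comparison: Blink's pre-change behaviour, where prefetch was treated like <img>.
const OPTIONALLY_BLOCKABLE_LEGACY_BLINK = new Set([...OPTIONALLY_BLOCKABLE, "prefetch"]);

/**
 * Classify one subresource request.
 * @param {object} req
 * @param {string} req.documentUrl   URL of the document issuing the request
 * @param {string} req.requestUrl    URL being fetched
 * @param {string} req.destination   fetch destination: "image", "script", "prefetch", ...
 * @param {boolean} [req.blockAllMixedContent]  page opted in via CSP block-all-mixed-content
 * @param {Set<string>} [optionallyBlockable]   destinations treated as optionally-blockable
 * @returns {{category: string, result: "allowed"|"blocked"}}
 */
function checkMixedContent(req, optionallyBlockable = OPTIONALLY_BLOCKABLE) {
  // Step 1: a trustworthy request URL is not mixed content at all.
  if (isPotentiallyTrustworthyUrl(req.requestUrl)) {
    return { category: "not-mixed", result: "allowed" };
  }
  // Step 2: a non-secure document does not restrict mixed security contexts.
  if (!isPotentiallyTrustworthyUrl(req.documentUrl)) {
    return { category: "not-mixed", result: "allowed" };
  }
  // Step 3: optionally-blockable content loads (with a UI warning) unless the page opted in to blocking.
  if (optionallyBlockable.has(req.destination)) {
    return { category: "optionally-blockable", result: req.blockAllMixedContent ? "blocked" : "allowed" };
  }
  // Step 4: everything else is blockable and is blocked.
  return { category: "blockable", result: "blocked" };
}

// Constructed request: an https document prefetching an http URL, evaluated under both rule sets.
function prefetchBeforeAndAfter() {
  const req = {
    documentUrl: "https://example.test/page",
    requestUrl: "http://cdn.example.test/next.html",
    destination: "prefetch",
  };
  return {
    before: checkMixedContent(req, OPTIONALLY_BLOCKABLE_LEGACY_BLINK),
    after: checkMixedContent(req),
  };
}

console.log(JSON.stringify(prefetchBeforeAndAfter(), null, 2));
```

Running the block shows the prefetch moving from `optionally-blockable`/`allowed` to `blockable`/`blocked`; an `<img>` from an http URL stays optionally-blockable and is only blocked when the page sends `block-all-mixed-content`, which is the opt-in the renamed WPT directories (`opt-in-blocks`, `no-opt-in-blocks`) exercise.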
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f51545f74eba6bc1cc11a0a87453513c19b2c4a4

commit f51545f74eba6bc1cc11a0a87453513c19b2c4a4
Author: Mike West <mkwst@chromium.org>
Date: Mon Nov 20 07:28:01 2017

Treat prefetches as blockable mixed content.

This aligns Blink's behavior with Firefox and the Mixed Content spec, and updates web platform tests accordingly.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/x0ROz-Io2bc/B9-sd6_dBwAJ
Bug: 785287
Change-Id: Ic50a23419b95709bab0abd370df6c2e16c3bb7b7
Reviewed-on: https://chromium-review.googlesource.com/771192
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517773}

[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[rename] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[copy] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/keep-scheme-redirect/optionally-blockable/no-opt-in-allows.https.html
[copy] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/no-redirect/optionally-blockable/no-opt-in-allows.https.html
[copy] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/external/wpt/mixed-content/link-prefetch-tag/no-opt-in/same-host-http/top-level/swap-scheme-redirect/optionally-blockable/no-opt-in-allows.https.html
[modify] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec.src.json
[modify] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec_json.js
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt
[delete] https://crrev.com/07308a5e0d199ac171c59fb5db5c23a940f797e3/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
[modify] https://crrev.com/f51545f74eba6bc1cc11a0a87453513c19b2c4a4/third_party/WebKit/Source/platform/exported/WebMixedContent.cpp
There is an attack example using prefetch; CSP ignored it: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5 (the "Suck it, CSPs" part: https://gist.github.com/davidgilbertson/132497d7e0a9a815b150e35d44660893#file-csp-bypass-js).
The CSP work is tracked in https://bugs.chromium.org/p/chromium/issues/detail?id=801561. The mixed content blocking is done.
Comment 1 by mkwst@chromium.org, Nov 15 2017