Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(5)

Issue 1731103007: Apply strict blocking of active mixed content in HTTPS subframes only (Closed)

Created:
3 years, 2 months ago by estark
Modified:
3 years, 1 month ago
Reviewers:
palmer, Mike West
CC:
blink-reviews, chromium-reviews, gavinp+loader_chromium.org, Nate Chapin, loading-reviews_chromium.org, tyoshino+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Apply strict blocking of active mixed content in HTTPS subframes only As of https://codereview.chromium.org/1392993002, we started strictly blocking active mixed content loading inside subframes. However, this turned out to break a lot of sites. Many of the broken sites are secure sites framing insecure sites which load insecure subresources, and those insecure subresources are strictly blocked because they are considered mixed with respect to the top-level frame. The strict blocking doesn't add a lot of security benefit in this situation, so this CL only applies the strict iframe-subresource blocking when the subresource is mixed with respect to the frame that loads it. BUG=582603 Committed: https://crrev.com/f9aced4a99289d153e4536affaa36618bb23dbd8 Cr-Commit-Position: refs/heads/master@{#377921}

Patch Set 1 #

Total comments: 2

Messages

Total messages: 11 (3 generated)
estark
mkwst, palmer, seeking your opinion on whether this change is sensible... I've come to understand ...
3 years, 2 months ago (2016-02-26 01:17:59 UTC) #2
Mike West
On 2016/02/26 at 01:17:59, estark wrote: > mkwst, palmer, seeking your opinion on whether this ...
3 years, 2 months ago (2016-02-26 08:42:58 UTC) #3
Mike West
https://codereview.chromium.org/1731103007/diff/1/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt File third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt (right): https://codereview.chromium.org/1731103007/diff/1/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt#newcode1 third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt:1: CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html' was ...
3 years, 2 months ago (2016-02-26 08:43:02 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1731103007/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1731103007/1
3 years, 1 month ago (2016-02-26 18:00:45 UTC) #6
commit-bot: I haz the power
Committed patchset #1 (id:1)
3 years, 1 month ago (2016-02-26 18:11:45 UTC) #7
commit-bot: I haz the power
Patchset 1 (id:??) landed as https://crrev.com/f9aced4a99289d153e4536affaa36618bb23dbd8 Cr-Commit-Position: refs/heads/master@{#377921}
3 years, 1 month ago (2016-02-26 18:13:17 UTC) #9
palmer
Oops, it landed right as I was about to say LGTM. :)
3 years, 1 month ago (2016-02-26 18:15:07 UTC) #10
estark
3 years, 1 month ago (2016-02-26 18:18:26 UTC) #11
Message was sent while issue was closed.
On 2016/02/26 18:15:07, palmer wrote:
> Oops, it landed right as I was about to say LGTM. :)

Hehe, sorry about that... I was hoping to get it in for 50. Thanks!

Powered by Google App Engine
This is Rietveld 408576698