Index: third_party/WebKit/Source/core/loader/MixedContentChecker.cpp |
diff --git a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp |
index 7e93384f0b99cea593cc969970e56594e8cf159b..639a7fd273737b48434ac3b0496d3774e76f56d4 100644 |
--- a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp |
+++ b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp |
@@ -88,13 +88,14 @@ bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const K |
if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityOrigin->protocol())) |
return false; |
- // |url| is mixed content if its origin is not potentially trustworthy, and |
- // its protocol is not 'data'. We do a quick check against `SecurityOrigin::isSecure` |
- // to catch things like `about:blank`, which cannot be sanely passed into |
+ // |url| is mixed content if its origin is not potentially trustworthy nor |
+ // secure. We do a quick check against `SecurityOrigin::isSecure` to catch |
+ // things like `about:blank`, which cannot be sanely passed into |
// `SecurityOrigin::create` (as their origin depends on their context). |
- bool isAllowed = url.protocolIsData() || SecurityOrigin::isSecure(url) || SecurityOrigin::create(url)->isPotentiallyTrustworthy(); |
- // TODO(mkwst): Remove this once 'localhost' is no longer considered potentially trustworthy: |
- if (isAllowed && url.protocolIs("http") && url.host() == "localhost") |
+ bool isAllowed = SecurityOrigin::isSecure(url) || SecurityOrigin::create(url)->isPotentiallyTrustworthy(); |
+ // TODO(mkwst): Remove this once 'localhost' is no longer considered |
+ // potentially trustworthy. |
+ if (isAllowed && url.protocolIs("http") && NetworkUtils::isLocalHostname(url.host(), nullptr)) |
isAllowed = false; |
return !isAllowed; |
} |
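Review bot: The localhost override on the `if (isAllowed && url.protocolIs("http") && NetworkUtils::isLocalHostname(...))` line is narrower than the trust decision it is meant to undo: it fires only for the `http` scheme and only for hosts that `isLocalHostname` recognises, so a local host reached over another insecure scheme (for example `ws:`), or a loopback IP literal, keeps whatever `isPotentiallyTrustworthy()` returned. Whether those cases are actually treated as trustworthy is decided outside this hunk, so this may be intended, but the scope should be written down. I would add above the condition `// Only http://<local hostname> is demoted; other schemes and loopback IP literals keep the isPotentiallyTrustworthy() result.` and cover `data:`, `ws://localhost` and `http://127.0.0.1` in the mixed-content tests, because the explicit `url.protocolIsData()` exemption is also dropped here and `data:` URLs now depend entirely on the two remaining checks. The start of isMixedContent is outside the hunk.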