Mixed Content: Implement strict mode.

https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode defines
strict mixed content checking, which allows authors to opt into stricter
mixed content checking with the following effects:

1. "Optionally-blockable" mixed content will be treated as "blockable"
   mixed content, meaning that mixed content of all types will be blocked
   by default.
2. Embedder notification is suppressed, meaning that users will not be
   offered the ability to choose to enable mixed content for a particular
   document, even if they really really want to (similar to HSTS's effect
   on TLS violations).

Together, this has the effect of allowing a site to avoid degraded security
UI, which removes some of the risk of migrating to HTTPS.

This patch lands the 'strict-mixed-content-checking' CSP directive behind
the experimental flag, as I suspect we'll bikeshed the name a bit before
shipping the spec.

BUG=442662
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=187241
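To make the two effects concrete, here is an added Python model of the decision (example code, not part of this Blink change): a subresource fetch is classified as not mixed content, optionally blockable or blockable, and strict mode, inherited from any ancestor document as the in-frame test exercises, turns the optionally blockable case into a block with no embedder notification. The Document class, check_fetch and the scheme sets are assumptions of the example.

```python
from typing import Optional, Tuple

# Resource categories from the Mixed Content spec: images, audio and video are
# "optionally blockable"; scripts, frames, fetches, etc. are "blockable".
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}
# Schemes whose fetches are not mixed content inside a secure document.
SECURE_SCHEMES = {"https", "wss", "data", "blob", "about"}


class Document:
    """Hypothetical stand-in for a Blink Document, not Blink's own class."""

    def __init__(self, url: str, strict: bool = False,
                 parent: Optional["Document"] = None) -> None:
        self.url = url
        self.strict = strict    # 'strict-mixed-content-checking' seen in this document's CSP
        self.parent = parent    # embedding document, if this one is a frame

    def ancestors_and_self(self):
        doc: Optional[Document] = self
        while doc is not None:
            yield doc
            doc = doc.parent

    def in_restricted_context(self) -> bool:
        # Mixed content checking applies once this or any ancestor document is secure.
        return any(scheme(d.url) in SECURE_SCHEMES for d in self.ancestors_and_self())

    def strict_mode_in_effect(self) -> bool:
        # Strict mode is inherited by nested documents (the in-frame test above).
        return any(d.strict for d in self.ancestors_and_self())


def scheme(url: str) -> str:
    return url.split(":", 1)[0].lower()


def check_fetch(doc: Document, resource_type: str, url: str) -> Tuple[bool, bool]:
    """Return (blocked, notify_embedder) for one subresource fetch from `doc`."""
    if not doc.in_restricted_context() or scheme(url) in SECURE_SCHEMES:
        return (False, False)     # not mixed content at all
    if doc.strict_mode_in_effect():
        return (True, False)      # effects 1 and 2: blocked, and no UI prompt to override
    if resource_type in OPTIONALLY_BLOCKABLE:
        return (False, True)      # loads, but the security UI is degraded
    return (True, True)           # blocked; the embedder may offer an override
```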
Stats: +134 lines, -8 lines

Files in this patch set (M = modified, A = added):

  M  LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html  (1 chunk, +2 lines, -0 lines)
  A  LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html  (1 chunk, +15 lines, -0 lines)
  A  LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https-expected.txt  (1 chunk, +4 lines, -0 lines)
  A  LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https.html  (1 chunk, +20 lines, -0 lines)
  A  LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt  (1 chunk, +4 lines, -0 lines)
  M  Source/core/dom/Document.cpp  (1 chunk, +2 lines, -0 lines)
  M  Source/core/dom/DocumentInit.h  (1 chunk, +1 line, -0 lines)
  M  Source/core/dom/DocumentInit.cpp  (1 chunk, +6 lines, -0 lines)
  M  Source/core/dom/ExecutionContext.h  (2 chunks, +5 lines, -0 lines)
  M  Source/core/dom/ExecutionContext.cpp  (1 chunk, +1 line, -0 lines)
  M  Source/core/frame/csp/CSPDirectiveList.h  (2 chunks, +3 lines, -0 lines)
  M  Source/core/frame/csp/CSPDirectiveList.cpp  (3 chunks, +19 lines, -0 lines)
  M  Source/core/frame/csp/ContentSecurityPolicy.h  (5 chunks, +8 lines, -1 line)
  M  Source/core/frame/csp/ContentSecurityPolicy.cpp  (8 chunks, +22 lines, -5 lines)
  M  Source/core/loader/FrameLoader.h  (1 chunk, +2 lines, -0 lines)
  M  Source/core/loader/FrameLoader.cpp  (1 chunk, +14 lines, -0 lines)
  M  Source/core/loader/MixedContentChecker.cpp  (2 chunks, +6 lines, -2 lines)

Total messages: 7 (3 generated)