Stricter mixed content check for blob and filesystem URLs

Feature: Stricter mixed content check for blob and filesystem URLs

The Mixed Content specification describes how a user agent should handle fetching of unsecure content from a secure context. For that purpose, Chrome currently treats any blob: and filesystem: content as secure although the spec says their origin should be checked instead (i.e. blob://https://... is secure but blob://http://... is not). This change is about making the mixed content checker follow this stricter behavior.

Motivation

- Alignment with the specification - Stricter security

Specification

Editor's draft

Status in Chromium

Blink components: Blink>SecurityFeature>SecureContexts

No active development (tracking bug) in:

Chrome for desktop release 90
Chrome for Android release 90
Android WebView release 90

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: No signal
Edge: No signal
Safari: No signal
Web Developers: No signals

Owner

fwang@chromium.org

Last updated on 2021-04-30