So I looked a bit further into the clickjacking part, and I don't think there is any risk here, as:

- As previously mentioned, the exception will only be added for the https:// principal, effectively only exempting subresource loads on the page from HTTPS-Only, not the top-level host itself
- Mixed Content Level 2 should then handle these subresources instead, either by upgrading or blocking them, which is exactly the same behavior as HTTPS-Only

So this would only be a problem when mixed content level 2 is disabled. For that case I have set up a small testcase [here](https://a.httpsonly.polar.onl/iframe-tests/a.html) (also see the attached video), where the user could actually be tricked into allowing mixed passive content to load.

---

While writing that testcase, I also noticed two unrelated bugs, which I will file separately:

- Despite an HTTPS-Only exception being added for the top-level page, it is not showing up in the lock icon, only in the settings (you can also see this in the video).
- The mixed content blocking opt-out in the lock icon ("Disable protection for now") doesn't actually seem to do anything when mixed content lvl2 is enabled. At least passive mixed content will still either be upgraded or blocked.
Bug 1909396 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
So I looked a bit further into the clickjacking part, and I don't think there is any risk here, as:

- As previously mentioned, the exception will only be added for the https:// principal, effectively only exempting subresource loads on the page from HTTPS-Only, not the top-level host itself
- Mixed Content Level 2 should then handle these subresources instead, either by blocking or upgrading them, which is almost the same behavior as HTTPS-Only. The only difference is that active mixed content won't be upgraded anymore.

So this would only be a problem when mixed content level 2 is disabled. For that case I have set up a small testcase [here](https://a.httpsonly.polar.onl/iframe-tests/a.html) (also see the attached video), where the user could actually be tricked into allowing mixed passive content to load.

---

While writing that testcase, I also noticed two unrelated bugs, which I will file separately:

- Despite an HTTPS-Only exception being added for the top-level page, it is not showing up in the lock icon, only in the settings (you can also see this in the video).
- The mixed content blocking opt-out in the lock icon ("Disable protection for now") doesn't actually seem to do anything when mixed content lvl2 is enabled. At least passive mixed content will still either be upgraded or blocked.