Open Bug 1915607 Opened 5 months ago Updated 2 months ago

Investigate wether propagating HTTPS-Only status flag into subresource loads is still nescessary

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

People

(Reporter: maltejur, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

We currently propagate the HTTPS-Only status flag in the loadinfo to all subresource loads to ensure the subresources are also exempt if the top-level load is exempt. But we also have logic separate from that here, serving the same purpose by checking if the triggering principal of a given request is exempt. So if the code copying over the HTTPS-Only status into subresource loads is removed, the behavior largely seems to be the same. I wonder if this could be a good opportunity to simplify the HTTPS-Only code a bit by removing that code.

The is only place where I currently still observe a difference when removing the propagation. Deeply nested iframes (so a iframe in another iframe) don't seem to be exempted when the top-level document is exempted. But that should be relatively easy to also fix, as I think it shouldn't be that hard to determine if the top-level document is exempt when needing to decide whether to upgrade the iframe.

I may also still be missing another fundamental reason why we copy the flag into subresource loads.

Assignee: nobody → maltejur
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Assignee: maltejur → nobody
Status: ASSIGNED → NEW
You need to log in before you can comment on or make changes to this bug.