Stop blocking 'http://127.0.0.1/' as mixed content.

Currently, mixed content checks block http://127.0.0.1 from loading in a
page delivered over TLS. I'm (belatedly) coming around to the idea that
that restriction does more harm than good. In particular, I'll note that
folks are installing new trusted roots and self-signing certs for that
IP address, exposing themselves to additional risk for minimal benefit.
Helpful locally installed software is doing the same, with even more
associated risk.

This patch aligns our mixed content checks with the Secure Contexts
notion of "potentially trustworthy", allowing 'http://127.0.0.1'
accordingly.

BUG=607878
R=estark@chromium.org,rsleevi@chromium.org

Review-Url: https://codereview.chromium.org/1931063004
Cr-Commit-Position: refs/heads/master@{#401363}
diff --git a/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc b/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
index 8eb3ba3..ffcfc3b 100644
--- a/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
+++ b/chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc
@@ -341,12 +341,17 @@
   ASSERT_TRUE(embedded_test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
   SetUpMockCertVerifierForHttpsServer(0, net::OK);
+  host_resolver()->AddRule("example.test",
+                           https_server_.GetURL("/").host());
+
+  net::HostPortPair replacement_pair = embedded_test_server()->host_port_pair();
+  replacement_pair.set_host("example.test");
 
   // Navigate to an HTTPS page that displays mixed content.
   std::string replacement_path;
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_displays_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
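Review bot: The `example.test` rule added at the top of this hunk resolves to `https_server_.GetURL("/").host()`, but the port stored in `replacement_pair` comes from `embedded_test_server()`, so the insecure subresource only reaches the HTTP server if both servers listen on the same address. Taking the host from the same server as the port, `host_resolver()->AddRule("example.test", embedded_test_server()->host_port_pair().host());`, removes that assumption. The same five setup lines are repeated in the hunk at -436 of this file and at -1617 of ssl_browser_tests.cc. A shared helper would keep the three copies from drifting, and it could carry a comment such as `// Loopback HTTP is no longer treated as mixed content, so insecure subresources must use a non-loopback host name.` The enclosing test body starts and ends outside the hunk.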
@@ -358,7 +363,7 @@
   // Navigate to an HTTPS page that displays mixed content dynamically.
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_with_dynamic_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
@@ -381,7 +386,7 @@
   // Navigate to an HTTPS page that runs mixed content.
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_runs_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
@@ -394,7 +399,7 @@
   // Navigate to an HTTPS page that runs and displays mixed content.
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_runs_and_displays_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
@@ -436,11 +441,17 @@
   SetUpMockCertVerifierForHttpsServer(net::CERT_STATUS_SHA1_SIGNATURE_PRESENT,
                                       net::OK);
 
+  host_resolver()->AddRule("example.test",
+                           https_server_.GetURL("/").host());
+
+  net::HostPortPair replacement_pair = embedded_test_server()->host_port_pair();
+  replacement_pair.set_host("example.test");
+
   // Navigate to an HTTPS page that displays mixed content.
   std::string replacement_path;
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_displays_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
@@ -453,7 +464,7 @@
   // Navigate to an HTTPS page that displays mixed content dynamically.
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_with_dynamic_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
@@ -478,7 +489,7 @@
   // Navigate to an HTTPS page that runs mixed content.
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_runs_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
@@ -491,7 +502,7 @@
   // Navigate to an HTTPS page that runs and displays mixed content.
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_runs_and_displays_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(),
                                https_server_.GetURL(replacement_path));
   CheckSecurityInfoForSecure(
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 55a290c..298e804c 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -414,7 +414,7 @@
 
     base::StringPairs replacement_text_frame_left;
     replacement_text_frame_left.push_back(
-        make_pair("REPLACE_WITH_HTTP_PAGE", http_url.spec()));
+        make_pair("REPLACE_WITH_HTTP_PORT", http_url.port()));
     replacement_text_frame_left.push_back(
         make_pair("REPLACE_WITH_GOOD_HTTPS_PAGE", good_https_url.spec()));
     replacement_text_frame_left.push_back(
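Review bot: The `REPLACE_WITH_HTTP_PORT` substitution passes only `http_url.port()`, so the host and path of `http_url` are now ignored and frame_left.html hard-codes `http://example.test:…/ssl/google.html` instead. If `http_url` is ever pointed at a different page, the link will silently diverge from it. Consider deriving the path from `http_url.path()` as well, or add a comment beside the `make_pair` line stating that the HTML fixes the host and path. No `host_resolver()` rule for `example.test` is visible in this hunk, so confirm that every test using this frame set installs one; the enclosing function starts and ends outside the hunk.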
@@ -1617,10 +1617,16 @@
   ASSERT_TRUE(embedded_test_server()->Start());
   ASSERT_TRUE(https_server_.Start());
 
+  host_resolver()->AddRule("example.test",
+                           https_server_.GetURL("/").host());
+
+  net::HostPortPair replacement_pair = embedded_test_server()->host_port_pair();
+  replacement_pair.set_host("example.test");
+
   std::string replacement_path;
   GetFilePathWithHostAndPortReplacement(
       "/ssl/page_with_dynamic_insecure_content.html",
-      embedded_test_server()->host_port_pair(), &replacement_path);
+      replacement_pair, &replacement_path);
   ui_test_utils::NavigateToURL(browser(), https_server_.GetURL(
       replacement_path));
 
@@ -2119,7 +2125,7 @@
   CheckAuthenticationBrokenState(
       tab,
       CertError::NONE,
-      AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
+      AuthState::RAN_INSECURE_CONTENT);
 
   // Go back, our state should be unchanged.
   {
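Review bot: Both `CheckAuthenticationBrokenState` calls, here and in the following hunk at -2133, drop `AuthState::DISPLAYED_INSECURE_CONTENT` from the expected state without a comment saying why the page is no longer flagged as displaying insecure content. A loosened expectation in a security-state test deserves a one-line explanation, e.g. `// Only the script counts as mixed content here; <reason> means nothing is flagged as displayed.`, with the reason filled in by the author. Presumably this follows from the loopback change or from the new hosts in the test pages, but that cannot be confirmed from the visible lines.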
@@ -2133,7 +2139,7 @@
   CheckAuthenticationBrokenState(
       tab,
       CertError::NONE,
-      AuthState::DISPLAYED_INSECURE_CONTENT | AuthState::RAN_INSECURE_CONTENT);
+      AuthState::RAN_INSECURE_CONTENT);
 }
 
 // From a bad HTTPS top frame:
diff --git a/chrome/test/data/ssl/frame_left.html b/chrome/test/data/ssl/frame_left.html
index 61aab85..8ad23a3 100644
--- a/chrome/test/data/ssl/frame_left.html
+++ b/chrome/test/data/ssl/frame_left.html
@@ -2,6 +2,6 @@
 <body>
 <a id="goodHTTPSLink" href="REPLACE_WITH_GOOD_HTTPS_PAGE" TARGET="contentFrame">Good HTTPS page</a><br>
 <a id="badHTTPSLink" href="REPLACE_WITH_BAD_HTTPS_PAGE" TARGET="contentFrame">Bad HTTPS page</a><br>
-<a id="HTTPLink" href="REPLACE_WITH_HTTP_PAGE" TARGET="contentFrame">HTTP page</a><br>
+<a id="HTTPLink" href="http://example.test:REPLACE_WITH_HTTP_PORT/ssl/google.html" TARGET="contentFrame">HTTP page</a><br>
 </body>
 </html>
diff --git a/chrome/test/data/ssl/page_displays_insecure_content.html b/chrome/test/data/ssl/page_displays_insecure_content.html
index a4c8709..9b8d7841 100644
--- a/chrome/test/data/ssl/page_displays_insecure_content.html
+++ b/chrome/test/data/ssl/page_displays_insecure_content.html
@@ -9,7 +9,7 @@
 <body>
 This page contains an image which is served over an http connection,
 causing insecure content (when this page is loaded over https).<br>
-<img id="bad_image" src="http://REPLACE_WITH_HOST_AND_PORT/ssl/google_files/logo.gif"/>
+<img id="bad_image" src="http://does-not-exist.test/ssl/google_files/logo.gif"/>
 
 </body>
 </html>
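Review bot: The image URL is now the fixed host `does-not-exist.test`, so `REPLACE_WITH_HOST_AND_PORT` no longer appears in the visible part of this page, yet the browser tests still call `GetFilePathWithHostAndPortReplacement` on it with `replacement_pair`. Unless the placeholder survives elsewhere in the file, that replacement is now a no-op; the callers could say so or pass the plain path. The host name also suggests the request is never served, so these tests would exercise only detection of the insecure request. An HTML comment such as `<!-- Host is intentionally unresolvable: only the mixed-content check is exercised. -->` would record that. page_runs_insecure_content.html receives the same change and the same remark applies.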
diff --git a/chrome/test/data/ssl/page_runs_insecure_content.html b/chrome/test/data/ssl/page_runs_insecure_content.html
index 93b9abeec..32be097 100644
--- a/chrome/test/data/ssl/page_runs_insecure_content.html
+++ b/chrome/test/data/ssl/page_runs_insecure_content.html
@@ -3,6 +3,6 @@
 <body>
 This page contains an script which is served over an http connection,
 causing insecure content (when this page is loaded over https).<br>
-<script src="http://REPLACE_WITH_HOST_AND_PORT/ssl/randomize_hash.js"></script>
+<script src="http://does-not-exist.test/ssl/randomize_hash.js"></script>
 </body>
 </html>
diff --git a/third_party/WebKit/LayoutTests/http/tests/fetch/resources/fetch-test-helpers.js b/third_party/WebKit/LayoutTests/http/tests/fetch/resources/fetch-test-helpers.js
index 0fb8dd7..0d8426e 100644
--- a/third_party/WebKit/LayoutTests/http/tests/fetch/resources/fetch-test-helpers.js
+++ b/third_party/WebKit/LayoutTests/http/tests/fetch/resources/fetch-test-helpers.js
@@ -187,7 +187,7 @@
             return fetch(HTTPS_REDIRECT_URL +
                          encodeURIComponent(HTTPS_BASE_URL + 'test4-' + mode),
                          {mode: mode})
-              .then(function(res) {assert_equals(res.status, 200); },
+              .then(function(res) {assert_equals(res.status, mode == 'no-cors' ? 0 : 200); },
                     t.unreached_func('Test 4: Must success (' +
                                      mode + ', HTTPS->HTTPS->HTTPS)'));
           })
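Review bot: The new expectation `mode == 'no-cors' ? 0 : 200` keys the status on the request mode alone, but a status of 0 is what an opaque response reports, and that requires the URL to be cross-origin to the test page, not just `no-cors`. Adding `if (mode === 'no-cors') assert_equals(res.type, 'opaque');` would tie the zero status to the reason for it, so an unrelated failure cannot satisfy the check. Because this helper is shared, a caller whose `HTTPS_BASE_URL` is same-origin with the page would presumably see 200 in no-cors mode and fail here; a comment stating the cross-origin assumption would help. Strict equality (`===`) is also preferable in the comparison.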
diff --git a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content-nocors.js b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content-nocors.js
index 1ff8821..859f6352 100644
--- a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content-nocors.js
+++ b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content-nocors.js
@@ -4,16 +4,16 @@
 }
 
 var BASE_URL =
-  'http://127.0.0.1:8000/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
+  'http://example.test:8000/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
 var HTTPS_BASE_URL =
-  'https://127.0.0.1:8443/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
+  'https://example.test:8443/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
 var HTTPS_OTHER_BASE_URL =
   'https://localhost:8443/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
 
 var REDIRECT_URL =
-  'http://127.0.0.1:8000/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
+  'http://example.test:8000/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
 var HTTPS_REDIRECT_URL =
-  'https://127.0.0.1:8443/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
+  'https://example.test:8443/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
 var HTTPS_OTHER_REDIRECT_URL =
   'https://localhost:8443/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content.js b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content.js
index 40e1bdca..368138b 100644
--- a/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content.js
+++ b/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/block-mixed-content.js
@@ -4,14 +4,14 @@
 }
 
 var BASE_URL =
-  'http://127.0.0.1:8000/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
+  'http://example.test:8000/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
 var HTTPS_BASE_URL =
   'https://127.0.0.1:8443/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
 var HTTPS_OTHER_BASE_URL =
   'https://localhost:8443/serviceworker/resources/fetch-access-control.php?ACAOrigin=*&label=';
 
 var REDIRECT_URL =
-  'http://127.0.0.1:8000/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
+  'http://example.test:8000/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
 var HTTPS_REDIRECT_URL =
   'https://127.0.0.1:8443/serviceworker/resources/redirect.php?ACAOrigin=*&Redirect=';
 var HTTPS_OTHER_REDIRECT_URL =
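Review bot: `HTTPS_BASE_URL` and `HTTPS_REDIRECT_URL` stay on `https://127.0.0.1:8443` in this file, while block-mixed-content-nocors.js moves the same two constants to `https://example.test:8443` in this commit. The commit message only motivates moving the `http://` URLs off loopback, so the difference looks either accidental or undocumented. If the no-cors script needs cross-origin HTTPS URLs, a comment above its constants should say so; otherwise the two files should agree. The statement on the last line of this hunk continues outside it.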
diff --git a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-blockable-expected.txt b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-blockable-expected.txt
index 25e8d6cf..b31b6f4 100644
--- a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-blockable-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-blockable-expected.txt
@@ -1,7 +1,7 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/inspector-protocol/resources/active-mixed-content-iframe.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8000/inspector-protocol/resources/blank.js'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/inspector-protocol/resources/active-mixed-content-iframe.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8000/inspector-protocol/resources/blank.js'. This content should also be served over HTTPS.
 Tests that willSendRequest contains the correct mixed content status for active mixed content.
 
 Network agent enabled
 Mixed content type of https://127.0.0.1:8443/inspector-protocol/resources/active-mixed-content-iframe.html: none
-Mixed content type of http://127.0.0.1:8000/inspector-protocol/resources/blank.js: blockable
+Mixed content type of http://example.test:8000/inspector-protocol/resources/blank.js: blockable
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-optionally-blockable-expected.txt b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-optionally-blockable-expected.txt
index 8fc07b9..7015f6d 100644
--- a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-optionally-blockable-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/request-mixed-content-status-optionally-blockable-expected.txt
@@ -1,7 +1,7 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/inspector-protocol/resources/passive-mixed-content-iframe.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8000/resources/square.png'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/inspector-protocol/resources/passive-mixed-content-iframe.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8000/resources/square.png'. This content should also be served over HTTPS.
 Tests that willSendRequest contains the correct mixed content status for passive mixed content.
 
 Network agent enabled
 Mixed content type of https://127.0.0.1:8443/inspector-protocol/resources/passive-mixed-content-iframe.html: none
-Mixed content type of http://127.0.0.1:8000/resources/square.png: optionally-blockable
+Mixed content type of http://example.test:8000/resources/square.png: optionally-blockable
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/active-mixed-content-iframe.html b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/active-mixed-content-iframe.html
index 10adcdb..091b81ea 100644
--- a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/active-mixed-content-iframe.html
+++ b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/active-mixed-content-iframe.html
@@ -1 +1 @@
-<script src="http://127.0.0.1:8000/inspector-protocol/resources/blank.js"></script>
+<script src="http://example.test:8000/inspector-protocol/resources/blank.js"></script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/passive-mixed-content-iframe.html b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/passive-mixed-content-iframe.html
index f15fba9..cf1e7f9 100644
--- a/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/passive-mixed-content-iframe.html
+++ b/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/passive-mixed-content-iframe.html
@@ -1,7 +1,7 @@
 <script>
     window.onload = function() {
         var img = document.createElement('img');
-        img.src = 'http://127.0.0.1:8000/resources/square.png';
+        img.src = 'http://example.test:8000/resources/square.png';
         document.body.appendChild(img);
     }
 </script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https-expected.txt b/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https-expected.txt
index e2c6b6d..f97af10 100644
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https-expected.txt
@@ -1,10 +1,10 @@
-CONSOLE ERROR: line 1: Mixed Content: The page at 'https://127.0.0.1:8443/navigation/beacon-cross-origin.https.html' was loaded over HTTPS, but requested an insecure Beacon endpoint 'http://localhost:8000/navigation/resources/save-beacon.php?name=cross-origin'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: line 1: Mixed Content: The page at 'https://127.0.0.1:8443/navigation/beacon-cross-origin.https.html' was loaded over HTTPS, but requested an insecure Beacon endpoint 'http://example.test:8000/navigation/resources/save-beacon.php?name=cross-origin'. This request has been blocked; the content must be served over HTTPS.
 Verify navigator.sendBeacon() mixed content checking.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS navigator.sendBeacon("http://localhost:8000/navigation/resources/save-beacon.php?name=cross-origin", "CrossOrigin"); is false
+PASS navigator.sendBeacon("http://example.test:8000/navigation/resources/save-beacon.php?name=cross-origin", "CrossOrigin"); is false
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https.html b/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https.html
index 4902e09..86bc7bf9 100644
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https.html
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/beacon-cross-origin.https.html
@@ -13,7 +13,7 @@
         testRunner.waitUntilDone();
     }
 
-    shouldBeFalse('navigator.sendBeacon("http://localhost:8000/navigation/resources/save-beacon.php?name=cross-origin", "CrossOrigin");');
+    shouldBeFalse('navigator.sendBeacon("http://example.test:8000/navigation/resources/save-beacon.php?name=cross-origin", "CrossOrigin");');
     finishJSTest();
 }
 </script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/navigation/ping-cross-origin-from-https-expected.txt b/third_party/WebKit/LayoutTests/http/tests/navigation/ping-cross-origin-from-https-expected.txt
index 967f4da..fa52faf 100644
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/ping-cross-origin-from-https-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/ping-cross-origin-from-https-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: line 25: Mixed Content: The page at 'https://127.0.0.1:8443/navigation/resources/ping-cross-origin-from-https-target.html' was loaded over HTTPS, but requested an insecure hyperlink auditing endpoint 'http://localhost:8000/navigation/resources/save-Ping.php?test=cross-origin-from-https'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: line 25: Mixed Content: The page at 'https://127.0.0.1:8443/navigation/resources/ping-cross-origin-from-https-target.html' was loaded over HTTPS, but requested an insecure hyperlink auditing endpoint 'http://example.test:8000/navigation/resources/save-Ping.php?test=cross-origin-from-https'. This request has been blocked; the content must be served over HTTPS.
 This page calls testRunner.notifyDone().
diff --git a/third_party/WebKit/LayoutTests/http/tests/navigation/resources/ping-cross-origin-from-https-target.html b/third_party/WebKit/LayoutTests/http/tests/navigation/resources/ping-cross-origin-from-https-target.html
index 83f5cf3..2a0c27fb 100644
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/resources/ping-cross-origin-from-https-target.html
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/resources/ping-cross-origin-from-https-target.html
@@ -30,5 +30,5 @@
 </head>
 <body onload="test();">
 <img src="resources/delete-ping.php?test=cross-origin-from-https" onload="test();" onerror="test();"></img>
-<a id="a" href="/navigation/resources/notify-done.html" ping="http://localhost:8000/navigation/resources/save-Ping.php?test=cross-origin-from-https">Navigate and send ping</a>
+<a id="a" href="/navigation/resources/notify-done.html" ping="http://example.test:8000/navigation/resources/save-Ping.php?test=cross-origin-from-https">Navigate and send ping</a>
 </body></html>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt
deleted file mode 100644
index 35d72ae1..0000000
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https-expected.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8000/security/mixedContent/resources/frame-loads-insecure-script.html'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8000/security/mixedContent/resources/script-post-message.js'. This content should also be served over HTTPS.
-This is a testharness.js-based test.
-PASS Testing an insecure script in a mixed iframe 
-Harness: the test ran to completion.
-
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html
index 4e77901..88ab6b91 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-http-iframe-not-blocked.https.html
@@ -20,6 +20,6 @@
 </head>
 <body>
     <p>This test passes if the active subresource in the frame below is allowed.</p>
-    <iframe src="http://127.0.0.1:8000/security/mixedContent/resources/frame-loads-insecure-script.html"></iframe>
+    <iframe src="http://example.test:8000/security/mixedContent/resources/frame-loads-insecure-script.html"></iframe>
 </body>
 </html>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-iframe-blocked.https-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-iframe-blocked.https-expected.txt
index 109e3adc..2de3301 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-iframe-blocked.https-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/active-subresource-in-iframe-blocked.https-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE ERROR: line 4: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/active-subresource-in-iframe-blocked.https.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://127.0.0.1:8080/security/mixedContent/resources/style.css'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: line 4: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/active-subresource-in-iframe-blocked.https.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://example.test:8080/security/mixedContent/resources/style.css'. This request has been blocked; the content must be served over HTTPS.
 This test passes if the active subresource in the frame below is blocked.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-async-post-xhr-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-async-post-xhr-blocked-expected.txt
index fee78a7..cdcb3b0 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-async-post-xhr-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-async-post-xhr-blocked-expected.txt
@@ -1,5 +1,5 @@
-CONSOLE ERROR: line 14: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*'. This request has been blocked; the content must be served over HTTPS.
-CONSOLE ERROR: line 14: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*. Failed to start loading.
+CONSOLE ERROR: line 14: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: line 14: XMLHttpRequest cannot load http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*. Failed to start loading.
 This is a testharness.js-based test.
 PASS Opens an HTTPS window that loads insecure data via XHR. We should trigger a mixed content callback and block the load. 
 Harness: the test ran to completion.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt
index 142bb10..c0c088a8 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-audio-video-in-main-frame-expected.txt
@@ -1,3 +1,3 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-audio-video.html' was loaded over HTTPS, but requested an insecure video 'http://127.0.0.1:8080/resources/test.mp4'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-audio-video.html' was loaded over HTTPS, but requested an insecure video 'http://127.0.0.1:8080/resources/test.mp4'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-audio-video.html' was loaded over HTTPS, but requested an insecure video 'http://example.test:8080/resources/test.mp4'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-audio-video.html' was loaded over HTTPS, but requested an insecure video 'http://example.test:8080/resources/test.mp4'. This content should also be served over HTTPS.
 This test opens a window that loads insecure HTML5 audio and video. We should trigger a mixed content callback because the main frame in the window is HTTPS but is displaying insecure content.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-image-with-reload-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-image-with-reload-expected.txt
index 38d63e8e..607bd51 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-image-with-reload-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-image-with-reload-expected.txt
@@ -1,5 +1,5 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-subframe-and-reload.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-subframe-and-reload.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 CONSOLE MESSAGE: line 12: Reloading...
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-subframe-and-reload.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-subframe-and-reload.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 CONSOLE MESSAGE: line 17: Second load finished.
 This test opens a window that loads a frame with a subframe which contains insecure css image. The subframe is refreshed after it loads. We should trigger a mixed content callback twice despite the fact that on a second load of the subframe a css cache might be used to fetch an image.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt
index d571547e..6e4ea32 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: line 4: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://127.0.0.1:8080/security/mixedContent/resources/style.css'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 4: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://example.test:8080/security/mixedContent/resources/style.css'. This content should also be served over HTTPS.
 This test loads a secure iframe that loads an insecure style sheet. We should trigger a mixed content callback because an active network attacker can use CSS3 to breach the confidentiality of the HTTPS security origin.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt
index db62132..31f63eaa 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 4: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://127.0.0.1:8080/security/mixedContent/resources/style.css'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 4: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://example.test:8080/security/mixedContent/resources/style.css'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure style sheet. We should trigger a mixed content callback because the main frame in the window is HTTPS but is running insecure content.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt
index 5e06e6d..46f7b82 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure font 'http://127.0.0.1:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/resources/square20.png'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure font 'http://127.0.0.1:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/resources/square20.png'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
 This test opens a window that loads a style sheet which fetches an insecure background image and an insecure web font. We should trigger a mixed content callback because the main frame in the window is HTTPS but is running insecure content.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-empty-srcset-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-empty-srcset-in-main-frame-blocked-expected.txt
index 0fbe493..5dd36fc3 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-empty-srcset-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-empty-srcset-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-empty-srcset.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-empty-srcset.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure image with a srcset attribute.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-eventsource-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-eventsource-in-main-frame-expected.txt
index 4807960..2ae9adb 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-eventsource-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-eventsource-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-eventsource.html' was loaded over HTTPS, but requested an insecure EventSource endpoint 'http://127.0.0.1:8000/security/mixedContent/resources/simple-event-stream.pl'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-eventsource.html' was loaded over HTTPS, but requested an insecure EventSource endpoint 'http://example.test:8000/security/mixedContent/resources/simple-event-stream.pl'. This content should also be served over HTTPS.
 This test opens a HTTPS window that loads insecure data via EventSource. We should trigger a mixed content callback because the main frame in the window is HTTPS but now has insecure data.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt
index 2207846..026fe68 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt
@@ -1,3 +1,3 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-font.html' was loaded over HTTPS, but requested an insecure font 'http://127.0.0.1:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-font.html' was loaded over HTTPS, but requested an insecure font 'http://127.0.0.1:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-font.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-font.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure font. We should trigger a mixed content callback because the main frame in the window is HTTPS but is displaying insecure content.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt
index f1307f4b..627dc41d 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-allowed-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 2: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://127.0.0.1:8080/security/resources/boring.html'. This endpoint should be made available over a secure connection.
+CONSOLE WARNING: line 2: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://example.test:8080/security/resources/boring.html'. This endpoint should be made available over a secure connection.
 This test opens a window that shows a form with "action" pointing to insecure location. We should trigger a mixed content callback even though we've set the preference to block this, because we've overriden the preferences via a web permission client callback.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt
index f53b9d41..31242dc8 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 2: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://127.0.0.1:8080/security/resources/boring.html'. This endpoint should be made available over a secure connection.
+CONSOLE WARNING: line 2: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://example.test:8080/security/resources/boring.html'. This endpoint should be made available over a secure connection.
 This test opens a window that shows a form with "action" pointing to an insecure location. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and the form is pointing to insecure content, because we've set the preference to block this.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt
index 2281780..beec0170 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-formSubmission-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 2: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://127.0.0.1:8080/security/resources/boring.html'. This endpoint should be made available over a secure connection.
+CONSOLE WARNING: line 2: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-formSubmission.html' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://example.test:8080/security/resources/boring.html'. This endpoint should be made available over a secure connection.
 This test opens a window that shows a form with "action" pointing to an insecure location. We should trigger a mixed content callback because the main frame in the window is HTTPS but is posting to insecure location.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-frame-in-data-iframe-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-frame-in-data-iframe-in-main-frame-blocked-expected.txt
index bf3d5473..69d77a50 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-frame-in-data-iframe-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-frame-in-data-iframe-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/mixedContent/resources/boring.html'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/mixedContent/resources/boring.html'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads a data: iframe that loads an insecure frame, and that the frame is still blocked.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
index c4d88439..b25b58e 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
 This test loads a secure iframe that loads an insecure iframe. We should get a mixed content callback becase the child frame is HTTPS.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-allowed-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-allowed-expected.txt
index 55e67f1..19ff66ea 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-allowed-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-allowed-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-iframe.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-iframe.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure iframe. We should trigger a mixed content callback even though we've set the preference to block this, because we've overriden the preference via a web permission client callback.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-blocked-expected.txt
index 2d38a9b5..fbb8e76aa 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-iframe.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/mixedContent/resources/boring.html'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-iframe.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/mixedContent/resources/boring.html'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads an insecure iframe. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and is displaying insecure content, because we've set the preference to block this.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
index b270262..246c15c2 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure iframe. We should trigger a mixed content callback because the main frame in the window is HTTPS but is running insecure content.
 
 ============== Back Forward List ==============
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
index 773cf06..a16488cd 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: line 9: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 9: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 This test loads a secure iframe that loads an insecure image. We should get a mixed content callback becase the frame is HTTPS and the image is not.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-allowed-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-allowed-expected.txt
index fa612037..6da067d 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-allowed-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-allowed-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 9: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 9: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure image. We should trigger a mixed content callback even though we've set the preference to block this, because we've overriden the preference via a web permission client callback.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-blocked-expected.txt
index bbc1131..3aee773 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads an insecure image. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and is displaying insecure content, because we've set the preference to block this.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt
index e7b608a..ded4259 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-image-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 9: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 9: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure image. We should trigger a mixed content callback because the main frame in the window is HTTPS but is displaying insecure content.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-localhost-allowed.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-localhost-allowed.https.html
new file mode 100644
index 0000000..82e002b
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-localhost-allowed.https.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+    if (window.testRunner)
+        testRunner.overridePreference("WebKitAllowRunningInsecureContent", false);
+
+    async_test(t => {
+        fetch("http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*", {method: "POST"})
+            .then(t.step_func(r => r.json()))
+            .then(t.step_func_done(j => assert_equals("127.0.0.1:8000", j.host)))
+            .catch(t.unreached_func("Fetch should not be blocked."));
+    }, "Fetching 'http://127.0.0.1/' should not be blocked.");
+
+    async_test(t => {
+        fetch("http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*", {method: "POST"})
+            .then(t.unreached_func("Fetch should be blocked."))
+            .catch(t.step_func_done(e => assert_equals(e.message, "Failed to fetch")));
+    }, "Fetching 'http://example.test/' should be blocked.");
+    </script>
+</body>
+</html>
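Review bot: The second async_test in this new file accepts any rejected fetch as proof of blocking. `assert_equals(e.message, "Failed to fetch")` also passes when `example.test` fails to resolve or nothing is listening on port 8000, so a broken test server would look the same as a working mixed-content check. A comment such as `// "Failed to fetch" is also what a resolve or connect failure produces; reachability of example.test:8000 is assumed here, not checked.` would make that limit explicit. In the first test the arguments are reversed relative to the second; `assert_equals(j.host, "127.0.0.1:8000")` matches testharness's actual-then-expected order. Only the literal `127.0.0.1` is exercised, so if the potentially-trustworthy check admits other loopback forms, this file leaves them untested.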
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-picture-in-main-frame-blocked.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-picture-in-main-frame-blocked.https.html
index 14fd148..cd8b644 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-picture-in-main-frame-blocked.https.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-picture-in-main-frame-blocked.https.html
@@ -26,7 +26,7 @@
         }));
 
         document.querySelector('picture').appendChild(img);
-        img.src = "http://127.0.0.1:8080/security/resources/compass.jpg";
+        img.src = "http://example.test:8080/security/resources/compass.jpg";
     });
     </script>
 </body>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-plugin-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-plugin-in-iframe-expected.txt
index 26fe4cc..a2b383fb 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-plugin-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-plugin-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: line 10: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-plugin.html' was loaded over HTTPS, but requested an insecure plugin resource 'http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 10: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-plugin.html' was loaded over HTTPS, but requested an insecure plugin resource 'http://example.test:8000/security/mixedContent/resources/dummy.swf'. This content should also be served over HTTPS.
 CONSOLE MESSAGE: Blink Test Plugin: initializing
 This test loads a secure iframe that loads an insecure plugin. We should get a mixed content callback because the insecure plugin can script the secure origin.
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt
index 348430e4..e73f7fd 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: line 8: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/insecure-prefetch-in-main-frame.html' was loaded over HTTPS, but requested an insecure prefetch resource 'http://127.0.0.1:8080/resources/square.png'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 8: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/insecure-prefetch-in-main-frame.html' was loaded over HTTPS, but requested an insecure prefetch resource 'http://example.test:8080/resources/square.png'. This content should also be served over HTTPS.
 Prefetching from insecure source must trigger a mixed content callback.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
index 3fe7b97..691c8c1c 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
@@ -5,7 +5,7 @@
 Prefetching from insecure source must trigger a mixed content callback.
 </p>
 
-<link rel="prefetch" href="http://127.0.0.1:8080/resources/square.png"  onload="prefetch_onload()" />
+<link rel="prefetch" href="http://example.test:8080/resources/square.png"  onload="prefetch_onload()" />
 
 <script>
 if (location.protocol != 'https:')
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
index 61dcf77b..0108e03 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-script.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8080/security/mixedContent/resources/script.js'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-script.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8080/security/mixedContent/resources/script.js'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads a data: iframe that loads an insecure script, and that the script is still blocked. Although the data: frame has a separate origin, the script can still navigate top.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt
index 61555b22..29022f1 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8080/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8080/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
 This test loads a secure iframe that loads an insecure script. We should trigger a mixed content callback even though the main frame is HTTP because the HTTPS frame's origin is contaminated with an insecure script.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-allowed-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-allowed-expected.txt
index 875d31f..2e0aed4 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-allowed-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-allowed-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8080/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8080/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure script. We should trigger a mixed content callback even though we've set the preference to block this, because we've overriden the preference via a web permission client callback.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-blocked-expected.txt
index cc00495..ddde79c 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8080/security/mixedContent/resources/script.js'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8080/security/mixedContent/resources/script.js'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads an insecure script. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and is running insecure scripts, because we've set the preference to block this.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-through-redirection-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-through-redirection-expected.txt
index bf47133..ef7462c0 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-through-redirection-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-script-through-redirection-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8000/security/mixedContent/resources/script.js'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8000/security/mixedContent/resources/script.js'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads an insecure script through redirection. We should block it.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-srcset-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-srcset-in-main-frame-blocked-expected.txt
index 57ba5cd..74ff6d0 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-srcset-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-srcset-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-srcset.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-srcset.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure image with a srcset attribute.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-allowed-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-allowed-expected.txt
index 0a3e0cb..1993cfe 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-allowed-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-allowed-expected.txt
@@ -1,6 +1,6 @@
 ALERT: Executing script in the child window.
 CONSOLE WARNING: line 4: Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
 ALERT: XHR POST opened.
-CONSOLE WARNING: line 7: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type'. This content should also be served over HTTPS.
+CONSOLE WARNING: line 7: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type'. This content should also be served over HTTPS.
 ALERT: XHR POST sent.
 This test opens a HTTPS window that loads insecure data via XHR. We should trigger a mixed content callback because the main frame in the window is HTTPS but now has insecure data.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-blocked-expected.txt
index 79f509b..f71ee1f01 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-sync-post-xhr-blocked-expected.txt
@@ -1,6 +1,6 @@
 ALERT: Executing script in the child window.
 CONSOLE WARNING: line 4: Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
 ALERT: XHR POST opened.
-CONSOLE ERROR: line 7: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type'. This request has been blocked; the content must be served over HTTPS.
-ALERT: exception! NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://localhost:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type'.
+CONSOLE ERROR: line 7: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type'. This request has been blocked; the content must be served over HTTPS.
+ALERT: exception! NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type'.
 This test opens a HTTPS window that loads insecure data via XHR. We should trigger a mixed content callback and block the load.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-texttrack-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-texttrack-in-main-frame-blocked-expected.txt
index 7e1743d..8ae98aa 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-texttrack-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-texttrack-in-main-frame-blocked-expected.txt
@@ -1,3 +1,3 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-texttrack.html' was loaded over HTTPS, but requested an insecure Text Track 'http://localhost:8000/security/resources/captions-with-access-control-headers.php?origin=1'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-texttrack.html' was loaded over HTTPS, but requested an insecure Text Track 'http://example.test:8000/security/resources/captions-with-access-control-headers.php?origin=1'. This request has been blocked; the content must be served over HTTPS.
 ALERT: Failed to load.
 This test opens a window that loads an insecure track. We should trigger a mixed content callback as the main frame in the window is HTTPS and is running insecure track.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt
deleted file mode 100644
index 2a742da..0000000
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame-expected.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-CONSOLE WARNING: line 26: Mixed Content: The page at 'https://127.0.0.1:8443/xmlhttprequest/access-control-response-with-body.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost:8000/xmlhttprequest/resources/access-control-allow-with-body.php'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/xmlhttprequest/access-control-response-with-body.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost:8000/xmlhttprequest/resources/access-control-allow-with-body.php'. This content should also be served over HTTPS.
-This test opens a HTTPS window that loads insecure data via XHR. We should trigger a mixed content callback because the main frame in the window is HTTPS but now has insecure data.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html
deleted file mode 100644
index be882fcc..0000000
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<html>
-<body>
-<script>
-if (window.testRunner) {
-    testRunner.waitUntilDone();
-    testRunner.dumpAsText();
-    testRunner.setCanOpenWindows();
-    testRunner.setCloseRemainingWindowsWhenComplete(true);
-    testRunner.overridePreference("WebKitAllowRunningInsecureContent", true);
-}
-
-window.addEventListener("message", function (e) {
-    if (window.testRunner)
-        testRunner.notifyDone();
-}, false);
-
-</script>
-<p>This test opens a HTTPS window that loads insecure data via XHR.  We should
-trigger a mixed content callback because the main frame in the window is HTTPS but
-now has insecure data.</p>
-<script>
-window.open("https://127.0.0.1:8443/xmlhttprequest/access-control-response-with-body.html");
-</script>
-</body>
-</html>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.https.html
new file mode 100644
index 0000000..407cd61
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-xhr-in-main-frame.https.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+        if (window.testRunner)
+            testRunner.overridePreference("WebKitAllowRunningInsecureContent", false);
+
+        async_test(t => {
+            var xhr = new XMLHttpRequest();
+            xhr.onload = t.unreached_func("XHR should be blocked.");
+            xhr.onerror = t.step_func_done(e => assert_equals(e.total, 0));
+            
+            xhr.open("GET", "http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*");
+            xhr.send(null);
+        }, "XHR to http://example.test:8000/ should be blocked.");
+    </script>
+</body>
+</html>
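Review bot: The `xhr.onerror` handler in the new `async_test` asserts only `e.total == 0`, which any failed request satisfies, so the test also passes if `example.test` fails to resolve or nothing is listening on port 8000. It therefore does not show that the mixed-content check is what stopped the load. A same-page control request to the loopback address would prove the server is reachable and would pin the behaviour this commit introduces. That assumes loopback is meant to load even with `WebKitAllowRunningInsecureContent` set to false; such a test may already exist in a part of the commit outside this view. The deleted predecessor ran with that preference set to true and expected a warning, so the allowed-by-preference XHR path appears to lose coverage in this file.

```html
        // ... unchanged: blocked-XHR async_test for http://example.test:8000/ ...

        async_test(t => {
            var xhr = new XMLHttpRequest();
            // Control: same server and resource via loopback, which is not
            // treated as mixed content after this change.
            xhr.onload = t.step_func_done();
            xhr.onerror = t.unreached_func("XHR to loopback should not be blocked.");

            xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*");
            xhr.send(null);
        }, "XHR to http://127.0.0.1:8000/ should be allowed.");
```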
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/preload-insecure-image-in-main-frame-blocked-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/preload-insecure-image-in-main-frame-blocked-expected.txt
index 727ed3a6..e3b5ad5 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/preload-insecure-image-in-main-frame-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/preload-insecure-image-in-main-frame-blocked-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE ERROR: line 8: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-preloads-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: line 8: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-preloads-insecure-image.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
 This test opens a window that loads an insecure image. We should not trigger a mixed content callback even though the main frame in the window is HTTPS and is displaying insecure content, because we've set the preference to block this.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
index f7a3beb0..c3a867b 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure iframe (via a tricky redirect). We should trigger a mixed content callback because the main frame in the window is HTTPS but is running content that can be controlled by an active network attacker.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt
index 7cec3263..180d89b 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-http-to-https-script-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
 This test loads a secure iframe that loads an insecure script (but with a tricky redirect). We should trigger a mixed content callback because an active network attacker could have redirected the script load to https://attacker.com.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
index f7a3beb0..c3a867b 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
@@ -1,2 +1,2 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html' was loaded over HTTPS, but requested an insecure resource 'http://example.test:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/boring.html'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure iframe (via a tricky redirect). We should trigger a mixed content callback because the main frame in the window is HTTPS but is running content that can be controlled by an active network attacker.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt
index 3ebdc43..9724502 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/redirect-https-to-http-script-in-iframe-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html' was loaded over HTTPS, but requested an insecure script 'http://127.0.0.1:8080/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
+CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html' was loaded over HTTPS, but requested an insecure script 'http://example.test:8080/security/mixedContent/resources/script.js'. This content should also be served over HTTPS.
 This test loads a secure iframe that loads an insecure script (but with a tricky redirect). We should trigger a mixed content callback because an active network attacker can end up controling the script.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-image.css b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-image.css
index b734759..673f51f 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-image.css
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-image.css
@@ -1,3 +1,3 @@
 #insecure-css-img {
-    content: url("http://127.0.0.1:8080/security/resources/compass.jpg");
+    content: url("http://example.test:8080/security/resources/compass.jpg");
 }
\ No newline at end of file
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-resources.css b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-resources.css
index f76b24a4..a410502 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-resources.css
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/fetch-insecure-css-resources.css
@@ -1,9 +1,9 @@
 @font-face {
     font-family: ahem;
-    src: url(http://127.0.0.1:8080/css/resources/cors-ahem.php);
+    src: url(http://example.test:8080/css/resources/cors-ahem.php);
 }
 
 html {
     font-family: ahem;
-    background-image: url(http://127.0.0.1:8080/resources/square20.png);
+    background-image: url(http://example.test:8080/resources/square20.png);
 }
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-preloads-insecure-image.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-preloads-insecure-image.html
index 648dd7a..0acab9c 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-preloads-insecure-image.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-preloads-insecure-image.html
@@ -1,5 +1,5 @@
 <script src="https://127.0.0.1:8080/resources/slow-script.pl?delay=3000"></script>
-<img src="http://127.0.0.1:8080/security/resources/compass.jpg">
+<img src="http://example.test:8080/security/resources/compass.jpg">
 <script>
 window.onload = function() {
     if (window.opener)
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html
index 4cf4380..c26760a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-frame.html
@@ -4,4 +4,4 @@
     window.opener.postMessage('done', '*');
 }
 </script>
-<iframe onload="frameLoaded()" src="data:text/html,<html><iframe src='http://127.0.0.1:8080/security/mixedContent/resources/boring.html'></iframe></html>"></iframe>
+<iframe onload="frameLoaded()" src="data:text/html,<html><iframe src='http://example.test:8080/security/mixedContent/resources/boring.html'></iframe></html>"></iframe>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html
index f59a430..f059527 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html
@@ -4,4 +4,4 @@
     window.opener.postMessage('done', '*');
 }
 </script>
-<iframe onload="frameLoaded()" src="data:text/html,<html><script src='http://127.0.0.1:8080/security/mixedContent/resources/script.js'></script></html>"></iframe>
+<iframe onload="frameLoaded()" src="data:text/html,<html><script src='http://example.test:8080/security/mixedContent/resources/script.js'></script></html>"></iframe>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html
index a465b94..e16db5d 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-async-xhr-post.html
@@ -10,6 +10,6 @@
 xhr.onerror = function() {
   report('DONE');
 };
-xhr.open("POST", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*", true);
+xhr.open("POST", "http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*", true);
 xhr.send("foo");
 </script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html
index 522ac47..c0864d1 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-audio-video.html
@@ -16,14 +16,14 @@
         // markup in order to avoid the console's flaky "what line am I on?"
         // autodetection.
         var audioElement = document.querySelector('audio');
-        audioElement.src = "http://127.0.0.1:8080/resources/test.mp4";
+        audioElement.src = "http://example.test:8080/resources/test.mp4";
         audioElement.addEventListener("loadstart", function(event) {
           isAudioLoaded = true;
           checkTestCompletion();
         });
 
         var videoElement = document.querySelector('video');
-        videoElement.src = "http://127.0.0.1:8080/resources/test.mp4";
+        videoElement.src = "http://example.test:8080/resources/test.mp4";
         videoElement.addEventListener("loadstart", function(event) {
           isVideoLoaded = true;
           checkTestCompletion();
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-css.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-css.html
index c207edef..e10de57 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-css.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-css.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<link rel="stylesheet" href="http://127.0.0.1:8080/security/mixedContent/resources/style.css">
+<link rel="stylesheet" href="http://example.test:8080/security/mixedContent/resources/style.css">
 </head>
 <body>
 This background color should be blue.
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-empty-srcset.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-empty-srcset.html
index af1ce4a..c80aeb46 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-empty-srcset.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-empty-srcset.html
@@ -1,7 +1,7 @@
 <script>
 window.onload = function() {
     var img = document.createElement('img');
-    img.src = 'http://127.0.0.1:8080/security/resources/compass.jpg';
+    img.src = 'http://example.test:8080/security/resources/compass.jpg';
     img.srcset = '';
     img.addEventListener('load', function () {
         if (window.opener)
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-eventsource.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-eventsource.html
index 58bb46b..617f21f 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-eventsource.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-eventsource.html
@@ -1,5 +1,5 @@
 <script>
-var es = new EventSource("http://127.0.0.1:8000/security/mixedContent/resources/simple-event-stream.pl");
+var es = new EventSource("http://example.test:8000/security/mixedContent/resources/simple-event-stream.pl");
 es.addEventListener("error", function() {
     if (window.opener)
         window.opener.postMessage('done', '*');
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-fetch.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-fetch.html
index 6c9d952..4a1571a0 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-fetch.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-fetch.html
@@ -1,5 +1,5 @@
 <script>
-fetch("http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*", {method: "POST"})
+fetch("http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*", {method: "POST"})
     .then(() => {
       window.opener.postMessage('FAIL: Fetch API succeeded unexpectedly', '*');
     }, e => {
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-font.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-font.html
index 06e4428f..7a2a126 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-font.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-font.html
@@ -1,7 +1,7 @@
 <style>
   @font-face {
       font-family: "AhemTest";
-      src: url(http://127.0.0.1:8080/css/resources/cors-ahem.php);
+      src: url(http://example.test:8080/css/resources/cors-ahem.php);
   }
   p { font-family: AhemTest; }
 </style>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html
index bc20246f..2e3671ce 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-formSubmission.html
@@ -1,4 +1,4 @@
-<form action="http://127.0.0.1:8080/security/resources/boring.html"
+<form action="http://example.test:8080/security/resources/boring.html"
       method="post">
 </form>
 <script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-frame.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-frame.html
index c89a859..1845af1a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-frame.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-frame.html
@@ -5,4 +5,4 @@
 }
 </script>
 <iframe onload="frameLoaded()"
-        src="http://127.0.0.1:8080/security/mixedContent/resources/boring.html"></iframe>
+        src="http://example.test:8080/security/mixedContent/resources/boring.html"></iframe>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-iframe.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-iframe.html
index 0c0cb561d..e307983 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-iframe.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-iframe.html
@@ -6,5 +6,5 @@
     window.opener.postMessage('done', '*');
 }
 </script>
-<iframe src="http://127.0.0.1:8080/security/mixedContent/resources/boring.html"></iframe>
+<iframe src="http://example.test:8080/security/mixedContent/resources/boring.html"></iframe>
 </body>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html
index 3173d06d..a08d648 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image.html
@@ -6,4 +6,4 @@
         window.parent.postMessage('done', '*');
 };
 </script>
-<img src="http://127.0.0.1:8080/security/resources/compass.jpg">
+<img src="http://example.test:8080/security/resources/compass.jpg">
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-picture.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-picture.html
index 3c57e8a..ccf6f55a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-picture.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-picture.html
@@ -1,5 +1,5 @@
 <picture>
-    <img src="http://127.0.0.1:8080/security/resources/compass.jpg">
+    <img src="http://example.test:8080/security/resources/compass.jpg">
 </picture>
 <script>
 window.onload = function() {
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-plugin.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-plugin.html
index 3c930e0..8b65f62a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-plugin.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-plugin.html
@@ -5,5 +5,5 @@
 }
 </script>
 <object name='plugin' type='application/x-blink-test-plugin'>
-  <param name='movie' value='http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf' />
+  <param name='movie' value='http://example.test:8000/security/mixedContent/resources/dummy.swf' />
 </object>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html
index f60503a..23db8c95 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script-through-redirection.html
@@ -1,4 +1,4 @@
-<script src="https://127.0.0.1:8443/security/resources/redir.php?url=http://127.0.0.1:8000/security/mixedContent/resources/script.js"></script>
+<script src="https://127.0.0.1:8443/security/resources/redir.php?url=http://example.test:8000/security/mixedContent/resources/script.js"></script>
 <script>
 window.onload = function() {
     if (window.opener)
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script.html
index 198ce58..4f9678a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-script.html
@@ -1,4 +1,4 @@
-<script src="http://127.0.0.1:8080/security/mixedContent/resources/script.js"></script>
+<script src="http://example.test:8080/security/mixedContent/resources/script.js"></script>
 <script>
 window.onload = function() {
     if (window.opener)
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-srcset.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-srcset.html
index e4a2d3c..c155f547 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-srcset.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-srcset.html
@@ -1,8 +1,8 @@
 <script>
 window.onload = function() {
     var img = document.createElement('img');
-    img.src = 'http://127.0.0.1:8080/security/resources/compass.jpg';
-    img.srcset = 'http://127.0.0.1:8080/security/resources/compass.jpg 2x';
+    img.src = 'http://example.test:8080/security/resources/compass.jpg';
+    img.srcset = 'http://example.test:8080/security/resources/compass.jpg 2x';
     img.addEventListener('load', function () {
         if (window.opener)
             window.opener.postMessage('done', '*');
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html
index 366cacb..6ae22a1d 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-sync-xhr-post.html
@@ -1,7 +1,7 @@
 <script>
 alert("Executing script in the child window.");
 var x = new XMLHttpRequest();
-x.open("POST", "http://localhost:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type", false);
+x.open("POST", "http://example.test:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*&headers=Content-Type", false);
 alert("XHR POST opened.");
 try {
     x.send(1);
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-texttrack.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-texttrack.html
index 0c5742f..28dc916 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-texttrack.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-texttrack.html
@@ -19,7 +19,7 @@
             var track = document.querySelector('track');
             var video = document.querySelector('video');
             track.track.mode = "hidden";
-            url = "http://localhost:8000/security/resources/captions-with-access-control-headers.php?origin=1";
+            url = "http://example.test:8000/security/resources/captions-with-access-control-headers.php?origin=1";
             video.setAttribute('crossorigin', 'anonymous');
             track.setAttribute('src', url);
         };
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-invisible-DOM-with-insecure-form.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-invisible-DOM-with-insecure-form.html
index 06f9fad..6ffa00d 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-invisible-DOM-with-insecure-form.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-invisible-DOM-with-insecure-form.html
@@ -1,7 +1,7 @@
 <script>
 function load_content() {
     var invisible_doc = document.implementation.createHTMLDocument("");
-    invisible_doc.body.innerHTML = '<html><body><form action="http://127.0.0.1:8080/security/resources/boring.html" method="post"></form></body></html>';
+    invisible_doc.body.innerHTML = '<html><body><form action="http://example.test:8080/security/resources/boring.html" method="post"></form></body></html>';
 }
 
 window.addEventListener("DOMContentLoaded", function listener() { load_content(); }, false);
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html
index 4322c87d22..e0937f4 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-frame.html
@@ -5,4 +5,4 @@
 }
 </script>
 <iframe onload="frameLoaded()"
-        src="http://127.0.0.1:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/boring.html"></iframe>
+        src="http://example.test:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/boring.html"></iframe>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html
index 3fe85941..14ab32e 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-http-to-https-script.html
@@ -1 +1 @@
-<script src="http://127.0.0.1:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/script.js"></script>
+<script src="http://example.test:8080/security/resources/redir.php?url=https://127.0.0.1:8443/security/mixedContent/resources/script.js"></script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html
index 78b2ec06..3a676042 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-frame.html
@@ -5,4 +5,4 @@
 }
 </script>
 <iframe onload="frameLoaded()"
-        src="https://127.0.0.1:8443/security/resources/redir.php?url=http://127.0.0.1:8080/security/mixedContent/resources/boring.html"></iframe>
+        src="https://127.0.0.1:8443/security/resources/redir.php?url=http://example.test:8080/security/mixedContent/resources/boring.html"></iframe>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html
index 7d5537c..96186d8 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-script.html
@@ -1 +1 @@
-<script src="https://127.0.0.1:8443/security/resources/redir.php?url=http://127.0.0.1:8080/security/mixedContent/resources/script.js"></script>
+<script src="https://127.0.0.1:8443/security/resources/redir.php?url=http://example.test:8080/security/mixedContent/resources/script.js"></script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html
index 09681bc..47b6eda 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html
@@ -21,7 +21,7 @@
                 var expectations = {
                     'documentURI': document.location.toString(),
                     'referrer': document.referrer,
-                    'blockedURI': 'http://127.0.0.1:8080/security/resources/compass.jpg?t=1',
+                    'blockedURI': 'http://example.test:8080/security/resources/compass.jpg?t=1',
                     'violatedDirective': 'block-all-mixed-content',
                     'effectiveDirective': 'block-all-mixed-content',
                     'originalPolicy': 'block-all-mixed-content',
@@ -35,6 +35,6 @@
             })
         ]).then(t.step_func_done());
 
-        i.src = "http://127.0.0.1:8080/security/resources/compass.jpg?t=1";
+        i.src = "http://example.test:8080/security/resources/compass.jpg?t=1";
     }, "Mixed images are blocked and generate CSP violation reports in the presence of 'block-all-mixed-content'.");
 </script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt
index ad3fc2b..a59adab 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-in-frame-blocked.https-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/strict-mode-image-in-frame-blocked.https.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/strict-mode-image-in-frame-blocked.https.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
 This test passes if the image in the frame below is treated as blockable content.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php
index 7b2c280..808bf02 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php
@@ -23,7 +23,7 @@
                 var expectations = {
                     'documentURI': document.location.toString(),
                     'referrer': document.referrer,
-                    'blockedURI': 'http://127.0.0.1:8080/security/resources/compass.jpg?t=1',
+                    'blockedURI': 'http://example.test:8080/security/resources/compass.jpg?t=1',
                     'violatedDirective': 'block-all-mixed-content',
                     'effectiveDirective': 'block-all-mixed-content',
                     'originalPolicy': 'block-all-mixed-content',
@@ -37,6 +37,6 @@
             })
         ]).then(t.step_func_done());
 
-        i.src = "http://127.0.0.1:8080/security/resources/compass.jpg?t=1";
+        i.src = "http://example.test:8080/security/resources/compass.jpg?t=1";
     }, "Mixed images are allowed and generate CSP violation reports in the presence of 'block-all-mixed-content' in report-only mode.");
 </script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https-expected.txt
index b7a6eafc..c0e6df2 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https-expected.txt
@@ -1,4 +1,4 @@
-CONSOLE ERROR: line 13: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/strict-mode-via-pref-image-blocked.https.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: line 13: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/strict-mode-via-pref-image-blocked.https.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/security/resources/compass.jpg'. This request has been blocked; the content must be served over HTTPS.
 This test passes if the image below is treated as blockable content.
 
 
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https.html
index e11a107..482beb2 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-via-pref-image-blocked.https.html
@@ -10,6 +10,6 @@
 </head>
 <body>
     <p>This test passes if the image below is treated as blockable content.</p>
-    <img src="http://127.0.0.1:8080/security/resources/compass.jpg">
+    <img src="http://example.test:8080/security/resources/compass.jpg">
 </body>
 </html>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-websocket-blocked.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-websocket-blocked.https.html
index 62d3874b..181553a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-websocket-blocked.https.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-websocket-blocked.https.html
@@ -10,7 +10,7 @@
         test(function () {
             assert_throws("SecurityError",
                           function () {
-                              new WebSocket("ws://127.0.0.1:8880/echo");
+                              new WebSocket("ws://example.test:8880/echo");
                           });
         }, "Test that insecure websocket construction throws.");
     </script>
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-successful-construction.js b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-successful-construction.js
index 083fd8f..d6094e65 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-successful-construction.js
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-successful-construction.js
@@ -6,7 +6,7 @@
 }
 
 new Promise(function (resolve, reject) {
-    var ws = new WebSocket("ws://127.0.0.1:8880/echo");
+    var ws = new WebSocket("ws://example.test:8880/echo");
     ws.onopen = function () {
         resolve();
     };
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-throw-on-construction.js b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-throw-on-construction.js
index e39cf14..2bc31e46 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-throw-on-construction.js
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/websocket/resources/expect-throw-on-construction.js
@@ -9,7 +9,7 @@
 
 (function () {
     try {
-        var ws = new WebSocket("ws://127.0.0.1:8880/echo");
+        var ws = new WebSocket("ws://example.test:8880/echo");
     } catch (e) {
         reportResult("DONE");
         return;
diff --git a/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-mixed-content-to-outscope-expected.txt b/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-mixed-content-to-outscope-expected.txt
index 5e9a805..16bf639 100644
--- a/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-mixed-content-to-outscope-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-mixed-content-to-outscope-expected.txt
@@ -1,5 +1,4 @@
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html' was loaded over HTTPS, but requested an insecure image 'http://127.0.0.1:8000/serviceworker/resources/fetch-access-control.php?PNGIMAGE'. This request has been blocked; the content must be served over HTTPS.
-CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html' was loaded over HTTPS, but requested an insecure image 'http://localhost:8000/serviceworker/resources/fetch-access-control.php?PNGIMAGE'. This request has been blocked; the content must be served over HTTPS.
+CONSOLE ERROR: Mixed Content: The page at 'https://127.0.0.1:8443/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8000/serviceworker/resources/fetch-access-control.php?PNGIMAGE'. This request has been blocked; the content must be served over HTTPS.
 This is a testharness.js-based test.
 PASS Verify Mixed content of fetch() in a Service Worker 
 Harness: the test ran to completion.
diff --git a/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-inscope.html b/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-inscope.html
index 4ddb528..d35b3807b 100644
--- a/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-inscope.html
+++ b/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-inscope.html
@@ -38,27 +38,13 @@
   document.body.appendChild(img);
   img.onload = function() {
     results += 'FAIL(3)';
-    test4();
-  };
-  img.onerror = function() {
-    test4();
-  };
-  img.src = './dummy?mode=no-cors&url=' +
-            encodeURIComponent(host_info['HTTP_ORIGIN'] + image_path);
-}
-
-function test4() {
-  var img = document.createElement('img');
-  document.body.appendChild(img);
-  img.onload = function() {
-    results += 'FAIL(4)';
     finish();
   };
   img.onerror = function() {
     finish();
   };
   img.src = './dummy?mode=no-cors&url=' +
-            encodeURIComponent(host_info['HTTP_REMOTE_ORIGIN'] + image_path);
+            encodeURIComponent(host_info['UNAUTHENTICATED_ORIGIN'] + image_path);
 }
 
 function finish() {
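Review bot: The step that requested `host_info['HTTP_ORIGIN'] + image_path` is dropped here rather than turned into a positive expectation, so nothing in this file checks that a loopback `http:` image requested through the service worker is now allowed. If `HTTP_ORIGIN` is the `http://127.0.0.1` server, as the expectation file for the sibling outscope test suggests, keeping that step with the handlers swapped would cover the behaviour this commit introduces: `img.onerror = function() { results += 'FAIL(3)'; finish(); };`. The same applies to the matching hunk in fetch-mixed-content-iframe-inscope-to-outscope.html. The function this hunk edits begins above the visible lines, so its step number is inferred from the `FAIL(3)` string.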
diff --git a/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html b/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html
index a2c5aec7..dc7c47b 100644
--- a/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html
+++ b/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-mixed-content-iframe-inscope-to-outscope.html
@@ -41,30 +41,17 @@
   img.onerror = function() {
     test4();
   };
-  img.src = host_info['HTTP_ORIGIN'] + image_path;
+  img.src = host_info['UNAUTHENTICATED_ORIGIN'] + image_path;
 }
 
 function test4() {
   var img = document.createElement('img');
   document.body.appendChild(img);
   img.onload = function() {
-    results += 'FAIL(4)';
-    test5();
-  };
-  img.onerror = function() {
-    test5();
-  };
-  img.src = host_info['HTTP_REMOTE_ORIGIN'] + image_path;
-}
-
-function test5() {
-  var img = document.createElement('img');
-  document.body.appendChild(img);
-  img.onload = function() {
     finish();
   };
   img.onerror = function() {
-    results += 'FAIL(5)';
+    results += 'FAIL(4)';
     finish();
   };
   img.src = './dummy?generate-png';
diff --git a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
index 5bb8e4b1..9f5c405b1 100644
--- a/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
+++ b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
@@ -88,8 +88,13 @@
     if (!SchemeRegistry::shouldTreatURLSchemeAsRestrictingMixedContent(securityOrigin->protocol()))
         return false;
 
-    // We're in a secure context, so |url| is mixed content if it's insecure.
-    return !SecurityOrigin::isSecure(url);
+    // |url| is mixed content if its origin is not potentially trustworthy, and
+    // its protocol is not 'data'.
+    bool isAllowed = url.protocolIsData() || SecurityOrigin::create(url)->isPotentiallyTrustworthy();
+    // TODO(mkwst): Remove this once 'localhost' is no longer considered potentially trustworthy:
+    if (isAllowed && url.protocolIs("http") && url.host() == "localhost")
+        isAllowed = false;
+    return !isAllowed;
 }
 
 // static
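Review bot: The `localhost` carve-out tests only `url.protocolIs("http")`, so a `ws://localhost/` subresource is classified by `isPotentiallyTrustworthy()` alone. If that predicate judges by host, as the need for this carve-out suggests, an HTTPS page could open an insecure WebSocket to a name-resolved `localhost` while the equivalent `http:` load stays blocked. Consider `if (isAllowed && (url.protocolIs("http") || url.protocolIs("ws")) && url.host() == "localhost")`, or say in the TODO that `ws:` is intentionally left out. The host comparison is an exact string match, so it is worth confirming that the host is already canonicalised (case, trailing dot) by the time it reaches this check. The enclosing function starts above this hunk, so any earlier guards are not visible.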
diff --git a/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp b/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp
index 5d59282..291c92f 100644
--- a/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp
+++ b/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp
@@ -27,12 +27,19 @@
     } cases[] = {
         {"http://example.com/foo", "http://example.com/foo", false},
         {"http://example.com/foo", "https://example.com/foo", false},
+        {"http://example.com/foo", "data:text/html,<p>Hi!</p>", false},
         {"https://example.com/foo", "https://example.com/foo", false},
         {"https://example.com/foo", "wss://example.com/foo", false},
+        {"https://example.com/foo", "data:text/html,<p>Hi!</p>", false},
+        {"https://example.com/foo", "http://127.0.0.1/", false},
+        {"https://example.com/foo", "http://[::1]/", false},
+
         {"https://example.com/foo", "http://example.com/foo", true},
         {"https://example.com/foo", "http://google.com/foo", true},
         {"https://example.com/foo", "ws://example.com/foo", true},
         {"https://example.com/foo", "ws://google.com/foo", true},
+        {"https://example.com/foo", "http://192.168.1.1/", true},
+        {"https://example.com/foo", "http://localhost/", true},
     };
 
     for (size_t i = 0; i < WTF_ARRAY_LENGTH(cases); ++i) {
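Review bot: The new rows exercise loopback hosts only with the `http` scheme, so the table does not pin the result for `ws://127.0.0.1/` or `ws://localhost/`, even though the checker's `localhost` exception is scheme-specific. Adding a row for each, with whichever result is intended, would make that decision explicit and guard it against regressions. A short comment above the `http://localhost/` row would explain why it differs from `http://127.0.0.1/`, for example `// 'localhost' stays mixed content; see the TODO(mkwst) in MixedContentChecker.cpp.`. The table's declaration and the loop that consumes it extend beyond this hunk.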