w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

"a priori authenticated URL" is now equivalent to "potentially trustworthy URL" #35

Closed fred-wang closed 3 years ago

fred-wang commented 3 years ago

From https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url :

We know a priori that a request to a particular URL (url) will be delivered in a way that mitigates the risks of interception and modifications if either of the following statements is true:

    url is a potentially trustworthy URL [SECURE-CONTEXTS].
    url’s scheme is "data".

    Note: We special case data URLs here, as we don’t consider them particularly trustworthy, but we also don’t wish to block them as mixed content, as they never hit the network.

But the case when url’s scheme is "data" is actually already included in what https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url defines:

Given a URL (url), the following algorithm returns "Potentially Trustworthy" or "Not Trustworthy" as appropriate:

    If url is "about:blank" or "about:srcdoc", return "Potentially Trustworthy".
    If url’s scheme is "data", return "Potentially Trustworthy".
    Return the result of executing § 3.2 Is origin potentially trustworthy? on url’s origin.

    Note: The origin of blob: and filesystem: URLs is the origin of the context in which they were created. Therefore, blobs created in a trustworthy origin will themselves be potentially trustworthy.

So it looks like "a priori authenticated URL" is now just equivalent to "potentially trustworthy URL" and the text can be simplified & cleaned up.
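The two definitions quoted in this issue, side by side, as an added example that is not part of the original issue or of either specification. `isOriginPotentiallyTrustworthy` is a simplified stand-in for § 3.2 (assumption: no user-agent-configured origins), the `dataStep` parameter is a hypothetical switch that removes step 2 for comparison, and the sample URLs are constructed.

```javascript
// Simplified stand-in for Secure Contexts § 3.2 "Is origin potentially trustworthy?"
// (assumption: no user-agent-configured trustworthy origins).
function isOriginPotentiallyTrustworthy(url) {
  if (url.protocol === 'file:') return true;
  if (url.origin === 'null') return false;            // opaque origin
  const origin = new URL(url.origin);                 // blob: URLs carry their creator's origin
  if (origin.protocol === 'https:' || origin.protocol === 'wss:') return true;
  const host = origin.hostname;
  if (host === '[::1]' || /^127(\.\d{1,3}){3}$/.test(host)) return true;  // loopback
  return host === 'localhost' || host.endsWith('.localhost');
}

// The "potentially trustworthy URL" algorithm quoted above.
// dataStep=false is a hypothetical variant with step 2 removed, for comparison.
function isPotentiallyTrustworthyUrl(input, dataStep = true) {
  const url = new URL(input);
  if (url.href === 'about:blank' || url.href === 'about:srcdoc') return true;
  if (dataStep && url.protocol === 'data:') return true;
  return isOriginPotentiallyTrustworthy(url);
}

// The "a priori authenticated URL" definition quoted above:
// potentially trustworthy URL, or scheme is "data".
function isAPrioriAuthenticatedUrl(input, dataStep = true) {
  return isPotentiallyTrustworthyUrl(input, dataStep) ||
    new URL(input).protocol === 'data:';
}

// Constructed sample URLs.
const SAMPLES = [
  'https://example.com/app.js', 'http://example.com/app.js',
  'wss://example.com/socket', 'ws://example.com/socket',
  'http://localhost:8080/', 'http://127.0.0.1/', 'http://[::1]/',
  'about:blank', 'data:text/plain,hello', 'data:text/html,hi',
  'blob:https://example.com/0f1e2d3c',
];

// URLs on which the two definitions give different answers.
function disagreements(samples, dataStep = true) {
  return samples.filter((u) =>
    isPotentiallyTrustworthyUrl(u, dataStep) !== isAPrioriAuthenticatedUrl(u, dataStep));
}

console.log(disagreements(SAMPLES));         // step 2 present
console.log(disagreements(SAMPLES, false));  // step 2 removed
```

With step 2 in place the two predicates agree on every sample; with it removed they differ only on the `data:` URLs, which is the one case the extra clause in Mixed Content covers.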