w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Remove CORS exception for upgrade algorithm [FIXES: #63] #67

Closed moztomer closed 1 year ago

moztomer commented 1 year ago

As mentioned in https://github.com/w3c/webappsec-mixed-content/issues/63#issuecomment-1386714463, it might be worth updating the spec's upgrading algorithm, because exempting CORS requests could lead to insecure loads via HTTP.

Also, if we were blocking CORS requests we wouldn't break any CORS request by trying to autoupgrade it.

mikewest commented 1 year ago

Are there web platform tests you could put into place to support this change?

moztomer commented 1 year ago

Right, that's a good idea. We already implemented a WPT for CORS and mixed content auto-upgrading (currently the WPT is checking if MC works according to the spec) and planned to push it. I will make a PR to the web platform testing repo. (Current state of our web platform test: https://phabricator.services.mozilla.com/D166136; scroll down to the last file in the patch.)

mikewest commented 1 year ago

Great. Since Emily's on board, I think we can land this once you put up the WPT PR.

moztomer commented 1 year ago

Link to PR

(Sorry for the delay. I had some technical issues :) )

mikewest commented 1 year ago

Merged, thanks!

moztomer commented 1 year ago

Thank you @carlosjoan91 @estark37 and @mikewest :)

mozfreddyb commented 1 year ago

Thanks for merging! Kind reminder that https://github.com/web-platform-tests/wpt/pull/38113 is still in need of a review.