From 86f2c578890551d708b89a0f1541b389fcf09aeb Mon Sep 17 00:00:00 2001
From: corvid
Date: Sat, 4 Jul 2015 17:11:33 +0000
Subject: permit secure->insecure redirection for now, add large comment

---
 src/capi.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'src/capi.c')

diff --git a/src/capi.c b/src/capi.c
index 11761687..0e561b77 100644
--- a/src/capi.c
+++ b/src/capi.c
@@ -350,9 +350,21 @@ static bool_t Capi_request_permitted(DilloWeb *web)
    if (!web->requester)
       return TRUE;
 
-   if (!dStrAsciiCasecmp(URL_SCHEME(web->requester), "https")) {
+   if (web->flags & ~WEB_RootUrl &&
+       !dStrAsciiCasecmp(URL_SCHEME(web->requester), "https")) {
       const char *s = URL_SCHEME(web->url);
 
+      /* As of 2015, blocking of "active" mixed content is widespread
+       * (style sheets, javascript, fonts, etc.), but the big browsers aren't
+       * quite in a position to block "passive" mixed content (images) yet.
+       * (Not clear whether there's consensus on which category to place
+       * background images in.)
+       *
+       * We are blocking both, and only permitting secure->insecure page
+       * redirection for now (e.g., duckduckgo has been seen providing links
+       * to https URLs that redirect to http). As the web security landscape
+       * evolves, we may be able to remove that permission.
+       */
       if (dStrAsciiCasecmp(s, "https") && dStrAsciiCasecmp(s, "data")) {
          MSG("capi: Blocked mixed content: %s -> %s\n",
              URL_STR(web->requester), URL_STR(web->url));
-- 
cgit v1.2.3
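Review bot: The new guard `web->flags & ~WEB_RootUrl` on the first added line tests whether any flag bit other than WEB_RootUrl is set, not whether the request is a non-root one, so it only implements the comment's stated policy (exempt top-level page redirection, check everything else) if every non-root request carries some other flag bit and no root request ever does; whether that holds depends on how flags are assigned elsewhere and is not visible in this hunk. If a non-root request can arrive with no other bits set, it would skip mixed-content blocking entirely, which is the opposite of the intent. The unambiguous form of "not the root URL" is `if (!(web->flags & WEB_RootUrl) &&`, which also reads more clearly next to the `&&` than a bitwise `& ~` expression. Because the exemption means an https page can be silently replaced by http content after a redirect, it would also be worth emitting an `MSG` for the permitted downgrade, as the blocked case already does, so the loss of TLS is at least visible in the log. Capi_request_permitted continues outside the hunk.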