Bug 356371

Summary: missing option / default behaviour to disable mixed (insecure http) content within https sites
Product: [Applications] konqueror
Reporter: Thomas Bettler <thomas.bettler>
Component: khtml part
Assignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED FIXED    
Severity: major    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Thomas Bettler 2015-12-07 19:10:40 UTC
Other browsers provide an option to disable mixed/insecure content within https connections.
See https://www.ssllabs.com/ssltest/viewMyClient.html --> see Mixed Content Handling Test to see more details.

Reproducible: Always

Steps to Reproduce:
Open any https connection containing insecure http content.

Actual Results:  
Insecure http content will be loaded. 
Considering this as a major bug regarding SSL/TLS security.

Expected Results:  
Insecure content should be disabled / blocked by default.
Optional: A warning should ask whether to display the insecure/mixed content.
Optional: A config option could be provided to allow display of insecure content permanently.

A Dangerous Mix: Large-scale analysis of mixed-content websites:
http://www.securitee.org/files/mixedinc_isc2013.pdf

Comment 1 Justin Zobel 2022-10-19 02:59:54 UTC
Thank you for reporting this bug in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "CONFIRMED" when replying. Thank you!

Comment 2 Thomas Bettler 2022-10-19 17:30:53 UTC
current state: still reproducible
Mixed Content Tests
Images	Passive	Yes

Comment 3 Bug Janitor Service 2022-10-27 09:39:50 UTC
A possibly relevant merge request was started @ https://invent.kde.org/network/konqueror/-/merge_requests/145

Comment 4 Stefano Crocco 2022-12-29 09:08:57 UTC
Git commit 6689f1a8f53436dbd5bcf4b5f898d5d479fd8f69 by Stefano Crocco.
Committed on 29/12/2022 at 08:49.
Pushed by stefanocrocco into branch 'master'.

Block images with HTTP URLs from HTTPS pages

M  +4    -0    webenginepart/src/webengineurlrequestinterceptor.cpp

https://invent.kde.org/network/konqueror/commit/6689f1a8f53436dbd5bcf4b5f898d5d479fd8f69
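
The behaviour requested in this report (block plain-HTTP subresources on HTTPS pages by default, with an opt-in for displayed content), written as a stand-alone decision function that a request interceptor could call. This is an added example, not the code from the commit above or any Konqueror source; `Kind`, `Policy`, `decide`, the assumption that URLs arrive absolute, and the rule that only passive content can be opted in are all hypothetical.

```cpp
// Added example, not Konqueror code: every name below is hypothetical.
#include <cctype>
#include <cstdio>
#include <string>

enum class Kind { Image, Media, Script, Stylesheet, SubFrame, Other };
enum class Decision { Allow, Block };

struct Policy {
    bool allowInsecureDisplay = false; // assumed opt-in, off by default
};

// Lower-cased scheme of an absolute URL, or "" when there is none.
static std::string schemeOf(const std::string &url) {
    const std::string::size_type colon = url.find(':');
    if (colon == std::string::npos) return "";
    std::string s = url.substr(0, colon);
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Images and audio/video only display; everything else is treated as active.
static bool isPassive(Kind k) { return k == Kind::Image || k == Kind::Media; }

Decision decide(const std::string &pageUrl, const std::string &requestUrl,
                Kind kind, const Policy &policy = Policy()) {
    if (schemeOf(pageUrl) != "https") return Decision::Allow; // not a secure page
    const std::string req = schemeOf(requestUrl);
    if (req != "http" && req != "ws") return Decision::Allow; // not plaintext
    // Plaintext load from an HTTPS page: only passive content can be opted in.
    if (isPassive(kind) && policy.allowInsecureDisplay) return Decision::Allow;
    return Decision::Block;
}

int main() {
    // Constructed sample requests made by a page at https://shop.example/.
    const char *page = "https://shop.example/";
    struct { const char *url; Kind kind; } reqs[] = {
        {"https://cdn.example/logo.png", Kind::Image},
        {"HTTP://cdn.example/logo.png", Kind::Image},
        {"http://cdn.example/app.js", Kind::Script},
    };
    for (const auto &r : reqs)
        std::printf("%-32s %s\n", r.url,
                    decide(page, r.url, r.kind) == Decision::Block ? "BLOCK" : "allow");
    return 0;
}
```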