Plaintext Ping requests not blocked by mixed-content checks (262117)

rdar://116054889

Reviewed by Alex Christensen.

Enforce mixed content checks for beacons and poings, like we do for regular xhr/fetch.
This aligns the behavior with Chrome and Firefox.

We have to change some tests so that preloads kick in deterministically.
Preloads might not kick in if an early JS resource is already in the cache.
We therefore clear the memory cache to ensure dump-securitypolicyviolation-and-notify-done.js gets fetched again, which will trigger both preload and resource load.
Otherwise, we will get only one CONSOLE MESSAGE for the actual blocked load.

We also have to change some tests so that they use HTTPS and not HTTP.

* LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html:
* LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html:
* LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt: Removed.
* LayoutTests/platform/ios/TestExpectations:
* LayoutTests/platform/mac-wk1/TestExpectations:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):

Canonical link: https://commits.webkit.org/272448.10@safari-7618-branch

LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt

@@ -1,5 +1,6 @@
-Blocked access to external URL http://example.test:8000/blink/sendbeacon/resources/save-beacon.py?name=cross-origin
-CONSOLE MESSAGE: Beacon API cannot load http://example.test:8000/blink/sendbeacon/resources/save-beacon.py?name=cross-origin due to access control checks.
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/blink/sendbeacon/beacon-cross-origin.https.html was not allowed to display insecure content from http://example.test:8000/blink/sendbeacon/resources/save-beacon.py?name=cross-origin.
+
+CONSOLE MESSAGE: Beacon API cannot load http://example.test:8000/blink/sendbeacon/resources/save-beacon.py?name=cross-origin. Not allowed to request resource
 Verify navigator.sendBeacon() mixed content checking.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt

@@ -1,6 +1,6 @@
 Ping sent successfully
 CONTENT_TYPE: text/ping
-HTTP_HOST: localhost:8000
+HTTP_HOST: localhost:8443
 HTTP_PING_TO: https://127.0.0.1:8443/navigation/resources/check-ping.py
 REQUEST_METHOD: POST
 REQUEST_URI: /navigation/resources/save-ping.py?test=/navigation/ping-attribute/anchor-cross-origin-from-https.html

LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html

@@ -35,5 +35,5 @@
 </head>
 <body onload="test();">
 <img src="../resources/delete-ping.py" onload="test();" onerror="test();"></img>
-<a id="a" href="../resources/check-ping.py" ping="http://localhost:8000/navigation/resources/save-ping.py?test=/navigation/ping-attribute/anchor-cross-origin-from-https.html">Navigate and send ping</a>
+<a id="a" href="../resources/check-ping.py" ping="https://localhost:8443/navigation/resources/save-ping.py?test=/navigation/ping-attribute/anchor-cross-origin-from-https.html">Navigate and send ping</a>
 </body></html>

LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt

@@ -1,6 +1,6 @@
 Ping sent successfully
 CONTENT_TYPE: text/ping
-HTTP_HOST: localhost:8000
+HTTP_HOST: localhost:8443
 HTTP_PING_TO: https://127.0.0.1:8443/navigation/resources/check-ping.py
 REQUEST_METHOD: POST
 REQUEST_URI: /navigation/resources/save-ping.py?test=/navigation/ping-attribute/area-cross-origin-from-https.html

LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html

@@ -26,7 +26,7 @@
 <body>
     <img src="non-existent-image.jpg" width="128" height="128" usemap="#imagemap">
     <map name="imagemap">
-        <area shape="rect" coords="0,0,128,128" href="../resources/check-ping.py" ping="http://localhost:8000/navigation/resources/save-ping.py?test=/navigation/ping-attribute/area-cross-origin-from-https.html">
+        <area shape="rect" coords="0,0,128,128" href="../resources/check-ping.py" ping="https://localhost:8443/navigation/resources/save-ping.py?test=/navigation/ping-attribute/area-cross-origin-from-https.html">
     </map>
 </body>
 </html>

LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html

@@ -9,5 +9,5 @@
 </head>
 <body>
 <img src="../../resources/delete-ping.py?test=secure-anchor-cross-origin" onload="test();" onerror="test();"></img>
-<a id="a" href="../../resources/check-ping.py?test=secure-anchor-cross-origin" ping="http://localhost:8000/navigation/resources/save-ping.py?test=secure-anchor-cross-origin">Navigate and send ping</a>
+<a id="a" href="../../resources/check-ping.py?test=secure-anchor-cross-origin" ping="https://localhost:8443/navigation/resources/save-ping.py?test=secure-anchor-cross-origin">Navigate and send ping</a>
 </body></html>

LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt

@@ -1,6 +1,6 @@
 Ping sent successfully
 CONTENT_TYPE: text/ping
-HTTP_HOST: localhost:8000
+HTTP_HOST: localhost:8443
 HTTP_PING_TO: https://127.0.0.1:8443/navigation/resources/check-ping.py?test=secure-anchor-cross-origin
 REQUEST_METHOD: POST
 REQUEST_URI: /navigation/resources/save-ping.py?test=secure-anchor-cross-origin

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt

@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Beacon API cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Not allowed to request resource
+This test loads a secure iframe that triggers an insecure beacon load. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that triggers an insecure beacon load.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html" width="100%" height="300"></iframe>
+</body>
+</html>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt

@@ -2,6 +2,7 @@ frame "<!--frame1-->" - didStartProvisionalLoadForFrame
 main frame - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didCommitLoadForFrame
 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
 frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didHandleOnloadEventsForFrame
 main frame - didHandleOnloadEventsForFrame

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt

@@ -4,6 +4,7 @@ main frame - didHandleOnloadEventsForFrame
 main frame - didFinishLoadForFrame
 main frame - didCommitLoadForFrame
 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
 main frame - didFinishDocumentLoadForFrame
 main frame - didHandleOnloadEventsForFrame
 main frame - didFinishLoadForFrame

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt

@@ -0,0 +1,3 @@
+This test loads a secure iframe that triggers an insecure ping load. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt

@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+This test loads a secure iframe that triggers an insecure ping load. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html

@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that triggers an insecure ping load.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe id="pingFrame" src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html" width="100%" height="300"></iframe>
+<script>
+function clickOnLinkWithPing() {
+  const pingFrameDoc = pingFrame.contentDocument;
+  if (window.eventSender) {
+    const a = pingFrameDoc.getElementById("pingElement");
+    const x = pingFrame.offsetLeft + a.offsetLeft + 2;
+    const y = pingFrame.offsetTop + a.offsetTop + 2;
+    eventSender.mouseMoveTo(x, y);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+  }
+}
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+onload = () => {
+  window.setTimeout(done, 10000);
+  clickOnLinkWithPing();
+}
+</script>
+</body>
+</html>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt

@@ -2,6 +2,7 @@ frame "<!--frame1-->" - didStartProvisionalLoadForFrame
 main frame - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didCommitLoadForFrame
 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
 frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didHandleOnloadEventsForFrame
 main frame - didHandleOnloadEventsForFrame

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt

@@ -4,6 +4,7 @@ main frame - didHandleOnloadEventsForFrame
 main frame - didFinishLoadForFrame
 main frame - didCommitLoadForFrame
 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
 main frame - didFinishDocumentLoadForFrame
 main frame - didHandleOnloadEventsForFrame
 main frame - didFinishLoadForFrame

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<script>
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+onload = () => {
+    navigator.sendBeacon("http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi");
+    window.setTimeout(done, 10000);
+}
+</script>
+</body>
+</html>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html

@@ -2,6 +2,10 @@
 <html>
 <head>
 <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
 <script src="dump-securitypolicyviolation-and-notify-done.js"></script>
 <style>
 body {

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html

@@ -2,6 +2,10 @@
 <html>
 <head>
 <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
 <script src="dump-securitypolicyviolation-and-notify-done.js"></script>
 </head>
 <body>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html

@@ -2,6 +2,10 @@
 <html>
 <head>
 <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
 <script src="dump-securitypolicyviolation-and-notify-done.js"></script>
 </head>
 <body>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
+<script src="dump-securitypolicyviolation-and-notify-done.js?insecure-ping"></script>
+</head>
+<body>
+ <a id="pingElement" href="#" ping="http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi">link</a>
+</body>
+</html>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html

@@ -2,6 +2,10 @@
 <html>
 <head>
 <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
 <script src="dump-securitypolicyviolation-and-notify-done.js"></script>
 </head>
 <body>

LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html

@@ -2,6 +2,10 @@
 <html>
 <head>
 <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.internals)
+    internals.clearMemoryCache();
+</script>
 <script src="dump-securitypolicyviolation-and-notify-done.js"></script>
 </head>
 <body>

LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt

@@ -1,6 +1,3 @@
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=keep-scheme&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=no-redirect&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=swap-scheme&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
 Blocked access to external URL https://www1.localhost:9443/common/security-features/subresource/empty.py?redirection=swap-scheme&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
 
 PASS Mixed-Content: Expects allowed for beacon to same-https origin and keep-scheme redirection from https context.
@@ -9,8 +6,8 @@ PASS Mixed-Content: Expects blocked for beacon to cross-http origin and keep-sch
 PASS Mixed-Content: Expects blocked for beacon to cross-http origin and no-redirect redirection from https context.
 PASS Mixed-Content: Expects blocked for beacon to cross-http origin and swap-scheme redirection from https context.
 PASS Mixed-Content: Expects blocked for beacon to cross-https origin and swap-scheme redirection from https context.
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and keep-scheme redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and swap-scheme redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
-FAIL Mixed-Content: Expects blocked for beacon to same-https origin and swap-scheme redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and keep-scheme redirection from https context.
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context.
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and swap-scheme redirection from https context.
+PASS Mixed-Content: Expects blocked for beacon to same-https origin and swap-scheme redirection from https context.
 

LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt

@@ -1,6 +1,5 @@
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=no-redirect&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
 
 PASS Mixed-Content: Expects allowed for beacon to same-https origin and no-redirect redirection from https context.
 PASS Mixed-Content: Expects blocked for beacon to cross-http origin and no-redirect redirection from https context.
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context.
 

LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt

@@ -1,13 +1,10 @@
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=keep-scheme&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=no-redirect&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
-Blocked access to external URL http://www1.localhost:8800/common/security-features/subresource/empty.py?redirection=swap-scheme&action=purge&key=GENERATED_KEY&path=%2Fmixed-content
 
 PASS Mixed-Content: Expects allowed for beacon to same-https origin and keep-scheme redirection from https context.
 PASS Mixed-Content: Expects allowed for beacon to same-https origin and no-redirect redirection from https context.
 PASS Mixed-Content: Expects blocked for beacon to cross-http origin and keep-scheme redirection from https context.
 PASS Mixed-Content: Expects blocked for beacon to cross-http origin and no-redirect redirection from https context.
 PASS Mixed-Content: Expects blocked for beacon to cross-http origin and swap-scheme redirection from https context.
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and keep-scheme redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
-FAIL Mixed-Content: Expects blocked for beacon to same-http origin and swap-scheme redirection from https context. assert_equals: The resource request should be 'blocked'. expected "blocked" but got "allowed"
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and keep-scheme redirection from https context.
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context.
+PASS Mixed-Content: Expects blocked for beacon to same-http origin and swap-scheme redirection from https context.