← All tests

What this tests

The test loads an insecure HTTP image (http://http.badssl.com/icons/icon-red.png) in two contexts on this HTTPS page:

  1. Directly in the main frame.
  2. Inside a dynamically created about:blank iframe.

An about:blank frame inherits its security origin from the parent, so mixed content rules should apply identically in both contexts.

A vulnerable browser may resolve the frame’s context from window.location.href (about:blank) rather than the inherited HTTPS origin, causing mixed content checks to be skipped inside the frame.

Expected results

Scenario Main frame about:blank frame Verdict
Protected browser Blocked Blocked Pass
Vulnerable browser Blocked Loads Fail — about:blank bypasses mixed content blocking