about:blank Frame
Tests whether mixed content blocking applies inside about:blank iframes
The test loads an insecure HTTP image
(http://http.badssl.com/icons/icon-red.png) in two contexts
on this HTTPS page:
about:blank iframe.
An about:blank frame inherits its security origin from the parent, so
mixed content rules should apply identically in both contexts.
A vulnerable browser may resolve the frame’s context from
window.location.href (about:blank) rather than the inherited
HTTPS origin, causing mixed content checks to be skipped inside the frame.
| Scenario | Main frame | about:blank frame |
Verdict |
|---|---|---|---|
| Protected browser | Blocked | Blocked | Pass |
| Vulnerable browser | Blocked | Loads | Fail — about:blank bypasses mixed content blocking |