Issue 461808

Starred by 3 users

Issue metadata

Status: Fixed
Owner: ----
Closed: Feb 2017
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

shouldn't be treated as Mixed Content from Apps / Extensions

Reported by, Feb 25 2015

Issue description

Version: 41.0.2272.65
OS: Chrome OS

What steps will reproduce the problem?
1. Open
2. Exec with(new XMLHttpRequest)open('get', ''),send();

What is the expected output? What do you see instead?
I expect the request to succeed.

I see a warning about mixed content.

jschuh@ told me this was a bug, and that was supposed to be treated as not-mixed-content.

Please use labels and text to provide additional information.

Full error, in case it matters

Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
VM257:2 (anonymous function)
VM256:847 InjectedScript._evaluateOn
VM256:780 InjectedScript._evaluateAndWrap
VM256:646 InjectedScript.evaluate

Comment 2 by, Feb 25 2015

The spec disagrees with jschuh@, but maybe we should make an exception for localhost.

That said, I don't think we should be making it easier to request internal resources from public webpages (see issue #378566 for discussion on that topic). What's the use-case this behavior is blocking?

Comment 3 by, Feb 25 2015

I think there's a bit of confusion about what I said. So, to be clear, we do not want to make it easier to request internal/local resources from the public web. To the contrary, we want to block it unless there's explicit opt-in.

That stated, we do want to treat localhost and file URLs as having a secure transport, because they don't expose data to the network and are not vulnerable to MitM (ignoring local network shares, but that's really a burden for the OS).

yeah, fwiw the full context was about chrome extensions not being able to talk to localhost. I used but I now realize it's not really the same.

Summary: shouldn't be treated as Mixed Content from Apps / Extensions (was: shouldn't be treated as Mixed Content)
Labels: -Cr-Blink Cr-Blink-SecurityFeature

Comment 7 by, Feb 23 2017

Status: Fixed (was: Untriaged)
We no longer consider `` mixed content. We do aim to make it harder to talk to in the future, but MIX is the wrong place to do it.
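
The transport rule stated in comment 3 (localhost and file URLs count as having a secure transport), written out as an added example. This is not Chromium's code; the function names and the exact set of hosts treated as loopback (`localhost`, `*.localhost`, 127.0.0.0/8, `[::1]`) are assumptions.

```javascript
// Added example, not Chromium's implementation. All names are hypothetical.
// It only answers "is this request mixed content?"; whether a public page may
// reach local resources at all is a separate policy (comments 3 and 7).

// Assumption: "localhost" means the names localhost / *.localhost,
// the IPv4 block 127.0.0.0/8 and the IPv6 address ::1.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true; // URL.hostname keeps the brackets
  // For http/ws the URL parser has already canonicalised IPv4 spellings such
  // as 0x7f.1, so an anchored dotted-quad match is enough here.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 127;
}

// True when the request does not expose data to the network in clear text.
function hasSecureTransport(url) {
  const u = new URL(url);
  switch (u.protocol) {
    case 'https:':
    case 'wss:':
    case 'file:':
      return true;
    case 'http:':
    case 'ws:':
      return isLoopbackHost(u.hostname);
    default:
      return false;
  }
}

// Mixed content: a page loaded over HTTPS requesting over an insecure transport.
function isMixedContent(pageUrl, requestUrl) {
  return new URL(pageUrl).protocol === 'https:' && !hasSecureTransport(requestUrl);
}
```

Matching on the parsed hostname rather than on the raw string is what keeps look-alike names such as `localhost.example.com` from being treated as loopback.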