
Issue 605167


Issue metadata

Status: WontFix
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug
Team-Security-UX




The lock icon should not be green on a mixed content page on iOS

Reported by chromium...@gmail.com, Apr 20 2016

Issue description

Chrome Version       : 49.0.2623.109
OS                   : iOS

What steps will reproduce the problem?
(1) Visit https://mixed.badssl.com
(2) Note the lock icon is green as in result.png

What is the expected result?
The lock icon should not be green, as in screenshot-android.png

 
Attachments: result.jpg (33.0 KB), screenshot-android.jpg (41.0 KB)
Cc: eugene...@chromium.org
Components: Security>UX
Cc: -eugene...@chromium.org
Labels: -Pri-3 M-51 OS-iOS Pri-1
Owner: eugene...@chromium.org
Status: Assigned (was: Unconfirmed)
Confirmed; definitely a regression: https://docs.google.com/document/d/1Z7HL9q2Rk9c_BZIjxfuJmuqmUifytT-jfvrJs-lWDE8/edit#heading=h.nz6p0ppeaij8

M50 might be soon, but could you look into it, Eugene?
Cc: eugene...@chromium.org justincohen@chromium.org
Labels: ReleaseBlock-Stable M-50 Restrict-View-SecurityNotify
Owner: lgar...@chromium.org
web// correctly reports ContentStatus as DISPLAYED_INSECURE_CONTENT. The bug seems to be in the omnibox padlock. Assigning to Lucas, who should be more aware of recent changes in the padlock code.

Adding M50 and M51 RBS, as it may be worth including the fix in a respin.
I haven't touched anything, but I'll take a look.

Do we need Restrict-View-SecurityNotify for this?
>> Do we need Restrict-View-SecurityNotify for this?
I'm not sure about this. I saw this label on other security bugs, that's why I added it here.
Labels: -Restrict-View-SecurityNotify Restrict-View-SecurityTeam
Restrictions don't seem necessary to me in this case, but I'll leave it to someone more familiar with this to decide. If we're treating this as a vulnerability, it should have Restrict-View-SecurityTeam and type Bug-Security.

Restrict-View-SecurityNotify is generally only applied by automated tools, and should only be used on fixed bugs.

Comment 7 Deleted

I've verified on M50 using https://mixed.badssl.com and it seems to be fixed, but when I use https://sha1-2016.badssl.com/ and https://sha1-2017.badssl.com/ the lock icon is still green.

Attachments: result-1.jpg (79.2 KB), result-2.jpg (62.3 KB)
Interestingly, I can't reproduce on Chrome 50.0.2661.77/iOS 9.3 on iPad.
Attachment: IMG_0042.png (210 KB)
Status: WontFix (was: Assigned)
Oh, as noted in comment #8, this also appears to be fixed on iPhone for Chrome 50. Seems everything is working as intended.

The SHA-1 domains are a known problem on iOS because of WKWebView API limitations.
Labels: -Restrict-View-SecurityTeam
Summary: The lock icon should not be green on a mixed content page on iOS (was: The lock icon should not be green of a mixed content page on iOS)
Components: -Security>UX Internals>PageSecurityState
