
Issue 607824


Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Mixed scripts blocked applied before HSTS

Reported by ole...@olegon.ru, Apr 29 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36

Example URL:
http://inima.org

Steps to reproduce the problem:
1. Go to a site with included http scripts
2. Scripts blocked

curl -I https://inima.org
HTTP/1.1 200 OK
.......
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

What is the expected behavior?
Correct rendering of site pages, even scripts in http-links

What went wrong?
All scripts and CSS blocked

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? Yes, I suppose about a year ago

Does this work in other browsers? Yes 

Chrome version: 50.0.2661.86  Channel: stable
OS Version: Fedora 23
Flash Version: Shockwave Flash 21.0 r0

See the attachment: the page didn't render correctly when cached http links appeared... In FF it's no problem...

Attachment: Selection_052.png (543 KB)

Comment 1 by yutak@chromium.org, Apr 29 2016

Components: -Blink Internals>Network Blink>SecurityFeature
Not clear if this is due to Blink or net...

Comment 2 by ole...@olegon.ru, Apr 29 2016

And the example URL is HTTPS://inima.org, not http, of course... Sorry.

Components: -Internals>Network Internals>Network>SSL
Cc: mkwst@chromium.org
Status: WontFix (was: Unconfirmed)
HSTS does not avoid mixed scripting warnings in Chrome or any other browser. It's not supposed to work that way.

You can look into the upgrade-insecure-requests (+mkwst) feature which is supported by Firefox, Chrome, and Opera:
https://w3c.github.io/webappsec-upgrade-insecure-requests/
http://caniuse.com/#feat=upgradeinsecurerequests

Though it won't resolve mixed content issues on browsers that don't support this, so I would still suggest working towards ultimately fixing the links on your site.

Comment 5 by ole...@olegon.ru, Apr 30 2016

Excuse me, but this is not a warning... This is blocked content... And in Chrome and FF it's displayed correctly... In the screenshot above all scripts and CSS are ignored...

That's correct - as the spec David mentioned says, active content like scripts is blocked if included as HTTP URLs. HSTS is applied after, not before, mixed content blocking.

Yes, sorry, I mis-spoke when I said "warning". I meant both the mixed scripting warnings (for passive content) and the blocking (for active content). Both are, per spec, applied before HSTS.

Summary: Mixed scripts blocked applied before HSTS (was: Ignored Strict-Transport-Security header)
Changing the title to be about what's actually going on.
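The ordering the last few comments describe (upgrade-insecure-requests and mixed content blocking are evaluated on the request before any HSTS rewrite, so HSTS alone cannot rescue an http:// script on an https:// page) is easy to get wrong when diagnosing a site like the reporter's. The following Python model is an added example, not Chromium code or anything posted in this thread; it assumes a simplified fetch pipeline (no port rewriting, a fixed set of resource types, parameters named `csp_header` and `hsts_hosts` that are my own), and the URLs are constructed sample input using the reporter's host:

```python
"""Model of a browser's subresource fetch decision for one request.

Added example (not Chromium's implementation). It models only the ordering
stated in the bug thread: CSP upgrade-insecure-requests and mixed content
blocking act on the request first; the HSTS rewrite is reached only by a
request that survived those checks.
"""
from urllib.parse import urlsplit, urlunsplit

# Resource types the Mixed Content spec treats as "blockable" (active content)
# versus "optionally-blockable" (passive content, fetched with a warning).
# The sets are an assumption of this model, trimmed to common cases.
BLOCKABLE = frozenset({"script", "style", "iframe", "xhr", "fetch", "font", "worker"})
OPTIONALLY_BLOCKABLE = frozenset({"image", "audio", "video"})


def csp_upgrades_insecure_requests(csp_header):
    """True if a Content-Security-Policy header value carries the
    upgrade-insecure-requests directive (directive names are case-insensitive)."""
    if not csp_header:
        return False
    directives = {
        d.strip().split()[0].lower() for d in csp_header.split(";") if d.strip()
    }
    return "upgrade-insecure-requests" in directives


def decide_fetch(page_url, resource_url, resource_type, csp_header="",
                 hsts_hosts=frozenset()):
    """Decide what happens to one subresource request. Returns (outcome, url).

    hsts_hosts: hostnames for which the browser has cached an HSTS entry
    (constructed input; a real browser also consults the preload list).
    """
    page = urlsplit(page_url)
    res = urlsplit(resource_url)
    secure_page = page.scheme == "https"
    outcome = "fetched"

    # 1. CSP upgrade-insecure-requests rewrites http:// to https:// before the
    #    mixed content check sees the request, so the request never counts
    #    as mixed content.
    if secure_page and res.scheme == "http" and csp_upgrades_insecure_requests(csp_header):
        res = res._replace(scheme="https")
        outcome = "upgraded-by-csp"

    # 2. Mixed content check on the (possibly still http://) request URL.
    #    Nothing about HSTS has been consulted yet.
    if secure_page and res.scheme == "http":
        if resource_type in OPTIONALLY_BLOCKABLE:
            return ("allowed-with-warning", urlunsplit(res))
        # Active content, and anything not explicitly passive, is blocked.
        return ("blocked-mixed-content", urlunsplit(res))

    # 3. HSTS rewrite: only a request that was not blocked gets here, which is
    #    why an HSTS header on the site does not unblock http:// scripts.
    if res.scheme == "http" and res.hostname in hsts_hosts:
        return ("upgraded-by-hsts", urlunsplit(res._replace(scheme="https")))

    return (outcome, urlunsplit(res))


def reproduce_thread():
    """Run the four cases discussed in the bug; inputs are constructed."""
    hsts = frozenset({"inima.org"})  # site sends Strict-Transport-Security
    return {
        # Reporter's situation: https page, http script, HSTS present -> blocked.
        "hsts_only": decide_fetch("https://inima.org/", "http://inima.org/app.js",
                                  "script", hsts_hosts=hsts),
        # Suggested fix from the thread: upgrade-insecure-requests -> upgraded.
        "with_csp": decide_fetch("https://inima.org/", "http://inima.org/app.js",
                                 "script", csp_header="upgrade-insecure-requests",
                                 hsts_hosts=hsts),
        # Passive content: still fetched, but with a mixed content warning.
        "passive": decide_fetch("https://inima.org/", "http://inima.org/logo.png",
                                "image", hsts_hosts=hsts),
        # Plain http page: no mixed content check, so HSTS does the upgrade.
        "http_page": decide_fetch("http://inima.org/", "http://inima.org/app.js",
                                  "script", hsts_hosts=hsts),
    }


if __name__ == "__main__":
    for name, (outcome, url) in reproduce_thread().items():
        print(f"{name:10s} {outcome:24s} {url}")
```

The useful takeaway for a site owner is in the first two cases: the HSTS header changes nothing for the blocked script, while `Content-Security-Policy: upgrade-insecure-requests` turns the same request into an https:// fetch before the mixed content check runs. As the thread notes, browsers without that directive still block the script, so rewriting the links themselves remains the durable fix.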
