MixedContentChecker::handleCertificateErrors() does not downgrade lock icon for active broken-https subresource loads in iframes
Issue description

Suppose https://a.com frames https://b.com which loads a script from https://expired.badssl.com (for which a user has previously clicked through an SSL warning). MixedContentChecker::handleCertificateErrors() will notify the browser about a broken-https subresource load on the subresource's effective frame (in this case, https://b.com), so the browser will mark b.com as having run insecure content. If b.com were the top-level frame, this would mean that the page would get marked with a red slashy lock icon. However, since b.com is not the top-level frame, a.com goes unmarked and the lock icon doesn't change.

When a subresource loads over broken-https, we should mark all ancestors in the frame tree as having run insecure content, so that all the origins in the frame tree get marked with a red slashy lock icon.
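The marking behaviour described in this report, as a simplified frame-tree model added here for illustration. It is not Chromium's code: `Frame`, `NotifyEffectiveFrameOnly`, `NotifyFrameAndAncestors`, `TopLevelShowsBrokenLock` and `LockDowngradedAfter` are hypothetical names, and the model assumes the lock icon reflects only the top-level frame's state.

```cpp
// Added illustration: a simplified frame-tree model, not Chromium source.
// All type and function names here are hypothetical.
#include <iostream>
#include <string>
#include <utility>

struct Frame {
  std::string origin;
  Frame* parent;  // nullptr for the top-level frame
  bool ran_insecure_content;
  explicit Frame(std::string o, Frame* p = nullptr)
      : origin(std::move(o)), parent(p), ran_insecure_content(false) {}
};

// Reported behaviour: only the subresource's effective frame is marked.
void NotifyEffectiveFrameOnly(Frame& effective) {
  effective.ran_insecure_content = true;
}

// Requested behaviour: mark the effective frame and every ancestor.
void NotifyFrameAndAncestors(Frame& effective) {
  for (Frame* f = &effective; f != nullptr; f = f->parent)
    f->ran_insecure_content = true;
}

// Assumption: the lock icon is driven by the top-level frame's flag.
bool TopLevelShowsBrokenLock(const Frame& frame) {
  const Frame* top = &frame;
  while (top->parent != nullptr) top = top->parent;
  return top->ran_insecure_content;
}

// Builds a.com -> b.com, reports a broken-https script load in b.com using
// the given notification strategy, and returns whether the lock downgraded.
bool LockDowngradedAfter(void (*notify)(Frame&)) {
  Frame a("https://a.com");
  Frame b("https://b.com", &a);
  notify(b);
  return TopLevelShowsBrokenLock(b);
}

int main() {
  std::cout << std::boolalpha << "effective frame only: "
            << LockDowngradedAfter(NotifyEffectiveFrameOnly) << "\n"
            << "frame and ancestors:  "
            << LockDowngradedAfter(NotifyFrameAndAncestors) << "\n";
}
```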
Oct 6 2017
This seems to have gotten fixed in a refactor in which we started using the top-level frame's origin.
Jan 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Jun 9 2016