Custom Schemes cause "This content should also be served over HTTPS" error
Reported by
ed.go...@gmail.com,
Jun 17 2016
|
|||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 Steps to reproduce the problem: 1. Visit https://jsfiddle.net/g9wrh3ds/2/ 2. Verify that jsfiddle.net has an HTTPS certificate 3. Click the link. On a mobile device with WhatsApp installed, the app should open. On a desktop, I currently get nothing. In either case (WhatsApp opening or on desktop), the jsfiddle.net certificate warning shows and a console error appears with the message: Mixed Content: The page at 'https://jsfiddle.net/g9wrh3ds/' was loaded over HTTPS, but requested an insecure resource 'whatsapp://send?text=Hello'. This content should also be served over HTTPS. What is the expected behavior? No mixed content warning, and the certificate stays green. What went wrong? The whatsapp scheme was marked as insecure. Did this work before? Yes < 3 months ago Chrome version: 51.0.2704.84 Channel: stable OS Version: OS X 10.11.5 Flash Version: Shockwave Flash 21.0 r0 I've tested with Chrome 51.0.2704.84 (desktop) and 51.0.2704.84 (mobile). Firefox and Safari both have different behaviours regarding the custom protocol (which is fine and somewhat expected), but neither mark the certificate as insecure.
,
Jun 19 2016
Hi, thanks for the report! Is there any difference between the issue you're reporting and issue 422213? They seem to me to be the same. Which is odd because it seems like that issue should have been fixed back in https://codereview.chromium.org/657353002. I'm removing the security labels from this because the browser is failing closed (not opening the app and showing a warning message), which does not present a security risk to users.
,
Jun 19 2016
Sorry, that was bad tagging on my part! I think that issue 422213 refers to using a custom scheme with an iframe (the example given is <iframe src="bankapp://foobar" />. I also assumed that that specific issue was fixed, hence me seeing problems now. Having said that, I think I can still confirm that issue as well with this example use case: https://jsfiddle.net/vnvp988s/ Happy for the two to be merged and I can add more detailed repro steps to the other issues as well.
,
Jan 5 2017
Was this issue ever merged into 422213? I too am seeing this (mixed content warnings related to custom protocols).
,
Feb 14 2017
I see a console warning, not a console error. That is, the framed resource will load correctly, but we'll degrade the UI. Is that the behavior you're seeing as well?
,
Mar 5 2017
Sorry for the slow response - yes, I'm seeing a console warning but I'm also seeing the SSL cert green bar removed. I've attached a before and after screenshot (the blurred out content is just to make it clearer, not to actually hide anything). The url is the same as in the original post (https://jsfiddle.net/g9wrh3ds/2/)
,
Nov 10 2017
,
Feb 18 2018
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ed.go...@gmail.com
, Jun 17 2016