The page load in the actual result has mixed content, as can be seen from the third icon in the Security panel overview. The security state is working as expected in this case.

Large sites like Twitter often have non-deterministic mixed content; there's nothing to do on our end.

Actually, I can reproduce this on Canary now. It requires opening DevTools *after* opening Twitter.

There does seem to be mixed content, but the fact that it shows up exactly when you open DevTools makes this a bit tricky to debug.

Deleted: Screen Shot 2016-06-29 at 01.15.15.png 35.9 KB

	Screen Shot 2016-06-29 at 01.15.15.png 35.9 KB View Download

Adding RB label as this is a recent regression.

rkote: It is completely impossible that r401380 is the cause. That CL only touched unit tests.

https://chromium.googlesource.com/chromium/src/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e is much more likely. Tossing to mkwst. Also mixed content is usually your area anyway.

@mkwst: Hey, would you mind providing an update on the above issue ?

As this is reproducible on latest canary '54.0.2787.0' .

Thank you!

https://chromium.googlesource.com/chromium/src/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e should have relaxed processing, so I'd be a tiny bit surprised if it caused this error. But, who knows. I'll take a look. :)

It was indeed my fault. Patch is up at https://codereview.chromium.org/2123463002.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c6a3b5007b8aa2dbe513411b030032fef42b5b66

commit c6a3b5007b8aa2dbe513411b030032fef42b5b66
Author: mkwst <mkwst@chromium.org>
Date: Mon Jul 04 09:45:14 2016

`about:blank` is not mixed content.

The refactoring in [1] broke our handling of `about:blank` by moving from
`SecurityOrigin::isSecure(url)` to `SecurityOrigin::create(url)`. The
latter treats contextually-bound URLs like `about:blank` as unique security
origins, which I completely missed when writing tests.

This patch corrects the error, and adds a unit test that I should have
added a long time ago. :)

[1]: https://chromium.googlesource.com/chromium/src/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

BUG= 624275 
R=yoav@yoav.ws

Review-Url: https://codereview.chromium.org/2123463002
Cr-Commit-Position: refs/heads/master@{#403655}

[modify] https://crrev.com/c6a3b5007b8aa2dbe513411b030032fef42b5b66/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/c6a3b5007b8aa2dbe513411b030032fef42b5b66/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp

Looks like this made it in for the branch, closing it out.

Ah, no. I'm wrong. :) Requesting a merge to 53. What say ye, oh great and powerful release managers?

Your change meets the bar and is auto-approved for M53 (branch: 2785)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0d2188b5c55d4ad2014b93682f5d1ace3008846b

commit 0d2188b5c55d4ad2014b93682f5d1ace3008846b
Author: Mike West <mkwst@google.com>
Date: Wed Jul 06 10:52:28 2016

`about:blank` is not mixed content.

The refactoring in [1] broke our handling of `about:blank` by moving from
`SecurityOrigin::isSecure(url)` to `SecurityOrigin::create(url)`. The
latter treats contextually-bound URLs like `about:blank` as unique security
origins, which I completely missed when writing tests.

This patch corrects the error, and adds a unit test that I should have
added a long time ago. :)

[1]: https://chromium.googlesource.com/chromium/src/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e

BUG= 624275 
R=yoav@yoav.ws

Review-Url: https://codereview.chromium.org/2123463002
Cr-Commit-Position: refs/heads/master@{#403655}
(cherry picked from commit c6a3b5007b8aa2dbe513411b030032fef42b5b66)

Review URL: https://codereview.chromium.org/2126753003 .

Cr-Commit-Position: refs/branch-heads/2785@{#23}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/0d2188b5c55d4ad2014b93682f5d1ace3008846b/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/0d2188b5c55d4ad2014b93682f5d1ace3008846b/third_party/WebKit/Source/core/loader/MixedContentCheckerTest.cpp

Verified the issue on Mac 10.11.5,Ubuntu 14.04 and Win 7 using 53.0.2785.8 and its working fine.Please find the attached screen shot for the same.

Deleted: 624275_July_7.png 37.6 KB

	624275_July_7.png 37.6 KB View Download

Adding the TE-Verified Labels as per # 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9d34b4a2d425b25bdf90e9bf785cd7132f73037

commit c9d34b4a2d425b25bdf90e9bf785cd7132f73037
Author: carlosk <carlosk@chromium.org>
Date: Mon Jul 18 15:45:33 2016

Small improvements to MixedContentChecker.

Just a couple of improvements to MixedContentChecker:
- Remove uneeded check for data protocol: it's already included in the protocols
checked in SecurityOrigin::isSecure.
- Improved check for localhost by name to be more complete.

BUG= 607878 , 624275 

Review-Url: https://codereview.chromium.org/2151473002
Cr-Commit-Position: refs/heads/master@{#406000}

[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/platform/network/NetworkUtils.cpp
[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/platform/network/NetworkUtils.h
[modify] https://crrev.com/c9d34b4a2d425b25bdf90e9bf785cd7132f73037/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp