mixed content infobar doesn't appear
Issue description

we're supposed to show a mixed content infobar for pages like https://rawgit.com/google/WebFundamentals/master/src/content/en/fundamentals/security/prevent-mixed-content/_code/passive-mixed-content.html (best I can tell, it's been broken for 2 years, since crrev.com/64ffefaba14b831)

I have a patch to fix it here[1] but the alternative would be to just remove the infobar, since apparently no one even notices when it's absent for years.
Jul 18 2016
I thought I could trigger this infobar (with the patch applied) on Friday but now I find I have to pass a flag. This command line does the trick:

`./out/Release/chrome --no-displaying-insecure-content https://www.bennish.net/mixed-content.html`

But given that (a) we don't care to show this by default, (b) it hasn't worked for 2 years, (c) we now have a somewhat related page action/bubble, and (d) we removed the mixed content warning omnibox icon in M46, it seems pretty likely we just want to remove this infobar?

+felt please advise.
Jul 19 2016
The passive mixed content infobar was deprecated a long time ago, I believe intentionally. It ceased to be displayed before I joined the team ~3 yrs ago. I don't know why the code was never deleted. +tsepez, I have an extremely vague memory of you(?) telling me in 2012 why the code wasn't deleted when I asked about it. Do you happen to know what I'm talking about?
Jul 19 2016
My recollection: We removed the infobar for active content a long time ago, in favor of a much simpler UI. However, for passive content, the presence of the --no-displaying flag is an unusual condition, and may cause pages to render improperly, so we wanted to give a strong hint that the reason your page may not look right was your flag -- and not the site owner. I'd be fine with just removing it all together, if you'd like. Do we have a UMA on how often the flag is used? The flag could probably be removed, too.
Jul 19 2016
s/all together/altogether/ sheesh.
Jul 19 2016
> Do we have a UMA on how often the flag is used? The flag could probably be removed, too.

I don't know but if we actually want to support this shouldn't it be something besides a flag? An option in chrome://settings, a pref settable via policy, etc.

I see zero instances of INSECURE_CONTENT_INFOBAR_DELEGATE in the InfoBar.Shown histogram for any date range. I'm in favor of deleting the flag as well as the infobar.
Jul 19 2016
I'm also in favor of deleting both the flag and the infobar. If we really wanted to support this for end users, we would surface it somewhere. Perhaps there is some testing case where this is used that I'm not aware of, though. estade@, could you ping security-dev@chromium.org with notice that this is being removed when you do it, just to give a heads up to anyone whose use case is being broken?
Jul 19 2016
ah, I almost forgot the point of this bug... the infobar is broken and has been for two years. That's why there are exactly zero instances of it showing up. Thus I don't think anyone could rely on its existence, even for testing. I'll send an email just to be sure.
Jul 19 2016
i mean the flag-- someone could still be using the flag for testing, even if there is no infobar
Jul 19 2016
(since the infobar has been busted forever i agree no one cares about the infobar & no notice is needed for that)
Jul 19 2016
Sure, and I did find at least one test that uses it (SSLUITestBlock), so i'll have to investigate if it's still needed for that purpose.
Jul 20 2016
We have `--enable-strict-mixed-content-checking`, which encompasses the behavior (minus infobar) of `--no-displaying-insecure-content`. I'm all for removing the latter.
Jul 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/76fe1a62ccf75926531c6db9a434514846c20a63

commit 76fe1a62ccf75926531c6db9a434514846c20a63
Author: estade <estade@chromium.org>
Date: Tue Jul 26 17:06:43 2016

Remove InsecureContentInfobarDelegate, which has been broken for a while anyway and was only available behind a flag. Also remove said flag (--no-displaying-insecure-content)

Originally it was used for all mixed content but a while ago it was constrained to passive mixed content (i.e. display of insecure content).

BUG= 628812
Review-Url: https://codereview.chromium.org/2167513002
Cr-Commit-Position: refs/heads/master@{#407833}

[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/browser/infobars/infobar_service.cc
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/browser/infobars/infobar_service.h
[delete] https://crrev.com/f49dfc99b3f56809c450a79446bec728e0ca7cef/chrome/browser/infobars/insecure_content_infobar_delegate.cc
[delete] https://crrev.com/f49dfc99b3f56809c450a79446bec728e0ca7cef/chrome/browser/infobars/insecure_content_infobar_delegate.h
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/browser/prefs/command_line_pref_store.cc
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/chrome_browser.gypi
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/common/chrome_switches.cc
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/common/chrome_switches.h
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/renderer/content_settings_observer.cc
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/chrome/renderer/content_settings_observer.h
[modify] https://crrev.com/76fe1a62ccf75926531c6db9a434514846c20a63/components/content_settings/content/common/content_settings_messages.h
Jul 26 2016
filed 631525 for additional cleanup.
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label
May 19 2017
Issue 350440 has been merged into this issue.
Comment 1 by est...@chromium.org, Jul 16 2016