Issue 650855 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 616204
Owner: ----
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Compat




Mixed content is incorrectly blocked on some pages

Project Member Reported by bjohn...@brave.com, Sep 27 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17

Example URL:
https://www.gq.com

Steps to reproduce the problem:
1. Go to https://www.gq.com
2. http images are incorrectly blocked regardless of mixed content settings

What is the expected behavior?
passive mixed content should be displayed by default

What went wrong?
It appears that some of the images are somehow bypassing the `blink::WebContentSettingsClient` callback.
If I add some logging I see `http://media.gq.com/photos/57ea9c5a436f78925d2b2837/3:2/w_1000/prince-of-fashion.jpg` is accepted by `allowDisplayingInsecureContent`, but `http://media.gq.com/photos/57ea9c5a436f78925d2b2837/1:1/w_288/prince-of-fashion.jpg` is blocked and never appears in the logs.

Does it occur on multiple sites: N/A

Is it a problem with a plugin? No 

Did this work before? N/A 

Does this work in other browsers? Yes 

Chrome version: 53.0.2785.116 (Official Build) (64-bit)  Channel: stable
OS Version: OS X 10.11.5
Flash Version: 

appears to also be broken on 52.x, but not sure before that
 

Comment 1 by shrike@chromium.org, Sep 27 2016

Components: Internals>Sandbox>SiteIsolation

Comment 2 by nasko@chromium.org, Sep 27 2016

Cc: mkwst@chromium.org nasko@chromium.org est...@chromium.org
Components: -Internals>Sandbox>SiteIsolation Blink>SecurityFeature
This seems orthogonal to Site Isolation, so putting a Blink>SecurityFeature label and some knowledgeable folks.

Comment 3 by est...@chromium.org, Sep 27 2016

Cc: f...@chromium.org
Mergedinto: 616204
Status: Duplicate (was: Unconfirmed)
Hi, thanks for the report! I'm looking at this and it seems that the blocked images are loaded from srcsets. This is therefore both a duplicate of an open issue and working as intended. :) That is, it was decided in issue 390158 and the thread linked therein that srcsets should be blocked as active mixed content. The reasoning there, as I understand it, is more-or-less "if we can get away with blocking a type of mixed content, we should block it."

On the other hand, this is confusing to developers and I know felt@ feels differently: see issue 616204.

I'm going to dup this into issue 616204, though the decision on that might turn out to be working as intended/specified.
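
Added example (not part of the original thread and not Chromium code): a Python audit that lists the `http://` image URLs referenced by an HTTPS page and labels each with the handling this thread describes, `src` displayed as passive mixed content and `srcset` candidates blocked. The sample markup and the `example.test` hosts are constructed, and the simplified srcset splitter ignores parenthesised descriptors.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def srcset_urls(value):
    """Return candidate URLs from a srcset value; URLs may contain commas."""
    urls, pos, n = [], 0, len(value)
    while pos < n:
        while pos < n and (value[pos].isspace() or value[pos] == ","):
            pos += 1                      # skip separators before a candidate
        start = pos
        while pos < n and not value[pos].isspace():
            pos += 1                      # a URL runs up to the next whitespace
        url = value[start:pos]
        if not url:
            break
        if url.endswith(","):
            url = url.rstrip(",")         # candidate without descriptors
        else:
            comma = value.find(",", pos)  # skip descriptors such as "288w"
            pos = n if comma == -1 else comma + 1
        urls.append(url)
    return urls

class MixedImageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []                # (attribute, absolute URL, handling)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src":
                candidates = [value or ""]
            elif name == "srcset":
                candidates = srcset_urls(value or "")
            else:
                continue
            for url in candidates:
                absolute = urljoin(self.page_url, url.strip())
                if urlsplit(absolute).scheme == "http":
                    # Handling as described in this thread, not a general rule.
                    handling = "blocked" if name == "srcset" else "displayed"
                    self.findings.append((name, absolute, handling))

def audit(page_url, html):
    """List insecure image references on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                         # mixed content only applies to HTTPS pages
    parser = MixedImageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Any `srcset` finding is a candidate the page should serve over HTTPS, since per comment 3 it is blocked regardless of the mixed content setting.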
