
Issue 652249

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All , Chrome , Mac
Pri: 3
Type: Bug
Team-Security-UX

No mixed-content warning when favicon is http

Reported by paulschr...@gmail.com, Oct 3 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.34 Safari/537.36

Steps to reproduce the problem:
The favicon on our HTTPS site redirects to an HTTP URL. (Yes, we will fix this.)

$ curl -i https://site.com/favicon.ico
HTTP/1.1 301 Moved Permanently
...
Location: http://0.gravatar.com/blavatar/2a2b628e813bd94080c4b8714f73bfcd?s=16

Chrome does not display a mixed-content warning in the console as I would have expected. It does show the (i) instead of the lock in the address bar.

What is the expected behavior?
- i icon in address bar
- Mixed-content warning in console
- Details in security pane

What went wrong?
- i icon in address bar
- NO Mixed-content warning in console
- NO Details in security pane

Did this work before? N/A 

Chrome version: 54.0.2840.34  Channel: n/a
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 23.0 r0
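The report's case is an https:// favicon whose 301 Location points at http://, which is mixed content even though the final response is a valid image. As an added example (not code from the issue or from Chromium), this audits a subresource redirect chain hop by hop and flags any non-https hop loaded from an https page; the site.example/cdn.example URLs and the canned responses are constructed for the demonstration.

```python
"""Audit a favicon (or any subresource) redirect chain for mixed content."""
from urllib.parse import urljoin, urlsplit
from urllib.request import Request, build_opener, HTTPRedirectHandler
from urllib.error import HTTPError

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(HTTPRedirectHandler):
    # Stop urllib from following redirects so every hop is visible to us.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_hop(url, timeout=10):
    """Fetch one URL without following redirects; return (status, Location)."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # 3xx surfaces here once redirects are disabled
        return err.code, err.headers.get("Location")


def audit_chain(page_url, resource_url, fetch=fetch_hop, max_hops=10):
    """Follow redirects from resource_url; return (hops, insecure_hops).

    A hop is insecure when the embedding page is https and the hop is not,
    regardless of what the final response contains (the favicon in the
    report was a valid image served over plain http).
    """
    hops, url = [], resource_url
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        break
    page_is_https = urlsplit(page_url).scheme == "https"
    insecure = [u for u, _ in hops if page_is_https and urlsplit(u).scheme != "https"]
    return hops, insecure


# Constructed responses mirroring the report (hypothetical hosts, no network).
SAMPLE_RESPONSES = {
    "https://site.example/favicon.ico": (301, "http://cdn.example/icon/abc?s=16"),
    "http://cdn.example/icon/abc?s=16": (200, None),
    "https://secure.example/favicon.ico": (302, "/static/icon.ico"),
    "https://secure.example/static/icon.ico": (200, None),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]
```

Call `audit_chain("https://site.example/", "https://site.example/favicon.ico", fetch=sample_fetch)` to see the http hop reported; omit `fetch=` to run against a live host.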
 
Components: -UI Security Internals>Network>HTTP
Labels: M-54 Needs-Bisect
Components: -Internals>Network>HTTP Blink>SecurityFeature
Components: -Security Security>UX
Cc: sureshkumari@chromium.org
Labels: -Needs-Bisect Needs-Feedback
Executed the following command in MAC terminal “curl -i http://0.gravatar.com/blavatar/2a2b628e813bd94080c4b8714f73bfcd?s=16” and got the following output

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 04 Oct 2016 13:22:22 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 11078
Connection: keep-alive
Last-Modified: Mon, 11 Jan 2016 19:39:06 GMT
Link: <https://www.gravatar.com/blavatar/2a2b628e813bd94080c4b8714f73bfcd?s=16>; rel="canonical"
Content-Disposition: inline; filename="2a2b628e813bd94080c4b8714f73bfcd.ico"
Access-Control-Allow-Origin: *
X-nc: HIT sin 2
Accept-Ranges: bytes
Expires: Tue, 04 Oct 2016 13:27:22 GMT
Cache-Control: max-age=300
Source-Age: 1034174

In this we observed that the link generated is displayed in https; request you to please help us if we have followed the correct way, else could you please provide more details on the same.


Comment 5 by f...@chromium.org, Oct 4 2016

Cc: lgar...@chromium.org est...@chromium.org
Status: Available (was: Unconfirmed)
This is odd, somehow we are ending up with mixed-content UI in the omnibox but not on DevTools. Maybe it has something to do with the redirect, but I wouldn't expect the SecurityStateModel to be able to do this -- it should be providing the same state in all three places.
If the favicon was cached, this is Issue 611731.
Components: -Blink>SecurityFeature -Security>UX Internals>PageSecurityState
Labels: -Pri-2 -Needs-Feedback -M-54 OS-Chrome OS-All Pri-3

Comment 8 by est...@chromium.org, Dec 13 2016

Components: -Internals>PageSecurityState Platform>DevTools>Security
Status: WontFix (was: Available)
I can't reproduce in 57.0.2950.4 on https://mixed-favicon.badssl.com. Please let me know if you can still reproduce on canary and we can reopen this bug.
I'm seeing a mixed-content warning with 55.0.2883.95 https://www.npr.org/player/embed/505512664/505512665