Issue 657739

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug



Progressive web app install banner is shown despite mixed content

Reported by andre...@opera.com, Oct 20 2016

Issue description

Steps to reproduce the problem:
1. Go to chrome://flags#bypass-app-banner-engagement-checks and Enable + relaunch.
2. Go to https://app.kompas.com
3. Note the lack of a padlock in the address bar, because of mixed content.

What is the expected behavior?
App install banner should not be shown, because the page is not secure.

What went wrong?
App install banner is shown. 

(additionally, the installed web app is shown in standalone mode, which is an issue on its own, given the mixed content)

Did this work before? N/A 

Does this work in other browsers? N/A

Chrome version: 55.0.2883.18  Channel: n/a
OS Version: Android 7.0.0
Flash Version:
 
Cc: krav...@chromium.org
Labels: triage-te
Labels: -triage-te
Owner: dfalcant...@chromium.org
Status: Assigned (was: Unconfirmed)
Labels: M-55
Owner: dominickn@chromium.org
We currently just check whether the origin is secure, and not if the page as a whole is secure. You're probably right, we should make this test more strict.
Status: Started (was: Assigned)
Project Member

Comment 7 by bugdroid1@chromium.org, Jan 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/24f1eede17d4d2515fb0fb0d168f8a35cef9a851

commit 24f1eede17d4d2515fb0fb0d168f8a35cef9a851
Author: dominickn <dominickn@chromium.org>
Date: Tue Jan 17 03:37:40 2017

Ensure the entire page is secure for PWAs.

This CL changes app banners and WebAPKs to use SecurityTabHelper to
check the entire page's security level, rather than just the top level
origin. This makes the secure origin requirement more rigorous, and
prevents sites with mixed content warnings from erroneously being
permitted to display banners and install WebAPKs.

Localhost is whitelisted to ensure local machine development is not
blocked.

BUG= 657739 

Review-Url: https://codereview.chromium.org/2630523002
Cr-Commit-Position: refs/heads/master@{#443979}

[modify] https://crrev.com/24f1eede17d4d2515fb0fb0d168f8a35cef9a851/chrome/browser/android/webapps/add_to_homescreen_manager.cc
[modify] https://crrev.com/24f1eede17d4d2515fb0fb0d168f8a35cef9a851/chrome/browser/banners/app_banner_manager.cc
[modify] https://crrev.com/24f1eede17d4d2515fb0fb0d168f8a35cef9a851/chrome/browser/installable/installable_manager.cc
[modify] https://crrev.com/24f1eede17d4d2515fb0fb0d168f8a35cef9a851/chrome/browser/installable/installable_manager.h
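
The difference between the origin-only check and the whole-page check described in the commit above, as an added JavaScript sketch that is not Chromium code. The function names, the loopback host list and the sample pages are assumptions constructed for illustration, and any `http:` or `ws:` subresource on an HTTPS page is treated as mixed content.

```javascript
// Added illustration, not Chromium source. All names here are hypothetical.

// Hosts treated as local development (assumption: the usual loopback names).
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function isLocalhost(url) {
  return LOCAL_HOSTS.has(new URL(url).hostname);
}

// Behaviour before the fix: only the top-level origin is examined.
function originOnlyCheck(page) {
  return new URL(page.url).protocol === "https:" || isLocalhost(page.url);
}

// Subresources an HTTPS document loads over a non-secure scheme.
function mixedContent(page) {
  if (new URL(page.url).protocol !== "https:") return [];
  return page.subresources.filter((ref) => {
    const u = new URL(ref, page.url); // resolves relative and //host URLs
    return u.protocol === "http:" || u.protocol === "ws:";
  });
}

// Behaviour after the fix: the whole page must be secure; localhost is exempt.
function wholePageCheck(page) {
  if (isLocalhost(page.url)) return true;
  return new URL(page.url).protocol === "https:" &&
         mixedContent(page).length === 0;
}

// Constructed sample pages (example.test hosts are placeholders).
const SAMPLE_PAGES = [
  { url: "https://app.example.test/",
    subresources: ["/app.js", "//cdn.example.test/site.css"] },
  { url: "https://news.example.test/",
    subresources: ["/app.js", "http://img.example.test/logo.png"] },
  { url: "http://localhost:8080/", subresources: ["/app.js"] },
  { url: "http://plain.example.test/", subresources: [] },
];

function compareChecks(pages) {
  return pages.map((page) => ({
    url: page.url,
    before: originOnlyCheck(page),
    after: wholePageCheck(page),
    insecure: mixedContent(page),
  }));
}

console.table(compareChecks(SAMPLE_PAGES));
```

Only the second sample page changes outcome between the two checks: its origin is HTTPS, but one image is fetched over HTTP.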

Status: Fixed (was: Started)
Should be fixed as of #7. Thanks for reporting!