Opening an https iframe on a webpage without https triggers the "Not secure" notice in the URL
Reported by i...@bizify.me, Dec 9 2016
Issue description
Chrome Version : 56.0.2924.21
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
Safari: OK
Firefox: OK
IE: OK
What steps will reproduce the problem?
(1) Go to an (insecure) http website.
(2) Open a secure https iframe with a login form from another third party domain.
(3) The "Not secure" notice in the URL is being activated, even though the https iframe is secure.
What is the expected result?
If the iframe contains a secure https website from another domain, where the login form is present, the "Not secure" notice should not be activated.
What happens instead?
The "Not secure" notice is being activated.
Dec 9 2016
If the secure iframe is being replaced by a phishing version of it by a MiM attack, the warning is valid. The main problem is that it's not possible for a user to easily verify where the iframe originates from. A possible solution would be that the URL in the address bar changes when the user hovers over the iframe, making it possible for the user to easily check where the iframe originates from and whether it's secure or not.
Dec 9 2016
Hi, thanks for the report. This is working as intended. As you pointed out in comment 2, a MITM could replace the https iframe to steal the login data. This is also noted in https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn ("This means that the top-level page must be HTTPS and, if the input is in an iframe, that iframe must also be served over HTTPS.")
Comment 1 by nyerramilli@chromium.org, Dec 9 2016: Labels: M-56
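The rule the closing comment cites (the top-level page and every frame between it and the login field must be served over HTTPS before Chrome 56 treats a password input as secure) can be checked offline against a site's markup. The following is an added example, not code from this bug, from Chrome, or from the reporter's site: a Node.js audit that walks a constructed set of documents, resolves each iframe src against its parent document's URL, and reports the scheme chain above every password input. The host names shop.example and login.example, the sample markup and the function names are assumptions for the demo. It goes slightly beyond the reported case by also covering protocol-relative src values (`//login.example/form`), which inherit the parent's scheme and therefore load over plain HTTP when the parent is an http page.

```javascript
'use strict';

// Added example (not Chrome's code or the reporter's site): apply the rule
// from the triager's comment offline. Chrome 56 marks a password field
// "Not secure" unless the top-level page AND every frame between it and
// the field are served over https. Host names and markup are constructed.

const LOGIN_FORM = `
  <form method="post" action="/session">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>`;

// Constructed documents keyed by absolute URL, standing in for real fetches.
const SAMPLE_DOCS = {
  // The reporter's setup: an http page embedding an https login iframe.
  'http://shop.example/checkout':
    '<h1>Checkout</h1><iframe src="https://login.example/form"></iframe>',
  // The same page served over https, using a protocol-relative iframe src.
  'https://shop.example/checkout':
    '<h1>Checkout</h1><iframe src="//login.example/form"></iframe>',
  // The same protocol-relative src on an http page: the frame itself is
  // then fetched over http, so a MITM can rewrite the form directly.
  'http://shop.example/legacy':
    '<iframe src="//login.example/form"></iframe>',
  'https://login.example/form': LOGIN_FORM,
  'http://login.example/form': LOGIN_FORM,
};

// Extract iframe src values (double-quoted, single-quoted or bare).
// Minimal regex parsing; sufficient for the constructed markup above.
function iframeSources(html) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  }
  return out;
}

// Chrome's trigger also covers credit-card fields; this demo only looks
// for password inputs.
function hasPasswordInput(html) {
  return /<input\b[^>]*?\btype\s*=\s*["']?password\b/i.test(html);
}

// Walk the frame tree from topUrl. For each password input found, record
// the chain of document URLs from the top-level page down to the frame
// holding it, and whether Chrome would flag it. Relative and
// protocol-relative srcs resolve against the parent document, which is
// how "//login.example/form" inside an http page becomes an http fetch.
function auditPage(topUrl, docs, chain = []) {
  const here = chain.concat(topUrl);
  const html = docs[topUrl];
  // notSecure === null means the document was not available to inspect.
  if (html === undefined) return [{ chain: here, notSecure: null }];
  const findings = [];
  if (hasPasswordInput(html)) {
    const allHttps = here.every((u) => new URL(u).protocol === 'https:');
    findings.push({ chain: here, notSecure: !allHttps });
  }
  for (const src of iframeSources(html)) {
    const child = new URL(src, topUrl).href;
    if (here.includes(child)) continue; // guard against self-embedding loops
    findings.push(...auditPage(child, docs, here));
  }
  return findings;
}

// Stand-alone run: report each password field's frame chain.
for (const top of [
  'http://shop.example/checkout',
  'https://shop.example/checkout',
  'http://shop.example/legacy',
]) {
  for (const f of auditPage(top, SAMPLE_DOCS)) {
    console.log((f.notSecure ? 'NOT SECURE  ' : 'ok          ') + f.chain.join(' -> '));
  }
}
```

The first document reproduces the report exactly: the login frame is https, but its parent is http, so the chain is flagged. The https parent with a protocol-relative src passes because the src resolves to https. The http parent with the same protocol-relative src is flagged for a worse reason than the reporter's case: the form itself is fetched over http, so no MITM swap of the frame is even needed.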