New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 693982 link

Starred by 1 user
Status: Available
Owner: ----
Cc:
mkwst@chromium.org
domfarolino@gmail.com
jmukthavaram@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Fetch API: When redirect mode is set to error, HTTPS => HTTP redirect must not invoke mixed-content checking

Reported by ivoju...@gmail.com, Feb 19 2017 
Chrome Version       : 58.0.3016.0 (Build oficial) canary (64 bits)
URLs (if applicable) : Any HTTPs origin
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
    Firefox: PASS (51.0.1 (32-bit), 53.0a2 (32-bit))
         IE: N/A

What steps will reproduce the problem?
(1) Perform a HEAD request with 'error' redirect mode via the Fetch API to
an HTTPs location which redirects (301) to HTTP.

Sample code:

var targetUrl = 'https://www.animatedimages.org/data/media/209/animated-cat-image-0031.gif';

function checkResourceLocation(src) {
	var request = new Request(src, {
		method: 'HEAD',
		mode: 'no-cors',
		redirect: 'error'		
	});

	return fetch(request).then(response => {
		if (!response.ok) return Promise.reject(new Error(`Response status not OK.`));
	});
}

checkResourceLocation(targetUrl).catch(err => {
	console.log(err.message);
});


What is the expected result?

The fetch fails, and only the error message handling the promise rejection is written the console.


What happens instead?

The fetch fails, and multiple errors are written to the console at once.
E.g., when run in https://www.google.com.pe:

Mixed Content: The page at 'https://www.google.com.pe/' was loaded over HTTPS, but requested an insecure resource 'http://www.animatedimages.org/data/media/209/animated-cat-image-0031.gif'. This request has been blocked; the content must be served over HTTPS.

Fetch API cannot load https://www.animatedimages.org/data/media/209/animated-cat-image-0031.gif. Redirect failed.

Please provide any additional information below. Attach a screenshot if
possible.

- Making a GET request instead makes no difference in the result.
- Firefox works exactly as expected, and only warns when `mode` is set to 'cors' due to no Access-Control-Allow-Origin header.
chrome-mixed-content-warnings.png
50.1 KB View Download

Comment 1 by ranjitkan@chromium.org, Feb 20 2017

Labels: Needs-Triage-M58

Comment 2 by jmukthavaram@chromium.org, Feb 21 2017

Cc: jmukthavaram@chromium.org
Components: Blink>JavaScript>API
Labels: -Needs-Triage-M58 M-58 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Windows7, Mac 10.12.2 & Linux Ubuntu 14.04 using stable-56.0.2924.87, canary-58.0.3018.0 & reported version-58.0.3016.0 as per the below steps:
1. Launched chrome
2. Opened new Tab
3. press F12 to open dev tools
4. Navigate to Console 
5. Copy & paste the above sample code & hit enter
6. Observed same error which is mentioned in the above attached screenshot

same behaviour observed from M45-45.0.2454.101 to latest Canary & observed 'Uncaught exception error' for the earlier builds of M45.Since it is non regression issue marking this as 'Untriaged'.
Please find the attached screencast for reference.

Thank you!!
693982.mp4
517 KB View Download

Comment 3 by ivoju...@gmail.com, Feb 24 2017 

Maybe this should be tagged Blink > Network > FetchAPI?

Comment 4 by hablich@chromium.org, Apr 5 2017

Components: -Blink>JavaScript>API Blink

Comment 5 by schenney@chromium.org, Apr 5 2017

Components: -Blink Blink>Network>FetchAPI

Comment 6 by tyoshino@chromium.org, Apr 17 2017

Components: Blink>SecurityFeature
Labels: Needs-Feedback
Why do you want to get rid of the console messages? You would see it only when you attempt to perform mixed content loading which shouldn't bother you when writing real production apps.

Comment 7 by tyoshino@chromium.org, Apr 17 2017 

Ah, sorry. I understood. Given that the redirect options is error, it should reach the point where mixed content check happens.

Comment 8 by tyoshino@chromium.org, Apr 17 2017 

s/should/shouldn't/

Comment 9 by ivoju...@gmail.com, Apr 17 2017 

Indeed. I expect the warnings not to be emitted since I request an HTTPs resource and I disallow redirections.

As for the use case, this is part of a client-side-only solution I came up with to prevent my app users from embedding mixed content that other users would be unable to see if using HTTPs.

Comment 10 by ivoju...@gmail.com, Apr 17 2017 

In the last sentence I meant: "if using HTTPs Everywhere".

There is also the loss of the green lock for normal HTTPs users, which I want to prevent.

Comment 11 by tyoshino@chromium.org, Apr 17 2017

Labels: -Pri-3 Pri-2
Status: Available (was: Untriaged)
Summary: Fetch API: When redirect mode is set to error, HTTPS => HTTP redirect must not invoke mixed-content checking (was: Fetch API: failed HTTPS => HTTP redirections yield too many console warnings.)
This is because mixed-content checking is performed in ResourceLoader::WillFollowRedirect() before the ResourceLoader forwards the redirect to RawResource and then RawResourceClient which is DocumentThreadableLoader where Chrome stops loading when the redirect option is set to "error".

This is not conformant to the Fetch Standard. When the redirect mode is set to "error", the fetch algorithm should return a network error right after the destination URL is extracted. Mixed-content check shouldn't happen.

Comment 12 by tyoshino@chromium.org, Apr 17 2017

Labels: -Needs-Feedback
Thanks for providing the additional rationale.

Comment 13 by tyoshino@chromium.org, Apr 17 2017

Cc: mkwst@chromium.org

Comment 14 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 15 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 16 by domfarolino@gmail.com, Apr 16 2018

Cc: domfarolino@gmail.com

Sign in to add a comment