All sites except for Chrome internal pages show a "This page is trying to load scripts from unauthenticated sources" error after updating to Chrome Beta 57.0.2987.98
Reported by
jfz30...@gmail.com,
Mar 10 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Steps to reproduce the problem:
1. Update Chrome Beta to version 57.0.2987.98
2. Load any page other than chrome:// pages

What is the expected behavior?
Pages such as Google Drive or Gmail load as secure with no unsafe page script

What went wrong?
After updating to Chrome Beta 57.0.2987.98, all pages other than internal Chrome pages show up as trying to load unauthenticated scripts. Pages like Gmail or drive.google.com now show up as trying to load unauthenticated scripts, which never occurred before updating.

Did this work before? Yes 57.0.2987.88

Chrome version: 57.0.2987.98
Channel: stable
OS Version: OS X 10.12.3
Flash Version:

Either every page, even known secure ones such as Google Drive and Gmail, now loads unauthenticated scripts, or there is a bug making every page show up as loading unauthenticated scripts.
Mar 10 2017
My guess would be that this is caused by one of the user's browser extensions. If you hit CTRL+Shift+J to open the Developer Tools console (or click the More Tools > Developer Tools menu item) it will show you the URLs of the unauthenticated resources that are attempting to load. Can you try that jfz30302@, and paste the result into a comment on this bug?
Mar 10 2017
It is an extension, here's what the error said:

chrome-extension://gngocbkfmikdgphklgmmehbjjlfgdemm/inject/js/SBPageExtension.js:211 Mixed Content: The page at 'https://bugs.chromium.org/p/chromium/issues/detail?id=700361#c2' was loaded over HTTPS, but requested an insecure script 'http://www.sbx-media.com/extn/inject/js/ads_advertisement.js'. This request has been blocked; the content must be served over HTTPS.

What's strange is this only began happening after I updated to the newest Chrome Beta channel release.
Mar 10 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 10 2017
Interesting. An HTTP reference should always have resulted in this warning. However, as noted in Issue 700397, distrust of StartCom certificates is getting broader. https://www.sbx-media.com uses a StartCom certificate. It seems entirely possible that this extension tries to use HTTPS://www.sbx-media.com, sees that the request fails (due to the untrusted root) and then falls back to an HTTP URL (which is blocked as mixed content). Ultimately this is a bug in the extension (which appears to be an ad-injector).
Mar 10 2017
I see. So should I disable the extension as it is falling back to a less secure HTTP URL, or is it okay to continue to use it? (Is it putting my browser's security at risk?)
Mar 10 2017
Actually, no, this isn't related to the StartCom deprecation, and this error is observed in Chrome 56 as well, as shown in the attached screenshot.

Mixed Content: The page at 'https://example/' was loaded over HTTPS, but requested an insecure script 'http://www.sbx-media.com/extn/inject/js/ads_advertisement.js'. This request has been blocked; the content must be served over HTTPS.
adBlockerCheck @ SBPageExtension.js:211

As this is a bug in the extension, there isn't anything Chrome can do about it.

As to the question in Comment #6: This extension appears to be injecting third-party content into all pages; this is inherently dangerous and I personally would not install any extension that did this. Having said that, the "Blocked Script" notification means that by default, at least, the script that is injected via HTTP into HTTPS pages is blocked. But that doesn't stop the extension author from updating their extension to use HTTPS injection and running their code on all of the pages you visit.
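
Added example (not part of the original thread and not Chrome code): a small Node.js parser for the "Mixed Content" console lines quoted in the comments above, grouping them by the chrome-extension:// ID that initiated the request so an injecting extension stands out from a genuinely misconfigured site. Function names are hypothetical, and every sample line except the first is constructed.

```javascript
// Added example, not code from the thread or from Chrome. Function names are
// hypothetical; the message wording follows the console output quoted above.
const MIXED = /Mixed Content: The page at '([^']*)' was loaded over HTTPS, but requested an insecure (\w+) '([^']*)'\.(.*)/;
const EXT_FRAME = /chrome-extension:\/\/([a-p]{32})\/(\S+?):(\d+)/; // IDs are 32 chars, a-p

function parseMixedContent(line) {
  const m = MIXED.exec(line);
  if (!m) return null;
  const [, page, kind, resource, rest] = m;
  // The initiating script is printed before the message (or after it, as a stack frame).
  const frame = EXT_FRAME.exec(line.slice(0, m.index)) || EXT_FRAME.exec(rest);
  return {
    page, kind, resource,
    blocked: rest.includes('This request has been blocked'),
    extensionId: frame ? frame[1] : null,
    source: frame ? `${frame[2]}:${frame[3]}` : null,
  };
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return url; }
}

// Group hits by initiating extension. One ID showing up across unrelated
// origins points at the extension, not at the sites.
function summarizeByExtension(lines) {
  const byExt = new Map();
  for (const hit of lines.map(parseMixedContent).filter(Boolean)) {
    const key = hit.extensionId || '(no extension frame)';
    const e = byExt.get(key) || { origins: new Set(), resources: new Set(), blocked: 0 };
    e.origins.add(originOf(hit.page));
    e.resources.add(hit.resource);
    if (hit.blocked) e.blocked += 1;
    byExt.set(key, e);
  }
  return byExt;
}

// Line 1 is the message quoted in the thread; the rest are constructed samples.
const EXT = 'chrome-extension://gngocbkfmikdgphklgmmehbjjlfgdemm/inject/js/SBPageExtension.js:211';
const AD = 'http://www.sbx-media.com/extn/inject/js/ads_advertisement.js';
const tail = 'This request has been blocked; the content must be served over HTTPS.';
const SAMPLE_CONSOLE = [
  `${EXT} Mixed Content: The page at 'https://bugs.chromium.org/p/chromium/issues/detail?id=700361#c2' was loaded over HTTPS, but requested an insecure script '${AD}'. ${tail}`,
  `${EXT} Mixed Content: The page at 'https://mail.example/inbox' was loaded over HTTPS, but requested an insecure script '${AD}'. ${tail}`,
  "Mixed Content: The page at 'https://shop.example/cart' was loaded over HTTPS, but requested an insecure image 'http://cdn.example/logo.png'. This content should also be served over HTTPS.",
  'Failed to load resource: net::ERR_BLOCKED_BY_CLIENT',
];

for (const [id, e] of summarizeByExtension(SAMPLE_CONSOLE)) {
  console.log(id, [...e.origins], [...e.resources], `blocked=${e.blocked}`);
}
```

A line with no chrome-extension:// frame, such as the stack-frame form "adBlockerCheck @ SBPageExtension.js:211", lands in the "(no extension frame)" group and needs the full source URL from DevTools to be attributed.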
Mar 10 2017
I understand. I think I will uninstall the extension, now knowing this. I hadn't seen the message before updating, so I thought it might have been a bug in Chrome. Thanks for the information!
Comment 1 by gov...@chromium.org, Mar 10 2017
Labels: M-57