Push API - Notification permissions are allowed from an HTTPS iframe embedded within a HTTP page
Reported by
maddyro...@gmail.com,
Mar 30 2017
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Place a hidden, secure iframe (src="https://b.com") within an insecure page (http://a.com)
2. Let the JavaScript loaded on b.com request Notification permission using Notification.requestPermission()
3. This request will be honoured, and the browser will display the native opt-in pop-up with the message "b.com wants to: Show Notifications"

What is the expected behavior?
The Notification.permission() request should be declined by the browser since the original, top-level page (a.com) is still on HTTP.

What went wrong?
As per the below-mentioned Chromium bugs, which were already closed, this behaviour should not be allowed at all.
https://bugs.chromium.org/p/chromium/issues/detail?id=430496
https://bugs.chromium.org/p/chromium/issues/detail?id=559480
However, the design appears to be broken.

Did this work before? N/A

Does this work in other browsers? No

Browser: Chrome-55, Chrome-56, Firefox-49, Firefox-50, Firefox-51
OS: Windows 7, Windows 10, Mac OS Sierra, Mac OS El Capitan

Chrome version: 55.0.2883.87
Channel: n/a
OS Version:
Flash Version: Shockwave Flash 25.0 r0

I was exploring a solution around this, and later realized that it is actually a security loophole! And the overall theme discussed, and the conclusion reached, in the above-mentioned tickets appear to be violated.
May 19 2017
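The report describes a permission prompt being triggered from an HTTPS frame whose top-level page is plain HTTP. Until the browser itself refuses such requests, the operator of the framed origin (b.com in the report) can refuse to ask in the first place. The following is an added example, not code from the bug report or from Chromium; the function names, the `win` parameter (a stand-in for the real `window`) and the mock window builder are this example's own assumptions.

```javascript
// Guard in front of Notification.requestPermission(): only ask when this
// document is both a secure context and the top-level frame. From inside a
// cross-origin frame the embedder's scheme cannot be inspected, so any framed
// document is refused; that covers the report's case (HTTPS frame in an HTTP page).
function decideNotificationRequest(win) {
  if (!win.isSecureContext) {
    return { allowed: false, reason: 'not a secure context (plain HTTP document)' };
  }
  if (win.top !== win.self) {
    return { allowed: false, reason: 'document is framed; embedder scheme unknown' };
  }
  return { allowed: true, reason: 'top-level secure context' };
}

// Wrapper around the browser API. Resolves to the browser's answer
// ('granted' / 'denied' / 'default') when the guard allows the request, and to
// 'denied' without ever showing a prompt when it does not (or when the API is absent).
function requestNotificationPermissionSafely(win) {
  const decision = decideNotificationRequest(win);
  if (!decision.allowed) {
    return Promise.resolve('denied');
  }
  if (!win.Notification || typeof win.Notification.requestPermission !== 'function') {
    return Promise.resolve('denied');
  }
  // Notification.requestPermission() returns a Promise in current browsers.
  return Promise.resolve(win.Notification.requestPermission());
}

// Constructed stand-in for `window` so the guard can be exercised outside a browser.
// `secure` models the document's own scheme; `framed` models the hidden iframe.
function makeMockWindow({ secure, framed }) {
  const win = {
    isSecureContext: secure,
    Notification: { requestPermission: () => Promise.resolve('granted') },
  };
  win.self = win;
  // A distinct object stands in for a foreign top-level page (e.g. http://a.com).
  win.top = framed ? {} : win;
  return win;
}

// Three scenarios: only the top-level HTTPS document may prompt.
const scenarios = {
  httpsTopLevel: decideNotificationRequest(makeMockWindow({ secure: true, framed: false })),
  httpsFrameInHttpPage: decideNotificationRequest(makeMockWindow({ secure: true, framed: true })),
  httpTopLevel: decideNotificationRequest(makeMockWindow({ secure: false, framed: false })),
};

for (const [name, d] of Object.entries(scenarios)) {
  console.log(`${name}: ${d.allowed ? 'allowed' : 'refused'} (${d.reason})`);
}
```

The guard is client-side and only protects visitors of a site that deploys it; the server-side complement is to stop the origin from being framed at all with `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`), which also removes the hidden-iframe setup the report relies on. Neither replaces the browser-level fix the report asks for.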
Comment 1 by peter@chromium.org, Apr 3 2017
Components: -Blink>PushAPI UI>Notifications Internals>Permissions
Status: Assigned (was: Unconfirmed)