estark@ or lgarron@, do you have any pointers on where to look for why security info is missing in the devtools security panel?

In the past, the security info flows to the DevTools by way of WebURLLoaderImpl::PopulateURLResponse which calls SetSecurityStyleAndDetails to populate the security data on the response object. The JavaScript code in the DevTools (see e.g. https://codereview.chromium.org/2763563003/) looks for the data on the response object when populating its objects.

Weirdly, I think this may have to do with an HTTP error code on the navigation request...? I can't reproduce on https://google.com or any other page that results in a 200 response, but I can on https://horo-t.github.io/ and https://example.com/asdfasdfasf, both of which are 404s.

Thanks to estark@ for her help investigating this! It looks like inside ResourceResponse::DeepCopy(), we don't copy the parts relating to the security info of the response:

* head.certificate
* head.cert_status
* head.ssl_connection_status
* head.ssl_key_exchange_group

Per offline discussion, estark@ will try to put up a CL for review. Since there seems to be lack of test coverage, it will be great to have a proper test for this functionality, however due to the complexity of it, it might be done in a separate CL.

CL at https://codereview.chromium.org/2871303002
For the historical record, my comment about 404s in #4 was totally a red herring. 200 responses tend to load subresources which overwrite the missing security info so that it looks correct.

Oops, the CL didn't contain the bug id, so the bots didn't update it. I just tried the latest canary and the issue is fixed, so marking it as such.

Thanks, nasko. Filed issue 721363 for adding a test as a follow-up.