New issue
Advanced search Search tips

Issue 724314 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

No ability to whitelist insecure domains

Reported by fireant...@gmail.com, May 18 2017 
Chrome Version       : 58.0.3029.110 (Official Build) (64-bit)
URLs (if applicable) : local domains
Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari:
    Firefox: OK
         IE:

What steps will reproduce the problem?
(1) Working on local domain with bad SSL certificate
(2) Try to load local URL
(3) Proceed through safety warning

What is the expected result?
I should be able to whitelist a domain in some fashion, even if it has a bad SSL certificate, so I can use it normally. I need this for testing a local website since I don't have valid SSL certificates for my local domain.

What happens instead?
Every time I click a link in my local page I have to confirm I'm ok proceeding with a bad SSL certificate. Moreover even after a page has loaded with my approval, any further requests (such as AJAX) fails.

Please provide any additional information below. Attach a screenshot if
possible.
There should be an option to whitelist a domain and ignore the bad certificate warnings. Even if that ability is hidden for power users/coders that's fine. I just need some way to properly test a local HTTPS site in Chrome for debugging.

Comment 1 by kavvaru@chromium.org, May 19 2017

Components: Internals>Network
Labels: TE-NeedsTriageHelp

Comment 2 by mmenke@chromium.org, May 19 2017

Components: -Internals>Network Internals>Network>Certificate
Chrome respects locally installed root certs, or you could run with --ignore-certificate-errors (Though implementation of the latter option is hacky, and certainly not something you should be using for remote sites)

Comment 3 by rsleevi@chromium.org, May 19 2017

Labels: Needs-Feedback
Not just hacky - we're in the process of removing --ignore-certificate-errors :)

Installing the trust anchor locally is a correct response for such development practices. Alternatively, several CAs provide free (reduced validity) certificates for testing domains, provided they're anchored in public domains (i.e. you can get a cert for https://test.example.com, but you cannot get a cert for https://test)

Chrome remembers these interstitial bypasses, even if you have not installed the certificate, for some time. The report of AJAX requests failing sounds like a bug, and attaching a chrome://net-internals or chrome://net-export log demonstrating the problem can help identify and resolve whether this is a regression.

Comment 4 by mmenke@chromium.org, May 22 2017

Status: WontFix (was: Unconfirmed)

Sign in to add a comment