
Issue 766091

Starred by 17 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression




Valid HTTPS required for *.dev due to HSTS preload

Reported by n.vander...@mycademy.com, Sep 18 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3218.4 Safari/537.36

Steps to reproduce the problem:
1. make a self signed ssl certificate
2. add it to a locally hosted site
3. navigate to the site

What is the expected behavior?
Same error as now, but with a button to proceed to site anyways

What went wrong?
No button to proceed anyways, which now causes the problem that you can't develop locally using self signed ssl certificates to test SSL.

Did this work before? Yes 60.0.3112.113

Does this work in other browsers? Yes

Chrome version: 63.0.3218.2  Channel: canary
OS Version: 10.0
Flash Version: -

This is a huge deal. If these patches make it to the regular build, developing locally using chrome will not be possible with SSL, and might cause major issues when implementing SSL...
 

Comment 1 by ajha@chromium.org, Sep 19 2017

Cc: ajha@chromium.org
Components: Internals>Network>Certificate Internals>Network>SSL
Labels: Needs-Triage-M63 Needs-Feedback
Is there any specific webpage that can be used to test and confirm the regression?

I don't have any sites with invalid/self-signed SSL certificates at the moment that are publicly accessible. You can reproduce this issue quite easily on your local machine by generating a self-signed SSL certificate and using it in apache/nginx though. That's how I encountered the problem.

Kind Regards,

Nick van der Meij
Webdeveloper
MyCademy.com



Comment 3 by sheriffbot@chromium.org, Sep 19 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "ajha@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by mmenke@chromium.org, Sep 19 2017

n.vandermeij:  Do you see the proceed link when you go to https://self-signed.badssl.com/
Cc: lgar...@chromium.org
+lgarron

The button is missing because all of .dev is HSTS. The issue is that .dev is a real TLD. It shouldn't be used for local testing. In particular, the operators for .dev decided to set HSTS on the whole TLD for security.

Per RFC 2606, you should use one of the TLDs reserved like .test for local testing. So kms.test rather than kms.dev. Those names won't collide with real sites.
Components: -Internals>Network>SSL -Internals>Network>Certificate Internals>Network>DomainSecurityPolicy
Status: WontFix (was: Unconfirmed)
Summary: Certificate errors under the .dev TLD are not overridable (was: Invalid SSL certificate not allowed and no "continue anyways" button)
Indeed, this is desired behaviour of preloading .dev for HSTS.
As davidben@ describes, you should be using one of the TLDs described in RFC 2606 to avoid collisions with possible future domains:

    .test
    .example
    .invalid
    .localhost

I'm marking this bug as WontFix because this behaviour is intended, but people are welcome to comment here if they have situations that are not a case of "we assumed we could use .dev like .test".

Interesting, I didn't know that it was actually a TLD. Sorry for the inconvenience, we will change our test domains to .test as soon as possible.
Thanks for the helpful insight!

Kind Regards,

Nick van der Meij
Webdeveloper
MyCademy.com


 Issue 767167  has been merged into this issue.
 Issue 772033  has been merged into this issue.
 Issue 778198  has been merged into this issue.
 Issue 793770  has been merged into this issue.
 Issue 794160  has been merged into this issue.

Comment 13 Deleted

Cc: ranjitkan@chromium.org abdulsyed@chromium.org pbomm...@chromium.org f...@chromium.org gov...@chromium.org brajkumar@chromium.org
 Issue 793994  has been merged into this issue.
 Issue 795678  has been merged into this issue.
 Issue 795748  has been merged into this issue.
Summary: Valid HTTPS required for *.dev due to HSTS preload (was: Certificate errors under the .dev TLD are not overridable)
Yes, in Chrome 63 it is working as intended that all *.dev and *.app sites redirect to HTTPS.

https://textslashplain.com/2017/12/05/strict-transport-security-for-dev/
 Issue 795654  has been merged into this issue.
 Issue 799039  has been merged into this issue.
Cc: vamshi.k...@techmahindra.com
 Issue 797290  has been merged into this issue.
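
Added example (not part of the original issue thread or of Chromium's code): a small Python audit of a hosts file that flags local names under the TLDs the thread says are forced to HTTPS (.dev, .app) and suggests the same name under .test, one of the RFC 2606 reserved TLDs listed above. The sample hosts content and the function names are constructed for illustration.

```python
import ipaddress

# TLDs reserved by RFC 2606 for testing and documentation (as listed in the thread).
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
# Real TLDs that, per the thread, Chrome 63 forces to HTTPS through the HSTS preload list.
HSTS_PRELOADED_TLDS = {"dev", "app"}

# Constructed sample hosts file; apart from kms.dev/kms.test the names are made up.
SAMPLE_HOSTS = """\
# local development sites
127.0.0.1   localhost
127.0.0.1   kms.dev www.kms.dev   # old naming
127.0.0.1   kms.test
::1         api.shop.app
10.0.0.5    intranet.corp
"""

def classify(hostname):
    """Return 'reserved', 'hsts-preloaded-tld' or 'other' based on the last label."""
    tld = hostname.rstrip(".").lower().rsplit(".", 1)[-1]
    if tld in RESERVED_TLDS:
        return "reserved"
    if tld in HSTS_PRELOADED_TLDS:
        return "hsts-preloaded-tld"
    return "other"

def audit_hosts(text):
    """Return (line_no, hostname, verdict, suggested_name) for every hosts entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])  # skip lines that are not "IP name..."
        except ValueError:
            continue
        for name in fields[1:]:
            verdict = classify(name)
            suggestion = None
            if verdict == "hsts-preloaded-tld":
                # Keep the leading labels, swap the real TLD for the reserved .test.
                suggestion = name.rstrip(".").rsplit(".", 1)[0] + ".test"
            findings.append((line_no, name, verdict, suggestion))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Names reported as "other" are neither reserved nor on the thread's list; the script makes no claim about them.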
