
Issue 769825

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Mixed content iframe showing without warning (http inside of https)

Reported by 4ajlapo...@gmail.com, Sep 28 2017

Issue description

VULNERABILITY DETAILS
Mixed IFRAME content is being shown. An http iframe can be loaded inside of an https site.

VERSION
Chrome Version: Version 61.0.3163.100 (Official Build) (64-bit)
Operating System: [Windows 10 Pro, 1607]

REPRODUCTION CASE
When looking at a site built upon the HubSpot platform, an http iframe can be loaded inside of an https site without the mixed content warning. An example of this is here: https://blog.wsol.com/how-to-build-better-social-engagement; the video in the bottom portion is an IFRAME with an http src.

Attachment: http iframe in https.jpg (490 KB)

Components: Blink>SecurityFeature
Status: WontFix (was: Unconfirmed)
Working as intended.

The blog.wsol.com server is sending a Content-Security-Policy header with the value 'upgrade-insecure-requests'. This converts the HTTP URL shown to HTTPS before it is requested from the network. 

The UIR directive is designed for exactly this purpose: to prevent mixed content problems. :)
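
The behaviour described in the comment above, as an added example that is not code from the Chromium project, HubSpot, or the reporter: a small model of how a browser applies the `upgrade-insecure-requests` directive to the iframe URLs found in a page. The upgrade happens in the browser at fetch time, so the page source still contains the `http:` URL; only the request that leaves the browser is `https:`. The page URL, header set and HTML below are constructed sample values, and the iframe extraction is a deliberately simple regex used only for this illustration.

```javascript
// Added example (not from the Chromium bug report or HubSpot): model the effect of
// CSP 'upgrade-insecure-requests' (UIR) on iframe subresources of an HTTPS page,
// so a defender can check which iframe src values would be upgraded and which
// would be treated as mixed content.

// Parse a Content-Security-Policy header value into its directive names.
function cspDirectives(headerValue) {
  return headerValue
    .split(';')
    .map(d => d.trim().toLowerCase())
    .filter(Boolean)
    .map(d => d.split(/\s+/)[0]);
}

// Header names are case-insensitive and a response may carry several CSP headers,
// so look at every header named content-security-policy.
function hasUpgradeInsecureRequests(headers) {
  return Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'content-security-policy')
    .some(([, value]) => cspDirectives(value).includes('upgrade-insecure-requests'));
}

// The UIR upgrade step for one URL: http -> https and ws -> wss. An explicit
// default port (":80") is already dropped by the URL parser, so the upgraded
// URL ends up with the https default port, as the directive specifies.
function upgradeUrl(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') u.protocol = 'https:';
  else if (u.protocol === 'ws:') u.protocol = 'wss:';
  return u.toString();
}

// Pull iframe src attributes out of a page body (simple regex, example only).
function iframeSources(html) {
  const out = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// For each iframe, report what the browser would do with it:
//   'as-is'         : not insecure, or the page itself is not HTTPS
//   'upgraded'      : HTTP src on an HTTPS page with UIR present -> fetched over HTTPS
//   'mixed-content' : HTTP src on an HTTPS page without UIR -> blockable mixed content
function classifyIframes(pageUrl, headers, html) {
  const page = new URL(pageUrl);
  const uir = hasUpgradeInsecureRequests(headers);
  return iframeSources(html).map(src => {
    const resolved = new URL(src, page); // resolves relative and protocol-relative src
    const insecure = resolved.protocol === 'http:';
    if (!insecure || page.protocol !== 'https:') {
      return { src, fetched: resolved.toString(), outcome: 'as-is' };
    }
    if (uir) {
      return { src, fetched: upgradeUrl(resolved.toString()), outcome: 'upgraded' };
    }
    return { src, fetched: resolved.toString(), outcome: 'mixed-content' };
  });
}

// Constructed sample: an HTTPS page whose body embeds an http iframe (the
// situation in the report), checked with and without the CSP header.
const SAMPLE_PAGE_URL = 'https://blog.example/post';
const SAMPLE_HTML =
  '<p>Video:</p><iframe src="http://video.example/embed/123" width="560"></iframe>';
const HEADERS_WITH_UIR = { 'Content-Security-Policy': 'upgrade-insecure-requests' };
const HEADERS_WITHOUT_UIR = {};

console.log(classifyIframes(SAMPLE_PAGE_URL, HEADERS_WITH_UIR, SAMPLE_HTML));
console.log(classifyIframes(SAMPLE_PAGE_URL, HEADERS_WITHOUT_UIR, SAMPLE_HTML));
```

Running it shows the same iframe reported as `upgraded` to `https://video.example/embed/123` when the header is present and as `mixed-content` when it is absent, which is why the page in the report renders without a warning even though its source still says `http:`.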

Labels: -Restrict-View-SecurityTeam allpublic
Would this be shown on the front end in view source? Or is this done server side and not reflected in the source?