"Load unsafe scripts" not working with OOPIFs
Reported by dan...@orodu.net, Jan 7 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Example URL: https://chuo.fm/show/rockers/

Steps to reproduce the problem:
1. Go to https://chuo.fm/show/rockers/
2. Scroll down, click on one of the dates on the left.
3. Nothing appears to happen, until you notice a tiny icon appeared in the omnibox right side
4. Click said icon, the popup appears
5. Click "Load unsafe scripts", the page reloads
6. Scroll down again and click on one of the dates on the left.

What is the expected behavior?
A media player appears below and lets you play music.

What went wrong?
Either nothing appears, or eventually some html buttons appear that do not work.

Does it occur on multiple sites: N/A
Is it a problem with a plugin? No
Did this work before? Yes. I believe this worked in M62
Does this work in other browsers? Yes

Chrome version: 63.0.3239.132 Channel: stable
OS Version: 10.0
Flash Version: 28.0.0.126

I will attach screenshots. This reproduces with and without OOPIF (top document isolation) enabled. In Edge the document has an <audio> tag and a number of <divs> and <buttons> to make up the player.

Jan 8 2018
danakj@ Thanks for the issue.

Tested this issue on Windows 10, Mac OS 10.12.6 on the latest Stable 63.0.3239.132 and Canary 65.0.3314.0 and unable to reproduce the issue by following the steps mentioned in the original comment. On navigating to the given website and loading the site with unsafe scripts, a media player is appearing and music is playing without any issues. Attached is the screen cast for reference.

Request you to please retry the issue on a new Chrome profile without any flags/extensions and update the thread with the observations.

Thanks.

Jan 8 2018
Thanks, you're right. My command line looks like

Command Line "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --enable-features=top-document-isolation --flag-switches-begin --flag-switches-end

Even though I have put OOPIF back to "default" state in chrome://flags. When I force it off then the page behaves. So this is a bug in top-document-isolation/OOPIF.

Jan 8 2018
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 9 2018
Able to reproduce the issue on Windows 10, Mac 10.12.6 and Ubuntu 14.04 using Chrome reported version #63.0.3239.132 and latest canary #65.0.3315.3.

But unable to provide bisect results as, on digging to get the good and bad range, at Chrome version #60.0.3112.0 and upper builds till M-62, on performing the 5th and 6th steps from comment #0, again a tiny icon appeared in the omnibox right side to load unsafe scripts and nothing happened. Loaded the unsafe scripts 2-3 times, still it remained the same and the media player was not seen. Attaching screen cast of M-60 for reference.

Hence, marking it as untriaged for further inputs from dev team.

Thanks!

Jan 11 2018
Nasko: Can you triage this in your team? Based on #4 above, it sounds like the mixed content opt-out is broken in some way related to site isolation.

(Lowering this to P3, as we're kinda thinking about removing that mechanism altogether: +estark@ for opinions)

Jan 11 2018
alexmos@: We have another bug about this, right? Is it issue 496670, or is there something more recent?

Jan 11 2018
Sorry, I was getting content settings and mixed content confused in comment 9. (Content settings was found to be working as intended in issue 767539.) This is about mixed content instead.

Jan 11 2018
Yes, this is indeed a problem with mixed content settings not propagating to out-of-process iframes (OOPIFs). The conclusion about mixed content in issue 496670 comment 3 is not correct. The problem is that after "Load unsafe scripts" is clicked, the main frame reloads and all its child frames are gone. When an iframe is then navigated to a new process, that new process does not get the correct value for allow_running_insecure_content_ inside ContentSettingsObserver.

I'll resolve this one as duplicate of issue 496670 and add more details there with potentially a simplified repro.

Jan 13 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/72c8c945f44b515aa30ac9f6a34f46314eb9dd92

commit 72c8c945f44b515aa30ac9f6a34f46314eb9dd92
Author: Nasko Oskov <nasko@chromium.org>
Date: Sat Jan 13 01:01:26 2018

Set correct value for allowing mixed content in out-of-process iframes.

When mixed content is detected, it is blocked by default. The user can choose to allow it, in which case the browser tells the renderer to set its value for "allow mixed content" to true. Within a single renderer process, frames inherit this value from the main frame, but in the face of out-of-process iframes, this does not work.

This CL adds an observer for new frames being created and if mixed content is allowed, it sets the proper value on its RenderFrame.

Bug: 496670, 799770
Change-Id: Ica7e2f4122d54b14b2186e2941f59c93d7738e51
Reviewed-on: https://chromium-review.googlesource.com/862700
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Martin Šrámek <msramek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529126}

[modify] https://crrev.com/72c8c945f44b515aa30ac9f6a34f46314eb9dd92/chrome/browser/content_settings/mixed_content_settings_tab_helper.cc
[modify] https://crrev.com/72c8c945f44b515aa30ac9f6a34f46314eb9dd92/chrome/browser/content_settings/mixed_content_settings_tab_helper.h
[modify] https://crrev.com/72c8c945f44b515aa30ac9f6a34f46314eb9dd92/chrome/browser/ui/content_settings/content_setting_bubble_model_browsertest.cc
[modify] https://crrev.com/72c8c945f44b515aa30ac9f6a34f46314eb9dd92/chrome/test/data/content_setting_bubble/mixed_script.html
[add] https://crrev.com/72c8c945f44b515aa30ac9f6a34f46314eb9dd92/chrome/test/data/content_setting_bubble/mixed_script.js
[add] https://crrev.com/72c8c945f44b515aa30ac9f6a34f46314eb9dd92/chrome/test/data/content_setting_bubble/mixed_script_in_cross_site_iframe.html
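
A simplified model of the propagation gap and the fix described in the commit message above, added here as an illustration. It is not Chromium code: the `Tab`, `Frame` and `RunsAfterOptIn` names, the `.test` sites and the one-process-per-site rule are assumptions of the model.

```cpp
// Toy model only (added example, not Chromium code); all names are hypothetical.
#include <cstddef>
#include <map>
#include <string>
#include <vector>

struct Frame {                       // renderer-side state for one frame
    std::string site;
    int process_id = 0;
    bool allow_insecure = false;     // stands in for allow_running_insecure_content_
};

class Tab {                          // browser-side state for one tab
public:
    explicit Tab(bool observe_new_frames) : observe_new_frames_(observe_new_frames) {}

    // "Load unsafe scripts": record the opt-in, reload, and tell the main
    // frame's renderer. The reload discards every existing child frame.
    void AllowMixedContentAndReload(const std::string& main_site) {
        allowed_ = true;
        frames_.clear();
        frames_[CreateFrame(main_site)].allow_insecure = true;
    }

    std::size_t CreateFrame(const std::string& site) {
        // Model assumption: one renderer process per site.
        int pid = processes_.emplace(site, (int)processes_.size()).first->second;
        Frame f;
        f.site = site;
        f.process_id = pid;
        // Inheritance only works when the child shares the main frame's process.
        if (!frames_.empty() && pid == frames_[0].process_id)
            f.allow_insecure = frames_[0].allow_insecure;
        // The fix described above: on frame creation, push the tab's setting.
        if (observe_new_frames_ && allowed_) f.allow_insecure = true;
        frames_.push_back(f);
        return frames_.size() - 1;
    }
    bool InsecureScriptRuns(std::size_t i) const { return frames_[i].allow_insecure; }

private:
    bool observe_new_frames_, allowed_ = false;
    std::vector<Frame> frames_;
    std::map<std::string, int> processes_;
};

// True if an insecure script runs in an iframe on child_site after the opt-in.
bool RunsAfterOptIn(bool with_fix, const std::string& child_site) {
    Tab tab(with_fix);
    tab.AllowMixedContentAndReload("https://a.test");
    return tab.InsecureScriptRuns(tab.CreateFrame(child_site));
}

int main() { return RunsAfterOptIn(false, "https://b.test") ? 1 : 0; }
```

Without the frame-creation hook the cross-site child never sees the user's opt-in, which matches the "nothing appears" symptom reported at the top of the thread; a same-site child is unaffected because it inherits in-process.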