
Issue 805667

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 554509
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug
Team-Security-UX




Verbose chip fails to point out insecurity when typing into an insecure text box on an https page

Reported by 93m4qau...@gmail.com, Jan 24 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36

Steps to reproduce the problem:
1. Open https://radar.weather.gov/Conus/pacsouthwest.php
2. Type into the "City, St" text box.
3. Watch the verbose chip.

What is the expected behavior?
Since you are typing into an insecure text box, the verbose chip points that out, similar to how it would if you were typing into a text box on a fully http page.

What went wrong?
The verbose chip fails to point out that you are typing into an insecure text box, since the main origin is https and only the text box is http.

Did this work before? N/A 

Chrome version: 64.0.3282.119  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

I am not sure how to test this, but this might also affect insecure password entry fields on https pages as well.
 
Labels: Needs-Triage-M64 Needs-Bisect
Cc: est...@chromium.org
Components: UI>Browser>Omnibox>SecurityIndicators>VerboseChip
Labels: -Needs-Bisect Triaged-ET M-66 FoundIn-66 Target-66 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Reporter@ Thanks for the issue.

Able to reproduce this issue on Windows 10, Mac OS 10.12.6 and Ubuntu 14.04 on the latest Canary 66.0.3330.0 and Stable 64.0.3282.119 by following the steps mentioned in the original comment.

On typing some text in the insecure text box, the verbose chip is not showing as 'Not Secure'.
Attached is the screencast for reference.

This is a Non-Regression issue as this is observed from M-60 Chrome builds. Hence marking this as Untriaged.

Adding component UI>Browser>Omnibox>SecurityIndicators>VerboseChip and CC'ing estark@ for further updates on this issue.

Thanks.

Attachment: 805667.webm (3.6 MB)
What I mean is that if I were to start typing into a text box on an HTTP page, it would expand with the text "Not secure". In this situation, the main origin is HTTPS, but the "City, ST" text box in particular is submitted over insecure HTTP as you can see under the Developer Tools Security tab. In both cases, you are submitting text over an insecure connection, but the verbose chip only expands with the text "Not secure" if the main origin is HTTP.

Comment 5 by est...@chromium.org, Jan 29 2018

Components: -UI Internals>PageSecurityState
Mergedinto: 554509
Status: Duplicate (was: Untriaged)
Thanks for the suggestion. We already have a bug on file for various ways that we could warn more aggressively about mixed form submissions.
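
The condition reported in this issue, an HTTPS page whose form submits over plain HTTP, can be audited for on a site's own pages. The following is an added example, not part of the issue thread and not Chromium code; the function names, form names and hostnames are constructed placeholders.

```javascript
// Added example: flag forms on an HTTPS page whose submission target is plain HTTP.
// All form data below is constructed; hostnames are placeholders.

// Resolve the URL a form would submit to. An empty or missing action submits
// to the document's own URL; a relative action resolves against it.
function resolveTarget(pageUrl, action) {
  const trimmed = (action || "").trim();
  return new URL(trimmed === "" ? pageUrl : trimmed, pageUrl);
}

// Return one finding per insecure submission target. A submit button's
// formaction attribute overrides the form's action, so both are checked.
function findMixedFormTargets(pageUrl, forms) {
  const findings = [];
  if (new URL(pageUrl).protocol !== "https:") return findings; // not a mixed case
  for (const form of forms) {
    const candidates = [{ source: "action", value: form.action }];
    for (const fa of form.formactions || []) {
      candidates.push({ source: "formaction", value: fa });
    }
    for (const c of candidates) {
      let target;
      try { target = resolveTarget(pageUrl, c.value); } catch { continue; } // unparsable URL
      if (target.protocol === "http:") {
        findings.push({ form: form.name, source: c.source, target: target.href });
      }
    }
  }
  return findings;
}

// In a browser, descriptors can be collected from the live DOM (descendant buttons only).
function collectForms(doc) {
  return Array.from(doc.forms).map((f) => ({
    name: f.getAttribute("name") || f.id || "(unnamed)",
    action: f.getAttribute("action"),
    formactions: Array.from(f.querySelectorAll("[formaction]"))
      .map((el) => el.getAttribute("formaction")),
  }));
}

// Constructed sample: an HTTPS page with four forms.
const samplePage = "https://www.example.org/radar/index.php";
const sampleForms = [
  { name: "citySearch", action: "http://forecast.example.org/zipcity.php" },
  { name: "relative", action: "search.php" },
  { name: "selfSubmit", action: "" },
  { name: "override", action: "/ok", formactions: ["http://www.example.org/legacy"] },
];
console.log(findMixedFormTargets(samplePage, sampleForms));
```

In a browser console, `findMixedFormTargets(location.href, collectForms(document))` runs the same check against the loaded page.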
