New issue
Advanced search Search tips

Issue 808797 link

Starred by 2 users
Status: Fixed
Owner:
est...@chromium.org
Closed: Feb 2018
Cc:
elawrence@chromium.org
carlosil@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug
Team-Security-UX

Blocking:
issue 448486



Sign in to add a comment

Committed interstitials: SSL throttle handles subframe requests

Project Member Reported by est...@chromium.org, Feb 3 2018 
SSLErrorNavigationThrottle::WillFailRequest() doesn't distinguish subframe navigations from main-frame. That means that an interstitial-style error page can show up in a subframe for certificate errors.

This is not necessarily a bad thing, but we should think about it because it was an unintended change. If we're going to keep the behavior, we should use the WebView interstitial styling which shows up better at a smaller size.
subframe.jpg_large
76.5 KB Download

Comment 1 by est...@chromium.org, Feb 3 2018

Summary: Committed interstitials: SSL throttle handles subframe requests (was: Committed interstitial: SSL throttle handles subframe requests)

Comment 2 by est...@chromium.org, Feb 4 2018

Blocking: 448486

Comment 3 by est...@chromium.org, Feb 5 2018

Owner: est...@chromium.org
Status: Started (was: Available)
Project Member

Comment 4 by bugdroid1@chromium.org, Feb 5 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/431dafe4c09b182955032dafe7dbecda6f6c5e99

commit 431dafe4c09b182955032dafe7dbecda6f6c5e99
Author: Emily Stark <estark@google.com>
Date: Mon Feb 05 21:00:51 2018

Disable committed SSL interstitials for subframes

This change reverts to our current (pre-committed-interstitials) behavior for
cert errors in subframes: a generic net error page instead of the SSL
interstitial.

As mentioned in the bug, enabling committed SSL interstitials for subframes is
not necessarily a bad idea, but we should do it carefully because we've often
made the assumption that frames don't show interstitials. (In particular, we
should be careful not to introduce clickjackable Proceed links.)

To test manually, open https://example.com and use DevTools to insert a frame
with a cert error, e.g. `var i = document.createElement('iframe');
i.src='https://expired.badssl.com'; document.body.appendChild(i);'

Bug:  808797 
Change-Id: Iaf018e030f62fe6c10e083bd374cc7af37457489
Reviewed-on: https://chromium-review.googlesource.com/902171
Reviewed-by: Carlos IL <carlosil@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534491}
[modify] https://crrev.com/431dafe4c09b182955032dafe7dbecda6f6c5e99/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/431dafe4c09b182955032dafe7dbecda6f6c5e99/chrome/browser/ssl/ssl_error_navigation_throttle.cc

Comment 5 by est...@chromium.org, Feb 5 2018

Status: Fixed (was: Started)

Sign in to add a comment