
Issue 808797

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 3
Type: Bug
Team-Security-UX

Blocking:
issue 448486




Committed interstitials: SSL throttle handles subframe requests

Project Member Reported by est...@chromium.org, Feb 3 2018

Issue description

SSLErrorNavigationThrottle::WillFailRequest() doesn't distinguish subframe navigations from main-frame. That means that an interstitial-style error page can show up in a subframe for certificate errors.

This is not necessarily a bad thing, but we should think about it because it was an unintended change. If we're going to keep the behavior, we should use the WebView interstitial styling which shows up better at a smaller size.
 
Summary: Committed interstitials: SSL throttle handles subframe requests (was: Committed interstitial: SSL throttle handles subframe requests)
Blocking: 448486
Owner: est...@chromium.org
Status: Started (was: Available)
Project Member

Comment 4 by bugdroid1@chromium.org, Feb 5 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/431dafe4c09b182955032dafe7dbecda6f6c5e99

commit 431dafe4c09b182955032dafe7dbecda6f6c5e99
Author: Emily Stark <estark@google.com>
Date: Mon Feb 05 21:00:51 2018

Disable committed SSL interstitials for subframes

This change reverts to our current (pre-committed-interstitials) behavior for
cert errors in subframes: a generic net error page instead of the SSL
interstitial.

As mentioned in the bug, enabling committed SSL interstitials for subframes is
not necessarily a bad idea, but we should do it carefully because we've often
made the assumption that frames don't show interstitials. (In particular, we
should be careful not to introduce clickjackable Proceed links.)

To test manually, open https://example.com and use DevTools to insert a frame
with a cert error, e.g. `var i = document.createElement('iframe');
i.src='https://expired.badssl.com'; document.body.appendChild(i);`

Bug:  808797 
Change-Id: Iaf018e030f62fe6c10e083bd374cc7af37457489
Reviewed-on: https://chromium-review.googlesource.com/902171
Reviewed-by: Carlos IL <carlosil@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534491}
[modify] https://crrev.com/431dafe4c09b182955032dafe7dbecda6f6c5e99/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/431dafe4c09b182955032dafe7dbecda6f6c5e99/chrome/browser/ssl/ssl_error_navigation_throttle.cc

Status: Fixed (was: Started)
