DevTools Security tab shows HTTP pages as broken HTTPS when the HTTP-bad flag is enabled
Reported by
93m4qau...@gmail.com,
Feb 25 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3354.0 Safari/537.36

Steps to reproduce the problem:
1. Open chrome://flags/#enable-mark-http-as and enable the flag.
2. Relaunch Chrome as prompted.
3. Open an insecure HTTP site (not an invalid HTTPS site) such as http://www.chromium.org.
4. Press Ctrl+Shift+I to open Developer Tools.
5. Click on the Security tab.

What is the expected behavior?
Developer Tools reports the page security state as "This page is not secure (unencrypted HTTP)", and in red since the HTTP-bad flag is enabled.

What went wrong?
Developer Tools reports the page security state as "This page is not secure (broken HTTPS)". This is not true, as the page is actually plain HTTP, not broken HTTPS. This is only an issue when the HTTP-bad flag is enabled.

Did this work before? N/A

Chrome version: 66.0.3354.0
Channel: canary
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
Feb 28 2018
Thanks for filing the issue! Unable to reproduce the issue on reported Chrome version 66.0.3354.0 using Windows 10 with the below mentioned steps.
1. Launched Chrome
2. Enabled the flag mentioned in comment#0 and relaunched Chrome
3. Navigated to http://www.chromium.org
4. Opened DevTools -> Security
We didn't observe any text like "This page is not secure (broken HTTPS)". Attaching the screen shot of the same. @Reporter: Could you please have a look at the screen shot and let us know if anything is missed from our end. Any further inputs from your end may help us.
Feb 28 2018
Can you provide a full screenshot with the browser chrome as well, so that I can confirm that the flag is actually enabled?
Mar 1 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 2 2018
93m4qau783 Thanks for the feedback. As per comment #3, attached is the screen shot with the chrome://version showing the flag #enable-mark-http-as Enabled. Request you to please check and confirm if anything is missed from our end, which will help in further triaging. Thanks..
Mar 2 2018
You may need to set the flag to "Always mark HTTP as actively dangerous", so you get a red "Not secure" next to the URL.
Mar 2 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 6 2018
Able to reproduce this issue on Mac 10.13.3, Win-10 and Ubuntu 14.04 using Chrome reported version #66.0.3354.0 and latest canary #67.0.3362.0. This is a non-regression issue as it is observed from M65 old builds, i.e. the flag got introduced in M-65 only. Hence, marking it as untriaged to get more inputs from dev team. Thanks...!!
Mar 12 2018
Mar 12 2018
Sorry, wrong triage. Emily, mind taking a look?
Sep 14
Issue 882202 has been merged into this issue.
Sep 27
See issue 882202 for further repro steps. Assigning to cthomp as estark is away.
Oct 11
Oct 29
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/addf5286b849bdcc235e63e170c948f60cf8892c

commit addf5286b849bdcc235e63e170c948f60cf8892c
Author: Christopher Thompson <cthomp@chromium.org>
Date: Mon Oct 29 22:28:01 2018

Add security summary override for HTTP-Really-Bad

This adds a new summary and sets the explanation for non-secure form edits on HTTP pages in the DevTools security panel.

This fixes a bug where HTTP pages downgraded to the DANGEROUS security level (under the HTTP-Really-Bad changes) would get treated as broken HTTPS instead.

Bug: 816184
Change-Id: I9440a20f970ff4daffd9c3a11a6a5a86a0b39160
Reviewed-on: https://chromium-review.googlesource.com/c/1277650
Reviewed-by: Adrienne Porter Felt <felt@chromium.org>
Commit-Queue: Christopher Thompson <cthomp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#603657}

[modify] https://crrev.com/addf5286b849bdcc235e63e170c948f60cf8892c/components/security_state/content/content_utils.cc
[modify] https://crrev.com/addf5286b849bdcc235e63e170c948f60cf8892c/components/security_state/content/content_utils_unittest.cc
[modify] https://crrev.com/addf5286b849bdcc235e63e170c948f60cf8892c/components/security_state_strings.grdp
Dec 3
Marking this as fixed as I don't think there is anything remaining to do.
Comment 1 by susan.boorgula@chromium.org, Feb 25 2018