
Issue 816899


Issue metadata

Status: Duplicate
Merged: issue 615885
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug


upgrade-insecure-requests doesn't seem to be obeyed for redirections

Reported by fel...@gmail.com, Feb 27 2018

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36

Steps to reproduce the problem:
1. Go to https://everlong.org/mozilla/testcase-csp.html with the network monitor open.
2. Look at the requests list.
3. Press play.
4. Look at the requests list again.

The HTML page is as simple as:
```
<!doctype html>
<html>
  <head>
    <meta charset='utf-8'>
    <meta name='viewport' content='initial-scale=1'>
    <meta http-equiv='Content-Security-Policy' content='upgrade-insecure-requests'>
  </head>
  <body>
    <audio
      src='http://rf.proxycast.org/1406104647436869632/15275-27.02.2018-ITEMA_21601361-3.mp3'
      controls></audio>
  </body>
</html>
```

I used a URL that I know exhibits a behavior that makes Chromium behave wrongly. But in case it changes eventually, I describe below in great detail what happens with this URL.

What is the expected behavior?
* We should see only requests with https. But only the last one is actually requested with https (NOTE: in dev edition that last one isn't present).
* This shouldn't play because the first host doesn't work on https. It doesn't play in Firefox for this reason.

What went wrong?
The requested URL is http://rf.proxycast.org/1406104647436869632/15275-27.02.2018-ITEMA_21601361-3.mp3

Chromium properly requests the https version of it.

But then that URL redirects to http://podcast-redirect.radiofrance.fr/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3. Chromium doesn't automatically upgrade this redirection to https. If Chromium did it, it wouldn't work because that website doesn't listen to https.

This HTTP URL redirects itself to http://media.radiofrance-podcast.net/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3. Again Chromium doesn't upgrade this insecure request to https.

But it does it when pressing play.

Here is the list of requested URLs:
* https://everlong.org/mozilla/testcase-csp.html
* https://rf.proxycast.org/1406104647436869632/15275-27.02.2018-ITEMA_21601361-3.mp3
* http://podcast-redirect.radiofrance.fr/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3
* http://media.radiofrance-podcast.net/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3
* https://media.radiofrance-podcast.net/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3 (after pressing play)

NOTE: this last URL isn't present in v66 (dev edition).

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 64.0.3282.119  Channel: n/a
OS Version: Debian Stable
Flash Version:
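As an added illustration (not the reporter's test page and not Chromium code): a small model of how `upgrade-insecure-requests` is supposed to apply to every hop of a redirect chain. In the Upgrade Insecure Requests spec the upgrade step is part of main fetch, and HTTP-redirect fetch re-enters main fetch for each redirect target, so the two http: redirect targets listed above should have been upgraded as well, and the chain should then have failed at the host that does not listen on https. The redirect table and the set of TLS-capable hosts are constructed for this example, modelled on the hosts in the report but not live data; `upgradeOnRedirect` is a hypothetical switch used only to contrast the observed behaviour with the expected one.

```javascript
// Added example, not code from the report or from Chromium.
// Models the redirect chain from the report so the observed and the
// expected application of `upgrade-insecure-requests` can be compared.

// Constructed redirect table: request URL -> Location target, or null for 200 OK.
// Modelled on the hosts in the report; not live data.
const REDIRECTS = {
  'https://rf.proxycast.org/1406104647436869632/15275-27.02.2018-ITEMA_21601361-3.mp3':
    'http://podcast-redirect.radiofrance.fr/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3',
  'http://podcast-redirect.radiofrance.fr/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3':
    'http://media.radiofrance-podcast.net/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3',
  'http://media.radiofrance-podcast.net/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3': null,
  'https://media.radiofrance-podcast.net/podcast09/15275-27.02.2018-ITEMA_21601361-3.mp3': null,
};

// Constructed assumption: hosts that accept an https connection at all.
// The report says podcast-redirect.radiofrance.fr does not.
const HTTPS_CAPABLE = new Set(['rf.proxycast.org', 'media.radiofrance-podcast.net']);

// Spec step "Upgrade request to a potentially trustworthy URL": when the
// document's policy carries upgrade-insecure-requests, rewrite http: to https:.
// The WHATWG URL parser already drops an explicit :80 for http:, so after the
// scheme change the default port becomes 443; any other explicit port is kept.
function upgradeIfInsecure(url, policy) {
  const u = new URL(url);
  if (!policy.upgradeInsecureRequests || u.protocol !== 'http:') return u.href;
  u.protocol = 'https:';
  return u.href;
}

// Follows the constructed redirect table the way a fetch would, recording every
// URL that would actually be requested. `upgradeOnRedirect` is a hypothetical
// switch: false reproduces the behaviour described in the report (only the
// initial request is upgraded), true applies the spec on every redirect hop.
function fetchWithRedirects(startUrl, policy, { upgradeOnRedirect }, table = REDIRECTS) {
  const requested = [];
  let current = upgradeIfInsecure(startUrl, policy); // initial request is upgraded either way
  for (let hop = 0; hop < 20; hop++) {
    requested.push(current);
    const u = new URL(current);
    if (u.protocol === 'https:' && !HTTPS_CAPABLE.has(u.hostname)) {
      // Host does not listen on 443: the upgraded request cannot succeed.
      return { ok: false, error: 'ERR_CONNECTION_REFUSED', requested };
    }
    if (!(current in table)) {
      return { ok: false, error: 'URL not in constructed table', requested };
    }
    const target = table[current];
    if (target === null) return { ok: true, requested };
    // HTTP-redirect fetch hands the Location URL back to main fetch, which is
    // where the upgrade step runs again; the observed behaviour skips it.
    current = upgradeOnRedirect ? upgradeIfInsecure(target, policy) : target;
  }
  return { ok: false, error: 'too many redirects', requested };
}

// Usage: compare the two behaviours on the chain from the report.
const policy = { upgradeInsecureRequests: true };
const start = 'http://rf.proxycast.org/1406104647436869632/15275-27.02.2018-ITEMA_21601361-3.mp3';
const observed = fetchWithRedirects(start, policy, { upgradeOnRedirect: false });
const expected = fetchWithRedirects(start, policy, { upgradeOnRedirect: true });
console.log('observed:', observed); // plays; two plaintext hops in `requested`
console.log('expected:', expected); // fails at https://podcast-redirect.radiofrance.fr
```

The `requested` list in the observed case is exactly the first three entries the reporter captured: one https request followed by two plaintext ones, which is the mixed-content exposure the directive exists to prevent. In the expected case the second hop is upgraded and the fetch fails, matching the reporter's note that Firefox does not play the file.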
 

Comment 1 by fel...@gmail.com, Feb 27 2018

The behavior in Firefox has been very recently changed in https://bugzilla.mozilla.org/show_bug.cgi?id=1435733
Labels: Needs-Triage-M64

Comment 3 by jochen@chromium.org, Feb 28 2018

Cc: est...@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)
Cc: carlosil@chromium.org
Mergedinto: 615885
Status: Duplicate (was: Assigned)
