HTTP/2 pushed resources are ignored when using untrusted HTTPS certificates
Reported by
ba...@tunetheweb.com,
Mar 22 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Create a self-signed certificate
2. Set up an HTTP/2 web server locally using that certificate
3. Push a resource for the home page
4. Visit https://localhost
5. Skip past certificate error to load the page
6. Note the pushed resource is NOT marked as "Push/Other" in Network developer tools Initiator column and is fetched as a regular resource.
7. Add the self-signed certificate to your trust store
8. Restart Chrome and load the page
9. Note there is no certificate error.
10. Note the pushed resource IS not marked as "Push/Other" in Network developer tools Initiator column
11. Removing the certificate from the trust store means Push is not accepted again.

What is the expected behavior?
Pushed resources should be used even over untrusted certificates (other non-pushed resources are, and the user has chosen to skip past the certificate warning).

What went wrong?
The pushed resource is received by the browser, as can be seen in the attached net-internals log (Push Promise and the actual Header and Data frames). However, it is ignored and the resource is fetched again.

I can perhaps understand that you may not want to accept pushed resources for untrusted HTTPS connections, but I think it is confusing, especially to developers using untrusted self-signed certificates to develop on locally. Additionally, localhost is usually accepted as a secure origin over HTTP, so should the same be true over self-signed HTTPS?

There should at least be a warning in the console log and/or net-internals to state that the pushed resource is ignored in this situation. Also, perhaps additionally the push promise frame should be rejected in this case?

Did this work before? N/A

Chrome version: 65.0.3325.181 Channel: stable
OS Version: 10.0
Flash Version:
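A server-side way to observe the behaviour reported above, as an added example that is not part of the original report and not Chrome's or Node.js's own code: a Node.js HTTP/2 server pushes a stylesheet and logs when the client requests that same path itself on the same session. The path `/style.css`, port 8443, the `PushTracker` helper and the key/certificate file arguments (`node push-check.js key.pem cert.pem`) are assumptions.

```javascript
const http2 = require('http2');
const fs = require('fs');
const PUSHED_PATH = '/style.css'; // hypothetical pushed resource (assumption)
const CSS = 'body { font-family: sans-serif }';

// Remembers which paths were pushed on each HTTP/2 session and records any
// later request for one of them on the same session (the push went unused).
class PushTracker {
  constructor() { this.pushed = new WeakMap(); this.refetched = []; }
  recordPush(session, path) {
    if (!this.pushed.has(session)) this.pushed.set(session, new Set());
    this.pushed.get(session).add(path);
  }
  // Returns true when `path` had already been pushed on this session.
  recordRequest(session, path) {
    const paths = this.pushed.get(session);
    const hit = paths !== undefined && paths.has(path);
    if (hit) this.refetched.push(path);
    return hit;
  }
}

function createServer(tlsOptions, tracker) {
  const server = http2.createSecureServer(tlsOptions);
  server.on('stream', (stream, headers) => {
    const path = headers[':path'];
    if (path === PUSHED_PATH) {
      // A request here after a push on this session means the push was not used.
      if (tracker.recordRequest(stream.session, path)) console.warn(`push not used: ${path}`);
      stream.respond({ ':status': 200, 'content-type': 'text/css' });
      return stream.end(CSS);
    }
    if (path !== '/') { stream.respond({ ':status': 404 }); return stream.end(); }
    stream.respond({ ':status': 200, 'content-type': 'text/html' });
    if (stream.pushAllowed) { // false when the client disabled push in SETTINGS
      stream.pushStream({ ':path': PUSHED_PATH }, (err, push) => {
        if (err) return console.error('push failed:', err.message);
        tracker.recordPush(stream.session, PUSHED_PATH);
        push.respond({ ':status': 200, 'content-type': 'text/css' });
        push.end(CSS);
      });
    }
    stream.end(`<link rel="stylesheet" href="${PUSHED_PATH}"><p>push test</p>`);
  });
  return server;
}

if (process.argv.length === 4) { // start only when key and cert paths are given
  const [key, cert] = process.argv.slice(2).map((f) => fs.readFileSync(f));
  createServer({ key, cert }, new PushTracker()).listen(8443); // port is an assumption
}
```

The tracker is keyed by session, so a request for the pushed path on a different connection is not counted as an unused push.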
Mar 23 2018
Mar 31 2018
I think this bug relates in its core to the discussion here https://bugs.chromium.org/p/chromium/issues/detail?id=110649#c8 and whether or not to (push-) cache resources from origins that are not (yet) trusted.
Mar 31 2018
Duplicate of this issue: https://bugs.chromium.org/p/chromium/issues/detail?id=821492
Apr 1 2018
Apr 17 2018
Same thing on Linux 4.9.0-6-amd64 with Chrome 65.0.3325.181: https://github.com/nodejs/node/issues/19922
Comment 1 by gov...@chromium.org, Mar 22 2018