Sites where active mixed content is allowed to load are shown as "Not secure" even when there is no mixed content
Reported by
93m4qau...@gmail.com,
Mar 23 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3378.0 Safari/537.36

Steps to reproduce the problem:
1. Open two tabs with jsfiddle.net. Do not do anything with the second tab until Step 8.
2. In the HTML box in the first tab, write: <iframe src="http://www.chromium.org"></iframe>
3. Click Update.
4. Click Run.
5. Click the mixed script indicator in the omnibox.
6. Click "Load unsafe scripts".
7. Close the tab with unsafe scripts loaded.
8. Now, reload the second tab (the tab you haven't touched since Step 1).
9. You can press Ctrl+Shift+I to open Developer Tools, click on the Security tab, and press Ctrl+R to reload the page again.

What is the expected behavior?

What went wrong?
Even though the second tab is not running any unsafe scripts (and the first tab is already closed), it is shown as "Not secure" in the omnibox simply because it is allowed to do so. Under the Developer Tools Security tab, it also says that you have recently allowed non-secure content to run on the site, even though no non-secure or mixed content is mentioned in the console.

Did this work before? N/A

Chrome version: 67.0.3378.0 Channel: canary
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
Mar 26 2018
Unable to reproduce the issue on reported chrome version 67.0.3378.0 using Windows 7 with the below mentioned steps.
1. Launched chrome
2. Navigated to jsfiddle.net in two tabs.
3. In the HTML box of the first tab, wrote: <iframe src="http://www.chromium.org"></iframe>
4. Clicked Update -> Run
5. Clicked the mixed script indicator in the omnibox.
6. Clicked "Load unsafe scripts".
7. Closed the current tab and refreshed the second tab.
8. Opened Devtools -> Security tab -> Reloaded the page.

We didn't observe any "Non-secure" sites. Attaching the screenshot of the same.

@Reporter: Could you please have a look at the screenshot and let us know if we have missed anything in the process. Please check the same in a new profile without any apps and extensions and let us know if the issue still persists. Thanks!
Mar 26 2018
The reporter's screenshot shows chrome-extension:// origins being marked as insecure which means we need to install those extensions to reproduce the bug. It's not even clear if the bug is caused by Chrome or by those extensions. Without extensions I can reproduce the buggy behavior only in old Chrome 51-59.
Mar 27 2018
Just retested in the latest raw Chromium build (from download-chromium.appspot.com), with no extensions and no flags. The issue is still reproducible.
Mar 27 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
The bug is reproducible only if "Strict site isolation" is enabled in chrome://flags
Mar 27 2018
I can reproduce the issue with site isolation disabled.
Mar 28 2018
Finally nailed it, here's a simplified instruction, the important step is 2:
1. open https://jsfiddle.net/wOxxOm/zsrsv7r3/
2. duplicate that tab by right-clicking it in the tabstrip
3. click the shield icon in the address bar and "Load unsafe scripts"
4. switch to the original tab

Expected: green "JSFiddle, Ltd" is shown before URL
Observed: red "Not secure" is shown before URL

As you can see no unsafe scripts are running (the iframe in the bottom right corner is empty), but the tab is shown as insecure. Looks like tab duplication does not create a new security context or a site instance etc. The bug is observed since at least Chrome 36, including current Canary.
Apr 4 2018
Able to reproduce the issue on reported chrome version 67.0.3378.0 (as per comment #9) and on the latest chrome version 67.0.3387.0 using Windows 10, Mac 10.12.6 and Ubuntu 14.04. As the issue is seen from M60 (60.0.3112.0), considering it as non-regression and marking it as Untriaged. Thanks!
Apr 6 2018
So to be clear, the bug is if you have two tabs open to the same origin, with one running mixed content and one not, both are shown as 'not secure'? Is that right? Emily - is this an intentional thing? Assigning to you to triage.
Apr 6 2018
Correct.
Apr 7 2018
Thanks for the report! This is WAI. Once we load active mixed content, we keep the downgraded security indicator for the same site when it is running in the same renderer process. Please see the duped bug (issue 24152) for some more discussion about why this is the case. I do think it would be reasonable to consider changing this behavior, but very few people use the mixed content shield and we would like to get rid of it altogether, so we're probably not going to invest any time in this right now.
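
A simplified model of the behaviour described in the last comment, added here as an illustration; it is not Chromium source and not part of any comment in the thread. The class and function names, the process ids, and the assumption that a duplicated tab shares its renderer process with the original are hypothetical.

```cpp
// Simplified model of the bookkeeping described in the thread (hypothetical
// names, not Chromium source): the browser records that a host ran active
// mixed content in a given renderer process, and every tab that matches the
// same (host, process) pair shows the downgraded indicator.
#include <set>
#include <string>
#include <utility>

struct Tab {
    std::string host;  // host of the top-level page
    int renderer_id;   // renderer process that hosts the tab
};

class InsecureContentState {
public:
    // The user clicked "Load unsafe scripts" in this tab.
    void AllowAndRun(const Tab& tab) { ran_.emplace(tab.host, tab.renderer_id); }

    // True when the omnibox shows "Not secure" for the tab. The record is
    // per (host, process), not per tab, so closing the tab that ran the
    // content does not clear it.
    bool IsDowngraded(const Tab& tab) const {
        return ran_.count(std::make_pair(tab.host, tab.renderer_id)) > 0;
    }

private:
    std::set<std::pair<std::string, int>> ran_;
};

// Scenario from the thread: the duplicate allows mixed content, then the
// original tab is inspected. Assumption: duplication reuses the renderer.
bool OriginalDowngradedAfterDuplicateAllows() {
    InsecureContentState state;
    Tab original{"jsfiddle.net", 7};  // constructed process id
    Tab duplicate = original;
    state.AllowAndRun(duplicate);
    return state.IsDowngraded(original);
}

// Same host in a different renderer process keeps its normal indicator.
bool FreshProcessDowngraded() {
    InsecureContentState state;
    state.AllowAndRun(Tab{"jsfiddle.net", 7});
    return state.IsDowngraded(Tab{"jsfiddle.net", 8});
}
```

Keying the record on the process rather than the tab is what makes the indicator in an untouched tab change: it reports what the shared renderer was permitted to run, not what that tab's page currently contains.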
Comment 1 by vamshi.kommuri@chromium.org, Mar 23 2018