View Page Source systematically issues a new GET request if viewing self-signed https page
Reported by
teo8...@gmail.com,
Apr 12 2018
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Example URL: Steps to reproduce the problem: 1. visit a page over https that has a self-signed certificate 2. go to advanced->proceed at my own risk 3. right-click -> View Page Source What is the expected behavior? When you do "view page source", the browser should NEVER, FUCKING EVER make a new request, under any circumstances, full stop. There's no one single case when that is expected or acceptable. It should show you the source of the page that was downloaded when it was displayed. And if for whatever reason you don't have it anymore, then you did something wrong in the first place. And if in some very rare corner cases you have a very good reason for not having the original source anymore, and you are going to make a new request, then you MUST warn the user and ask for confirmation before you do that. What went wrong? a new request is made to load the page again and the source of the reloaded page is shown, which may be completely different from the one of which I asked to view the source code. And no clue is given to the user that this is the case. Does it occur on multiple sites: Yes Is it a problem with a plugin? No Did this work before? N/A Does this work in other browsers? Yes Chrome version: 65.0.3325.181 Channel: stable OS Version: Flash Version: I'm sick of this kind of shit
,
Apr 13 2018
Thanks for filing the issue! Tried checking the issue on reported chrome version 65.0.3325.181 using Ubuntu 14.04 with the below mentioned steps. 1. Launched Chrome 2. Navigated to https://www.badssl.com 3. Clicked on Self-signed under certificate -> advanced -> proceed at own risk 4. Right click on page -> View page source. We are able to see a new tab being opened with a source code. Attaching the screen cast of the same. @Reporter: As we are not very clear about the expected behaviour, could you please have a look at the screen cast and let us know if the attached video has an issue, your confirmation helps us to triage the issue in a better way.
,
Apr 13 2018
> We are able to see a new tab being opened with a source code Yes, but is it it doing a new request to the server? There's no way to tell from your screencast. The whole point of the issue (was it really not clear in the report??) is that "view source" should show the source that was downloaded when displaying the original page, and should not do a new request to the server, and usually it behaves as expected but in the case of self-signed https pages it does do a new request. The only way to tell the difference is either - if the server returns different contents OR - if you have control on the server side and can check (e.g. in access logs) Or via Developer Tools, but since this involves a new tab I never know if I can trust what I see there.
,
Apr 13 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 13 2018
,
Apr 17 2018
teo8976@ Thanks for the update. As per comment #3, as the issue needs to be checked on the server side, adding 'TE-NeedsTriageHelp' label and requesting someone from Blink>ViewSource team to look into the issue and help in further triaging. Thanks..
,
Apr 17 2018
I'm pretty sure this is working as intended and can be closed WontFix. view-source just loads from the HTTP cache and, if uncached, it fetches it fresh. For security reasons, a site with an invalid certificate never goes into the HTTP cache. Storing an extra copy of the original source purely just in case someone hits view-source would not be a good use of memory. If your goal is to look precisely at the current live page, you should use DevTools, which will capture all aspects of it, including what copy of each loaded JavaScript file.
,
Apr 17 2018
> view-source just loads from the HTTP cache and, if uncached... Yeah, I know. That's WRONG, and it is the cause of this and a few other issues with "view source". There's this stupid paradigm that is used in a lot of places in chrome that is: if I need to retrieve something for whatever reason, that I previously downloaded, I just pick it from the http cache. That's STUPID. Things may or may not be stored in the cache according to many criteria (such as security, as you mention, but also other, such as cache-control-related headers etc). If you need under certain conditions to retrieve something that was previously loaded, and it is not guaranteed to be in the http cache under these conditions, then you need to store it somewhere else. > Storing an extra copy of the original source purely just in case someone hits view-source would not > be a good use of memory Well, then you should provide an option in Developer Tools where I can choose to waste memory for the sake of being able to debug stuff. > If your goal is to look precisely at the current live page, you should use DevTools, Yeah but I'm talking about the case where my goal is another one: to see the exact html code that I got from the server. Sometimes, the DOM structure that I can see in DevTools, which is what the browser has interpreted from the html code and may have been manipulated by javascript, is not what I need to see. I can't believe I still have to answer to people telling me to use one or the other as if they were interchangeable. And finally, at the very least, this MUST be fixed: > And if you have a very good reason for not having the original source anymore, > and you are going to make a new request, then you MUST warn the user and ask for confirmation > before you do that. You can't SILENTLY make a new request and show the newly-loaded source without even letting the user know.
,
Apr 17 2018
> Yeah but I'm talking about the case where my goal is another one: to see the exact html code that I got from the server. Sometimes, the DOM structure that I can see in DevTools, which is what the browser has interpreted from the html code and may have been manipulated by javascript, is not what I need to see. I can't believe I still have to answer to people telling me to use one or the other as if they were interchangeable. DevTools -> Sources
,
Apr 17 2018
Oh, interesting. You are still ignoring this part, though: > then you MUST warn the user and ask for confirmation > You can't SILENTLY make a new request [..] without even letting the user know. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by susan.boorgula@chromium.org
, Apr 12 2018