Origin isn't listed in Security tab
Reported by komm...@googlemail.com, Sep 26
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
1. Open DevTools --> Security tab
2. Go to https://www.verivox.de/risikolebensversicherung/vergleich/?todesfallleistung=100000&subid=risikolebensversicherung
3.

What is the expected behavior?
I expected to see https://ic-frame.asuro.de listed in the Secure Origins because in the Network tab I see requests to this origin which get a HTTP 200 response.

What went wrong?
https://ic-frame.asuro.de isn't listed in the Security tab. I assumed that I find every origin belonging to a request I see in the Network tab also listed in the Security tab.

Did this work before? N/A
Chrome version: 69.0.3497.100
Channel: stable
OS Version: 10.0
Flash Version:

In Version 71.0.3562.0 (Official Build) canary (64-bit) I see the origin listed in "Unknown / canceled" because the domain's certificate is affected by the Symantec distrust.
Sep 27
Able to reproduce the issue on the latest stable 69.0.3497.100 on Windows-10, Mac OS 10.13.6 and Linux Debian Rodete. Seeing similar behavior on canary 71.0.3562.0 as updated in C#0. This is non-regressed behavior, also showing the same on older Chrome version 60.0.3112.20 (screenshot attached). Marking this as Untriaged for further investigation by the respective team.
Sep 29
Those seem to use Symantec certificates, so perhaps they're meant to appear under "insecure", but I don't see a subtree for insecure either.
Sep 29
Is it wise to assign this to Emily while she is on parental leave?
Oct 11
livvie, could you please help figure out what's going on in this bug?
Oct 17
As an update, it looks like the reason they're not showing is that the origins are coming from subframes and not otherwise bubbling up to the top-level frame (attaching a screenshot of the Sources panel). I'll look into why Security panel isn't picking up on these.
Jan 8
Does this bug still reproduce? I don't see any requests to https://ic-frame.asuro.de on the page.
Jan 9
I wasn't able to reproduce it either, for the same reason. I'll mark this as WontFix for now, but we can reopen and take another look if it starts happening again.
Jan 9
The site seems to have changed since October. But on the same site there is another case of the same bug: There is a request to https://a106541357.cdn.optimizely.com/client_storage/a106541357.html but the origin https://a106541357.cdn.optimizely.com isn't listed in the Security tab.
Jan 9
Thanks for the pointer! estark@ could this be related to site isolation?
Jan 9
Ah, thanks for the additional repro!

Livvie: Yeah, site isolation seems like a good theory. I can't reproduce with site isolation disabled in chrome://flags. https://bugs.chromium.org/p/chromium/issues/detail?id=834771 might be related/relevant.

This will probably need some investigation, but I'm somewhat limited because I don't have a build set up right now since getting back from leave. Livvie, some good places to start investigating might be:
- see if _onResponseReceived is getting called in SecurityPanel.js for the missing request
- if not, see if ResponseReceived in NetworkManager.js is getting called (https://cs.chromium.org/chromium/src/third_party/blink/renderer/devtools/front_end/sdk/NetworkManager.js?q=NetworkManager.js&sq=package:chromium&g=0&l=500) and what it's doing. I assume that method must be getting called because the request properly shows up in the network panel, but maybe not?
Comment 1 by vamshi.kommuri@chromium.org, Sep 26