
Issue 923867

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows, Mac
Pri: 1
Type: Bug
Team-Security-UX




Policy DisableSafeBrowsingProceedAnyway recognised but not applied

Reported by richard....@oaktyres.co.uk, Yesterday (41 hours ago)

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce the problem:
1. Enabled the policy setting to 'DisableSafeBrowsingProceedAnyway' in an OU linked at domain level
2. Verify the policy is picked up in chrome://policy/
3. Test at badssl.com

What is the expected behavior?
That the user would be unable to ignore certificate warnings and select 'proceed anyway'

What went wrong?
User is able to ignore warnings and proceed anyway

Did this work before? N/A 

Chrome version: 71.0.3578.98  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

Issue affecting Windows 7 32-bit VM and macOS 10.14.2 Mojave
 
Attachments: policies(mac).json (1.7 KB), policies.json (4.6 KB)

Comment 1 by pastarmovj@chromium.org, Yesterday (41 hours ago)

Cc: privard@chromium.org kiran@chromium.org pastarmovj@chromium.org
Components: Services>Safebrowsing
Labels: EnterpriseTriaged OS-Mac
Owner: nparker@chromium.org
Nathan, can you take a look at this bug? Looks like the policy to prevent clicking through interstitials might not be working as expected.

Comment 2 by bheenan@chromium.org, Yesterday (35 hours ago)

Status: Assigned (was: Unconfirmed)

Comment 3 by nparker@chromium.org, Yesterday (31 hours ago)

Cc: nparker@chromium.org
Components: -Services>Safebrowsing UI>Browser>Interstitials
Labels: -Pri-2 Pri-1
Owner: carlosil@chromium.org
Summary: Policy DisableSafeBrowsingProceedAnyway recognised but not applied (was: Policy Recognised but not Applied)
The interstitial code looks at pref "safebrowsing.proceed_anyway_disabled." Julian, can you point us to the code that is supposed to set that from policy DisableSafeBrowsingProceedAnyway? I'm not familiar with that part.

--> carlosil, owner of interstitials


Comment 4 by pastarmovj@chromium.org, Today (20 hours ago)

The pref is mapped to the policy correctly and works but the problem is that it only covers Safe Browsing interstitials like Phishing sites e.g. the ones listed here https://testsafebrowsing.appspot.com/ but not SSL related interstitials like the ones at https://badssl.com. 

I guess the solution would be to either document the limitations of this policy or if possible expand its scope to SSL related errors as well.

Comment 5 by carlosil@chromium.org, Today (12 hours ago)

This feels like it's working as intended since the policy is explicitly named "SafeBrowsing". My (uneducated) guess is that covering SSL on the same policy might not be desirable (e.g. you might want to prevent users clicking through SB since those are almost certainly bad sites, but you might have some broken/misconfigured enterprise tool that requires them to click through an SSL warning). I'd say a separate policy for blocking SSL clickthroughs would be better if we want to offer that choice.

Comment 6 by goanuj@google.com, Today (10 hours ago)

Cc: goanuj@google.com

Comment 7 by nparker@chromium.org, Today (9 hours ago)

Cc: -pastarmovj@chromium.org emilyschechter@chromium.org
emilyschechter -- Any thoughts on Julian's comment #4?
