Enhancement Request: error messages about insecure content

TOMHTML

Nov 21, 2011, 6:37:02 PM
to Google Chrome Developer Tools
Hi Google Chrome / Chromium dev team,

First of all, I'd like to thank you for your great job.

Chrome is good but there is a problem I often get. I work with
different sites, domains, protocols. Sometimes I have to include the
content of a site into another. I know about the same-origin policy
and Chrome, which doesn't allow loading non-HTTPS elements from an HTTPS
site. In the console, the error and warning messages are clear:

- The page at https://secure.com displayed insecure content from
http://insecure.com/logo.png.
- XMLHttpRequest cannot load http://example.com. Origin https://example.net
is not allowed by Access-Control-Allow-Origin.
- Unsafe javascript attempt to access http://url1.com frame with url
http://url2.com. Domains, protocols and ports must match.
- Unable to post message to http://exemple.com. Recipient has origin
http://www.exemple.com.
- ...

These messages are clear but the problem is that you don't know what
is the *real source* of the problem! In which part of the page do I
include the insecure image/frame? Which JavaScript attempts to access
the "unsecured" frame? At which line number?
It would be awesome to get details (in the tooltip? by clicking on the
link?) about that type of problem.

You might think it's not really that useful, but try to debug this
message:
"Unsafe JavaScript attempt to access frame with URL
http://www.youtube.com/embed/lpDQF2lFnBU from frame with URL
http://www.youtube.com/embed/lpDQF2lFnBU. Domains, protocols and ports
must match." Is this an error on my website or on YouTube? It's not
clear and nothing can help.

If you can't do anything because it's not your job, please feel free
to share this post with your colleagues in charge of development of the
Console.

Thanks in advance and keep up the good work!
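An added example, not part of the original post: a static scan that answers the "at which line number?" question for the mixed-content case by listing every `http://` subresource an HTTPS page references, plus the scheme/host/port comparison behind the other console messages. The names `findMixedContent` and `sameOrigin`, the tag list and the sample page are assumptions made for this sketch; resources injected by script at runtime are not covered.

```javascript
// Added example: locate http:// subresources referenced by an HTTPS page.
// Tag list, function names and sample page are assumptions for this sketch.
const SUBRESOURCE_ATTR = new Map([
  ["img", "src"], ["script", "src"], ["iframe", "src"], ["embed", "src"],
  ["audio", "src"], ["video", "src"], ["source", "src"], ["object", "data"],
]);

// An origin is scheme + host + port, the triple the console messages compare.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function findMixedContent(pageUrl, html) {
  const findings = [];
  // Only a page served over HTTPS can contain "mixed" content.
  if (new URL(pageUrl).protocol !== "https:") return findings;
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = SUBRESOURCE_ATTR.get(tag);
    if (!attr) continue;
    // Require whitespace before the attribute so data-src is not mistaken for src.
    const am = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']?([^"'\\s>]+)`, "i").exec(m[2]);
    if (!am) continue;
    let resolved;
    // Resolve relative and protocol-relative references against the page URL.
    try { resolved = new URL(am[1], pageUrl); } catch { continue; }
    if (resolved.protocol !== "http:") continue;
    const line = html.slice(0, m.index).split("\n").length; // 1-based line of the tag
    findings.push({ line, tag, attr, url: resolved.href });
  }
  return findings;
}

// Constructed sample page reusing the hostnames from the console messages above.
const SAMPLE_PAGE = [
  "<html><body>",
  '<img src="/local.png">',
  '<img src="http://insecure.com/logo.png">',
  '<script src="//cdn.example.net/app.js"></script>',
  '<iframe src="http://url2.com/"></iframe>',
  "</body></html>",
].join("\n");

console.log(findMixedContent("https://secure.com/", SAMPLE_PAGE));
console.log(sameOrigin("http://exemple.com", "http://www.exemple.com"));
```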

Vsevolod Vlasov

Nov 21, 2011, 7:34:32 PM
to TOMHTML, Google Chrome Developer Tools
Hi,

Thank you for your report. We already have this issue tracked here: http://code.google.com/p/chromium/issues/detail?id=88885
You can star this issue to receive updates on the progress.

Thank you,
Vsevolod
--
Thank you,
Vsevolod Vlasov (vse...@google.com)

TOMHTML

Nov 21, 2011, 7:47:33 PM
to Google Chrome Developer Tools
Thank you Vsevolod!
I'm now tracking this issue, hoping it will be fixed soon!
By the way, I was also expecting to see at least a trace of the
attempt to download insecure content in the chrome://net-internals/#events
tab. This might be absolutely logical but I'm not sure. So perhaps the
attempt could also be logged, even if it's not as important as the
previous issue.
Have a nice day!

Vsevolod Vlasov

Nov 21, 2011, 8:29:18 PM
to TOMHTML, Google Chrome Developer Tools
chrome://net-internals/#events shows activity on Chromium's network stack.
Cross-origin requests are stopped at the WebKit level, so they never get to the network stack.
Unfortunately you will not be able to see them.

TOMHTML

Nov 21, 2011, 8:59:08 PM
to Google Chrome Developer Tools
Thank you again for this great, simple and efficient explanation,
it's what I expected.
Keep up the good work!
