Chromium now blocking mixed-content iframes by default


Chris Evans

May 24, 2013, 9:08:14 PM
to chromium-dev, Tom Sepez
Hi,

With Chrome 29, we're continuing to lock down on the problem of mixed content security bugs in web pages.

We started this war and failed to launch back in Chrome 14: http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html
We finally launched in Chrome 19 and got a refined UI in place for Chrome 21: http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html

For Chrome 29, we'll be blocking mixed-content iframes by default (in addition to existing blocks on script, CSS and plug-in loads). This will bring us mostly in sync (date wise and implementation wise) with Firefox's plans, due to land in Firefox 23: https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/

If you find any websites which don't work well with this change, you can e-mail me or assign a bug to me and I'll try and get the website to fix itself (it's likely already broken in modern IE, FWIW, so we're not expecting droves of issues). Google Reader's embedded videos are a known issue, but Google Reader's retirement date of Jul 1st 2013 is before Chrome 29 and Firefox 23 will hit the stable channel.


Cheers
Chris

Konstantin Welke

Nov 9, 2013, 6:03:57 AM
to chromi...@chromium.org, Tom Sepez
Hi!

With Chrome 29, we're continuing to lock down on the problem of mixed content security bugs in web pages.
 
For Chrome 29, we'll be blocking mixed-content iframes by default (in addition to existing blocks on script, CSS and plug-in loads). This will bring us mostly in sync (date wise and implementation wise) with Firefox's plans, due to land in Firefox 23: https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/

Sorry for the very late reply - but this breaks launching custom protocol handlers via iframe, e.g. <iframe src="ssh://...">. 

The only other browser that I know of that considers custom protocols in iframes "mixed content" is IE 8 (and below). Safari, Firefox and IE9+ just launch the application (after asking the user, if appropriate).

Was this on purpose? Should I file a bug and assign to you?

Thanks in advance for your time and efforts!

Cheers,
Kosta

Adam Barth

Nov 10, 2013, 10:26:29 PM
to konstant...@citrix.com, chromi...@chromium.org, Tom Sepez
Yes, please file a bug and CC me.  I can help make sure this issue gets routed to the right folks.  Thanks for contacting us.

Adam
--
Chromium Developers mailing list: chromi...@chromium.org

Konstantin Welke

Nov 11, 2013, 1:25:51 PM
to chromi...@chromium.org, konstant...@citrix.com, Tom Sepez
Hi!

I just re-tested this, the behavior seems to be fixed in a subsequent Chrome 30 release. 

Sorry for the noise!

Cheers,
Kosta

Konstantin Welke

Nov 13, 2013, 12:03:38 PM
to chromi...@chromium.org, konstant...@citrix.com, Tom Sepez
On Monday, November 11, 2013 04:26:29 UTC+1, Adam Barth wrote:
Yes, please file a bug and CC me.  I can help make sure this issue gets routed to the right folks.  Thanks for contacting us.
On Monday, November 11, 2013 19:25:51 UTC+1, Konstantin Welke wrote:
I just re-tested this, the behavior seems to be fixed in a subsequent Chrome 30 release.

Sorry, I made a mistake - the bug is still there.

Could you take a look at this bug? It really breaks important use cases for us.

Thanks in advance!

Cheers,
Kosta

Paweł Hajdan, Jr.

Apr 4, 2014, 9:58:52 AM
to konstant...@citrix.com, chromium-dev, Tom Sepez
Do you mean https://codereview.chromium.org/205213004 and https://codereview.chromium.org/205453003 ?

Thank you for the patches. Please make sure to follow the process from http://dev.chromium.org/developers/contributing-code carefully.

For example, you need to find reviewers and click "Publish+Mail comments" in Rietveld.

Paweł


On Tue, Apr 1, 2014 at 5:49 PM, Konstantin Welke <konstant...@citrix.com> wrote:
Hi, 

we wrote a fix for this bug.

Could you take a look?

--

Michael Snyder

Apr 11, 2014, 9:35:16 PM
to chromi...@chromium.org
This should not happen on the same domain. Please fix.

Konstantin Welke

Apr 23, 2014, 9:53:07 AM
to chromi...@chromium.org, michael....@gmail.com
Michael Snyder wrote:
This should not happen on the same domain. Please fix.

Sorry for the late reply.

This has nothing to do with same-domain vs cross-domain. It's about blocking content from insecure sources (http, ftp) on HTTPS pages.

However, I think that HTTPS pages should still be able to start external applications (ssh, ...), hence this bug report.

Cheers,
Kosta 
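
Added example (not part of the thread and not Chromium's code): a small audit that sorts the iframe sources of a page into the three cases the thread distinguishes, namely secure loads, insecure network loads (http, ftp) on an HTTPS page, and external protocol handlers such as ssh. The function names, the LOCAL scheme list and the sample markup are assumptions made for this illustration.

```javascript
// Schemes the thread names as "insecure sources (http, ftp)".
const INSECURE_NETWORK = new Set(["http:", "ftp:"]);
// Assumption: schemes that never leave the browser are not network loads.
const LOCAL = new Set(["about:", "data:", "blob:", "javascript:"]);

// Simplistic extractor, good enough for the constructed sample below;
// a real audit should walk the DOM or use an HTML parser.
// Requiring whitespace before "src" skips data-src and srcdoc.
const IFRAME_SRC = /<iframe\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function classifyFrame(pageUrl, src) {
  const page = new URL(pageUrl);
  let target;
  try {
    // Resolves relative and protocol-relative ("//host/path") references
    // against the embedding page, so they inherit its scheme.
    target = new URL(src, page);
  } catch {
    return { src, scheme: null, verdict: "unparseable" };
  }
  const scheme = target.protocol;
  let verdict;
  if (scheme === "https:" || LOCAL.has(scheme)) {
    verdict = "ok";
  } else if (INSECURE_NETWORK.has(scheme)) {
    // Only a problem when the embedding page itself is HTTPS.
    verdict = page.protocol === "https:" ? "mixed-content" : "ok";
  } else {
    // ssh:, mailto:, vendor schemes: handed to an external application.
    verdict = "external-protocol";
  }
  return { src, scheme, verdict };
}

function auditIframes(pageUrl, html) {
  return [...html.matchAll(IFRAME_SRC)].map((m) =>
    classifyFrame(pageUrl, m[1] ?? m[2] ?? m[3]));
}

// Constructed sample markup, not taken from any real site.
const SAMPLE_HTML = `
<iframe src="https://video.example/embed/1"></iframe>
<iframe src="http://video.example/embed/2"></iframe>
<iframe src="//cdn.example/widget"></iframe>
<iframe data-src="http://lazy.example/" src="/local/frame.html"></iframe>
<iframe src='ftp://files.example/readme.txt'></iframe>
<iframe src="ssh://host.example"></iframe>
`;
console.log(auditIframes("https://app.example/dashboard", SAMPLE_HTML));
```

Frames reported as "mixed-content" are the ones the announcement says Chrome 29 blocks by default; "external-protocol" frames are the case the bug report in this thread is about.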