Having issues with Content Blocking.


Jamison, Eliza (NIH/NCI) [C]

Mar 18, 2021, 12:08:52 PM
to securi...@chromium.org

Some of my users use an Atlassian Wiki application that has links to an external file share that serves pages with IIS. Right now no office document links can be opened any more, only PDFs. The file server pages are https… and we set up an auto redirect to HTTPS for any requests. Do you have any more documentation on this for IIS? Chrome is controlled by enterprise group policy and I doubt we can add InsecureContentAllowedForUrls.

Any guidance will be greatly appreciated.

Eliza Jamison

Applications Administrator

National Cancer Institute at Frederick

Computer & Statistical Services

301-846-7406

Joe DeBlasio

Mar 18, 2021, 12:59:06 PM
to Jamison, Eliza (NIH/NCI) [C]
(security-dev@ to BCC)

Hi Eliza,

Chrome blocks insecure downloads from secure pages (like the NCL wiki) if any HTTP URL was used along the way, even if the HTTP server redirects HTTP to HTTPS. You can read more in the original announcement.

In your case, if I had to guess from that error message, I suspect that the page on the wiki that has the download link links to something like "http://cs-fs-02.nih.gov.../Sample%20Detailsb.docx", and then the cs-fs-02 server is redirecting to the https:// URL shown in the message. If that's right, then you need to change the links in the wiki page to directly link to https to avoid blocking.

If my guess is wrong (for instance, if the wiki download page links to an https URL), then that https URL is redirecting to an http URL and you'll have to get that server reconfigured. You can see exactly what's happening by opening up the "Network" pane in DevTools, then clicking on the download link, and looking through the list of requests for HTTP-based URLs. Importantly, you can't rely on reconfiguring the HTTP server to respond differently to requests -- you have to stop the user from hitting the HTTP URL in the first place (so have to reconfigure whatever system provided the HTTP URL).

Does that make sense?

Joe
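
The check described in the reply above, as an added example that is not part of the original thread: it collects the links on a page and flags any whose redirect chain touches an `http://` URL, reporting whether the page link or a server redirect needs fixing. It is a simplified model of the rule as stated in the reply, not Chrome's implementation; the hostnames, page markup and redirect table are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data: a wiki page body and the redirects each server issues.
WIKI_PAGE_HTML = """
<a href="http://files.example.test/docs/report.docx">Report</a>
<a href="https://files.example.test/docs/plan.xlsx">Plan</a>
<a href="https://files.example.test/docs/manual.pdf">Manual</a>
"""
REDIRECTS = {
    "http://files.example.test/docs/report.docx":
        "https://files.example.test/docs/report.docx",
    "https://files.example.test/docs/plan.xlsx":
        "http://cdn.example.test/plan.xlsx",
}


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in the page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


def redirect_chain(url, redirects, max_hops=10):
    """Follow the redirect table offline; max_hops guards against loops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def audit_links(page_html, redirects):
    """Return (link, first_http_hop, where_to_fix) for each affected link."""
    collector = LinkCollector()
    collector.feed(page_html)
    findings = []
    for link in collector.links:
        chain = redirect_chain(link, redirects)
        insecure = [u for u in chain if urlsplit(u).scheme == "http"]
        if insecure:
            # HTTP on the first hop: fix the page link. Later hop: fix the server.
            fix = "wiki link" if insecure[0] == chain[0] else "server redirect"
            findings.append((link, insecure[0], fix))
    return findings
```

In a real audit the redirect table would come from the request list in the DevTools "Network" pane mentioned in the reply.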

PhistucK

Mar 18, 2021, 4:09:29 PM
to Joe DeBlasio, Jamison, Eliza (NIH/NCI) [C], security-dev

Will an Upgrade-Insecure-Requests: 1 HTTP response header be a workaround in this case?

PhistucK

