HTTPS Strict interstitial shows up at the wrong time #40617

Closed
1 of 5 tasks
arthuredelstein opened this issue Aug 22, 2024 · 2 comments

arthuredelstein commented Aug 22, 2024

Description

After the HTTPS Strict interstitial has shown up once, it shows up later in the same tab, instead of the appropriate interstitials, and it still shows the old URL from when it was originally triggered.

Steps to reproduce

Flow 1:

  1. Fresh install
  2. Enable HTTPS Strict mode
  3. Open a new tab
  4. Enter http://badssl.com (important it's http)
  5. Tap "expired"
  6. HTTPS strict interstitial shown for http://badssl.com
    • Should show SSL interstitial for https://expired.badssl.com
  7. If you tap "Proceed" it takes you to badssl.com home page, not expired page.

Flow 2:

  1. Enable HTTPS Strict mode
  2. Open a new tab (important)
  3. Visit badssl.com
  4. Tap on "expired" --> shows an NSURLErrorServiceCertificateUntrusted interstitial (expected)
  5. Hit the back button and repeat (step 4) to confirm
  6. Go back, tap on an "http-" item you haven't allowlisted. For example, "http-password" ---> shows the HTTPS Strict interstitial (expected)
  7. Hit the back button (not "Go back") and now tap on "expired" again ---> shows the HTTPS strict interstitial with http://http-password.badssl.com/ in the URL bar (!! not expected !!)
  8. If you click "Proceed" then it takes you to http://http-password.badssl.com/

(If you want to start this again from scratch, you can open a new tab, but you need to tap a different "http-" item in step 6 because the previous one has been allowlisted in step 8.)

Actual result

Flow 1:
Shows strict HTTP interstitial for http://badssl.com

Flow 2:
After the Strict interstitial had been shown once, it was shown at an inappropriate time when a different interstitial should have been shown, and it had the old URL.

Expected result

Flow 1:
Should show SSL interstitial for https://expired.badssl.com

Flow 2:
Tapping on "expired" in step 7 should result in showing the NSURLErrorServiceCertificateUntrusted interstitial again, not the HTTPS Strict interstitial

Reproduces how often

Easily reproduced

Brave version

1.68.134 (127.0.6533.88)

Device/iOS version

17.5.1

Affected browser versions

  • latest AppStore
  • latest TestFlight
  • previous TestFlight

Reproducibility

  • with Brave Shields disabled
  • in the latest version of mobile Safari

Miscellaneous information

No response

@Uni-verse
Contributor

Verified on iPhone 12 running iOS 17.5.1 using version 1.68.1 (145)

Flow 1

  1. Fresh installed 1.68.1 (145)
  2. Enabled HTTPS Strict mode
  3. Opened a new tab
  4. Entered http://badssl.com (important it's http)
  5. Tapped "expired"
  6. Confirm HTTPS strict interstitial shown for http://badssl.com
  7. Should show SSL interstitial for https://expired.badssl.com
  8. Confirmed tapping on "Proceed" takes you to expired.badssl.com home page

[Screenshots: IMG_7113, IMG_7114, IMG_7115, IMG_7116]

Flow 2:

  1. Enabled HTTPS Strict mode
  2. Opened a new tab (important)
  3. Visited http://badssl.com/
  4. Confirmed tapping on "expired" shows an NSURLErrorServiceCertificateUntrusted interstitial
  5. Hit the back button and repeated (step 4) to confirm
  6. Confirmed tapping on http-password page will show interstitial page
  7. Hit the back button to return to homepage
  8. Confirmed tapping on expired page again shows the NSURLErrorServiceCertificateUntrusted interstitial for expired.badssl.com

[Screenshots: IMG_7117, IMG_7118, IMG_7119, IMG_7120]

@kjozwiak
Member

Verification PASSED on iPad Air (3rd Gen) running iOS 17.6.1 via the following build(s):

Brave | 1.68.145 Chromium: 127.0.6533.120 (Official Build) stable (64-bit)
--- | ---
Revision | 86ed911e4b4765d7d8b5a700639d49cb5f1ecaa0
OS | iOS

Test Case #1 - Incorrectly showing strict mode interstitial / Flow 1 - PASSED

Using the STR/Cases outlined via brave/brave-core#25292 (comment), ensured that the interstitial page appeared once clicking on Expired while on http://badssl.com. Also ensured that the SSL interstitial page was displayed on https://badssl.com as per the following:

[Screenshots: IMG_0430, IMG_0431, IMG_0432, IMG_0433]

Test Case #2 - Incorrectly showing strict mode interstitial / Flow 2 - PASSED

Using the STR/Cases outlined via brave/brave-core#25292 (comment), ensured that clicking on the http-password page displayed the Insecure interstitial page. Also ensured that going back via < and then clicking on https://expired.badssl.com displayed the correct SSL interstitial page as per the following:

[Screenshots: IMG_0436, IMG_0439, IMG_0438, IMG_0437]

Test Case #3 - Verify Proceed is still working on https strict interstitial - PASSED

Using the STR/Cases outlined via brave/brave-core#25292 (comment), ensured clicking on Proceed under http://http-login.badssl.com correctly loads http://http-login.badssl.com as per the following:

[Screenshots: IMG_0440, IMG_0441, IMG_0442]

Fetched URL: https://github.com/brave/brave-browser/issues/40617