brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Making the Google API & CDN website calls go over secured protocols recursively? #5115

Open nishanthj6 opened 5 years ago

nishanthj6 commented 5 years ago

Description

I'm trying to make an unsecured hosted server (non-SSL based), whose pages are coded to call the standard Google APIs & CDN websites, so that those connections go via encryption.

Steps to Reproduce

For instance say I had included this script below to our hosted server

<style type="text/css">
  @import url(http://fonts.googleapis.com/css?family=Oswald:400,300);
  @import url(http://fonts.googleapis.com/css?family=Open+Sans);
</style>

<section class="divider parallax layer-overlay overlay-deep" data-stellar-background-ratio="0.2"  data-bg-img="http://placehold.it/1920x1280"> ... </section>
<div class="thumb"><img alt="" src="http://placehold.it/270x270" class="img-fullwidth"></div>

<script src="http://maps.google.com/maps/api/js"></script>

By enabling the encrypted connections feature and thereby calling the Google APIs and some other sites connected with the website, it encrypts only the following:

  1. fonts.googleapis.com,
  2. placehold.it, and
  3. the AuthenticationService of the Google Maps API

Actual result:

https://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate?1shttp%3A%2F%2Fsomedomain.org%2F&5shttp%3A%2F%2Fsomedomain.org%2F&callback=_xdc_._l5b8s4&token=72548


and the rest of the calls mentioned below weren't encrypted at all.

http://maps.google.com/maps/api/js

http://maps.google.com/maps-api-v3/api/js/37/6/common.js

http://maps.google.com/maps-api-v3/api/js/37/6/util.js

Expected result:

The below sites should be encrypted: http://maps.google.com/maps/api/js

http://maps.google.com/maps-api-v3/api/js/37/6/common.js

http://maps.google.com/maps-api-v3/api/js/37/6/util.js

Reproduces how often: Every time

Brave version (brave://version info)

Brave 0.62.51 Chromium: 73.0.3683.103 (Official Build) (64-bit) Revision e82a658d8159cabbd4938c1660f9bb00b4a82a23-refs/branch-heads/3683@{#902} OS Windows 10 OS Build 10586.1176

Version/Channel Information:

Other Additional Information:

rebron commented 5 years ago

cc: @fmarier Can you take a look?

fmarier commented 5 years ago

I can reproduce using http://fmarier.com/same-site/brave-browser-5115.html:

Screenshot from 2019-07-05 10-45-06

We are making the following HTTP requests even with HTTPS upgrades turned on:

GET http://maps.google.com/maps/api/js
GET http://maps.google.com/maps-api-v3/api/js/37/6/intl/en_gb/common.js
GET http://maps.google.com/maps-api-v3/api/js/37/6/intl/en_gb/util.js

and that's despite the fact that HTTPS Everywhere includes a rule for maps.google.com.

For comparison, on Firefox using the HTTPS Everywhere extension, the requests to maps.google.com are correctly upgraded to HTTPS:

Screenshot from 2019-07-05 10-54-48

nishanthj6 commented 5 years ago

That sounds great.

Are there any browser add-ons you know of that, when browsing the non-secured (HTTP) version of a website, encrypt only the calls made to CDNs and Google APIs? Because when you are browsing the non-secured (HTTP) version of a website, the HTTPS Everywhere browser extension disables itself after clicking "Open insecure page". But I tested with SKN SSL Enforcer, which doesn't disable itself and thereby makes every Google API call go via encryption. That might be sufficient, but the drawback is that we need to manually include rules for other websites.

By default, loading the non-secured version of a CDN over HTTPS gives rise to an error in the console:

Mixed Content: The page at 'https://somedomain.in' was loaded over HTTPS, but requested an insecure script 'http://code.jquery.com/jquery-migrate-3.0.0.min.js'. This request has been blocked; the content must be served over HTTPS.

@fmarier
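As an added example (not code from this issue, from Brave, or from HTTPS Everywhere), here is a small Python audit a site operator can run over their own markup to find the `http://` subresources described in the report above (`@import` rules, `img` and `data-bg-img` references, `script` tags) and classify them the way the mixed-content console message in the previous comment implies: scripts and stylesheets are blockable on an HTTPS page, images are only optionally blockable. It also emits the `https://` equivalent of each insecure URL so the markup can be fixed at the source rather than relying on a browser upgrade. The sample markup is constructed from the snippet in the report; `cdn.example.test` is a placeholder host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Mixed-content categories (W3C Mixed Content spec): scripts, stylesheets and
# frames are "blockable" (an HTTPS page refuses to load them over http://);
# images are "optionally blockable" (loaded, but the page loses its lock icon).
BLOCKABLE = {"script", "link", "iframe", "css-import"}
OPTIONALLY_BLOCKABLE = {"img"}

# Matches @import url(...) inside a <style> block, with or without quotes.
CSS_IMPORT_RE = re.compile(r"""@import\s+url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.I)


class SubresourceCollector(HTMLParser):
    """Collect (kind, url) pairs for every subresource reference in the markup."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.found.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.found.append((tag, a["href"]))
        # data-bg-img is a theme attribute from the report; the theme's JS turns
        # it into a background image, so treat it as an image load.
        if a.get("data-bg-img"):
            self.found.append(("img", a["data-bg-img"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_IMPORT_RE.findall(data):
                self.found.append(("css-import", url))


def classify(kind, url):
    """Return how an HTTPS page would treat this reference."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return "relative"          # protocol-relative or same-origin: inherits the page scheme
    if scheme != "http":
        return "secure"
    return "blockable" if kind in BLOCKABLE else "optionally-blockable"


def upgrade(url):
    """Rewrite an http:// URL to https://; leave everything else untouched."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def audit(html):
    """Return (kind, url, category, upgraded_url) for every subresource found."""
    p = SubresourceCollector()
    p.feed(html)
    return [(kind, url, classify(kind, url), upgrade(url)) for kind, url in p.found]


def insecure_subresources(html):
    """Only the references that would be mixed content on an HTTPS page."""
    return [row for row in audit(html) if row[2] in ("blockable", "optionally-blockable")]


# Constructed sample markup, adapted from the snippet in the issue description.
SAMPLE = """<style type="text/css">
  @import url(http://fonts.googleapis.com/css?family=Oswald:400,300);
  @import url(http://fonts.googleapis.com/css?family=Open+Sans);
</style>
<section class="divider" data-bg-img="http://placehold.it/1920x1280"> ... </section>
<div class="thumb"><img alt="" src="http://placehold.it/270x270" class="img-fullwidth"></div>
<script src="http://maps.google.com/maps/api/js"></script>
<script src="https://cdn.example.test/ok.js"></script>
"""

if __name__ == "__main__":
    for kind, url, category, fixed in audit(SAMPLE):
        print(f"{category:20} {kind:10} {url} -> {fixed}")
```

Run it against a page's saved HTML; every row marked `blockable` is a reference that an HTTPS deployment would refuse outright (as the jQuery console message shows), so those are the ones to change first, and the `upgraded_url` column is the replacement to put in the markup.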

nishanthj6 commented 5 years ago

For instance, if we are going to surf to e.g. http://www.memo.tv, the extension doesn't connect to https://www.memo.tv/ with SSL enabled.

@fmarier