Open djcater opened 4 years ago
We could probably add this as a test case rather than a new subdomain.
A quick sketch: `common/test/insecure-download/index.html`, with an `<a href="http://http.badssl.com/test/insecure-download/example.exe" download>HTTP EXE download</a>` link in there, or similar for each category of file. It feels easier to do this with example files rather than setting up more nginx configuration (but if we need to explicitly set up the mime-types we can do that and explicitly mark them as nosniff).
That way users could load the test case for any TLS configuration test: to test the mixed downloads that would be https://badssl.com/test/insecure-download/, and for non-blocked insecure downloads it would be http://http.badssl.com/test/insecure-download/.
Chrome has tests for malicious downloads at test safe browsing appspot, but not for an insecure one.
As per the Chromium plan to block insecure downloads: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1
This wouldn't appear in the dashboard test, as it needs to trigger a download, but, as a separate test that can be done manually, I think it would be helpful.
This could be done by having a new HTTPS page which has a link to an "exe" file hosted on the HTTP endpoint. The .exe file could actually just be some plain text content served as application/octet-stream for example.
There are multiple cases on the Chromium page, covering executables, archives, images, etc., but I think just one example to start with would be useful.
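As an added example (not code from the badssl.com issue or repository), here is a small offline checker for the test page sketched in the thread. It parses the `<a download>` links out of an `index.html`, classifies each one against the page it is embedded in using the two cases described above (an `http:` download on an `https:` page is a mixed download; an `http:` download on an `http:` page is a plain insecure download), and verifies that the example file is served as `application/octet-stream` with `X-Content-Type-Options: nosniff` so a plain-text body cannot be sniffed into some other type. The sample page, file names and response headers are constructed for the example; only the two hostnames and the `/test/insecure-download/` path come from the thread.

```python
"""Offline checker for an insecure-download test page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page modelled on the sketch in the thread. The hostnames
# and path are from the thread; the example file names are assumptions.
SAMPLE_PAGE_URL = "https://badssl.com/test/insecure-download/"
SAMPLE_HTML = """
<html><body>
<a href="http://http.badssl.com/test/insecure-download/example.exe" download>HTTP EXE download</a>
<a href="http://http.badssl.com/test/insecure-download/example.zip" download>HTTP ZIP download</a>
<a href="/test/insecure-download/example.exe" download>HTTPS EXE download</a>
<a href="https://badssl.com/">Home</a>
</body></html>
"""

# Headers the example file should carry: a generic binary type (the body may
# really be plain text) and nosniff so the browser does not re-type it.
REQUIRED_HEADERS = {
    "content-type": "application/octet-stream",
    "x-content-type-options": "nosniff",
}

# Constructed response headers: a correct response, and one where the server
# guessed text/plain for the plain-text body and sent no nosniff header.
GOOD_HEADERS = {"Content-Type": "application/octet-stream",
                "X-Content-Type-Options": "nosniff"}
BAD_HEADERS = {"Content-Type": "text/plain"}


class DownloadLinkParser(HTMLParser):
    """Collects the href of every <a> element carrying the download attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)  # a bare `download` attribute parses as value None
        if "download" in attrs and attrs.get("href"):
            self.links.append(attrs["href"])


def download_links(html):
    """Return the hrefs of all download links in the page, in document order."""
    parser = DownloadLinkParser()
    parser.feed(html)
    return parser.links


def classify(page_url, href):
    """Classify a download link relative to the page that embeds it.

    'mixed'    - https page, http download (what Chrome's blocking targets)
    'insecure' - http page, http download (not blocked, still unprotected)
    'secure'   - https download
    'other'    - any non-http(s) scheme
    """
    page_scheme = urlsplit(page_url).scheme
    link_scheme = urlsplit(urljoin(page_url, href)).scheme  # resolves relative hrefs
    if link_scheme == "https":
        return "secure"
    if link_scheme != "http":
        return "other"
    return "mixed" if page_scheme == "https" else "insecure"


def header_problems(headers):
    """Return a list of problems with the headers of an example-file response."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    for name, expected in REQUIRED_HEADERS.items():
        actual = lowered.get(name)
        if actual is None:
            problems.append(f"missing {name}")
        elif actual.split(";")[0].strip().lower() != expected:  # ignore parameters like charset
            problems.append(f"{name} is {actual!r}, expected {expected!r}")
    return problems


def report(page_url=SAMPLE_PAGE_URL, html=SAMPLE_HTML):
    """Map every download link on the page to its classification."""
    return {href: classify(page_url, href) for href in download_links(html)}


if __name__ == "__main__":
    for href, kind in report().items():
        print(f"{kind:9} {href}")
    print("good headers:", header_problems(GOOD_HEADERS) or "ok")
    print("bad headers: ", header_problems(BAD_HEADERS))
```

Running `report()` with the sample page URL swapped to `http://http.badssl.com/test/insecure-download/` turns the two `http:` links from `mixed` into `insecure`, which is exactly the distinction between the two manual test URLs proposed above.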