christhompson
commented
4 years ago We could probably add this as a test case rather than a new subdomain.
A quick sketch:
- Add
common/test/insecure-download/ - Add an
index.htmlthere that has an<a href="http://http.badssl.com/test/insecure-download/example.exe" download>HTTP EXE download</a>or similar for each category of file.
It feels easier to do this with example files rather than setting up more nginx configuration (but if we need to explicitly set up the mime-types we can do that and explicitly mark them as nosniff).
That way users could load the test case for any TLS configuration test: to test the mixed downloads that would be https://badssl.com/test/insecure-download/, and for non-blocked insecure downloads it would be http://http.badssl.com/test/insecure-download/.
redcatpaw
As per the Chromium plan to block insecure downloads: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1
This wouldn't appear in the dashboard test, as it needs to trigger a download, but, as a separate test that can be done manually, I think it would be helpful.
This could be done by having a new HTTPS page which has a link to an "exe" file hosted on the HTTP endpoint. The .exe file could actually just be some plain text content served as application/octet-stream for example.
There are multiple cases on the Chromium page, covering executables, archives, and images etc. but I think just one example to start with would be useful.