chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Need mixed image test that doesn't auto-upgrade to HTTPS #459

Open djcater opened 3 years ago

djcater commented 3 years ago

https://mixed.badssl.com/

In Chrome 86, the http: image is auto-upgraded to https: (https://mixed.badssl.com/image.jpg), which works on the mixed.badssl.com subdomain as it supports https:.

I wanted a test case to see if an http: image gets blocked on an https: page if the image domain doesn't support https:; therefore I can't use this page as a test case for that.

Could we have an example where the image comes from a domain which doesn't support https:?

christhompson commented 3 years ago

Good idea, especially now that Firefox is experimenting with autoupgrade as well. Maybe "mixed-no-upgrade.badssl.com" and it can include the image via http://http.badssl.com/resources/image.jpg instead (which downgrades HTTPS back to HTTP).
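The distinction raised in this thread, as an added example that is not part of the issue or of badssl.com's code: a small model of how an `http:` image on an `https:` page is handled with and without auto-upgrade. The host capability table, the sample markup and the function names are constructed for illustration, `mixed-no-upgrade.badssl.com` is only the name proposed above, and the model assumes a client that does not fall back to `http:` when the upgraded request fails.

```javascript
// Constructed capability table, taken from how the thread describes each host.
const HOSTS = {
  'mixed.badssl.com': 'https-ok',        // image is also reachable over https:
  'http.badssl.com': 'https-downgrades', // https: is sent back to http:
};

// Collect <img src> URLs that resolve to http: on an https: page.
function insecureImages(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // not a mixed-content context
  const found = [];
  const imgSrc = /<img\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(imgSrc)) {
    const u = new URL(m[1], page); // relative URLs inherit https: and are skipped
    if (u.protocol === 'http:') found.push(u);
  }
  return found;
}

// Model of what a client requests for one insecure image.
// Assumption: without auto-upgrade the image loads as passive mixed content;
// with auto-upgrade there is no fallback to http: if https: does not work.
function outcome(imgUrl, autoUpgrade, hosts = HOSTS) {
  if (!autoUpgrade) {
    return { requested: imgUrl.href, result: 'loaded-as-mixed-content' };
  }
  const upgraded = new URL(imgUrl.href);
  upgraded.protocol = 'https:';
  const ok = hosts[upgraded.hostname] === 'https-ok';
  return { requested: upgraded.href, result: ok ? 'loaded-over-https' : 'not-loaded' };
}

// A page only exercises the "image host has no https:" case if every
// insecure image on it fails to load once upgraded.
function testsNoUpgradePath(html, pageUrl, hosts = HOSTS) {
  const imgs = insecureImages(html, pageUrl);
  return imgs.length > 0 &&
    imgs.every((u) => outcome(u, true, hosts).result === 'not-loaded');
}
```
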