Some pages flagging as Dangerous on Chrome

[vickytnz]

Bug Report

What is the issue?

When going on some pages they show up as dangerous

What steps are required to reproduce the issue?

Go to any of the pages replicating the nhs website :

• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-healthaz
• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-mentalhealth
• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-livewell
• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-socialcare
• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-pregnancy
• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-nhs-services
• https://nhsuk-prototype-kit.azurewebsites.net/templates/nhsuk-coronavirus-hub

It is possible to bypass them (for now) by clicking the link in show details but still not great.

What was the environment where this issue occurred?

• Device: Macbook
• Operating System: Mac Sequoia
• Browser: Google Chrome

Is there anything else you think would be useful in recreating the issue?

GOV.UK had some issues with login prototype pages in the past, particularly with Chrome

[chrimesdev]

Been having the same issue on Vercel deployed apps (non NHS apps) - looks like Chrome must have changed something recently.

[frankieroberto]

@vickytnz @chrimesdev yeah this happened with some govuk sites and the govuk prototype kit website! 😬

The fix in both cases was to move to an official domain. Hopefully we can do that soon for the NHS Prototype Kit website!

[vickytnz]

err ... won't this just be a problem for anyone doing prototype testing on heroku domains (unless it gets set up with custom prototype domains like HMRC did for a while?) with one login it was so bad that we had to skip pages in testing for a while since once it showed up on one page it blocked the entire prototype

[frankieroberto]

Possibly!? As I understand it, the warning in Chrome is based entirely on unknowable heuristics, so is hard to predict! Possibly prototypes behind a password might be safer (although I think the heuristics run client-side so perhaps not?).

The pages linked to above likely trigger the warning as they're deliberately exact copies of pages on the NHS website. You can report it as a false-positive but not sure how quickly that updates...

Perhaps sticking a 'this is an example page' banner at the top would help?

[frankieroberto]

@vickytnz this seems to have resolved itself somehow - the links no longer flag as dangerous for me in Chrome or Safari, even on the Azure URLs.

In any case, the new nhs.uk should fix it. But we can re-open this again in future if it recurs.