Chrome Extension injecting iframe - google-chrome

I have my personal Google Chrome extension that adds an iframe to every page.
Now, it worked perfectly until a couple of days earlier.
Now it won't work on HTTPS pages!
The iframe source is HTTP.
The console is reporting:
[blocked] The page at https://example.com ran insecure content from http://mysite.com
Now, I know about the mixed content issue, but it worked perfectly before. Why isn't it working now and how to fix it?
Anyone?
Thanks

Well, a new Chrome update was released a couple of days ago. Check the patch notes from that release if they changed anything security related to make Chrome extensions require both HTTP or both HTTPS, not mixed.

Related

My site goes to login page when loaded in an iframe in chrome 84.0.4147.125

We are trying to load our site in an iframe and the site goes to the login page when checked in Chrome version 84.0.4147.125. The page loads fine in other browsers. Please help in fixing this.
From what I've found researching this, it's related to needing to set the samesite=none header on cookies if it's loaded in an iframe. Since the session id is stored in a cookie, that won't work either. Unfortunately, I haven't found any solution that works with .NET 4.6.2, which is what we're on, so we have to upgrade everything to 4.7.2 to be able to set the cookie's SameSite property.
For reference.
https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite
https://portswigger.net/daily-swig/google-chrome-84-released-next-week-with-revived-samesite-cookie-changes
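The cookie behaviour described in this thread, as an added example that is not part of the original posts: it checks whether a `Set-Cookie` header would still be attached to requests from a cross-site iframe under Chrome's SameSite defaults, and shows the header shape that is. The function names, the cookie value and the idea of rewriting the header at a proxy are assumptions made for illustration.

```javascript
// Added example: constructed Set-Cookie values, not taken from the original posts.
// Models Chrome's SameSite-by-default handling of cookies in cross-site iframes.

// Split a Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const map = new Map();
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    map.set(key, i === -1 ? true : a.slice(i + 1));
  }
  return { name, attrs: map };
}

// Will the browser attach this cookie to requests made from a cross-site iframe?
function crossSiteIframeVerdict(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.get('samesite') || '').toLowerCase();
  if (sameSite === 'none') {
    return attrs.has('secure')
      ? { sent: true, reason: 'SameSite=None with Secure' }
      : { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (sameSite === 'strict' || sameSite === 'lax') {
    return { sent: false, reason: `SameSite=${sameSite} is same-site only` };
  }
  return { sent: false, reason: 'no SameSite attribute, treated as Lax' };
}

// Rewrite a header so the cookie survives embedding (hypothetical proxy-side helper).
function withSameSiteNone(header) {
  const kept = header.split(';').map((s) => s.trim())
    .filter((s) => s && !/^(samesite(=|$)|secure$)/i.test(s));
  return [...kept, 'Secure', 'SameSite=None'].join('; ');
}

// Constructed sample: a session cookie issued without any SameSite attribute.
const legacy = 'ASP.NET_SessionId=abc123; path=/; HttpOnly';
console.log(crossSiteIframeVerdict(legacy));
console.log(withSameSiteNone(legacy));
```

A cookie marked `SameSite=None` is sent on every cross-site request again, so anti-CSRF tokens on state-changing endpoints remain necessary once the session cookie is opened up this way.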

Chrome Forcing HTTPS

Chrome is forcing https (as well as adding https to every internal link) to everything on my site, even though I have https support disabled/don't want to use it.
This occurred after I went to my site's cPanel (which requires you go through https). I changed no settings, and after that Chrome forces it. Only occurring on Chrome (Firefox is working fine), and only on one computer.
Of course, I tried restarting, clearing cache/cookies as well as going to chrome://net-internals and deleting the domain from HSTS. Nothing works.
Any ideas? Thank you
I had the same issue and to all odds it had something to do with my website itself. In my case I'm running WordPress & WooCommerce on my site and it seems like by deactivating WooCommerce my issue was solved. Still not sure how to properly fix this since as soon as I activate WooCommerce again the same issue re-appears. However, at least I know now where the issue is coming from and can dig around further.
I noticed the same issue with WooCommerce 2.3. Earlier versions don't have the same issue. My workaround was to load my site using Internet Explorer {the horror}.

Chrome v. 39 and Content-Security-Policy HTTP header

We recently discovered an interesting bug in the newly released Chrome v.39.
It just crashed with the standard "Aw Snap!" message on every page with an iframe if that iframe loads a page with a Content-Security-Policy HTTP header. This blocked our web-site because we host some third-party ads.
From what I found, the "Content-Security-Policy" header is a W3C standard, and Google Chrome used to support it between the v.25 and v.38 releases. But from now on they don't.
Does anyone know a nice practical solution for this issue? Is there a way to prevent Chrome from crashing without this workaround?
If you want to support Chrome 39/40, I found that adding the protocol in front of the domain would prevent the crash (it's not required in CSP 2.0, but it's better than a crash).
If you want to support Chrome 41, it didn't crash even without the protocol name.
Hope this helps.
In order to fix the issue we had to add logic that sends X-Content-Security-Policy to all but IE and Content-Security-Policy to IE only. This is an ugly code/solution, but at least it stopped crashing.
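The "protocol in front of the domain" workaround from the answer above, as an added example that is not part of the original posts: it rewrites a policy so every host source carries an explicit scheme and reports which entries it changed. The helper names, the sample policy and the choice of `https` as the scheme are assumptions.

```javascript
// Added example: the sample policy below is constructed, not taken from the posts.

// Directives whose value is a list of source expressions.
function isSourceList(name) {
  return name.endsWith('-src') ||
    ['frame-ancestors', 'form-action', 'base-uri'].includes(name);
}

// True for a host source such as "ads.example.com" that carries no scheme.
function needsScheme(src) {
  if (src === '*' || src.startsWith("'")) return false; // wildcard, keyword, nonce, hash
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return false;  // scheme source, e.g. data:
  return !src.includes('://');
}

// Prefix every scheme-less host source and list what was rewritten.
function addSchemes(policy, scheme = 'https') {
  const changed = [];
  const out = policy.split(';').map((d) => d.trim()).filter(Boolean).map((d) => {
    const [name, ...values] = d.split(/\s+/);
    if (!isSourceList(name.toLowerCase())) return d; // e.g. report-uri, sandbox
    const fixed = values.map((v) => {
      if (!needsScheme(v)) return v;
      changed.push(`${name} ${v}`);
      return `${scheme}://${v}`;
    });
    return [name, ...fixed].join(' ');
  }).join('; ');
  return { policy: out, changed };
}

// Constructed policy mixing keywords, scheme sources and bare hosts.
const sample = "default-src 'self'; script-src 'self' ads.example.com " +
  "*.cdn.example.net:443; img-src data: https://img.example.org *; report-uri /csp";
console.log(addSchemes(sample));
```

Pinning the scheme also narrows the policy: a scheme-less host source follows the scheme of the protected page, while `https://host` never permits a plain-HTTP load from that host.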

Webpage displayed in Incognito, not in regular Chrome

So I have been running into this problem with a lot of WordPress sites lately, usually occurring when I am logged in as Admin, so I couldn't post here because no one would be able to view the problem. However, I just found a site that it happens on that doesn't require admin creds.
http://www.otisports.com/
When I visit this site in Chrome (Version 34.0.1847.137 m), it just displays a blank page. No errors, just the (what now seems standard) "event.returnValue is deprecated. Please use the standard event.preventDefault() instead." warning. I have seen that warning signify problems on the site, but they are usually minor, not to the extent that the above URL displays. However, if I open an Incognito window and visit the site, everything works perfectly and there is no warning. Does the Incognito window deal with webpages in a way that is so entirely different that it would cause something like this to happen?
I have been racking my brain trying to figure this out. Can anyone reproduce this? Is it a bug in Chrome?
EDIT: I just tried to open a bounty on this question and the EXACT same thing happened. In regular Chrome, nothing happened when I clicked the "start a bounty" link and I saw various "Undefined is not a function" errors; however, in incognito everything worked perfectly. What gives?!
EDIT: Yes, I have cleared the cache, history, cookies, everything, and I still get the same errors. I can't even post a comment on this question because of errors...
I came across the same issue when trying to open evernote.com. It loaded successfully while using incognito mode in chrome. Let me share how I fixed this even though the original post is way too old. But maybe someone can find it useful.
I'm using chrome (Version 73.0.3683.103 (Official Build) (64-bit)) running on Linux Ubuntu 18.04.2 LTS.
I tried disabling all extensions and clearing browser data/cache but nothing worked. PS: Disabling adblock previously worked for me. Yes, I stumbled over the same issue before and whitelisting evernote in adblock solved the issue. But it didn't now.
The following is what worked for me:
Open developers tools (CTRL + SHIFT + J).
Navigate to Applications tab.
Choose Clear storage from the side menu
Hit Clear site data button.
After reading the comments I dug into chrome and saw there was a bunch of extensions still sitting around that were definitely malware and I thought I had previously deleted. Instead of picking through them one-by-one, I just deleted everything, re-installed Chrome, and now everything works great!
I had the same issue. My application was working in Incognito mode and in Firefox but not in Regular Chrome. I even disabled all the extensions but no luck. I eventually cleared the Cached images and files because on developer console I found out that the regular chrome was still picking up the old file due to caching. So as soon as I cleared it, my app showed up like a rocket :)
Try removing any non-required extension.
Specifically AdBlock
I resolved the problem post that.
Since on Incognito, extensions are disabled, hence the page runs as expected.
I resolved this unforeseen issue using following steps.
CTRL + SHIFT + DEL > Clear Browsing Data.
Cookies and other site data
Cached images and files
This is for Chrome Browser.
Open Console (Ctrl+Shift+I) first.
Then under the application tab, you will find some options on the left, find out the application there, you will find it at the top.
There you will find Service Workers.
Under Service Workers, there will be three checkboxes. Select Update on reload checkbox and reload again.
I had the same issue after installing the React-Sight Extension.
The Page hanged but not in the incognito mode.
Try deleting any recently added or junk extension.
Delete your cache.
That worked for me
I had a similar issue in chrome, in my case the problem was that I could log in to my university library's website only in incognito mode. After some digging, I figured out that Google Translate extension was set to automatically translate any page. When I turned that off and instead selected never translate that specific page, it started working in the usual mode as well.
This is rather an old issue but still happens. None of the solutions recommended here and there solved the issue in my case.
I somehow noticed this is related to some kind of corruption in the user profile.
This is how I solved it:
Close all Chrome browsers.
Open a Google page on Chrome.
Sign out from Google (right click your profile picture on a Google page, not on Chrome itself), and sign in.
If this doesn't work:
Close all Chrome browsers.
Right click Chrome icon and select Google Chrome.
Delete your Google profile on the "select your profile" page.
Close Chrome.
Open Chrome, sign-in.
uBlock Origin was the culprit in my case. Once I allowed the site in uBlock Origin, pages loaded correctly in normal Chrome.

Custom Protocol blocked By Chrome Version 30

When I try to launch a custom protocol from https connection, Chrome version 30 is giving the following error.
[blocked] The page at https://something.com ran insecure content from custom-protocol://somethingelse.com/myapp
Chrome version 29 works fine.
Did anyone come across similar issue?
Is this a new issue/feature in chrome?
Appreciate any response.
Thanks in advance.
I did, and the problem was that I was using https to access the page, the link was in an iframe and most of all, the certificate used in the https was not trusted. After moving to https works fine.
And by the way, it was working in Firefox.
Hope it helps!