Blocked Mixed content only in popup

[HyksosSowo]

Hi,
One of our web page is loading a http content inside an iframe that is hosted inside a https page.
If I open this webpage from the main Cefsharp page it is working, but if I do it from a popup it's blocked.
In both case it is the exact same html content, only difference is it is loaded inside a popup.

The popup are created by CEF, I return false in the OnBeforePopup, I tried with and without rehosting the popup and it does not change anything.

The error I get:
Mixed Content: The page at 'https://*****' was loaded over HTTPS, but requested an insecure frame 'http://'. This request has been blocked; the content must be served over HTTPS.

When I open it in the main browser I get a warning for the mix content but it still load.
I'm using the setting: allow-running-insecure-content
If I remove this setting it stop working in the main browser window also, so the setting does work but somehow the popup ignore it.

My understanding is that that the settings are global and not per browser window, so is it a bug?

[amaitland]

Does sound like a bug in CEF and a quick search yields https://bitbucket.org/chromiumembedded/cef/issues/2832/allow-running-insecure-content-take-no

Unfortunately it's marked as wontfix so you'll need to find a workaround.

You can try --disable-request-handling-for-testing to disable CEFs network interceptor and see if that helps.

[HyksosSowo]

I tried with disable-request-handling-for-testing and it does not work.
I updated to the latest CefSharp and still not working.

If I remove the allow-running-insecure-content and only keep disable-request-handling-for-testing it does not work in the main browser window neither, so its seens this option does not affect the mixed content check.

I also tried using the flag single-process, it still have the same issue.

If I cancel the popup creation and I create my own popup window it does work, but my popup lose its parent link and the content I'm loading require it this to work, and I do not control that content.

Any others ideas I can try?
I can also check in the CEF code but I'd need to get the general section where the popup are handled.

Thanks

[amaitland]

If you own the http server then generate a self signed certificate and allow the invalid certificate. https://github.com/cefsharp/CefSharp/wiki/General-Usage#option-1-preferred

[amaitland]

There's also https://peter.sh/experiments/chromium-command-line-switches/#unsafely-treat-insecure-origin-as-secure though I suspect you'll have the same issue, might be worth a test if you haven't already.