Index: components/security_state/core/security_state.cc |
diff --git a/components/security_state/core/security_state.cc b/components/security_state/core/security_state.cc |
index 160c6de8cc13314d23ba9fcaea713f6bd9dce9e2..42f2a5772320baccf2722b370de42e61754612d1 100644 |
--- a/components/security_state/core/security_state.cc |
+++ b/components/security_state/core/security_state.cc |
@@ -147,6 +147,12 @@ SecurityLevel GetSecurityLevelForRequest( |
return DANGEROUS; |
} |
+ // data: URLs don't define a secure context, and are a vector for spoofing. |
+ // Display a "Not secure" badge for all data URLs, regardless of whether |
+ // they show a password or credit card field. |
+ if (url.SchemeIs(url::kDataScheme)) |
+ return SecurityLevel::HTTP_SHOW_WARNING; |
+ |
// Choose the appropriate security level for HTTP requests. |
if (!is_cryptographic_with_certificate) { |
if (!is_origin_secure_callback.Run(url) && url.IsStandard()) { |
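Review bot: The comment on the new `url.SchemeIs(url::kDataScheme)` check states the policy but not why the check must sit exactly here, and that ordering is what a later refactor is most likely to break. It runs after the `return DANGEROUS;` path, so that verdict still takes precedence, and before the HTTP branch, whose visible inner condition requires `url.IsStandard()` and so presumably would not apply to a data: URL. I would add a line such as `// Must stay after the DANGEROUS return and before the HTTP branch: data: URLs are not standard URLs, so the check below would not flag them.` As a smaller style point, the new line returns `SecurityLevel::HTTP_SHOW_WARNING` while the context line above returns unqualified `DANGEROUS`; use one form throughout the function. The body of GetSecurityLevelForRequest starts and ends outside this hunk, so both points should be checked against the full function.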