Default 404 response results in "Your connection to this site isn't secure" error

[danroth27]

The default 404 response returned when a request isn't handled results in a "Your connection to this site isn't secure" error in browsers. Is that expected?

Repro steps:

• In VS create an empty ASP.NET Core web app
• Run it and browse to an address path that doesn't exist

Expected result: 404 with no security warning
Actual result:

[Tratcher]

What's the explanation if you click on that message?

[DamianEdwards]

[DamianEdwards]

From app's logs the requests are both on Tls connections from Kestrel's point of view:

dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[39]
      Connection id "0HMQDODVBSJBE" accepted.
dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[1]
      Connection id "0HMQDODVBSJBE" started.
dbug: Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware[3]
      Connection 0HMQDODVBSJBE established using the following protocol: Tls13
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:7134/test - - -
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1000]
      No candidates found for the request path '/test'
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[2]
      Request did not match any endpoints
info: Microsoft.AspNetCore.Builder.ApplicationBuilder[1]
      Request reached the end of the middleware pipeline without being handled by application code. Request path: GET https://localhost:7134/test, Response status code: 404
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:7134/test - 404 0 - 4.1177ms

[DamianEdwards]

This is really strange.

Here's my app:

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.MapGet("/", () => "Hello World!");

app.MapGet("/404", (HttpContext context) =>
{
    context.Response.StatusCode = 404;
    return Task.CompletedTask;
});

app.Run();

Here's the result in the browser. The one that's a 404 from Kestrel is "insecure". The one from the request pipeline is fine.

[Tratcher]

Here's the result in the browser. The one that's a 404 from Kestrel is "insecure". The one from the request pipeline is fine.

I see both as insecure. In fact, any 4xx or 5xx response without a response body is flagged as insecure. Responses with a body are considered secure. This is consistent in Chrome and Edge.

[DamianEdwards]

I see both as insecure.

I do too as of this morning. I'm assuming this is a browser issue then.

[ericlaw1979]

This is https://bugs.chromium.org/p/chromium/issues/detail?id=757279. Tl;dr: It's a known issue, of very low priority. If you want to avoid it, return some content on the error page rather than sending an empty body.