Chrome 136 marks /user/login?redirect_to=%2f as "Dangerous site" — does not occur in other browsers #14439

Closed
opened 2025-11-02 11:12:59 -06:00 by GiteaMirror · 2 comments

Originally created by @DimaFantasy on GitHub (May 2, 2025).

Description

Issue Summary

When accessing the login page at:
https://399221.ddns.net:3000/user/login?redirect_to=%2f
Google Chrome (Version: 136.0.7103.49, official build, 64-bit) shows a warning:

⚠️ Dangerous site — Attackers might trick you into installing software or revealing personal information such as passwords, phone numbers, or credit cards.
This behavior only occurs:

  • In Google Chrome desktop
  • On the login page only
  • With the above URL containing redirect_to=%2f

Other pages (such as /explore, /user/repo, etc.) do not trigger the warning.

Tested and confirmed not reproducible in:

  • Firefox (desktop)
  • Edge (desktop)
  • Chrome for Android

Notes

  • This is a test installation — the URL is temporary and may be taken down soon.
  • HTTPS and SSL certificates (Let's Encrypt) are valid and pass SSL Labs tests.
  • Cache and DNS were cleared; issue persists in incognito mode.

Question

Is it possible that the redirect_to=%2f parameter on the login URL is being flagged by Chrome's Safe Browsing?
Is there anything in Gitea's redirect logic that could be triggering this?

Browser: Google Chrome Version: 136.0.7103.49 (Official Build, 64-bit)
OS: Linux server with Gitea installed (test deployment)

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

Image

Git Version

No response

Operating System

No response

How are you running Gitea?

Gitea was installed manually using the official binary from gitea.io.
It is running as a system service via systemd on a Linux server.

Details:
Installation method: Manual (official Gitea binary)
Service manager: systemd
OS / Distro: Ubuntu 22.04 LTS
Database: SQLite (configured in /etc/gitea/app.ini)
Reverse proxy: No (accessed directly via port 3000 for testing)
HTTPS: Configured using Let's Encrypt certificate
Access URL: https://399221.ddns.net:3000/ (temporary test instance)

Database

None

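The reporter asks whether the `redirect_to` parameter itself could be what Chrome reacts to. A maintainer would answer that by looking at what the login handler is willing to accept as a post-login destination. The following is an added example written for this thread, not Gitea's code and not the reporter's; the function name `SafeLocalRedirect` and the sample inputs are constructed. It shows the check a defender wants on such a parameter: percent-decode it so that `%2f` is judged the same as `/`, then accept only a same-site relative path and reject anything a browser would interpret as a different host or scheme.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeLocalRedirect decides whether a redirect_to value may be used as the
// post-login destination. It accepts only same-site relative paths and
// returns the decoded path to redirect to. The helper and its name are
// illustrative, written for this discussion; it is not Gitea's code.
func SafeLocalRedirect(raw string) (string, bool) {
	// Percent-decode first so that "%2f" and "/" are judged identically and
	// an encoded "%2F%2Fhost" cannot slip past the prefix checks below.
	dec, err := url.QueryUnescape(raw)
	if err != nil {
		return "", false
	}
	// A local destination must start with exactly one "/". "//host" is a
	// protocol-relative URL, and browsers treat "/\host" the same way.
	if len(dec) < 1 || dec[0] != '/' {
		return "", false
	}
	if strings.HasPrefix(dec, "//") || strings.HasPrefix(dec, "/\\") {
		return "", false
	}
	// Control characters and backslashes have no legitimate use in a path;
	// reject them outright rather than trying to normalise them.
	for _, r := range dec {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return "", false
		}
	}
	// Finally parse it as a URL and insist that no scheme, host or
	// userinfo survived the decoding step.
	u, err := url.Parse(dec)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	return dec, true
}

func main() {
	// Constructed sample inputs: the value from the report plus a few
	// shapes a login handler must refuse.
	samples := []string{
		"%2f",
		"/user/repo?tab=issues",
		"//evil.example/",
		"%2F%2Fevil.example",
		"/\\evil.example",
		"https://evil.example/",
	}
	for _, in := range samples {
		out, ok := SafeLocalRedirect(in)
		fmt.Printf("%-24q -> ok=%-5v target=%q\n", in, ok, out)
	}
}
```

With this check in place the value from the report, `redirect_to=%2f`, decodes to `/` and is accepted, while anything that would send the user off-site is dropped and the handler can fall back to the instance's home page.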
GiteaMirror added the issue/not-a-bug label 2025-11-02 11:12:59 -06:00

@DimaFantasy commented on GitHub (May 2, 2025):

Update:
After my previous message, the "Dangerous site" warning in Google Chrome disappeared! The login page is now accessible without any issues.

The problem no longer occurs when visiting the login page with the same URL.


@H0llyW00dzZ commented on GitHub (May 2, 2025):

I think it's because your domain 399221.ddns.net got flagged by Chrome, and it's not related to any bugs in this repo.

Reference: github-starred/gitea#14439