Problem

A mobile app that uses OIDC to authenticate users and a custom URI scheme to handle the redirect works fine on iOS, but in Chrome on Android a mixed-content error is observed.

Symptoms

The following error is observed in the browser network trace:

Mixed Content: The page at 'https://URL...' was loaded over a secure connection, but contains a form that targets an insecure endpoint '<Custom_URI>'. This endpoint should be made available over a secure connection.

Solution

The IntentBlockExternalFormRedirectsNoGesture setting exists in Chrome on Android, and the issue occurs when the redirect_uri is handled by the mobile app through an intent filter (see below). Chrome does not allow a form submission (form.submit) to reach a URI registered as an intent, even if the form is submitted with an HTTP GET.

...
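As an added example that is not part of the original page, a small JavaScript check that flags the redirect_uri and response_mode combination described under Solution; the function names, parameter names and defaults are assumptions for illustration:

```javascript
// Added example (not code from the original page): a configuration check for the
// OIDC redirect failure described above. Names below are assumptions.

// response_mode values in which the IdP returns the authorization response by
// auto-submitting an HTML form to redirect_uri (OIDC "form_post"); 'query' and
// 'fragment' are returned with an HTTP redirect and involve no form at all.
const FORM_DELIVERED_MODES = new Set(['form_post']);

// True for app-claimed schemes such as myapp:// or intent://, which on Android
// are routed to the app by an intent filter instead of being loaded by the browser.
function isCustomScheme(redirectUri) {
  const { protocol } = new URL(redirectUri);
  return protocol !== 'https:' && protocol !== 'http:';
}

// Classify how the authorization response reaches redirect_uri and whether that
// combination hits the Android Chrome behaviour the page describes:
//  - mixedContentForm: an https IdP page submits a form to a non-https target,
//    which is the "Mixed Content ... insecure endpoint" console error.
//  - blockedIfIntentRegistered: the form targets a custom scheme; Chrome on
//    Android will not hand a form submission to an intent filter
//    (IntentBlockExternalFormRedirectsNoGesture), whether the form uses GET or POST.
function checkRedirectDelivery({ redirectUri, responseMode = 'query' }) {
  const viaForm = FORM_DELIVERED_MODES.has(responseMode);
  const target = new URL(redirectUri);
  return {
    delivery: viaForm ? 'form' : 'redirect',
    mixedContentForm: viaForm && target.protocol !== 'https:',
    blockedIfIntentRegistered: viaForm && isCustomScheme(redirectUri),
  };
}
```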