Security: Mismatched security indicators while waiting for first-byte response
- Visit https://www.paypal.com
- Focus the address field, type in any website that is really slow to load (time-to-first-byte), and press Enter
- Click on the security indicator in the address field while the slow page is still doing its thing slowly
Expected:
- Address field shows the address of the loading page.
- The security indicator should either show the new page or be empty/insecure
Actual:
- Address field shows the address of the loading page.
- The security indicator shows the domains is www.paypal.com and you get PayPal’s certificate
This can also be reproduced by clicking on links, but it doesn’t happen every time. Not sure what the difference is.