Posts

Showing posts from June, 2017

Mixed content on logout from [merchants.google.com] - Duplicate

Summary: Mixed content on logout from merchants.google.com. Mixed content loads when the user logs out from https://merchants.google.com/ and is redirected to http://www.google.co.id/accounts/Logout2?ilo=1&ils=s.ID&ilc=0&continue=https://merchants.google.com/mc&zx=-2055164642

Steps to reproduce:
1. Sign in to https://merchants.google.com/
2. Log out.
3. Mixed content loads to http://www.google.co.id/accounts/Logout2?ilo=1&ils=s.ID&ilc=0&continue=https://merchants.google.com/mc&zx=-2055164642

Browser/OS: Mozilla

Video: https://youtu.be/85BtW_4PVzQ (unlisted)

Timeline: Google confirmed it, but it is a duplicate. Maybe next time I'll get the bounty :D, wish me luck!
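A check for the HTTPS-to-HTTP hop described in this report, as an added example that is not part of the original post. The redirect chain is constructed sample data: only the http://www.google.co.id URL comes from the report, while the first hop's path, the status codes and the final hop are assumptions.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

# URL quoted in the report above.
REPORTED_HTTP_URL = ("http://www.google.co.id/accounts/Logout2?ilo=1&ils=s.ID&ilc=0"
                     "&continue=https://merchants.google.com/mc&zx=-2055164642")

# Constructed redirect chain: (request URL, status code, Location header).
# "/logout-placeholder" is a hypothetical path, not the real logout endpoint.
CHAIN = [
    ("https://merchants.google.com/logout-placeholder", 302, REPORTED_HTTP_URL),
    (REPORTED_HTTP_URL, 302, "https://merchants.google.com/mc"),
    ("https://merchants.google.com/mc", 200, None),
]


def find_downgrades(chain):
    """Return every redirect hop that leaves HTTPS for plain HTTP."""
    findings = []
    for url, status, location in chain:
        if location is None or not 300 <= status < 400:
            continue  # not a redirect
        target = urljoin(url, location)  # Location may be relative
        src, dst = urlsplit(url), urlsplit(target)
        if src.scheme == "https" and dst.scheme == "http":
            findings.append({
                "from": url,
                "to": target,
                "host": dst.hostname,
                # Parameter names that would travel unencrypted on this hop.
                "cleartext_params": sorted(parse_qs(dst.query, keep_blank_values=True)),
            })
    return findings


if __name__ == "__main__":
    for f in find_downgrades(CHAIN):
        print("downgrade:", f["from"], "->", f["host"],
              "cleartext params:", ", ".join(f["cleartext_params"]))
```

Feeding it the hops recorded from a browser's network log or a proxy history gives a quick regression check that a logout flow stays on HTTPS end to end.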

[store.line.me] Still can change wishlist URL although wishlist is set to private

Summary: The wishlist URL can still be changed although the wishlist is set to private. Under normal conditions, when the URL is set to private, the user can't change the wishlist URL, but I found how to change the URL although the user has set the wishlist URL to private.

Steps to reproduce:
1. Log in to store.line.me
2. Go to wishlist -> setting.
3. Turn on Burp Suite -> catch the request when changing the URL.
4. Set the wishlist to private again.
5. Replay the request from step 3.

This is not eligible for a bounty; the LINE side says this is a bug, but not a security bug. This means I need to try to learn more and more. Hehehe, wish me luck.

Video: https://youtu.be/gyp3T7Cnw5c