From 3be77f10f09af0dbba6743c31eed36cdc40ac78a Mon Sep 17 00:00:00 2001 From: Johannes Passing Date: Fri, 8 Mar 2024 09:58:11 +1100 Subject: [PATCH] b/328541430 Document resolution for HSTS sign-in issues (#1316) Ref #1313 --- .../sources/docs/troubleshooting-signin.md | 35 ++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/doc/site/sources/docs/troubleshooting-signin.md b/doc/site/sources/docs/troubleshooting-signin.md index b183f4b7e..0c07c733e 100644 --- a/doc/site/sources/docs/troubleshooting-signin.md +++ b/doc/site/sources/docs/troubleshooting-signin.md @@ -59,4 +59,37 @@ As a Cloud Identity or Workspace administrator, you can fix this error by allow- !!!Note IAP Desktop doesn't use any [restricted API scopes :octicons-link-external-16:](https://support.google.com/cloud/answer/13464325). -1. On the **Review** page, confiirm your choice of settings and click **Finish**. \ No newline at end of file +1. On the **Review** page, confiirm your choice of settings and click **Finish**. + + + +## :material-message-alert: "This site can't provide a secure connection" + +**Symptom**: After completing the Google sign-in process, Chrome shows an error page: + +
+ This site can't provide a secure connection +
+ localhost sent an invalid response +

+ Try running Windows Network diagnostics. +

+ SSL_PROTOCOL_ERROR +
+ +This error indicates an [HTTP Strict Transport Security (HSTS) :octicons-link-external-16:](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) issue. + +You might have previously ran a web server on your local computer that instructed Chrome +to only accept HTTPS connections from `localhost` by setting an `Strict-Transport-Security` +header. This setting now prevents Chrome from passing the sign-in result back to IAP Desktop +over HTTP. + +You can fix this error by doing the following: + +1. In Chrome, navigate to `chrome://net-internals/#hsts` +1. Under **Delete domain security policies**, enter `localhost` and click **Delete**. + +Now try signing in again: + +1. On the IAP Desktop sign-in screen, click **Cancel sign-in**. +1. Click **Sign-in** to start a new sign-in attempt. \ No newline at end of file
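Review bot: In the new "This site can't provide a secure connection" section, the fix stops at deleting the HSTS entry for `localhost` and never says that the entry returns the next time the local web server that set `Strict-Transport-Security` is visited over HTTPS, so the sign-in error can recur. Consider adding a sentence after the **Delete** step telling the reader to stop sending that header for `localhost` on the local server. Wording in the explanation paragraph: "previously ran" should be "previously run", "an `Strict-Transport-Security`" should be "a `Strict-Transport-Security`", and "only accept HTTPS connections from `localhost`" would be more accurate as "only connect to `localhost` over HTTPS". The re-added **Review** step still carries the typo "confiirm", and the new last line again ends with "\ No newline at end of file" even though the hunk rewrites the previous last line to add the missing newline.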