Closed Bug 1234186 Opened 8 years ago Closed 8 years ago

Unified autocompletion "Visit" feature doesn't use https for https-only websites

Categories

(Firefox :: Address Bar, defect, P1)

43 Branch

Tracking


VERIFIED FIXED
Firefox 46
Tracking Status
firefox42 --- unaffected
firefox43 --- wontfix
firefox44 --- wontfix
firefox45 --- verified
firefox46 --- verified

People

(Reporter: ws.bugzilla, Assigned: mak)

Details

(Keywords: regression, Whiteboard: [fxsearch][unifiedcomplete])

Attachments

(1 file)

Much of our infrastructure is hosted on https-only sites that simply do not respond over insecure http. The new "Visit" feature in the location bar autocompletion doesn't work in this scenario: it takes you to http, which simply times out.

It is unlikely that we can add an insecure redirect just to accommodate this Firefox autocompletion oddity. The net effect is a degraded experience for Firefox users.
(In reply to Roman from comment #0)
> Much of our infrastructure is hosted on https-only sites that simply do not
> respond over insecure http. The new "Visit" feature in the location bar
> autocompletion doesn't work in this scenario: it takes you to http, which
> simply times out.

It is not a new feature; the previous versions were doing exactly the same, just that there was no entry. You can try: just type the same string and press Enter, and it will do the same.

> It is unlikely that we can add an insecure redirect just to accommodate this
> Firefox autocompletion oddity.

Autocomplete suggests what the user typed: if the user typed the http version it will suggest http, if he typed the https version it will suggest https. https has priority over http. In your case you likely entered a URL containing the non-secure version of the page and never entered an https URL to it, and thus it is just respecting what you did.

This is something that can happen with any autocomplete implementation, with other browsers and with previous versions of Firefox. If you want to enforce https you should use HSTS for the good of your users.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
(In reply to Marco Bonardo [::mak] from comment #1)
> it is not a new feature, the previous versions were doing exactly the same,
> just that there was no entry. You can try, just type the same string and
> press enter, it will do the same.

To clarify, I'm talking about the case where the https URL is already in the history. I did in fact test this and it did in fact work on Firefox 42: visit https://somesite.com, then type "some..." and press Enter. You will be taken to the https URL in Firefox 42, but not in Firefox 43.

> Autocomplete suggests what the user typed, if the user typed the http
> version it will suggest http, if he typed the https version it will suggest
> https. https has priority over http. In your case you likely entered an url
> containing non secure version of the page and never entered an https url to
> it, and thus it is just respecting what you did.

That's exactly the thing. It doesn't. It goes to http, even though my history contains https.

I'm going to reopen this on the basis of this misunderstanding.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
(Note that regardless of whether we have a bug or not, you should really use HSTS, since we can't protect your users from malicious third parties abusing the http part.)
I think that I can reproduce something like you are reporting, let me double check.
Assignee: nobody → mak77
(In reply to Marco Bonardo [::mak] from comment #3)
> Doesn't this work?

Nope. Thanks for looking at this Marco. I agree about HSTS; our current setup is far from ideal, I was just reporting what looks like a regression.
Flags: needinfo?(paolo.mozmail)
Flags: needinfo?(dolske)
Flags: needinfo?(adw)
Looks like there's also a regression in unified complete that I'm still investigating... so I'll likely have to move all the enhancement discussion elsewhere :(
Flags: needinfo?(past)
Flags: needinfo?(paolo.mozmail)
Flags: needinfo?(dolske)
Flags: needinfo?(adw)
Moved the enhancements to bug 1239708. Investigating the regression here.

STR:
1. Open a new profile
2. visit https://amazon.ca/
3. type "amaz" in the locationbar
4. the https version should be visited, instead the http version is visited
The bug is in EnterMatch: we basically no longer force the finalCompleteValue for the defaultIndex, because now we have an entry in the popup.

We no longer enter the "else if (shouldComplete) {" branch, because "if (selectedIndex >= 0) {" is now true.
In the first branch we fail both "if (!completeSelection || aIsPopupSelection) {" and "else if (mCompletedSelectionIndex != -1)", so nothing is reading the finalCompleteValue from the result.
Priority: -- → P1
Keywords: regression
Whiteboard: [fxsearch][unifiedcomplete]
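The control flow described in the comment above, as a simplified JavaScript model added here for illustration; it is not the Firefox source or the landed patch. Only the branch conditions come from the comment; the `fixup` helper, the state object and the `withRemedy` branch are assumptions.

```javascript
// Added model, not Firefox source. Names follow the identifiers quoted in the
// comment above; everything else (fixup, state shape) is an assumption.

// Constructed autofill result: history holds https://amazon.ca/, user typed "amaz".
// `value` is what the input shows, `finalCompleteValue` is what should be loaded.
const RESULTS = [{ value: "amazon.ca/", finalCompleteValue: "https://amazon.ca/" }];

// Stand-in for URI fixup: text without a scheme is loaded over http.
function fixup(text) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "http://" + text;
}

// Returns the URL that is loaded when Enter is pressed.
function enterMatch(s, withRemedy = false) {
  let value = null;
  if (s.selectedIndex >= 0) {
    if (!s.completeSelection || s.isPopupSelection) {
      value = RESULTS[s.selectedIndex].finalCompleteValue;
    } else if (s.completedSelectionIndex !== -1) {
      value = RESULTS[s.completedSelectionIndex].finalCompleteValue;
    } else if (withRemedy && s.shouldComplete) {
      // Assumed remedy (not the landed patch): still honour the default
      // match's finalCompleteValue when neither sub-branch above ran.
      value = RESULTS[s.selectedIndex].finalCompleteValue;
    }
    // Without the remedy, nothing reads finalCompleteValue on this path.
  } else if (s.shouldComplete) {
    value = RESULTS[s.defaultIndex].finalCompleteValue;
  }
  return fixup(value ?? s.inputText);
}

// Autofilled input text after typing "amaz" (constructed state).
const base = { inputText: "amazon.ca/", defaultIndex: 0, shouldComplete: true,
               completeSelection: true, isPopupSelection: false,
               completedSelectionIndex: -1 };

// No popup entry for the default match: the shouldComplete branch runs.
const noPopupEntry = { ...base, selectedIndex: -1 };
// The popup now has an entry for the default match: the regression path.
const popupEntry = { ...base, selectedIndex: 0 };

console.log(enterMatch(noPopupEntry));      // https, via shouldComplete
console.log(enterMatch(popupEntry));        // http, schemeless input text is fixed up
console.log(enterMatch(popupEntry, true));  // https, with the assumed remedy
```

A regression test for this class of bug asserts on the scheme of the URL that is finally loaded, not on the text shown in the input.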
Sigh, Try failures; this needs a little bit more work. To check:
toolkit/components/passwordmgr/test/test_basic_form_autocomplete.html
toolkit/components/passwordmgr/test/test_case_differences.html
toolkit/components/satchel/test/test_form_autocomplete.html
toolkit/components/satchel/test/test_popup_enter_event.html
toolkit/components/satchel/test/test_form_autocomplete_with_list.html
toolkit/content/tests/chrome/test_autocomplete_change_after_focus.html
toolkit/components/autocomplete/tests/unit/test_finalCompleteValue.js
[Tracking Requested - why for this release]:
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/31245/diff/1-2/
I'm triggering a new try run on mozreview.
OK, looks like this passes all the tests.
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw

https://reviewboard.mozilla.org/r/31245/#review28337
Attachment #8709077 - Flags: review?(adw) → review+
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw

Approval Request Comment
[Feature/regressing bug #]: Unified Complete
[User impact if declined]: Instead of suggesting the secure version of a website, autofill ends up suggesting the unsecure one.
[Describe test coverage new/current, TreeHerder]: unit-test
[Risks and why]: Risk should be limited by the fact the change is tiny and has decent test coverage
[String/UUID change made/needed]: none
Attachment #8709077 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/55dd1f2654bd
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Comment on attachment 8709077 [details]
MozReview Request: Bug 1234186 - Unified autocompletion Visit feature doesn't use https for https-only websites. r=adw

Fix a regression, has tests, taking it.
Attachment #8709077 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: qe-verify+
Verified as fixed using "https://example.com" and "https://amazon.ca/" on Firefox 45 beta 6 and latest Aurora 46.0a2 2016-02-17 under Win 7 64-bit, Ubuntu 14.04 64-bit and Mac OS X 10.9.5.
Status: RESOLVED → VERIFIED
Depends on: 1292310