Closed Bug 1401805 Opened 8 years ago Closed 4 years ago

HTTPS-only domain suggestions are copied as HTTP

Categories

(Firefox :: Address Bar, defect, P5)

57 Branch

RESOLVED WORKSFORME
Tracking Status
firefox57 --- affected

People

(Reporter: giul.mus, Unassigned)

Details

Steps to reproduce:

- Visit an HTTPS-only website, e.g. Mozilla.org. (With `curl -I http://mozilla.org`, you can verify that it redirects to the HTTPS version with HTTP 301 Moved Permanently).
- In a new tab, start typing "mozilla". The browser should autocomplete to "mozilla.org".
- Do not press Enter. Rather, select the domain and copy it to the clipboard, either with Ctrl+A Ctrl+C or manually (use the mouse to select the domain, right click, "Copy").
- Paste the contents of the clipboard somewhere.

Expected results: The clipboard contains https://mozilla.org/.

What happens instead: The clipboard contains http://mozilla.org/.

============

For domains that use simple redirection to HTTPS, this is a minor performance issue at best (whoever will click the link will have to wait for the redirect to complete), and a minor privacy/security issue at worst (potentially exposing whoever clicks the link to MITM and protocol downgrade); for sites that use HSTS, it is arguably a violation of the core principle of HSTS (forbid plaintext connections to avoid protocol downgrade attacks).

Confirmed with Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 ID:20170920220431

Status: UNCONFIRMED → NEW
Ever confirmed: true

What you typed is the scheme-less version of mozilla.org; since you didn't confirm the load, the browser doesn't know that it's an https-only domain. It's true we could track that internally, but I'm not sure where we are with that work (I think it was named Seer and became the Network Predictor). Regardless, it is a lot of additional work for a small benefit, since even if you load the scheme-less url, it will go to the secure version per remote settings.

Priority: -- → P5

This is still valid, since we could use the autofill result to set the protocol. Still not a priority.
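
The idea discussed above, using the autofill result to pick the scheme of the copied text, sketched as an added example. It is not Firefox code and not written by any commenter; it also generalizes to a list of known HSTS hosts, and the function names, entry shape and sample hosts are hypothetical.

```javascript
// Added illustration, not Firefox source. All names are hypothetical.

// Does a known HSTS entry cover `host`? An entry matches its own host, and
// its subdomains only when includeSubDomains was set (RFC 6797).
function hstsCovers(host, hstsEntries) {
  return hstsEntries.some(({ host: h, includeSubDomains }) =>
    host === h || (includeSubDomains && host.endsWith("." + h)));
}

// Decide what goes on the clipboard for text selected in the address bar.
//   typed       - selected text, e.g. "mozilla.org/"
//   autofill    - URL of the history entry behind the completion, or null
//   hstsEntries - list of {host, includeSubDomains}, lowercase hosts
function urlForClipboard(typed, autofill, hstsEntries) {
  // An explicit scheme typed by the user is left alone.
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(typed)) return typed;

  let guess;
  try {
    // Scheme-less text defaults to http, the behaviour the bug reports.
    guess = new URL("http://" + typed);
  } catch (e) {
    return typed; // not a URL at all: copy the text unchanged
  }
  const host = guess.hostname; // already lowercased by the URL parser

  // Upgrade only on evidence for this exact host: a visited https URL
  // behind the autofill match, or a known HSTS entry covering the host.
  let secure = false;
  if (autofill) {
    const hit = new URL(autofill);
    secure = hit.protocol === "https:" && hit.hostname === host;
  }
  if (!secure) secure = hstsCovers(host, hstsEntries);

  if (secure) guess.protocol = "https:";
  return guess.href;
}
```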

Hi, I think that this bug is no longer valid in the face of the latest changes on the browser. If I'm mistaken, please reopen it.
Regards, Flor.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME