Nightly is upgrading an insecure display request to using https, without the option to tell it not to, and without backing off to http again if https fails

RESOLVED FIXED in Firefox 60

Status

()

RESOLVED FIXED
a year ago
a year ago

People

(Reporter: pomax, Assigned: jkt)

Tracking

60 Branch
mozilla60
Points:
---

Firefox Tracking Flags

(firefox60 fixed)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
After firing up Nightly today, it appears that it now outside of user control force-upgrades at least some resource URLs from http to https, regardless of whether those URLs actually resolve. Additionally, the upgraded URL request does not show up in the dev tools networking tab, and so also does not allow any further debugging by me in the browser itself.

It would be very helpful if this there was a way to add exceptions for this behaviour, and at the very least have an about:config flag that can be found through google when searching "Nightly is upgrading an insecure display request" (there does not appear to be one, but that could also mean there is a flag but it's not easily discoverable) to turn this behaviour off when necessary.

I'm running into this on a ton of image boards that are themselves on https but use resource domains on http, so as a PoC: https://pomax.github.io/nightly-is-upgrading-an-insecure-display-request/

This will quite obviously fail, because there is no https equivalent to the http URL, and is a case where the browser is overbearing in its security behaviour without a way to tell it to stop doing that for the duration of a session.

Also made all the more problematic because instead of confronting users with https/http security concerns (which should go to the people running the site, not the users who have no adequate way of contacting them), this works fine in Chrome and Edge, so as a behaviour that might land into the main release this has the potential to drive normal users away again.

Comment 1

a year ago
I have run into this issue as well. 

Nightly is upgrading an insecure display request ‘[SOME_INSECURE_URL_HERE]’ to use ‘https’

And because the image does not exist at the new https address the image load fails.

I have found a quick work around to get by in the mean time.
Setting
  security.mixed_content.upgrade_display_content
to "true" allows images to load on sites I was previously having issues with

Of course full disclaimer modify security settings at your own risk and don't blame me when things go horribly wrong.

Cheers

Comment 2

a year ago
Sorry in my previous post I meant to say setting "security.mixed_content.upgrade_display_content" to "FALSE" allows things to work again for me
(Reporter)

Comment 3

a year ago
that's certainly one setting I wish I'd found on my own, and will be switching that to false, but it would be incredibly valuable to have some UI to turn that behaviour off per session, a la "Firefox is preventing this website from loading images over http. [OK] [add exception]" and then in the dialog for adding an exception off the "for this session", "permanently for this site", "disable entirely" options.
(Assignee)

Comment 4

a year ago
This is an experiment into how much this breaks pages.

See the announcement here https://groups.google.com/forum/#!topic/mozilla.dev.platform/xjZQq0kEauM
Blocks: 1435733

Comment 5

a year ago
Interesting. I will say for the most part this change only caused issues on community ran sites (i.e. mostly forums) for me.

Overall I do support the idea of trying to force everything to use HTTPS, but as Pomax said some sort of way to add exceptions, much like you can add exceptions for SSL certs, would be appreciated.
(Assignee)

Updated

a year ago
Assignee: nobody → jkt
Comment hidden (mozreview-request)

Comment 7

a year ago
mozreview-review
Comment on attachment 8954463 [details]
Bug 1440709 - Disabling mixed content upgrading for now.

https://reviewboard.mozilla.org/r/223534/#review229652
Attachment #8954463 - Flags: review?(ckerschb) → review+

Comment 8

a year ago
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/822867d9e176
Disabling mixed content upgrading for now. r=ckerschb

Comment 9

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/822867d9e176
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox60: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.