Closed Bug 1440709 Opened 6 years ago Closed 6 years ago

Nightly is upgrading an insecure display request to using https, without the option to tell it not to, and without backing off to http again if https fails

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
60 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox60 --- fixed

People

(Reporter: michiel, Assigned: jkt)

References

Details

Attachments

(1 file)

Bug 1440709 - Disabling mixed content upgrading for now.
59 bytes, text/x-review-board-request
ckerschb
: review+
Details 
After firing up Nightly today, it appears that it now outside of user control force-upgrades at least some resource URLs from http to https, regardless of whether those URLs actually resolve. Additionally, the upgraded URL request does not show up in the dev tools networking tab, and so also does not allow any further debugging by me in the browser itself.

It would be very helpful if this there was a way to add exceptions for this behaviour, and at the very least have an about:config flag that can be found through google when searching "Nightly is upgrading an insecure display request" (there does not appear to be one, but that could also mean there is a flag but it's not easily discoverable) to turn this behaviour off when necessary.

I'm running into this on a ton of image boards that are themselves on https but use resource domains on http, so as a PoC: https://pomax.github.io/nightly-is-upgrading-an-insecure-display-request/

This will quite obviously fail, because there is no https equivalent to the http URL, and is a case where the browser is overbearing in its security behaviour without a way to tell it to stop doing that for the duration of a session.

Also made all the more problematic because instead of confronting users with https/http security concerns (which should go to the people running the site, not the users who have no adequate way of contacting them), this works fine in Chrome and Edge, so as a behaviour that might land into the main release this has the potential to drive normal users away again.
I have run into this issue as well. 

Nightly is upgrading an insecure display request ‘[SOME_INSECURE_URL_HERE]’ to use ‘https’

And because the image does not exist at the new https address the image load fails.

I have found a quick work around to get by in the mean time.
Setting
  security.mixed_content.upgrade_display_content
to "true" allows images to load on sites I was previously having issues with

Of course full disclaimer modify security settings at your own risk and don't blame me when things go horribly wrong.

Cheers
Sorry in my previous post I meant to say setting "security.mixed_content.upgrade_display_content" to "FALSE" allows things to work again for me
that's certainly one setting I wish I'd found on my own, and will be switching that to false, but it would be incredibly valuable to have some UI to turn that behaviour off per session, a la "Firefox is preventing this website from loading images over http. [OK] [add exception]" and then in the dialog for adding an exception off the "for this session", "permanently for this site", "disable entirely" options.
This is an experiment into how much this breaks pages.

See the announcement here https://groups.google.com/forum/#!topic/mozilla.dev.platform/xjZQq0kEauM
Blocks: 1435733
Interesting. I will say for the most part this change only caused issues on community ran sites (i.e. mostly forums) for me.

Overall I do support the idea of trying to force everything to use HTTPS, but as Pomax said some sort of way to add exceptions, much like you can add exceptions for SSL certs, would be appreciated.
Assignee: nobody → jkt
Comment on attachment 8954463 [details]
Bug 1440709 - Disabling mixed content upgrading for now.

https://reviewboard.mozilla.org/r/223534/#review229652
Attachment #8954463 - Flags: review?(ckerschb) → review+
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/822867d9e176
Disabling mixed content upgrading for now. r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/822867d9e176
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: