Closed
Bug 1507515
Opened 6 years ago
Closed 6 years ago
Protocol is set http when missing in the url bar
Categories
(Firefox :: Address Bar, defect)
RESOLVED
DUPLICATE
of bug 1158191
People
(Reporter: f35531337, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Steps to reproduce:
Entered the url: "mywebsite.com" in the url bar
Actual results:
It auto-prepends the protocol "http://" to the entered url, giving: "http://mywebsite.com"
Expected results:
First check if "https://mywebsite.com" exists and has a valid cert, then use this uri.
Otherwise use "http://mywebsite.com".
This is to prevent a MITM attack during an http -> https redirect, when redirecting from a webserver with a "307 Temporary Redirect" or a "308 Permanent Redirect".
This is prevented on subsequent loads if HSTS is used. But an attacker can drop that header on the first http->https redirect.
Background information of this issue:
We want to disable http (port 80) on our web application servers. But our users will have to type "https://" explicitly in the url bar. And that will never happen.
Is it possible to change this? Or is there too much breakage to change this behaviour?
Updated•6 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Component: Untriaged → Address Bar
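The lookup order requested in the description (try https first, use it only if the certificate validates, otherwise fall back to http), as an added example that is not part of the bug report and is not Firefox code. The names `resolveTypedUrl`, `probeFromTable` and `SAMPLE_PROBES`, the `.test` hostnames and the probe results are assumptions made for the illustration; a real implementation would replace the table with an actual TLS connection attempt.

```javascript
// Constructed probe results standing in for a real TLS connection attempt:
// did port 443 answer, and did the certificate validate for that hostname?
const SAMPLE_PROBES = new Map([
  ["mywebsite.com", { reachable: true, certValid: true }],
  ["selfsigned.test", { reachable: true, certValid: false }],
  ["legacy.test", { reachable: false, certValid: false }],
]);

// Hypothetical helper: turns the table into a probe callback.
function probeFromTable(table) {
  return (host) => table.get(host) || { reachable: false, certValid: false };
}

// Decide which URL to load for text typed into an address bar.
function resolveTypedUrl(input, probeHttps) {
  const typed = input.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(typed);
  let httpsUrl;
  try {
    // An explicit scheme is the user's choice and is never rewritten.
    if (hasScheme) return { url: new URL(typed).href, reason: "explicit-scheme" };
    httpsUrl = new URL("https://" + typed);
  } catch (e) {
    return { url: null, reason: "not-a-url" }; // e.g. a search phrase
  }
  const result = probeHttps(httpsUrl.hostname);
  if (result.reachable && result.certValid) {
    // No plain-HTTP request is sent, so there is no redirect to tamper with.
    return { url: httpsUrl.href, reason: "https-verified" };
  }
  // Fallback keeps HTTP-only sites working; this load is still plain HTTP.
  return {
    url: new URL("http://" + typed).href,
    reason: result.reachable ? "https-cert-invalid" : "https-unreachable",
  };
}

// Stand-alone demonstration over the constructed hosts.
for (const typed of ["mywebsite.com", "selfsigned.test", "legacy.test:8080/app"]) {
  console.log(typed, "->", resolveTypedUrl(typed, probeFromTable(SAMPLE_PROBES)));
}
```

The `reason` field makes the fallback visible, so a caller can log or warn whenever a typed host ends up on plain HTTP.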