Closed Bug 1601408 Opened 5 years ago Closed 4 years ago

Enable security.mixed_content.upgrade_display_content (Upgrade all mixed content to https)

Categories: Core :: Security, enhancement, P3

Status: RESOLVED DUPLICATE of bug 1633743
Webcompat Priority: ?

People: Reporter: jan, Unassigned

References: Blocks 2 open bugs

Details: Keywords: nightly-community, parity-chrome, privacy

https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Chrome 81 will upgrade all mixed content to https. Firefox should do it, too.

https://chromiumdash.appspot.com/schedule
Chrome's 81 cycle begins this month; feature freeze will be 2019-01-17. It will become Beta 2020-02-13 and be released 2020-03-17.
https://wiki.mozilla.org/Release_Management/Calendar
Nightly 74: 2020-01-06, Beta 74: 2020-02-10, Stable 74: 2020-03-10.

As long as this is implemented in a way that allows for automatic fallback if the content request that was upgraded is not available over https, or users are given the option to "white-list" domains/URLs so that upgrades are not performed. I still see lots of passive content served over http without the option of https, and it would be annoying if all of that broke... again.

If you visit an https:// site, http:// resources would then be fetched via https://, or otherwise fail to load. Your concern could be a strong argument to withhold this from going into release by one or two versions, until server administrators have fixed their https setup. Then you could still manually turn this privacy feature off in about:config.

Chrome Blog:

Users will be able to enable a setting to opt out of mixed content blocking on particular websites

It seems you cannot whitelist such sites at the moment as this option is not present: https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox#w_unblock-mixed-content

The current implementation upgrades subresources to https before mixed content blocking kicks in.
Are you intending to keep the current implementation, or to replace actual blocking with upgrading to keep the mixed content blocking opt-out UI (though without showing a yellow triangle anymore)?

Flags: needinfo?(jkt)
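To make the behaviour under discussion concrete, here is an added illustrative model (not Firefox's or Chrome's code, and not posted by anyone in this bug) of how an https:// page's http:// subresource requests are resolved with and without upgrading of display content. The `resolveMixedContent` and `loadSubresource` functions, the `prefs.upgradeDisplayContent` flag standing in for security.mixed_content.upgrade_display_content, and the sample hosts (`shop.example`, `cdn.example`, `images.example`) are assumptions made for the example. It also models the point raised above: an upgraded load that is not served over https simply fails, with no fallback to http://.

```javascript
// Added example (illustrative, not Firefox's or Chrome's implementation):
// how an https:// document's http:// subresource requests are resolved
// with and without upgrading of display content.

// Display (passive) content is what the Mixed Content spec calls
// "upgradeable"; everything else (scripts, frames, fetch/XHR, ...) is
// "blockable" and is blocked regardless of the upgrade setting.
const DISPLAY_CONTENT = new Set(["img", "audio", "video"]);

// Decide what to do with one subresource request. `kind` is the requesting
// element or API ("img", "script", ...). `prefs.upgradeDisplayContent`
// stands in for security.mixed_content.upgrade_display_content (assumed
// name for this example, not a real API).
function resolveMixedContent(pageUrl, resourceUrl, kind, prefs) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);

  // Mixed content only arises for http:// loads inside an https:// document.
  if (page.protocol !== "https:" || res.protocol !== "http:") {
    return { action: "load", url: res.href };
  }

  if (DISPLAY_CONTENT.has(kind)) {
    if (prefs.upgradeDisplayContent) {
      // Rewrite the scheme in place. A non-default port (e.g. :8443) is
      // kept; an explicit :80 was already dropped by the parser as the
      // default port for http.
      res.protocol = "https:";
      return { action: "upgrade", url: res.href };
    }
    // Legacy behaviour: passive content loads, but the page gets a warning
    // indicator (the "yellow triangle" mentioned in the thread).
    return { action: "load-with-warning", url: res.href };
  }

  // Active mixed content is blocked outright either way.
  return { action: "block", url: null };
}

// Simulate the load against a constructed "internet": a Set of URLs that
// actually respond. An upgraded load whose https:// URL does not answer
// fails; there is deliberately no fallback to http://, which is exactly
// why the feature breaks sites whose https setup is broken or absent.
function loadSubresource(pageUrl, resourceUrl, kind, prefs, reachable) {
  const decision = resolveMixedContent(pageUrl, resourceUrl, kind, prefs);
  if (decision.action === "block") return { ...decision, status: "blocked" };
  const status = reachable.has(decision.url) ? "ok" : "failed";
  return { ...decision, status };
}

// Constructed sample data; these are not real hosts or configurations.
const REACHABLE = new Set([
  "http://images.example/logo.png",        // http only: breaks under upgrading
  "http://cdn.example/banner.jpg",         // served on both schemes
  "https://cdn.example/banner.jpg",
  "http://cdn.example:8443/video.mp4",     // non-default port on both schemes
  "https://cdn.example:8443/video.mp4",
]);

const PAGE = "https://shop.example/checkout";
const PREFS_ON = { upgradeDisplayContent: true };
const PREFS_OFF = { upgradeDisplayContent: false };

// Run the representative cases and return the outcomes.
function demo() {
  return [
    loadSubresource(PAGE, "http://cdn.example/banner.jpg", "img", PREFS_ON, REACHABLE),
    loadSubresource(PAGE, "http://images.example/logo.png", "img", PREFS_ON, REACHABLE),
    loadSubresource(PAGE, "http://images.example/logo.png", "img", PREFS_OFF, REACHABLE),
    loadSubresource(PAGE, "http://cdn.example:8443/video.mp4", "video", PREFS_ON, REACHABLE),
    loadSubresource(PAGE, "http://cdn.example/tracker.js", "script", PREFS_ON, REACHABLE),
  ];
}

for (const result of demo()) console.log(result);
```

Running it shows the second case (an image host that never set up https) ending in `failed` with the pref on, but `ok` with a warning with the pref off; the script case is blocked in both configurations.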

We don't have immediate plans for implementing this at the moment. We may re-address this in the new year. I suspect that we would want to also add in the exemption UI much as we have for mixed content.

Flags: needinfo?(jkt)

I'm surprised we didn't already have this bug filed. We've certainly discussed this--amongst ourselves and in the standards group that wrote the mixed-content-blocking spec--and are actively watching the results of Chrome's experiments. Our current impression is that it will break too much stuff, and we're not keen to add a fallback. We've experimented with fallback and the experience sucks -- you have to wait for the original request to time out before you try the load that's going to work.

Anyway, the engineering work is relatively simple: we already have a pref because we've experimented with it. The hard part is knowing when we could do it without causing a user revolt.

Type: task → enhancement
Priority: -- → P3
Summary: Enable security.mixed_content.upgrade_display_content with Nightly 73 or 74. (Upgrade all mixed content to https) → Enable security.mixed_content.upgrade_display_content (Upgrade all mixed content to https)

I have found a bug? Sometimes when searching startpage.com with this setting enabled it won't return any results and the page shows this error message: "Startpage.com has encountered an error. Please try again. Many thanks for your patience and understanding. "

Anyway, Chrome 81 has been released with this feature.

"Autoupgrade Image Mixed Content" is getting enabled in Chrome 84, after being through trials/experiments: https://blog.chromium.org/2020/05/chrome-84-beta-web-otp-web-animations.html?m=1

Webcompat Priority: --- → ?

In the latest version of Chrome Canary (at least on my Windows 10 machine) I can confirm that this change is already deployed. If you go to https://www.bennish.net/mixed-content.html while running Canary, all mixed content is autoupgraded to HTTPS without fallback (hence blocked). This includes not only images but audio and video as well.

security.mixed_content.upgrade_display_content was enabled in Nightly by bug 1633743, so I think you can mark this as a duplicate of that bug.

Bug 1672106 was filed to enable the pref for release.

Flags: needinfo?(dveditz)

Yes, I would consider this as fixed. Thank you :)

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE