Closed Bug 1620242 Opened 25 days ago Closed 12 days ago

HTTPS Only Mode - Basic implementation

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla76
Tracking Status
firefox76 --- fixed

People

(Reporter: julianwels, Assigned: julianwels)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Basic implementation of the HTTPS Only Mode, which upgrades all insecure requests to https:// when a pref is set.

Should contain:

  • Basic upgrade behind a pref
  • Upgrade tests for requests, sub-resources, and redirects.
  • Logging to console

Meta Bug 1613063

Blocks: 1620244
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by rgurzau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/46dfbb4de902
Basic implementation for HTTPS Only Mode. r=ckerschb,mixedpuppy

Ah, good that we have that test, this is a problem indeed. Probably we should add a test for CSP frame-ancestors in combination with upgrade-insecure-requests as well to avoid that problem.

For XFO specifically we have to update code here:
https://searchfox.org/mozilla-central/rev/fb3b0075d1a9c4dafbdf339b835d462b5ae55a0e/dom/security/FramingChecker.cpp#137

This test failure didn't seem related to this revision and I could not reproduce it locally either.
Made another try-run where the test didn't fail, so added Check-in Needed again.

Flags: needinfo?(julianwels)
Pushed by aiakab@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/21f62488a5b5
Basic implementation for HTTPS Only Mode. r=ckerschb,mixedpuppy
Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f6d98a73d50a
Basic implementation for HTTPS Only Mode. r=ckerschb,mixedpuppy
Status: ASSIGNED → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Flags: needinfo?(julianwels)