Introduce a browser.urlbar.default-to-https pref
Categories
(Firefox :: Address Bar, task, P3)
Tracking
()
People
(Reporter: robwu, Unassigned)
Details
(Keywords: parity-chrome, sec-want)
There is current active work to experiment with a https only mode (bug 1613063), which works by upgrading insecure requests where possible (bug 1620242).
These changes operate at a low layer and aren't visible to the UI, however: When I type example.com, autocomplete still suggests http://example.com/, and the urlbar clearly shows the attempt to load http://example.com when I press Enter (set browser.urlbar.trimURLs=false via about:config to see the scheme). The navigation will eventually end up at https, but this is not obvious to the user.
I'd like to have a preference to default to https instead of http. Whether the load is going to succeed or not is not a concern; that can be handled as part of bug 1613063.
For the past five years I have used this behavior with patches for Chromium and extensions for Firefox and from a usability perspective this wasn't too bad. The usability actually went down when I had to hook up at the request level (and thus not know whether the user specified a scheme or not) instead of the UI level when support for legacy add-ons were dropped in Firefox 57.
|
||
Updated•4 years ago
|
|
||
Comment 1•4 years ago
|
||
(In reply to Rob Wu [:robwu] from comment #0)
I'd like to have a preference to default to https instead of http. Whether the load is going to succeed or not is not a concern; that can be handled as part of bug 1613063.
Do you mean a user-facing preference or just a way to tell the urlbar to default to https from another part of Firefox?
|
|
||
Comment 2•4 years ago
|
||
https://searchfox.org/mozilla-central/rev/9120151ddb35f2d4c37bfe613a54a4f10a9a3dc5/docshell/base/URIFixup.jsm#698 should be set to "https" if a new pref called browser.urlbar.default-to-https was manually set to true on about:config.
The default-to-https behavior could be tested by typing neverssl.com into the address bar: Then, the first suggestion is "https://neverssl.com -- Visit". If you press enter, https://neverssl.com is opened. If you want http, then you have to type http://neverssl.com. Mozilla Servo has this behavior already.
|
|
||
Comment 3•4 years ago
•
|
||
This would be the first of two steps.
As browser.urlbar.trimURLs is true, you would type in http://neverssl.com, but "neverssl.com" is shown after pressing enter. If you then edit the path and press enter, you would try to open "neverssl.com/path", hence it would be https://neverssl.com/path. That's a temporary unsoundness, but also self-bullying into https.
("hstspreload.org" would open https://hstspreload.org/ and editing the path does not change the protocol.)
This unsoundness would be fixed by bug 1067293: The protocol of http://neverssl.com/ would not be hidden by browser.urlbar.trimURLs if browser.urlbar.default-to-https is true. You could edit http://neverssl.com/ to http://neverssl.com/path or hstspreload.org to hstspreload.org/path.
bug 1067293 should also imply security.insecure_connection_text.enabled if browser.urlbar.default-to-https is true. (Highlight danger instead of security. That's why the EV bar was removed. The padlock is enough for https.)
|
||
Comment 4•4 years ago
|
||
P3 for now, it sounds like a good starting point for a soft release, there's many code points and tests to adapt before it could be flipped for everyone.
|
|
||
Updated•4 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 5•11 months ago
|
||
Hi there Frederick, do you think this preference is necessary or if it'll be handled by the work you're doing?
|
||
Comment 6•11 months ago
|
||
I think this one can be duplicated against bug 1812192
|
|
||
Comment 7•11 months ago
|
||
Makes sense as in the WIP patch, it looks like you're creating dom.security.https_first_schemeless.
|
||
Updated•8 months ago
|
Description
•