Closed Bug 1642387 Opened 5 years ago Closed 5 years ago

Avoid timeouts within HTTPS-Only Mode by sending background http request

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox81 --- fixed

People

(Reporter: arthur, Assigned: ckerschb)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active][tor-P1])

Attachments

(3 files)

Screen Shot 2020-06-01 at 9.58.41 AM.png
139.73 KB, image/png
Details
Bug 1642387: Prevent HTTPS-Only timeouts by sending http request in the background with a 3000ms delay. If that http request returns before the upgraded request, it's an indicator the https request will result in a timeout and we show the error...
47 bytes, text/x-phabricator-request
Details | Review
Bug 1642387: Prevent HTTPS-Only timeouts tests.
47 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

  1. Set dom.security.https_only_mode to true
  2. Enter "people.cn" in the URL bar

Actual results:
The browser waits for 90 seconds and then shows the "Secure Connection Unavailable" error page, with a "Timed Out" status bar message. During this time, the user can get the impression that the website isn't working at all.

Desired results:
The browser rapidly shows the "Secure Connection Unavailable" error page. If that isn't possible, then a non-blocking notification bar or doorhanger that gives the user an option to "Accept the Risk and Continue to Site" before waiting the full 90 seconds.

Hi Arthur,
thanks for opening this bug! I'll look into fixing this ^^

Assignee: nobody → julianwels
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]

Thanks, Julian!

Another website with the same behavior:
moonlander.seb.ly

The severity field is not set for this bug.
:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ckerschb)
Severity: -- → S3
Flags: needinfo?(ckerschb)

I assume websites like this are not responding at all to HTTPS requests. One idea for fixing this failure mode might be: if no response is received from an upgraded HTTPS connection attempt after 500 ms (or similar timeout), send an HTTP request in the background. If we then receive an HTTP response before any HTTPS response, show the HTTPS Only Mode error page.

Another site:
http://speedofanimals.com

Another site:
http://randomwalker.info

Summary: Loading people.cn stalls with https_only_mode → Loading some domains stall with https_only_mode
Assignee: julianwels → ckerschb
Summary: Loading some domains stall with https_only_mode → Avoid timeouts within HTTPS-Only Mode by sending background http request
Blocks: 1658266
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/5349b1df5595 Prevent HTTPS-Only timeouts tests. r=JulianWels https://hg.mozilla.org/integration/autoland/rev/f09be3d0ab1b Prevent HTTPS-Only timeouts by sending http request in the background with a 500ms delay. If that http request returns before the upgraded request, it's an indicator the https request will result in a timeout and we show the error... r=mattwoodrow,dragana,JulianWels

(In reply to Razvan Maries from comment #11)

Backed out for perma failures.

Huh, is that really a perma failure? I can't imagine because it works locally on mac and linux. Currently I can't reproduce the problem. I'll see what I can do here.

Flags: needinfo?(ckerschb)
Attachment #9166852 - Attachment description: Bug 1642387: Prevent HTTPS-Only timeouts by sending http request in the background with a 500ms delay. If that http request returns before the upgraded request, it's an indicator the https request will result in a timeout and we show the error... → Bug 1642387: Prevent HTTPS-Only timeouts by sending http request in the background with a 3000ms delay. If that http request returns before the upgraded request, it's an indicator the https request will result in a timeout and we show the error...
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/d31509a36f35 Prevent HTTPS-Only timeouts tests. r=JulianWels https://hg.mozilla.org/integration/autoland/rev/863cf62af994 Prevent HTTPS-Only timeouts by sending http request in the background with a 3000ms delay. If that http request returns before the upgraded request, it's an indicator the https request will result in a timeout and we show the error... r=mattwoodrow,dragana,JulianWels

https://hg.mozilla.org/mozilla-central/rev/d31509a36f35
https://hg.mozilla.org/mozilla-central/rev/863cf62af994

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Whiteboard: [domsecurity-active] → [domsecurity-active][tor-P1]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: