Open Bug 1647033 Opened 5 years ago Updated 1 year ago

Redirects to different subdomains can cause multiple error pages in https only mode

Categories

(Core :: DOM: Security, defect, P3)

People

(Reporter: arthur, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 obsolete file)

To reproduce:

  1. Set dom.security.https_only_mode to true
  2. Go to http://neverssl.com

Results:

  1. We see an error page for https://neverssl.com/
  2. After clicking "continue" we then see an error page for https://kbcnhfdlmzrwsvxt.neverssl.com/online
  3. After clicking "continue" a second time, we see the content of the site.

Expected results:
We should expect to see only one error page.

Possible solution: index the https-only-mode whitelist to eTLD+1.

Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Summary: Redirects can cause multiple error messages in https only mode → Redirects to different subdomains can cause multiple error pages in https only mode
Assignee: nobody → mjurgens
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]

After talking to Freddy about this again, we have decided to leave this as it is right now, because setting the exceptions to the eTLD+1 would introduce a lot of new problems and edge cases as we would probably still want to keep the per-origin exceptions, and even undesirable behaviour with regard to setting an exception for the whole site, while the user only wants it for the subdomain. Still leaving this open, as those multiple HTTPS-Only error pages are still an annoyance.

Assignee: mjurgens → nobody
Status: ASSIGNED → NEW
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Attachment #9352471 - Attachment is obsolete: true
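
The trade-off discussed in this bug, as a toy model added here for illustration (it is not Firefox code): exceptions keyed per host reproduce the two error pages, while exceptions keyed per site show one page but also exempt sibling subdomains. Assumptions: `siteKey` approximates eTLD+1 as the last two host labels (a real implementation needs the Public Suffix List), hosts stand in for origins, and `login.neverssl.com` is a constructed host name.

```javascript
// Toy model of HTTPS-Only exceptions; names and logic are illustrative only.

// ASSUMPTION: eTLD+1 approximated as the last two labels of the host.
function siteKey(host) {
  return host.split(".").slice(-2).join(".");
}

// Per-host key, standing in for the per-origin exceptions in the discussion.
function hostKey(host) {
  return host;
}

// Walk a chain of hosts that each fail the HTTPS upgrade. Every host whose
// key has no exception yet costs one error page; clicking "continue" stores
// an exception under that key.
function errorPages(chain, keyOf) {
  const exceptions = new Set();
  let pages = 0;
  for (const host of chain) {
    const key = keyOf(host);
    if (!exceptions.has(key)) {
      pages += 1;
      exceptions.add(key);
    }
  }
  return { pages, exceptions };
}

// Would a later HTTP load of `host` skip the upgrade without asking the user?
function isExempt(host, exceptions, keyOf) {
  return exceptions.has(keyOf(host));
}

// Hosts from the reproduction steps: the site, then its redirect target.
const chain = ["neverssl.com", "kbcnhfdlmzrwsvxt.neverssl.com"];
const perHost = errorPages(chain, hostKey);
const perSite = errorPages(chain, siteKey);

console.log("per-host error pages:", perHost.pages);
console.log("per-site error pages:", perSite.pages);

// Constructed sibling subdomain the user never visited or approved.
const sibling = "login.neverssl.com";
console.log("sibling exempt (per-host):", isExempt(sibling, perHost.exceptions, hostKey));
console.log("sibling exempt (per-site):", isExempt(sibling, perSite.exceptions, siteKey));
```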