Open Bug 1653898 Opened 2 years ago Updated 7 months ago

Sometimes HTTPS Only Mode works if you add "www"


(Core :: DOM: Security, enhancement, P3)





(Reporter: arthur, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [domsecurity-backlog1]) is an example. With HTTPS-Only Mode enabled, if I enter
in the address bar then we experience a long timeout (90s). But if I enter
then it upgrades to and the site immediately loads.

Here's an idea to fix this problem: if the browser is trying to load an HTTP URL with domain "foo.example" and that is failing to upgrade, could we try "" in the background?

(This behavior could be controlled by the existing prefs
browser.fixup.alternate.enabled and browser.fixup.alternate.prefix.)

Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

FWIW, the approach for fixing this is problem is very similar to Bug 1658924. In detail what we would need to do is:

  • Within DocumentLoadistener::Cancel() check if the error is an https-only-error, if so, we could then
  • call something similar to MaybeHandleLoadErrorWithURIFixup where we would take the current URI and add www and instead of actually cancelling the load we would call bc->LoadURI(newURIWIthwwwAdded)
  • if that load then fails we would go back to displaying the error page as we would have done in the first place.

Downside here is that that we would increase load time before displaying an error page. Consider the following example:

  • User wants to visit -> connection would time out, so 3 seconds (+ roundtrip time) our shortening approach would call ::Cancel()
  • The mechanism in this bug detects there is no www so we would add that and start the load again
  • Again 3 seconds later (+ roundtrip time from the background channel) we would detect that adding www also doesn't allow to connect using https.
  • Finally we display the error page but the user has already waited for more than 6 seconds.
See Also: → 1665057

I was made aware that Firefox already supports redirecting to www, even though currently behind a pref, the Bug implementing that is Bug 1617987. I haven't tested if it works with HTTPS feature enabled, but it's probably wise doing before moving foward with this bug. It seems the pref is security.bad_cert_domain_error.url_fix_enabled.

Also, to add to the downsides, the error page will be for instead of, which might cause other issues.

Duplicate of this bug: 1682231

Another example of this:

Duplicate of this bug: 1684735
Duplicate of this bug: 1709540

I think that this is down to different redirect behaviour on the different domains. is another example. That works, but does not, unless you disable HTTPS-Only.

You need to log in before you can comment on or make changes to this bug.