Closed Bug 1655329 Opened 4 years ago Closed 4 years ago

[HTTPS-Only Mode] IP address handling

Categories

(Core :: DOM: Security, enhancement, P3)

80 Branch
enhancement

RESOLVED WONTFIX

People

(Reporter: zorroguevara, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

  1. Go to some IP address (not 192.168.x.x)
  2. Firefox will block it and ask if you want to allow HTTP

Actual results:

Firefox gave a warning about HTTP.

Expected results:

An option should be added to not give that warning for IP addresses. Why? Because it slows down some pages providing download files via an HTTP address.

I can't really give a real example for the download part (I have two examples, one professional and one I'd rather give by PM).

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Networking
Product: Firefox → Core

Reporter, can you please be more specific with the steps to reproduce and explain a bit more what e.g. the settings and Firefox version you reproduce this with are? The HTTPS-Only Mode tag in the bug title doesn't say much, as well as "warning about HTTP" is not very specific.

Thanks.

Flags: needinfo?(zorroguevara)

(In reply to Honza Bambas (:mayhemer) from comment #2)

Reporter, can you please be more specific with the steps to reproduce and explain a bit more what e.g. the settings and Firefox version you reproduce this with are? The HTTPS-Only Mode tag in the bug title doesn't say much, as well as "warning about HTTP" is not very specific.

Thanks.

Of course.

  1. Latest Nightly (81.0a1), I update daily.
  2. Go to about:preferences#privacy and activate the HTTPS-Only Mode on all the windows (not just private, though it doesn't matter)

Go to: https://37.187.20.239/ (if you want to know what's in it before: https://old.reddit.com/r/opendirectories/comments/i2oc2e/the_simp_and_sons_latin_spanish_t1_to_t21/)

You'll end up with a warning because this is not a secure HTTPS connection. I wish an option would make ALL IP addresses not show that warning.

Why? Because

  1. It takes a bit longer to load the page; I checked with HTTPS-Only Mode disabled and it's faster to load.
  2. IP addresses are HTTP in the first place, so we can't have HTTPS
  3. This option already exists: 192.168.x.x doesn't get the warning message
  4. Last but not least: you would say 'just allow it yourself'. Indeed that could work, but on some websites there are multiple IP addresses (mostly to request downloading something), so I would need to allow a lot of IP addresses to not have that message. Because I will go from 0.0.0.0 (landing page) to 1.1.1.1 (article x) to 2.2.2.2 (requesting a .zip for download located at another IP address)

Flags: needinfo?(zorroguevara)

Hi Julian, could you take a look?
Thanks.

Flags: needinfo?(julianwels)
Component: Networking → DOM: Security

(In reply to Kershaw Chang [:kershaw] from comment #4)

Thanks for Reporting - we can consider adding an exception for IP addresses. Gotta have to put this one in the backlog for now though because we have to finish some other usability problems first.

Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Flags: needinfo?(julianwels)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #5)

(In reply to Kershaw Chang [:kershaw] from comment #4)

Thanks for Reporting - we can consider adding an exception for IP addresses. Gotta have to put this one in the backlog for now though because we have to finish some other usability problems first.

Thank you! It's not very critical, it's more a matter of 'ease of life' feature, so it can wait :)

After thinking about it and some discussions I'm closing this because the use case seems too narrow to implement it right now.

For the specific issue you mentioned, I'd suggest to just disable HTTPS-Only Mode while doing the downloads and then enable it again later :)

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX

I'm really not satisfied with that. I don't see the point of forcing HTTPS on IP servers; more often than not they don't have HTTPS. Like I said before, 192.168.x.x doesn't have that problem.

Anyway, I can't code it myself (no knowledge) so it's all up to y'all. Thank you anyway for thinking about implementing it.
