Closed Bug 1656027 Opened 5 years ago Closed 5 years ago

Incorrect icon for whitelisted site in HTTPS Only Mode

Categories

(Firefox :: Site Identity, defect, P3)

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- fixed

People

(Reporter: julianwels, Assigned: julianwels)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Attachments

(1 file)

This bug was initially created as a clone of Bug #1647336, which fixed another issue.

But in the meantime, I was able to track down what is happening.

How to reproduce: Enable HTTPS-Only mode (HOM), visit http://http-login.badssl.com/, and click on "Accept the risk and continue".

Result: The address-bar icon says the website is a local resource.
Expected Results: A "disabled lock" icon should be shown when we are on the content page.


Why is this happening, but not always?

Usually, when a user visits a website like http://foo.com, HOM upgrades the connection and URI to https://foo.com. If the error-page shows up, the URI of the page remains https://foo.com and when they click on the "Accept the risk and continue" they get redirected to the HTTP-Version.

Sometimes, websites have a valid certificate to redirect users back to the HTTP version which causes a redirect loop. The error page shows up again, but the URI will be http://foo.com (because the loop ends on an uneven number). When the user now clicks on "Accept the risk and continue" they, again, get redirected to the HTTP-page. But because the URI spec of the error page and the loaded page are the same, part of the UI code determines to only "refresh the IdentityBlock" instead of "updating it".

When the IdentityBlock is only "refreshed", the code doesn't check that we left the secure context of the error page and entered the insecure context of the actual site. That's why the wrong icon shows up.

Set release status flags based on info from the regressing bug 1570678

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/796a95f974b6
Added cached property 'isSecureContext' as an additional condition when the security UI should be updated. r=pbz
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Flags: qe-verify+
Has Regression Range: --- → yes
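
The update-versus-refresh decision described in this bug, and the effect of also comparing a cached isSecureContext value, as an added example that is not Firefox's code. The class, function and icon names are hypothetical, the page sequences are constructed, and treating "local-resource" as the error page's icon state is an assumption.

```javascript
// Simplified model of the decision described in this bug. All names are
// hypothetical; this is not Firefox's source.
function iconFor(page) {
  if (page.isErrorPage) return "local-resource"; // assumption: error page state
  return page.spec.startsWith("https:") ? "lock" : "disabled-lock";
}

class IdentityBlockModel {
  constructor(compareSecureContext) {
    this.compareSecureContext = compareSecureContext; // true = with the fix
    this.spec = null;
    this.isSecureContext = null;
    this.icon = null;
  }

  // Returns "update" when the icon is recomputed, "refresh" when the
  // cached state is reused.
  show(page) {
    const specChanged = page.spec !== this.spec;
    const contextChanged =
      this.compareSecureContext && page.isSecureContext !== this.isSecureContext;
    if (!specChanged && !contextChanged) return "refresh";
    this.spec = page.spec;
    this.isSecureContext = page.isSecureContext;
    this.icon = iconFor(page);
    return "update";
  }
}

function replay(pages, compareSecureContext) {
  const block = new IdentityBlockModel(compareSecureContext);
  const actions = pages.map((p) => block.show(p));
  return { actions, icon: block.icon };
}

// Constructed sequences: error page, then the page loaded after the click.
const usualCase = [
  { spec: "https://foo.com/", isSecureContext: true, isErrorPage: true },
  { spec: "http://foo.com/", isSecureContext: false, isErrorPage: false },
];
const redirectLoop = [
  { spec: "http://foo.com/", isSecureContext: true, isErrorPage: true },
  { spec: "http://foo.com/", isSecureContext: false, isErrorPage: false },
];

console.log(replay(usualCase, false));    // spec differs: icon recomputed
console.log(replay(redirectLoop, false)); // same spec: stale icon kept
console.log(replay(redirectLoop, true));  // context differs: icon recomputed
```

A regression test for this class of bug needs the redirect-loop sequence; the usual case passes with or without the extra condition.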