Closed Bug 1657891 Opened 4 years ago Closed 4 years ago

Avoid HTTPS-Only upgrades in case AltSvc record is present

Categories: Core :: DOM: Security, defect, P1

Status: RESOLVED INVALID

People: Reporter: ckerschb, Assigned: ckerschb

References: Blocks 1 open bug

Details: Whiteboard: [domsecurity-active]

Currently we upgrade all requests from http to https, though we should not upgrade http requests in case there is an AltSvc record which opportunistically encrypts the connection.

Whiteboard: [domsecurity-backlog1]
No longer depends on: 1652655
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P2 → P1
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]

I discussed things with Dragana today which renders this bug as INVALID. In detail, the flow would look like the following:

  • User enters http://foo.com in the address bar
  • HOM tries to upgrade to https
  • load would encounter an error (or timeout) and we would display an exception page allowing the user to load using HTTP
  • User hits load using HTTP
  • AltSvc mapping is happening in the background (e.g. <domain>/.well-known/http-opportunistic)
  • AltSvc record would be applied and the page would be loaded securely but with HTTP in the address bar

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
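The flow in the comment above hinges on two artifacts that only exist after the first cleartext load: the Alt-Svc response header (RFC 7838) and the /.well-known/http-opportunistic document (RFC 8164) that the http:// origin serves. The following Python sketch is an added example, not code from this bug or from Firefox: it parses both and decides whether an http:// origin has a usable opportunistic alternative. The header, the well-known document and the origins are constructed sample values, and `Alternative`, `parse_alt_svc` and `opportunistic_alternative` are names chosen here.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (not from the bug report): an Alt-Svc response
# header as defined in RFC 7838 and the /.well-known/http-opportunistic
# document defined in RFC 8164, both as an http:// origin would serve them.
SAMPLE_ALT_SVC = 'h2=":443"; ma=2592000, h2="alt.example.com:443"; ma=0'
SAMPLE_WELL_KNOWN = '["http://www.example.com", "http://example.com"]'

@dataclass
class Alternative:
    protocol: str   # ALPN identifier, e.g. "h2"
    host: str       # "" means the origin's own host
    port: int
    max_age: int    # seconds the record may be cached ("ma"), 86400 if absent

# alt-value = protocol-id "=" DQUOTE [host] ":" port DQUOTE *( ";" parameter )
_ALT_RE = re.compile(r'([^=,\s]+)="([^:"]*):(\d+)"((?:\s*;\s*[^;,]+)*)')

def parse_alt_svc(header: str) -> list:
    """Parse the comma-separated alternatives of an Alt-Svc header value."""
    if header.strip() == "clear":
        return []   # "clear" invalidates all cached alternatives
    alts = []
    for match in _ALT_RE.finditer(header):
        proto, host, port, params = match.groups()
        max_age = 86400
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "ma" and value.isdigit():
                max_age = int(value)
        alts.append(Alternative(proto, host, int(port), max_age))
    return alts

def opportunistic_alternative(origin: str, alt_svc_header: str,
                              well_known_json: str) -> Optional[Alternative]:
    """Return the first alternative a client may use to reach a cleartext origin
    over an encrypted connection, or None. RFC 8164 requires the origin to be
    listed in the well-known document; expired (ma=0) records are ignored."""
    if not origin.startswith("http://"):
        return None   # only http:// origins are candidates for opportunistic encryption
    try:
        listed = json.loads(well_known_json)
    except ValueError:
        return None   # malformed well-known document: no commitment from the origin
    if not isinstance(listed, list) or origin not in listed:
        return None
    for alt in parse_alt_svc(alt_svc_header):
        if alt.max_age > 0:
            return alt
    return None
```

Note that on the very first navigation to http://foo.com nothing has been cached yet, so there is no AltSvc record for HTTPS-Only Mode to consult before it attempts the upgrade.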