Closed Bug 1665057 Opened 2 years ago Closed 1 year ago

HTTPS-Only: Add error page suggestions on how to proceed

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
88 Branch
Tracking Status
firefox88 --- fixed

People

(Reporter: julianwels, Assigned: leli, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(6 files, 1 obsolete file)

Attached image mockup.png

There are a couple of common mistakes websites make that cause an error-page in HTTPS-Only Mode. The most common one is that a domain is only meant to redirect the user to a different website and therefore has no certificate (see for example bug 1650779).

Although we can check for these mistakes, redirecting the user anyway would pose a security risk. What we could do instead is show some kind of UI on the error page, to inform the user of the attempted redirect and about possible risks.

Duplicate of this bug: 1670765
Assignee: nobody → leli

Thank you for the screenshot and your work on this bug! I have some comments:

I believe the blue color is supposed to indicate the recommended or default action. So the "Continue to Secure WWW Site" button should be grey, not blue. Also, I think the button text "Continue to Secure WWW Site" probably needs revision. I would recommend something like "Try https://www.speedofanimals.com".

Lastly, I would still prefer that we make trying "https://www..." automatic rather than adding a button, because a third button adds unnecessary cognitive load for the user.

My thoughts:

  • Possible Alternatives should be singular
  • There is a secure version... - you don't know that. Perhaps use There may be a secure version...

Thanks, yes, you are right, it should be singular.
What do you mean by not knowing? This part only shows up if the www. page can be reached via https... Is "secure" the wrong term?

> this part only shows up if the www. page can be reached via https

Oh. My mistake then. I thought that hadn't been determined yet, in which case the part about trying seems misleading.

In order to know that the insecure http: request is trying to redirect the user to an https: URL on a different domain, wouldn't the browser need to first make the insecure request (to inspect the response headers)? Which in doing so would violate HTTPS-Only Mode.

I don't use the response header, so it does not violate HTTPS-only mode.

We start with an HTTP request to <page> and HTTPS-Only tries to upgrade. If that doesn't work, we end up on the error page.
If <page> does not start with www., I try to reach https://www.<page> and, if a secure connection is possible, the suggestion text with a button to the secure www.<page> appears.
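The suggestion logic described in this comment, modelled as an added example (not Firefox's own code): the candidate is derived purely from the URL that failed to upgrade, and the reachability check is an assumed, injected `probeHttps` that refuses anything other than https:, so no insecure request is ever made. The `PROBE_OK` set is constructed sample data standing in for a real HTTPS-only connection attempt.

```javascript
// Added example, not Firefox code. `PROBE_OK` is constructed sample data:
// the set of https://www. URLs that "answer" a secure connection attempt.
const PROBE_OK = new Set([
  "https://www.example.test/", // constructed: secure www. variant exists
]);

// Assumed stand-in for "can a secure connection be made to this URL?".
// It only ever accepts https: targets, which is what keeps the check
// compatible with HTTPS-Only Mode (no http: request, no response header).
function probeHttps(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "https:") {
    throw new Error("probe must only use https:, refusing " + urlString);
  }
  return PROBE_OK.has(url.href);
}

// Build the https://www.<host> candidate for a page that failed to upgrade.
// Returns null when no candidate applies: host already starts with www.,
// or it is a single label / IP literal where prepending www. makes no sense.
function wwwCandidate(failedUrlString) {
  const url = new URL(failedUrlString);
  const host = url.hostname;
  if (host.startsWith("www.")) return null;
  if (!host.includes(".") || /^[\d.]+$/.test(host) || host.startsWith("[")) {
    return null;
  }
  const candidate = new URL(url.href);
  candidate.protocol = "https:";
  candidate.hostname = "www." + host;
  // Path and query are kept so the user lands on the page they asked for.
  return candidate.href;
}

// Decide whether the error page should offer the "Try https://www..." button:
// only when a candidate exists AND the secure connection to it succeeds.
function wwwSuggestion(failedUrlString, probe = probeHttps) {
  const candidate = wwwCandidate(failedUrlString);
  if (candidate === null) return null;
  return probe(candidate) ? candidate : null;
}
```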

Depends on D101468

Attachment #9202070 - Attachment description: Bug 1665057 - Add www button on https-only error page - browsertest → Bug 1665057 - Add www button on https-only error page - test click on www suggestion button
Flags: needinfo?(mwalkington)
Attachment #9205414 - Attachment is obsolete: true

Feedback from Mikal was to keep this message short, so we should keep that in mind in the next revision. Will also want to limit the number of actions to reduce cognitive load.

Next week is Proton hand-off so ideally, I would look at this the week of March 8. Is that too late? Please let me know if I am a blocker.

Flags: needinfo?(mwalkington) → needinfo?(arthur)
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/21d33ceefa30
Add www button on https-only error page r=ckerschb,JulianWels,Gijs
https://hg.mozilla.org/integration/autoland/rev/b09ac7fc26b1
Add www button on https-only error page - test r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/44bb81629125
Add www button on https-only error page - test click on www suggestion button r=ckerschb
Depends on: 1698452
Blocks: 1699421