Closed Bug 1670765 Opened 4 years ago Closed 4 years ago

Outreachy contribution to HTTPS-Only: Leli

Categories

(Core :: DOM: Security, task, P4)

Desktop
macOS
task


RESOLVED DUPLICATE of bug 1665057

People

(Reporter: leli, Assigned: leli, Mentored)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(5 files)

Outreachy application task.
Not really a bug :)

Summary: the Meta Bug for HTTPS-Only: Bug 1613063 → 'block' the Meta Bug for HTTPS-Only: Bug 1613063
Assignee: nobody → leli
Severity: -- → S4
Component: General → DOM: Security
Priority: -- → P3
Product: Invalid Bugs → Core
Summary: 'block' the Meta Bug for HTTPS-Only: Bug 1613063 → Outreachy contribution Leli
Whiteboard: [domsecurity-active]
Summary: Outreachy contribution Leli → Outreachy contribution to HTTPS-Only: Leli
Status: RESOLVED → REOPENED
Ever confirmed: true
Priority: P3 → P4
Resolution: INVALID → ---
Mentor: ckerschb

Your first contribution to HTTPS-Only

HTTPS-Only Mode upgrades every connection from http: to https:. If a web site does not support https:, then Firefox displays an error page. You can test this yourself when following these steps:

  • Start Firefox
  • Enable HTTPS-Only Mode (Enter about:preferences#privacy, scroll to the end of the page and "Enable HTTPS-Only Mode in all Windows")
  • Visit http.rip (and wait for 3 seconds)
  • The HTTPS-Only Error Page appears stating that the page http.rip does not support https.

In some cases however it's also possible that adding 'www' makes the https request succeed. To reproduce:

  • Start Firefox
  • Enable HTTPS-Only Mode
  • Visit http://speedofanimals.com (and wait for 3 seconds)
  • The HTTPS-Only Error Page appears stating that http://speedofanimals.com does not support https.
    However, if you enter http://www.speedofanimals.com (note the www) then the upgrading to https succeeds.

Here is the task: "Provide Suggestions in the HTTPS-Only error page what requests would succeed."
In detail, modify the HTML, CSS and JS in the HTTPS-Error Page ( errorpage.html, errorpage.js, aboutHttpsOnlyError.css ) by providing suggestions to the end user what request would succeed, e.g. in that case adding 'www'.

In more detail, once the error page appears because upgrading to https does not succeed, you could query the URL from the page that HTTPS-Only Mode tried to upgrade (e.g. in our example from above http://speedofanimals.com).
Take that URL, add 'www' (e.g. http://www.speedofanimals.com) and perform a request (e.g. fetch request) to that page. If the server responds, then provide a link (e.g. a href="") in the error page which the end user could then click on.

Bonus points for making the newly added mechanism visually attractive to the end user.

Please upload your contribution in the form of a phabricator code patch to this Bug. To set up Phabricator please follow these instructions: https://wiki.mozilla.org/Phabricator

Good Luck!

Flags: needinfo?(leli)

Hey one question ...
I played around with it for a while, but this framework is very new to me and I'm a bit confused how to make a request with the Content Security Policy telling me that it is blocked ... probably super simple, but maybe you could direct me in the right direction, since I'm stuck on it for some time now ... thx

Flags: needinfo?(leli) → needinfo?(ckerschb)

(In reply to Leli from comment #7)

Hey one question ...
I played around with it for a while, but this framework is very new to me and I'm a bit confused how to make a request with the Content Security Policy telling me that it is blocked ... probably super simple, but maybe you could direct me in the right direction, since I'm stuck on it for some time now ... thx

Very solid question, and the fact that you are hitting that problem confirms that our browser security mechanisms are working.

For now it's easiest to simply remove META CSP (https://searchfox.org/mozilla-central/source/toolkit/components/httpsonlyerror/content/errorpage.html#9) -> just remove that line.

Going forward we probably need to add something like connect-src https: to the CSP if you are using an XHR request for example. But we will figure that out as we go along. For now it's fine to simply remove the CSP in your patch.

Flags: needinfo?(ckerschb)

Now I'm running into CORS problems ... and I hoped I could use the fact that the error message is different depending on whether the site exists at all or not, but apparently due to security that information is not provided to JavaScript .. which makes sense ... but also makes everything more complicated :)

(no direct question, just journaling my (not) progress with the problem)

I found a solution, but it is not very elegant since I'm using a proxy to get past the CORS problem and it is not the best security to use some proxies you don't control ... but I couldn't figure out a different solution and I don't have the time to build my own proxy :)

(In reply to Leli from comment #10)

I found a solution, but it is not very elegant since I'm using a proxy to get past the CORS problem and it is not the best security to use some proxies you don't control ... but I couldn't figure out a different solution and I don't have the time to build my own proxy :)

Running into all those problems indicates you are on the right track. Alternatively, and probably easier could be to try to load the 'www' version into an iframe and then communicate back to the main page (e.g. using onload, or postmessage) if the load succeeded.
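The flow the task describes (take the URL that failed to upgrade, add 'www', probe it, and only then offer a link), written out as an added example; this is not Leli's patch and not Firefox's own errorpage.js. Instead of the external proxy or the iframe discussed above it probes with a no-cors fetch, which never raises a CORS error: any HTTP reply resolves to an opaque response, while a TLS or connection failure rejects. It assumes the page's meta CSP has been relaxed with connect-src https: (as comment 8 anticipates); the fetch implementation is injectable so the decision logic can be exercised without network access.

```javascript
// Added example (not from this bug's patch or from mozilla-central): suggest the
// https://www. variant on the HTTPS-Only error page once the plain upgrade has failed.

// Pure helper: returns the https://www. candidate, or null when none makes sense
// (host already has www., IPv4/IPv6 literal, single-label host such as localhost,
// or a scheme other than http/https).
function wwwCandidate(originalUrl) {
  let url;
  try {
    url = new URL(originalUrl);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const host = url.hostname;
  if (host.startsWith("www.") || host.startsWith("[")) return null;
  if (/^[0-9.]+$/.test(host) || !host.includes(".")) return null;
  url.protocol = "https:";
  url.hostname = "www." + host;
  return url.href; // path, query and explicit port are preserved
}

// Probe the candidate with a no-cors, credential-free fetch. "true" only means a
// server answered over https; it says nothing about whether the www. site serves
// the content the user wanted. Times out so the user is not kept waiting.
// Assumption: the error page's CSP allows connect-src https:.
async function probeHttps(candidateUrl, fetchImpl = globalThis.fetch, timeoutMs = 3000) {
  if (!candidateUrl) return false;
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    await fetchImpl(candidateUrl, {
      mode: "no-cors",          // opaque response instead of a CORS error
      credentials: "omit",      // a probe should not carry cookies
      redirect: "follow",
      signal: controller.signal,
    });
    return true;
  } catch (e) {
    return false;               // network/TLS failure or timeout
  } finally {
    clearTimeout(timer);
  }
}

// Returns the URL to offer, or null when there is nothing to suggest.
async function suggestionFor(originalUrl, fetchImpl = globalThis.fetch) {
  const candidate = wwwCandidate(originalUrl);
  const reachable = await probeHttps(candidate, fetchImpl);
  return reachable ? candidate : null;
}

// DOM hook for the error page (browser only): append a link when the probe succeeds.
// The full target URL is shown as the link text so the user sees where the click goes.
async function addWwwSuggestion(originalUrl, container) {
  const candidate = await suggestionFor(originalUrl);
  if (!candidate) return null;
  const link = document.createElement("a");
  link.href = candidate;
  link.textContent = candidate;
  link.rel = "noopener";
  container.appendChild(link);
  return link;
}

if (typeof module !== "undefined") {
  module.exports = { wwwCandidate, probeHttps, suggestionFor, addWwwSuggestion };
}
```

Calling `addWwwSuggestion("http://speedofanimals.com", document.body)` from the error page would, in the example from the task, probe https://www.speedofanimals.com/ and append a link only if that host answers; for http.rip the candidate never responds and nothing is added.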

Oh thx ... that sounds much better :)
I will try to find time this week to change that.
But first I have to find out how the Phabricator works because after reading the documentation for 2 hours I have not figured it out yet ...

My solution uses an external proxy and I am aware that that might not be the best security, but server-server communication does not run into the same CORS problems as client-server communication.

If a 200 code is sent back, a button is attached to the DOM to go to the secure version of the web site.

Depending on the traffic on the proxy this might take a moment and is therefore also not very convenient because the user might already have left at this point.

Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE