Closed Bug 1671181 Opened 5 years ago Closed 5 years ago

Outreachy Contribution to HTTPS-Only (Shemika)

Categories

(Core :: DOM: Security, task, P4)

RESOLVED INACTIVE

People

(Reporter: slamare15, Assigned: slamare15, Mentored)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(6 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:81.0) Gecko/20100101 Firefox/81.0

Assignee: nobody → slamare15
Severity: -- → S4
Type: enhancement → task
Priority: -- → P4
Whiteboard: [domsecurity-active]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Version: 1.0 Branch → unspecified
Mentor: ckerschb

Your first contribution to HTTPS-Only

HTTPS-Only Mode upgrades every connection from http: to https:. If a web site does not support https:, then Firefox displays an error page. You can test this yourself by following these steps:

  • Start Firefox
  • Enable HTTPS-Only Mode (Enter about:preferences#privacy, scroll to the end of the page and "Enable HTTPS-Only Mode in all Windows")
  • Visit http.rip (and wait for 3 seconds)
  • The HTTPS-Only Error Page appears stating that the page http.rip does not support https.

In some cases, however, it's also possible that adding 'www' makes the https request succeed. To reproduce:

  • Start Firefox
  • Enable HTTPS-Only Mode
  • Visit http://speedofanimals.com (and wait for 3 seconds)
  • The HTTPS-Only Error Page appears stating that http://speedofanimals.com does not support https.
    However, if you enter http://www.speedofanimals.com (note the www) then the upgrading to https succeeds.

Here is the task: "Provide Suggestions in the HTTPS-Only error page what requests would succeed."
In detail, modify the HTML, CSS and JS in the HTTPS-Error Page (errorpage.html, errorpage.js, aboutHttpsOnlyError.css) by providing suggestions to the end user what request would succeed, e.g. in that case adding 'www'.

In more detail, once the error page appears because upgrading to https does not succeed, you could query the URL from the page that HTTPS-Only Mode tried to upgrade (e.g. in our example from above http://speedofanimals.com).
Take that URL, add 'www' (e.g. http://www.speedofanimals.com) and perform a request (e.g. fetch request) to that page. If the server responds, then provide a link (e.g. a href="") in the error page which the end user could then click on.

Bonus points for making the newly added mechanism visually attractive to the end user.

Please upload your contribution in the form of a Phabricator code patch to this Bug. To set up Phabricator please follow these instructions: https://wiki.mozilla.org/Phabricator

Good Luck!

Flags: needinfo?(slamare15)
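
The probe the task above describes (take the failed URL, add 'www', request it, link to it only if the server responds), as an added example; it is not code from this bug or from Firefox. The function names and the injected `probe` parameter are assumptions, and the candidate is built as https: directly rather than relying on the upgrade.

```javascript
// Added example (hypothetical names). Build the "www." variant of the URL that
// failed to upgrade. The result is always https:, never a downgrade to http:.
function wwwCandidate(failedUrl) {
  let url;
  try {
    url = new URL(String(failedUrl).replace(/^view-source:/, ""));
  } catch (e) {
    return null; // unparseable input: suggest nothing
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const host = url.hostname;
  const isIp = /^\d+(\.\d+){3}$/.test(host) || host.startsWith("[");
  // A www. prefix is meaningless for IPs, single-label hosts, or www. itself.
  if (isIp || !host.includes(".") || host.startsWith("www.")) return null;
  url.protocol = "https:";
  url.hostname = "www." + host;
  url.username = url.password = ""; // never carry credentials into a link
  return url.href;
}

// probe is a fetch-compatible function, injected so the logic runs offline;
// on the error page it would be the global fetch (assumption).
async function suggestWww(failedUrl, probe, timeoutMs = 3000) {
  const candidate = wwwCandidate(failedUrl);
  if (!candidate) return null;
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    // no-cors yields an opaque response: enough to learn that the TLS
    // connection and a response happened, without reading cross-origin data.
    await probe(candidate, { mode: "no-cors", credentials: "omit",
                             cache: "no-store", signal: ctl.signal });
    return candidate;
  } catch (e) {
    return null; // DNS, TLS or timeout failure: offer no link
  } finally {
    clearTimeout(timer);
  }
}

// Build the link with DOM properties, not innerHTML: the host text comes
// from the URL the user was sent to and must be treated as untrusted.
function renderSuggestion(doc, container, href) {
  const a = doc.createElement("a");
  a.href = href;
  a.textContent = new URL(href).host;
  container.appendChild(a);
}
```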

Here is my screenshot to show my Firefox build works and I am able to enable HTTPS-Only Mode.

Flags: needinfo?(slamare15)

User: Mac OS X 10.12.6

Reproduce HTTPS Error:
-Open Browser
-Enable HTTPS ONLY Mode
-Search URL: https://statenislandzoo.org/

Expected Result: Image attached of the site temporarily turning off HTTPS Only Mode

Actual Result: Image attached(below this comment) - there was no workaround that would allow me to get to the site without temporarily turning off HTTPS Only Mode

Details in the Previous comment.

Attached image error page attempt.png

SUMMARY of 3 attachments:
I tried using the Phabricator and ran into issues: it wasn't finding my changes (I usually use git so I'm used to making changes to my src code on my computer then pushing them to the issue), but it doesn't seem like that is the way this works.

I didn't get a dynamic iframe. I was only able to do it with HTML. I am attaching a screenshot of that.

I went through and tried to figure out how to do the iframe dynamically. What I was trying to do was add another variable that would swap add the www. I was trying to mimic the code chunk (below), but I'm not that familiar with JavaScript (I program in Python and do analysis -- so this is quite different).

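// URL of the page that failed to upgrade, with any view-source: prefix stripped.
const pageUrl = new URL(window.location.href.replace(/^view-source:/, ""));

// Fill the localized explanation string with the failing host.
// (explanation1 is defined outside this excerpt.)
document.l10n.setAttributes(
  explanation1,
  "about-httpsonly-explanation-unavailable2",
  { websiteUrl: pageUrl.host }
);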

Closing as INACTIVE.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INACTIVE