Outreachy contribution to HTTPS-Only: Adelaide
Categories
(Core :: DOM: Security, task, P4)
Tracking
()
Tracking | Status | |
---|---|---|
firefox84 | --- | affected |
People
(Reporter: adelaide.atakora, Assigned: adelaide.atakora, Mentored)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Steps to reproduce:
Start Firefox
Enable HTTPS-Only Mode
Visit http://www.dvla.gov.gh/
Actual results:
The page loaded with a 'Secure Connection Not Available' error
Expected results:
Page loads as expected with 'Secure Connection Not Available' error since an HTTPS version of the website is not available.
Clicking 'Continue to HTTP Site' temporarily disables HTTPS-Only Mode for this site and loads the HTTP version of the site.
Assignee
Comment 1•4 years ago
Secure Connection Not Available on the http://www.dvla.gov.gh/ website.
The website supports only an HTTP version.
Assignee
Comment 3•4 years ago
The HTTP version of the dvla.gov.gh website after HTTPS-Only Mode is temporarily disabled for this site.
Updated•4 years ago
Comment 4•4 years ago
Your first contribution to HTTPS-Only
HTTPS-Only Mode upgrades every connection from http: to https:. If a web site does not support https:, then Firefox displays an error page. You can test this yourself by following these steps:
- Start Firefox
- Enable HTTPS-Only Mode (Enter about:preferences#privacy, scroll to the end of the page and "Enable HTTPS-Only Mode in all Windows")
- Visit http.rip (and wait for 3 seconds)
- The HTTPS-Only Error Page appears stating that the page http.rip does not support https.
In some cases, however, it's also possible that adding 'www' makes the https request succeed. To reproduce:
- Start Firefox
- Enable HTTPS-Only Mode
- Visit http://speedofanimals.com (and wait for 3 seconds)
- The HTTPS-Only Error Page appears stating that http://speedofanimals.com does not support https.
However, if you enter http://www.speedofanimals.com (note the www) then the upgrading to https succeeds.
Here is the task: "Provide Suggestions in the HTTPS-Only error page what requests would succeed."
In detail, modify the HTML, CSS and JS in the HTTPS-Error Page (errorpage.html, errorpage.js, aboutHttpsOnlyError.css) by providing suggestions to the end user what request would succeed, e.g. in that case adding 'www'.
In more detail, once the error page appears because upgrading to https does not succeed, you could query the URL from the page that HTTPS-Only Mode tried to upgrade (e.g. in our example from above http://speedofanimals.com).
Take that URL, add 'www' (e.g. http://www.speedofanimals.com) and perform a request (e.g. fetch request) to that page. If the server responds, then provide a link (e.g. a href="") in the error page which the end user could then click on.
Bonus points for making the newly added mechanism visually attractive to the end user.
Please upload your contribution in the form of a phabricator code patch to this Bug. To set up Phabricator please follow these instructions: https://wiki.mozilla.org/Phabricator
Good Luck!
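Added example, not part of the original bug and not Firefox's own errorpage.js: one way the 'add www and probe' step described in Comment 4 could be written. The function names (wwwCandidate, probeSuggestion), the injectable fetchImpl parameter, the 3000 ms timeout and the choice to always suggest the https: form of the URL are assumptions made for illustration.

```javascript
// Hypothetical helpers for illustration; not identifiers from Firefox.

// Build the "www." candidate for a URL whose https upgrade failed.
// Returns an https: URL string, or null when no sensible suggestion exists.
function wwwCandidate(failedUrl) {
  let url;
  try {
    url = new URL(failedUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const host = url.hostname;
  // IP literals, single-label hosts (localhost) and hosts that already
  // start with "www." get no suggestion.
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
  if (isIpLiteral || !host.includes(".") || host.startsWith("www.")) return null;
  url.protocol = "https:"; // assumption: only ever suggest the secure origin
  url.hostname = "www." + host;
  url.username = ""; // never carry embedded credentials into a suggested link
  url.password = "";
  return url.href;
}

// Probe the candidate and resolve to it only if a response arrives over https.
// fetchImpl is injectable so the logic can be exercised offline with a stub.
async function probeSuggestion(failedUrl, fetchImpl = fetch, timeoutMs = 3000) {
  const candidate = wwwCandidate(failedUrl);
  if (candidate === null) return null;
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    // no-cors: the error page only needs to know that the server answered,
    // not to read the (opaque) response. No cookies are sent with the probe.
    await fetchImpl(candidate, {
      method: "HEAD", mode: "no-cors", credentials: "omit",
      signal: controller.signal,
    });
    return candidate;
  } catch {
    return null; // TLS failure, DNS failure, connection refused or timeout
  } finally {
    clearTimeout(timer);
  }
}
```

When the returned string is shown in the error page, assign it to the link's href and textContent properties rather than building markup with innerHTML, since the URL originates from user navigation.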
Comment 5•4 years ago
Closing as INACTIVE.