Always allow user to temporarily disable https-only
Categories
(Core :: DOM: Security, enhancement)
People
(Reporter: bugzilla, Unassigned)
I've been trying out the https only mode in Firefox 84.0b2 (on Windows 10) for the last couple of days and overall it works surprisingly smoothly. However, when a site serves a broken page over https, instead of not supporting https at all, there seems to be no easy way to (temporarily) disable https-only for this site.
Steps to reproduce:
- Turn on https only mode.
- Enter http://globepaddler.ch into the URL bar.
- Observe the generic error message "No index site defined / uploaded" on that page in comparison to a working site served over http.
- Follow the instructions of https://support.mozilla.org/en-US/kb/https-only-prefs to "turn off HTTPS-Only Mode for a particular site" as it "does not seem to be rendering certain elements of the page correctly" by clicking on the lock icon.
- Observe that the mentioned option is missing and there seems to be no easy way to display the http-page without having to turn off https only mode entirely. The mentioned user interface does show up if I visit a site such as http://geek-and-poke.com that does not support https at all.
Expected result:
- There should always be a way to easily go to the http-page if the user feels the https version is broken.
- Ideally, a smarter heuristic would automatically catch such misconfigured sites and offer a downgrade.
I realize that the particular page is more a case for tech-evangelism, but I do think that for the mode to be useful one should not simply be stuck in such a case.
Comment 1•4 years ago
Hi Daniel, thanks for reporting this!
You're right that this is an issue. We already created bug 1662710 to give users UI to add exceptions from about:preferences.
Also I wrote a more detailed explanation here on why this edge case is complicated :)