Firefox 83 "Don't enable https-only" shouldn't alter bookmarks; nor be default
Categories
(Core :: DOM: Security, defect)
People
(Reporter: bendov, Unassigned)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Installed Firefox 83 64 bit in Linux Mint 18.1 64 bit.
Full, clean install of Mozilla's version (not Mint's).
Actual results:
"Don't enable HTTPS-Only Mode" is CHECKED as default setting - shouldn't be.
- That also changed all my bookmarks' location url from https to http.
- Many average users won't know they're not using https anymore (by default). It shouldn't be default setting.
After I enabled HTTPS mode & restarted Fx, most but not all bookmarks changed back to https URLs. A quick scan of some larger BM folders shows a few BMs in each checked folder were still http.
Bookmarks still http had mostly added or modified dates of 2018 to 2020. I haven't added http URLs in years, save a few, rare sites. So no, they weren't already http.
Expected results:
Make the default setting "Enable HTTPS-Only Mode in all windows" the default.
Regardless of that setting, it shouldn't change bookmarks' URLs, that were https for years. We don't want average users getting more infections than usual.
Comment 1•4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•4 years ago
Moving across to Core / DOM: Security as that's where this was implemented.
Comment 3•4 years ago
Hi Ben,
when HTTPS-Only Mode is enabled, every new connection that is insecure will get upgraded to HTTPS.
Because these upgrades carry a risk that the connection will fail, HTTPS-Only Mode is not enabled by default.
HTTPS-Only Mode does not affect your bookmarks directly. So if you go to Menu > Library > Bookmarks > Show all Bookmarks, the links listed there should always stay the same, no matter if HTTPS-Only Mode is enabled or not.
But if it is enabled and you click on a bookmark, the connection will get upgraded to HTTPS (without changing the bookmarked link).
Does this clear things up, or did I misunderstand anything? :)
Comment 4•4 years ago
> "Don't enable HTTPS-Only Mode" is CHECKED as default setting - shouldn't be.
HTTPS-only mode is a new feature. When it is disabled (the default) everything will work the way it has for the last 20 years of the web. http: links will be loaded insecurely as specified, and https: links will use TLS encryption as specified. If this feature is turned on then Firefox will try to use https: every time it sees an http: link, but this sometimes breaks so we're not yet ready to make that the default behavior. In no case will it turn an https: link into http:. This is an active measure that takes place as links are loaded--it will never touch the way your bookmarks are stored.
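The replies above state that stored bookmarks are never rewritten, so one way to check a profile is to list the bookmarks whose stored URL is http:, together with their added and modified dates. This is an added example, not part of the bug thread or Mozilla's code; it assumes the moz_bookmarks and moz_places tables of places.sqlite, runs on a constructed in-memory database, and the file name in the final comment is hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

# Places stores timestamps as microseconds since the Unix epoch (PRTime).
def prtime_to_date(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).date().isoformat()

# type = 1 selects real bookmarks (folders and separators use other values).
QUERY = """
SELECT b.title, p.url, b.dateAdded, b.lastModified
FROM moz_bookmarks AS b
JOIN moz_places AS p ON p.id = b.fk
WHERE b.type = 1 AND p.url LIKE 'http://%'
ORDER BY b.dateAdded
"""

def insecure_bookmarks(conn):
    """Return (title, url, added, modified) for bookmarks stored with an http: URL."""
    return [(t, u, prtime_to_date(a), prtime_to_date(m))
            for t, u, a, m in conn.execute(QUERY)]

def sample_db():
    """Constructed stand-in holding only the columns the query reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    title TEXT, dateAdded INTEGER, lastModified INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://example.org/'), (2, 'http://example.net/docs'),
            (3, 'http://example.com/old');
        INSERT INTO moz_bookmarks VALUES
            (1, 1, 1, 'Secure site', 1514764800000000, 1514764800000000),
            (2, 1, 2, 'Docs',        1546300800000000, 1577836800000000),
            (3, 2, NULL, 'A folder', 1514764800000000, 1514764800000000),
            (4, 1, 3, 'Old page',    1420070400000000, 1420070400000000);
    """)
    return conn

if __name__ == "__main__":
    # For a real profile, open a copy of places.sqlite read-only instead, e.g.
    # sqlite3.connect("file:places-copy.sqlite?mode=ro", uri=True)  # hypothetical name
    for row in insecure_bookmarks(sample_db()):
        print(*row, sep="  ")
```

Running the same query with HTTPS-Only Mode off and then on shows whether the stored URLs differ between the two settings.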