Open Bug 1680934 Opened 4 years ago Updated 2 years ago

privacy.firstparty.isolate=true breaks HTTP-Website if dom.security.https_only_mode is enabled

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
Firefox 83
Type:
defect

Tracking

()

Status:
REOPENED

People

(Reporter: MyLogins, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

  • Navigate to about:config
  • Search for privacy.firstparty.isolate
  • Set privacy.firstparty.isolate to true
  • Set dom.security.https_only_mode to true
  • Set dom.security.https_only_mode_ever_enabled to true
  • Navigate to any intranet http only host without domain part, e.g. http://settopbox
  • click HTTP-Website Button

Actual results:

Nothing.

Browser Console shows:
NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS: Component returned failure code: 0x804b0050

Expected results:

open http website

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Possibly a dupe of Bug 1678252?

Blocks: https-only-mode
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

I could reproduce it. Thanks for reporting this bug!

I think it's different from bug 1678252, but the problem is probably somewhere here as well.

Bug 1678916 is a duplicate ?

Since there are multiple problems with HTTPS-Only when FPI is enabled, which probably all come from the same lines of code, I created a new bug to track the issue.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Bug 1687969 is closed, but this bug is not fixed.

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
See Also: → 1678252
You need to log in before you can comment on or make changes to this bug.