Open Bug 1696954 Opened 5 years ago Updated 4 years ago

HTTPS Only Mode breaks http://shakespeare.mit.edu/

Categories

(Core :: DOM: Security, defect, P3)

People

(Reporter: arthur, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

If you visit http://shakespeare.mit.edu/ with HTTPS-Only Mode enabled, it redirects to HTTPS and shows an HTTP Auth dialog. Pressing cancel leads to a "401 Unauthorized" page.

If you open the lock doorhanger and turn off HTTPS-Only Mode for the site, it still then fails the same way as described above. Not sure why!

Hey Leli, do you wanna take a look and find out what's causing the problem here?

Flags: needinfo?(leli)

For some reason the httpsOnlyStatus flag for the doorhanger exemption is not set ... haven't figured out yet where this is (not) happening

Ok I have a basic understanding question about the doorhanger and what the expected behaviour should be:

  • am I allowing this specific page to be exempt or
  • am I allowing this specific tab to be exempt?

It seems to me to be a mix of both. If I have previously exempted the page I can switch in the exempt tab to this page. But if I delete the history of the page, even if I'm in an exempt tab, I will end up on the error page.

So for this shakespeare page I can't exempt the page itself, since the doorhanger is not visible before I deal with the auth pop-up, and the exemption from the tab only works if I also exempt the page specifically.

Flags: needinfo?(leli) → needinfo?(julianwels)
Severity: -- → S3
Priority: -- → P3
Assignee: nobody → leli
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-active]

When users change the permission in the site-identity panel, this function gets called: https://searchfox.org/mozilla-central/rev/1a47a74bd5ba89f2474aa27c40bd478e853f3276/browser/base/content/browser-siteIdentity.js#505,533-542

When this._isAboutHttpsOnlyErrorPage is true we set the exemption for HTTP, instead of HTTPS.

I hope we can somehow get the response-code, maybe this would be similar to this:
https://searchfox.org/mozilla-central/rev/1a47a74bd5ba89f2474aa27c40bd478e853f3276/toolkit/components/thumbnails/PageThumbUtils.jsm#369,385,390,393

Assignee: leli → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(julianwels)
Priority: P2 → P3
Whiteboard: [domsecurity-active]

Sorry, I messed that up :(

Assignee: nobody → leli
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-active]

The bug assignee didn't login in Bugzilla in the last 7 months.
:ckerschb, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: leli → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(ckerschb)

This is blocking the right meta bug - backlog seems fine for now.

Flags: needinfo?(ckerschb)
Priority: P2 → P3