Closed Bug 1714661 Opened 4 years ago Closed 2 years ago

"Turn off HTTPS-Only Mode for this site" does not work

Categories

(Core :: DOM: Security, defect, P3)

Firefox 89
defect


RESOLVED DUPLICATE of bug 1757297

People

(Reporter: m3r3nix, Assigned: t.yavor)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

Attached image Firefox_bug.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

HTTPS-Only Mode is enabled in the main settings.
Then go to the Proxmox package repository website:
http://download.proxmox.com/debian/pve/dists/buster/pve-no-subscription/binary-amd64/
It redirects to HTTPS and asks for a password. This repository does not have any authentication on standard HTTP, and the available packages can be listed. So I clicked the padlock icon next to the URL and set HTTPS-Only Mode to OFF for this specific website. Then I changed the URL back to HTTP, but Firefox still redirects to HTTPS and I can't access the repository.

Actual results:

Firefox still redirects to HTTPS protocol, thus I can't access this repository.

Expected results:

Firefox should not redirect to HTTPS protocol if an exception for a specific website is set. See attached screenshot.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Initially this site works for me fine -- I go straight to that link and can download stuff. I don't get asked for a password. In order to get the page open I got the HTTPS-Only error page saying that the site doesn't appear to support HTTPS. This error is detected because the cert doesn't match download.proxmox.com -- it's for "enterprise.proxmox.com" and a couple of other subdomains.

If instead I go first to the https version of that site I get the cert error page because of the mismatch. If I add an exception for the cert then I'm shown an HTTP-auth prompt, and then a 403 page because I don't have a login.

Now that I've entered the cert exception for that site I get the behavior you describe.

Thanks for reporting.

There is something wrong with redirections from https -> https.
This error can be reproduced with any website that only supports http. Once you have reached the error page and reload it, HTTPS-Only "thinks" that the website supports https.
Still unsure why the 401 occurs, but I will investigate it.

Thank you again.

I don't understand your image though. If I go to preferences (in nightly only, sorry) and explicitly add that site to the exceptions list as "turn off HTTP-only" then even with the cert exception I don't get upgraded, and I don't get bounced to the Auth dialog. How did you add the exception?

Flags: needinfo?(m3r3nix)

In the release version of Firefox, there is NO exception list for HTTPS-Only mode under Settings -> Privacy and Security (URL: about:preferences#privacy)
The only way to add an HTTPS-Only exception is this:
https://support.mozilla.org/en-US/kb/https-only-prefs?as=u&utm_source=inproduct#w_turn-off-https-only-mode-for-certain-sites

And this is exactly what I did.

Flags: needinfo?(m3r3nix)

Setting the option as shown in the picture turns off HTTPSonly for https://download... -- is that part of the problem? Although now when I try to reproduce what I did in comment 5 (adding the http: version to the explicit exception list) I still get the same broken behavior you're reporting. I even tried clearing my cache. There's no HSTS for that site -- where is the upgrade coming from?

Flags: needinfo?(ckerschb)
Status: UNCONFIRMED → NEW
Ever confirmed: true

I can't reproduce the problem. I have tried several times. I always get the exception page saying Secure Connection Not Available and when I continue to http site it works just fine. Alternatively if I choose off temporarily from the doorhanger it also works.

Blocking our main bug for now (Bug 1613063).

Tomer, can you try to reproduce?

Severity: -- → S3
Flags: needinfo?(ckerschb) → needinfo?(lyavor)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Yes, I can reproduce it, but a bit differently than described in the initial post.

STR:

  1. Enable HTTPS-Only Mode.
  2. Visit http://download.proxmox.com/debian/pve/dists/buster/pve-no-subscription/binary-amd64/
  3. After the exception page is loaded, reload the current page.
  4. Now the user gets warned by Firefox. The browser received an error (SSL_ERROR_BAD_CERT_DOMAIN).
  5. Click on Advanced and then on "Accept the Risk and Continue".
  6. At this step the user gets asked for a login, and if no login is provided a 401 error code occurs.

There is some redirection problem.
Those steps can be done with every site (that I have tested so far) that doesn't support https. Only the error code might be a different one of the 40x status codes.
I will investigate why it happens.

Flags: needinfo?(lyavor)
Assignee: nobody → lyavor

I can reproduce the bug summary and the problem shown in attached picture quite easily without all the cert exceptions and logging in and redirecting confusion. I think those are distractions to the original problem. The problem is that when you use the site identity panel to turn off https-only for that site, it saves the preference with the current, post-upgrade, origin. When you encounter the insecure http: version of the site again there is no preference saved for that origin, so we go ahead and upgrade it. As the summary says, "Turn off HTTPS-Only Mode for this site" does not work.

STR:
0. make sure https-only mode is turned on

  1. try to load the site http://mlb.mlb.com
    ---> this "successfully" upgrades to https://mlb.mlb.com, a bit of plain text saying HTTPS isn't supported
  2. Click the lock to open the site identity panel
  3. The panel shows HTTPS-only mode is "On". Change it to "Off"
  4. In a new tab repeat step 2
    ---> It still upgrades!

If you open the "Manage Exceptions" dialog you will see that https://mlb.mlb.com is in the list. We never try to upgrade that site because it's already secure, so this setting does nothing. If you add insecure http://mlb.mlb.com set to "Off" (and save it) and then load http://mlb.mlb.com, the site will work: we load the insecure URL, which redirects to http://www.mlb.com, which in turn successfully upgrades to https:

To fix this,

  • the panel widget will need to change the current origin's scheme from "https:" to "http:" before it saves the preference.
  • to display the current status correctly the panel needs to check the "http:" version of the permission, not the https: version. This will avoid the state shown in the attached picture where the panel claims HTTPS-Only is "Off" for the site but you clearly just got upgraded.
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1757297
Resolution: --- → DUPLICATE
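The origin-keying problem described in the last comment, as an added illustration that is not Firefox code and not part of the original bug thread. It models the per-site exception store as a plain map keyed by origin string, contrasts a panel that saves the exception under the current (post-upgrade) https: origin with one that first rewrites the scheme to http:, and does the same for the status display. The store class, the function names, the "false means Off" convention and the sample URLs are all constructed for this example; the real permission name and API are not assumed here.

```javascript
// Added example (not Firefox's implementation): a toy model of the
// HTTPS-Only per-site exception store. Everything below is constructed
// for illustration; names and conventions are not Firefox's own.

// Exception store keyed by origin string ("scheme://host[:port]").
// A value of false means "HTTPS-Only is Off for this origin".
class ExceptionStore {
  constructor() { this.map = new Map(); }
  set(origin, allowed) { this.map.set(origin, allowed); }
  get(origin) { return this.map.get(origin); } // undefined: no entry
}

// Origin exactly as the current document sees it (post-upgrade, so https:).
function originOf(url) {
  return new URL(url).origin;
}

// The http: form of the origin: the key the upgrade decision is made on.
// An explicit non-default port is kept (https://host:8443 -> http://host:8443).
function insecureOrigin(url) {
  const u = new URL(url);
  if (u.protocol === "https:") u.protocol = "http:";
  return u.origin;
}

// Upgrade decision for a navigation: https: loads are never upgraded;
// an http: load is exempt only if its http: origin has an explicit Off.
function shouldUpgrade(store, url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return false;
  return store.get(u.origin) !== false; // no entry => upgrade
}

// Buggy panel: stores Off under whatever origin the address bar shows,
// which after an upgrade is the https: origin that is never consulted.
function panelTurnOffBuggy(store, currentUrl) {
  store.set(originOf(currentUrl), false);
}

// Fixed panel: rewrites the scheme to http: before saving.
function panelTurnOffFixed(store, currentUrl) {
  store.set(insecureOrigin(currentUrl), false);
}

// Buggy status display: reads the https: key, so it can claim "Off"
// while the http: load was just upgraded.
function panelStatusBuggy(store, currentUrl) {
  return store.get(originOf(currentUrl)) === false ? "Off" : "On";
}

// Fixed status display: reads the http: key the upgrade decision uses.
function panelStatusFixed(store, currentUrl) {
  return store.get(insecureOrigin(currentUrl)) === false ? "Off" : "On";
}

// Walk through the STR from the comment with either panel implementation.
function reproduce(turnOff) {
  const store = new ExceptionStore();
  const typed = "http://mlb.mlb.com/";         // URL the user types (constructed)
  const afterUpgrade = "https://mlb.mlb.com/"; // what the address bar shows afterwards
  const first = shouldUpgrade(store, typed);   // step 1: empty store, upgrades
  turnOff(store, afterUpgrade);                // step 3: "Off" in the identity panel
  const second = shouldUpgrade(store, typed);  // step 4: same http: URL in a new tab
  return {
    first,
    second,
    statusBuggy: panelStatusBuggy(store, afterUpgrade),
    statusFixed: panelStatusFixed(store, afterUpgrade),
  };
}

console.log("buggy panel:", reproduce(panelTurnOffBuggy));
console.log("fixed panel:", reproduce(panelTurnOffFixed));
```

With the buggy panel the second load still upgrades while the buggy status reads "Off", which is exactly the contradictory state the attached screenshot shows; with the fixed panel the second load is left on http: and the fixed status reads "Off".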