1715253 - HTTPS-First ends up in an redirecting endless loop for https://radio.garden/visit/berlin/6lcXHtKK

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P2)

Description

[Tomer Yavor]

STR:
mozregression --pref dom.security.https_first:true -a https://radio.garden/visit/berlin/6lcXHtKK --launch 2021-06-07

expected: a downgrade to http.
result: endless loop

Comment 1

[Tomer Yavor]

Attachment: Error

Redirection error in combination with http/2

Comment 2

[Tomer Yavor]

Attachment: snippet of the websites javascript code

The websites tries to redirect to its http site if it is called by an https request which isn't "Native".
So we get in kind of an odd loop I guess. Because the website supports https but tries to downgrade us. We receive responses to our https requests, so we won't downgrade.
Summarized:

1. We request https://radio.garden/visit/berlin/6lcXHtKK
2. https://radio.garden/visit/berlin/6lcXHtKK checks from which place we are calling it
3. Page wants to downgrade us by redirecting us to http://radio.garden/visit/berlin/6lcXHtKK
4. We upgrade the redirection and start again from stage (1)

Comment 3

[Tomer Yavor]

Attachment: Bug 1715253 - HTTPS-First ends up in an redirecting endless loop for https://radio.garden/visit/berlin/6lcXHtKK. r=ckerschb

Comment 4

[Christoph Kerschbaumer [:ckerschb]]

Attachment: Bug 1715253: Break endless upgrade downgrade loops within https-first

Comment 5

[Christoph Kerschbaumer [:ckerschb]]

I am driving that one over the finishing line for us

Comment 6

[Pulsebot]

Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/63e5df9ef639
Break endless upgrade downgrade loops within https-first r=necko-reviewers,kershaw

Comment 7

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/63e5df9ef639