Open Bug 1717793 Opened 3 years ago Updated 3 years ago

When "Enable HTTPS-Only Mode in all windows" is enabled this mode appears to stop the download of a Proxy Auto-Configuration file from an HTTP-only web server that is hosted on a corporate intranet

Categories

(Core :: DOM: Security, defect, P3)

Firefox 89
defect

UNCONFIRMED

People

(Reporter: loaderladdy, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

  1. Open Firefox with HTTPS-Only mode enabled for all sites.
  2. Make sure Firefox is configured to use Windows 10 system proxy and the system proxy is configured to download a PAC File from an HTTP Web Server (not using the HTTPS protocol) (It's a corp intranet server hosted on an internal network)
  3. I wasn't aware HTTP-Only mode was a new default setting configured to all sites (is it a new default setting?)
  4. Attempted to access Internet content via our corporate proxy servers (Firefox should use the corp PAC File to direct Internet requests to the corp internet proxy)
  5. Observe if this fails with a time out error
    Firefox is configured to use the System Proxy on Windows 10. These settings are locked to the end user

Actual results:

Internet web sites are not accessible

Expected results:

Internet web sites should be accessible if the PAC File is downloaded from its HTTP-Only web server

Disabling HTTPS-Only mode is the current workaround that allows Firefox to obtain the corp PAC File from its http-only web server

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Networking
Product: Firefox → Core

Christoph, please can you triage this bug?

Flags: needinfo?(ckerschb)

Thanks for reporting - it's very likely that this is not working properly with https-only mode. Moving over to dom:security. I have to put this in the backlog for now though.

What's surprising though is that we don't show an error page in that case which would allow connecting using plain http:.

Severity: -- → S3
Component: Networking → DOM: Security
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

I do wonder if the “HTTPS Only Feature” has any Group Policy management tools? And if it does, could URL exceptions or PAC File exceptions be an item that could be controlled by a Group Policy setting?
