When "Enable HTTPS-Only Mode in all windows" is enabled this mode appears to stop the download of a Proxy Auto-Configuration file from a HTTP only web server that is hosted on a on a corporate intranet
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: loaderladdy, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
- Open Firefox with HTTPS-Only mode enabled for all sites.
- Make sure Firefox is configured to use Windows 10 system proxy and the system proxy is configured to download a PAC File from a HTTP Web Server (not using the HTTPS protocol) (Its a corp intranet server hosted on an internal network)
- I wasn't aware HTTP-Only mode was a new default setting configured to all sites (is it a new default setting?)
- attempted to access Internet content via our corporate proxy servers (Firefox should use the corp PAC File to direct Internet requests to the corp internet proxy)
- Observe if this fails with a time out error
Firefox is configured to use the System Proxy on WIndows 10. These settings are locked to the end user
Actual results:
Internet web sites are not accessible
Expected results:
Internet web sites should be accessible if the PAC File is downloaded from its HTTP-Only web server
Reporter | ||
Comment 1•3 years ago
|
||
Disabling HTTPS-Only mode is the current workaround that allows Firefox to obtain the corp PAC File from its http-only web server
Comment 2•3 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 4•3 years ago
|
||
Thanks for reporting - that's very likely that this is not working properly with https-only mode
. Moving over to dom:security
. I have to put this in the backlog for now though.
What's surprising though is that we don't show an error page in that case which would allow to connect using plain http:
.
Reporter | ||
Comment 5•3 years ago
|
||
I do wonder if the “HTTPS Only Feature” has any Group Policy management tools? And if it does, could URL exceptions or PAC File exceptions be an item that could be controlled by Group Policy setting?
Description
•