1720500 - https-first: revisit upgrading form submissions

Status: RESOLVED FIXED

(Core :: DOM: Security, task, P2)

Comment 1

[Simon Friedberger (:simonf)]

What was the reason for postponing this?

The HTTPS-upgrades proposal https://github.com/whatwg/fetch/pull/1655 makes the distinction based on request type only upgrading GET. Since GET is supposed to be idempotent that seems reasonable. We are using a specific flag on the LoadInfo which identifies form submissions.

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

Back when we first implemented and shipped HTTPS-Only there was no HTTPS upgrades proposal. I remember that we were worried about breakage of form submissions, hence we explicitly did not upgrade them. I am totally on board with re-writing those bits, eliminating the flag and do upgrades/exceptions based on actual types.

Comment 3

[Frederik Braun [:freddy]]

We will upgrade GET, but not POST.

Comment 4

[Frederik Braun [:freddy]]

Simon is going to disable the "form submission" check guarded by a pref that is only enabled in nightly & early beta.

Comment 5

[Simon Friedberger (:simonf)]

Attachment: Bug 1720500 - Enable HTTPS-First for form submission r=freddyb,valentin

Comment 6

[Simon Friedberger (:simonf)]

Attachment: Bug 1720500 - Enable HTTPS-First for form submission r=freddyb

Depends on D224287

Comment 7

[Pulsebot]

Pushed by sfriedberger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef0935ccc445
Enable HTTPS-First for form submission r=freddyb,necko-reviewers
https://hg.mozilla.org/integration/autoland/rev/2cc02a7da851
Enable HTTPS-First for form submission r=freddyb

Comment 8

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/ef0935ccc445
https://hg.mozilla.org/mozilla-central/rev/2cc02a7da851