Closed Bug 1725026 Opened 4 months ago Closed 4 months ago

HTTPS-only mode no longer works as it did before Firefox 91

Categories

(Core :: Networking, defect, P1)

Firefox 91
defect

Tracking

VERIFIED FIXED
93 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- verified
firefox91 --- wontfix
firefox92 --- verified
firefox93 --- verified

People

(Reporter: msr34xhwm1f, Assigned: kershaw)

References

(Regression)

Details

(Keywords: regression, reproducible, Whiteboard: [necko-triaged])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Activate "Enable HTTPS-Only Mode in all windows" in privacy settings.
I'm not using Private Browsing mode. This also happens with a fresh profile.

Behavior with Firefox 91.0
1.) Visit https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X
2.) Click on "Support" in the upper right corner
3.) Firefox shows a warning that the website does not use HTTPS

1.) Visit https://www.nvidia.com/Download/index.aspx?lang=en-us
2.) Select any driver (the preselected options are sufficient)
3.) Firefox shows a warning that the website does not use HTTPS

Behavior with Firefox 90.0.2:
1.) Visit https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X
2.) Click on "Support" in the upper right corner
3.) The website with the latest driver is displayed without warning

1.) Visit https://www.nvidia.com/Download/index.aspx?lang=en-us
2.) Select any driver (the preselected options are sufficient)
3.) The website with the latest driver is displayed without warning

If "dom.security.https_only_mode_break_upgrade_downgrade_endless_loop" is set to "false" in about:config, this warning no longer occurs in Firefox 91.0.

Actual results:

Since Firefox 91, there is a warning on both websites that HTTPS is not available.

Expected results:

There should be no warning.

If you click on "Continue to HTTP Site", you will be redirected to the corresponding website with HTTPS.

If you change the URL in the address bar on the warning page from "http://" to "https://", the website also loads without problems.

These warnings exist only since Firefox 91.0. In the previous version this problem did not exist, and obviously an HTTPS variant exists.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

(In reply to Acursen from comment #0)

Behavior with Firefox 91.0
1.) Visit https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X
2.) Click on "Support" in the upper right corner
3.) Firefox shows a warning that the website does not use HTTPS

In Firefox 91+:

  1. Left click on "Support" => warning shown.
  2. Middle click on "Support" => warning shown.
  3. Right click on "Support", select any of the Open Link in New YYY => warning shown.
  4. Copy the "Support" link, i.e. http://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X, open a blank new tab, paste the link and press enter => no warnings.

As with the OP, the warning is not shown in any of these cases when dom.security.https_only_mode_break_upgrade_downgrade_endless_loop is set to false.

Notes

In https://www.msi.com/Motherboard/MPG-Z590-CARBON-EK-X, clicking "Support" will eventually reach https://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X even if HTTPS-Only Mode is disabled.

Regression

Last good Nightly: 2021-06-24
First bad Nightly: 2021-06-25
pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9b2ffc8e850587f349301559d397a384ef5c7508&tochange=b9a82200b994f1d8c24f4cc2881b01f245c82757

Bisecting autoland builds:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b626c01bd196a9a7d3d20810319f5140aa04e21e&tochange=60d705792e3a71df76d57f1de7a2e44756bbfe3d

This is regressed by bug 1716069.

Has Regression Range: --- → yes
Has STR: --- → yes
Component: DOM: Security → Networking
Regressed by: 1716069

Kershaw, could you take a look?

Flags: needinfo?(kershaw)

This is regressed by removing the user gesture check in bug 1716069.
I think the correct solution is to check for a user gesture only when the redirect chain is empty.
In summary:

  1. When the redirect chain is empty, this is the first load. We should check if this is triggered by user gesture.
  2. When the redirect chain is not empty, we should not check user gesture, since this channel is created due to redirection.
Assignee: nobody → kershaw
Severity: -- → S3
Flags: needinfo?(kershaw)
Priority: -- → P1
Whiteboard: [necko-triaged]
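The decision described in the comment above, as an added model (example code, not Firefox's nsHTTPSOnlyUtils and not the patch attached to this bug). The bug page does not describe the internals, so everything beyond "the user-gesture check was removed in bug 1716069" and "the fix checks it only when the redirect chain is empty" is an assumption of this model: the shape of the `load` object, that a redirected load counts as triggered by the last URI in its chain, and the loop heuristic itself (an http:// request whose origin, with the scheme swapped to https://, is exactly the origin that triggered it). The pref names are the real Firefox prefs named on this page; `clickSupport` and `pasteSupport` follow cases 1 and 4 of the reproduction comment, and `genuineLoop` is a constructed input.

```javascript
// Added example: a model of the HTTPS-Only Mode "break upgrade/downgrade
// endless loop" decision at the three points in this bug's history. This is
// NOT Firefox's nsHTTPSOnlyUtils code and not the patch from this bug.
// Modelling assumptions that the bug page does not state:
//   * a load is { uri, redirectChain, userGesture, triggeringOrigin };
//   * a redirected load is "triggered" by the last URI in its chain;
//   * the loop heuristic is: the requested URI is http:// and the https://
//     form of its origin is exactly the origin that triggered the load.

const BREAK_LOOP_PREF =
  "dom.security.https_only_mode_break_upgrade_downgrade_endless_loop";

const DEFAULT_PREFS = {
  "dom.security.https_only_mode": true,
  [BREAK_LOOP_PREF]: true,
};

function originOf(uri) {
  const u = new URL(uri);
  return `${u.protocol}//${u.host}`;
}

// Modelled loop heuristic (assumption, see header comment).
function looksLikeUpgradeDowngradeLoop(load) {
  const u = new URL(load.uri);
  if (u.protocol !== "http:") return false;
  const chain = load.redirectChain;
  const triggering = chain.length
    ? originOf(chain[chain.length - 1])
    : load.triggeringOrigin;
  if (!triggering) return false; // nothing triggered it, e.g. URL pasted into a new tab
  return triggering === `https://${u.host}`;
}

// Whether the user-gesture early exit ("the user asked for this navigation,
// it is not a loop") applies under each policy.
function gestureEarlyExit(load, policy) {
  const firstLoad = load.redirectChain.length === 0;
  switch (policy) {
    case "before-1716069": return load.userGesture;              // always honoured
    case "firefox-91":     return false;                         // check removed by bug 1716069
    case "fixed":          return firstLoad && load.userGesture; // this bug's fix
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// true => stop upgrading; for a top-level load this is where the
// "HTTPS not available" warning page would be shown.
function isUpgradeDowngradeEndlessLoop(load, policy, prefs = DEFAULT_PREFS) {
  if (!prefs["dom.security.https_only_mode"]) return false;
  if (!prefs[BREAK_LOOP_PREF]) return false; // comment 0: pref=false removes the warning
  if (gestureEarlyExit(load, policy)) return false;
  return looksLikeUpgradeDowngradeLoop(load);
}

// Case 1 from the reproduction comment: left-click "Support" on the MSI page.
const clickSupport = {
  uri: "http://www.msi.com/Motherboard/support/MPG-Z590-CARBON-EK-X",
  redirectChain: [],
  userGesture: true,
  triggeringOrigin: "https://www.msi.com",
};

// Case 4: the same URL pasted into a blank new tab (no triggering document).
const pasteSupport = { ...clickSupport, userGesture: false, triggeringOrigin: null };

// Constructed genuine loop: the upgraded https:// load answered with a redirect
// back to http:// on the same host; the gesture flag from the original click
// is still carried on the redirected channel.
const genuineLoop = {
  uri: "http://example.test/",
  redirectChain: ["https://example.test/"],
  userGesture: true,
  triggeringOrigin: "https://other.test",
};

const POLICIES = ["before-1716069", "firefox-91", "fixed"];

// Returns { policy: bool } for one load, for inspection or testing.
function decisions(load, prefs = DEFAULT_PREFS) {
  return Object.fromEntries(
    POLICIES.map(p => [p, isUpgradeDowngradeEndlessLoop(load, p, prefs)]));
}

for (const [name, load] of Object.entries({ clickSupport, pasteSupport, genuineLoop })) {
  console.log(name, decisions(load));
}
```

Under the "firefox-91" policy the click from the https page is flagged as a loop (the warning from comment 0), under "fixed" it is not, and the pasted URL is never flagged because nothing triggered it. The constructed redirect loop is flagged by both "firefox-91" and "fixed", since the fix skips the gesture check once the chain is non-empty. With dom.security.https_only_mode_break_upgrade_downgrade_endless_loop set to false nothing is flagged, matching the workaround in comment 0. That the "before-1716069" policy misses the genuine loop when a gesture flag is carried on the redirected channel is a consequence of this model's assumptions, not something the bug page states.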
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7e0dab3c9d5c
Check if the load is triggered by a user gesture only when redirect chain is empty, r=ckerschb
Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)
Flags: needinfo?(kershaw)

Comment on attachment 9236012 [details]
Bug 1725026 - Check if the load is triggered by a user gesture only when redirect chain is empty, r=ckerschb

Beta/Release Uplift Approval Request

  • User impact if declined: When HTTPS-only mode is enabled, we could show the warning page wrongly when users click an http link from an https page.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: N/A
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward and is covered by an automated test.
  • String changes made/needed: N/A

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Because this patch is simple and I think it's worth uplifting to make sure HTTPS-only mode works as before.
  • User impact if declined: When HTTPS-only mode is enabled, we could show the warning page wrongly when users click an http link from an https page.
  • Fix Landed on Version: 93
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward and is covered by an automated test.
  • String or UUID changes made by this patch: N/A
Attachment #9236012 - Flags: approval-mozilla-esr91?
Attachment #9236012 - Flags: approval-mozilla-beta?

Comment on attachment 9236012 [details]
Bug 1725026 - Check if the load is triggered by a user gesture only when redirect chain is empty, r=ckerschb

Approved for 92.0b5 and 91.1esr.

Attachment #9236012 - Flags: approval-mozilla-esr91?
Attachment #9236012 - Flags: approval-mozilla-esr91+
Attachment #9236012 - Flags: approval-mozilla-beta?
Attachment #9236012 - Flags: approval-mozilla-beta+
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Reproduced the initial issue using an old Nightly build from 2021-06-25, and verified that, with HTTPS-Only Mode enabled and using the steps from comments 1 and 2, the issue no longer reproduces across platforms (Windows 10 64bit, macOS 11.5 and Ubuntu 18.04) using the following builds: latest Nightly 93.0a1, Beta 92.0b6 and latest esr91 from treeherder.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+